Introduction to Cybersecurity

This afternoon I presented “Introduction to Cybersecurity” to members of the New England Water Works Association in New Haven, CT.  The presentation focuses on a recurring theme of this blog: no/low-cost options for improving security.  This particular presentation addresses the challenges of securing SCADA (Supervisory Control And Data Acquisition) systems.

During the presentation, I stressed the point that humans are the weakest link.  I wish it had occurred to me to embed the following video of Kevin Mitnick demonstrating social engineering techniques:

Remember, people are the weakest link.


Domain, Web, and Email Hosting Explained

A lot of confusion (understandably) exists about how domain, web, and email hosting work and what the difference is between them.  Most online services these days offer all of these services, so is it really necessary to understand the differences?  Just as there are carpenters who can perform all aspects of a small project themselves (rough carpentry, painting, finish carpentry, flooring, etc…), you typically hire specialists when undertaking serious construction projects.  Similarly, many hosting providers have their own specializations, and you can get the most for your money by selecting the services that best meet your needs.

In order to illustrate how these all work together, I’m going to describe the process of registering a domain to sell my new world-changing invention: the “widget,” of course.

Domain Registration

The first step in the process of setting up a domain is registration.  This is done through ICANN-accredited registrars, who collectively maintain the shared registration system (SRS).  There are over 500 companies that offer these services, and some of the larger ones are Network Solutions, Go Daddy, and Register.com.  Quite simply, the registrars will let me know whether “JonsWidgets.com” is available and, if so, register it in my name.  As it turns out, it is available, but at this point all I’ve done is reserve the right to use the domain name.

Domain registration process

DNS Hosting

Now that “JonsWidgets.com” is reserved, the next step is to get the domain listed in the “Internet phone book,” also known as the Domain Name Service (DNS).  When you’re browsing the Internet, domain names are a convenient way for humans to remember sites and email addresses.  However, we all know that computers only understand ones and zeros, so everything must eventually be translated into a number.  Every computer on the Internet (both browsers and servers) has what is known as an IP address - it’s a unique number that identifies that particular machine on the network and works very much like a telephone number.  Every time you type a domain name into your browser, the first thing your computer must do is to perform a DNS lookup to find the address of the server for which it’s looking.

How DNS lookups work

These days, nearly all of the domain registrars offer DNS hosting services.  As soon as you register a domain name, the registrar will typically create a DNS listing that points to a common page indicating that the domain is “parked” but that a web site doesn’t yet exist.

Web Hosting

OK, now it’s time to talk web hosting.  So far, all we’ve done is secure the domain name and point any browsers to a generic “Under Construction” type of page.  The first question is, “Who should I use as a web host?”  Selecting a web host should be the result of finding the best match between the requirements of your site and the hosting company.  This is largely dependent upon the technology that will be used in developing your site.  Here are two main considerations:

  • Environment: Linux vs. Windows
    Most hosting packages are offered in either Windows or Linux based hosting environments.  LAMP (Linux-Apache-MySQL-PHP) is a commonly used collection of open source software that offers inexpensive web hosting.  Windows hosting is generally a combination of Windows Server, Internet Information Server, SQL Server and ASP.NET technologies that are more expensive to license and, therefore, generally cost a little more for hosting.
  • Add-On Applications
    There is a growing list of applications that web hosting providers offer, and in many cases they’re free!  Two of the more popular categories of add-ons are blogs and content management systems.  I’ll cover both of these in more detail in future posts, but these technologies make it incredibly easy (and cheap) to build powerful, professional-looking web sites without anyone having to write a single line of computer code.  If you plan on using one of these for your site, it’s important to choose a provider that specializes in hosting that particular application.  The service and performance will typically surpass those of a provider that specializes in something else, or in nothing at all.

Email Hosting

Email hosting is similar to web hosting in the sense that it needn’t necessarily be hosted by either your registrar or web host providers.  This is another case of selecting the host that makes the most sense for your particular situation.  Using myself as an example, several of my domains’ email accounts are hosted by Google’s Gmail service.  This is configured by making a change to the DNS records for your domain.

Screenshot of the DNS control panel from one of my GoDaddy accounts

You can see that email routing is also controlled by entries in the DNS records.  This is how it is possible to direct different types of domain traffic to different servers.  In the screen shot above, in fact, you can see a few entries (called CNAMEs) that create sub-domains that direct traffic to completely different servers and/or services like email, calendar, shared documents, etc…
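To make the lookups described above concrete, here is an added toy resolver (example code, not from the original post) over a constructed zone for JonsWidgets.com: web traffic goes to one host, mail is handed to Google via MX records, and CNAME sub-domains send calendar and document traffic elsewhere. The IP addresses and the Google host names used as targets are placeholders for this example.

```python
"""Toy DNS resolver over a constructed zone for JonsWidgets.com.

Added example, not code from the original post.  The zone below mirrors the
post's scenario; every address is a placeholder from the documentation
ranges (203.0.113.0/24, 198.51.100.0/24), not real infrastructure.
"""

# Records keyed by lower-case fully qualified name.  Each record is
# (type, value): A -> address string, CNAME -> another name,
# MX -> (priority, mail host).
ZONE = {
    "jonswidgets.com": [
        ("A", "203.0.113.10"),                  # the web host
        ("MX", (10, "aspmx.l.google.com")),     # email handled by Gmail
        ("MX", (20, "alt1.aspmx.l.google.com")),
    ],
    "www.jonswidgets.com": [("CNAME", "jonswidgets.com")],
    "mail.jonswidgets.com": [("CNAME", "ghs.google.com")],
    "calendar.jonswidgets.com": [("CNAME", "ghs.google.com")],
    "docs.jonswidgets.com": [("CNAME", "ghs.google.com")],
    # Names outside the zone, constructed so CNAME chains resolve offline.
    "ghs.google.com": [("A", "198.51.100.5")],
    "aspmx.l.google.com": [("A", "198.51.100.25")],
    "alt1.aspmx.l.google.com": [("A", "198.51.100.26")],
}


def lookup(name, rtype, max_hops=8):
    """Return the values of type `rtype` for `name`, chasing CNAME aliases.

    A name that is an alias carries only a CNAME, so when the wanted type is
    absent we restart the query at the alias target.  The hop limit guards
    against a looping chain (a.example -> b.example -> a.example).
    """
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        records = ZONE.get(name, [])
        wanted = [value for rtype_, value in records if rtype_ == rtype]
        if wanted:
            return wanted
        aliases = [value for rtype_, value in records if rtype_ == "CNAME"]
        if not aliases:
            return []            # no data and no alias to follow
        name = aliases[0]
    raise RuntimeError("CNAME chain too long (possible loop)")


def web_address(host):
    """What a browser does: find the A record behind a host name."""
    addrs = lookup(host, "A")
    return addrs[0] if addrs else None


def mail_server(domain):
    """What a sending mail server does: take the lowest-priority MX host,
    then resolve that host to an address.  Returns (host, address)."""
    mx = sorted(lookup(domain, "MX"))     # tuples sort by priority first
    if not mx:
        return None
    _, host = mx[0]
    addr = web_address(host)
    return (host, addr) if addr else None


if __name__ == "__main__":
    print("www   ->", web_address("www.JonsWidgets.com"))
    print("cal   ->", web_address("calendar.jonswidgets.com"))
    print("mail  ->", mail_server("jonswidgets.com"))
```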

Conclusions

There are a couple of points to take away from this with regard to web and email hosting.  The first point is to understand that you are not beholden to the registrar of your domain to also host your web site or email.  The second point is that a web hosting provider should be chosen based on the requirements of your web site, not the other way around.  Finally, in many cases you can benefit from “best of breed” providers in the form of increased service for less money.


Create a Compelling Resume Online With WordPress

Do you stand out?

Here’s a news flash - the economy is a little rough these days.  With the unemployment rate creeping up, it’s a time when you need to be clear about what you can bring to a prospective employer or client and, above all, to stand out from the competition.  Fortunately, it’s cheaper and easier than ever to make yourself “present with authority.”

One of my new year’s resolutions was to get my online identity sorted out, which means making the most of the available tools and delivering a consistent message. After taking inventory of the various professional sites to which I belong (e.g. LinkedIn, VisualCV), I decided that I needed an aggregator to take charge and deliver my message, my way, in my style. I had registered my own name as a domain many years ago but not done anything with it, and so I decided to use WordPress to tell my professional story.

What Are the Benefits?

If you think about your career as a product that you’re selling, wouldn’t it make perfect sense to have a web site? Of course it does, and you want your personal brand to have the same benefits:

  • More and more, clients and employers are performing online searches to learn more about the people with whom they are considering engaging. Having a search engine friendly web site makes it more likely they will find you.
  • Indexing your experience through the use of keywords makes it easy for people to zero in on the skills and/or expertise in which they’re interested (more about that later).
  • Multimedia capabilities (i.e. images, video, presentations, links) make it easier for you to tell your story in a vivid and interesting way.
  • You can use specialized links to direct people to specific content areas of your profile.
  • While this practice may soon be common place, for the moment at least it will help you to stand out from the crowd.

Laying the Groundwork

The first decision is your domain name. One option is to use Blogger or WordPress (e.g. jondipietro.wordpress.com), which is free. However, for the few dollars a year it costs, you are far better off registering your own domain name, preferably your first and last names if available. This article will discuss building your online resume using WordPress on your own hosted site.

Once the basic WordPress installation is in place, the first thing you’ll want to do is find a clean, professional theme and install it. There are a number of plugins that I install on every WordPress site right out of the gate:

Turn the Page

Now it’s time to set up the pages.  I decided on the following site map:

  • Home
  • About Me
    • Work History
    • Skills
    • Volunteerism
  • Experience
  • Companies
  • Social Networks
  • Contact Me

The tricky thing about this is that, by default, WordPress publishes blog articles to the front page of the site.  In order to implement my strategy, it’s important to change that.  You can do this on the Reading Settings page by selecting “Home” for your front page and “Experience” as the posts page.

Change the default settings for the front and posts pages.

Next, you’ll need to populate the Home, About Me, Work Experience, and Skills pages.  The Home page functions as a sort of generic cover letter, while the other pages represent the customary sections of a resume.  However, you have the freedom to be a little more creative and verbose in this environment than on a paper resume.

What you don’t see in the site map (or in the menu) is my social networking landing page.  Another benefit of having your own web site is the ability to create landing pages from other sites that allow you to customize messages and, again, tell your story.  For example, Twitter provides very little space to customize your profile but they do allow you to enter a web site URL that you can point to a customized landing page.  This is where the “Exclude Pages from Navigation Menu” plugin comes in handy.

Rubber Meets Road

Users can click on areas of interest

Skills, experiences, clients, etc... are displayed in the tag cloud widget.

The power of this approach now takes shape as you create blog posts to describe specific projects, publications, and experiences.  The key is carefully selected categories and liberal use of tags for the posts.  This will allow employers and/or clients to quickly zero in on the topics in which they are interested.  And since you’re making it easy to find the information they’re looking for, you can feel free to include lots of details, making the posts as interactive as possible.  You’ll want to include the Simple Tags tag cloud widget in the sidebar.

The categories are also important, and you can use them to organize your pages and posts at a higher level than the tags.  How and where the categories are displayed is somewhat dependent upon your theme.  Some themes display them as menu items while others display them in the sidebar; which you choose is a matter of personal preference.

Shout It Out Loud

Once your online resume is good to go, you can send out customized links to direct people straight to a particular area of interest.  For example, if I’m looking to secure a consulting contract for VB.NET development, I could send the following in an email:

“Please see the VB.NET projects listed on my online resume.”

The “VB.NET” link is http://www.jondipietro.com/tag/vbnet, which will automatically display a list of all pages or posts that were tagged with the VB.NET keyword.  You can begin to see how easy it is to send customized links to employers and clients that zoom right in to the areas on which you want them focused.

Conclusion

As I mentioned, I didn’t initially set out to create an online resume but once I started putting the idea together it became clear how compelling and useful this approach can be.  But I’m interested to hear about other creative ideas for leveraging this medium, so leave some comments.  Oh, and feel free to share a link to your own online resume.

Photo credit: “Stand Out in a Group” by TheZionView


Top 5 No-Cost Cyber Security Practices

Is cyber security a technology problem or a people problem?

Cyber security is a complex, highly technical subject that is best left to the Asperger-nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance

Most organizations are oblivious to the weakest link in the security chain

I’ve come to a remarkable, if not depressing, realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities, and I can easily count the number of times I was ever given any sort of cyber security orientation - exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this: the vast majority of companies, large and small alike, are completely oblivious to the weakest link in the security chain: people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.  

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance are still the number one vulnerability for computer systems.  I understand how painful it is to maintain all of the user names and passwords in our lives these days.  However, it is the world we live in, and we must accept it and follow these bare minimum password practices:

  • No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password.
  • Complex passwords:  Use combinations of letters and numbers, preferably composed of one or more words that are not in the dictionary.  Why?  Read this article about Dictionary Attacks.
  • Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.

Utilize Automatic Updates

Unpatched operating systems and out of date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities that are typically patched within days or weeks.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, preventing the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC has loads of “crap-ware” installed on it that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required, and disabling the wrong service can lead to “unexpected behavior.”

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability, and care must be taken to provide the information necessary for them to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publicly on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint: it has nothing to do with computers.  It’s called Social Engineering, and you can read more about it in my blog post, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?


How to Spot Phishing

Phishing is a deceptive tactic used in emails, on bogus web sites, and in other communication media that convinces people to click on a link that typically brings the user to an impostor web site. These cyber attacks are generally attempting to accomplish one or both of the following:

  • Surreptitiously obtain personal account information
  • Plant virus and/or worm programs on the machine

Phishing is considered to be a “social engineering” cyber attack because it relies on tricking or deceiving humans into doing something they don’t realize they’re doing (see “The Hacker as a Magician”). This contrasts with exploits, which rely on shortcomings or defects in computer firmware or software to accomplish their nefarious objectives.

There are two common link manipulation tactics used that are easily recognized if you know what to look for…

Tactic #1: WYSINWYG

“WYSIWYG” is an acronym for What You See Is What You Get and is commonly used to describe software programs that provide an intuitive, graphical user interface with an accurate visual representation of the final rendering of some sort of content. In this case, I’m coining a new acronym: What You See Is Not What You Get. This is because the first common misdirection tactic used in Phishing is to display a legitimate URL (uniform resource locator) address that, in fact, points to a completely different address.

In order to understand how this works, here is a very quick and dirty introduction to how links are built in HTML. You’ll notice that there are various links scattered throughout this article that are plain English words that can be clicked.  As an example, the code for creating “Click here to visit my blog” looks something like this:

Click <a href="http://domesticatingit.com">here</a> to visit my blog.

When your browser sees this code, it composes a link to the address pointed to in the “href” attribute (in this case, “http://domesticatingit.com”) but only shows you the word “here”. Phishing attacks frequently rely on displaying a link that appears to be a legitimate address but isn’t. Consider the following screen shot:

Example phishing email

This is an example from Microsoft’s web site of a common technique that Phishing attacks use to obtain online banking credentials. The text displayed in the email (#1) shows the legitimate URL for this fictitious bank’s login page. However, hovering over the link in Microsoft Outlook reveals that the actual address (#2) is a completely different address. There are three observations to make in this example:

  1. The displayed address and the actual address are different. This is a huge red flag and should make you extremely suspicious.
  2. The displayed address is a secure (i.e. “https”) URL, and the actual one is not. Again, this is a red flag.
  3. The actual address is an IP address instead of a domain name. While there are occasionally legitimate reasons for doing this, it is another red flag that makes the link questionable.

In most software programs, hovering over a link will display the actual address either in a status bar or as balloon text below the link. Here’s an example from my Gmail account (using Firefox 3) that illustrates how to see where the link in an email is going to take you. The cursor is hovering over the “Review Legal Agreements” text and the status bar in the lower left hand corner displays the “href” attribute of the link.

Example of email link previewing

If for some reason hovering over the link does not reveal the destination address, you can usually right-click on the link and select “Copy Link Address” and then paste into Notepad in order to check it.

Bottom Line: Look before you leap.

Tactic #2: Sneaky URLs

Another tactic employed in Phishing attacks is to use URLs that, at first glance, appear to be legitimate because they include the real web site’s name somewhere in the URL. A recent Phishing exploit pointed toward Twitter users employed this approach to steal logins by using “twitter.access-logins.com” for the domain. Many people are fooled into believing this is legitimate simply because the word “twitter” appears in the address. It is further legitimized by rendering a near-perfect forgery of the real web site:

Twitter Phishing forgery

The reality, however, is that entering your login credentials on this site causes them to be logged to a hacker’s database; the attacker then uses the compromised accounts to send direct messages to other Twitter users.

This deception works because the address used directs a browser to the “twitter” subdomain of the “access-logins” web site. Without diving into a full-blown tutorial on how host names are constructed, suffice it to say that you need to read host addresses from right to left in order to understand how they are qualified. The right-most portion of the address is “com”. The next portion, “access-logins”, is the actual domain name; “twitter” is just a host name that the owner of that domain was free to choose. The WHOIS registrant for this domain turns out to be:

Registrant:
  Organization   : zhang xiaohu
  Name           : zhang xiaohu
  Address        : changningzhonghuainanlu192hao
  City           : changning
  Province/State : Hunan
  Country        : CN
  Postal Code    : 421500

Bottom Line: Parse that address - make sure the two right-most components are correct (e.g. “twitter.com”).
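Putting both tactics together, here is an added checker (example code, not from the original post, which shows none) that pulls every link out of a constructed sample email, compares the URL shown in the link text with the real href, flags bare-IP targets and https-in-text-but-not-in-link, and checks that the two right-most labels of the host match the brand you expect. The sample addresses and the `expected_domain` parameter are assumptions made for this example.

```python
"""Red-flag checker for the two phishing link tricks described above.

Added example, not code from the original post.  The sample email and its
addresses are constructed placeholders, not real sites.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None      # href of the <a> we are inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """The two right-most labels, e.g. twitter.access-logins.com -> access-logins.com.
    This is the post's rule of thumb; suffixes like .co.uk need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


URL_IN_TEXT = re.compile(r'https?://[^\s<>"]+')


def check_link(href, text, expected_domain):
    """Return the list of red flags for one link; an empty list means none."""
    flags = []
    actual = urlparse(href)
    host = actual.hostname or ""
    # Tactic #1 (WYSINWYG): the link text shows a URL that differs from the href.
    shown = URL_IN_TEXT.search(text)
    if shown:
        displayed = urlparse(shown.group(0))
        if (displayed.hostname or "").lower() != host.lower():
            flags.append("displayed host differs from actual host")
        if displayed.scheme == "https" and actual.scheme != "https":
            flags.append("text claims https but link is not https")
    if is_ip_literal(host):
        flags.append("link target is a bare IP address")
    # Tactic #2 (sneaky URLs): read right to left; the brand must BE the domain.
    if host and registrable_domain(host) != expected_domain.lower():
        flags.append(f"registrable domain is {registrable_domain(host)}, not {expected_domain}")
    return flags


def scan_email(html, expected_domain):
    """Return [(href, flags), ...] for every link in an HTML email body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text, expected_domain)) for href, text in parser.links]


# Constructed sample email; 192.0.2.44 is a documentation address.
SAMPLE_EMAIL = """
<p>Please verify your account at
<a href="http://192.0.2.44/login">https://www.example-bank.com/login</a></p>
<p>Or via <a href="http://twitter.access-logins.com/">twitter.access-logins.com</a></p>
<p>Legitimate: <a href="https://www.example-bank.com/help">help center</a></p>
"""

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL, "example-bank.com"):
        print(href, "->", flags or "looks consistent")
```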

Feel free to add your hints and suggestions in the comments below.  Also, forward this article to anyone you know who might be vulnerable to these tactics.  You can find more advice on avoiding Phishing scams on Fraud.org.


The 21st Century Land Grab

Are you leaving yourself out of the Internet’s latest “land grab”?

Cherokee Strip land run (1893 photo)

By now, many people are familiar with Cybersquatting – a process whereby a person registers a domain name in bad faith with the intent of reselling it later for a profit.  Recent legislation has made it easier for trademark holders and famous persons to obtain their domains from squatters, but the process is by no means foolproof (just ask Kevin Spacey and Bruce Springsteen).  However, this is just one layer of an increasingly complex wired world…

I Registered, Therefore I Am

All large and most small/medium/micro businesses (though still not enough) are finally coming to the realization that online invisibility is a tremendous liability.  But what about your personal online visibility?  Many people have registered their personal names as domain names.  Indeed, most domain registrars beat you over the head with requests to do so.  But this article is about far more than domain names – that ship pretty much sailed years ago along with Gmail and Hotmail addresses.  This is about establishing your online homesteads to be prepared for the current and future waves of social networking.

“Do you have a flag?”

This is a brilliant and hilarious skit by comedian Eddie Izzard.  He satirizes imperialistic England, who claimed ownership over indigenous civilizations “through the cunning use of flags.”  And so it goes with the new wired world – possession, as they say, is nine tenths of the law.  You need to claim as much territory as possible as soon as possible and all you need is a flag: your name.

More and more every day, web sites are becoming tools for learning more about individuals.  Sites like LinkedIn and VisualCV are becoming de facto online résumés.  Blogger and Wordpress are windows into people’s expertise and opinions.  Flickr, Delicious, and Netflix allow people to share their interests and experiences.  Of course, there are the mothers of all personal identity sites: Facebook and MySpace.  Finally, there are aggregators like FriendFeed and Plaxo that attempt to tie them all together.  You may utilize few if any of these sites right now, but do you want to bet your online future on the fact that you never will?

He Who Hesitates Is Lost

I’m fortunate in the sense that my name is not all that common.  My identity is pretty readily available on most platforms.  However, I’m not leaving it to chance.  I registered my domain name years ago and have been on a land-grabbing tear recently, snatching up my identity on any site with which I come into contact regardless of whether or not I think I will use it.  It’s the sports equivalent of “the best offense is a good defense.”  I firmly believe that more and more prospective employers and customers will be using online searches for individuals sooner rather than later.  If nothing else, don’t let them find the other “Jane Smith” before you.

On Your Mark, Get Set, Register

If you’re new to social networking and/or personal branding you may have no idea where to begin and that’s understandable.  In my opinion, these are the top priorities:

  • General
    • Domain name (e.g. www.janesmith.com)
    • Email (e.g. jane.smith@gmail.com, jane.smith@hotmail.com)
    • Twitter (e.g. twitter.com/janesmith)
  • Professional
    • LinkedIn (e.g. www.linkedin.com/in/janesmith)
    • Blogger (e.g. janesmith.blogger.com)
    • Wordpress (e.g. janesmith.wordpress.com)
    • Technorati (e.g. www.technorati.com/people/technorati/janesmith)
  • Personal
    • Facebook (e.g. www.facebook.com/people/JaneSmith)
    • YouTube (e.g. www.youtube.com/user/janesmith)
  • Sharing and Aggregating
    • FriendFeed (e.g. friendfeed.com/JaneSmith)
    • Delicious (e.g. delicious.com/JaneSmith)
    • Digg (e.g. digg.com/users/JaneSmith)
    • Flickr (e.g. www.flickr.com/photos/janesmith)

Have I left anything out?


What is RSS and Why Do I Care?

What is RSS?

Well, it stands for “Really Simple Syndication” but given the fact that there is still not widespread adoption and so few people understand it, one could take exception to that moniker. In any case, let’s try to use a newspaper analogy to explain this. Think about reading your local newspaper. For many people, there are certain sections that are of more interest than others. And maybe some sections that are of no interest. Wouldn’t it be cool if you could call up the newspaper and tell them, “I’m only interested in the Local, Business, and Sports sections, so would you please only include those in my newspaper? Also, I’d like the newspaper delivered to me at home, the office, and in my car - depending upon where I am at the time.”

So, that’s it in a nutshell; it allows you to subscribe to “feeds” that contain news and information from sources that are of interest. And depending on your technology platforms, you can read them from anywhere, anytime. You can scan over headlines, deciding which (if any) sound interesting, choose whether or not to read the entire article, and even make notes, mark them as a favorite, or share them with your friends and associates.

For this particular article, I’m going to stay away from the more technical how-to stuff and try to concentrate on the “what” and “why”. I’ve spoken with many colleagues in the past couple of weeks who are either new to the concept or don’t really understand how it can be leveraged by them to help them meet their personal and/or professional goals.

Here’s a snapshot of my Google Reader. It’s only showing publications I haven’t yet marked as “read” (click on the image to see full size).

So you can see that I’ve set up my reader to “tag” feeds with certain keywords (e.g. “FFL”, “LinkedIn”, “News”, “Sports”, etc…).  I can browse through the publications based on these categories, and when something seems worth reading more, I’ll either click on the article to read it immediately or “star” it so that I can read it later. Because I’m using Google Reader, I can also do all of this on my BlackBerry using Google’s Mobile Reader Application.

Why Do I Care?

  • Let the information come to you. For me personally, this is the most compelling benefit of RSS. I don’t have to worry about missing out on information that might be important to me by failing to read a particular issue of a newspaper or seeing a press release on a company’s web site.
  • It takes all kinds. There are many different types of RSS feeds available for subscription that make it possible to stay informed of many different topics. You can subscribe to news articles, blog posts, forum discussions, Craigslist postings, press releases, etc…
  • It’s OK to look. Any RSS reader will display a headline and several summary lines describing the publication, allowing you to quickly and easily scan through for items of interest.
  • Save, tag, share, and/or comment. RSS readers generally provide capabilities to perform tasks to organize, document, and share your subscriptions. If you see an interesting article but don’t have time you can save it to read for later. You can assign “tags” that categorize articles and even share them with others in your social and/or professional circle.

If you want to start utilizing RSS, the first decision to make is selecting an RSS reader. Read this Lifehacker article to get some recommendations. You can also see how many different ways there are to make use of your RSS feeds.


The Hacker as a Magician

I recently read two different stories that I probably never would have connected, had I not read them within 24 hours of one another. It struck a chord with me because it made me think about a particular pet peeve of mine in a slightly new way. But more about that later.

The first article was entitled “Social Engineering 101: Mitnick and other hackers show how it’s done.” Kevin Mitnick was the computer hacker who allegedly used the telephone system to hack into NORAD and was the inspiration for the movie WarGames. This article contains several YouTube videos in which Mitnick and other hackers describe social engineering tricks they’ve used to successfully trick employees into releasing sensitive information. The examples are at once hilarious and horrifying.

The second article was a blog entry entitled “The Magic of Marketing” on Guy Kawasaki’s “How to Change the World” blog. In it, he talks about research conducted on the relationship between misdirection and social cues. In a nutshell, one experiment found that the way a magician used his eyes influenced the audience and helped to induce the misdirection required for the illusion. Kawasaki, whose marketing gears are moving full speed 24/7, made the keen observation that similar social cues can influence marketing.

I’m sure by now you’ve made the same connection; Mitnick and other social engineers use common social cues to their advantage in order to create misdirection that allows them to create whatever illusion they wish. Now I can bring this home to my pet peeve regarding IT security - reliance on technology while ignoring the weakest link… people.

I am a firm believer that an ounce of prevention is worth a pound of cure, and it applies to security as well. Basic employee education and standard computer and internet use policies are a major step in the right direction toward closing some of those holes. But during my travels as a technology consultant, I am disappointed by the number of organizations that don’t seem to “get it.” Too many of them exist in a false sense of security (pun intended) that their firewalls, IPSs, and security agents will keep them safe.

One, two! One, two! And through and through
The vorpal blade went snicker-snack!
He left it dead, and with its head
He went galumphing back.


Do You Speak “Geek”?

Or perhaps more importantly, should you? I want to explore the very common situation of a manager or small business owner who does not “speak geek” and needs to outsource a software or web development project. I was recently asked by someone in such a position what the “best way to talk to a web developer” would be, since their requirements discussions were ending up in what he described as “Babylonic confusion.” He was hoping to find a book or course he could take in order to be able to better communicate his needs to the developer.

I don’t know that anyone has found a real live Babel Fish yet, so you’d better figure out another way to get your point across to the geek(s).

It’s Not Me, It’s You

At a moment like this, it’s time to go and get yourself a new developer. The project is doomed to fail. While it is your responsibility as a project manager to clearly articulate your requirements, it should only have to be done in your own comfort zone and business terminology and not involve learning a new language. Here are some inherent problems with taking this approach:

  • First, this assumes there is a single language to be learned. There are typically multiple technologies involved in any project (e.g. database, server operating system, programming language(s), scripting language(s), hosting platform, external APIs, etc…) and hoping to become conversant in all of them is going to take an incredible effort at best and is futile at worst.
  • Second, merely speaking the language is not enough and could, in fact, exacerbate the problem. The reason is that there is such a thing as “knowing enough to be dangerous”. Without experience in architecting a solution, talking about the technical aspects of a solution is premature. It would be like specifying what type of tires you want on a new car before even deciding whether it will be a sports car, sedan, or SUV!
  • Third, this leads to the real possibility that you will end up with what you asked for and not what you wanted. This is quite common in software development. It’s something like asking for a “kick ass” sports car and then getting a car with a mechanical arm on the front of the car with a boot mounted to it. It may be what you asked for, but it’s not what you wanted.

Tell Me What You Want, Then I’ll Tell You What You Need

I’ve sat down with users many times in requirements meetings and asked them what they want the system to do. Often, they find it very difficult to answer because there have not been any boundaries or parameters established for them. It’s like when my wife asks me, “What do you want for dinner tonight?” When I’m feeling particularly sarcastic, I’ll say something inflammatory like “How about Peking duck with an orange glaze and chocolate soufflé for dessert?” and then run for cover. What I’m actually saying is, “What are my choices? What are the parameters? Are you going shopping or do we need to find something in the fridge? If so, what do we have? What about take out?” You get the picture.

When you alter this scenario and instead put a prototype or screen shots in front of users, then you’ll get bags and bags of feedback. That’s because the parameters have been set and they can visualize the inputs, the manipulations, and the outcomes. In the end, that’s what information technology is; stuff goes into a box, something happens to the stuff, and new stuff comes out the other end. It’s all about defining the inputs, the manipulations and the outputs. But that still doesn’t answer the fundamental question here. How do you deal with a contract developer who doesn’t get it? I’ve already said you go and get yourself a new one. But how do you make sure the new one will work out differently?

Tell Me Something I Don’t Know

Developing a software application is a lot like building a house; it’s the design, architect, build process. You’re the designer and ideally you’d like to find the architect and builder in the form of one person. As a last resort, you are better off hiring both if you can’t find one person to do both jobs. And remember this – you’re a designer, not an architect and certainly not a builder!

The bottom line is to try to find someone with experience in the business arena in which you operate. If you’re the owner of a small chain of sandwich shops, don’t just hire someone who’s developed a web site before, try to find someone who’s developed a web site for a restaurant. And not just one restaurant; a chain. Experience is golden here and there is one rule of thumb that I also mentioned in an earlier blog (Yes, Virginia, You Need a Web Site). When or if you find a developer who can tell you something non-technical about your business that you didn’t know, then you know you’ve got yourself a winner.


Yes, Virginia, You Need a Website

To web, or not to web, that is the question. Whether ‘tis nobler in business to suffer the slings and arrows of outrageous consultant costs or to take arms against a sea of technological doubts, and by opposing, end them.

Since recently becoming active in the LinkedIn question and answer section, I’ve seen no fewer than four questions in the span of one week asking “Do small companies need a website?” and various derivatives thereof. Most of them were asked by incredulous marketing consultants who obviously run into prospects and clients who do not have one and/or don’t feel they are necessary. My $0.02 = they are as necessary as business cards, only cheaper!

I see lots of advice from professional designers and marketing consultants about leveraging technology, search engine optimization, brand identification, consistency of message, etc… Which is true enough in many circumstances, but I feel that advice like this is partially responsible for discouraging small businesses from commissioning a web site. The other (and likely far more common) reason is ignorance of just how quick, easy, and inexpensive it is these days.

Why!? Why!?

Before a discussion of exactly how quick, easy, and inexpensive it is to get a web site up and running, I can hear the “professionals” tearing clothing and ripping hair from their skulls as they scream, “Noooooo! But what about x, y, and z?!?!” Where x, y, and z represent any web design or marketing catch phrase you care to insert. I even saw one designer advise a small business owner to make sure that any designer they select does not use tables for web page layout, or they would be sorry! While there is sound theory behind this advice, it is precisely the sort of technological hyperbole and cart-before-the-horse advice that paralyzes small business owners. My short answer is, “All in due course.” But let’s get this beast domesticated right now with a little more detailed answer…

I don’t mean to make light of the legitimate points made by professional web designers and marketing consultants. They are, by and large, valid concepts that are important in the proper context. However, I think that people too frequently equate “minimally done” with “poorly done” and I submit that they are very different. With that in mind, I’ll suggest three stages of web presence that can all be done either well or poorly, but the amount of money spent will not be a factor.

Stage 1: The Online Business Card

That sounds pretty simple, right? In this stage you expect no more from your website than you would from a business card; your company’s contact information and logo along with a quick blurb about what you do and/or what your mission is. The key thing about a business card is the “leave behind” aspect; that you can give it to someone for them to reference later on. Browser bookmarks are the Internet equivalent in this case. If I want to remember your company for some reason, I’ll slap a bookmark to your website in the appropriate category.

Obviously, an online business card can be done well or poorly just like an ordinary business card (I’ve seen some pretty hideous ones). The key here is to keep it simple and visually appealing. For many companies who believe they don’t need a web site at all, this is likely about all they need. And as for that argument, I can tell you two things about my personal approach to finding something I need. First and foremost, if I can’t find it on the web then I probably won’t find it. If your product or service is not on the web, then your competitor’s probably is and you lose. Keep in mind here, I’m not talking about looking for a “high volume widget supplier” or world-class patent and trademark litigator. I’m talking about finding a plumber, dog sitter, yoga instructor, or wedding photographer. Second, if you don’t care enough about your business to have a web site, then I don’t feel like it’s a “legitimate” business. That’s just a personal bias I have, but I think it is becoming more and more common.

This stage is absolutely a “do it yourself” candidate. As an example, GoDaddy.com has a service called “Website Tonight” that gets you a hosted web site with web templates and authoring tools plus a list of features too long to list here for $4.99 per month. All of the web hosting companies offer similar products that allow you to get a web site created literally in minutes.

Stage 2: The Online Advertisement

This is the stage where a small business owner who is not a) technically savvy and (emphasis on the word “and”) b) knowledgeable in marketing will need to get some help. This is not to say that it necessarily needs to be fully outsourced and professionally designed, but it will be important to make sure that certain basic principles of web design and marketing are followed. The goal of a Stage 2 web site is to actually advertise your product(s) and/or service(s) and convince the visitor to take some follow up action.

This may or may not be a “do it yourself” situation, depending upon several factors, not the least of which is the company’s expertise as just discussed. Other factors include the complexity of the product and/or service, the volume of traffic, and the technology required (if any) to deliver the message (e.g. streaming video, flash animations).

Stage 3: Launch

This final stage transitions the web site from an information server to an active lead generation and business development tool. Its goal is not just “to be” or even simply to provide a compelling call to action online. Rather, the goal is to generate an online presence that includes a web site. I’m not going to say very much about this stage for a couple of reasons. First, the whole point of this blog was that most small businesses don’t realize they only need stage one or two. Second, it’s a subject that can take up an entire (virtual) library. Third, there are many bloggers out there with much more expert advice on the matter than I could give.

Conclusion

In summary, I don’t accept that a simple, template-based web site is worse than no web site at all. However, that’s not to say that a poor web site is better than no web site, because I don’t believe that is true. It’s important to follow the Hippocratic Oath here; first, do no harm. Aside from the obvious advice of not making glaring mistakes (i.e. spelling, factual, copyright violations), it’s important not to bite off more than you can chew. For example, don’t put a news section on your site if you aren’t going to update it frequently. And don’t ever, under any circumstances, use the words “under construction” or “coming soon”. These have become euphemisms for “I’ve run out of money” or “I don’t know how to do this.”

It’s easier and cheaper than ever, so you have nothing to fear but fear itself. Give it a shot and ask friends and colleagues for their feedback and suggestions. If you keep it simple, you generally can’t go wrong.

© 2008-2009 Domesticating IT All Rights Reserved