Create a Compelling Resume Online With WordPress

Do you stand out?

Here’s a news flash – the economy is a little rough these days.  With the unemployment rate creeping up, it’s a time when you need to be clear about what you can bring to a prospective employer or client and, above all, to stand out from the competition.  Fortunately, it’s cheaper and easier than ever to make yourself “present with authority.”

One of my new year’s resolutions was to get my online identity sorted out, which means making the most of the available tools and delivering a consistent message. After taking inventory of the various professional sites to which I belong (e.g. LinkedIn, VisualCV), I decided that I needed an aggregator to take charge and deliver my message, my way, in my style. I had registered my own name as a domain many years ago but not done anything with it, and so I decided to use WordPress to tell my professional story.

What Are the Benefits?

If you think about your career as a product that you’re selling, wouldn’t it make perfect sense to have a web site? Of course it does, and you want your personal brand to have the same benefits:

  • More and more, clients and employers are performing online searches to learn more about the people with whom they are considering engaging. Having a search engine friendly web site makes it more likely they will find you.
  • Indexing your experience through the use of keywords makes it easy for people to zero in on the skills and/or expertise in which they’re interested (more about that later).
  • Multimedia capabilities (i.e. images, video, presentations, links) make it easier for you to tell your story in a vivid and interesting way.
  • You can use specialized links to direct people to specific content areas of your profile.
  • While this practice may soon be commonplace, for the moment at least it will help you to stand out from the crowd.

Laying the Groundwork

The first decision is your domain name. One option is to use Blogger or WordPress.org (e.g. jondipietro.wordpress.org), which is free. However, for the few dollars a year it costs, you are far better off registering your own domain name, preferably your first and last names if available. This article will discuss building your online resume using WordPress on your own hosted site.

Once the basic WordPress installation is in place, the first thing you’ll want to do is to find a clean, professional theme and install it. There are a number of plugins that I install on every WordPress site right out of the gate:


Turn the Page

Now it’s time to set up the pages.  I decided on the following site map:

  • Home
  • About Me
    • Work History
    • Skills
    • Volunteerism
  • Experience
  • Companies
  • Social Networks
  • Contact Me

The tricky thing about this is that, by default, WordPress publishes blog articles to the front page of the site.  In order to implement my strategy, it’s important to change that.  You can do this on the Reading Settings page by selecting “Home” for your front page and “Experience” as the posts page.


Change the default settings for the front and posts pages.

Next, you’ll need to populate the Home, About Me, Work Experience, and Skills pages.  The Home page functions as a sort of generic cover letter, while the other pages represent the customary sections of a resume.  However, you have the freedom to be a little more creative and verbose in this environment than on a paper resume.

What you don’t see in the site map (or in the menu) is my social networking landing page.  Another benefit of having your own web site is the ability to create landing pages from other sites that allow you to customize messages and, again, tell your story.  For example, Twitter provides very little space to customize your profile but they do allow you to enter a web site URL that you can point to a customized landing page.  This is where the “Exclude Pages from Navigation Menu” plugin comes in handy.

Rubber Meets Road


Skills, experiences, clients, etc... are displayed in the tag cloud widget.

The power of this approach now takes shape as you create blog posts to describe specific projects, publications, and experiences.  The key is carefully selected categories and liberal use of tags for the posts.  This will allow employers and/or clients to quickly zero in on the topics in which they are interested.  And since you’re making it easy to find the information they’re looking for, you can feel free to include lots of details, making them as interactive as possible.  You’ll want to include the Simple Tags tag cloud widget in the sidebar.

The categories are also important and you can use them to organize your pages and posts at a higher level than the tags.  How and where the categories are displayed is somewhat dependent upon your theme.  Some themes display them as menu items while others display them in the sidebar; which you choose is a matter of personal preference.

Shout It Out Loud

Once your online resume is good to go, you can send out customized links to direct people straight to a particular area of interest.  For example, if I’m looking to secure a consulting contract for VB.NET development, I could send the following in an email:

“Please see the VB.NET projects listed on my online resume.”

The “VB.NET” link is http://www.jondipietro.com/tag/vbnet, which will automatically display a list of all pages or posts that were tagged with the VB.NET keyword.  You can begin to see how easy it is to send customized links to employers and clients that zoom right in to the areas on which you want them focused.


Conclusion

As I mentioned, I didn’t initially set out to create an online resume but once I started putting the idea together it became clear how compelling and useful this approach can be.  But I’m interested to hear about other creative ideas for leveraging this medium, so leave some comments.  Oh, and feel free to share a link to your own online resume.

Update

Thanks to Eric for prompting me to write a follow up to this post. If you’d like to see how this has helped me over the past two years, check out “Personal Inbound Marketing FTW!”

Photo credits:
“Stand Out in a Group” by TheZionView

Top 5 No Cost Cyber Security Practices

Is cyber security a technology problem or a people problem?

Cyber security is a complex, highly technical subject that is best left to the Asperger-nerd in the computer room battling against the pimply-faced hacker sucking down Mountain Dew in his mother’s basement, right?  It’s a cat and mouse game that pits the white hats against the black hats, the antivirus computer scientists against the hackers, right?  It’s certainly not the realm of the average small business owner, right?  Wrong, wrong, and wrong!

What if I told you that human error was more responsible for data breaches in 2008 than hacking?  What if I told you that hacking was third on the Identity Theft Resource Center’s (ITRC) categorized list of data loss methods?  The reality is that cyber security is a people problem first and a technology problem second.

More Awareness, Less Reliance


Most organizations are oblivious to the weakest link in the security chain

I’ve come to a remarkable, if not depressing, realization in my information technology career.  Over the last 20 years of consulting, I’ve visited scores of clients in hundreds of facilities and I can easily count the number of times I was ever given any sort of cyber security orientation – exactly once.  I’ve walked into propped-open back doors of more manufacturing facilities than you can shake a stick at, and more often than not waltzed right up to a machine control panel, hooked up my laptop, and started pounding away at the keyboard while smiling and waving at trusting operators I had never before met in my life.  The realization is this: the vast majority of companies, large and small alike, is completely oblivious to the weakest link in the security chain: people.

The misperception that cyber security is all about technology is a serious mistake that is made by both small and large businesses.  The small businesses often believe that they are not sophisticated enough to employ their own cyber security programs and, therefore, either ignore it altogether or simply outsource it to an IT subcontractor.  The large businesses spend millions of dollars on intrusion prevention systems, biometric security, and other sophisticated technological countermeasures.

Hopefully by now I’ve made the point that cyber security is about much more than firewalls, Trojans, and keyboard loggers.  So without further delay, here is a list of five no-cost practices every organization can implement that will go a long way toward securing their data.

Use Passwords, Use Them Well

OK, show of hands… how many of you are rolling your eyes?  It sounds obvious, but password laziness and ignorance are still the number one vulnerability for computer systems.  I understand how painful it is these days to maintain all of the user names and passwords in our lives.  However, it is the world we live in and we must accept it and follow these bare minimum password practices:

  • No shared passwords:  This is especially common in process automation where there are many users of the same machine.  Everyone must have their own unique user name and password.
  • Complex passwords:  Use combinations of letters and numbers, preferably composed of one or more words that are not in the dictionary.  Why?  Read this article about Dictionary Attacks.
  • Change passwords:  This is probably the most annoying of these three practices, and I confess that it aggravates me to have to do.  However, changing passwords periodically is one of the best ways to prevent misuse of a password that is unknowingly (or even deliberately) disclosed.

Utilize Automatic Updates

Unpatched operating systems and out of date virus definitions are like the gimpy prey of a flock; they are the first to be targeted by the hunter.  Many computer viruses and other exploits rely on software vulnerabilities that are typically patched within days or weeks.  However, it is not at all unusual for me to see network servers out of date by more than a year.  Another common problem is for antivirus subscriptions to expire, preventing the virus definitions from updating.

Clean House

Every program loaded on a computer is a potential vulnerability.  The fewer of them there are, the better.  A typical Windows PC has loads of “crap-ware” installed on it that can and should be removed using the Add/Remove Programs option in Control Panel.  Additionally, there are Windows Components (e.g. Messenger, Media Player) that should be removed if not used.  Finally, there are usually Windows Services running by default that are not used.  This particular cleanup is generally left to computer professionals, as it is not always obvious which of these is required and disabling the wrong service can lead to “unexpected behavior.”

Create Policies

There are many reasons for establishing written computer and internet policies for employees.  One, of course, is legal liability for the employer.  The other is (or at least should be) educational.  It’s not enough to write up these policies; they need to be presented and explained in an open environment to ensure that they are understood and appreciated.  These policies go far beyond telling users they can’t surf porn on the company’s computers.  They need to include things like proper care and usage of portable storage devices, remote access procedures and policies, e-mail policies, etc…  You can find a list of templates at the SANS Security Policy Project web site.

Protect Sensitive Information

Insiders and subcontractors are another major vulnerability and care must be taken to provide the information necessary for them to do their jobs, but no more.  This is especially true of subcontractors, of which I am one, who are frequently given and/or create sensitive documents, diagrams, lists, and other data.  It is important to establish guidelines for its use to ensure that the information is handled with care and returned or disposed of when the job is complete.  As incredible as it sounds, a subcontractor published a complete schematic of Pearl Harbor Naval Base’s power monitoring control system in a white paper available publicly on the Internet (I just checked and the information has apparently been removed).

The Bonus Round

What is the hacker’s #1 tool of the trade?  I’ll give you a hint; it has nothing to do with computers.  It’s called Social Engineering and you can read more of it in my blog, “The Hacker as a Magician.”

Feel free to share your own anecdotes and pearls of wisdom on the subject.  What are some of the head-shaking moments you’ve witnessed?  Are there any “doh!” moments you care to share?


How to Spot Phishing

Published on January 4, 2009 by in Best Practices, How To


Phishing is a deceptive tactic used in emails, on bogus web sites, and other communication media that convince people to click on a link that typically brings the user to an impostor web site. These cyber attacks are generally attempting to accomplish one or both of the following:

  • Surreptitiously obtain personal account information
  • Plant virus and/or worm programs on the machine

Phishing is considered to be a “social engineering” cyber attack because it relies on tricking or deceiving humans into doing something they don’t realize they’re doing (see “The Hacker as a Magician“). This is contrasted by exploits, which rely on shortcomings or defects in computer firmware or software to accomplish their nefarious objectives.

There are two common link manipulation tactics used that are easily recognized if you know what to look for…

Tactic #1: WYSINWYG

“WYSIWYG” is an acronym for What You See Is What You Get and is commonly used to describe software programs whose graphical user interface gives an accurate visual representation of the final rendering of some sort of content. In this case, I’m coining a new acronym: What You See Is Not What You Get. This is because the first common misdirection tactic used in Phishing is to display a legitimate URL (uniform resource locator) address that, in fact, points to a completely different address.

In order to understand how this works, here is a very quick and dirty introduction to how links are built in HTML. You’ll notice that there are various links scattered throughout this article that are plain English words that can be clicked.  As an example, the code for creating “Click here to visit my blog” looks something like this:

Click <a href="http://domesticatingit.com">here</a> to visit my blog.

When your browser sees this code, it composes a link to the address pointed to in the “href” attribute (in this case, “http://domesticatingit.com”) but only shows you the word “here”. Phishing attacks frequently rely on displaying a link that appears to be a legitimate address but isn’t. Consider the following screen shot:

Example Phishing email

This is an example from Microsoft’s web site of a common technique that Phishing attacks use to obtain online banking credentials. The text displayed in the email (#1) displays the legitimate URL for this fictitious bank’s login page. However, hovering over the link in Microsoft Outlook reveals that the actual address (#2) is a completely different address. There are three observations to make in this example:

  1. The displayed address and the actual address are different. This is a huge red flag and should make you extremely suspicious.
  2. The displayed address is a secure (i.e. “https”) URL, and the actual address is not. Again, this is a red flag.
  3. The actual address is an IP address instead of a domain name. While there are occasionally legitimate reasons for doing this, it is another red flag that makes the link questionable.

In most software programs, hovering over a link will display the actual address either in a status bar or as balloon text below the link. Here’s an example from my Gmail account (using Firefox 3) that illustrates how to see where the link in an email is going to take you. The cursor is hovering over the “Review Legal Agreements” text and the status bar in the lower left hand corner displays the “href” attribute of the link.


Example of email link previewing

If for some reason hovering over the link does not reveal the destination address, you can usually right-click on the link and select “Copy Link Address” and then paste into Notepad in order to check it.

Bottom Line: Look before you leap.

Tactic #2: Sneaky URLs

Another tactic employed in Phishing attacks is to use URLs that, at first glance, appear to be legitimate because they include the real web site’s name somewhere in the URL. A recent Phishing exploit pointed toward Twitter users employed this approach to steal logins by using “twitter.access-logins.com” for the domain. Many people are fooled into believing this is legitimate simply because the word “twitter” appears in the address. It is further legitimized by rendering a near-perfect forgery of the real web site:


Twitter Phishing forgery

The reality, however, is that entering your login credentials on this site causes them to be logged to a hacker’s database that then uses the compromised accounts to send direct messages to other Twitter users.

This deception works because the address used directs a browser to the “twitter” subdomain of the “access-logins” web site. Without diving into a full-blown tutorial on how host names are constructed, suffice it to say that you need to read host addresses from right to left in order to understand how they are qualified. The right-most portion of the address is “com”. The next portion of the address, “access-logins”, is the actual domain name. The WHOIS registrant for this domain turns out to be:

Registrant:
  Organization   : zhang xiaohu
  Name           : zhang xiaohu
  Address        : changningzhonghuainanlu192hao
  City           : changning
  Province/State : Hunan
  Country        : CN
  Postal Code    : 421500

Bottom Line: Parse that address – make sure the two right-most components are correct (e.g. “twitter.com”).

Feel free to add your hints and suggestions in the comments below.  Also, forward this article to anyone you know who might be vulnerable to these tactics.  You can find more advice on avoiding Phishing scams on Fraud.org.

The 21st Century Land Grab

Oklahoma Bricktown Land Run

By now, many people are familiar with Cybersquatting – a process whereby a person registers a domain name in bad faith with the intent of reselling it later for a profit. Recent legislation has made it easier for trademark holders and famous persons to obtain their domains from squatters, but the process is by no means foolproof (just ask Kevin Spacey and Bruce Springsteen).
However, this is just one layer of an increasingly complex wired world…

I Registered, Therefore I Am

All large and most small/medium/micro businesses (though still not enough) are finally coming to the realization that online invisibility is a tremendous liability. But what about your personal online visibility? Many people have registered their personal names as domain names. Indeed, most domain registrars beat you over the head with requests to do so. But this article is about far more than domain names – that ship pretty much sailed years ago along with Gmail and Hotmail addresses. This is about establishing your online homesteads to be prepared for the current and future waves of social networking.

“Do you have a flag?”

This is a brilliant and hilarious skit by comedian Eddie Izzard. He satirizes imperialistic England, who claimed ownership over indigenous civilizations “through the cunning use of flags.” And so it goes with the new wired world – possession, as they say, is nine tenths of the law. You need to claim as much territory as possible as soon as possible and all you need is a flag: your name.

More and more every day, web sites are becoming tools for learning more about individuals. Sites like LinkedIn and VisualCV are becoming de facto online résumés. Blogger and WordPress are windows into people’s expertise and opinions. Flickr, Delicious, and Netflix allow people to share their interests and experiences. Of course, there are the mothers of all personal identity sites: Facebook and MySpace. Finally, there are aggregators like FriendFeed and Plaxo that attempt to tie them all together. You may utilize few if any of these sites right now, but do you want to bet your online future on the fact that you never will?

He Who Hesitates Is Lost

I’m fortunate in the sense that my name is not all that common. My identity is pretty readily available on most platforms. However, I’m not leaving it to chance. I registered my domain name years ago and have been on a land-grabbing tear recently, snatching up my identity on any site with which I come into contact regardless of whether or not I think I will use it. It’s the sports equivalent of “the best offense is a good defense.” I firmly believe that more and more prospective employers and customers will be using online searches for individuals sooner rather than later. If nothing else, don’t let them find the other “Jane Smith” before you.

On Your Mark, Get Set, Register

If you’re new to social networking and/or personal branding you may have no idea where to begin and that’s understandable. In my opinion, these are the top priorities:

  • General
    • Domain name (e.g. www.janesmith.com)
    • Email (e.g. [email protected], [email protected])
    • Twitter (e.g. twitter.com/janesmith)
  • Professional
    • LinkedIn (e.g. www.linkedin.com/in/janesmith)
    • Blogger (e.g. janesmith.blogger.com)
    • WordPress (e.g. janesmith.wordpress.com)
    • Technorati (e.g. www.technorati.com/people/tecnorati/janesmith)
  • Personal
    • Facebook (e.g. www.facebook.com/people/JaneSmith)
    • YouTube (e.g. www.youtube.com/user/janesmith)
  • Sharing and Aggregating
    • FriendFeed (e.g. friendfeed.com/JaneSmith)
    • Delicious (e.g. delicious.com/JaneSmith)
    • Digg (e.g. dig.com/users/JaneSmith)
    • Flickr (e.g. www.flickr.com/photos/janesmith)

Have I left anything out?

Photo credits:
‘Oklahoma Bricktown Land Run’ courtesy of Serge Melki from Flickr (creative commons)
