Security Is All About Obscurity
It is commonly argued that “security through obscurity” is false security. I think this whole debate is poorly defined. Ultimately, security is all about obscurity and nothing more. Take passwords, for instance. “123456” is the most common password, so if you are smart, you would not use it. Your birthday would be more obscure, but it is still relatively easy to crack, especially by someone who knows something about you. So, you might use the name of your cat. But you might feel that this too might be crackable. So, you combine the name of your cat with the name of your first grade teacher. And so on… The more important the information you are trying to protect, the more obscure you make your password. This is security through obscurity. There is no security system that does not use security through obscurity. Even fingerprint scanners rely on obscurity. The chance of someone sharing the same fingerprint as yours is 1 in 64 billion. Again, this is not perfect. It is still relying on obscurity; the only difference is the degree.
—posted by Dyske » Follow me on Twitter or on Facebook Page
To Flash or Not to Flash
Flash is a technology that allows you to have “rich” media on the Web, such as animation. It’s commonly used for banner ads on Web pages. It was originally called FutureSplash back when it was first introduced in 1996. I remember the excitement it created then. It allowed designers to have animations on websites, and that was a big deal because this was when everyone was still connecting to the Internet through phone lines. Since then, Flash has been acquired by Macromedia and then by Adobe. It is one of the most successful technologies in the history of the Internet so far. But in April of this year, Apple’s CEO, Steve Jobs, made a statement about Flash that threatened its future. Apple has decided not to support Flash on its mobile devices like the iPhone and iPad. Adobe ran an advertising campaign to counter Jobs’ curse on their product. Many Flash developers voiced their displeasure in the blogosphere. At the same time, those who agreed with Jobs scrambled to convert their Flash-based content to HTML. What does all this mean to business owners who have no time or interest in understanding the techno-jibba-jabba?
How Popular Is Your Website?
Surprisingly, this is not an easy question to answer. Suppose the data from your Web server says you get about 50 visitors a day. Is that high or low? Well, it depends. In order to figure out whether your website is “popular” or not, you would need to be able to compare your website with those of other businesses similar to yours. For instance, if you are a magazine publisher, 50 visitors a day would be quite low. Given that you have to make money from visitors seeing ads on your site, 50 visitors could not sustain your business. On the other hand, if you are a lawyer, 50 would be a lot. Lawyers typically make thousands of dollars from each client, so having 50 potential clients looking at your site every day would be good news. In other words, how many visitors you need depends on how much money the average customer spends with your business.
Another factor is your physical presence. Suppose you start an online business selling hats, and your competitor opens a store on Broadway that also sells hats. Suppose your competitor also has a simple website for his business (but he does not sell anything through it). Who would get more visitors? In most situations, the one with a retail store will. Part of the rent you pay for a retail space is essentially a marketing budget. People walk by the store and learn about your business. If your business exists only online, it’s equivalent to a store on the 85th floor of the Empire State Building; nobody would just happen to walk by it. With no marketing, you get zero visitors.
Managing Email for Your Business
I remember the days when only a small number of my friends and colleagues had email accounts (in the mid 90s). I used to think, “Oh, wouldn’t it be nice if everyone had email… I could send out my party invitation in one click!” (Yes, I used to throw parties.) Now we assume everyone has an email account. Even our government asks for our email addresses, which implies that having an email account is a social responsibility. Also, every legitimate business is expected to have its own domain name for the email addresses of its employees. It does not look professional to have email addresses at AOL or Yahoo. But it’s not so simple to have your own domain name and manage it. The solution I offer below assumes that you have a small business without an IT department. That is, it is a cost-effective compromise, not a definitive solution for all businesses.
For BP, There Is No Such Thing As Bad Publicity?
Today I was trying to learn more about the new strategy to stop the oil leak in the Gulf, and came across the illustration below. The first thing I noticed was the BP logo in the upper right corner. Many people have pointed out how bad BP is at public relations. It struck me as odd that they would stamp their logo so proudly on this illustration that explains how to stop the oil leak. Why would they want to associate their brand with something so negative?
Earlier today, I walked by the BP gas station on Houston and Broadway here in New York City, and noticed that someone had splattered dark brown paint over the BP sign. To me, branding the illustration of the biggest oil leak in American history with a logo is just as damaging to the brand as this brown splatter, except that the order is reversed: instead of defacing the logo, they slapped the logo on something that’s defaced. Such an odd thing to do.
iPad and the Future of Publishing
Now there is a lot of excitement about the iPad saving the publishing industry. Even though I love my iPad, I doubt that it can do anything for the print media. The only real difference between an iPad-optimized website and an iPad App is the price expectation. We have come to associate the Web with being a free medium, whereas we expect to pay for “Apps”. But this will change rather soon. The prices of iPhone apps keep dropping, and if any app costs more than 99 cents, people complain that it’s too expensive. It’s just a matter of time before the vast majority of Apps are free.
Although the novelty of iPad magazines like Popular Science+ may be worth paying for now, the excitement will wear off pretty soon. Ultimately, I don’t think there will be any advantage to reading magazines in an App. Google has done a great job of optimizing Gmail for the iPad, and I actually prefer using it within the browser over using the iPad’s native email App. Gmail has many great features; some are built in by default, while others can be added. Features like labeling and filtering would not work in the iPad’s email App. There are no chat or SMS features from within the email UI either.
App-based magazines will have the same problem: while some features are going to work better in the App versions, others will be better in the Web versions. The App version can only be used on the device you installed it on, while the Web version can be accessed from any device: iPad, iPhone, or desktop, your own machine or someone else’s. You have to manage your copy of the magazine App: installing, upgrading, and backing up. The Web version would not require any of that.
As more websites start to take advantage of HTML5, the differences between the App versions and the Web versions will virtually disappear. There will be fewer and fewer reasons to publish anything as Apps.
Also, less popular magazines could create an iPad version and make it free to take the audience away from more popular magazines, which could force all the magazines to go free.
Another situation publishers are facing now is that the brand names of magazines and newspapers are less relevant to readers. Because of the efficiency of search engines, I can find relevant articles in any publication. I don’t really care who published them. I’m often reading articles from magazines that I’ve never heard of. And I surf from one publication to another.
The same phenomenon is happening on TV. Because of DVRs, we no longer care what channels our favorite shows are on. In the old days, people were loyal to certain network channels, and watched whatever shows came on those channels. This was mostly due to the fact that we could not watch what we wanted whenever we wanted. We were at the mercy of network schedules. DVRs and other on-demand video technologies freed us from this. Now we can search for and play what we want to watch, just like on the Web. The concept of a “network” is no longer relevant.
The same holds true for magazines. Many of the existing conventions and our reading habits are tied to the physical limitations of printed media. Because it did not make sense to print and sell one page at a time, publishers released a set of articles at a certain time interval. This is no longer relevant.
Furthermore, with printed magazines, we could only buy and carry a limited number of them, so we were stuck reading everything in the magazine we bought. This too is no longer relevant. With the Internet, we have access to thousands of magazines at our fingertips. There is no reason for us to read all the articles in one magazine cover to cover. We can jump from one great article in one magazine to another great one in another magazine. We don’t really care who published them. In the end, it’s the content that matters. This is yet another disadvantage of App-based magazines: it’s disruptive to have to go from one App to another. It’s much easier to surf within a browser.
In the early days of blogs, most of them had no specific topics. Now, the idea of a general-interest blog is almost an oxymoron. On the Web, there is no point in grouping a variety of unrelated content, because the Web itself is doing that. There has to be a good reason why you would want to group content into one site. I would rather follow a particular writer than follow a general news media outlet like the New York Times. The latter is too general to be useful. The differences between various news media outlets are too subtle. “New York Times” is just a way to group a variety of content, and what ties it together is their editorial vision. But the difference between their editorial vision and that of, say, the “Washington Post” isn’t great enough to offer any real value in those groupings. In our digital age, such groupings are no longer relevant.
In comparison, “Engadget” and “Gawker” are groupings that make sense. Many of these popular blogs started out as ordinary blogs operated by one person, but they have now become institutions. Blogs are becoming closer to traditional media as traditional media are becoming closer to blogs. I believe somewhere between the two is the future of publishing. The iPad is a great device, but I do not think that it can save the traditional business model of publishing. If anything, it will probably accelerate its demise.
DoGood — How They Abuse Good Cause to Make Money
I just came across this website, DoGood, which provides a browser plugin called DoGooder that replaces website publishers’ banner ads with DoGood’s banner ads. Their rationale is that the banners they serve are all Green-related or philanthropic. I just published an article about documentary filmmakers who exploit good causes to promote their own careers. This is another example of how people exploit their association with good causes. The trick is to use the cause as a disguise so that the audience does not notice the exploitation.
What they are doing is stealing. They are stealing the content (intellectual property) that the advertisers paid for. Whether the advertisers are “good” or evil (or “generic”) is beside the point. Even if the products that they are selling are not “good” or “philanthropic”, these advertisers have the right to make their own decisions about the good causes they may want to contribute to out of their profits (or not). Advertising is a way for them to increase those profits.
DoGood accepts website publishers’ requests to be on their exemption list if they too serve Green-related banners. This would basically mean that most major publishers like the New York Times would be exempted, which in turn means that DoGood will be stealing mostly from the little guys who barely make money from their websites.
On their website, DoGood assures publishers that they will still get paid for their ads, presumably because the plugin will still act as though it is requesting the real ads from the ad servers. But if the ads are not displayed, nobody will ever click on them. For the publishers, these clicks are the real source of their income.
If DoGood were a plug-in written by some college student who makes no money from it, I wouldn’t have any problem with it, but DoGood is a private business. Even though they claim to donate 50% of the profit, they are still pocketing the other 50%. Even if DoGood were a non-profit organization, they would still be paying salaries to themselves. There are plenty of web-based projects where unpaid volunteers pitch in their time to keep them going. That would be an acceptable solution too. But DoGood is a business. Let’s not get fooled.
Any money that DoGood receives from their advertisers (not just their profit, I mean any money they receive) equates to the value of the goods (banner impressions) that the advertisers were supposed to receive for the money they paid, but which were stolen by DoGood, plus the clicks the publishers lost. Remember: DoGood does not provide any content. There is nobody working hard at DoGood writing articles, creating artwork, or shooting photographs. So, they have zero cost for generating content.
It’s like the music sharing programs. There is a big ethical difference between those that make no money and those that do. I have no interest in protecting the music industry, but if any music sharing service were making a profit from letting its users share MP3 files without paying any licensing fees to the music publishers, I would find it unethical too. If such a service were to donate 50% of its profit, would it make the business ethical? I’d say no. If donating 50% of the profit makes anything OK, hell, let’s sell drugs or steal other people’s property, and donate half of it.
Furthermore, the problem with this type of Robin-hood-esque self-righteousness is that it disregards the rights of others and disrespects differences of opinion about what constitutes good and bad. They put themselves on a moral high ground and force others to eat their moral standards. To add insult to injury, DoGood is making money from that process. I would question the integrity of any organization that pays DoGood to deliver its ads.
Let’s not get fooled by these shrewd people who abuse good causes for their own benefit.
UPDATES AND CORRECTIONS:
In the discussion that follows this post, the founder of DoGood, Faisal Sethi, and I debated the details of this post. I initially said that I did not misunderstand anything, but there is one thing I did misunderstand and should correct. The criterion for being on their exemption list is not what banners the publishers serve. Publishers are evaluated by the content of their sites, and this evaluation is “subjective”, meaning DoGood decides what passes as “good”.
They actually do not discriminate among the banner ads they are swapping. That is, even if the publishers are serving philanthropic banners, DoGood will replace them with their own philanthropic banners, essentially depriving the publishers of their right to decide what is “good”. He tries to justify this by saying the users can at any point view the original banners with a mouse click, but this is clearly a disingenuous answer. Who would deliberately choose to see banner ads?
Faisal emailed me and said that he no longer wishes to continue this debate, so the discussion is closed. The reason he does not want to continue is that he believes I’m accusing him of deliberate misconduct. I’d like to clarify that. From the tone of my writing above, I admit that readers could interpret it that way. So, I should clarify: I do not believe what they do is deliberate misconduct (like spammers). I think they are blinded by their own self-righteousness. This is why I described them as “Robin-hood-esque”. Their “good” intentions are misguided and therefore have grave consequences for many publishers and content creators. This is what I’m concerned about and tried to debate.
Should Facebook Have the Power to Decide Who Gets Banned?
I didn’t know that your Facebook account could be banned so easily. My own account is fine, but I discovered that many people have had their accounts disabled. Once your account is disabled (Facebook doesn’t tell you why), you disappear completely. No trace of you, as if you never existed on Facebook. This leads me to question the current laws protecting consumers. I’ll discuss that a bit later; first, here are the results of my research on this topic.
When I Googled for “Facebook disabled”, I found many people complaining about their accounts getting disabled. One person created a whole website dedicated to it. This writer on The New York Observer described the social consequences of getting banned from Facebook. Craig Daitch on Advertising Age sounds quite angry about the whole thing.
I found many different reasons for the bans. One of the comments said that Craig Daitch repeatedly sent friend requests to one person. The writer of the Observer article was banned because he cited a part of someone else’s profile on his blog. I also found someone getting banned for using a software utility that saves your Facebook contact info. Apparently, you could also get banned for sending too many private messages to people you don’t know, having too many friends, or just using Facebook too often. In most of the cases, it was Facebook’s automated script that flagged and disabled these accounts. So be careful if you are very passionate about promoting your political cause on Facebook.
Although it is important for Facebook to control certain user behaviors (such as spammers and stalkers), it is also important that we users have some say in how such policies are established and enforced. You might say, “But Facebook is a business. They own it, so they should be able to do whatever they want.” Legally this is true, but I think the laws should be changed for any product whose primary value is derived from the sheer number of its users. In many cases, the reason for the popularity is actually the popularity itself. People flock to it not because it is the best product, but because they feel socially pressured to. Microsoft Windows is the best example of this. Most people who use Windows are not particularly happy with it; they use it because they are required to at work, and the businesses use it because that’s what everyone else uses.
It’s like how English became the most popular language in the world. Many students around the world are required to study English in school, but it’s not because English is the best language; it’s simply because it is the most popular. In order to increase efficiency, stay competitive, and promote better communication, we often have to do what others do, through no choice of our own. When such a situation is established for a product or a website, the company that owns it should not have complete control over what it can do with its users. After all, they are deriving great value from us, value that they didn’t create themselves. What we want in such a product isn’t so much the product they created but the other users. eBay, Craigslist, Apple’s iTunes, and some Google products are good examples.
These products and websites take full advantage of so-called “user-generated content”. The vast majority of the content we enjoy on Facebook is not generated by Facebook; we the users generate it. What a sweet business! In comparison, sites like NYTimes.com have to spend a lot of money generating their content, but they don’t get any more money from their advertisers than Facebook does (for the same number of impressions and click-throughs).
Since we are all contributing content to Facebook, we deserve to have some say in how Facebook regulates its users. For this to happen, the laws have to change (I think). This goes beyond the concept of monopoly. (Perhaps it is closer to the legal concept of a “public figure”.) Even for a relatively small site, if the content is user-generated, the users should have some say in its user policies. It’s only fair; don’t you think?
Getting off on the Power to Control Access
An Access Control List (“ACL”) is a way to control user access to a website. It manages different groups of users like administrators, managers, employees, customers, etc., where each group accesses different areas of the website. ACL comes built into many web development platforms. We are using CakePHP, which has a sophisticated ACL built in, but we’ve never used it before. So, I recently looked into how ACL is implemented in CakePHP. After Googling about it for about an hour, I found a whole bunch of articles and blog posts about how “hard” it is. I then created a test project with ACL to look into the details of it. Oy. I now see what everyone is complaining about.
Personally, I have no idea why anyone needs this type of complex access control. What sort of systems are people building that actually require this level of complexity? A system for the CIA?
In the past, I’ve simply added another column to the users table called “security_level”. I’ve never even bothered to create a “groups” table, because we’ve never come across a situation where it was necessary. (I simply store the security_level value in the session and check it wherever I need it.) I’m a pragmatist, so I never bother to create anything that reality does not require. Having 3 different levels of access seems to take care of pretty much everything.
From the point of view of a pragmatist, I see a serious problem with having a complex ACL. If you need a complex ACL, it means that you must be managing a system that is used by thousands of people working within a complex organizational structure. When you have a complex ACL with thousands of users, managing the access list becomes a full-time job. As the security needs change in real life, someone has to modify the ACL to reflect the new reality. Having the ability to fine-tune the privileges of individual users means that nobody could possibly have a clear picture of what everyone is accessing unless you specifically look it up on the system. This can easily create security holes that nobody is aware of. For instance, one specific user may have access to a top-secret area of the site that nobody is aware of, until someone suspects something and looks him up on the system. (For instance, you meant to temporarily grant him access to a very specific section of the site, but you forgot to revoke it later.)
In other words, complexity of a security system is itself a security risk. So, a complex security system defeats the whole point of having a security system. When you simplify the security system, it may create some inconveniences in reality, but the simplicity allows many people to intuitively understand how the security works, which makes it more secure with less room for mistakes and holes.
For instance, with my scheme of just having 3 levels, all I would need to know is what security_level you have. I would then immediately know what you can access and what you cannot. Not just me, but everyone else who has the same security_level would know what that means. Every user in this situation can act as a potential auditor who can keep an eye on other users. Once you start fine-tuning each individual, nobody would have any idea who has access to what, and who should have access to what.
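A worked version of the scheme described in the last few paragraphs, added here as an example (it is not the post’s code and not CakePHP’s ACL): a single security_level comparison for the three levels, and an audit over fine-grained per-user overrides that surfaces the forgotten temporary grant. The level names, site areas, sample users, and the expiry date attached to each override are assumptions.

```python
"""Added example, not code from the post or from CakePHP: the post's
three-level ``security_level`` scheme as one hierarchical check, plus an
audit over per-user overrides that finds the forgotten temporary grant the
post describes. Level names, areas and users below are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Assumed names for the post's "3 different levels of access".
LEVELS = {1: "customer", 2: "employee", 3: "admin"}

# Minimum security_level needed for each area of the site (assumed layout).
AREA_MIN_LEVEL = {
    "/account": 1,
    "/orders": 2,
    "/admin": 3,
}


@dataclass
class User:
    name: str
    security_level: int
    # Per-user overrides, area -> expiry date. This is the fine-tuning the
    # post argues against; it is here so the audit has something to catch.
    # Giving every override an expiry (my assumption, not the post's) turns
    # "forgot to revoke it" into a condition the code can detect.
    grants: dict = field(default_factory=dict)


def can_access(user: User, area: str, today: date) -> bool:
    """The post's check: one integer against the area's minimum level.

    An override only counts while it is unexpired, so a stale grant fails
    closed instead of silently staying open."""
    required = AREA_MIN_LEVEL.get(area)
    if required is None:          # unknown area: deny by default
        return False
    if user.security_level >= required:
        return True
    expiry = user.grants.get(area)
    return expiry is not None and today <= expiry


def access_matrix(users, today):
    """Who can reach what: the 'clear picture' the post wants every
    user and auditor to have of the system."""
    return {u.name: sorted(a for a in AREA_MIN_LEVEL if can_access(u, a, today))
            for u in users}


def audit_grants(users, today):
    """List every override that exceeds the holder's level, flagging the
    expired ones. Returns (user, area, expiry, is_expired) tuples."""
    findings = []
    for u in users:
        for area, expiry in sorted(u.grants.items()):
            if AREA_MIN_LEVEL.get(area, 0) > u.security_level:
                findings.append((u.name, area, expiry, today > expiry))
    return findings


# Constructed sample data: one temporary admin grant that nobody revoked.
TODAY = date(2010, 6, 1)
SAMPLE_USERS = [
    User("ann", 3),
    User("bob", 2),
    User("cat", 1, grants={"/admin": date(2010, 5, 31)}),
]

if __name__ == "__main__":
    for name, areas in access_matrix(SAMPLE_USERS, TODAY).items():
        print(f"{name}: {areas}")
    for name, area, expiry, expired in audit_grants(SAMPLE_USERS, TODAY):
        state = "EXPIRED, revoke it" if expired else "active"
        print(f"override: {name} -> {area} until {expiry} ({state})")
```

Running the audit on a schedule, rather than waiting until someone “suspects something”, is what turns the post’s forgotten grant from an invisible hole into a routine finding.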
Am I wrong here? What am I missing? Why is everyone going nuts trying to implement such a complex ACL? In reality, the number of websites that actually require that type of complexity would be very small, and those who require it can afford to write their own ACL (such as large government institutions or financial institutions), so what is the point of writing a reusable library? Wouldn’t it make more sense to create a reusable library that is very simple, so that 99% of websites can use it with ease?
I find that many programmers, especially those who studied computer science in college, tend to get so excited about certain abstract ideas like flexibility, scalability, reusability, and controllability that they ignore what reality needs. It reminds me of hardware geeks who get really excited about building super-fast computers even though they have no use for them personally. (All they do is run benchmark utilities to prove their speed.) This lack of central coherence is often absurd.
I think the power to control users is a particularly exciting area for some programmers because it involves controlling actual power (political or organizational), and because the programmers often get to be in the most powerful position (“superuser”). But they really need to stop masturbating and start focusing on what reality really needs.
Whole Foods Boycott Turns Politics into Personal Attack
As you may already know, Whole Foods CEO John Mackey’s opinion piece in the Wall Street Journal has spawned a Facebook Group to boycott Whole Foods. And, according to the article on Mashable, the damage the group has caused is now real. Personally, I do not believe that boycotting a business for the political opinions expressed by its CEO is a proper way to resolve political differences. In fact, I believe it’s ultimately harmful for us all, particularly for this healthcare debate.
Let’s face it, there is no perfect solution for our healthcare problem. Every solution will have its own share of pros and cons. Everyone will have to make compromises, so it’s only fair that we listen to different views, opinions, and ideas. It’s not a game where we try to win by any means necessary.
You can boycott Whole Foods for their business practices, but not for the CEO expressing his opinions. Doing so is like your boss firing you because you voted for someone he doesn’t like. When we face someone who is far more powerful than we are, we tend to become blind to our own abuse of power because it is very small in comparison. Individual consumers also have power. It is true that the CEO of Whole Foods is far more powerful than we are, but this is a matter of principle. For instance, even in a fight with someone much bigger and stronger than you, the fact that you are much weaker does not justify the use of violence. This is why Gandhi’s strategy worked: he refused to resort to the same dirty strategy that the British Empire was using.
“Abuse of power comes as no surprise” because when we have it, we don’t realize that we have it, because we only look at the people who are more powerful than we are. Power is of course a matter of degree. Boycotting a business is certainly an expression of our power. The only difference is the degree.
Would you fire your employee for expressing his political opinions? Most of us would say no. If so, why “fire” Whole Foods for the CEO expressing his political opinions? I would “fire” Whole Foods if their actual business practices bothered me, but not for the CEO expressing his political opinions.
My power to “fire” Whole Foods is tiny, but to me, it is the same exercise of power as firing my employees, just on a much smaller scale. So, if I do not believe in firing someone for his political positions, I would not do that to a business either, even if it is much more powerful than I am.
A company that I once did some consulting work for lost one of its big clients one year. After a little research about the client, they discovered that one of its executives saw Planned Parenthood listed as a client on the company’s website, and that prompted them to end the business relationship. It was financial retaliation over political differences. This type of hostile strategy for fighting our political opponents can only divide us further. Do we ultimately want to get along with one another, or do we want to divide ourselves further? If we want to get along, why couldn’t we see this type of situation as an opportunity to get to know one another and to see the other’s point of view?
Now that the damage of the boycott is real, the fight has become personal. If John Mackey is angry enough, he could stop hiring people who express any support for Obama’s healthcare reform, although I really doubt that Mackey would do such a thing. If this is a proper way to do politics, then why stop at Whole Foods? Why don’t the Democrats boycott all businesses whose CEOs are Republican, and the Republicans boycott all businesses run by Democratic CEOs? Why should we boycott only the businesses whose CEOs expressed their opinions publicly? How about the quiet ones? Are they spared just because they are quiet?
It’s easy to see how this type of strategy can escalate to a point where both sides simply become more resolute about their own opinions, unwilling to consider any other ideas or solutions. It becomes a matter of winning, not of finding the best compromises. American politics is already too personal and hurtful. Do we need to make it any worse?