The Internet has Fundamentally Changed – Here’s One Partial Solution

This post is based on the premise that 1) we have a serious security problem on the Internet and 2) money is the only (unnecessary) barrier to solving a large portion of it.

The Problem

The Internet has fundamentally changed. It is so virus and malware infected that a normal human being can’t keep their own PC, Mac or Linux computer from being infected. In other words, the Internet is broken. And our devices don’t work if they aren’t connected to the Internet.

It’s just not right. Why should you have to become a security expert? And it DOES NOT NEED TO BE THIS WAY. There is no need for this. The powers that be over the Internet are CHOOSING this and you are the victim.

The (Partial) Solution

We can’t fix it all, but what if we could stop the bleeding by even 50%? Or maybe 30%. Or even 10%. It’s a start. These are our neighbors, our family, our friends and they are being victimized by identity theft because, well, because they are human. Well, reduce the crime? WE CAN! We just have to encrypt everything. By doing so, a large portion of the problem goes away.

Will there still be break-ins? Of course. The frequency however will be radically lower and you are far less likely to be a victim.

Why? Because the weapons of cyber-warfare are now out in the open to be purchased for as little as $500 on the forums. People are desensitized to it all and now just accept it.

As a company that hosts web sites, here is what I know to be true.

  1. Clients will use weak passwords and we can’t audit that because WE encrypt the passwords in the database. So if a client uses “changeme” or “123456” or “washington” as their password we can’t see it, but when you login from the local hotel the wifi isn’t encrypted and bad guys can. We can’t detect or fix this because it’s encrypted on our side. But if you aren’t using SSL then it’s NOT encrypted when you send it over.
  2. Example: the top 100 passwords used on Adobe after they were hacked. http://stricture-group.com/files/adobe-top100.txt
  3. Clients and end users are faced with hundreds of passwords so they use the same passwords over and over. If someone gets one of your passwords, they effectively get everything.
  4. With the proliferation of Open Source, as Tendenci is, developers will deploy a site for you, give it to you, and leave it to you to maintain. So are you running your security updates? Because that is your responsibility now.

Why don’t people encrypt their web sites? Because there is a $50 to $500 a year fee. Plus a hidden cost of updating it every year and paying your hosting provider to install your SSL certificate so the real cost is more like $250 to $1,000 a year.

So why?

Generating a certificate takes one (1) line of code. ONE LINE! Hosting servers to verify the certificates does come at a cost, but so does DNS and it isn’t anywhere near as expensive. Generating a key is technically FREE. Here – go do it for yourself.

openssl genrsa -des3 -out server.key 1024

The certificate you just generated is called a self-signed certificate. So if you visit the site from IE you get a scary message that it can’t be verified. BUT if you visit a site with no encryption, oh, then IE is completely cool with that. Onward thus. Proceed into unencrypted, unsafe territory with abandon. Do you see the problem here?
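As an added example, not code from the original post, here is the self-signed path carried one step further than the post takes it: generate the key and the certificate in a single openssl command, then run the same trust check a browser performs, first against the shipped trust store and then with the certificate explicitly trusted. It assumes openssl is installed and uses example.com as a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is
# installed; "example.com" is a placeholder host name.
set -e

WORKDIR="${TMPDIR:-/tmp}/selfsigned-demo.$$"
trap 'rm -rf "$WORKDIR"' EXIT

# One command: a 2048-bit RSA key with no passphrase (-nodes) plus a
# certificate signed by that same key, valid for 365 days. This is the
# "one line" the post describes, with a modern key size instead of 1024.
make_self_signed() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        -subj "/CN=example.com" >/dev/null 2>&1
}

# True when the certificate's issuer is its own subject. That equality is
# the definition of "self-signed" and is what the browser notices.
issuer_equals_subject() {
    subj=$(openssl x509 -in "$WORKDIR/server.crt" -noout -subject)
    iss=$(openssl x509 -in "$WORKDIR/server.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verify against the system trust store, which is what a browser does with
# its shipped CA list. Fails for a self-signed certificate: nobody the
# verifier already trusts has vouched for it.
verify_with_system_trust() {
    openssl verify "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Verify after explicitly trusting this certificate as its own CA, which is
# what happens when a user imports the certificate or clicks through the
# warning. Now the same certificate passes.
verify_with_explicit_trust() {
    openssl verify -CAfile "$WORKDIR/server.crt" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

make_self_signed
issuer_equals_subject && echo "self-signed: issuer is the subject itself"
if verify_with_system_trust; then
    echo "unexpected: the system trust store accepted the self-signed cert"
else
    echo "system trust store rejects it (this is the browser warning)"
fi
verify_with_explicit_trust && echo "accepted once explicitly trusted"
```

The two verify calls are the whole story: the certificate and the encryption are identical in both cases; only the trust anchor differs.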

So what’s the motive? Why? Because of the cash machine. The certificate authorities want to charge you for their certificate chain saying that you are legit. But GoDaddy charges $270 for a wildcard SSL? Or Network Solutions can offer the same wildcard SSL for $494 with a 5-year contract.

So I guess if you aren’t rich your voice isn’t as legit as someone else’s voice? The bottom line is the certificate authorities want your money. Now, DNS service providers usually charge $10 to $15 a year to resolve your domain name. Tell me again why an SSL certificate is $50 to $500 or it gives a browser warning that terrifies people? It’s not a new debate, it’s a license to print money that deters security on the Internet globally.

It’s just greed. But the cost is astronomical to the citizens of the world. It’s like a city not repairing roads and ignoring the cost the citizens bear fixing their cars which is so much more than the cost of filling potholes and installing stop signs. It’s pennies for lives. Hence, cities fix the roads (for the most part.)

What if we flipped it? Why don’t you have to pay $100 a year to NOT have your site encrypted? What if security was the default? What if encrypted email was $10 a month but unencrypted email was $500 a month? Would that get people’s attention?

We can self sign web sites and email ourselves. We don’t need no stinkin’ web authority to do it. It’s one line of code.

Oh wait. Stop. Idealistic guy trying to save the world with open source disclaimer. Why not? Because of the “man”.

The browser will give you a terrifying warning about that certificate not being “approved” and IE will flat out block it if you don’t pay up. No, you must pay “the man”, which in this case is the Certificate Signing Authorities who are powerful enough to have their codes shipped with all of the web browsers. What would their cost be to include a public domain certificate authority, much like Wikipedia is for information? Um…. nothing. Zero. Nada. They just wouldn’t get a kickback.

It’s generating an “approved” key where the registrars make all of their money. It’s about the money. It’s greed. Even from foundations like Mozilla – they could easily solve this by endorsing a free and open certificate signing authority. They haven’t. I expect more from them. Some leadership in this would be nice. Where is Lessig on this? Why is there no outrage?

I’ll tell you why. Because it’s too geeky. Too technical. People zone out. zOMG, I like to create things. I bore myself talking about this crap. But it matters. Encrypt it all. Now. And do it for free. If my client buys a domain name why do I have to do ANYTHING to encrypt it? Don’t they deserve that? Should encryption be the default? I THINK SO. And I don’t think you should have to pay for it given it is as simple as DNS and could easily be included.

And yet the powers that be continue to be the “Certificate Authorities” and they continue to make money, causing only 4 to 5% of the web to be encrypted. So you and I continue to be the victim.

Please tell me someone out there is a little outraged by this? Not that I/we/you aren’t the problem as well…. read on …

To emphasize the point on weak passwords (again – this is YOUR responsibility, but irrelevant if on an unencrypted connection), these are the actual top 10 passwords used on Adobe logins (mind you this software costs thousands of dollars and this is the key to get it.) 1,911,938 of your fellow citizens chose “123456” as their password. Seriously. Another 345,834 people chose the password of …. wait for it …. “password.”

Rank	Count	Actual (no really) Passwords
---	-------	------------
1	1,911,938	123456
2	446,162	123456789
3	345,834	password
4	211,659	adobe123
5	201,580	12345678
6	130,832	qwerty
7	124,253	1234567
8	113,884	111111
9	83,411	photoshop
10	82,694	123123

One simple solution that would significantly reduce network attacks. Encrypt every site. At no cost beyond the price of the domain name. Make it easy. And free.

Dear non-technical people – please stay with me for a moment. I know I have to use a bit of geek speak but I want to try to explain the ruse that is being played on you. That it isn’t needed. That the cost of certificates is almost non-existent and you are the victims.

Encryption explained in one paragraph (simplified)

If I give you the number 21 and ask you what prime numbers divide into it besides 1, there is only one way to find out and that is to try every prime number. But if I give you 7 (my “public key”), you can verify very quickly that it divides 21 into a prime. That’s it.

Solution – every web site is encrypted with SSL by default and you have to pay extra to NOT encrypt your website. Done.

Obstacles – the companies that sell SSL certificates don’t want that. I pay $300/year for our wildcard certificate and what I am proposing is that they be given away for FREE TO EVERYONE WHO GETS A DOMAIN NAME.

Seriously, this isn’t a game people. YOU, as an individual, need to not use dumb passwords. As programmers say, like it or not, “you can’t fix stupid.” Yet I do have sympathy given the average human has NO IDEA of the cyberwar that isn’t pending, it’s happening NOW!
Thus WE, all of us need to have everything encrypted end to end to avoid the obvious. Occam’s razor.

let us not plot against others….so by benefiting them we benefit ourselves

“Let us not plot against others, lest we injure ourselves. When we supplant the reputation of others, let us consider that we injure ourselves, it is against ourselves that we plot. For perchance with men we do him harm, if we have power, but ourselves in the sight of God, by provoking him against us. Let us not, then, injure ourselves. For as we injure ourselves when we injure our neighbors, so by benefiting them we benefit ourselves” (‘Hom. 14, in Phil.,’ Oxford transl.).

Source: http://biblehub.com/proverbs/26-27.htm

The Year of the Horse

As we approach a critical mass of the open source version of Tendenci, it is very fitting that it is in the Chinese year of the Horse. From http://www.chinesefortunecalendar.com/2014.htm

The horse is one of the Chinese people’s favorite animals. Horses provided people with quick transportation before automobiles, so people could quickly reach their destinations. Horses can even help people win battles. Therefore the horse is a symbol of traveling, competition and victory. That’s why the horse is connected to speedy success in China.

Horses like to compete with others. They pursue their freedom, passion and leadership. That implies that people will have busy schedules for their goals in the year of the Horse. The Horse hour of the Chinese horoscope is from 11 A.M. to 1 P.M. Sunshine generates lots of heat during the Horse hour. Therefore, the horse is connected to heat, fire and red. Horses like social activities, because horses like to show themselves off. Since the horse is a social animal and red is also connected to love, the horse is treated as a Romantic Star in the Chinese horoscope.

and

Genghis Khan built the Mongol Empire with horses. The Mongol horses were a smaller breed; they were bred for endurance, not for speed like stallions. Genghis Khan conquered Eastern Europe very quickly, because Eastern European countries never realized Mongol cavalry could arrive in their territories so fast and they didn’t have enough time to prepare their defenses. They say each Mongol cavalryman had three or four horses. They would change to another horse when one got tired, so the Mongolian horses could take turns and get some rest. Mongol cavalrymen even knew how to sleep in the saddle. That’s why they could travel long distances without stopping. We know horses can sleep while standing. Mongolian horses have an even better sleeping skill: when they run in a group, the horse in the center can sleep while running.

The horse is an intelligent animal. Horses need to be trained to become useful to humans. Humans can make a horse famous. Without a human’s guidance, the horse is just a wild animal. It doesn’t know where to go. There is no destination in its life.

Indeed there is destination in life. And it is worth fighting for. I’m in. I’m humbled by my mistakes. That is the past. We live in interesting times and the destination is what makes such a curse irrelevant. The Mongolian Horses know the way. Steady wins the race.

Decline in Crime 43% Since 1990 (yes really – so stop watching advertising shows!)

Serious crime has DROPPED 43% since 1990.

FORTY THREE PERCENT
43 PERCENT
43 PERCENT DROP IN CRIME AND THE MEDIA HAS CONVINCED YOU IT’S UP
BECAUSE THERE IS NO MEDIA, THERE ARE ONLY ADVERTISING COMPANIES. SORRY. #TRUTH

43% Drop in Crime in US Since 1990

See that HUGE decline since 1990. Those are the facts. Please Stop, just stop, stop being a tool to “the man.” Just stop.

I ask people. You should ask people too. “Is crime up or down in the US since 1990?” They will say “up”. Then ask “by how much do you think it’s up?” They will say anything from 5 to 50%. They think crime is up. I ask “can you google it for us” (try duckduckgo for search too. Google isn’t God. Really people?) and I get nothing. Blank stares.

They look at the actual crime data and their minds can’t grasp it. The lie is so big we’ve all come to believe it to be true.

STOP IT!

Stop, just stop. Sorry to burst everyone’s paranoid bubble (insert pot-kettle cliche here) with facts. I know, we all hate it when someone drops facts on a good ghost story. Sadly it is true – you are safer now in the US than ever.

With a BS in Political Science (a BS in BS?) I frequently hear people parroting advertising companies that run search engines or web sites or TV shows or Newspapers. Note the first phrase – “ADVERTISING COMPANIES” – they need to sell advertising. Nothing more nothing less.

IF IT BLEEDS IT LEADS

If you sell advertising, how do you make more money? Simple, follow a very old formula and scare the life out of people. It boils down to, what if it bleeds less than before but nobody notices?

Gun Homicide Rates Drop 49% per 1000 people

What’s old is still new again – “If it bleeds, it leads.”

Stop, just stop. No more fear mongering to weak minds. And if you don’t have a weak mind, then educate and empower those around you. Advertising companies make money from page views, not from facts. They do not have your best interests at heart. But you know that. So tell your kids! Tell them! It’s not a conspiracy, it’s the system and it’s YOUR responsibility to educate your children and your community that what is in your best interest is different from what sells the most ads.

It’s all about the money….

Yes…

Example: “OK, yea, we are selling banner ads and we decided to just lie on our rate sheets that 5000 people picked up the paper in the Doctor’s office and it should be a 5000x multiple of subscribers.” (an exaggeration for the sake of drawing eyeballs… and no, the irony is not lost on me, but I don’t sell advertising and I’m not paid for this so whatev…. )

Insiders Game

For those not in the Advertising Business (which thankfully, despite the resolute ethical souls leading the Houston Advertising community (disclaimer: I was formerly a board member of AAF-Houston), works like this): the rate sheet dictates the “ad buy” rate. So the more people who view an advertisement, the more you can charge. If you can convince people that your business journal is subscribed to once (1) and viewed by an additional twenty (20) people (um.. not on this planet anyway, so unless aliens are spiriting it away in the night and buying online then I call BS (zOMG so (recursive(recursive(nerd-humor, *args, *kwargs))))), then you can sell advertisements at higher rates. Thus it sells ads (*cough* chron.com *cough*.)

I know, crazy, right?

Worst headline ever:

CRIME DROPS 40+ PERCENT IN LAST 20 YEARS REGARDLESS OF POLITICAL PARTY IN POWER

Facts and all that “stuff“. Those silly facts get in the way of our preconceived ideology.

Oh, and gun violence is down as well.


It’s not all good news as death by gun is stupid. And a shame. We can continue to do better. One tragic fact not discussed in the media is that more people die from self inflicted gunshot wounds than are victims of homicides involving a gun.
Homicides vs Suicides

http://www.pewsocialtrends.org/2013/05/07/gun-violence-in-america/st_13-05-02_ss_guncrimes_06_suicide/

As a true friend has been reminding me lately:

“When is the best time to plant a tree? 20 years ago. And right now.”

PROGRESS. It’s a journey. It will take time. But these are huge improvements the media has no incentive to tell us about because they don’t sell advertisements.

django can make some weird db schemas. just sayin.

When you have awesome people and less than awesome results, it is usually one of three things:

  1. leadership (me),
  2. processes or
  3. design (in the global sense of project design patterns).

I set all three as CEO for our rewrite of Tendenci to the open source software platform for nonprofits. Thus no matter what, I take 100% of the responsibility for delays between 2009 and 2014.

To be clear, I’m pleased with the progress on Tendenci, self hosted or our hosted solutions. Basically the team kicked ass on Tendenci 5.1 and I’m proud of them. It was definitely a cumulative effort from many people, past and present, addressing an incredibly complex problem – people.

Tendenci is about people, it isn’t a shopping cart selling shirts (and shopping carts can be complex, just nothing as complex as human behavior).

Tendenci is designed to be as simple as possible, but no simpler. The “minimum viable product” of 2009 is not something our client base wanted to hear about in 2014, even if the new version of Tendenci does mobile and much more. People don’t like to go backwards from what is now called “agile” development.

Lesson 1 – if you want to get REALLY agile – only build what people fund.

Yes, only build funded modifications. (Or contributed pull requests as time is money.) It’s amazing how many people will suggest a great mod. Everyone uses the web so clearly they are experts sharing their wisdom of how it should be built. As if driving a car makes me qualified to build one. And when you say 4k for the mod suddenly the programming module they desperately need isn’t relevant and they find another way.

Why? Why charge for modifications? Priorities. It tells you what people value. And we did that very well from 2001 to 2009, resulting in a stress-tested, solid product. But proprietary, because 2001 was a bit too soon to start building open source web apps. We had to start over if we wanted to be open source, so I pulled the trigger.

Then I tried to simplify things a bit too much. Things got a bit too Web 2.0 with blocks and giant fonts losing all data density in the display. Upsetting our power-users and looking clunky on screen. My bad. (the good news is it is mostly fixed now.)

Why is oversimplification such a fail?

Think about your car’s dashboard and controls. Look at them when you next get in your car. Incredibly complex information, right? Vast amounts of it. Presented while you are going 70 mph. Just wow. If what is fundamentally a horse (staying with the horse/car analogy briefly) with no visual controls, has evolved to this level of complexity, then exactly how simple can you make Association Management Software? Well, it isn’t a simple problem. 20,000 users on a web application is much more complicated than a car. Or a shopping cart.

Tendenci – because humans are complex. Groups of humans are even more complex!

So why this post? I’d like to start sharing what I learned along the way. Why this is one step in a long journey. And hopefully our clients and employees and the entire open source community will benefit from it. If not, then those who prefer destruction over creating something, those who laugh at people still tilting at windmills, then they will have won and there will be written documentation of my folly.

All I can do is tell you a bit about the journey. Record it along the way. And schedule blog posts over time.

Disclaimers: For the purpose of this series of posts I make no apologies if I speak Geek or brutalize the English language with poor grammar and typos while using pseudo-code to express programming concepts, all mixed up together with abandon in horrific run-on sentences. It happens. Go read another blog if it isn’t your thing. This one is mine.

As for the database schemas – I’ll cover that in a future post…for now suffice it to say I have had to relearn the primacy of MVC: MODEL, CONTROLLER, VIEW, in that order. And it takes discipline to do that with Django. More later….

state

State
Impure functions are often more efficient but also require that the programmer “keep track” of the state of several variables. Keeping track of this state becomes increasingly difficult as programs grow in size. By eschewing state programmers are able to conceptually scale out to solve much larger problems. The loss of performance is often negligible compared to the freedom to trust that your functions work as expected on your inputs.

Maintaining state provides efficiency at the cost of surprises. Pure functions produce no surprises and so lighten the mental load of the programmer.

http://toolz.readthedocs.org/en/latest/purity.html

More Creative Commons Stock Photography

Aspen Colorado

A new set of “Creative Commons Attribution Stock photography” is up on the Tendenci Open Source Software site. Per the request of one of new employees the focus of this gallery is on scenic landscapes.

And of course there are quite a few Tendenci Stock Photo Galleries to make your association or nonprofit website unique. They are all Creative Commons Attribution (check the license on each image individually; attribution and a link back is always appreciated.)

Enjoy!

Car Dealership Franchise Contracts are Socialist Monopolies. Duh.

Order button on the Tesla Motors Web Site
Car Dealership Franchise Agreements are Government Sponsored Monopolies. Oh please. Stop that 2k tax per car per family. Yes, I said it. For that matter so is the NFL, the NBA, the NHL, etc…. so let’s just call a Spade a Spade. (And speaking of “Spades“, while not a gambler myself, the last time I checked the casino industry was more open to competition than car dealerships. Go figure.)

If you want to save about 2k per car purchase – check the link on car dealership monopolies … It’s about time the monopoly of dealerships was seriously threatened with…. um….. CAPITALISM. FREEDOM. APPLE PIE. THE AMERICAN WAY. So why do we have socialized / monopoly car franchises? History and cronyism my friends. No. Other. Reason.

Free Enterprise is a good thing folks. I recognize the need for regulation (the tragedy of the commons) to protect our commons (no Benzene in the rivers for example – that’s a good regulation.)

But can’t we let competition keep up with technology? Why can’t I buy a car direct from the manufacturer? Name one rational reason besides protectionist laws from the stone age? (with apologies to my friends who might still be at UCS or ReyRey).

I work on the Internet. The speed of innovation is so radically fast and the threats to your business model are constant. And our business is 17 years old because WE ADAPT. Yes, people who can’t adapt that fast leave the company, but…. you know, it’s called competition for a reason. Adapt or die unfortunately.

So it will be interesting to see which manufacturer invalidates all of its franchise agreements with the dealerships first by allowing direct sales. Because whoever does it first, those dealerships will sell the MOST cars.

Yes, at first the dealers will be upset, and then, it’ll be alright. Everything’s gonna be alright. And dealers know they make most of their profit from Parts and Service anyway. (OK, and Used Cars & F&I but we can’t fix it all at once I guess.)

http://beta.slashdot.org/story/207413

SXSW V2V – Proprietary to Open Source: Giving Away $6M is Harder Than You Think

My presentation slides from speaking at SXSW V2V in Las Vegas this week. The official description is below and they are producing a video so I’ll either update this post or add the video as well.

Proprietary to Open Source: Giving Away $6M is Harder Than You Think

After 15 years running a successful business, Ed Schipul released the source code for his proprietary software, Tendenci, to the world. Foreseeing the impact of the cloud, mobile, and GIS, Ed knew he had to change his business model or become irrelevant. Open source was the path to future sustainability and innovation.

There were, however, seemingly insurmountable challenges. Tendenci 5, the first open source CMS platform for nonprofit organizations, had to be completely rewritten from .Net, ASP and SQL to Python, Django and PostgreSQL. From Github to cloud software, he had to choose all the tools to put in place to support his rewritten product and new architecture.

Lessons learned from the transition include the importance of testing and how to make your application’s architecture more scalable as well as what open source tools have proved to be most valuable. Ed will share his reasons for thinking that all of this is the best choice for both the product and the development community.

See more at: http://schedule.sxswv2v.com/events/event_V2VP29570
