Don’t let your #heartbleed over web security

One word that’s been all over the web this past week is ‘Heartbleed.’

Together with a highly-visible image, it has been the focus of much commentary and opinion, some of it contradictory, some of it confusing.

Heartbleed is a major security vulnerability on the internet, one that I’ve seen described as “11 on a scale of 1 to 10” where 10 equals ‘catastrophe.’

All of the focus has led to widespread public awareness, on an international level, of what Heartbleed is and why people need to give it their attention. What it hasn’t yet done is lead to widespread public understanding of what a sensible course of action is for individuals and organizations to address it.

Some people say you should change all your online passwords to ensure that your access to websites you use that require passwords isn’t compromised. Others disagree.

Heartbleed in RSS feed

With so much FUD out there – you should see the quantity of varied content about Heartbleed in my RSS reader – it’s hard to know in lay terms what you should actually do that will give you confidence that you’ve done the right thing.

Well, there are some simple and rapid first steps you can take.

Regarding places online that you use and that are essential services from your point of view – that might include social networking sites like Twitter, Facebook and LinkedIn; and services like online banking, email and shopping – your first step should be to check with the services concerned to see what they say about Heartbleed.

For instance, LinkedIn – when I visited the website in recent days, I saw a prominent message in a top-of-screen banner that says, in essence, that LinkedIn hasn’t been affected at all by Heartbleed.

LinkedIn Heartbleed banner

I didn’t see any such message in accessing LinkedIn via its Android app, though.

I was reassured to see a clear message about Heartbleed from Lloyds Bank when I logged in to the online banking site on Saturday, saying “we would like to reassure our customers that our online banking systems are not exposed to this vulnerability.”

Lloyds Bank Heartbleed message

That’s precisely the kind of message you want to look for from any service you use online. And proactively so – just like LinkedIn and Lloyds Bank – rather than not knowing and having to ask.

If you use the Google Chrome browser on a Windows computer, you can install the Chromebleed Checker extension that runs in the background checking every website you visit. It displays a warning if a site you’re visiting might be affected by the Heartbleed bug.

Chromebleed Checker alert

Quite disconcerting when an alert does pop up! But it offers no information on what to do or where to get more details or help. Note the “could be vulnerable…” text. And see the mixed reviews.

Still, it may serve a good purpose in bringing the broad issue of security to the closer attention of website users and owners.

As for changing passwords, I think you need to be a bit circumspect. It seems to me that there’s little point in doing a wholesale change-every-password activity unless:

  • you know or feel concerned that you can no longer trust a particular online place,
  • you know for sure that it’s compromised and therefore not safe, or
  • a particular site has told you to change your password.

And consider this – there is no point in changing your password for a site you think might be affected by Heartbleed but can’t be sure about: if the site actually is vulnerable and hasn’t fixed the vulnerability yet, your new password will be just as much at risk as the old one.

A good start would be listing every service you use online that’s important to you, asking those services about Heartbleed (and searching online for what’s being said about that service in this context), and then making a decision about passwords.

Mashable published a useful list of many social networks and other companies’ sites with information that helped Mashable recommend whether to change your password or not.

Mashable Heartbleed list

Mashable’s recommendation for most of the social networks in the list is “change your password!”

Those sites are Facebook, Instagram, Pinterest and Tumblr. Keep an eye on the sites of the services you use to look for news about patches or fixes, as well as their Twitter handles and other social places they also use. And email.

But there’s more.

CNN reports that Heartbleed doesn’t just affect websites, it also has shown up in the devices we use to connect to the internet.

[...] Tech giants Cisco and Juniper have identified about two dozen networking devices affected by Heartbleed, including servers, routers, switches, phones and video cameras used by small and large businesses everywhere. The companies are also reviewing dozens more devices to determine whether they’re impacted by the bug as well.

ZDNet reports that iOS and OS X – Apple’s operating systems for its mobile devices and computers respectively – don’t have the Heartbleed bug but Blackberry’s BBM for iOS and Android do.

[...] BlackBerry has now confirmed that several of its products, including BBM for iOS and Android were affected by the Heartbleed. BBM has about 80 million users. Other BlackBerry products affected include its rival to Samsung’s Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS.

BlackBerry doesn’t have a patch for any of the products yet, but worse yet there are “no mitigations” for the vulnerability in BBM or Secure Work Spaces.

According to ZDNet, Google said that Android 4.1.1, Jelly Bean, was affected by the bug and it was developing a patch and distributing it to Android partners. 

It’s a complex and alarming landscape we find ourselves navigating today, with a huge amount of information swirling around but not enough clarity yet.

Don’t be caught out through not taking some common-sense steps to protect your information (and identity). Make sure you install any software updates or patches for your mobile devices as they become available.

Above all, make sure you have strong and unique passwords for all the important-to-you places you use. Yes, it’s a pain to have to make separate and unique hard-to-remember passwords for every place you use rather than one or a few passwords, named after your cat or your first date, for everything.

Just say to yourself: “Prudence is a virtue.”

And while you’re at it, I strongly suggest you use two-factor authentication wherever it’s available (here’s why).

Additional reading about Heartbleed:

  • The Heartbleed Bug: “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)…”
  • Here’s everything you need to know about the Heartbleed web security flaw by Mathew Ingram in GigaOm: “Researchers have discovered a serious flaw known as Heartbleed that affects the security software that runs on about two-thirds of the servers on the internet and could expose user data, including passwords…”
  • The Heartbleed Hit List: The Passwords You Need to Change Right Now by the Mashable Team: “An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services – ones you might use every day, like Gmail and Facebook – and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years…”
  • PR pros: Comms response to Heartbleed must be proactive and quick by PR Week US edition: “The Heartbleed computer bug that has left many websites vulnerable and open to data theft this week could affect more than Internet Web servers, according to security experts. Since the encryption flaw surfaced on [April 7], it has affected companies including Amazon.com, Google, and Yahoo…”
  • Here’s why it took 2 years for anyone to notice the Heartbleed bug by Timothy B. Lee in Vox: “What caused the Heartbleed Bug that endangered the privacy of millions of web users this week? On one level, it looks like a simple case of human error. A software developer from Germany contributed code to the popular OpenSSL software that made a basic, but easy-to-overlook mistake. The OpenSSL developer who approved the change didn’t notice the issue either, and (if the NSA is telling the truth) neither did anyone else for more than 2 years…”

The evolving conversation ecosystem

Social share

One of the prime reasons to start and maintain a blog, especially for business purposes, is the conversation that might happen when you publish a post.

You have something to say that others might have some views on, in agreement or disagreement, perhaps branching out in a related topic direction. Enabling others to add their perspectives to your post in the form of a comment is the foundation point for making a conversation happen, and connecting all the points of view in one place so you can, well, follow the conversation and add your views if you wish to.

The advent of third-party commenting systems like Disqus, Intense Debate or Livefyre – and more recently, with Facebook and Google+ – has offered bloggers myriad features and levels of service to manage commenting way beyond the native commenting features of a particular blog platform. (I’ve tried all of these at one time or another, but have reverted back always to native WordPress commenting features enhanced by Jetpack, the uber-plugin for WordPress blogs.)

What’s been an interesting development in the past few years is how the means of conversation is changing from comments made directly in the place where a particular post is published, to almost anywhere else on the social web and linked to the place where the post is published.

The nature of a comment has changed, too. In the past, you’d write a paragraph, perhaps, certainly a line or two with your perspective. Now, a tweet will often do. Or a Facebook like and a Google +1.

Today, comments happen anywhere and everywhere, all connected in a searchable, discoverable and shareable ecosystem.

As an example, take a look at one of my posts last year that has 120 comments.

120 comments

If you look closely, you’ll see that there are 42 actual comments, i.e. responses to the post made directly on the post via the commenting facility offered by the blog.

The rest comprises a mixture of tweets, retweets, Facebook likes, Google +1s or shares, and trackbacks. Jetpack treats all of it simply as ‘comments.’

While you should treat the precise numbers with a slight pinch of salt – I always see discrepancies reported in the adding-up – the important point is that all of the comments made, wherever they take place, are linked and connected to the blog post that prompted someone to comment somewhere.

What’s equally interesting is seeing how comments made elsewhere now usually outnumber comments made directly on a blog post. There are multiple reasons for this trend, including shifts in behaviours about commenting – a ‘like’ is as good as a thousand words – more places where you can make a comment in tune with your own preferences, and less time these days for lengthy discourse.

So I found it most interesting when I read of the plans by Copyblogger to do away with native commenting and, instead, encourage comments elsewhere that would be linked to a blog post on the highly-trafficked Copyblogger blog.

Here’s the rationale:

[...] If you’re going to put the work in to articulate your thoughts, to make an intelligent argument, and to bring something fresh to the conversation … you should be putting that work into your site, not ours.

Not that we haven’t loved having you! We absolutely have. But now I want to challenge you to take that great thinking and writing and use it to build your audience rather than ours.

Something in one of our posts strike a chord? Something you disagree with, or think is powerful, or could be amplified? Make those points … on your site.

Now if you want to link back to us, of course we would love that. But the main goal here is to make the ideas your own — to create your own expression, your own take. (Which we can’t wait to see.)

It’s an interesting idea, and Copyblogger’s push is admirable. They also say that managing spam comments has become a major issue, which was a factor in their decision.

What’s key, I believe, is that comments, wherever they’re made, connect with the subject of the comment, in this case, blog posts. That way, you get to see the entirety of the conversation, the discussion, the exchange of views.

I remember in 2008 when Twitter in particular started becoming a tool that people started using for commenting about content published on blogs and other places. Then, there was no easy way to connect the dots, as it were, until a pioneer like Shannon Whitley created a brilliant WordPress plugin called Chat Catcher that captured those tweets and added them to a post as comments.

In one stroke, Shannon’s workaround solved the disconnect problem that was beginning to be a concern. Sadly, Chat Catcher finally met its sunset in late 2010.

Today, though, there are many ways to ensure that a blog post and subsequent comments – be they replies on a post, tweets, Likes, +1s, whatever – are connected automatically and more or less seamlessly, such as tools I’ve mentioned earlier, if not (yet) wholly accurately in terms of numbers.

I won’t follow Copyblogger’s example and disable commenting here as I believe it’s part of your choice as a reader and would-be commenter where you want to join the conversation. Commenting directly here is just one of your choices.

As long as all the dots connect, the freedom of choice in the method of commenting is entirely up to you.

Twitter eight years on

Public. Real-Time. Conversational. Distributed.

Today marks the eighth anniversary of Twitter, the communication platform that is globally ubiquitous today, the eleventh most-visited website in the world.

From co-founder Jack Dorsey’s first tweet on this day, March 21, in 2006, the number of active users of the service now exceeds 240 million per month worldwide, tweeting in more than 35 languages, with over three-quarters of them now using Twitter on a mobile device. Users range from the average Joe to celebrities, big brands, the mainstream media, presidents and PRs.

Who would have imagined Twitter would become such an integral part of the way in which a lot of people connect with others and with things that interest them?

Twitter monthly active users

The platform (for that is what Twitter is) has changed in these eight years from the cosy curiosity of public and private text messaging between geeky early adopters in a little social network out of San Francisco to a sophisticated service from a publicly-listed company that reported annual revenues of over $660 million in 2013, and that now lets you record and share short videos and lets governments and other organizations alert you to emergencies.

I first heard about Twitter in early summer of 2006 and joined in December 2006, mainly because I wanted to see for myself what others I knew were increasingly talking about. The service really began to take off after SXSW Interactive in March 2007.

From the communicator’s perspective, there’s no doubting the value of this tool today as a method of listening to what people are talking about – a foundational step in communication planning, something you do before you start talking. It also offers you terrific opportunities to engage with others once you do start talking.

In my view, there’s no right or wrong way to use Twitter from the business communication perspective, only effective or ineffective ways. And like all online communication tools and channels, Twitter is a mirror on the behaviours of people, reflecting what they say and do.

Just like the real world.

To mark this milestone, Twitter posted #FirstTweet, a nifty tool that lets you find your first tweet.

#FirstTweet

Mark your milestone.

Getty Images ups its game in the collaborative economy

A picture is worth a thousand words, the saying goes. For anyone publishing content online, an image is becoming ever more valuable as an inclusive element in story-telling that can enrich your story and help it get attention.

Did the picture you see above get your attention?

It’s embedded from the Getty Images website under a new deal from Getty that enables anyone – from a website publisher, editor and writer like me running this WordPress blog to a mainstream medium employing thousands of professional editors, journalists and photographers – to use some of the photos and other images that have traditionally been available only under a restrictive licensing agreement and for payment of a usage fee.

Now, Getty will let you embed certain images for free when used for non-commercial purposes. You can choose from 35 million images in Getty’s overall image collection.

The picture above – of a Boxer dog looking out from its kennel on the first day of the 2014 Crufts dog show at the NEC in Birmingham – is one of the many news, entertainment and events photos available under this new deal that Getty announced on March 6.

As for why Getty is doing this, BBC News reports that Getty made the move after realising thousands of its images were being used without attribution.

“Our content was everywhere already,” said Craig Peters, a business development executive at the Seattle-based company.

“If you want to get a Getty image today, you can find it without a watermark very simply,” he added.

“The way you do that is you go to one of our customer sites and you right-click. Or you go to Google Image search or Bing Image Search and you get it there. And that’s what’s happening.”

It’s interesting how media reports like the BBC’s view this as a defeat for Getty:

[...] In essence, [Getty] is admitting defeat. By offering the ability to embed photos, Getty is saying it cannot effectively police the use of its images in every nook and cranny of the internet.

I’d see it differently.

While the factual aspect of what the BBC says is true – undoubtedly, no one can exert control in “every nook and cranny of the internet” – it presents Getty with a great opportunity to extend its reach across the social web by enabling anyone to legitimately use images that include links to Getty’s website.

It’s also clearly aimed at encouraging responsible use of digital content, attribution and linking.

But it’s also likely that it will open doors to more random sharing of content that you can’t control – for instance, look what you might see if you hover your mouse over the Getty embedded image above: a Pinterest ‘pin it’ button that lets you add that image directly from this website to Pinterest. No link to Getty, no control – but further exposure. That button is automatically shown if you have the Pinterest extension in your browser.

Still, it looks to me that Getty Images are embracing the embryonic collaborative economy with this move as a parallel model to its traditional licensing business. And remember, this open sharing only applies to non-commercial use – if you want a Getty image for your corporate brochure, website, TV station or what have you, you have to pay. See also what Getty did a while ago with images on Flickr.

How do you use a Getty image under this new embed deal?

Once you’ve opened an account at Getty – there’s no cost – the steps are simple:

  1. Click an image’s embed icon (</>) from the search results or image detail page.
  2. In the embed window, copy the embed code.
  3. Paste the HTML code you copied into the source code of a website or blog where you want this image to appear.
  4. Publish and share!

Getty embedded images

(Via The Verge)

See also:

Getty Images blows the web’s mind by setting 35 million photos free (with conditions, of course) – a good assessment by Joshua Benton of Nieman Journalism Lab. Of note:

[...] What does Getty get from the embed? Better branding, for one – the Getty name all over the web. Better sharing, for another – if you click the Twitter or Tumblr buttons under the photos, the link goes to Getty, not to the publisher’s site. But there are two other things Getty gets, according to the terms:

“Getty Images (or third parties acting on its behalf) may collect data related to use of the Embedded Viewer and embedded Getty Images Content, and reserves the right to place advertisements in the Embedded Viewer or otherwise monetize its use without any compensation to you.”

Getty Images makes 35 million images free in fight against copyright infringement – detailed description by Olivier Laurent of the British Journal of Photography, with quoted explanations from Getty. Of note:

“What we’ve decided to do is to provide through the embed player the capability to use this imagery, but there’s a value for Getty Images and the content owners,” says [Craig] Peters, [senior vice president of business development, content and marketing at Getty Images]. “And that value is in three parts. First, there will be attribution around that image, and since we’re serving the image, we’re actually going to make sure there’s proper attribution. Second, all of the images will link back to our site and directly to the image’s details page. So anybody that has a valid commercial need for that image will be able to license that imagery from our website. Third, since all the images are served by Getty Images, we’ll have access to the information on who and how that image is being used and viewed, and we’ll reserve the right to utilise that data to the benefit of our business.”

New research shows what drives consumers in the collaborative economy

The world of sharing

If you want to know about the collaborative economy and what it may mean for businesses large and small, the man to pay close attention to is Jeremiah Owyang.

The collaborative economy – also variously referred to as the sharing economy, the maker movement, and co-innovation – is a concept that is gaining attention as a viable business method to be considered seriously.

In its simplest form, the collaborative economy is about a consumer using a good or service rather than owning it: you buy access to the good or service for the time when you need it. When you don’t, others make use of it.

Of course, there is far more to the collaborative economy than such a simplistic description, as Owyang makes clear in Sharing Is The New Buying, a new report published today that offers a wealth of credible perspectives on the rise of the collaborative economy in the US, Canada and the UK from 90,000 people questioned to find out how they partake in digital sharing services related to goods, services, transportation, space and money.

The report contains the following sections:

  • Introduction and Executive Summary
  • Breakdown of the three groups of sharing customers
  • Market adoption rates, forecast and growth rates
  • Taxonomy of the market
  • Breakdown by demographic: age, location, political party, marriage status and more
  • Satisfaction rates of sharing services
  • Forecast of future behaviours
  • Recommendations for corporations: market opportunities, and specific departmental impacts

An ex-Forrester and -Altimeter analyst, now founder of and Chief Catalyst at Crowd Companies, Owyang says his latest research has uncovered three distinct types of people who participate in the collaborative economy:

  1. Re-sharers: Those who buy and/or sell pre-owned goods online (for example, on Craigslist or eBay), but have not yet ventured into other kinds of sharing.
  2. Neo-sharers: People who use the newer generation of sharing sites and apps, like Etsy, TaskRabbit, Uber, Airbnb and KickStarter.
  3. Non-sharers: People who have yet to engage in the collaborative economy, although many of these non-sharers intend to try sharing services (in particular, re-sharing sites like eBay) in the next twelve months.

In a world where people can get what they need from each other, how can big brands survive and succeed?

Owyang believes that is the question every business should be asking as the collaborative economy becomes more established and is set to grow, as evidenced in the report.

Like social media before it, Owyang says, sharing will be rapidly adopted because the same technologies that make it easy to share also make it easy to spread the word about the benefits of sharing.

The Collaborative Economy at a glance

While the collaborative economy could disrupt many industries – and, says Owyang, is poised to do so – there is little data available on how many people participate in sharing, who they are, and, most importantly, why they do it.

This report – produced in collaboration with Vision Critical – fills a significant gap in knowledge leading to understanding, offering a picture of the sharers in the collaborative economy and providing important recommendations for businesses that want to win in this new economy.

Sharing Is the New Buying, a 31-page PDF, is available as a free download: read it at Slideshare or in the embed below.

How serious are PRs about being genuinely professional?

So many embargoed press releases...

A simple, musing, rhetorical tweet on Monday evening about PRs who send out press releases under embargo prompted a wide-ranging conversation on Twitter among a handful of people about professional behaviour, education and training, and being prepared for the PR workplace.

Sending out press releases under embargo isn’t an unusual practice. On the contrary, it can be a worthwhile activity for a PR professional, agency or client-side, when you want to enable journalists and others you believe can help tell your story to be as prepared as possible and ready to go live at an agreed future time.

What prompted my tweet was the sense of despair I feel all too often these days upon receiving press releases under embargo from PRs I don’t know or with whom I have no actual relationship.

And relationship is key, in my view. I’ve always regarded making any public announcement under embargo part of a process of trust-building, where both parties to an embargo have, beforehand, mutually agreed to respect the terms of it.

That requires some kind of prior personal connection, either physical or virtual, between two parties that is the building block for a relationship of some kind.

What I see nowadays, though, has nothing to do with relationship (nor, hence, trust-building or even respect) when I get press releases embargoed for days forward from people I don’t know and with whom I’ve not agreed any terms of any embargo.

They just send out the press releases anyway, usually mail-merged in bulk to distribution lists built from Vocus or Cision subscription databases – in spite of clear guidance from those two respected firms that you’re not supposed to do that – and with little or no thought to understanding whether the press release contains information that is at least relevant to the receiver.

Relevance is a highly significant aspect of this. The worst case is when I get an embargoed press release from a PR I don’t know, and it’s totally irrelevant to me.

Remember An Inconvenient PR Truth’s push against irrelevant press releases a few years ago? Go on, remind yourself.

An Inconvenient PR Truth from RealWire on Vimeo.

I’ve written about this topic a lot over the years, filed under the ‘Spam’ category.

So, to my near-rhetorical question: “Why should I respect embargoes?”

I do, actually, but in a passive sense – there’s no way I will write or say anything about a company or its product or service, embargo or no embargo, on information I get sent this way. Ever. I just delete the email and any attachments that come with it, and move on.

So my musing on Twitter provoked some others to share their thoughts on the topic. Quite a few like minds, thank goodness, starting with Barbara Nixon and David Kamerer in the US:

And leading to a lengthy discussion involving Gabrielle Laine-Peters, Chris Owen and Paula Stei in the UK:

Gabrielle captured the scores of tweets into a Storify curation so please review that for the full conversation flow, or see the curation embedded at the end of this post.

There are three aspects from the conversation that have been rattling around my head since yesterday:

  1. The practice of sending out press releases under embargo as I’ve described here is anachronistic at best, unprofessional at worst, especially at a time when authenticity and relationships are two watchwords for creating the climate of trust that every PR professional surely ought to be striving to do (read the Edelman Trust Barometer 2014 to see why).
  2. That leads to focusing on the word ‘professional’ and how PRs clearly wish to be perceived as such by others, according to the latest ‘State of the Profession’ survey from the CIPR, published last week, saying, “Whilst nine out of ten respondents wish to be acknowledged as ‘professional’, results indicate a practice which seemingly struggles to embrace its desired professional ambitions.”
  3. To that end, CIPR President Stephen Waddington issued a challenge to CIPR members (one that every PR should pay heed to, CIPR member or otherwise): “How serious are you about putting this ambition [to be considered a professional] into practice?”

It would be an easy matter to stay in exasperation mode and dismiss all of this as so much snow in Hell.

Even Stephen thinks it may take quite a while to see change.

Yet perhaps now, there’s a chance that some people in, or about to become part of, the public relations profession care enough that they themselves will be the architects of change.

Consider Paula Stei’s comments in the Twitter conversation yesterday. She’s a third-year PR student at university, who has a clear view on what feels right or not, and questions some behaviours. Maybe Paula and others in her generation can be the drivers of change. I’m certainly optimistic that I wouldn’t get an embargoed press release from Paula if we didn’t know each other.

From little acorns do mighty oak trees grow, as an old saying has it. The meaning is clear – great things may come from small beginnings. Behaviour change in how you do press releases is a good example of a small beginning that can lead to bigger things.

Maybe it’s changing a small thing such as this that can get you on the road to being perceived as a professional.

  • Related: In this week’s FIR podcast episode 744, my co-host Shel Holtz and I discuss the CIPR survey and Stephen Waddington’s challenge, looking at other options that professional associations may consider for the big-picture of professionalism, including attaining accreditation or passing an examination as a condition and requirement for a member to be able to practice public relations. That discussion starts about 16 minutes and 50 seconds into the show.

And for the Twitter conversation that prompted this post, here’s the Storify curation of tweets by Gabrielle Laine-Peters: