Google’s Black Navbar

Google recently rolled out a design change to its search interface. The navigation bar at the top, which links to several Google properties, the user’s Google account and other Google services, now has a black background and grey font colors. The change has been rolled out to all country-specific Google domains, and it appears not only on search pages but on every other Google property that displays the bar at the top.

The contrast to the white page is extreme, and there are certainly users who would like to switch back to the original all-white layout. If you don’t like the new bar, you can, depending on the browser you use, change it back to the white bar. Here’s an article from the userscripts website:

Google Light Navbar restores the original white nav bar and blue font color on all Google pages. You can download it from here –

The userscript works in the Firefox web browser, Google Chrome and Opera. Chrome users can simply install the script right away on the script project page.

Firefox users need to install Greasemonkey or Scriptish first before they can do so. Both are add-ons for the web browser that add userscript support to it. The install button becomes active after one of the add-ons has been installed in the Internet browser.

Opera users finally need to specify a directory on their computer in which to put their userscripts. This is done with a click on Opera > Settings > Preferences > Advanced > Content > JavaScript Options and the selection of a directory under Browse. They then need to download the script and put it into the designated directory. The script works right away without a restart; you may, however, need to reload the Google page if it was already open in the browser.

Microsoft Launches Web-based Office Suite

Microsoft Corp. has officially launched its Web-based email and Office services, part of its ongoing effort to keep Google at bay when it comes to business software.

“Office 365” has been available in a test version since last year. It combines Web-based versions of Word, Excel and other Office applications. It also includes the Exchange e-mail system, SharePoint online collaboration technology and Microsoft’s instant messaging, Internet phone and video conferencing system.

The latest software package comes as companies are increasingly shifting to storing data and applications on remote servers rather than on users’ desktop computers.

Microsoft said Tuesday that it plans to charge $2 to $27 per month per user for Office 365, depending on what’s included. Google Apps costs $4 or $5 per month but still has compatibility issues on some fronts.

Tools for monitoring online feedback

I think there are a wide variety of ways of monitoring your feedback … although we probably don’t have enough space for all of them, so I will just mention three that I have found really useful (plus they are FREE)!

Google Alerts – setting up Alerts about your brand name, current issues related to your brand or the names of competitors

Addictomatic – simply type in your business name and see where you appear on the web

And finally, just a link to a great website and a case study on Microsoft using Twitter to improve its customer service.

Web Application/SQL Security Suggestions

We recently came across the following suggestions for anyone running a database application on a public interface. These are great recommendations and should be considered. The three topics cover SQL Injection, Password vulnerability and Malware issues.

SQL Injection. SQL injection is not a vulnerability per se; it is an attack technique that takes advantage of poorly coded or configured applications, so there is no patch you can simply apply. Validate all input entering the application: check type, length and format, and restrict input to expected values wherever possible. Almost all web applications use a shared account to access the database. Ensure that account has restricted privileges on the database and can only read and write the necessary objects. Where possible, segment the services that make up the application so that each uses its own restricted account with access only to its specific functions; payment, catalog access and customer data are an example of such a split. Application developers must avoid dynamic SQL statements and use parameterized SQL statements instead to prevent injection. Database activity monitoring solutions with intrusion detection will detect and react to SQL injection, letting the organization decide how to respond: block it immediately, or collect evidence and contact the authorities, for example.
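The two coding practices above, dynamic SQL versus a parameterized statement behind an input check, are easiest to see side by side. The following is an added example, not code from the article or from the source it quotes; the orders table, its rows, the order-id format and the lookup functions are all constructed for illustration, and the database is an in-memory SQLite instance so it runs offline.

```python
"""Dynamic vs parameterized SQL, plus type/length/format validation, on an in-memory SQLite DB.
Constructed example: the table, rows, id format and lookup functions are hypothetical."""
import re
import sqlite3

MAX_ID_LEN = 32
ID_RE = re.compile(r"^[A-Za-z0-9-]+$")   # the only shape an order id is expected to have


def build_db():
    """Create the constructed sample table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id TEXT, customer TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("A-100", "alice", 19.99),
        ("B-200", "bob", 250.00),
        ("C-300", "carol", 7.50),
    ])
    return conn


def lookup_dynamic(conn, order_id):
    """Vulnerable pattern: caller input is concatenated into the statement text."""
    sql = "SELECT order_id, customer FROM orders WHERE order_id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def validate_order_id(order_id):
    """Type, length and format checks applied before the value reaches the database."""
    if not isinstance(order_id, str):
        raise ValueError("order id must be a string")
    if len(order_id) > MAX_ID_LEN:
        raise ValueError("order id too long")
    if not ID_RE.match(order_id):
        raise ValueError("order id contains unexpected characters")
    return order_id


def lookup_parameterized(conn, order_id):
    """Hardened pattern: validated input is bound as a parameter, never spliced into SQL."""
    order_id = validate_order_id(order_id)
    return conn.execute(
        "SELECT order_id, customer FROM orders WHERE order_id = ?", (order_id,)
    ).fetchall()


def demo():
    """Run the textbook injection string through both lookups and report what each returns."""
    conn = build_db()
    hostile = "x' OR '1'='1"
    leaked = lookup_dynamic(conn, hostile)          # the OR clause matches every row
    try:
        safe = lookup_parameterized(conn, hostile)
    except ValueError:
        safe = "rejected by validation"
    # Even with no validation step at all, a bound parameter is compared as data,
    # so the same string simply matches zero order ids.
    bound_only = conn.execute(
        "SELECT order_id FROM orders WHERE order_id = ?", (hostile,)).fetchall()
    return len(leaked), safe, bound_only


if __name__ == "__main__":
    print(demo())
```

The validation layer and the parameter binding are independent defenses: the last query in `demo` shows that binding alone already neutralizes the input, while the format check additionally keeps malformed values out of logs, error messages and downstream code.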

Passwords. Should an attacker gain access to the database through a properly restricted account, there is no reason that account should be able to read the list of other users and their passwords. Access to other database accounts can give an attacker access to other parts of the database, and often to other systems on the network where further sensitive data resides. All major databases have decent password policy features; use them. They force users to change their passwords regularly and to create strong ones. Some users will naturally try to weaken them for convenience, so use available tools to continuously monitor for weak passwords and to locate accounts that should be removed, such as orphaned accounts and default accounts.
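The monitoring the paragraph calls for, checking stored credentials against known-weak passwords and flagging default and orphaned accounts, can be scripted against an export of the account catalog. This is an added example rather than anything from the article: the account records, salts, hash scheme, default-account names, weak-password list and the 90-day idle threshold are all constructed stand-ins, and a real audit would read accounts from the database's own catalog and use a large dictionary.

```python
"""Audit an account list for weak passwords, default accounts and orphaned accounts.
Constructed example: records, salts, policy values and word lists are hypothetical."""
import hashlib
from datetime import date

# Accounts that ship with a product and should be removed or locked (hypothetical names).
DEFAULT_ACCOUNTS = {"scott", "guest", "test", "demo"}
# Tiny constructed weak-password list; a real audit uses a large dictionary.
WEAK_PASSWORDS = ["password", "123456", "welcome1", "tiger", "admin"]
ORPHAN_DAYS = 90   # no named owner and idle this long -> treated as orphaned


def hash_password(password, salt):
    """Salted SHA-256 stands in for the database's own scheme (use PBKDF2/bcrypt in practice)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_account(name, password, owner, last_login):
    """Build one constructed catalog record with a per-account salt."""
    salt = "salt-" + name
    return {"name": name, "salt": salt, "hash": hash_password(password, salt),
            "owner": owner, "last_login": last_login}


SAMPLE_ACCOUNTS = [
    make_account("app_ro", "Xq7!v9#Lm2pZ", "web team", date(2011, 6, 20)),
    make_account("scott", "tiger", None, date(2010, 1, 5)),
    make_account("jsmith", "welcome1", "j.smith", date(2011, 6, 18)),
    make_account("old_etl", "R4nd0m-Str0ng!", None, date(2010, 12, 1)),
]


def audit_accounts(accounts, today):
    """Return (account, finding) pairs for every policy violation found."""
    findings = []
    for acct in accounts:
        if acct["name"] in DEFAULT_ACCOUNTS:
            findings.append((acct["name"], "default account present"))
        # Re-hash each weak candidate with the account's salt; a match means the
        # stored password is in the weak list without ever reversing the hash.
        for guess in WEAK_PASSWORDS:
            if hash_password(guess, acct["salt"]) == acct["hash"]:
                findings.append((acct["name"], "weak password"))
                break
        idle_days = (today - acct["last_login"]).days
        if acct["owner"] is None and idle_days > ORPHAN_DAYS:
            findings.append((acct["name"], "orphaned account"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_accounts(SAMPLE_ACCOUNTS, date(2011, 6, 21)):
        print(f"{name}: {problem}")
```

Running the audit on a schedule and diffing its output against the previous run turns it into the continuous monitor the text describes: a new weak-password or orphan finding is an event, not just a report line.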

Malware. Many times the web application is just the front door leading to a beachhead somewhere else within the network. Malware can be installed to provide a backdoor, to perform reconnaissance, or to siphon data out. To get malware installed, the attacker needs an account with the administrative privileges required to install it on the underlying operating system. Restricted access was discussed above: the account connected to the database should have no operating system privileges at all, and note that many databases do allow access to the operating system. Unpatched vulnerabilities in the database are a hacker’s best friend, because most of them allow an attacker to elevate to the administrative privileges they need. This is why security patches must be applied as quickly as possible; a patch literally covers up the hole. In some cases vulnerable components can be removed or reconfigured so they no longer pose a threat. Databases can also be misconfigured easily, introducing other security risks that let an attacker gain the privileges they need. Organizations should compare their configurations to third-party verified security checklists to develop a baseline. Two very good resources are the U.S. Department of Defense’s Defense Information Systems Agency (DISA) and the Center for Internet Security (CIS); both provide security checklists for databases, called Security Technical Implementation Guides (STIGs) and Security Configuration Benchmarks respectively.
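Comparing a live configuration against a checklist such as a STIG or CIS Benchmark is mechanical once the checklist is expressed as rules. The example below is added here and is not from the article, DISA or CIS: the setting names, expected values and the sample snapshot are hypothetical placeholders for whatever a real benchmark specifies, and the point is the comparison logic, including treating a setting that is absent from the snapshot as a deviation rather than silently passing it.

```python
"""Compare a configuration snapshot against a hardening baseline and report deviations.
Constructed example: rule names, expected values and the snapshot are hypothetical."""
from dataclasses import dataclass


@dataclass
class Rule:
    setting: str
    expected: object
    reason: str
    comparator: str = "eq"    # "eq": must equal expected; "le": must be <= expected


# Hypothetical baseline in the spirit of a database STIG/CIS Benchmark (not their content).
BASELINE = [
    Rule("os_command_execution", False, "database account must not reach the OS"),
    Rule("remote_os_authentication", False, "OS-level trust bypasses database passwords"),
    Rule("password_lifetime_days", 90, "forces regular rotation", "le"),
    Rule("failed_login_lockout", 5, "limits password guessing", "le"),
    Rule("audit_enabled", True, "needed to detect and reconstruct misuse"),
    Rule("unused_listener_plugins", [], "vulnerable components should be removed"),
]


def check_rule(rule, value):
    """True if the observed value satisfies the rule; a missing value never passes."""
    if value is None:
        return False
    if rule.comparator == "eq":
        return value == rule.expected
    if rule.comparator == "le":
        return value <= rule.expected
    raise ValueError(f"unknown comparator {rule.comparator!r}")


def compare_to_baseline(snapshot, baseline=BASELINE):
    """Return one record per rule the snapshot fails, with the value found and the reason."""
    deviations = []
    for rule in baseline:
        value = snapshot.get(rule.setting)
        if not check_rule(rule, value):
            deviations.append({"setting": rule.setting, "found": value,
                               "expected": rule.expected, "reason": rule.reason})
    return deviations


# Constructed snapshot as a collector script might export it.
SAMPLE_SNAPSHOT = {
    "os_command_execution": True,
    "remote_os_authentication": False,
    "password_lifetime_days": 365,
    "failed_login_lockout": 5,
    "audit_enabled": True,
    # "unused_listener_plugins" intentionally absent: unknown state is reported, not assumed
}


if __name__ == "__main__":
    for d in compare_to_baseline(SAMPLE_SNAPSHOT):
        print(f"{d['setting']}: found {d['found']!r}, expected {d['expected']!r} ({d['reason']})")
```

Keeping the baseline as data rather than hard-coded conditions means the same comparison code can load a different rule set per database product or per benchmark revision.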

Dropbox Update – A password problem

Private details of some of Dropbox’s 25 million users were exposed overnight after a bungled code update nullified account password security. The glitch allowed accounts on the free cloud storage system – ostensibly protected by “military” security systems – to be accessed with any password. Accounts were exposed for up to four hours, although the glitch was fixed in less than five minutes after it was reported.

Dropbox co-founder Arash Ferdowsi said less than 1 percent of users – about 250,000 – had accessed accounts while the passwords were exposed. “Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism,” Ferdowsi wrote in a blog post today.

“A very small number of users logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.” Ferdowsi said the company is conducting an investigation and will notify affected users. “This should never have happened. We are scrutinising our controls and we will be implementing additional safeguards to prevent this from happening again.”

Meanwhile, administrators who need to examine Dropbox accounts used on a computer on their network now have a powerful tool, provided they have access to the files on the local computer. It is a forensic tool that allows private files on the Dropbox online hosting service to be read.

Its developer, ATC-NY, says the tool reveals a user’s email address, Dropbox identifier, recent files and shared directories. Dropbox, for its part, claims that it “uses the same secure methods as banks and the military” and prevents its staff from accessing customer data. The tool is called Dropbox Reader, and it could make it easier for investigators to crack open Dropbox. The program is a series of six command-line Python scripts that parse Dropbox configuration and cache files on Windows, Mac OS X, and Linux.

ATC-NY described the functions of each Python script:

  1. read_config outputs the contents of the Dropbox config.db file in human-readable form: the user’s registered e-mail address and Dropbox identifier, software version information, and a list of the most recently changed files.
  2. read_filecache_config outputs configuration information from the Dropbox filecache.db file, including information about shared directories attached to the user’s Dropbox account.
  3. read_filejournal outputs information about Dropbox-synchronised files stored in the filecache.db file: local and server-side metadata and a list of block hashes for each synchronised file.
  4. read_sigstore outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
  5. hash_blocks produces a block hash list for any file. This list can be compared to the block hashes from read_filejournal or read_sigstore.
  6. dropbox_contains_file hashes one or more files (as hash_blocks does), compares the resulting block hash lists to the files listed in filecache.db (as read_filejournal reports them), and reports whether the files are partially or exactly the same as any Dropbox-synchronised file.
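The last two scripts rest on one idea: a file's identity in the cache is its list of per-block hashes, so a file that shares some blocks with a synchronised file is a "partial" match and one that shares all of them is "exact". The following added example (not ATC-NY's code, and not read from a real filecache.db) reproduces that comparison. It assumes Dropbox's documented content-hash scheme of SHA-256 over 4 MiB blocks; the tool's own hash encoding is not described on the page. The cache listing is constructed in the code, and the block size is a parameter so the logic can be exercised on small inputs.

```python
"""Block-hash a file and test whether it is partially or exactly present in a cache listing.
Added example mirroring hash_blocks / dropbox_contains_file; assumes SHA-256 over 4 MiB
blocks (Dropbox's documented content-hash scheme). The cache listing is constructed."""
import hashlib

BLOCK_SIZE = 4 * 1024 * 1024   # 4 MiB, per the assumption above


def hash_blocks(data, block_size=BLOCK_SIZE):
    """Hex SHA-256 digest of each consecutive fixed-size block of data (last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def contains_file(data, filecache, block_size=BLOCK_SIZE):
    """Compare data's block list with every cached entry.

    filecache maps a path to the block-hash list the journal records for it.
    Returns (path, "exact") when the whole list matches and (path, "partial")
    when at least one block is shared, e.g. an edited copy of a synchronised file."""
    wanted = hash_blocks(data, block_size)
    wanted_set = set(wanted)
    matches = []
    for path, cached_blocks in filecache.items():
        if cached_blocks == wanted:
            matches.append((path, "exact"))
        elif wanted_set & set(cached_blocks):
            matches.append((path, "partial"))
    return matches


def build_sample_cache(block_size=BLOCK_SIZE):
    """Constructed stand-in for the block lists read_filejournal would report.
    Returns the listing plus the two raw files so callers can build test inputs."""
    report = b"Q2 report " * 50        # 500 bytes of constructed content
    photo = b"\x89PNG fake " * 40      # 400 bytes, unrelated content
    listing = {
        "/Documents/report.txt": hash_blocks(report, block_size),
        "/Photos/holiday.png": hash_blocks(photo, block_size),
    }
    return listing, report, photo


if __name__ == "__main__":
    cache, report, _ = build_sample_cache(64)
    print(contains_file(report, cache, 64))                    # exact match
    print(contains_file(report[:128] + b"edited", cache, 64))  # shares leading blocks only
    print(contains_file(b"unrelated", cache, 64))              # nothing shared
```

Because the comparison is block-aligned, an edit near the end of a large file leaves its earlier blocks intact and still yields a partial match, while an insertion at the start shifts every block boundary and typically matches nothing; that is exactly the behaviour an examiner needs to keep in mind when a "partial" result is absent.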

How Well Do You Know Your Data?

Data is such an all-encompassing term that it can seem insurmountable, but it’s essential that marketers and fundraisers delve into their data and know as much as possible about its nuances. The secret to success lies buried deep, not on the surface.

It’s not necessary to become a statistician, but a basic working knowledge of your organization’s statistics is crucial – as well as its history. Otherwise, there is no way to learn if your campaigns’ performances are improving or getting worse.

While every organization wants to have increased participation and giving in all areas, this is unrealistic and unlikely; therefore, segmentation when marketing and tracking is the wisest course of action. Learning which demographics respond best to what approaches during which times will assist when planning future campaigns.

This not only applies to segmenting your donors by age, gender, etc., but also by longevity of engagement, since acquisition files require more time and attention before they become profitable. You’ll also want to consider tracking responses with respect to the type of channels of engagement – e.g., direct mail, email, phone, social media, etc.

It’s also important to remember the basics, however: garbage in, garbage out. How often does your database get reviewed, updated, scrubbed, verified, etc.? Does this go beyond NCOA (National Change of Address Database lookup)? What about email addresses? Do all of the bounced emails get checked and updated/purged after X bounces? Do you have a policy for it on file? Do you check for deceased records and mark constituents as such regularly? The easiest way to offend a constituent is to repeatedly address them incorrectly . . . especially while asking for support.

Outside of your own organization’s database, it’s good to learn how to read your website’s traffic with Google Analytics. You or another staff member can take a Google Analytics IQ certification exam for $50, and the study materials are free.

Electricity-free Bamboo Speaker for iPhone 4

So here is the email our friend Jason sent us – this really is kind of cool (and green too!) Bamboo isn’t just for your floors anymore!

The iBamboo speaker makes use of the naturally resonant properties of bamboo to provide zero-electricity amplification for the iPhone 4. Yeah, you could get more gadgets to go with your gadget, but this is probably cooler — no wires, no energy use, and it adds as much Zen cool to your desk as a tiny portable waterfall (which would need to be plugged in anyway).

The inventor is looking for patrons on Kickstarter — he’s already gotten enough backers for the project to be funded, but you can still pledge your support and secure yourself a spot as an early adopter. A $25 donation (probably about what they would cost on the market) gets you one of the first speakers off the assembly line, plus the warm pleasant feeling of backing a super cool project.