Computer Security Essentials for Campaigns (and others)

I saw this interesting post by technical entrepreneur and social critic Maciej Cegłowski recently: What I Learned Trying To Secure Congressional Campaigns. It’s a long account, though entertaining and informative, of his efforts traveling the country, teaching political campaigns about basic computer security practices.

As if getting campaigns to meet with you wasn’t hard enough, there’s also the problem of what to tell them.

The limiting reagent here is people’s mental capacity for hassle. You have to take pains not to burn through it. It is possible, with whining, to get a campaign to do one or two things. If you catch them early enough, and can visit them multiple times, maybe they will do a third thing.

If you work with or know anyone who works on campaigns, there’s a lot of good, first-hand insight there.

For much shorter checklists of items to consider, there are also succinct resource pages on the website of his organization, Tech Solidarity. In addition to security advice for Congressional campaigns, there are also basic security guidelines for activists and journalists, instructions for using U2F security keys, and more.

Caught up on some updates this morning, including WordPress 5.2.1 and a handful of minor plugin and theme releases. Also added a new site for a group in Michigan to kick the tires on!

Security Certificates Available for All Sites

This important feature has been available to sites for quite some time, but I’ve neglected to publicize it more: thanks to the excellent Let’s Encrypt project, any site on this network can be configured with a secure TLS certificate, free of charge.

A certificate like this is what lets browsers encrypt the data they send and receive with websites. You know it’s in use when the URL begins with https, and your browser also shows a lock icon in the address bar.

It’s an important level of protection for users, especially if they’re filling out forms or sending data to your site, and it’s even more important for administrators who are sending their passwords across the web.

If you want this feature but don’t have it yet, or if you have any questions, just contact me via this form or email!

And We’re Back

…and ready to try to post more regularly here. I’ve spiffed up the theme and tidied up the details of what this is about. Though the network continues to proudly host sites for many groups, this site has looked abandoned for too long. Will I stick to posting better than I did with the three (3) “weekly updates” I posted through all of 2017? Follow along to find out!

I’ve become more and more concerned about the power that the giant, corporate social networks have over our lives, information, and discourse, and will probably tend to post about that. For example, this TED talk about Facebook’s role in Brexit:


And if you’re interested in that, her behind-the-scenes account of giving that talk is also fascinating:

In the theatre, senior executives of Facebook had been “warned” beforehand. And within minutes of stepping off stage, I was told that its press team had already lodged an official complaint. In fairness, what multi-billion dollar corporation with armies of PRs, lawyers and crisis teams… wouldn’t want to push back on the charge that it has broken democracy?

Facebook’s difficulty is that it had no grounds to challenge my statement. No counter-evidence. If it was innocent of all charges, why hasn’t Mark Zuckerberg come to Britain and answered parliament’s questions? Though a member of the TED team told me, before the session had even ended, that Facebook had raised a serious challenge to the talk to claim “factual inaccuracies” and she warned me that they had been obliged to send them my script. What factual inaccuracies, we both wondered. “Let’s see what they come back with in the morning,” she said. Spoiler: they never did.

Two-Factor Authentication Available for All Sites

This has been in place for a while, but I neglected to announce it widely: two-factor authentication is now built in and available to every user of every Indivisible.blue site. Setting this up adds an additional level of security to keep someone from logging in as you. (Here’s a good article explaining two-factor authentication, if you’re not familiar with it.)

To enable this for yourself or Indivisible.blue users you administer, start at the “Users” section of your WordPress dashboard. The list there includes a new column that shows whether two-factor is enabled for each user.

To change the settings, click “edit” for a user, and then scroll down to the “Two-Factor Options” section. I recommend using the “Time Based One-Time Password (Google Authenticator)” method, as well as generating backup codes, if you have a secure place to store them (like a password manager). The Google Authenticator app can be installed on your iPhone or Android phone and is easy to use.

If you have any questions or run into any problems, as always, let me know via the contact form or on Twitter: @IndivisibleBlue.

Welcome to Indivisible.blue 2.0

Though I haven’t kept this blog up to date very well lately, this network of Indivisible sites is still going strong, and still growing. In addition to adding new sites, and keeping the software here humming along smoothly, I have some exciting news to share with you.

First is a new partnership between Indivisible.blue and Indivisible Austin.

A lot of folks have assumed that since Indivisible.blue hosts WordPress sites and is based in Austin, my own local group’s WordPress site was also hosted here. But as one of the earliest organizations in the nation founded on the Indivisible Guide, their site predated this one. I did work with them to make their popular and attractive theme available to sites on Indivisible.blue. And I’ve been very happy to host sites for some of their affiliated groups, like TX LEGE, TX-25, and last summer’s Cornyn Stakeout.

But recently the collaboration between Indivisible Austin and Indivisible.blue took a big step forward. Thanks to the data portability built in to WordPress, we have moved the entire site to the Indivisible.blue network! I’m happy to help free up a little of the group’s resources, which can be more focused on the primary work of activism in Central Texas. And as Indivisible.blue continues to grow, it’s great to have the backing of a strong, active group.

Speaking of growing the number of sites we host here, the second exciting announcement is a significant boost in helping organizations get their new websites off the ground more quickly. Though WordPress expertise is widespread, and how-to information is common, there have been more instances than I care to admit where groups didn’t quite manage to get their new Indivisible.blue site up and running.

Now, thanks to the extensive research and hard work of Indivisible Somerville, we’re thrilled to provide hosting for Activism.website. This fully fleshed-out, template-based site can be cloned with the click of a button to provide new sites with a solid base to build on.

Out of the box, a new site based on Activism.website features: an event calendar, mission and team bio pages, member tracking, donations, volunteer management, and more. As the getting-started page says:

In addition to talking to groups across the country about their needs, our team analyzed almost 1000 websites of new progressive organizations nationwide to find the sites and solutions that looked good, worked well, and fit the needs of the group without requiring technical skills or resources. We did all the research for you so you can focus on what you do best – engaging your community.

The original mission of Indivisible.blue was to help Indivisible groups across the country organize online, in ways that complement – but remain independent from – closed, sometimes toxic platforms like Facebook and Twitter. With this new partnership with Indivisible Austin, and new tools like hosting for Activism.website sites, we’re ready to expand this help to any other progressive groups that can use it. This support remains free of charge or advertisements.

If you’re interested in getting on board, get in touch!

Sept. Update: This Network is Now Free

Yes, this project is still a going concern, and yes, it’s easier to say “I’ll write an update every week” than it is to actually do that. But rest assured, software updates and backups have been running right on schedule, regardless of posting regularity.

The news I wanted to share with you is that hosting Indivisible group websites on this network will now be provided free of cost. That has been the case from the start, thanks to an early, generous donation and modest expenses. But I’ve decided to make it official, and permanent: Indivisible.blue is free.

From the start of this project, I wanted to make sure it would be sustainable over the long years ahead of fighting the Trump/GOP agenda. If dozens or hundreds of groups signed up, I didn’t want to be on the hook for hundreds of dollars each month. But now it’s clear that growth in the number of sites has leveled off, and everything is still running fine on a $10/month server. I can live with that. (Though I’m still happy to accept your help if you care to chip in: see the financials page for donation details).

So to all the people to whom I awkwardly tried to describe the possible, maybe, semi-kinda-sorta estimated price, based on server costs divided by the number of sites based on the phase of the moon – I’m happy to say it’s much simpler now. And you don’t need to worry about the bill-collectors coming to collect $1.28 next month.

And to any new folks: come on in; it’s not too late. We have plenty of room to grow, so get in touch.

#Resist!

Weekly Update, 5/7/17

Lots of action in this update (especially since I missed last week’s).

  • Site email – I discovered that automatic email notifications were exceeding my mail service’s quota, which sometimes caused delays in my receiving feedback. That’s been addressed, and I should hear from you more quickly and reliably.

  • Login security – I enabled a small – but I think important – security improvement on the login screen. Normally, if someone enters the wrong login information, WordPress will say either there is no user by that name, or that the password for the (correctly entered) username is wrong. This is a bad security practice, and I’m amazed that WordPress has this as the standard behavior. The reason it’s bad is because it gives brute force login attempts more information than they should get: it tells them which user IDs are valid (and worth trying to guess passwords for), and which aren’t (so they don’t waste time trying to guess those). The fix simply blanks out that message, which is admittedly less user-friendly, but the security improvement is significant.

  • New & updated plugins

  • New sites – Last but certainly not least, we’ve added four new sites to the network. Several of them are still getting set up or kicking the tires, but one that’s wasted no time at all is CornynStakeout.com. Targeting one of the terrible senators right here in my own Lone Star State, I’m proud to have helped this site’s creator get this site live quickly and easily. It was mentioned by the national Indivisible Team on Twitter today, and has had about 3,000 unique visitors since then.
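As an added example (not the code running on this network), here is a WordPress must-use plugin for the login-security change described in the list above. It hooks the core `authenticate` filter and swaps the account-revealing errors for one generic message rather than blanking the text; the `ib_` names and the `login_failed` error code are made up for illustration.

```php
<?php
/**
 * Plugin Name: Uniform Login Errors (illustrative example)
 *
 * Place in wp-content/mu-plugins/ so it applies to every site on a
 * multisite network without per-site activation.
 */

// Core error codes that reveal which half of the credentials was wrong.
const IB_ENUMERATING_CODES = array(
    'invalid_username',   // no account with that username
    'invalid_email',      // no account with that email address
    'incorrect_password', // account exists, password is wrong
);

/**
 * Replace account-revealing login errors with a single generic one.
 *
 * Core's username/password and email/password checks run on the
 * 'authenticate' filter at priority 20; running at 100 means this sees
 * their final verdict.
 *
 * @param WP_User|WP_Error|null $user Result from earlier handlers.
 * @return WP_User|WP_Error|null
 */
function ib_uniform_auth_error( $user ) {
    if ( ! is_wp_error( $user ) ) {
        return $user; // Successful login, or no handler has decided yet.
    }

    // Leave unrelated errors (for example, empty fields) untouched:
    // they say nothing about whether an account exists.
    if ( ! array_intersect( $user->get_error_codes(), IB_ENUMERATING_CODES ) ) {
        return $user;
    }

    // Same code and same text whether the username or the password
    // was wrong, so a failed attempt no longer confirms a valid user ID.
    return new WP_Error(
        'login_failed', // hypothetical code name chosen for this example
        __( 'Incorrect username or password.' )
    );
}
add_filter( 'authenticate', 'ib_uniform_auth_error', 100 );
```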

Weekly Update, 4/23/17

This past week on Indivisible.blue:

I updated to the new WordPress core maintenance release, version 4.7.4. From the release notes:

This release contains 47 maintenance fixes and enhancements, chief among them an incompatibility between the upcoming Chrome version and the visual editor, inconsistencies in media handling, and further improvements to the REST API. For a full list of changes, consult the release notes and the list of changes.

I installed a new theme (Bento), and a new plugin (Page Builder plugin). I also updated 3 plugins and 1 theme.

Lastly, I worked with the patient admins of the Bryan-College Station (TX) site, as we worked through some wrinkles with the security plugin that temporarily locked them out of their site. I continue to see a number of hacker login attempts, and this is an area where I’ll be working more.

Weekly Update, 4/16/17

I’ve been meaning to start posting updates about all the things happening here at Indivisible.blue for some time, and haven’t managed to get it going. But here goes! I’m going to try to post at least a quick blurb every week, just to be on a regular schedule.

One big step for the network took place in early March: I doubled our (admittedly small) server capacity. Increased usage was causing occasional database crashes due to lack of memory, so we went from a server with 512MB RAM and 20GB disk (costing $5/month), to another with 1GB RAM and 30GB disk (costing $10/month). That change only took one button click and a server restart, which is one of the reasons I chose Digital Ocean for server hosting in the first place. The new capacity has been working well since then.

That increased usage is due to continued growth in the number of groups setting up their sites on Indivisible.blue. The total number is now up to 21, and includes groups from:

  • Oklahoma
  • Bryan-College Station, Texas
  • Harford County, Maryland
  • Texas District 20
  • San Diego, California
  • Cranbury, New Jersey
  • Illinois District 6
  • Arizona
  • Sausalito, California

Besides adding these sites and helping them to get going, I’ve also kept WordPress up-to-date, updating plugins six times, and themes twice. One new theme has been added (Bento), as well as a new plugin (Page Builder).

The last big news this time is that I added the first new HTTPS security certificate for a group’s custom domain, using the free Let’s Encrypt service. I plan to add those for remaining sites, but haven’t gotten to that yet. If you’re eager to get that set up for your group’s site sooner rather than later, let me know (by email or the contact form).

That’s it for now. As mentioned, I hope to make these updates more regular. I may also write on a few other topics, to maybe help get some conversations going about the issues groups face running their websites effectively.