Computer Security Essentials for Campaigns (and others)

I saw this interesting post by technical entrepreneur and social critic Maciej Cegłowski recently: What I Learned Trying To Secure Congressional Campaigns. It’s a long account, though entertaining and informative, of his efforts traveling the country, teaching political campaigns about basic computer security practices.

As if getting campaigns to meet with you wasn’t hard enough, there’s also the problem of what to tell them.

The limiting reagent here is people’s mental capacity for hassle. You have to take pains not to burn through it. It is possible, with whining, to get a campaign to do one or two things. If you catch them early enough, and can visit them multiple times, maybe they will do a third thing.

If you work with or know anyone who works on campaigns, there’s a lot of good, first-hand insight there.

For much shorter checklists of items to consider, there are also succinct resource pages on the website of his organization, Tech Solidarity. In addition to security advice for Congressional campaigns, there are also basic security guidelines for activists and journalists, instructions for using U2F security keys, and more.

Caught up on some updates this morning, including WordPress 5.2.1 and a handful of minor plugin and theme releases. Also added a new site for a group in Michigan to kick the tires on!

Security Certificates Available for All Sites

This important feature has been available to sites for quite some time, but I’ve neglected to publicize it more: thanks to the excellent Let’s Encrypt project, any site on this network can be configured with a secure TLS certificate, free of charge.

A certificate like this is what lets browsers encrypt the data they send and receive with websites. You know it’s in use when the URL begins with https, and your browser also shows a lock icon in the address bar:

It’s an important level of protection for users, especially if they’re filling out forms or sending data to your site, and it’s even more important for administrators who are sending their passwords across the web.

If you want this feature but don’t have it yet, or if you have any questions, just contact me via this form or email!

And We’re Back

…and ready to try to post more regularly here. I’ve spiffed up the theme and tidied up the details of what this is about. Though the network continues to proudly host sites for many groups, this site has looked abandoned for too long. Will I stick to posting better than I did with the three (3) “weekly updates” I posted through all of 2017? Follow along to find out!

I’ve become more and more concerned about the power that the giant, corporate social networks have over our lives, information, and discourse, and will probably tend to post about that. For example, this TED talk about Facebook’s role in Brexit:


And if you’re interested in that, her behind-the-scenes account of giving that talk is also fascinating:

In the theatre, senior executives of Facebook had been “warned” beforehand. And within minutes of stepping off stage, I was told that its press team had already lodged an official complaint. In fairness, what multi-billion dollar corporation with armies of PRs, lawyers and crisis teams… wouldn’t want to push back on the charge that it has broken democracy?

Facebook’s difficulty is that it had no grounds to challenge my statement. No counter-evidence. If it was innocent of all charges, why hasn’t Mark Zuckerberg come to Britain and answered parliament’s questions? Though a member of the TED team told me, before the session had even ended, that Facebook had raised a serious challenge to the talk to claim “factual inaccuracies” and she warned me that they had been obliged to send them my script. What factual inaccuracies, we both wondered. “Let’s see what they come back with in the morning,” she said. Spoiler: they never did.

Two-Factor Authentication Available for All Sites

This has been in place for a while, but I neglected to announce it widely: two-factor authentication is now built in and available to every user of every Indivisible.blue site. Setting this up adds an additional level of security to keep someone from logging in as you. (Here’s a good article explaining two-factor authentication, if you’re not familiar with it.)

To enable this for yourself or Indivisible.blue users you administer, start at the “Users” section of your WordPress dashboard. The list there includes a new column that shows whether two-factor is enabled for each user.

To change the settings, click “edit” for a user, and then scroll down to the “Two-Factor Options” section. I recommend using the “Time Based One-Time Password (Google Authenticator)” method, as well as generating backup codes, if you have a secure place to store them (like a password manager). The Google Authenticator app can be installed on your iPhone or Android phone and is easy to use.

If you have any questions or run into any problems, as always, let me know via the contact form or on Twitter: @IndivisibleBlue.

Sept. Update: This Network is Now Free

Yes, this project is still a going concern, and yes, it’s easier to say “I’ll write an update every week” than it is to actually do that. But rest assured, software updates and backups have been running right on schedule, regardless of posting regularity.

The news I wanted to share with you is that hosting Indivisible group websites on this network will now be provided free of cost. That has been the case from the start, thanks to an early, generous donation and modest expenses. But I’ve decided to make it official, and permanent: Indivisible.blue is free.

From the start of this project, I wanted to make sure it would be sustainable over the long years ahead of fighting the Trump/GOP agenda. If dozens or hundreds of groups signed up, I didn’t want to be on the hook for hundreds of dollars each month. But now it’s clear that growth in the number of sites has leveled off, and everything is still running fine on a $10/month server. I can live with that. (Though I’m still happy to accept your help if you care to chip in: see the financials page for donation details).

So to all the people to whom I awkwardly tried to describe the possible, maybe, semi-kinda-sorta estimated price, based on server costs divided by the number of sites based on the phase of the moon – I’m happy to say it’s much simpler now. And you don’t need to worry about the bill-collectors coming to collect $1.28 next month.

And to any new folks: come on in; it’s not too late. We have plenty of room to grow, so get in touch.

#Resist!

Learning WordPress

Here are some recommendations for sites, books, and courses to help you get going and make the most of your WordPress site on Indivisible.blue. Suggestions and contributions always welcome!

Note: If your site is hosted here, you can skip info about finding a hosting company, installing WordPress, and registering a domain; we take care of all that for you.