(This is a cross post from our CEO's personal blog. Note that the Equifax breach exploited a vulnerability in Apache Struts, a Java web framework. Tendenci is written in Python and does NOT use Apache Struts, so the vulnerabilities in Equifax's Struts installation do NOT impact your Tendenci site. Still, be aware that nothing is 100% secure, so stay vigilant and be prepared, friends!)
From the second article on the Equifax breach linked above, this portion really galls me:
… not only are none of the last names tied to your Social Security number, but there’s no way to tell if you were really impacted.
It’s clear Equifax’s goal isn’t to protect the consumer or bring them vital information. It’s to get you to sign up for its revenue-generating product TrustID.
Earlier it was revealed executives had sold stock in the company before going public with the leak. We also found TrustID’s Terms of Service to be disturbing. The wording is such that anyone signing up for the product is barred from suing the company after.
The following phrase alone, if true, combined with Equifax literally trying to monetize their security errors, is what gives capitalism a bad name:
The wording is such that anyone signing up for the product is barred from suing the company after.
I have to believe the Equifax PR team is working for PharmaBro or Putin trying to make them look good in comparison.
Note: Equifax has changed the indemnification, but only under duress imho. Furthermore 30 days free credit monitoring by the company that released your data and then you will have to pay monthly still seems wrong. But to be fair, here is their update:
(Editor: well ya, duh!?)
(Editor: but did you fire the person who did it in the first place?)
I get it. Nothing is secure. If the NSA's hacking tools get stolen and OPM loses all of the data on security clearance checks on our own people, then truly nothing is safe. I get it.
What I do not understand is a company as large as Equifax not being prepared for something like this. That Equifax did not announce it promptly. That Equifax executives sold stock before announcing it. That Equifax then attempted to indemnify themselves. That Equifax is using the crisis to sell a monitoring service that you have to pay for after 30 days. A service to monitor YOUR data that THEY lost control of!
This boggles the mind of a PR Professional.
The Internet was not built for e-commerce – it was built for knowledge sharing in a “walled garden” of trusted peers. Therefore keeping a site perfectly secure is not possible. Any security professional will tell you best practice is to allow-list the good guys (selective inclusion): decide what you will accept and reject everything else, rather than trying to enumerate every possible attack and block each one, because the list of attacks is open-ended while the list of what you intend to allow is finite. Even then, the difficulty at a high level is in drawing that line correctly and in identifying and blocking the bad actors who try to look like good ones.
I hate to say it folks, but we are playing whack-a-mole with your identity and money. It will always be an uphill battle to maintain security on the Internet and you will never ever be 100% safe.
Python, the language used to program Tendenci – The Open Source AMS, continues its meteoric rise in the world of developers. And where the developers go is where the rest of us go. Thus Python's rise matters. And it benefits every Tendenci user, self hosted or hosted with our small company (same software either way).
They have numerous charts to back up the data, but these two in particular paint a telling picture.
From Stack Overflow – the current tag questions viewed:
The above graphs should give you confidence in your choice of Tendenci as your AMS: the developers are not only there, they are growing in number. And Tendenci is fully open source, which is different from the “free trial” AMS systems that are NOT actually FOSS (Free and Open Source Software). Wikipedia describes the difference as:
(FOSS means) anyone is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users.
The good news is that with the growth of Python, it only makes sense that more developers will look at the software, and many will join in to help the community improve it as they join associations themselves.
We've written several times about why we chose Python over PHP to develop Tendenci as open source. Choosing the stack correctly gives us, and everyone in the community, confidence that the trends were read right. It wasn't rocket science: we listened to our team, we listened to younger developers, and most importantly we listened to our clients on where the future was (and is) going.
Why are associations unwilling to accept apps that meet only minimal requirements? Um… because they started as Guilds and go back to Medieval times. From Britannica on Guilds and Trade Associations:
Guild, also spelled gild , an association of craftsmen or merchants formed for mutual aid and protection and for the furtherance of their professional interests. Guilds flourished in Europe between the 11th and 16th centuries and formed an important part of the economic and social fabric in that era.
and Britannica goes on….
… associations are known to have existed in ancient Rome, however, where they were called collegia. These craft guilds seem to have emerged in the later years of the Roman Republic. They were sanctioned by the central government and were subject to the authority of the magistrates.
This is a huge topic of course. Just know that Tendenci is the ONLY top ranked AMS system that is truly FOSS. Unlimited admins, users, contacts – you can self host or if hosted with us we only charge for processing power. Got 1M users and contacts and 50 admins? No problem. And the growth of Python assures your continued freedom from vendor lock-in no matter what.
Hurricane Harvey Update from Tendenci – Monday Sept 4, 2017
A large part of our small team lives in or near Houston TX where Hurricane Harvey hit us with more rain than any storm in US history.
For those near us, we all know it’s not over yet. The roads are still flooded. Power is going on and off. And we are the *lucky* ones as so many lost their homes and over 60 people lost their lives. It’s important to keep in perspective.
We have been pushing updates *as urgently needed only* on twitter and facebook regarding Hurricane Harvey. The quiet messaging is what I was taught in Crisis Communications – don’t muddy the waters.
Tendenci's servers stayed up, our diverse multinational team kept things running, and all is well. I do have some minor requests from us to the Tendenci community:
The current policy of prioritizing client requests by their impact in the disaster area remains in place. Please be patient if you have a normal request that doesn't get addressed as quickly as usual. I expect this to last another week. However, don't forget Tendenci is open source, and another developer can use the template interface to fix pretty much anything you need if we aren't available immediately.
Position 1 also obviously applies to the tragedy unfolding in India, Nepal, and Pakistan as well, although I’m not sure if we have any clients impacted in those areas. I do know Tendenci has numerous open source users in Nepal and our thoughts and support are with you.
If a particular hosted client is in a difficult situation regarding this disaster please contact us.
For those of you not impacted by Hurricane Harvey – please consider a donation to the charity of your choice that you believe will benefit those suffering the most.
For more information on Hurricane Harvey in Houston please check:
If you run an Association, volunteer, join in, help, learn and participate – well – at Tendenci we think you are kind of a BIG DEAL! It’s easy at times to lose sight of the bigger picture when you are on the board of directors and planning the details for a fundraiser. Please remember – we need you, we appreciate you, and YOUR CAUSE IS WORTH IT.
I get asked why Tendenci is Open Source. My reply is to point to the role of associations in society. The role of associations, and of your association management system as well, is too important to survive the conflict of interest inherent in purely commercial solutions. To clarify why this is so important to me, and I believe to you, I can only quote those far more educated and eloquent than myself.
Alexis de Tocqueville viewed civil society as the third leg of the stool that allows democracies to function.
Americans of all ages, all stations of life, and all types of disposition are forever forming associations… In democratic countries knowledge of how to combine is the mother of all other forms of knowledge; on its progress depends that of all the others.
Americans combine to give fêtes, found seminaries, build churches, distribute books, and send missionaries to the antipodes. Hospitals, prisons, and schools take shape in that way. Finally, if they want to proclaim a truth or propagate some feeling by the encouragement of a great example, they form an association.
In every case, at the head of any new undertaking, where in France you would find the government or in England some territorial magnate, in the United States you are sure to find an association…. I have often admired the extreme skill they show in proposing a common object for the exertions of very many and in inducing them voluntarily to pursue it.
CIVIL society is the place where Americans make their home, sustain their marriages, raise their families, hang out with their friends, meet their neighbors, educate their children, worship their God.
It lies apart from the realms of the market and the government, and possesses a different ethic.
Civil society, on the other hand, is the sphere of our most basic humanity — the personal, everyday realm that is governed by values such as responsibility, trust, fraternity, solidarity, and love.
…. There must also be a healthy, robust civic sector — a space in which the bonds of community can flourish. Government and the market are similar to two legs on a three-legged stool. Without the third leg of civil society, the stool is not stable and cannot provide support for a vital America.
Maya Angelou wrote one of my favorite poems which I believe relates. It is “A Brave and Startling Truth.”
Maya Angelou is of course a giant not just of our time, but of all time. She speaks of greatness in the form of unity and love. That is what Civil Society does. Associations, churches, clubs, political movements … all of these things are simply too important to our planet to NOT be open source. And we will come to it. YOU and your AMS software are too important to be locked in or cut off if a proprietary vendor chooses.
Quoting Senator Bill Bradley’s piece again, he states:
The language of the marketplace says, ”Get as much as you can for yourself.” The language of government says, ”Legislate for others what is good for them.” But the language of community, family, and citizenship at its core is about receiving undeserved gifts.
Building the Tendenci AMS community Open Source – giving you control – is how I handle the brutal truth that “we must confess that we are the possible. we are the miraculous.”
To our clients and end users hosted on the AWS (Amazon Web Services) Cloud – the email outage and partial S3 (storage) outage have been resolved per the Amazon status notification site https://status.aws.amazon.com/
As marketingland states in their article, it’s not that the desktop doesn’t matter given most commerce still happens there. It is just that the buyers or donors started the journey with a search on a mobile device.
For the designers out there it is official that serving the clients means showing them the site on their mobile devices FIRST.
Mobile first design simplifies the information architecture process and focuses the team on outcomes. Focusing on your end users, the people googling your site on their iPhone the vast majority of the time, is a success for everyone.
Mobile first changes the question from the ego-driven and outdated mindset of:
“How does my website look on the giant 4k monitor in the conference room?”
to a results oriented view of:
“Does this site reach our audience on their mobile devices effectively?”
Mobile first has been baseline for years. This data just confirms it once again.
Note: Tendenci, The Open Source AMS, is fully responsive across all viewports. If you are on an older version of Tendenci (v5 or earlier) we strongly recommend you talk to your developer to upgrade your site.
Listening to a client I realized that maybe “geek speak” on my part was part of the challenge. Definitions:
Themes – The “theme” is the visual part of your site that makes you unique. When a major change happens, like the rapid growth in mobile traffic, it is not uncommon to have to purchase or pay to upgrade your theme with WordPress, Drupal or Tendenci.
Software – The “software” stack is all of the functionality below the theme. Open source projects are driven by a community and most modules or add-ons strive to be backwards compatible.
Game changers – sometimes a company like Apple will invent a “game changer” like the iPhone. Awesome! Oh, but wait. You can't write software that works on a device that either didn't exist or was a tiny fraction of visitors to your site when you first deployed your theme.
LTS Timelines – Who sets the timeline for LTS (Long Term Support) major releases? In Open Source it is driven by the community around a project. Frequently it is a combination of software and “dependencies”.
To use a large open source project as an example, WordPress users (like me – my blog is on wordpress) sometimes need to pay to upgrade a premium theme when WordPress does a major release.
As WordPress makes changes and improvements, sometimes these impact WordPress Themes and their underlying code and use of Template Tags. When a new version is announced, WordPress users are recommended to check the various WordPress Theme Compatibility lists to ensure their WordPress Theme is updated and ready for the new version.
Tendenci, a much smaller but growing open source project, is doing the same thing for the same reasons. You want a unique brand (your theme) and new functionality (the software) and you’d like it to be as low cost as possible. Hence software updates are “usually” free, it’s just when a “game changer” happens that you need to update your theme.
So why did our team choose to rewrite Tendenci as open source, and in the Python programming language? It is a question I get asked a lot. We've never been a company that likes to talk in the negative if at all possible, yet it is important to talk about the megatrends going on given we work with associations and nonprofits.
Popularity of a language is a trend, and what you want is as many developers as possible who know and like the language of your open source project. More developers means more eyes on the code, faster bug reports, and more people able to review and patch it, which gives you a better chance of a secure web site and therefore a more secure future.
To be fair, as the saying goes (Mark Twain credited it to Disraeli), there are “lies, damned lies and statistics”, so there is no perfectly secure language any more than there is a perfectly “safe” hammer. There will always be operator error, and programmers make mistakes.
So we’re not saying Python is perfect, and all of us have used most of the other languages on those charts at some point. We’re just saying we are pleased so many other programmers also like Python and Open Source. THAT is the best that can be done to secure your future online. Secure code that you can examine yourself and even host yourself!
Addendum: As I post this on the Tendenci Blog. Given we focus on non-profits, associations, memberships, education, medical, religious – basically the do-good cause-based organizations, I believe it is particularly important that the project is as transparent as possible. Sometimes it is healthy to inform everyone of WHY we made a decision seven years ago. Python was the right call.
Why Tendenci doesn't support epub uploads through the standard UI.
We love knowledge and knowledge sharing. And all of us read a lot – more and more on mobile readers. And yet the Tendenci software doesn’t support uploading epub files. First understand you have TONS of options to achieve your business goal and keep your site secure.
Free ebooks? We recommend you upload the epub to a resource like an Amazon S3 bucket or Dropbox and link to it from your site. That immediately solves the problem – you have a link to the resource on your site, just not “in” your site for safety and security.
Selling ebooks? Look at Amazon or Shopify or google it for tons of options. Even if the books are free, “selling them” on shopify will give you analytics and insight into consumers who are interested in your topic because they are being delivered to people next to other books!
As for the upload restrictions in Tendenci, here is why we are cautious:
While knowledge is great, security is more important. YES – TECHNICALLY YOU CAN PUT EPUB FILES ON YOUR TENDENCI SITE. But to do so your network administrator will need to do it for you, for security reasons. The reason is that epub and mobi files can carry active content and malware just like many other file formats (*cough* “Adobe Flash” *cough*). An epub in particular is a zip archive of XHTML, CSS and images, and XHTML can include scripts.
A book can have a code example. Depending on how your browser or e-reader “reads” that code example, it may or may not execute the code, and that code may or may not be malicious. Typically the file itself contains nothing a virus scanner would flag: a script that only references another site passes a signature scan because the malicious payload is not in the file. It gets fetched from that other location when the book is opened.
Two screen shots from the epubzone.org site are pasted below.
To be sure I love learning sites that have code that I can use to learn with in my web browser. MOOCs are awesome. But Tendenci is not a MOOC. So our current system is not set up to allow uploads of epubs or mobi given the millions of people who log into hundreds of open source tendenci sites hosted or in the wild. We are just cautious.
And again – there are alternatives.
Upload it to a different location and link to it <– RECOMMENDED!
Sell it with a company like Amazon who takes care of all of it for you <– RECOMMENDED!
Have your Network Administrator upload it if you must. But if this is the case, why not just make it a PDF? (Keep in mind that a PDF can embed JavaScript too, so it deserves the same caution.) <– NOT RECOMMENDED
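The allow-list principle from the Equifax post above (accept only what you have explicitly decided is good) and the reasoning behind the epub restriction come together in a small upload check. The code below is an added example written for this post; it is not Tendenci code, and the sample epub it builds is constructed here rather than taken from epubzone.org. The allowed types and the placeholder URL are assumptions for the example. It allow-lists a few document types by extension and by leading bytes (so a renamed epub does not sneak through as a PDF), and it shows what a scanner would have to look for inside an epub: script elements or event handlers in the XHTML, which a plain signature scan of the outer bytes would not flag.

```python
import io
import re
import zipfile

# Allow-list: extension -> expected leading bytes ("magic"). Anything not listed
# is rejected, which is the selective-inclusion approach rather than trying to
# enumerate every dangerous type. The set here is an assumption for the example.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}


def check_upload(filename, data):
    """Return (accepted, reason). Both the extension and the content must match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension '.%s' is not on the allow-list" % ext
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not look like a .%s file" % ext
    return True, "ok"


# Things that make an XHTML chapter executable instead of merely readable.
ACTIVE_CONTENT_RE = re.compile(
    rb"<script\b|\son[a-z]+\s*=|javascript:|<iframe\b|<object\b|<embed\b",
    re.IGNORECASE,
)


def scan_epub_for_active_content(data):
    """List the archive members that contain script or other active content.

    An epub is a zip of XHTML/XML files, so the interesting part is inside the
    archive, not in the outer bytes. A script tag pointing at a remote URL
    contains no malicious payload itself, which is why a signature scanner
    passes it; the payload is fetched when the book is opened.
    """
    flagged = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                if name.lower().endswith((".xhtml", ".html", ".htm", ".xml", ".svg")):
                    if ACTIVE_CONTENT_RE.search(archive.read(name)):
                        flagged.append(name)
    except zipfile.BadZipFile:
        flagged.append("<not a zip archive>")
    return flagged


def build_sample_epub(with_remote_script):
    """Constructed minimal epub-like archive for the example (not a real book)."""
    chapter = "<html><body><p>Chapter 1: a code example.</p>"
    if with_remote_script:
        # Placeholder URL (assumption); nothing is contacted in this example.
        chapter += '<script src="https://example.invalid/payload.js"></script>'
    chapter += "</body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        # The epub spec requires 'mimetype' first and stored uncompressed.
        archive.writestr("mimetype", "application/epub+zip",
                         compress_type=zipfile.ZIP_STORED)
        archive.writestr("META-INF/container.xml", "<container/>")
        archive.writestr("OEBPS/chapter1.xhtml", chapter)
    return buf.getvalue()


if __name__ == "__main__":
    book = build_sample_epub(with_remote_script=True)
    print(check_upload("book.epub", book))            # rejected: not on the allow-list
    print(check_upload("book.pdf", book))             # rejected: zip bytes, not %PDF-
    print(check_upload("book.pdf", b"%PDF-1.7\n..."))  # accepted
    print(scan_epub_for_active_content(book))         # ['OEBPS/chapter1.xhtml']
```

The two checks are deliberately separate: the extension check is the allow-list, and the magic-bytes check stops the oldest trick in the book, renaming `book.epub` to `book.pdf`. The archive scan is what a network administrator would run before uploading an epub by hand; it is a heuristic, not a guarantee, which is why the post recommends linking to the book elsewhere instead.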
PS – One part of being a hacker is you are frequently accused of being an “Eeyore.” This is tiring. And incorrect. Caution online is really – well – the teamwork of Q and Bond. Aware of current reality. Curious. The ability to think perhaps a bit deviously. To know what is possible – both good and bad – to protect you.