Sunday 16 March 2008

Two up and one down, keep moving

Two new Yahoo Groups have been formed. The Grouply-Users-Group is for active users of Grouply to explore the product. To belong to this group one has to be a registered user of Grouply. Postings on this group are closed.

The other group, GrouplyFriendlyGroups, is there to list groups that welcome Grouply users. This is probably a backlash to counteract some of the negative assertions of the past few weeks, where some groups have elected to block Grouply use using the owner controls.

I tried to do my own survey of groups that have blocked Grouply and it seems that for some reason people who are into knitting, embroidery and such are more likely to have blocked Grouply. Why people who knit and sew might take this approach is beyond me, but it is a free world.

And the Old one? Well the major proponent arguing against Grouply was someone called Ungrouply running a group by the same name. Neither seems to exist anymore. All very interesting.

Saturday 8 March 2008

What has happened?

Can someone tell me what has happened to the Ungrouply group?

Monday 3 March 2008

There is only ONE way to make a computer system secure

I really mean it. The only way to ensure a computer system is secure, whether hardware or software or a mixture of the two, is to have your most ardent critics trying hard to crack your system. Anyone who is supportive of you will most likely tell you the story you want to hear. On the other hand, your critics tell you the stories you do not want to hear.

This is what happened some years ago to Microsoft who claimed their websites were secure, and then they were immediately hacked. Such hacking of one of the Internet's highest profile websites does not seem to occur anymore.

Speaking from personal experience of running 24/7 high-powered and hand-built Internet servers running from USA, UK, France and more, I had various people "challenge" these systems. I found this process so useful I also ran competitions to hack the system and discover & publish key information. Although I believe my systems were never compromised, I never had the advantage of a public group of ardent critics.

Enter ungrouply. This Yahoo group is proving the most ardent critic of Grouply and is trying hard to find and document any weaknesses. Right now a new user is trying different Yahoo profiles against Grouply and seeing what happens. No errors on that account seem to be noted, thus far. But you never know.

Please, ungrouply, go to it. You are doing sterling work. Much of your opinion I may disagree with as off-the-wall hyperbole. On the other hand, inside your group there are some important points. Please do your best to explore and document these.

The result of a Grouply that has been security tested by its biggest critic will ensure Grouply is truly a solid product & service.

Saturday 1 March 2008

You would think someone interested in photography would have good eyesight!

If you look at the home page of Canon-100 Yahoo Group you will see an assertion of "the risk of identity theft it can facilitate". Now I consider myself reasonably well versed in understanding what identity theft is, but hey let's get the verdict of a real authority. Let's go to ftc.gov and see what they have to say.

"Identity theft occurs when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes."

Three words hit me from that sentence: permission, fraud and crime.

So let us understand what Grouply does and measure it up against the assertion on the Canon-100 Y!G.

Grouply requests that users register their Yahoo ID and password. In this way they are gaining permission. At least that is what I understand by "permission".

Grouply are not alone in requesting this kind of information. Household names that do similar include Trillian, Qnext and Meebo. If you look further, getting to around 20 tools and websites that do similar is very easy, and I would not be at all surprised if the diligent researcher could get to 100 tools and services, or more.

Now on the Yahoo Groups blog this issue was explicitly raised, and what Yahoo said was that if you were going to reveal your Yahoo ID and password to anyone then you jolly well ought to be careful. More than that they said that you are responsible for such an action - that's what their Terms of Service says.

Note that what they did NOT say is that you should not reveal your Yahoo ID and password. To say that would have been very easy for them to do. Nice, clean, job done. But they did not. No, what they said was - act responsibly.

Now I would like to briefly investigate two questions that are opposite sides of the same coin. Why hasn't anyone complained about the many other tools and services that are around and that also request a Yahoo ID and password, or rather, why do Yahoo Group owners get overly concerned?

Well, to start with, many of the tools and services such as Trillian are primarily aimed at chatting and instant messaging. Chatting has two characteristics that are different to Yahoo Groups: it is temporal and also (with no disrespect) can often be relatively "light" hearted. Conversations in Yahoo Groups can often get quite heated. Sometimes debate becomes very intensive and very personal. It can also be very informed debate. It can also be quite ground-breaking. Basically, people who frequent Yahoo Groups often put their life and soul on the line.

Not only that, but the content of a Yahoo Group can also be very personal not just from an intellectual sense but also from a physical sense. I belong and contribute to several groups concerning medical conditions. I, personally, would not want the content of those groups revealed to people outside those groups. And I am not talking acne!

What goes in a group, stays in a group. Okay? That is what is important to group owners and members alike. That's privacy, and that's what Grouply does. Grouply exposes messages to users who are already in a group. It does not expose those messages to people who are not members of a group, even if the group's archives are public.

(There are a couple of important refinements to this in progress for groups where the moderator restricts archive access to moderators only and groups with deleted posts. See GrouplyImprovements below for more info.)

Of course the problem of the all-encompassing Yahoo ID & password is that it potentially gives access to all of one's Yahoo system. That includes email, instant messaging, groups, profile and whatever other products and services that Yahoo delivers. That's why you have to act responsibly.

This means that those people who just use Yahoo for its Groups activity may take a different perspective to ones who use Yahoo for a wide range of their products and services. And this is just one reason why Yahoo does not say "thou shalt not". They know that everyone is different.

They know that someone who is simply going to IM around friends on GoogleTalk, AIM and Yahoo Messenger is going to use a single easy to use, no install, no clutter, no ads interface service like Meebo or Trillian every chance they can get.

I know of high-powered computer system administrators who use tools like Meebo to stay in touch with their customers. They know that their customers will use their own favourite tool and rather than being proscriptive, "hey, if you want to talk to us when your servers are down then you MUST use GoogleTalk", they prefer to say, "just use whatever way you have of communicating, we accept all kinds of IM technologies..." That's where IM aggregation tools step in.

Let me underline a point here. It would be extremely easy for any and all of these tools and services that are similar to Grouply to surreptitiously garner all of your Yahoo Groups information, profiles, groups and their archives. Once they have your Yahoo ID and password nothing you could do could stop them, except for changing your credentials. But they don't, at least in general. Most if not all of them act totally responsibly. To do otherwise would be quickly spotted by some Internet guru, perhaps using tools such as TcpView from SysInternals that monitor TCP and UDP endpoints.

Now Grouply is an aggregation tool, one currently focused on Yahoo Groups, and potentially soon to include Google Groups. So focusing on Yahoo, they know that new products and services will come on stream all the time and that flexibility is a fundamental requirement if any one company is going to survive. They also know that people write passwords down on pieces of paper, that they share them with family and friends - and colleagues. They also know that people send passwords in (insecure) emails.

They, Yahoo, know like the rest of us should know that passwords are a very poor security system. They and you know that passwords are well understood and very flexible. Just act responsibly. Responsibly means things like changing your password occasionally, using strong passwords and maintaining its privacy.

And so Grouply enters the fray. A new service that delivers significantly beneficial functionality for some types of Yahoo Groups users. Yes, there will always be some people who do not wish to use Grouply because it offers them nothing.

Yet there are others who have their eyes open to new ideas, new ways of working. Such people are interested in working more effectively, whether that is faster or more informed or whatever. This is the information age, after all.

So we now know that Grouply users, because the information they are dealing with is primarily on Yahoo Groups, are often sensitive as to how that data is managed. Therefore it is right that Grouply should act responsibly. I will go further than that: they should act very responsibly. So what do we mean by responsibly?

  1. A properly formed company
  2. A comprehensive statement on privacy
  3. One that is backed by an independent auditing authority
  4. And a company that is very responsive to user needs on privacy

Have I missed anything? What I have listed above sums up what Grouply is. Their statement on privacy is very comprehensive. To my knowledge there has not been one complaint against that statement, and if there has then Grouply has been very responsive to work with the person / people to ensure that those privacy needs are met.

To give an example of how responsive they are, the Yahoo Group called GrouplyImprovements was formed by people who are considered by many in-the-know as perhaps doyens of this industry. When they speak, people listen. The group runs independently and the Grouply team are "in there" as members, as contributors. They listen to what is going on, they answer questions and they interpret ideas, take them away and implement them in an orderly fashion back into the Grouply product and service.

And so we come back to identity theft. How someone can insinuate that Grouply is stealing Yahoo IDs and passwords is beyond my ken. Grouply state up front what they are going to ask for. They have a well defined process for safeguarding that information, the essential points of which are covered in their privacy statement. They say why information is required, and how it will be used. Further than that, they say how it will NOT be used.

And how does it measure up against the FTC's powerful words "fraud" and "crime"? I think you will agree that if someone was going to commit such acts they would at least avoid having a decent privacy statement. I think you would probably find that a company interested in such acts would try to hide behind a veil of secrecy: instead, Mark & Rich, the company's founders, are not difficult to find or talk to.

I would like anyone to show me another company that requests Yahoo IDs and passwords that acts more responsibly - and you can take that as a challenge.