2012
05.02

Reprinted from my post at the now defunct IT risk management blog at UBC Sauder School of Business.

Given that we’re still not quite to the elusive paperless society so many futurists and technologists have promised us, our offices and homes have printers. Some of our offices have lots of printers, and lots of different printers at that. This brings me to an interesting question. Have you considered your printers in your information security practice?

Now at this point, you might be laughing at that idea. After all, printers print things and not much more aside from the odd print/scan/fax/copy multi-function unit, which also doesn’t sound very scary. Right? The truth is, however, that printers are really computers in and of themselves and (if network printers) run network services, such as web serving, FTP, telnet, and others, in addition to their regular printing duties.

The rationale mentioned above leads many organizations to pay very little attention to their printer fleets and how they are configured and managed, which can be quite dangerous.

What’s dangerous for them is fun for hackers (er, auditors). So let’s take a quick look at how it’s done! The following is a bit technical, though not vital to getting the gist of this post, so feel free to skip it if you wish.

Printers can be found on a given network with a simple port scan. Here’s what such a port scan looks like using the popular Nmap utility:

nmap -sS -p515,9100 192.168.1.*

What this line does is instruct Nmap to scan the entire 192.168.1.0/24 network for services listening on ports 515 or 9100 — ports commonly used for print services.

Once the printers are identified, one can begin probing further. Another scan against the printers for port 23 will reveal whether telnet is running. If it is, you can attempt logging in to the printer via telnet. If you can get in via telnet, you can do all sorts of things, as detailed here and elsewhere, such as finding out what has been printed, faxed, or copied, for a start.

If FTP is running on the machine, it can be used to store and serve files. As such, printers can be used to hide files on the network or to run a somewhat stealthy file sharing server.

Most network printers these days have web servers for web based configuration, and they are all too often left with no password protection enabled or with only default passwords. Once into the web configuration console, any of its settings can be changed (many of these things can be changed via the telnet command line interface as well).

Lots of shenanigans are possible once a printer’s weak security is exploited, like changing the display and banner messages, putting paper clip images on every page so people think there is a paper clip stuck in the machine, or sending scan jobs to random users.

While many of the issues I have already mentioned are not major in and of themselves, what’s really concerning is that compromised printers can also be used to map out entire networks or as a proxy for attacks on other devices.

So what can you do to protect yourself from threats involving printers? Mostly standard security measures apply. The web panels for them can be locked down with authentication. Some can even be centrally managed. Disable unnecessary services running on the devices (as with all devices), log and restrict access to administrative functions to only those who absolutely need it. Ensure any ports the printers are listening on are not accessible from untrusted networks (like the Internet). Most importantly, have a comprehensive information security plan at your organization that includes all information systems components and educate everyone on what it means as well as why it’s important.
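As an added example (not from the original post), here is a small shell audit a sysadmin can run over a scan of their own fleet to turn the checks above into a report: any host with 515 (LPD) or 9100 (JetDirect/raw) open is treated as a printer, and printers that also expose telnet, FTP or the HTTP config console are listed. It assumes Nmap’s grepable (-oG) output as input; the scan lines embedded in it are constructed, not from a real network.

```shell
#!/bin/sh
# Added example (not from the original post): audit a printer fleet from the
# grepable output of a scan of your own network, e.g.
#   nmap -sS -p21,23,80,515,9100 -oG printers.gnmap 192.168.1.0/24
# Hosts with 515 (LPD) or 9100 (JetDirect/raw) open are treated as printers;
# printers that also expose telnet, FTP or the HTTP config console are
# reported, since those are the services the post says to disable or lock down.

# Constructed sample of nmap -oG output; not a real scan.
sample_scan() {
    printf 'Host: 192.168.1.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (1)\n'
    printf 'Host: 192.168.1.11 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (4)\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///\tIgnored State: closed (3)\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 21/open/tcp//ftp///, 515/open/tcp//printer///\tIgnored State: closed (3)\n'
}

# Read nmap -oG lines on stdin; print "ip port finding" for every risky
# service exposed on a printer. Hosts without a print port are skipped
# (192.168.1.20 above has FTP and HTTP but is not a printer, so it is ignored).
audit_printers() {
    awk '
    /^Host:/ {
        ip = $2
        split("", ports)                    # reset per host (portable array clear)
        n = split($0, tok, /[ \t,]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^[0-9]+\/open\/tcp/) { split(tok[i], f, "/"); ports[f[1]] = 1 }
        if (!(("515" in ports) || ("9100" in ports))) next
        if ("23" in ports) print ip, 23, "telnet: CLI config, often no or default password"
        if ("21" in ports) print ip, 21, "ftp: can serve as a hidden file store"
        if ("80" in ports) print ip, 80, "http: config console, verify authentication is enforced"
    }'
}

# Count printers seen at all (for the report summary); reads nmap -oG on stdin.
count_printers() {
    grep -c -E '(^|[ ,])(515|9100)/open/tcp'
}

# Stand-alone run over the constructed sample: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'printers found: %s\n' "$(sample_scan | count_printers)"
    sample_scan | audit_printers
fi
```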

The real lesson here is that security and risk management is really a way of thinking and operating. It is a continual process that encompasses the entire organization — devices, software, facilities, process, and (most of all) people, rather than a concrete set of rules or a software package that one can buy. Such a comprehensive posture toward security and risk is how these less obvious vulnerabilities can be found and properly mitigated.


Much of the information presented here was based on my experience in systems administration and security auditing. However, these sources were also used in informing and writing this article:
http://www.schneier.com/blog/archives/2006/08/printer_securit.html
http://www.itbusinessedge.com/cm/blogs/weinschenk/its-not-exciting-but-n…
http://www.irongeek.com/i.php?page=security/networkprinterhacking

2012
05.02

Based on our very positive experience in building the IONICA video platform sites, we recently revamped the IONICA corporate web site in Drupal.

One problem we ran into was that any unauthenticated visitor who visited the contact page would get an ugly “Access denied You are not authorized to access this page.” error. This was not good as all our regular site visitors are not authenticated.

After some digging, I was able to find the fix, and it’s actually quite simple.

To allow anyone, even unauthenticated users (called anonymous users by Drupal), to view and use a Drupal 7 site’s forms, log in to your site as the administrative user and follow the steps below.

    • Click the modules menu.
    • Next, click the permissions tab in the top-right.
    • Scroll down to the section labelled “Contact.”
    • In the row, “Use the site-wide contact form,” tick the anonymous user box. Tick the others too if you would like authenticated and administrative users to have access to the form as well (you probably do).
    • Click the Save button.

That’s it! Now every visitor to your site can access the contact form.

2012
05.02

Recently, CIRA announced it has proposed key changes to its bylaws. Of particular concern is the way board members are selected. Read on to see my letter to the corporation.

The public consultations on this matter are open until May 2 — tomorrow. I urge you to submit your comments to CIRA today if you have not done so already. To submit comments, e-mail governance@cira.ca before May 2. Visit http://www.michaelgeist.ca/content/view/6451/135/ and http://cira.ca/legal/governance/ for more background.

UPDATE: Thanks to clarification from CIRA Chair, Paul Andersen, I see that I have misinterpreted the wording on the full slate of candidates. The reference to that in my letter is lined through.


To: CIRA Board Members

This message is to express my feedback regarding proposed changes to the CIRA bylaws.

Most notably, there are changes in the bylaws that remove the ability for people to run for a director or advisor position of the CIRA board without being on a slate assembled (presumably) by the existing board.

I strongly oppose this change, along with the running of a full slate, rather than individual candidates in board elections. As well, I oppose the provision for board directors to appoint other directors — even temporarily. This proposed structure and process lacks the accountability and transparency required to govern such an important public institution in the public interest. It sets the stage for an environment where only insiders are able to hold positions on the CIRA board and dramatically reduces CIRA members’ power to express confidence (or lack thereof) in board members individually or even as a group.

The make-up of the CIRA board is important, not only because of how important the corporation is, but because it is vital Canadians and the world have confidence in the legitimacy of it. Under proper governance, CIRA can be an exemplar for other similar organizations around the world to follow but in order for that to be, the board has to be taken seriously. Transparency and public confidence are prerequisites for legitimacy in boards of our public institutions.

I understand that the current CIRA board desires a more efficient process for selecting board members. Democracy, while not as efficient as the alternatives, is the only way to ensure accountability and proper governance of the CIRA board. Any changes to the CIRA bylaws must go substantially further in maintaining the integrity and legitimacy of the board than the current proposal, rather than degrade such integrity and confidence.

If you have any questions or comments for me on this matter, please feel free to contact me.

Thank you and best regards,

Mike Toscano

2011
11.28

David Plouffe, one of US President Barack Obama’s senior advisors, rose to prominence as the campaign manager for the 2008 Obama campaign for President. Mr Plouffe is well known, not only because he was instrumental in the success of Obama’s historic victory, but for the brilliant digital marketing strategy he crafted and executed with chief strategist David Axelrod.

What they did
The Obama campaign raised approximately three quarters of a billion dollars, motivated thousands of dedicated volunteers, and spurred record voter turn-out by engaging the electorate as never before (although they were very likely inspired by similar successes in the Howard Dean campaign in the 2004 presidential race). Their technical staff developed clean, clear, easy to navigate web sites built on open source technology and even accompanying mobile apps, providing information on how and where to vote and educating people on the importance of the election, as well as information on the candidate, himself. Plouffe embraced social media and digital technology to reach technically savvy Obama advocates and reach outward from there.

How what they did was awesome
In other words, they were using the technology as a means to start conversations, provide value, educate and inform, rather than to simply blast sales messages to people. Sound familiar? Many of us now know this as social media done right, yet we also know that relatively few firms and political campaigns are clever and brave enough to do the job so well, especially that early on in the social media game.

There is a lot of information out there on the digital work of the Obama campaign. If you want to know more, my sources list below is a good place to start.


Sources:

  • http://www.techvibes.com/blog/david-plouffe-explains-social-media-in-the-obama-campaign-at-convergence-2009
  • http://www.huffingtonpost.com/2011/05/19/david-plouffe-pushing-new_n_864103.html

2011
11.28

In my last post, I provided a brief introduction to building your personal brand, with an eye toward what I have done and how you might be able to learn from my experience. In this one, we’ll cover a few more key areas and discuss some general thoughts on the brand-building process. Without further ado, here are some more of those activities.

Leverage LinkedIn. This most popular of professional networking sites has been highly effective for me. I regularly get calls from head hunters and company recruiters through my LinkedIn profile. Guy Kawasaki’s blog has some good tips for boosting your LinkedIn profile and making it more attractive to hiring managers, clients, and business partners. I’ll leave it to you to see what Guy has to say but generally speaking, here’s what’s working for me:

  • Make entire profile public and open — allow anyone and everyone to see your profile, whether or not they are logged in. This also helps Google index your page and people searching with it to find you that way. I also can receive messages and invitations to connect from any member, whether or not they know me, are connected, know my e-mail address, et cetera. That doesn’t mean I have to accept any such invitations but I will get them and this is often how recruiters contact me.
  • Fill in all the available fields. Enter your work history of the past five or so years. Show people where you’ve been, what you’ve done, and what you know. This is, after all, a huge part of your value to firms seeking employees, especially when they don’t have personality or other less tangible traits to observe yet (since they have yet to meet you).
  • Make effective use of key words. Use the types of words hiring managers might be looking for. If you are a social media expert, for example, you might want to include names for any methods you use or marketing philosophies you subscribe to, tools you use, and so on. Basically, use words you might consider if you were searching for a social media expert in LinkedIn.
  • Join some groups. Joining relevant groups can put you in touch with other people in your field or with the same interests as you. Many groups also meet in real-space on a regular basis so this can be especially good if you have moved to a new town.

Regarding Facebook. Odds are, you already have a Facebook account. Many of us have used this one in powerful ways to, not just connect with old friends, but to elevate their profiles, sell apps, and find other people to connect with in their fields. Beware, however, Facebook has damaged quite a few personal brands as well. It goes without saying that you have to be very careful what images and comments you post to Facebook and even when you do so (e.g. posting photos of yourself on the beach when your employer thinks you are ill). Unfortunately, what your Facebook friends do and post can also be a problem for you, especially if you are in the pictures they post or comments they make. Honestly, due to the lack of control members have over their profiles and the mixing of business and pleasure happening on Facebook, I recommend caution when using it as a brand-building tool and even think deleting your Facebook account is worth serious consideration to maintain control over your brand. Of course, this depends on your brand itself and your strategy for promoting it. For example, Paris Hilton probably has nothing to worry about in having a Facebook account, a director of public relations might.

Though our focus here has been on digital strategy, perhaps more important than everything we’ve discussed is how you present your brand off-line. How you deal with people and conduct business is probably the single most important element of your brand. As many of us know, word-of-mouth and personal references have the strongest influence over consumer behaviour. What this means for most of us is what anyone would hope for in a business partner — sticking to your word, delivering quality product on time and on budget, being an effective and pleasant communicator, among others. I also, personally, believe that being true to oneself is paramount. It’s a great (and natural) way to differentiate yourself from the herd, aside from making everyone (especially oneself) more comfortable. So as you craft and execute your digital branding strategy, remember: Face-time is prime time.

2011
11.16

As I am entering the home stretch on my MBA at UBC’s Sauder School of Business and my itch to become an entrepreneur is getting more intense, I’m seeing more and more importance in building my personal brand.

As the name implies, personal brand, is basically a brand like any other, only it applies to you as an individual. Often, this means your professional identity but it’s really more than that. To help rather than harm one’s reputation, their personal brand must be genuine. In other words, it’s not about how you want the world to see you as much as it is about how you show the world who you truly are. A nice thing about this is that the exercise of brand building can very much be one of self discovery as well.

Here’s a bit of what I’m doing in my personal brand journey.

Get yourname.com. Believe it or not, miketoscano.com and nearly every variant of my name was taken when I first tried to register it way back in 2000. So I got mmtoscano.com, which just doesn’t sound as nice. To my pleasant surprise, I decided to check the availability of miketoscano.com on a lark. Lo and behold, it was available! So I snatched it. The lesson here is to register your name as a domain name before someone else does. In Canada, we are lucky because we can also register yourname.ca so there is one more (proudly Canadian!) option. Netfirms.ca is a good place to see if your name is available as well as to register it.

Get a Twitter feed. Admittedly, I wasn’t sure what to make of Twitter when I first heard of it some years back. We had to sign up and use Twitter in the MBA program at Sauder and I quickly became excited about what we could do with it. Twitter makes it easy to see what people are talking about and to get in on the conversation. What you tweet also tells the world a bit about yourself. I believe there is a right and a wrong way to use Twitter for building your personal brand, however (Hint: Don’t take photos of everything you eat or talk about what clothes you’re wearing that day). What you post should be at least a little interesting/entertaining/engaging to your audience.

Create a blog. Blogs take a bit more time so they’re really not for everyone (neither is Twitter). What’s good about blogs is that what you write in them lasts a lot longer than in other mediums and if you write interesting articles, people will find them through search engines like Google. I actually get a modest amount of traffic to my blog this way, particularly for my technical posts (I am a Unix systems administrator).

That’s about all for now. Part two is coming soon. Until then, remember: building a personal brand is telling your real story and sharing it with others. The tools you use to tell the story are less important.

2011
11.07

For our Internet marketing course, we are required to write a report on a topical article or book related to the subject of Internet marketing. I chose to review the report from Peppers & Rogers Group, Enriching the Customer Experience.

The report opens with a section presenting data from Forrester Research’s 2010 Customer Experience Index showing the outcomes in terms of payoff of positive and consistent customer experience across several industries – wireless carriers, hotels, airlines, insurance providers, and PC manufacturers. The payoff is represented on three dimensions – additional purchases (or economies of scope), churn reduction (basically loss of existing customers, who then may be replaced by new ones), and word of mouth (as in payoff result from positive WoM about the brand). The payoffs recorded by Forrester were nothing short of gigantic, ranging from a combined 233 million for PC manufacturers (26.4m from additional purchases alone) to 1.7 billion for wireless carriers.

While it may seem logical that treating customers better yields better sales, fewer lost customers, and better WoM – it is – there’s more to it than that. Firstly, the data puts in perspective how important it is to take care of your customers and that they really do respond to how they are treated by firms. One might hypothesize (like I did) that consumers generally deal with bad experiences because they feel most or all of their choices are the same. If they felt this way, it would be for good reason – Peppers & Rogers’ Fernando Pierry claims, “Most companies are not concerned about providing their customers with a superior customer experience. I don’t see that on their CEO’s agendas.” In many cases, it shows, but as we look at the data, we see that the macro-level market impact of good customer experience is substantial. This can add up to big dollars for larger firms that operate on a large scale and serve as a highly effective differentiator for smaller firms looking to grab more market share and maximize their marketing and operations efforts.

The article continues to connect the dots by explaining that “customers expect companies to understand their prior experiences and interactions with a company,” in a quote from Terry Saeger, senior vice president and general manager at VoltDelta OnDemand. Thus gathering and mining data on customer behaviours, preferences, wants, and expectations, is central to building outstanding customer experiences. Taking the next big step with a comprehensive plan to actually cater to those preferences, wants, and expectations can then finally put firms on track to realize the tremendous potential of great customer experiences.

Another section in the report articulates seven ways the customer experience can be enhanced – adopting channel preferences (garnered through feedback from customers), using voice automation (in call centres), offering proactive alerts (like an e-mail payment notification), embracing personalization, harnessing feedback, hiring home agents (again, for call centres), and rethinking cross-channel service delivery (basically, eliminating silos in customer service and sales). What I would have really liked to see here was a wider variety of insight. Clearly, there are many more ways in which customer experience can be enhanced – representatives’ tone of voice and eye contact, smooth operation of systems (no one likes to get an error when visiting a company web site or hear “my computer is slow/down” when talking to an agent on the phone), and helpfulness and courtesy of company representatives all can have an impact, but this report was largely focused on improving customer experience through data gathering and mining. Additionally, the report discussed call centre customer experience almost exclusively. This may have something to do with the fact that VoltDelta OnDemand, which provides call centre products (including those for remote agents), was involved in the drafting of the report. When considering the scope and recommendations of the report in light of knowledge of VoltDelta’s involvement, it looks more like a company-written white paper intended to boost sales of its own products instead of an independent industry report with the aim of enlightening marketers and other professionals. Though there are some good insights here, the meat comes from Forrester with some dressing provided by the authors of the report who are really, as it turns out, trying to sell more call centre services and products. An independent and thoughtful analysis of this new data with a wider scope of considerations would have not only been more genuine and credible, but a great deal more useful as well.

2011
11.06

In my previous post, I defined bought, owned, and earned media. Here, we’ll go a little deeper on one of those: earned media.

Engaging consumers through social media can be quite involved (depending on the level of engagement required). It requires a bit of a re-think in a firm’s marketing strategy, and results can be mixed, with potential benefits ranging from none at all to suddenly becoming the talk of the town (or even the talk of many towns).

So why bother with earned media? One big reason is that these conversations about your space and/or brand are happening. You should be in on them. Another big reason is that of trust and effectiveness, especially in the on-line world. Rob Fuggetta at Advertising Age has a decent article, Five Reasons You Need to Focus on Earned Media, which references some very telling statistics from Nielsen, McKinsey, and others on consumer trust. The research from Nielsen reveals that 90% of consumers surveyed trusted information from someone they know and 70% trusted opinions of other consumers posted online (that they did not know), while only 33% trusted on-line banner ads.* This data makes the effectiveness of earned media quite clear.

As Fuggetta also mentions, yet another benefit of earned media is the staying power of much (but certainly not all) of it. Those blog posts, videos, on-line store reviews and the like often remain up for years and are found by those searching the Internet for information about your product or other products in the segment. Thus a significant level of attention gained from them can be long-lasting, though the effectiveness of older posts likely diminishes over time (I found no data on this so we have to make some inferences for now).


* The numbers quoted by Rob Fuggetta at AdAge were different from those in the actual Nielsen article he sourced from. The numbers I quoted above are from Nielsen.

Sources

  • http://adage.com/article/digitalnext/reasons-focus-earned-media/227586/#author
  • http://blog.nielsen.com/nielsenwire/consumer/global-advertising-consumers-trust-real-friends-and-virtual-strangers-the-most/
  • http://www.mckinseyquarterly.com/A_new_way_to_measure_word-of-mouth_marketing_2567

2011
10.31

Many companies in search of reaching a wider audience are looking to social media. There are other reasons to participate in all the blogging, tweeting, chatting, and the like happening on-line as well, such as better engagement and dialogue with consumers. To really see the value and power in Internet marketing and social media, it’s beneficial to understand the concepts of bought, owned, and earned media and where social fits in to those constructs.

Bought media is exposure delivered through a paid-for channel or advertising. Good old fashioned billboards, print, and television ads fall into this category, as do the newfangled digital sort — banner ads, sponsored links, paid search, and so on.

Owned media is a channel controlled (and often owned in the conventional sense as well) by the firm (or brand). Examples include the signs on a company’s buildings and vehicles, their web site, and company publications (like a magazine, blog, or newsletter, print or digital). Official brand Facebook and Twitter accounts also fall into this category.

Earned media is the highly effective word-of-mouth that transpires not only in meatspace but also in places like on-line forums, chat rooms/IM, and Amazon reviews. Sean Corcoran from Forrester says viral videos are classified here too, but a clarification is in order — viral videos produced and promoted by the firm are, in essence, bought media. Videos produced by consumers are more clearly seen as earned media.

Check out the sources links below for more information. Stay tuned for a post on stimulating earned media through your digital presence.


Sources:

  • http://blogs.forrester.com/interactive_marketing/2009/12/defining-earned-owned-and-paid-media.html
  • http://en.wikipedia.org/wiki/Earned_media
  • http://www.avc.com/a_vc/2009/04/earning-your-media.html
  • http://producerposts.com/producer_posts/2009/04/earn-it.html

2010
07.08
A quick web search on the subject reveals the Cisco VPN client for Linux kinda sucks. Installing and configuring it is a pain and often problematic, and sometimes it causes kernel panics/system lock-ups. Nevertheless, it is (as far as I can tell, anyway) needed if you have to authenticate to the VPN with certificates. Here’s how it’s done.
First, update your system:
  • sudo apt-get update && sudo apt-get dist-upgrade
  • Then, download the Linux Cisco VPN client.
  • Download this patch. BTW: I did not write this patch and though I am sure it will not harm your machine or data since I use it myself, use it at your own risk.
  • Unpack the client source code:
      tar -xvzf vpnclient-linux-x86_64-4.8.02.0030-k9.tar.gz
  • Copy the patch file to the VPN client install directory:
      cp vpnclient-linux.2.6.31.diff vpnclient
  • Apply the patch:
      cd vpnclient
      patch < vpnclient-linux.2.6.31.diff
  • Create the autoconf.h header file under the headers for the kernel you are running (substitute your kernel version):
      sudo touch /usr/src/linux-headers-2.6.[whatever-version-you're-using]-generic/include/linux/autoconf.h
  • Run the install script:
      sudo ./vpn_install
  • The VPN client should now be installed and you should not have gotten any errors during the compile.
  • Start the VPN client service:
      sudo /etc/init.d/vpnclient_init start
  • Copy your PCF files (Cisco VPN profiles) to /etc/opt/cisco-vpnclient/Profiles/
  • If you have any VPN connections that do not use certificates, now is a good time to try them. To connect to a VPN with the Cisco VPN client:
      vpnclient connect profilename
    (where profilename is the file name before the “.pcf” bit).
  • Make sure that works. If it doesn’t, troubleshoot until you get that part working before proceeding.
  • Copy the certificate (pfx file) to /etc/opt/cisco-vpnclient/Certificates/
  • Import your certificate, then follow the prompts:
      cisco_cert_mgr -U -op import
  • After importing, ensure the certificate appears in your certificate store:
      cisco_cert_mgr -U -op list
  • If your certificate doesn’t appear in that list, try again, noting any errors.
  • Try connecting to your VPN with certificates now:
      vpnclient connect profilename
  • When prompted for a password, make sure you are using the password you set for the certificate locally, *not* the one you may have set when you created the certificate, otherwise it won’t work.
Hopefully it works! If not, the unfortunate thing is that the Cisco VPN client has very vague error messages. Make sure the certificates are in the store and you have not gotten any errors during the installation/configuration process. If you did, read onward for using the logging facility and see if you can piece together the symptoms, error messages, and log events for clues as to what might be wrong.
If you have problems, here’s how to use the Cisco VPN client logging facility. It’s a pain to use if you don’t know how so this should save you from banging your head against the wall a bit.
At the command line, enter:
  • ipseclog filename  – where filename is any file name you choose.
Then tail filename on another virtual terminal
  • tail -f filename
Then try connecting or importing — whatever you are having trouble with — in another virtual terminal. Go back to the terminal where you are tailing the log file and see what it says. That might give you some clues as to what the problem might be.
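Here, as an added example that is not from the original post, are shell helpers that wrap the install steps and the logging recipe above with the checks a careful admin would want: verifying the third-party patch against a digest obtained from a source you trust (EXPECTED_PATCH_SHA256 is a placeholder you must fill in), refusing to patch unless a dry run succeeds, checking that the kernel header tree exists before touching autoconf.h, and capturing an ipseclog trace around a connection attempt from a single terminal. All paths are passed as arguments; nothing here is part of the Cisco client itself.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions around the
# Cisco VPN client install and troubleshooting steps. Assumptions: paths are
# passed as arguments; EXPECTED_PATCH_SHA256 is a placeholder for a digest
# you obtained from a source you trust, not a real value.

EXPECTED_PATCH_SHA256="PLACEHOLDER_FILL_IN_FROM_A_TRUSTED_SOURCE"

# Profile name for "vpnclient connect": the .pcf file name without the suffix.
pcf_profile_name() {
    base=$(basename "$1")
    case "$base" in
        *.pcf) printf '%s\n' "${base%.pcf}" ;;
        *)     return 1 ;;
    esac
}

# Compare a downloaded file's SHA-256 with the expected digest; fail on mismatch.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# The "touch autoconf.h" step, but only if the header tree for the running
# kernel is really there (a missing tree is a common cause of compile errors).
ensure_autoconf_h() {
    headers="${1:-/usr/src/linux-headers-$(uname -r)}"
    [ -d "$headers/include/linux" ] || { echo "no kernel headers at $headers" >&2; return 1; }
    [ -f "$headers/include/linux/autoconf.h" ] || touch "$headers/include/linux/autoconf.h"
}

# Verify the patch, dry-run it, and only then apply it inside the unpacked
# vpnclient directory, so a failed hunk never leaves a half-patched tree.
apply_patch_safely() {
    srcdir="$1"
    patchfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")   # absolute, survives the cd
    verify_sha256 "$patchfile" "$EXPECTED_PATCH_SHA256" \
        || { echo "patch digest mismatch, refusing to apply" >&2; return 1; }
    ( cd "$srcdir" && patch --dry-run < "$patchfile" >/dev/null ) || return 1
    ( cd "$srcdir" && patch < "$patchfile" )
}

# The troubleshooting recipe in one terminal: start ipseclog, attempt the
# connection, stop the log and show its tail so symptoms and log events line up.
connect_with_log() {
    profile="$1"; logfile="${2:-/tmp/vpnclient-$$.log}"
    ipseclog "$logfile" &
    logpid=$!
    vpnclient connect "$profile"
    rc=$?
    kill "$logpid" 2>/dev/null
    tail -n 40 "$logfile"
    return "$rc"
}
```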
The following sites/blogs were very helpful in drafting this post:
http://leifmadsen.wordpress.com/2009/11/27/cisco-vpn-client-on-ubuntu-karmic-9-10/
http://ilapstech.blogspot.com/2009/09/cisco-vpn-client-on-karmic-koala.html
http://www.lamnk.com/blog/vpn/how-to-install-cisco-vpn-client-on-ubuntu-jaunty-jackalope-and-karmic-koala-64-bit/