Because I am Here

Disaster Recovery Collaborative Work Order System

Titus — Thu, 20 Dec 2012 16:02:21 +0000

Update 24 Mar 2013: I have Finally launched the Official Crisis Cleanup Blog, including a more up-to-date version of this post.

Over the past several months a few developers and I have created a Collaborative Work Order System for disaster recovery (now at CrisisCleanup.org, Twitter: @CrisisCleanup). The project is open source under the Apache 2.0 License, and is a gift to the community. The system is now being used to manage recovery efforts in Connecticut, New York, New Jersey, Mississippi, and Georgia. The National VOAD will formally adopt/assume the project in May at the National VOAD conference. Many thanks to the dedicated work of Andy Gimma, Jeremy Pack, Chris Wood and dozens of others who have made this volunteer effort more successful than I could have ever imagined at the outset.

The platform implements a “Craigslist” philosophy to recovery efforts—organizations that are aware of work orders enter them into the system, and organizations with capacity to help can claim and perform the work without interference from any centralized organization. This minimizes duplication and maximizes communication, coordination, and efficiency.

No single organization can guarantee that any of the individuals in the system will be served. However, using the same system will permit inter-agency coordination, situational awareness, and help participating organizations prioritize their limited resources. And sharing work order information among dozens of organizations maximizes the chances that a client will receive help.

As of right now, more than 90 relief organizations and agencies with more than 30,000 combined volunteers are using the system to coordinate Hurricane Sandy relief efforts. The system is managing more than 4,900 homes in need of gutting and rebuilding from Connecticut, Long Island, New York, New Jersey, Mississippi and Georgia.

There are three requirements for an organization to participate in the system:

An organization must have a physical presence in the disaster area.
An organization must either perform home assessments and/or perform gutting, mucking-out, debris removal, mold abatement, or rebuilding.
An organization must be reputable. This generally means that the organization must be non-profit, or a member of National VOAD, a state VOAD, a County VOAD/COAD, a local government agency, or come recommended by a VOAD member or government agency.

The current implementation requires a password. However, I have posted a training video that explains how the system works. I’ve also included screenshots below.

Philosophy Behind and Limits to the Collaborative Work Order System

The system is based upon a few foundational philosophies:

Retired Admiral Thad Allen observed that in the military, they operate under a “Unity of Command,” but in private sector disaster recovery, the best you can hope for us “Unity of Effort.” This tool facilitates Unity of Effort without striving for the mirage of private sector Unity of Command.
I don’t want to be in charge of your organization’s activities, or tell you what to do.
The system should enable, not interfere with your existing business processes.
No single organization should be in charge of others without their consent.
The system should make collaboration and communication not only convenient, but required.
This is not the “One App to Rule them All.” Do not stray too far from the system’s strengths.
The system is open (but not public), and should therefore not contain sensitive personal information.

App Development Philosophy

There are two approaches to app development. The first is to create a mammoth, fully-integrated system that tries to be all things to all people. Sahana is a great example of this approach. However, even the most successful of these apps can be overwhelming and tend to be a jack of all trades but master of none.

The second approach is to try and create a relatively lightweight app that does only one thing very well. These apps are generally far more user-friendly; but their success comes with a cost. Without careful curation, these apps can be highjacked, forced to do things outside their core competency, and grow into unwieldy mammoths.

The Collaborative Work Order System definitely falls into category 2. There is no such thing as “The One App to Rule Them All,” and this is no exception. The Collaborative Work Order System excels at coordinating tens or hundreds of thousands of volunteers from multiple organizations, to thousands or tens of thousands of work order sites across a large geographic area; improving communication, and improving inter-organization coordination. But there are certain things for which it should never be used.

For example, because the system is open (but not public—there is an important difference), it is inappropriate to use the system to store sensitive personal information. The system’s power to coordinate and facilitate communication comes from its openness; but some things were not meant to be shared, such as confidential case management information, volunteer details, etc. The Collaborative Work Order System is not, and can never be, all things to all people. The Collaborative Work Order System should never be used to store sensitive personal or case management information.

Why a Collaborative Work Order System Hasn’t Been Developed Before

In the disaster recovery community, we talk a good deal about VOAD’s 4Cs: Cooperation, Communication, Coordination, and Collaboration. One reason these ideals are so difficult to achieve is because, even though we don’t like to admit it, most disaster recovery organizations are essentially competitors. Of course, we all get along in the field, forging deep and lasting friendships while we labor side-by-side in the service of our fellows in distress. But almost all relief organizations (with exceptions like Mormon Helping Hands and Occupy Sandy) rely upon grants to fund their operations.

Passive competition for scarce grant resources means that every organization wants to be in charge. In an effort to qualify for the next grant, each organization strives to direct the work of other organizations and, most importantly, each organization wants to control the flow of information. These tensions create natural barriers to the 4Cs.

In addition, organizations with employees have a tendency to perpetuate inefficiency. Even though efficiency saves the organization money, efficiency may also eliminate jobs. Therefore, most bureaucracies are suspicious of or downright hostile towards new or efficient technologies.

In short, a collaborative work order system hasn’t been developed until now because: 1. Everybody wants to be in charge; and 2. Internal bureaucratic interests run counter to efficiency.

My Unique Opportunity

First, allow me to start with a disclaimer: The Collaborative Work Order System is neither developed nor formally endorsed by The Church of Jesus Christ of Latter-day Saints/ Mormon Helping Hands, and this blog post represents my own opinion and not the official position of the Church. In my role as New Jersey VOAD representative for the Church, I have had a wonderful opportunity to tackle these difficult problems during Hurricane Irene, the June 2012 derecho storms, and Hurricane Sandy. First, because Mormon Helping Hands relief efforts do not rely on government grants, it has no economic incentive to be “in charge” of other organizations. We just want to help everyone get the job done.

As a result, I designed the system so that no single organization is capable of controlling the information or governing other organizations without consent. The technology permits, but does not require oversight. Who is in charge? The answer to that question is the same as this question: “Who is in charge of Craigslist?”

This non-threatening approach is designed to facilitate an organization’s existing business processes, rather than impose new processes. As Joseph Smith taught, people can “govern themselves” when they operate according to correct principles. And based upon the participation of more than 90 organizations, the approach works.

Second, unlike most other relief organizations, Mormon Helping Hands relies exclusively on volunteers with families and full-time jobs. Unlike employees, volunteers have a natural inclination to work efficiently, and are therefore more open to adopting disruptive or efficient technologies. Mormon Helping Hands volunteers (as well as Occupy volunteers) don’t get paid, and if they’re anything like me, they must hold down a full-time job make time to see their wife and five cute kids. Volunteering efficiently improves my personal bottom line.

Real Innovation

The Collaborative Work Order System’s technology is not new or particularly innovative. Due to the great work of developers like Jeremy Pack, the user interface is great, but not groundbreaking. In fact, if I leave you with the impression that the Collaborative Work Order System is just a cool technology, then I have failed. This system does not evangelize technology; it evangelizes a philosophy.

The real innovation of this system is the ability to coordinate tens of thousands of volunteers from dozens of organizations to thousands of sites after a disaster. The Collaborative Work Order System proves that it is possible to create a near frictionless technological platform where inter-organization Cooperation, Communication, Coordination, and Collaboration is not only convenient, but required.

Next Steps for Development

Since launching CrisisCleanup.org, the mostly volunter-driven project has received a lot of attention from FEMA, and VOADs across the country. If all goes well, I intend to give long-term stewardship of the project to National VOAD, which will be in a better position to evangelize and maintain the project long-term.

In the meantime, we’re working on some big upgrades. Well, they won’t look big to end users, but they require some heavy lifting in the database. Here is a current list of development priorities:

Create a new Incident on the fly
Streamline joining CrisisCleanup.org, and allow organizations across the country to join during peacetime.
Adapt the tool for Long-Term Recovery (LTR) including Rebuilding and Refurbishing.
Import Work Orders
Public-facing, de-identified and blurred map
Duplicate work order detection and merging
Fully-functional administrative back-end
Create a Mobile interface
Manage Spontaneous Unaffiliated Volunteers (SUVs) and connect SUVs with volunteer organizations
Enable a separate “Canvassing” map that will allow others to see which areas have been canvassed, and which have been ignored
Send Text Messages to Team Leaders with Work Order Information
More easily contact other organizations in the field

As you can see, we have a long list of high priorities. We’re making slow progress, but hopefully we’ll be able to get some funding to continue development.

Participating Organizations

The following organizations are or have participated in the Collaborative Work Order System:

Adopt A House	MHH-Philadelphia PA Stake
All Hands Volunteers	MHH-Plainview NY Stake
American Baptist Men USA	MHH-Queens NY Stake
AmeriCorps St. Louis	MHH-Scotch Plains NJ Stake
Americorps VRC	MHH-Valley Forge PA Stake
Bergen County VOAD	MHH-Westchester NY Stake
Carolina Baptist Relief	MHH-Williamsport PA Stake
Catholic Charities, Diocese of Camden	MHH-Wilmington DE Stake
Christian Aid Ministries	MHH-York PA Stake
Convoy of Hope	MHH-Yorktown CT Stake
Durand Masonic Lodge	Nassau County Office of Emergency Management
Friends of Rockaway-World Bank	NECHAMA
GNJAC Methodist ERT	Never Alone, Never Afraid Inc.
GNJUMC – Methodist ERT	New York Cares
Habitat for Humanity of Bergen County	NJ 211
Habitat for Humanity, Westchester County Chapter	NYAC United Methodist Church
Health and Welfare Council of Long Island	Oceanport NJ OEM
ICNA Relief	Poured-out
Inc. Village of Patchogue	Presbyter of Elizabeth Disaster Recovery Team
Islamic Relief USA	Rebuilding Together Bergen County
Jersey Cares	Rebuilding Together NYC
Lamb’s Chapel	Regional Catastrophic Planning Team
Lindy Manpower	Respond and Rebuild
Long Island Volunteer Center	Samaritan’s Purse
Lutheran Disaster Response	Sayville Chamber
Lutheran Social Ministries of NJ-Lutheran Disaster Response	Staten Island Council of Churches
Mastic Shirley COAD	Team Rubicon
Mennonite Disaster Service	Tennessee Baptist Disaster Relief
MHH-Brooklyn NY Stake	The Bonner Center
MHH-Buffalo NY Stake	The Salvation Army – Suffolk
MHH-Caldwell NJ Stake	UMCOR
MHH-Centreville VA Stake	United Methodist Church
MHH-Cherry Hill NJ Stake	United Way 2-1-1 Hudson Valley
MHH-Columbia MD Stake	United Way of Central Jersey
MHH-Dover DE Stake	United Way of Monmouth County
MHH-East Brunswick NJ Stake	United Way of Northern NJ
MHH-Frederick MD Stake	Virtua
MHH-Lynbrook NY District	Volunteer Army Foundation
MHH-Morristown NJ Stake	Washington State Conservation Corps
MHH-New Haven CT Stake	World Cares Center
MHH-New York NY Mission	World Renew Disaster Response
MHH-New York NY Stake	Zakat Foundation of America
MHH-Paterson NJ District

FAQ

Scope of Project: The system is primarily focused on the assessment, gutting, and rebuilding phases of recovery. It does NOT handle case management, inventory control, or volunteer management, etc. However, it will track volunteer hours.
Can the system be adapted outside of the New York/ New Jersey area? Yes. The system is geographically agnostic.
How much does the system cost? I don’t charge (and don’t plan on charging) organizations to use the system. In addition, the code is free to download, adapt, and install. It is open source, provided under the Apache 2.0 license, and was created by volunteers. Although the code is free, hosting and programming is not. Hosting costs vary from $50-$200 per month, depending upon usage. Ongoing programming support will also require funding. Right now a generous volunteer is paying for the hosting out of his own pocket, and volunteer programmers have created the system. I will probably need a long-term funding source.
Have you considered crowdsourced funding? Yes, I’ve considered everything, including crowdsourced funding. But I only have so many hours in each day, and when I’m not cleaning up a hurricane or being a dad, I have a pesky full-time job to maintain. If you’d like to help get funding, drop me a line.
Can I install a version for myself? Yes, but I wouldn’t recommend that right now. You’ll need your own developer, and because the system is being improved, you’ll have to manually install all new patches as they come out. Instead, the system will be designed to handle any number of new incidents as they arise. You will be able to create a new incident in the existing system, any time.
What if a disaster happened tomorrow in my state? Could we use this system? Short answer: Yes. Long answer: Right now it will take 6-12 hours to set up a new incident in the system. We’re making programming improvements that should turn around that time to near zero.
What are the long-term plans for the system? The code will always be open source and available to anyone who wants it. I hope to be able to offer the service for free to any voluntary organization who needs to use it, also. But I’m making this up as I go along, and I feel like I’ve been constructing an airplane while in free-fall, writing the owner’s manual and giving status updates for the past 2 1/2 months.
Will the system do case management? No. Because of the open nature of the system, it is not appropriate to store or track confidential case management information using this system. The system is primarily focused on the assessment, gutting, cleanup, and rebuilding phases of recovery. It does NOT handle case management, inventory control, volunteer management, etc. However, it will track volunteer hours.
Will the system adapt for long term recovery? Yes, with limits. We are adapting the system to do long term recovery for property, but not other aspects of LTR, such as case management.
What does the system do best? The system is designed to organize and coordinate tens or hundreds of thousands of volunteers from multiple organizations, to thousands or tens of thousands of work order sites across a large geographic area; improve communication, and improve inter-organization coordination. It has been successfully used to deploy more than 30,000 volunteers during Hurricane Sandy, and manage more than 4,600 work order sites.
Will this system manage Spontaneous Unaffiliated Volunteers (SUVs)? No, not really. Because the system includes location and contact information for clients, it would not be prudent to allow the entire public to access the system. Consequently, SUVs must first affiliate with an organization before using the system.
This system is great! Can you make it do something else?: Yes! If you give me a programmer (or a grant), it will be done tomorrow. Until then, the answer is probably “not for a while,” but there is probably a workaround that will get the job done for now.
Bugs: We’ll fix bugs as volunteer programmers have time.
How do I…? I cannot provide technical support. I have found that the training video answers 95% of questions. Please watch it. If you figure out how to do something, chances are someone else would like to hear about it. PLEASE email me your how-to, and I will include it in the knowledge base.
Will you give me a report? No. I’ll probably give you a username and password and let you pull your own reports.
Information for Programmers: The source code is released under a Apache 2.0 License. Here is a list of open issues. Please grab a bug, submit a patch, and start working!
Programmer Skill Set: Python, Javascript, with Google Maps familiarity. Familiarity with appspot.com is beneficial. I also need help developing the database schema, and laying a good foundation for others to build upon.

I’m in desperate need of volunteer programmers. I feel like I’ve been constructing an airplane while in freefall, writing the owners manual and giving hourly status reports for the last 1 1/2 months. We’re now gliding, but I need help building the rudder, landing gear, and gas gauges. Please comment below if you’re interested in helping out. Thanks!

Screenshots

A Christmas Vision: Dedicated to Emilie Parker

Titus — Mon, 17 Dec 2012 13:24:18 +0000

A Christmas Vision

Music and lyrics by Hayley Winslow. Adapted from a poem by Edgar Howard on the death of his young daughter.

A Christmas Vision- Hayley Titus, Edgar Howard (MP3 Audio)
A Christmas Vision (Live Recording)

Perhaps this Christmas time is like all Christmas tides gone by.
Children’s faces are as bright with every sparkling eye.
Each face reflects a picture of a heart that throbs with cheer,
And yet it does not seem the same because she is not here.

The church choir sings the same Christ songs they’ve sung two-thousand years.
Priests and preachers tell God’s love ‘nor speak of hell or fear.
The wide world wears the same glad garb with Christmas joy and cheer,
And yet it does not seem the same because she is not here.

So few years she was my child; I held her in my arms.
Now I live without her and must hold her in my heart.
I yearn to find a sweet release at this joyous time of year,
But still my poor soul suffers, for I know she is not here.

Last night I saw a vision, of a child with laughing eyes,
and heard her speak a message from her place in Paradise,
And the message told me truly that one day I may share
A Christmas with the loved and lost- not here, but there.

My Great Great Grandfather, Edgar Howard lost his young daughter, Martha, at the age of 10. He wrote this poem which has been adapted and set to music by my sister, Hayley Winslow. On behalf of our family, we re-dedicate it to Emilie Parker, her family, and the families of all those who lost children and loved ones in Newtown, Connecticut.

Edgar’s words helped heal my heart from the distance of a hundred years; I pray that his words and Hayley’s voice may heal many more hearts this Christmas.

A Christmas Vision.

Original Poem by Edgar Howard

Perhaps this Christmas-time is like all Christmas-tides gone by.
The children’s faces are as bright, and every sparkling eye
Reflects the picture of a heart that throbs with Christmas cheer,
And yet it does not seem the same, because–she is not here.

The church choirs sing the same Christ songs they’ve sung two thousand years,
And priests and preachers tell God’s love, nor speak of hell and fears.
The wide world wears the same glad garb with Christmas joy and cheer,
And yet it does not seem the same, because– she is not here.

Last night I saw a vision of a child with laughing eyes,
And heard her speak a message from her place in Paradise;
And the message told me truly that one day I may share
A Christmas-time with the loved and lost–not Here, but There.

Mormon Helping Hands: Southern New Jersey Cleanup Final Report

Titus — Mon, 10 Sep 2012 00:23:44 +0000

On June 29th, 2012 a major thunderstorm made its way across a third of the country, knocking down trees and cutting power to more than a million people.

The damage from this storm in Cumberland County, New Jersey and Atlantic County, New Jersey was severe and wide-spread. Tens of thousands of trees crushed roofs and cars, blocked roads and driveways, and downed power lines. This animation from the University of Wisconsin—Madison illustrates the extent of the storm. Southern New Jersey was by no means the only place affected by this massive storm.

About one week after the storm, the Offices of Emergency Management for Cumberland and Atlantic Counties asked members of the New Jersey Volunteer Organizations Active in Disasters (VOAD) to assist with clean-up and tree-removal efforts. In particular, they requested help on behalf of senior citizens and disabled individuals who could not otherwise clean up downed trees. The Church of Jesus Christ of Latter-day Saints participates in New Jersey VOAD.

Under the direction of Ahmad Corbitt, President of the Cherry Hill New Jersey Stake (a stake is similar in size to a Catholic diocese) of The Church of Jesus Christ of Latter-day Saints, more than 700 Mormon Helping Hands volunteers, a dozen UMCOR volunteers, and several Boy Scouts and Comcast Employees from New Jersey, Delaware and Pennsylvania enthusiastically donated 4,859 hours to Southern New Jersey senior citizens. Volunteers responded to 314 requests, and saved New Jersey senior citizens an estimated half-million dollars (~$529,000) in tree removal expenses.

This Google Earth animation and KMZ file illustrates the extent of the service volunteers provided, between July 15, 2012 and August 25, 2012.

Mormon Helping Hands volunteers worked in coordination with the Cumberland County, New Jersey Office of Emergency Management; the Atlantic County, New Jersey Office of Emergency Preparedness; New Jersey 2-1-1; the United Methodist Church’s UMCOR volunteer organization; the New Jersey VOAD; the Burlington County, New Jersey Council and Southern New Jersey Council of the Boy Scouts of America; Comcast employees; the New Jersey Governor’s Office on Volunteerism; and the Emergency Management departments of several cities and townships in the Garden State.

About The Church of Jesus Christ of Latter-day Saints

The Church of Jesus Christ of Latter-day Saints (commonly called the “Mormon Church“) is a Christ-centered faith with more than 14 million members worldwide. Mormon Helping Hands is a Church program to provide community service and disaster relief to those in need. Members of the church are encouraged to volunteer in the community. The Church will soon open the new Philadelphia, Pennsylvania Temple.

Instructions for Running the Southern NJ Mormon Helping Hands Clean-Up KMZ file

To open the animation in Google Earth (cleanup_timeline.kmz), follow these steps:

If you have not done so already, download Google Earth.
Download and save 2012-08_mhh.zip
Unzip 2012-08_mhh.zip. It should contain:

A file named “readme.html”
A folder named “htm”
A file named “cleanup_timeline.kmz”

Install and run Google Earth
In Google Earth, open “cleanup_timeline.kmz”
By default, the playback will take only 30 seconds (which is way too fast). For optimal playback, follow these steps (click to enlarge images):

Slide the Time slider all the way to the right.
Slide the “Span” section of the time slider all the way to the right. This will make sure that you’re only seeing one slice of time in each frame. If you run the time slider and it just looks like slides are being piled on top of one another, make sure you adjust this setting.
Slide the Time slider all the way to the left.
Click the (+) button twice until the date on the left says “7/15,” and the date on the right says “7/22.”
Click the Setup button that looks like a wrench. Change the “Animation Speed” to roughly halfway between “slower” and “faster.”

Click the Play button to see the animation.
You may listen to the The Time To Run by Dexter Britain that serves as the sound bed for the YouTube clip. It is distributed under an Attribution-NonCommercial-ShareAlike License.

September 11th, 2011: Create in Bold Defiance

Titus — Sat, 10 Sep 2011 10:54:46 +0000

I was not in Washington DC or New York ten years ago on that shattered Tuesday, but the deaths of thousands weighed heavily on us all. I spent the day in college and work, physically exhausted and emotionally wounded. The Eleventh of September was a dark day, and it seemed as though the flame and smoke of that morning had choked every source of inspiration. I had no desire to do anything, and it seemed as though my mind and soul had been smothered.

That afternoon my architecture professor, Julio Bermudez, gave lengthy instructions about a drawing assignment in his thick Brazilian accent. I don’t remember a word of that lecture. None of us cared about drawing, or school, or work. The very mention seemed trivial and sacrilegious. At the end of the lecture, he told us to go outside and draw. For the first time that day, my utter numbness turned to indignation and then anger at his triviality.

Then, sensing our irritation, he paused; and began speaking to us as Architects. “Today we have witnessed the most anti-architectural act conceivable… We are Architects. We do not believe in death and destruction. We believe in life. We create. I know many of you are angry right now. I am angry. You want to retaliate. Right now it seems trivial to go out there and draw. But if you really want to retaliate against what happened today, if you really want to take a stand and make a difference, then go out and do Architecture. Go and create, and you will retaliate in the best way you can. Now, go out and draw!”

No more appropriate words were ever said than at that time. As members of our religions and communities, we do not believe in death and destruction. We believe in life. We believe in peace. We create. Ten years later, that terrible moment inspires me to serve with a purpose, and create in bold defiance of everything that is murderous, destructive and evil.

How to Build Your Own Hurricane Irene Hand Sump Pump

Titus — Sat, 27 Aug 2011 04:30:33 +0000

Instructions to Construct a Manual Auxiliary PVC Pipe Sump Pump

UPDATE: 8/28 9:00AM EASTERN: The power went out last night at 2am and didn’t come back on until 8:15am. The pump worked well, but I completely underestimated the volume of water entering my basement. I could not pump fast enough, so we retreated, and Hurricane Irene gave us an 18-inch indoor swimming pool in our basement.

I made a hand pump to avoid basement flooding, just in case the power goes out and the sump pump stops working. Pictures below. I use the following Materials:

1 @ Wood 3/4″ wood board suitable to secure the pump and stand on
10 feet 1 1/4″ PVC Pipe
5 feet 1″ PVC Pipe
1 foot 3/4″ PVC Pipe
1 @ 1 1/4″ PVC T-Connector
1 @ 1″ PVC T-Connector
6 feet hose, ~1 1/4″ outside diameter
1-4 @ 1 1/4″ PVC Elbow Connectors
2 @ 1 1/4″ Straight Connectors
2 @ 1 1/4″ Check Valves
2 feet metal straps
4 screws
1 @ 1 1/4″ to 1″ male/female straight PVC adapter
1 @ 1″ to 3/4″ male/female straight PVC adapter
1 @ 3/4″ Female/female PVC threaded adapter
1 @ metal threaded garden hose adapter
1 @ PVC cap with 1″ outside diameter OR large dowel (to fit snugly inside 1″ PVC)
2 @ #18 O-Rings (1 3/36″ O.D)
1 Table saw
1 PVC Cutting Tool
PVC Primer
PVC Glue

Instructions

The hand pump works by sucking water through one check valve, into a hand-driven piston, then out another check valve, through a garden hose. I created three different connectors for the intake: A hose (most verisitile, but most expsensive), a straight-down connector for my sump, and a rectangular intake connector for

I wish I had time to give detailed instructions. I don’t. Here are some pointers:

Cut the piston to about waist height.
Make sure to tighten the compression rings VERY tight on the check valves. They are the first to blow.
You can plug the 3/4″ piston with a dowel, or any random piece of PVC that will fit over the top. I simply glued mine on.
The pump will work without the O-Rings, but it will leak slightly each time you pump. But in an emergency situation, who cares?
Be careful to not go too deep when cutting the channels for the O-Rings. I used a table saw, and had to cut about 70% into the PVC.
Make the piston shorter than the shaft, or at least make sure to place the O-Rings higher up the piston. Otherwise, when you push down on the piston, the O-rings will get stuck under the bottom of the shaft, where it enters the T.
I tested it by emptying a pool and pushing water up 8 feet through a garden hose. It works.
There is no need to glue the intake pipe or hose.
Pump was inspired by a design created by a 6-year-old boy.
Total cost, not including tools was around $50. The hose cost $23, and was the most expensive part.

Entire Pump with all attachments

I just wanted to demonstrate that you can attach multiple intakes to the pump. In this case, I have a hose, a straight-down intake, and a rectangular intake that will stay at ground level, and go over a barrier.

A wider view of the hose and straight PVC intake pipes. You don't have to glue these on.

I used 3/4", 1" and 1 1/4" PVC pipe for this project.

Don't forget to glue the PVC pipe together. I used metal straps to secure it to the wood. I used #18 O-Rings.

I used #18 O-rings. I had to carefully cut channels into the piston, through about 70% of the PVC to get the O-Rings to fit. Be careful when you cut the channels using a table saw. Sorry the image is turned.

You can use a saw, but these little tools are really handy. They're about $12 at Home Depot.

The 1" Piston fits inside the 1 1/4" pipe. It's a pretty snug fit. It will work without O-rings, but will leak. Then again, if you're in an emergency, who cares if there's a little spray? I'm sorry this one is turned, too.

This is one of the most important details. You can use anything convenient to cap the end of the 1" diameter PVC interior piston. A large dowel would work, too. I just happened to find a miscelaneous piece of round PVC that fit nicely. I used a table saw to cut channels for the O-Rings. It's a very snug fit.

I just used a simple 1" T connector to make the piston handle.

You can see the piston and the shaft side-by-side. The piston is inserted into the shaft. With the O-Rings, it's a snug fit, so you have to make sure to cut the O-ring channels deep enough; but not too deep. IMPORTANT (and not shown here): The O-Rings were too low on the piston, and when I pushed down on the piston the O-Rings got stuck on the bottom of the shaft, where the shaft entered the T. I solved the problem by gluing a stopper at the top of the piston. You can also solve this problem by making the piston shorter than the shaft, or placing the O-Rings higher up the piston.

Make sure that the check valves are pointed the same direction-- away from the intae and toward the garden hose adaptor. I found that the check valve compression rings were the weakest part of the pump, and tended to blow out first. Make sure you TIGHTEN ALL COMPRESSION RINGS very tightly to avoid blowing them out.

The T connector connects two 6-inch pieces of 1 1/4" PVC with the check valves. I secured it with two metal straps. As the piston is lifted, water flows through the intake check valve. As the piston is lowered, the water flows out the outtake check valve.

The outtake check valve is connected to a 1 1/4" PVC pipe, which is adapted down to a 3/4" PVC pipe. Then I added an extra adapter with a female garden hose connector.

NSTIC Identity Ecosystem Marketplace Roles and Concepts

Titus — Thu, 28 Apr 2011 13:23:10 +0000

This post is a follow-up to our April 15, 2011 whitepaper and accompanying presentation.

NSTIC envisions a secure “Identity Ecosystem Framework,” or “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.” While the Identity Ecosystem will provide value to any participant which needs to verify a User’s identity, the Ecosystem will provide tremendous opportunities to streamline the further commoditization of human identity. Without regulation, the NSTIC Identity Ecosystem will create new markets for businesses which thrive on the commoditization of human identity. I identify this resulting market as the “Identity Ecosystem Marketplace.” An Identity Marketplace already exists, and has been admirably illustrated by Luma Partners, LLC and Improve Digital.

The Identity Ecosystem Marketplace includes at least six major roles, as illustrated here. A single organization may fill multiple roles in any given Identity Ecosystem transaction. Some of the definitions here may differ or even conflict with official NSTIC definitions, usually because the official definitions lack clarity within the context of this analysis.

Major Identity Ecosystem Roles and Concepts

A Subject or User is an individual or Non-Person Entity (NPE) which must assert its identity to a Relying Party in order to receive a benefit such as access to a trusted network, bank account access, or access to premium content online.
An Attribute Provider (AP) creates, stores and allows others (such as the Identity Provider and Relying Party) to access or analyze User Attributes, usually under conditions. An Attribute Provider is also usually a Third Party. In the Identity Ecosystem, an Attribute Provider must be trusted as an authoritative source of information. Typical examples of attribute providers might be a government title registry, national credit bureau, or commercial marketing database.
An Attribute is a fact related to a User. Attributes may include traditional PII, information about authority, roles, rights, privileges, or any other fact asserted by a User, Attribute Provider, or Third Party. NSTIC defines “Attribute” as “a named quality or characteristic inherent in or ascribed to someone or something.”
An Identity Provider (IdP) is an organization certified as trustworthy through an accreditation authority. An IdP issues a credential, which corresponds to a piece of information known to the User (such as a password), a biometric attribute, or information stored on an Identity Medium (not represented herein). An IdP is responsible for verifying the credential when used as evidence of a User’s identity. An IdP may collect attributes about the User from Attribute Providers, store those attributes, and compare them against assertions made by the User to a Relying Party. Identity Providers do not guarantee the correctness of attributes obtained from Attribute Providers, but may instead confirm that a Claim made by a User matches information from Attribute Providers. Identity Providers may share User attributes, personal information, and Transaction Information with Relying Parties, Third Parties, Parent Companies and Attribute Providers, in accordance with the Data Usage Policy.
A Data Usage Policy is a contract between a User and Identity Provider, governing the use and disclosure of User information held by the Identity Provider.
Transaction Information is a record of the benefit provided to the User from the Relying Party, and is analogous to a receipt. Transaction Information may include the name of a product purchased, a log of network access and User activity, or services provided.
Identity Medium refers to the physical device that stores an NSTIC-compatible identity credential. Examples of Identity Mediums include cell phone apps, smart cards, or USB computer dongles. Identity Media are not visually represented, and are not required for a transaction.
A Relying Party (RP) is a person or NPE that requires some degree of identity assurance and possibly User Attributes before it will provide a benefit to the User.
A Parent Company is a company which owns or is affiliated with the Identity Provider and/or the Relying Party in such a way that by action of law, ownership or contract, the Parent Company has right to access and use the Identity Provider or Relying Party’s data assets, unless expressly prohibited by law or regulation.
A Third Party is any person, organization, system, or device which has no direct affiliation with the User or the transaction in question. A familiar example of a Third Party is an online advertiser.
For purposes of my discussions, I define a Claim as an assertion that an Attribute is truthful or correct. A Claim may be made by any party. Examples of User Claims are, “I am over 18 years old,” “I am a constituent or citizen,” or “I am authorized to enter your network.” Claims are not visually represented here. In technical circles, a “claim” is an assertion that may be derived by comparing or analyzing one or more Attributes.
According to NSTIC, the Identity Ecosystem Framework is “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.”
The Identity Ecosystem Marketplace is the Identity Marketplace created by the Identity Ecosystem, where Identity Ecosystem Participants may commoditize and trade User identities and Attributes in exchange for benefits. Not all Identity Ecosystem transactions necessarily commoditize human identity. The exchange of identity information in many e-commerce transactions is ancillary to the transaction, and the User pays directly for the benefit of the transaction (e.g. a money transfer, music or movie download). Notwithstanding, the Identity Ecosystem Marketplace enables Participants to more easily commoditize identity as an additional source of revenue. NSTIC recognizes that Participants should not be allowed to buy and sell identity information within the Ecosystem, but does not yet identify a credible mechanism to enforce this requirement.
Fair Information Practice Principles (FIPPs) are Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality and Integrity, Security, and Accountability and Auditing. NSTIC identifies FIPPs as core requirements in the Identity Ecosystem, but stops short of mandating FIPPs.

The NSTIC guiding principles are:

Identity solutions will be privacy-enhancing and voluntary.
Identity solutions will be secure and resilient.
Identity solutions will be interoperable.
Identity solutions will be cost-effective and easy to use.

Through these guding principles NSTIC aims to accomplish its primary goals of:

Privacy
Convenience
Efficiency
Ease-of-use
Security
Confidence
Innovation, and
Choice.

Future posts will explore the interaction of these roles in the Identity Ecosystem Marketplace, and under what conditions NSTIC will be able to meet its goals.

NSTIC as a National ID

Titus — Tue, 26 Apr 2011 17:29:46 +0000

Even outrageous statements on controversial topics often contain flecks of truth. This is an attempt to pan through the muddy waters of NSTIC media coverage in relation to NSTIC to as a “National ID,” identify the golden flecks and nuggets of truth, and frame the debate on this important topic.

As NSTIC develops, we can expect to hear more soundbytes in the public media invoking fear, uncertainty, and doubt (FUD) around NSTIC as a National ID, Internet Passport, Internet ID, or Online Driver’s License. Some of the fear is warranted. Some of it is not. All of the risk and uncertainty should be measured to the fullest extent possible, without freaking out.

Frankly, I do not have a comprehensive definition for a “National ID” right now. Jim Harper, director of Information Policy Studies at the Cato Institute, and author of Identity Crisis: How Identification Is Overused and Misunderstood would have a much better answers than me. Notwithstanding, I have a few comments which I hope will add some clarity to the discussion:

Instituting any sort of national identification can have serious and unanticipated consequences, and should be the subject of a robust public policy debate. History, present and past, is replete with examples of extreme abuse of government-issued identification. To give just two examples, identification credentials played key roles in both the Holocaust and Rwandan Genocide. Other, less dramatic forms of abuse exist wherever identity credentials are issued. For example, the U.S. National ID, commonly known as the Social Security Number, is regularly used to commit crimes we now refer to as “Identity Theft.”

NSTIC is NOT a National ID

Several commentators have expressed skepticism to downright disdain for NSTIC as a back-door approach to instituting a National ID. NSTIC’s defense to these accusations is simple and true, but incomplete: NSTIC is NOT a National ID.

NSTIC itself is not an identification system, much less a National ID. NSTIC is a framework for setting up a structure of interoperable federated identity systems. Each system will be owned and operated by various independent private companies and public institutions, using various technologies with various levels of identity assurance, security, and trust levels. NSTIC is policy, not technology or identification credentials. In fact, I am guilty of a techical faux pas by using the term “NSTIC credential,” since no such thing actually exists. But unfortunately I don’t have a better shorthand way of saying,

“Voluntary identification credentials issued by an accredited private or government Identity Provider which complies with the ‘overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem,’ which are implemented using a range of technologies, mediums, and authentication protocols.”

So I say “NSTIC credential” instead.

I do not attempt to establish a comprehensive definition for a “National ID” here. But when government-issued identification is used to separate individuals into groups, and centralization decreases the transaction costs associated with classifying human identity, bad things can happen.

I decline to call NSTIC a “National ID.” Instead, it is much more prudent to discuss attributes which may be similar or dissimilar to a centralized, federal-government-issued National ID card. I hope that the following table can focus the public discussion on this matter, which is currently lacking articulation.

How NSTIC is Not Like a National ID	How NSTIC Might be Like a National ID
NSTIC credentials are not owned, issued, or managed by the Federal Government, except for IDs issued to government employees.	If adopted by a majority of state governments, NSTIC credentials could become standard in State IDs and drivers licenses. The Federal Government could also embed an NSTIC credential in passports.
Identity Provider Databases are not under government control, except for a few run by the Federal Government for government employees.	Identity and personal information which enters the Identity Ecosystem Marketplace is subject to very little protection against government search and seizure under the 4^th Amendment.
NSTIC is voluntary for the private sector and private citizens.	If adopted by State governments, which control a substantial portion of the identification market, NSTIC credentials could become mandatory and displace private sector identity competitors.
NSTIC credentials are not yet required to access government benefits.	Access to electronic government services may one day require an NSTIC credential.
NSTIC credentials are not primarily designed to classify individuals by a status such as race, religion, age or gender.	NSTIC credentials are designed for classifying people by roles and access to resources; the supporting technology could be easily adapted to expand identity profiles compiled by the private sector that may include age, gender, political beliefs, religion, race, socioeconomic status, etc.
Identity and Transaction Information is not stored in a single, centralized government database.	Identity and Transaction Information is stored in thousands of private databases which may be centralized by the private sector, purchased by the government, or accessible to law enforcement with little due process.
An NSTIC credential is designed for online transactions only.	With more of our lives and business conducted online, widespread adoption of the NSTIC framework could mean that an NSTIC credential may become a functional requirement for participating in online life, with real-life consequences.

I agree with the Center for Democracy and Technology’s Jim Dempsey who said,

The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities… for online commerce.… [T]he government needs an identity ecosystem or identity infrastructure. It needs it for its own services as well as part of the solution to the broader Cybersecurity problem as well as one of the foundations of eCommerce, but the government cannot create that identity infrastructure. Because if it tried to, it wouldn’t be trusted.

I hope this table helps to frame the discussion about NSTIC as a National ID.

Why I Support Jeremy Grant, and Hope NIST Will Too

Titus — Mon, 18 Apr 2011 16:13:49 +0000

Those even remotely familiar with Washington politics know that everything is political. A few agencies such as the Census bureau, attempt to stay above the political fray with varying degrees of success. The National Institute of Standards and Technology (NIST) is arguably the gold standard of apolitical federal agencies. NIST has learned through experience to remain staunchly apolitical by focusing strictly on standards, science, and technology while keeping their noses and fingers well away from policy. As a result, NIST enjoys a good deal of transpartisan respect. NIST zealously (and appropriately) guards its reputation by avoiding policy and politics.

That’s why I’m both excited and worried about NIST’s role in the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). On one hand, this emerging framework will benefit substantially from NIST’s knowledge and capability in technology standards development; and let’s face it, the Department of Commerce was one of the few agencies politically neutral enough to host NSTIC. NIST’s NSTIC team includes notable and respected scientists, academics, and technologists. But as our recent Whitepaper on NSTIC’s policy hurdles illustrates, NSTIC policy requires as much development as the technology.

That’s what makes NIST’s role in NSTIC unique: NIST must not only support the development of standards and technology, but must also develop the policy governing the use of the technology. Or, to paraphrase Scott David, NIST must develop both the “tools” and the “rules.” In recognition of these challenges, the NSTIC team also includes respected policymakers and thinkers led by Jeremy Grant, himself a universally respected policymaker. NSTIC needs both tools and rules to avoid abuse, and the inclusion of policymakers on the NSTIC team is essential to develop both.

In Washington everything is political, especially policy. Very soon the policy and governance debate will begin, and proverbial political bullets will begin flying from every direction. I believe that Jeremy Grant and his team will work hard to navigate the impending battlefield of industry, advocates and government interests. But even intelligent, dedicated and respected public servants like Jeremy Grant and his team need the support and political cover of their agency, NIST. And when the negotiations get divisive, political and ugly, NIST has a tendency to wash its hands of such riff-raff and retreat back into its comfort zone of apolitical academic and scientific research.

Among the worst imaginable disasters for NSTIC is if NIST doesn’t have the stomach for policy development and quietly cajoles the NSTIC team back into NIST’s comfort zone of standards and technology, ceding the policy to those with the most firepower.

Then truly, the war will be lost.

Advocates must watch carefully for signs of a NIST retreat from its uncomfortable role as policymaker. Mr. Jeremy Grant, we do not envy your position; you have our support, and we hope that NIST will support you too.

NSTIC’s Effect on Privacy

Titus — Mon, 18 Apr 2011 16:00:02 +0000

The Department of Commerce released the National Strategy for Trusted Identities in Cyberspace (NSTIC, pronounced “N-Stick”). From a privacy perspective, the 52-page April 15, 2011 Final Draft is a big improvement over the June 25, 2010 Draft.

Also on April 15, 2011, Identity Finder released a 39-page analysis on NSTIC’s effect on Privacy. I was the principal author. The report supports the aspirations of NSTIC, but warns that success is far from assured. NSTIC faces multiple unresolved hurdles to implementing privacy and security in a de-centralized, national framework of interoperable identity systems.

If done well, an ideal NSTIC Identity Ecosystem could establish:

High levels of identity assurance online, increasing trust between Users and service providers
More secure online transactions
Innovation and new services
Improved privacy and anonymity
Increased convenience for Users and savings for service providers

Through extensive analysis, Identity Finder has found that to successfully implement its visions of privacy, security, and secure identities, NSTIC cannot rely on the private sector alone. Identity technologies may be used for profit, or to preserve privacy, but rarely both. While the private sector is best positioned to develop and maintain the framework of federated identity systems, federal policy must balance individuals’ need for privacy and security. In order to be successful, NSTIC must be supported by regulations that:

Hold all Identity Ecosystem Participants to legal and technical standards which implement Fair Information Practice Principles (FIPPs) and baseline privacy and security protocols
Create incentives for businesses to not commoditize human identity
Compensate for an individual’s unequal bargaining power when establishing privacy policies
Subject Identity Providers to similar requirements to the Fair Credit Reporting Act
Train individuals on how to properly safeguard their Identity Medium to avoid identity theft
Ensure that consumers and advocates have a meaningful voice in the development of NSTIC policy

While we’re concerned about the unsolved techological hurdles, we are even more concerned about the policy and behavioral vulnerabilities that a widespread identity ecosystem would create. We all have social security cards and it took decades to realize that we shouldn’t carry them around in our wallets. Now we will have a much more powerful identity credential, and we are told to carry it in our wallets, phones, laptops, tablets and other computing devices. Although NSTIC aspires to improve privacy, it stops short of recommending regulations to protect privacy. The stakes are high, and if implemented improperly, an unregulated Identity Ecosystem could have a devastating impact on individual privacy.

If NSTIC fails to implement the necessary regulations, the resulting Identity Ecosystem could turn into a free-for-all Identity marketplace, and create the following risks:

Powerful identity credentials which, if lost or stolen will enable hyper-identity theft
A false sense of control, privacy, and security among Users
New ways to covertly collect Users’ personal information
New markets in which to commoditize human identity
Few consumer protections against abuse or sharing personal information with third parties
No default legal recourse against participants who abuse personal information without consent

I’ll be writing more blog posts in the coming days exploring some of NSTIC’s unsolved policy hurdles, and why individuals, businesses, and policy-makers should care.

April 2010 General Conference Themes

Titus — Mon, 11 Apr 2011 02:09:47 +0000

After the interest in the Wordle tag clouds I did of the October 2010 General Conference, I decided to analyze themes of the April 2011 General Conference of the Church of Jesus Christ of Latter-day Saints using the same method. I have posted word clouds here that will help visualize the major themes of each session, and the conference as a whole:

Entire April 2010 General Conference

Themes of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Young Women Session

Themes of the Young Women Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Saturday Morning Session

Themes of the Saturday Morning Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Saturday Afternoon Session

Themes of the Saturday Afternoon Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Priesthood Session

Themes of the Priesthood Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Sunday Morning Session

Themes of the Sunday Morning Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

Sunday Afternoon Session

Themes of the Sunday Afternoon Session of the April 2010 General Conference of the Church of Jesus Christ of Latter-day Saints

7 Sources of Data Breaches You’ll Never Hear About: Your Network Drives

Titus — Tue, 05 Apr 2011 06:09:46 +0000

If you think that the tangle of Cat5 in your server room is a mess, wait until you look at your network drive file structure. Licensed from Stock Exchange.

This is the seventh post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, Your Inbox, Your Thumb and External Drives, Your Old Computer, and Your Cloud Backup . Finally, we’ll discuss Your Network Drives.

Most companies have an internal corporate network with one or more shared network drives. If your company network drive is typical, it’s a layered mess of multiple naming conventions, files from employees who haven’t been around for years, and old documents with unrecognizable file extensions. Frankly, it’s impossible for anyone to know exactly what’s there.

Sometimes breaches happen when the internal network is not properly segregated. Only individuals or departments with a “need to know” should have access to sensitive information. The Human Resource department should never have access to trade secrets, while the R&D department shouldn’t have access to HR data. The Executive team should have access to confidential client information, while that information might be best kept away from the Sales department.

Aside from inappropriate network segregation network drives, like all computer devices, are eventually replaced. Old hard drives are sometimes donated to schools, sold on Ebay, thrown away, recycled through Best Buy or a similar program, or just stored and forgotten.

Several researchers, including Simpson Garfinkle, have demonstrated that with a small budget you can recover hundreds of thousands of pieces of personal information from used hard drives. Like other computing devices, old network drives must be scanned and completely wiped of all sensitive personal information before they leave your possession.

Remember the fundamentals rules of all data breaches: 1. If you don’t have it, you can’t breach it. 2. Old, forgotten data is dangerous data. Regularly scan these seven types of devices for personal information so that your next breach doesn’t originate from your own computer.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Old Windows 95 Computer

Titus — Tue, 29 Mar 2011 06:02:47 +0000

Digital pack rat: You probably have a backed-up copy of your old 256 MB hard drive, don't you? Licensed from Stock Exchange.

This is the fifth post in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox, and Your Thumb and External Drives. Next we’ll discuss Your Old Windows 95 Computer.

Technology has made it easier than ever to be a digital pack rat. Cheap and plentiful memory probably means that you have backed-up a copy of your old 256 MB hard drive, which you also have stashed somewhere in your basement. Before blindly making back-up copies of old hard drives, make sure that you first delete any information you don’t want to save.

I see this problem haunt people across the country. Once a week a university professor somewhere in the United States copies an archived copy of an old hard drive to a web server, without realizing that the hard drive contained social security numbers of students who graduated a decade earlier. Within weeks those social security numbers can be available to the world via Google.

If you’re a digital pack rat, make sure you scan those old hard drives for sensitive personal information before making backups. Your old hard drive is one of the biggest sources of preventable data breaches you’ll never hear about.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Thumb Drive

Titus — Thu, 24 Mar 2011 06:49:06 +0000

The Law of Portable Device Breaches says that the risk of losing a device, and the information thereon, is directly proportional to its portability. Licensed from Stock Exchange

This post is the fourth in a series about data breaches you can prevent. We’ve covered Phones and Personal Computing Devices , Your Browser, and Your Inbox. Here we’ll explore Your Thumb and External Drives.

Just about anything that can store information can be used to store sensitive personal information. Whether you use an external drive to back up sensitive data, or use a thumb drive to transfer large files from one computer to another. The Law of Portable Device Breaches (which I just made up) says that the risk of losing a device, and the information thereon, is directly proportional to its portability. In real terms, this extremely scientific law means that you’re more likely to leave your cell phone at the bar than your desktop computer.

Readers of this blog no doubt assiduously delete sensitive information from portable devices on a regular basis. But simply deleting files doesn’t actually erase the data. Just like cranberry juice on white linen, personal information stains hard drives.

Simply throwing a stained table cloth in the washing machine won’t remove cranberry juice stains. Likewise, simply hitting the “delete” key and emptying the recycle bin won’t completely remove personal information from your thumb or external hard drive. The hard drive usually remains stained with the sensitive information, which may be recovered until you proverbially “scrub” the drive. This scrubbing is called “shredding” the file, and typically requires at least a three-step deletion process whereby each byte is individually overwritten.

You should always think twice before copying sensitive files, such as tax documents, pictures, passwords, or confidential documents to removable media. Regularly scan removable media forgotten personal information so that when you leave your thumb drive in the taxicab, you don’t accidentally cause your own data breach.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Browser

Titus — Thu, 17 Mar 2011 06:36:22 +0000

Your Stored Passwords: Not exactly secured. Licensed from Stock Exchange.

This post is the second in a series about data breaches you can prevent. We’ve already covered Phones and Personal Computing Devices. The next source we’ll explore is Your Browser.

Laptops, desktop computers and smartphones all have built-in internet browsers. A typical browser can store hundreds of passwords and usernames, credit card numbers, contact information, and browsing history. Even though we use our smart phone browsers to do a significant number of online transactions, typical smart phone browsers do not allow users the same degree of privacy control as desktop browsers.

Aside from browser hacks and viruses, it’s important to remember that your browser caches remain intact and accessible even after the machine is lost, stolen, or sold. That’s one reason why it’s important to scan your browsers for personal information and delete unnecessary information, and use a master password whenever possible.

I fancy myself a fairly savvy and privacy-aware individual. I use Firefox and have installed several plugins to help me manage my privacy, including Better Privacy, GoogleShairng, a few PrivacyChoice Plugins, and Abine’s TACO. But when I ran an Identity Finder search, even I was shocked to see the depth of information that my browser stored. It was very sobering to see that my usernames, passwords, and credit card numbers were accessible in plain text. Fortunately, Identity Finder allowed me to delete or secure all of that information.
If your browser caches are ever lost, it may represent a significant breach of personal information. So make sure you are aware what information your browser is storing, because you shouldn’t expect to get a letter in the mail if it ever falls into the wrong hands.

Article first published on Security Catalyst.

7 Sources of Data Breaches You’ll Never Hear About: Your Phone

Titus — Tue, 15 Mar 2011 06:31:28 +0000

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter, telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.

Remember when cell phones were telephones? Those days are long gone. The current generation of smart phones are powerful computing devices which just happen to also make phone calls.

Your personal computing devices perform almost all of the functions of a laptop computer. Smart phones, iPads, Kindles, and other devices are notoriously easy to lose, and store gigabytes of files, passwords, credit card numbers, social security numbers, digital photos, address books, and email attachments. Because of the wealth of personal information on a cell phone, most people would rather lose their wallets, and nearly all respondents to a 2009 survey said they would be “devastated” if they lost their phone.

Upgrading your phone can be as risky as losing it. Some people donate their old phones to charity or sell them on Ebay, and experts warn that personal information on the phone could easily be mined and re-sold. Periodically search your cell phone for personal information, and make sure that you digitally shred the entire contents of your mobile device before you get rid of it.

Article first published on Security Catalyst.