
Tuesday, June 24, 2014

3 UX Mistakes That Make Sites More Hackable


Drew Davidson of ÄKTA points out simple design improvements companies can make to prevent security mishaps.
Do you know that the URL bar in your browser is a potential security hole? I didn't either. I barely look at the thing unless I'm punching in a search term. But according to Drew Davidson, vice president of design at ÄKTA, that thin strip of UI chrome is a little keyhole that a hacker can use to infiltrate a company's website.
As Charles Eames famously said, "the details are not the details. They make the design." Here are three subtle mistakes your company might be making in user-experience design that open you up to a breach.
1. The security features of your UI are a pain in the ass.
Wait a minute--aren't fancy security measures like two-step verification all the rage now? (Just ask Google and Dropbox.) The counterintuitive truth, says Davidson, is that the trickier you make your site's interface--even for a good cause, like protecting the user's data--the more likely your user is to actively undermine it.
"Security policies that introduce too many steps are not effective," Davidson explains, "because people will tend to do something imprudent--like setting a basic password--in order to make navigating the UI easier."
Davidson cites a file-storage company (which he can't name) as an example: "There’s literally 25 steps to go through before you can create an account." This might make some sense if the company's customers were only uploading sensitive information like medical records or social security numbers. But in reality, most of the users are just "using the software for Dropbox-like functionality, like storing resumes and photos," Davidson says. The inappropriately Fort Knox-like UI design backfires as users cope by making their own data even less secure. It's lose-lose.
2. Your user interface is full of peepholes into your backend systems.
Here's where that URL bar can become a problem. "When you’re in a checkout process, many sites use different vendors to power that process," Davidson says. "You can see the URL changing as you click through the checkout, and it can tell a hacker exactly which systems you're using for which parts of your process, so they can infiltrate it that way."
Vendor names, software libraries, and even file and folder structures can be left hanging out in the open accidentally. Davidson says that this was how Edward Snowden got his hands on NSA files he wasn't supposed to be able to access. The NSA's software interface showed him exactly where to look for sensitive materials, even though he didn't have access to actually open them. Armed with that information, Snowden was able to use the command line as a "back door." The UI design technically prevented him from walking in the front door, but certainly helped him case the joint.
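A site owner can check their own checkout flow for the kinds of disclosure described above. The following is an added example, not code from the article or from ÄKTA: it audits a list of URLs recorded while clicking through a flow and flags visible vendor hand-offs, file extensions that reveal the server stack, and versioned library paths. The domains, the sample flow and the extension table are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Illustrative (assumed) mapping of file extensions to the stack they reveal.
STACK_EXTENSIONS = {
    ".php": "PHP",
    ".aspx": "ASP.NET",
    ".jsp": "Java/JSP",
    ".cfm": "ColdFusion",
}

# A path component such as "examplelib-1.4.2" or "examplelib/v2.0".
VERSIONED = re.compile(r"([A-Za-z][\w.]*?)[-_/]v?(\d+\.\d+(?:\.\d+)?)")

# Constructed sample data: the site's own domain and the URLs seen in one checkout.
FIRST_PARTY = "shop.example"
SAMPLE_FLOW = [
    "https://www.shop.example/cart",
    "https://www.shop.example/checkout/address.aspx?step=2",
    "https://pay.vendor-payments.example/session/abc",
    "https://www.shop.example/static/libs/examplelib-1.4.2/checkout.js",
    "https://www.shop.example/order/confirm",
]


def audit_flow(first_party, urls):
    """Return (url, finding, detail) tuples for what each URL gives away."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path

        # 1. The address bar shows a hand-off to another company's system.
        if host != first_party and not host.endswith("." + first_party):
            findings.append((url, "third-party-host", host))

        # 2. The file extension of the last path segment names the server stack.
        dot = path.rfind(".")
        ext = path[dot:].lower() if dot > path.rfind("/") else ""
        if ext in STACK_EXTENSIONS:
            findings.append((url, "stack-extension", STACK_EXTENSIONS[ext]))

        # 3. A folder or file name exposes a library and its exact version.
        match = VERSIONED.search(path)
        if match:
            detail = f"{match.group(1)} {match.group(2)}"
            findings.append((url, "versioned-component", detail))
    return findings


if __name__ == "__main__":
    for url, finding, detail in audit_flow(FIRST_PARTY, SAMPLE_FLOW):
        print(f"{finding:20} {detail:30} {url}")
```

Each finding is a candidate for a fix on the site's side, such as proxying the vendor step under the first-party domain, routing without file extensions, or serving libraries from unversioned paths.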
3. No one at your company really knows how to use your backend software.
Why is it that Medium, Instagram, and Tumblr can make complicated functionality feel effortless, but most enterprise software makes even the simplest manipulations feel like torture? Davidson says that the simplest thing a company can do to make its software secure is to ensure that its employees know how to use it.
"Things like the role of administrators, making sure there’s a permissions system in place that is robust and alerts you when someone’s doing something they’re not supposed to be doing--almost all of these systems are extremely clunky and hard to use," Davidson says. "It’s not clear who has access to what, and when, and for how long. It’s totally a UI problem: all the security engineering in the world isn’t going to prevent someone from checking the wrong box if it's not clear to them what they're doing."
Implementing these changes might be easier said than done, but they acknowledge that security is a "people problem," not just a technical one. Designing tools that let the people we trust with our data actually do their jobs--and don't compel us to do them poorly ourselves--should be the starting point, not an afterthought. If a hacker wants in, he or she will almost surely find a way. But we don't have to invite him in.

Sunday, June 8, 2014

Are You Network Literate?

The Information Age to the Networked Age: Are You Network Literate?

 
It’s said that when architects walk through an office, they see ceiling ornamentation, light sources, building acoustics. When psychologists walk through an office, they see unresolved father issues and avoidant personality disorders. When I walk through an office, I see networks. I know that makes me sound like the kid from The Sixth Sense. But I don’t see dead people. I see networks.
When you truly see networks, it changes the way you plan and strategize. You move differently.
Take job hunting. The Networked Age has radically changed this activity, and yet when you ask people how they look for a job, a surprising number continue to say they “search the job listings.” That’s the Information Age approach! In the Networked Age, you should look for people with connections to companies you’re interested in, trace the best path from those connections to people who can share useful intelligence, and then ask for introductions to those people.
Or consider investing. In my work at Greylock Partners, I don’t form an investment theory and then go search for a startup that fits this theory. Nor do I purchase ad space in the Yellow Pages and hope that talented entrepreneurs let their fingers do the walking until they find me. Again, those are Information Age approaches.
The Networked Age approach? I focus on being a great ally to my network, and developing strong relationships where the information flow is highly reciprocal. I put myself at as many key intersections in my networks as I can. As a result, my network inevitably ends up connecting me with great entrepreneurs and great investments.
A decade ago, John Battelle stressed the importance of “search literacy.” What he meant was that people who were skilled at using Google to find information had an edge over those who had yet to acquire this aptitude. In the Information Age, if you couldn’t make sense of an increasingly information-rich world through effective search capabilities, you’d be culturally marginalized, just like a person who couldn’t read street signs.
Now, those who can conceptualize and understand networks – both online and off – have an edge in today’s fast-paced and hyper-competitive landscape, where the speed with which we can make informed decisions is critical. To wit, the subtitle of my forthcoming book is "Managing Talent in the Networked Age" -- I think the networked age changes everything.
I like to use the word “literacy” in this context because it suggests a fundamental skill, a capability you must possess in order to effectively navigate the world. An illiterate person, a person who can’t read street signs or complete job applications, has limited opportunities compared to others who possess these skills. A literate person moves freely and capably through the world.
So how do you know when you’re network-literate? I think in terms of three levels that signify ascending competency:
  1. Apprentice: Using network technology
  2. Journeyman: Establishing a network identity
  3. Master: Utilizing network intelligence
Apprentice: Using network technology
At this most basic level of network literacy, you’re part of some networks. You have a Facebook profile, a LinkedIn profile, etc. You’re using these networks to keep in touch with people you know, and on occasion, you may even use them to facilitate new connections.
While you may not be completely fluent yet, you understand that Facebook is more than just a place to announce what you had for lunch – it’s a place to strengthen personal relationships. Similarly, you know that LinkedIn is more than just a repository for your digital resume. You use phrases and keywords with deliberate intention, to maximize your discoverability by the kinds of people you want to be found by.
In the case of my own LinkedIn profile, for example, my headline isn’t “Executive Chairman of LinkedIn.” It’s “Entrepreneur. Product Strategist. Investor.” That’s because my LinkedIn profile is targeted primarily to entrepreneurs who might want financing from me.
(You’d be surprised at how many people simply use their current job title as the headline of their LinkedIn profile. This isn’t wrong per se. But ultimately the headline on your LinkedIn profile is the first thing many people will see about you in a professional context – so it’s an excellent place to choicefully craft your network identity. And your network identity is larger – or at least it should be larger -- than your current position and company affiliation.)
Another way to make yourself more findable by the kinds of people you want to be found by is to join the same LinkedIn groups that they’re participating in, or to follow relevant companies and individuals within the domain of your industry. Once you start thinking in terms of how the people you want to be found by might in fact find you – and tailoring your profile to maximize such potential discoveries – you have begun to think in a network-literate way.
Journeyman: Establishing a network identity
Once upon a time, we exercised unchecked authority over our identities, verbally air-brushing our resumes into highly idealized portraits of ourselves, carefully vetting the references we chose to vouch for us. In the Networked Age, however, we’re all visibly and enduringly enmeshed in networks – even the so-called “self-made man” is a highly annotated specimen, with readily apparent links to the colleagues, mentors, institutions, and other entities that have helped shape the contours of his identity.
Indeed, we’re all the sum of an ongoing conversation that we initiate and propel, but which colleagues, customers, and even competitors contribute to as well. And while we once relied upon the broad strokes of resumes to define us, now we’re often judged by far more granular, network-derived metrics of influence and authority: Who retweets our tweets? Who comments on our Medium posts? Who shows up on LinkedIn as a 1 degree connection?
In the Networked Age, your professional identity expands well beyond your job title and the company you work for. You’re not just “you” anymore. You’re also who you know, how they know you, what they know about you, who they know, and so on. At the Journeyman level, this way of thinking is becoming second nature to you. You understand that your identity is multivariate, distributed, and partially out of your control – your network helps shape your identity too.
Increasing your network literacy also means understanding other people’s network identities. Tell me the name of a person, and I’ll think of the network around them. I always see a person as part of a larger web of relationships. When I met Jeff Weiner, LinkedIn’s current CEO, I’d already had conversations with many of my own trusted colleagues about him. I had relationships with people that he had relationships with, and these strong points of network connectivity gave me a clear signal about Jeff and the kinds of people he trusted and valued most. I had a network portrait of him. And based on that portrait, I knew I wanted to build a strong relationship with him.
Master: Utilizing network intelligence
Spend five minutes watching your LinkedIn feed or Twitter timeline, and it’s clear that information proliferates even faster in the Networked Age than it did in the Information Age. Consequently, the ability to extract the right information at the right time is more crucial than ever. Search literacy is an important starting point, but in today’s high-velocity world, network literacy is increasingly crucial too.
In the Information Age, the New York Times, the Wall Street Journal, CNN, and eventually Google were typically people’s “first reads,” i.e., their default sources of new information and intelligence. Now, if you’re fully network-literate, your networks are your first reads – because you’ve consciously built up pipelines of people who reliably deliver information that is highly significant and relevant to you.
There is a whole “dark net” of critical-edge information that hasn’t made it into newspapers and blogs, information that exists only in people’s heads. In the past, such information was difficult to access for all but the best-connected and most persistent individuals. Now, it’s often just a few keystrokes away.
And if you’re fully network literate, you’ve taken the time to understand the information flows within any given network. You know who the news breakers are. You know the thought leaders, the critics, and skeptics within a particular domain. You’re familiar with their preferred sources and biases.
While platforms like LinkedIn, Facebook, and Twitter certainly qualify as information Costcos, one-stop shopping for data en masse, the quality of your connections – and the strength of the relationships you have with them -- generally matters more than the quantity. Ten extremely informed individuals who are happy to share what they know with you when you engage them can tell you a lot more than a thousand people you only know in the most superficial way.
But remember, using networks well is always a two-way street. People who exhibit the highest levels of network literacy know that the more relevant, high-quality information you share with others, the more such information you’re likely to receive. To be truly network literate is to always be thinking of how you can add value to the networks you’re a part of, and to make it a priority to turn connections into relationships, and relationships into alliances.
What Do You See When You Enter a Room?
These days, it’s not just Internet entrepreneurs who should see networks everywhere they look. When architects walk into a room, they should see networks. When psychologists walk into a room, they should see networks. In the Networked Age, we’re all like the little kid from The Sixth Sense. If you’re not seeing networks when you enter a room, you might want to check your pulse.
Learn how to support the development of network literacy inside your own company in my forthcoming book (with Ben Casnocha and Chris Yeh) titled The Alliance: Managing Talent in the Networked Age.

https://www.linkedin.com/today/post/article/20140604152945-1213-the-information-age-to-the-networked-age-are-you-network-literate


Wednesday, May 21, 2014

The Link Graph Conundrum: Why Citations Remain Critical to SEO Survival


enge-eric
It's a popularly held belief that the link graph is broken. This post will explore the roots of the problem, and why it is such a tough problem for Google and Bing to resolve.
[Image: The Link Graph Still Alive and Kicking]
It all starts with the original Larry Page - Sergey Brin thesis. At the time they were developing this concept, the leading search engines of the time were almost solely dependent on keyword analysis of the content on your page to determine rankings. Spammers had so thoroughly assaulted this model that change had become an imperative, lest the concept of a search engine go the way of the dinosaurs.
Here are a couple of key sentences at the beginning of the thesis:
The citation (link) graph of the web is an important resource that has largely gone unused in existing web search engines. We have created maps containing as many as 518 million of these hyperlinks, a significant sample of the total. These maps allow rapid calculation of a web page's "PageRank", an objective measure of its citation importance that corresponds well with people's subjective idea of importance. Because of this correspondence, PageRank is an excellent way to prioritize the results of web keyword searches.
The concept of a "citation" (bolding above was mine, for emphasis) is a critical one. To understand why, let's step away from the web and consider the example of an academic research paper, which might include citations that look like this:
[Image: Academic Citations]
Placement in this list is normally made by the writer of the paper to acknowledge major sources they referenced during the creation of their paper. If you did a study of all the papers on a given topic area, you could fairly easily identify the most important ones, because they would have the most citations (votes) by other papers.
Using a technique like the PageRank algorithm, you could build a citation graph where these "votes" are not all counted equally (e.g., if a paper has a lot of citations, the votes it gives would count for more than if it did not). And, just like the PageRank algorithm, you could apply the algorithm recursively to identify the most important papers. The reasons this works well in the academic citation environment are:
  1. Small Scale: The number of papers in a given academic space is reasonably finite. You might have hundreds, or thousands, of documents, not millions.
  2. No Incentive to Spam: You can't really buy a citation placement in an academic paper. If you were the author of a paper and had some illogical references in your citations, the perceived authority of your own paper would be negatively impacted.
  3. Small Communities: In a given area of academic research, all the major players know each other. Strange out of place behavior stands out in a way that it doesn't in an open chaotic environment like the web.
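The weighted, recursive vote counting described above, as an added example that is not from the original article or the Page-Brin thesis: a power-iteration PageRank over a constructed citation graph in which papers A and B each receive exactly one citation, A's from a heavily cited survey and B's from an uncited paper. The paper names, the graph and the damping factor of 0.85 are assumptions.

```python
def pagerank(cites, damping=0.85, tol=1e-12, max_iter=500):
    """Rank papers from a mapping {paper: [papers it cites]}.

    Each paper splits its own rank equally among the papers it cites,
    so a citation from a highly ranked paper is worth more. Papers that
    cite nothing spread their rank evenly over all papers.
    """
    papers = sorted(set(cites) | {q for outs in cites.values() for q in outs})
    n = len(papers)
    rank = {p: 1.0 / n for p in papers}
    for _ in range(max_iter):
        # Rank held by papers with no outgoing citations is redistributed.
        dangling = sum(rank[p] for p in papers if not cites.get(p))
        new = {p: (1.0 - damping) / n + damping * dangling / n for p in papers}
        for p, outs in cites.items():
            for q in outs:
                new[q] += damping * rank[p] / len(outs)
        delta = sum(abs(new[p] - rank[p]) for p in papers)
        rank = new
        if delta < tol:  # recursion has settled to a fixed point
            break
    return rank


def citation_counts(cites):
    """Plain vote count: how many papers cite each paper."""
    counts = {}
    for outs in cites.values():
        for q in outs:
            counts[q] = counts.get(q, 0) + 1
    return counts


# Constructed citation graph (paper -> papers it cites).
SAMPLE_CITES = {
    "s1": ["survey"],
    "s2": ["survey"],
    "s3": ["survey"],
    "s4": ["survey"],
    "survey": ["A"],   # a heavily cited paper cites A
    "o1": ["B"],       # an uncited paper cites B
    "A": [],
    "B": [],
}

if __name__ == "__main__":
    counts = citation_counts(SAMPLE_CITES)
    ranks = pagerank(SAMPLE_CITES)
    for paper in sorted(ranks, key=ranks.get, reverse=True):
        print(f"{paper:7} citations={counts.get(paper, 0)} rank={ranks[paper]:.4f}")
```

A and B tie on raw citation count, but A ranks well above B because its single vote comes from the survey.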

Citations and the Web

At the time of the Page-Brin thesis, the spammers of the world were attacking search engines using a variety of keyword stuffing techniques. Practical implementation of a link-based algorithm was a revelation, and it had a huge impact very quickly. The spammers of the world had not yet figured out how to assault the link based model.
As Google gained traction, this changed. Link buying and selling, large scale link swapping, blog and forum comment stuffing, and simply building huge sites and placing site-wide links on them were some of the many tactics that emerged.
Fast forward to 2014 and it appears that Google has partially won this battle. The reason we can say that they have partially won is that these days almost no one publishes articles in support of spammy link building tactics.
[Image: Unhappy Spammers]
In fact, the concept of link building itself has been replaced with content marketing, which the overwhelming majority of people position as being about building reputation and visibility. This has happened because Google has gotten good at detecting enough of the spammers out there that the risks of getting caught are quite high. No business with investors or employees can afford to invest in spammy techniques because the downside risks aren't acceptable.
On the other hand, if you spend enough time studying search results, you can easily find many examples of sites that use really bad link building practices ranking high in the search results for some terms. If you're playing by the rules and one of these people is outranking you, it can be infuriating.

Sources of the Problem

Why does this still happen? Part of the reason is that the web isn't at all like the world of academic papers. Here are some reasons why:
  1. Commercial Environment with High Stakes: Fortunes are made on the interwebs. People have a huge incentive to figure out how to rank higher in Google.
  2. Huge Scale: It was back in October/November 2012 that Google's Matt Cutts told me that Google knew about 100 trillion web pages. By now, that has to be more like 500 trillion.
  3. No Cohesive Community: The academic community would probably argue that they aren't as cohesive as one might think, but compared to the web there is a clear difference. There are all different types of people on the web, including those who are ignorant of SEO, those who have incorrect information on how it works, those who attempt to abuse SEO, and finally those who try to do it the right way.
  4. User-Generated Content (UGC): Blog comments, forum comments, reviews, and social media sites are all examples of UGC in action. While Google tries to screen all of this out, and most of these platforms use the rel="NoFollow" attribute, not all of them do. As a result, spammers implement algorithms to spew comments with rich anchor text references to their sites across the web.
  5. Advertising: The web is a commercial place. People sell advertising, and even if their intent is not to sell PageRank, many of them don't use nofollow attributes on the links and simply label the links as "Sponsored" or "Ads". Google is not always able to detect such labeling.
  6. Practical Anonymity: The chances of blowback if you link to a crappy site are much smaller than they are in the academic paper scenario. Because of the scale of the web, the advertising environment, and the structure of web content, a crappy link or two may just be seen as an ad, and the average visitor to a web page simply does not care.
  7. Complete Lack of Structure: Let's face it, the web is a chaotic place. The way sites are built, the way people interact with pages, the types of content, and the varying goals of such content lead to a web that has little real structure.
[Image: One Little Corner of the Web]

Why Haven't Google and Bing Fixed This?

Of course the search engines are trying to fix it. Don't pay any attention to anyone who suggests otherwise.
Google lives in terror of someone doing to them what they did to Altavista. A fundamentally better algorithm would represent a huge threat to their business. And, of course, Bing would love to be the one to find such a new algo.
The money at stake here is huge, and both search engines are investing heavily in trying to develop better algorithms. The size of the spoils? The current market cap of Google is $356 billion.
The reason why they haven't fixed it is because they haven't figured out how to yet. Social media signals aren't the answer either. Nor is measuring user interaction with the SERPs, or on the pages of your site. These things might help, but search engines would have already started weighting them quite a bit more than they have if they were the answer.

What Does This Mean To You?

Frankly, it's a tough environment. Here it is in a nutshell:
  1. Publishers that use crappy link building practices may outrank you on key terms, and they may stay there for a while.
  2. Google will continue to discover and punish bad tactics to the best of their ability, uneven though that may be. They do this well enough that any serious business just needs to stay away from such tactics (most likely that means you!).
  3. Search engines will keep looking for creative new ways to reduce their dependence on links. This will include more ways to use social media, user interaction signals, and other new concepts as well. However, Cutts says that links are here as a ranking factor for many more years.
  4. As search engines use more and more of these new signals we aren't going to get a roadmap as to what they are. Yes they patent new ideas all the time, but you won't know which patents they use, and which ones they don't. In addition, even when they use an idea from a published patent, the practical implementation of it will likely differ greatly from what you see in the patent.
[Image: Your Direction Might be Unclear]
It isn't an ideal situation. Your best course of action? Focus your efforts on building your reputation and visibility online outside of the search engines. Ultimately, you want to build your own loyal audience. Here are a few ideas for doing that:
  1. Organic social media: Just recognize that this opportunity may be transient too. As we have seen, Facebook is reducing organic visibility in order to drive revenue growth. For that reason, new emerging social platforms are particularly powerful opportunities to get visible, provided that you pick the right horse to ride.
  2. Earned Media (Guest Posting): Cutts may have signalled The Decay and Fall of Guest Blogging for SEO, but writing regular columns on the top web sites in your market is something you should strive to do anyway. Don't view it as an SEO activity; it's still a surefire way to build up reputation and visibility.
  3. Speaking at Conferences: This is a great technique as standing up in front of a room full of people and sharing your thoughts allows them to begin developing a connection with you.
  4. Writing Books or eBooks: Another traditional reputation builder, but a really good one. Don't underestimate the work in writing a book though. However hard you think it is, the reality is 4 to 10 times harder.
  5. Develop Relationships with Influential Media and Bloggers: Building meaningful relationships with other people that already have large audiences and adding value to their lives is always a good thing.
These activities will all give you alternative ways to build your reputation, visibility, and traffic. They also give you the best chance that your site will be sending out the types of signals that search engines want to discover and value anyway.
Ideally, your reputation will be so strong that Google's search results will be damaged in the event you aren't ranking for relevant terms, because searchers will be looking for you. You don't have to like the way the environment operates, but it's the environment we have. Complaining won't help you, so just go out and win anyway!