Creating a private website with WordPress

When we became parents in 2015, Kelly and I talked about where and how we wanted to share the initial photos and stories of that experience with a small group of our family and friends. In case you haven't noticed, I feel pretty strongly about the principle of owning our digital homes. So I felt resistance to throwing everything up on Facebook in hopes that we'd always be able to make their evolving privacy and sharing settings and policies work for us, while also trusting that every single Facebook friend would honor our wishes about re-sharing that information.

I took some time to explore tools available for creating a private website that would be relatively easy for our users to access, relatively easy to maintain, and still limited in how accessible the content would be to the wider world. (I tend to assume that all information connected to the Internet will eventually become public, so I try to avoid ever thinking in terms of absolute privacy when it comes to websites of any kind.)

I thought about using WordPress.com, which offers the ability to quickly create a site that is private and viewable only by invited users while maintaining full ownership and control of the content. I passed on this idea in part because it didn't allow quite the level of feature customization that I wanted, and partly because it's a service of my employer, Automattic. While I fully trust my colleagues to be careful and sensitive to semi-private info stored there, it felt a little strange to think of creating something a bit vulnerable and intended for a small group of people within that context. I would still highly recommend the WordPress.com option for anyone looking for a simple, free/low-cost solution to get started.

Here are the WordPress tools I ended up using, with a few notes on my customizations:

Basic WordPress Configuration

For the basic WordPress installation and configuration, I made the following setup choices:

  • I put the site on a private, dedicated server so that I had control over the management and maintenance of the site software (as opposed to a shared server where my content, files or database may be accessible to others).
  • I used a Let's Encrypt SSL certificate and forced all traffic to the SSL version of the site, to ensure all communication and access would be encrypted.
  • I set up a child theme of a default WordPress theme so I could add a few customizations that would survive future parent theme updates.
  • I set "Membership" so that "Anyone can register" in the role of Subscriber (see more below on why this is okay).
  • For Search Engine Visibility I set "Discourage search engines from indexing this site".
  • For discussion I set "

Continue reading Creating a private website with WordPress

Cloud email, contacts & calendars without Google

Tricky situationI like Google and a lot of the things it does in the world. When people ask me what free mail, calendaring and contact syncing tools they should use, I usually include Google's services in my answer. But I always explain that they're trading some privacy and ownership of their information for the "free" part of that deal. "You're the product, not the customer" and all that.

For me, I've always tried to avoid having my own data and online activities become the product in someone else's business model. There are plenty of places where I can't or don't do that, and I mostly make those tradeoffs willingly. But so far, I've been able to avoid using Google (and Apple and Microsoft) for managing my personal email, calendaring and contact syncing.

Here's how.

Continue reading Cloud email, contacts & calendars without Google

Chrome extensions to manage online privacy

Privacy

There are a couple of extensions for Chrome that I've been using for a while now to try to maintain or improve my privacy online. Some have been helpful, others haven't. Some mini-reviews:

Terms of Service, Didn't Read

Most every modern website has a "Terms of Service" that governs your interactions with it. The document usually lays out how and when the site will use any data it collects about you - helpful, right? The document is also usually many pages long and would potentially take hours to fully absorb and understand. Terms of Service, Didn't Read is an extension that tries to give you a high-level view of the Terms of Service of the site you're on, based on their team's reading and interpretation of those documents on your behalf. If there are particular concerns related to privacy and personal data use, the extension will flag that when you arrive.

I used this extension for several months, finding it interesting at first to see how the sites I visited regularly measured up to TOSDR's evaluation. But after the initial curiosity wore off, I realized that for the most part, the information here wasn't changing my behavior. If TOSDR flagged something like "The copyright license is broader than necessary" or "This service tracks you on other websites," I'd still have to do some more digging to figure out exactly what that meant, and whether or not I was comfortable with it. So, the information provided by TOSDR is helpful, but not always conveniently actionable when it comes to protecting privacy. (There's a theme in all this: protecting privacy is rarely convenient.)

Continue reading Chrome extensions to manage online privacy

How I stay current with tech

Deloreans on paradeI'm continuing my series of posts about how I do or have done certain things in my business/tech career, and it has been helpful for me to write out my responses to these questions in a way I can point other people to. I'm honored to get requests from friends and colleagues now and then to talk with their students, children and co-workers who have an interest in developing tech skills, going into business and related topics.

One of the most common questions I've gotten is how I stay on top of current trends and tools in information and Internet technology.

Of course, the answer to that has changed a lot over the last 10-15 years. It used to be that one actually did have a hope of being on top of most of the major breakthroughs, news and trends happening with the Internet and related industries, if you were willing to spend the time on it.

Today there are legions of news sites, social media feeds, conferences and other cottage industries devoted to covering technology trends, news and breakthroughs that seem to barely scratch the surface, and trying to keep up with them would be more than a full time job. So whatever your area of focus or interest, you surely have to do some picking, choosing and compromising, and even then you'll probably miss out on some relevant or even important stuff. A lot of my own approach is focused on keeping up on trends related to website development and online publishing, software development for the web, network architecture and security, encryption and privacy issues, and "life hacks" that make me more productive.

Continue reading How I stay current with tech

Use the cloud, keep control of your data

Balloons in the Rose GardenAfter ranting recently about the choices we make to give "big data" companies access to our private information in ways that might be abused or exploited by government eavesdroppers, I thought it would be worth sharing some of the options I've found for using "the cloud" while also retaining a reasonable level of control over access to the data stored there.

This post has information about tools and software you can deploy yourself to approximate some of the functionality that third party services might provide, but that might also make you vulnerable to privacy and security vulnerabilities.  It's based on my experiences designing and implementing solutions for my own company, so it's mostly applicable to the interests of businesses and organizations, but may also be useful for personal projects.

A few important disclaimers: any time you make your personal or corporate data available on Internet-connected devices, you're creating a potential privacy and security vulnerability; if you need to keep something truly protected from unauthorized access, think hard first about whether it belongs online at all.  Also, the tools and services I'm listing here are harder to setup and configure than just signing up for one of the more well-known third party services, and may require ongoing maintenance and updates that take time and specialized knowledge.  In some cases, it requires advanced technical skills to deploy these tools at all, which is the reason most people don't or can't go this route.  Hosting and maintaining your own tools can often have a higher initial and/or ongoing cost, depending on what financial value you assign to data privacy.  Sometimes the privacy and security tradeoffs that come with using a third-party service are well worth it.

Still interested in options for using the cloud without giving up control over your data?  Read on.

Email and Calendar Sharing

Need a powerful, free email account?  Need robust calendar management and sharing capabilities? Everybody uses Gmail and Google Calendar, so just sign up for an account there, right?  Unless you don't want Google having access to all of your email communications and usage patterns, and potentially sharing that information with advertisers, government agencies or other entities.

Continue reading Use the cloud, keep control of your data

1Password alleviates the horrors of password management

1PMainWindowI come to you today a recovering password management hypocrite.

I have over 190 accounts and logins for which a password or PIN is a part of my access: website tools, online banking, social media, email, internal company tools at Summersault, and so on.  I used to pretend that I was maintaining the security of these accounts by having a reasonably strong set of passwords that I re-used across multiple sites, sometimes with variations that I thought made them less likely to be broken into if someone did happen to compromise one of my accounts.

But as I prepared to give a talk in December about email privacy and security issues, and really stepped back to look at my own password management scheme, I realized just how much pretending I'd been doing, and just how vulnerable I was making myself to the increasingly well-equipped and highly-automated attempts at compromising accounts, stealing identities and stealing funds that are being launched every day.  I went and tested some of my passwords at the Password Strength Checker, and I was ashamed.   The potential impact of this really hit home as I read Mat Honan's personal tale of woe and his follow-up piece Kill the Password in Wired magazine.  Add in Passwords Under Assault from ArsTechnica and you'll be shaking in your boots.

So I decided that I was not going to be that guy who goes around telling people about how vulnerable they are with their simplistic password schemes while quietly living a lie in my own password management scheme.  I might still be hacked some day, but I would not be found giving some teary-eyed interview to Oprah where I whined about how the pressure of the 190 accounts to manage just got to be too much and how I knew using a simple dictionary word plus a series of sequential numbers was wrong but I still didn't do the right thing.

That's when I found 1Password from AgileBits, a password management tool that alleviates the horrors of password management.

Continue reading 1Password alleviates the horrors of password management

Replacing Notifo with Pushover

Two years ago I compared Notifo and Prowl as tools for sending custom push notifications to your mobile devices.  I ended up relying on Notifo quite a bit to send me mobile alerts about certain kinds of events that I might not otherwise notice right away - email messages from certain people, some kinds of calls or voicemails at my office, certain messages meant for me in the office chat room, etc.

(You might think all that alerting would get obnoxious, but having these notifications sent to me according to my preferences has meant I'm less likely to obsessively check email or other digital inboxes for something important I might be missing.  The good/important stuff gets to me fast, the rest waits for me to view it at my convenience.)

In September 2011, the creator of Notifo announced that he would be shutting down the service.  It's continued to mostly work since then without his intervention (a testament to the self-sufficient nature of what he created), but in the last few weeks I've seen increasing errors or delays in getting messages through, so I went in search of alternatives to Notifo.

Today I found Pushover, a really simple but elegantly done service that offers all the features I want.

Continue reading Replacing Notifo with Pushover