Friday, August 23, 2013

Being a Social Media Ambassador

This post is an excerpt and adaptation from a presentation I delivered at MINDEF's 11th CIO Seminar on 1 Aug 13. I am sharing it here for the rest of my MINDEF/SAF comrades (NSF, NSman, Regular or DXO), especially if you are proud to be a part of this organisation.

An ambassador is someone who acts as a representative of an organisation. It could be in a social setting, such as when someone talks about NS at a dinner gathering. Or it could be online, such as when a friend shares a link to an article about the SAF. All of us, as members of MINDEF/SAF, can be ambassadors of the organisation - if we choose to speak.

Why Organisations Need Ambassadors

In a social media environment, organisations have lost their voice. In the past, organisations spoke loudly because they were the ones who could pay for commercials and press coverage to publish their views. Today, anyone can write a blog and have it shared on Facebook or Twitter, the more controversial the better. And most of us have erected a personal message shield to help us cope with the overload of information. It works like this: all advertisements and official statements are lies! The mainstream media is a government mouthpiece. I only trust things that my friends say or share.
[Image: Ken Chow's mother would only believe what her brother says. An adaptation of the Personal Message Shield by Social@Ogilvy]

And so, just like that, MINDEF/SAF and most other large faceless organisations have lost their voice. Anything they say is met with cynicism and skepticism. When there is criticism online, accusations from any private individual, or even online tabloids like The Real Singapore, it is difficult for the organisation to respond. It is like fighting terrorists or an insurgency; you cannot ask Public Affairs to respond to every negative comment, or send an armoured battalion after every insurgent. And that is where we, as ambassadors, can step in. We can be the special forces.

But Won't I Get in Trouble?

However, most of us don't step in. In a recent survey I conducted over the MINDEF intranet, I asked respondents to complete the sentence, "If I see something negative about MINDEF/SAF Online …"

About 20% of respondents would act as ambassadors to clear the air, however 70% never thought to respond, or were afraid that they would get in trouble. The good news for us is that you won't get in trouble for defending the organisation. You may not even get in trouble if you criticise the organisation (more on this later). And in this, we are much more liberal than other government ministries and even many commercial companies. However, the important thing is to ensure you do not reveal any classified information. The detailed guidelines can be found in the MINDEF/SAF Social Media Code of Conduct available on eSILK.

5 Things Ambassadors Can Do

Being an ambassador doesn't mean you have to start a blog. You should really just be yourself, and depending on your comfort level, extend your personality online.

Just Be Yourself

When you hang out with friends, do you hide in the background, silently watching and listening? Not all of us are the life of the party, but most of us would chip in a comment here and there, and join in the laughter. However, I've noticed both through surveys as well as personal observations that MINDEF/SAF folks are very conservative online. Most of us are what I call silent cyber stalkers - we stalk our friends and leave no traces.

In my intranet survey, I found that almost half of MINDEF/SAF folks are silent stalkers. And only 10% post daily. But I personally believe the benefits of being active online far outweigh the risks, as long as you think before you post.
[Chart: How often do you post something on Facebook?]

Many leaders and commanders are finding social media to be an invaluable channel for engagement, especially for the current generations of NSF who are often more expressive online than in person. Online interactions can provide great openings for offline engagement - "I saw you were at The Killers over the weekend, how was the concert?" Often, Facebook statuses may also be the first indication that something is wrong, or that a soldier may be struggling with some personal issues and may need support.

Sometimes these casual online conversations can also yield unexpected results. One very fond memory I have occurred about a year after I handed over command of my battalion. One of my soldiers posted a company photo they had taken with me, as he was about to ORD. Of course I wished him well, and thanked him for his service, just as I would have done if I had seen him in person. I also complimented him on his positive attitude and energy - as a Singaporean who grew up overseas and returned for NS, I was always encouraged by his passion to do his best in NS. And when he mentioned that he would be returning to Canada after watching his younger brother enlist, I said I hoped his brother would have a similar positive attitude.

What made this memorable was when a third person joined the exchange - his mother - who thanked me for my kind words.

I like to think that through this simple interaction, I helped both the younger brother and the distant mother start NS on a positive note. We spend so much money and effort on family engagement, but perhaps these are the simple and sincere things that really make the difference; not necessarily the open houses and home visitation programmes (which this mother could never have participated in anyway).

So the next time you see something of interest on a friend's timeline, perhaps you should consider hitting the LIKE button or leaving a comment, if you don't already do so. Overcome the inhibitions against trying something new, but be yourself.

Correcting Untruths

Another basic act of being an ambassador is to correct untruths. If your friends said something factually wrong about the SAF over dinner, you would correct them right? So why not do it online as well?

For example, MoneySmart recently had an article titled "5 Benefits that National Service Should Have (But Doesn’t)". There are some tempting ideas on that list that I would love to have, but they are just impractical. But then there are also things on the list that we already have, and to say we do not is to do MINDEF a disservice. So it was great that several servicemen stepped forward to correct the factual errors, such as the example below.

Similarly, there have been other instances where false rumours go around about accidents or suicides. If you are on the scene and you know it isn't true, why not say so? Our responses matter, because typically the first 5 comments that any post receives will set the tone for the rest of the commenters. So if the first 5 people are venting and complaining, with no reasonable voices, the rest will follow too.

Sharing Stuff Online

Parties are great places to share a joke and make everyone laugh. Some of us are better at this than others, and it just takes a bit of practice to open up. Similarly, Facebook is a great place to share things that make us laugh, provide useful information or provoke thought. There is a lot of personal value to online sharing, but that deserves a blog post on its own, so here is a very short teaser. According to The Psychology of Sharing by the New York Times, some of the top reasons people choose to share information are:

Every now and then, you see a really heart-warming story on Facebook. National Service especially is a time when ordinary people do extraordinary things. When you see something like that, why not share it with your friends? There is also a Facebook page called for sharing such Singaporean defence-related items, which you may like to join. Remember, the value of this community is only as much as what people (like you) share on it!

[Image: The original status message, before SGAG turned it into a viral meme]

Sharing Experiences

Apart from just sharing things from others, a more pro-active approach is to share your own experiences online, especially for those in the units. Tell your friends what a great day you had, or something inspiring that happened at work!

Even better, include pictures (as long as they don't breach OpSec). The picture below is a great example of what 3 SIR has been doing to engage their soldiers over Facebook. After one of their exercises, they came up with "Core Value Awards" which the CO posted on his personal Facebook. The recipient is tagged, and the post includes a short write-up of what he did to deserve it. If I were 3SG Seck, I would feel so proud if my CO did this to say why he appreciated my efforts.

This is a great start, but with an understanding of how social media works, it could be even more effective to help the public understand NS. Firstly, this post is Friends-Only, which means only Wilson's friends can see it. If it was made public, all of 3SG Seck's friends and family could see it as well. Secondly, he only tagged 3SG Seck. If he had tagged the others in the photo, it would have appeared on their Facebook Timelines to their friends too. With these two simple actions, you could increase the reach of the photo by 100 times, sharing the commendable actions of 3SG Seck to inspire others, and show them what really goes on in NS. This is the side of NS we would like the public to see more of, not the self-serving venting that goes on in HardwareZone or Temasek Review.

Sharing Opinions

Occasionally an issue comes along that you are so passionate about that you want to tell all your friends about it, and hope that they will share your views. The online equivalent would be a blog, or for those who don't want to maintain a blog, a Facebook Note or even a Photo/Status Update would suffice. This takes a little more work, but if the issue matters to you, why not? For example, I really enjoyed a sharing by 3SG Benjamin Wong on Being an Instructor in the Military Police - it helps you appreciate the professionalism and dedication that our NSF have. And who can forget In Polite and Vehement Objection to 'Singaporeans Too Weak? LOL' - only someone with ground experience could write with such passion and authority.

Ambassadors are Not Yes-Men

I think it's important to stress that ambassadors are not cheerleaders or Yes-Men for the organisation. We should share what we believe in, not blindly trumpet positive messages. If we do that, we simply damage our own credibility as thinking individuals.

While I am proud to be a member of MINDEF/SAF, that does not necessarily mean I agree with everything it does. Expressing dissenting views is a grey area, but I believe there is a space for such constructive discussion, and I think it is positive for the organisation as well. So I cannot share clear guidelines on this, but I can share some personal examples which have not gotten me in any trouble.

A few months ago, a friend publicly posted on my Facebook timeline asking why MINDEF wouldn't let NSmen bring in phones with screens larger than 4.3". I was pretty blunt, "I think it's dumb too".

My friends all know that I take a very dim view of the way we manage our IT Security, which I believe will hurt the organisation in the long run. I think MINDEF is overly conservative, and I have expressed this openly to leadership at the highest levels. I have also shared my opinions online, so others can consider and build on the arguments. In fact, more than a year ago I wrote a Facebook Note (before I started my blog) titled "IT Security Policies I Don't Understand". Among other things, I question the logic behind restricting devices to 4.3" screens, and requiring cameras to be removed by the Telco. I think such incomprehensible policies will eventually translate into lower engagement and losing good people. You can access the link above if you are my friend and an SAF regular (yes, Facebook lets you do that).

Similarly, I am not shy to share my view that NS in its current form will not survive the changes our society is undergoing. In 2009, my essay "NS 2065: NS By Invitation Only" won the COA Essay Competition, but POINTER declined to publish it. (I was told in private that it was the most polarising article the editorial committee had ever discussed.) So in early 2013, I decided to put that essay on my blog as well, to spread awareness of the issues.

I don't have clear guidelines, but my advice for anyone considering this is to be polite, objective, and be sure that you are writing with the right intentions (e.g. not for personal venting but rather to improve the organisation).

Where Do You Start?

If you've read this far, I hope it means you have found this interesting, thought-provoking, maybe even a little contentious. If you have always been a silent stalker, and you see the value in being more active, why not start here? Leave a comment below! Disagree with me? Leave a comment below! You can also use the icons below to SHARE it on Facebook or other social networks.

Sunday, August 11, 2013

3 Ways to Remember Strong Passwords

This post has been updated (17 Aug 13) based on lots of useful feedback received from my Facebook friends.

The Irony of Strong Passwords

Passwords are the bane of my online existence. Every time I see a screen like this, my opinion of the policy maker behind the system drops a few notches. And it gets worse if the cycle repeats itself every month. Allow me to rant a bit and try to educate these administrators, before I get to the solutions.

People are not good at remembering strings of letters, numbers and funny characters. What happens is that if you impose such requirements on them, they will resort to writing it down. And the likelihood is that they will paste it beside their computer. How is that supposed to make the system more secure? I've been a system administrator before ... and when we generated super duper passwords for all our users to comply with the guidelines imposed, that is exactly what happened.

In my mind, there are a few characteristics of strong passwords:
  1. They are easy to remember
  2. They are long
  3. They are not composed of words in a dictionary
None of those requires the mix of upper and lower case, or the funny characters. Beyond a certain point, you are just increasing the likelihood that the user will open up some other security loophole such as writing it down and sticking it on his monitor. Or that you will be flooded with password change requests that just annoy everyone involved.

The problem, I have come to realise, is that we users and the system administrators are trying to manage two different kinds of security risk. The system administrator is trying to prevent the embarrassing scenario where someone breaks into their system and steals the database of user information, such as when hackers accessed the passwords and credit card data of up to 100 million Sony PlayStation users. Needless to say, this is extremely embarrassing and expensive for the system owner. Since this data is encrypted in their system, they want to make the passwords as difficult to crack as possible; hence the minimum length, special characters, and upper and lower case letters, all of which increase the number of possible permutations and the amount of time needed to crack each password. Qin Chuan shared a great article from Ars Technica that explains a little more about how such hackers work.

On the other hand, users are more concerned with preventing their password from falling into the hands of people around them. Which is why ideally you want a password that you can remember, rather than write down. Because most logins are protected by 3 attempts anyway, so someone accessing your terminal can't sit there and try a few million different possible password permutations. 

Unfortunately, the system owners set the rules, and the users have to work around them. And frankly, it's not a problem for the system owner if one or two individual accounts are broken into. So they will guard against the threat to them, and we have to solve the problems they create for us.

3 Ways to Remember Strong Passwords

Method 1: Patterns

The method I use today is to draw patterns on the keyboard. This is not a common method. In fact I learned it from my sister, and I have yet to find anyone else who uses it. But I find it works the best.

For example, let's say I choose the shape of the letter "N".
I can start with the password "aq12wsde3".

For systems that are really picky and require upper case letters and special characters, I can hold down the shift key for the middle three characters. This gives me "aq1@WSde3".
The beauty of this is that you just need to remember the starting letter and shape, which can be any pattern of your choosing. If you need to change your password every month, just move across the keyboard to "sw2#EDfr4".

Victor has since pointed out to me that this type of password, while easy to use, can also be quite vulnerable to dictionary attacks, since there aren't that many memorable patterns on the keyboard. So it goes back to which type of security risk you are most concerned about.

Method 2: Phrases

A much more common way to generate a strong password is to turn a memorable phrase into the password. This is the official strategy recommended by Microsoft as well as my own employer. I find it much easier to use the lyrics of a song. For one line of the song, you just take the first letter of each word and mash them together.

For example, let's take "Goodbye" by Air Supply.
I can see the pain living in your eyes
And I know how hard you try
You deserve to have so much more
I can feel your heart and I sympathize
And I'll never criticize all you've ever meant to my life
"I can see the pain living in your eyes" becomes "Icstpliye" which is 9 characters. You can add a digit for good measure: Icstpliye1. For systems that require repeated new passwords, you can either increment the number, or move on to the next line of the song. That would be a password acceptable on most systems, except those that require special characters. For those, you could substitute a special character, for example "|" for "l" gives "Icstp|iye".

The problem with this last substitution is that it is not intuitive. The next time you come back, you might remember the phrase, but you might try substituting the "|" for "i" instead of "l". Next thing you know, you are asking for your password to be reset again. And that's why I think systems that require these special characters are idiots. It sounds like a good idea, but in effect you are making things less secure and less user-friendly.

Another great suggestion from David is to use bible verses. So for example
Psalm 23:1 - The Lord is my shepherd; I shall not want
becomes "P23:1-TLims;Isnw"

That's a great password because it is pretty long and has all kinds of characters in it. According to Gibson Research Corporation's calculator (thanks Wayne!), it would take at least a few million centuries to crack this one. Of course, you need to make sure you are consistent with the capitalisation and punctuation. But I would say that this is the overall best solution against both types of security risks.
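To put numbers on the two methods above (Victor's point that keyboard patterns are few, and the Gibson-style search-space estimate for the phrase passwords), here is an added example in Python; it is not code from the original post or from any of the tools mentioned. It assumes a US QWERTY layout modelled as a 4-row grid where "adjacent" means at most one key away in row and column (an approximation of the real stagger), and the guess rate GUESSES_PER_SECOND is a constructed figure for illustration only. The example goes a little beyond the post by counting every possible 9-key keyboard walk, which shows why a pattern password occupies only a tiny corner of the space a password policy assumes.

```python
"""Added example: quantify the post's password methods on its own samples.

Assumptions (also stated in the lead-in): a US QWERTY grid approximation for
key adjacency, and a constructed attacker guess rate for the time estimate.
"""
import string

# --- Method 2: first letter of each word, keeping trailing punctuation ------

def phrase_to_password(phrase, prefix="", suffix=""):
    """Turn a memorable line into a password the way the post does: the first
    character of every word, keeping punctuation that trails the word (so
    "shepherd;" contributes "s;"), plus an optional prefix such as a verse
    reference or a suffix such as a digit."""
    parts = []
    for word in phrase.split():
        core = word.rstrip(string.punctuation)
        if not core:
            continue  # a lone dash or similar contributes nothing
        parts.append(core[0] + word[len(core):])
    return prefix + "".join(parts) + suffix

# --- Search space an offline brute-force attacker must cover ----------------

CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "symbol": set(string.punctuation),     # 32
}

def search_space(password):
    """alphabet ** length, with the alphabet being the union of the character
    classes that actually appear. Length is the exponent, extra classes only
    enlarge the base, which is the post's point about length versus symbols."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)

GUESSES_PER_SECOND = 10 ** 10  # constructed figure for an offline attack

def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string in the search space."""
    return search_space(password) / rate / (365 * 24 * 3600)

# --- Method 1: keyboard walks, and why their space is so much smaller -------

QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFT = "~`!1@2#3$4%5^6&7*8(9)0_-+={[}]|\\:;\"'<,>.?/"  # shifted, unshifted pairs
UNSHIFT = {_SHIFT[i]: _SHIFT[i + 1] for i in range(0, len(_SHIFT), 2)}
POS = {key: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, key in enumerate(row)}

def _base_key(ch):
    """Map a typed character to its physical key: 'W' -> 'w', '@' -> '2'."""
    ch = ch.lower()
    return UNSHIFT.get(ch, ch)

def _adjacent(a, b):
    """Grid approximation: neighbouring row and/or column, never the same key."""
    (ra, ca), (rb, cb) = POS[a], POS[b]
    return a != b and abs(ra - rb) <= 1 and abs(ca - cb) <= 1

NEIGHBOURS = {k: [n for n in POS if _adjacent(k, n)] for k in POS}

def is_keyboard_walk(password):
    """True if every consecutive pair of characters sits on adjacent keys,
    i.e. the password traces a shape on the keyboard like the post's "N"."""
    keys = [_base_key(c) for c in password]
    if len(keys) < 2 or any(k not in POS for k in keys):
        return False
    return all(_adjacent(a, b) for a, b in zip(keys, keys[1:]))

def count_keyboard_walks(length):
    """Number of key sequences of this length where each step moves to an
    adjacent key (shift state ignored), counted by dynamic programming."""
    counts = {k: 1 for k in POS}
    for _ in range(length - 1):
        counts = {k: sum(counts[n] for n in NEIGHBOURS[k]) for k in POS}
    return sum(counts.values())

if __name__ == "__main__":
    for pw in ["aq12wsde3", "aq1@WSde3", "Icstpliye1", "P23:1-TLims;Isnw"]:
        print(f"{pw:18} walk={is_keyboard_walk(pw)!s:5} "
              f"space~2^{search_space(pw).bit_length() - 1:<3} "
              f"years={years_to_exhaust(pw):.3g}")
    walks = count_keyboard_walks(9) * 2 ** 9  # each key typed shifted or not
    print(f"9-key walks incl. shift choices ~2^{walks.bit_length() - 1}, "
          f"vs 2^{search_space('aq1@WSde3').bit_length() - 1} the policy assumes")
```

The `is_keyboard_walk` check is the kind of rule a password-policy filter (rather than a character-class requirement) would apply to reject "aq1@WSde3" despite its mixed case and symbol, and `count_keyboard_walks` shows that even with every shift combination the walk space is a small fraction of the 36^9 that a lower-case-plus-digit brute force would have to cover; the Psalm-style phrase, by contrast, gets its strength from length.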

Method 3: Apps

If all else fails, rather than writing your password down on paper, you can store it in a Password Manager App. There are both free and paid variants; all of them will use a master password to encrypt the rest of your passwords. Some of them allow you to sync across multiple devices through the cloud.

I've been using the open-source KeePass for almost ten years, and it has followed me across a variety of operating systems from PalmOS to Windows Mobile and currently Android. No complaints so far. The folks at LifeHacker are big fans of LastPass. There are plenty of options, so pick one that suits your needs best.

Moving On To ... Password Reset Questions

Clueless Password Reset Questions

If there is one thing worse than a ridiculous password policy, it is ridiculous password reset questions. Let's recap the purpose of such questions: it should prompt you to enter some uniquely identifiable detail of your life, so that the system will send you your new password.

There are some really dumb password reset questions out there...

What was the first school you attended?
And I can never remember if it is "Nanyang Primary School", "Nanyang Primary" or "NYPS". Or maybe I should put in my kindergarten. Hmm...
What is your favourite food?
That is the dumbest question to ask a Singaporean. It is KFC, black pepper crab, (Hainanese) chicken rice, unagi sushi, etc etc all at once! Which answer should I key in?
What is your mother's maiden name?
Ok, there is only one answer to this. But if someone was trying to hack my account, I don't think this would be that difficult for them to find out.

And then there is HSBC ...

Faced with options like this, I just want to skip the whole process. Because I know that if I ever forget the password, I'm definitely not going to remember which was the cartoon character or wild animal I used as a reminder.

The Best Password Reset Questions

The best password reset questions have only one answer, which only you should know. Whenever the option is presented, I will set my own question. Because I grew up in a generation without mobile phones, one fail-proof tactic I have devised is to use the old phone numbers of my childhood friends. These are numbers that are ingrained in my brain, but you couldn't find in any telephone book today. For example, "What do you call Jonathan?" would be my clue to myself that I want Jonathan's old telephone number, without giving away to any would-be hacker that he should use a brute-force attack of digits to crack the hint.

If you don't have phone numbers in your brain, you might consider the license plate number of an old car, or anything else that has only one way of writing it.

Apart from my own personal experience as a user, my perspective on this is drawn from my past work as a network systems administrator and as a Certified Ethical Hacker.