Why Can't Girl Scouts Be Digital Cookie Pushers?
As Girl Scout Cookie season approaches, the age-old conversation around parental involvement in cookie sales is rearing its head. However, the Atlanta Journal-Constitution outlines a new twist – are kids allowed to push Samoas on the internet?
While marketing cookies using email is okay, the leadership of the Scouts has put the kibosh on other online initiatives, hoping to encourage a return to knocking on wood.
In an effort to boost door-to-door sales, the Girl Scouts of Greater Atlanta is offering new incentives including a specific “Walkabout” patch (featuring a girl taking strides), according to Sarnethia Wilkinson, product sales marketing representative for Girl Scouts Greater Atlanta cookie program. The patch will be given to girls who participate in chaperoned door-to-door sales in early March (or troops can select a different date to do a Walkabout).
It used to be against the rules to send e-mail cookie pitches, but the Girl Scouts reconsidered because technology and e-mail are such a part of the girls' lives, according to Wilkinson. Meanwhile, Internet sales, such as setting up a payment account or creating a Web site to sell the cookies, is strictly prohibited.
Why can't the girls set up their own e-commerce sites? I can completely understand the drive to have girls out and interacting with their communities, instead of passively sitting behind a computer screen and fulfilling orders. However, since the cookie program is about teaching girls life skills, wouldn't website management, maintenance, order fulfillment, and digital marketing all be a vital part of today's skill set? There are lots of ways to make it work – maybe there's a master troop website, or a maximum web allotment (where each girl receives a portion of the web sales, and has to do the rest through more direct sales methods.)
Perhaps the Girl Scouts organization is reluctant to allow online sales because they already beat the kids to the punch:
In ye olden days, a Girl Scout used to come knocking on every door in the neighborhood offering up Thin Mints and Trefoils. Then came the world of two working parents, pedophiles hiding behind doors and a crappy economy. Kids just don't go door-to-door anymore. But that doesn't mean we don't crave minty chocolatey goodness.
So the Girl Scouts have set up a site for you to indulge your inner blue monster – Find Cookies Now connects you with your local Girl Scout Council via zip code.
But providing a cookie connection does not preclude other online sales techniques or strategies. While there is a Cookie Biz badge to reward girls who are willing to do things like create infomercials for Thin Mints, most of the badges related to internet savvy are way too basic, particularly when dealing with older Scouts. It's considered normal for teenage boys to launch web companies in their basements or in their first few years of college, but the GS leaders seem to think teen girls only use the computer for email – even as casual gaming (which girls disproportionately participate in) is becoming a larger industry, and social networking can provide thousands of innovative ways to sell and draw awareness to the cookie drive. If 32% of teen girls have enough web-savvy to build their own sites, clearly, there's a hell of a lot of untapped potential around leveraging technology to benefit the Scouts beyond email-based instruction.
Pushing Girl Scouts to push doorbells [Atlanta Journal-Constitution]
Online Tool Guarantees Girl Scout Cookies Without the Girl
Cookie Biz Badge [Girl Scouts]
Computers in Everyday Life [Girl Scouts]
Girls rule the internet [Napa Valley Register]
Send an email to Latoya, the author of this post, at latoya@racialicious.com.
Why don't you clam up and do something already?
On Sunday, I asked the question “Should you dump Internet Explorer, NOW?” and quickly offered yes as the answer for all versions of the browser. Reaction to the post surprised me. As I write, there are more than 155 comments. Clearly, IE is a sensitive topic with readers — and also with Microsoft, which has once again taken a “security by PR” approach to the problem rather than offering a real solution.
I first started talking about Microsoft's “security by PR” strategy more than five years ago. Rather than manage the problem — a current zero-day threat affecting Internet Explorer 6, 7 and 8 — Microsoft is trying to manage the reaction. That simply is the wrong approach to quality customer service or instilling users with confidence about using the Web browser.
Quick recap: On January 12, Google disclosed security breaches, affecting more than 20 companies, that were traced back to China. Two days later, McAfee pegged a previously publicly unknown Internet Explorer exploit as one of the mechanisms used in the attacks, which the security software firm dubbed “Operation Aurora.” On January 15, McAfee and Microsoft reported that code for the zero-day exploit was in the wild, potentially putting millions of Windows PCs at risk. Meanwhile, the French and German governments recommended that their citizens switch — at least temporarily — to another browser.
Microsoft's security by PR reaction to the exploit is the problem. Quickly summarized before I more thoroughly explain:
- Microsoft used the Aurora exploit as a marketing tactic, recommending that customers switch from IE6 and Windows XP; what timing with IE8 and Windows 7 as newer available products.
- Early, cleverly worded blogs or statements made it seem like only IE6 is vulnerable to the Aurora exploit, when newer Microsoft browsers are exploitable, too.
- Microsoft tried to diminish the risk by asserting that the Aurora exploit had only affected businesses, which is absurd considering how much more they have to lose than consumers.
- Over the U.S. holiday weekend, Microsoft posted new blogs and videos that offered “duck and cover” fixes. Meanwhile some executives defended IE by blaming other Web browsers.
Security by PR
Marketing Tactic. In a January 15 post warning about Aurora becoming a real zero-day exploit, Microsoft “recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP [Data Execution Protection]. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows.” The post also recommended that IE users disable JavaScript.
In comments to my “Dump IE?” post, AnthonySPT defended Microsoft: “How many more years should Microsoft support IE6, when they have released several new replacement versions?” That's a good question. According to Net Applications, IE6 usage share was 20.99 percent in December — or about the same as IE8 (20.88 percent).
Commenter bourgeoisdude responded: “As they will support Windows XP through 2014 (extended support), and XP came with IE6 installed, they will have to support it that long, unfortunately. Yeah, it sucks.”
I, too, find it strange that so many businesses continue using IE6. Based on my conversations with IT staff at companies doing so, legacy dependency, most often some ActiveX controls, is usually the reason. How's that for irony, given how much ActiveX has been an attack vector for IE exploits and how much Microsoft tried to diminish the plug-in architecture's usage in versions 7 and 8? Microsoft and its customers still pay for past security sins.
Blaming IE6. Microsoft could possibly justify blaming IE6 if only that browser were vulnerable. The wording of blog posts, different versions of security advisory 979352 and videos about the exploit sure seem to lay all the blame on IE6. From a January 14 blog post: “Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time.” Restated in yet another Microsoft security blog post, yesterday: “As we've previously reported, attacks remain targeted to a very limited number of corporations and are only effective against Internet Explorer 6.”
But the 979352 security bulletin lists in section “affected software” IE7 and IE8 running on Windows XP, Vista, 7, Windows Server 2003 and 2008. Meanwhile, over the weekend, security researchers reported the Aurora exploit running in IE7 on Windows Vista. Microsoft's response: Hunker down behind IE8. From yesterday's blog post:
We have not seen successful attacks on Internet Explorer 8. We continue to recommend customers upgrade to Internet Explorer 8 to benefit from the improved security protection it offers. Additionally at this time, we have not seen any successful attacks against Internet Explorer 7. However, earlier today, we were made aware of reports that researchers have developed Proof-of-Concept (PoC) code that exploits this vulnerability on Internet Explorer 7 on Windows XP and Windows Vista. We are actively investigating, but cannot confirm, these claims.
Only businesses affected. In one of the two videos accompanying the aforementioned blog post from yesterday, Jerry Bryant, Microsoft's senior security communications manager, says: “These attacks are not widespread. We have not seen any focused on consumers. In fact, it's only been a very limited number of corporations that have been targeted.”
He downplays the Aurora exploit's severity by saying only a small number of corporations are affected. At first glance, this seemingly smart PR spin is anything but. The majority of Microsoft customers are businesses, which have much more to lose if exploited than consumers. If, for example, criminals steal 1 million social security numbers from a single company, the damage is more far-reaching than exploitation of even a few thousand consumer PCs. How would Microsoft executives react if someone stole the source code to Windows 7 or the designs for Natal?
Duck and cover. Besides emphasizing IE6 blame and diminishing IE7 and IE8 risk, Microsoft retreated to its security technology of greatest strength: DEP. The company was right to tell IE7 users to turn on DEP, which is on by default in IE8 (in most, but not all, circumstances). In comments to my earlier post, there has been fierce debate about the effectiveness of DEP as a security deterrent.
Yesterday, security researcher Dai Zovi generated buzz with a tweet: “And now my Aurora exploit works on IE7 on Vista as well as IE6, IE7 on XP. Remember kids, DEP is useless if the app doesn't opt in.” In a very good blog explaining the effectiveness and limitations of DEP, Larry Seltzer writes about the tweet: “Dai Zovi is not a black hat and hasn't released his exploit, so don't expect this work to end up hacking innocents any time soon. But this does prove that the IE7 port isn't all that hard. The bad guy versions may be done already.”
According to Net Applications, IE 7 usage share is only 15.53 percent, even less than Internet Explorer 6. The question: What about IE8? According to a Security Dark Reading post by Kelly Jackson Higgins early this afternoon: “Chaouki Bekrar, CETO of VUPEN Security, says his team was able to bypass DEP on IE8 and execute arbitrary code.”
I will praise Microsoft for telling customers to turn on DEP, but the larger PR maneuverings diminish the guidance. Microsoft should have stepped up sooner with a promise to fix the problem. By the way, whether or not that fix is made available for IE8 and Windows 7 will demonstrate whether there was more risk than Microsoft's talk.
Microsoft finally responds
While I was writing this post, Microsoft acknowledged in another blog post that an out-of-band security patch would be coming for the Aurora exploit.
But the reasons are bad and themselves reveal how much Microsoft is stepping up because of public relations. George Stathakopoulos, GM of Microsoft Trustworthy Computing Security, writes: “Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.”
Translation:
- “The significant level of attention this issue has generated” (Microsoft is trying to fix a huge public relations problem).
- “Confusion about what customers can do to protect themselves” (Microsoft cannot control the PR information).
- “The escalating threat environment” (Microsoft has stopped denying — at least to itself — that there is a real problem that will get worse).
Microsoft also didn't give a timeframe for releasing the fix, but presumably it would come before the next Security Tuesday in February.
Wrapping up, two clarifications are in order. I am not asserting in this post that Internet Explorer is any more or less secure than any other browser. My purpose here is only to assess Microsoft's mishandling of the messaging by making security by PR the priority. Additionally, my January 17 “Dump IE?” post was written to stir up discussion about the exploit, particularly assertions by Microsoft and some bloggers that Internet Explorer users upgrade from IE6. I took the more extreme position to generate debate, because I see it as a highly effective tool for resolving problems. Likewise, this post is intended to stir up debate about IE security and how Microsoft publicly handles it.
