

Changes to the Blog - anu_gupta
http://www.schneier.com/blog/archives/2013/03/changes_to_the.html

======
modernerd
Is there anything wrong with linking to the share pages directly to avoid the
JavaScript buttons altogether? e.g.

Facebook:
[https://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fex...](https://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fexample.com)

Twitter:
[https://twitter.com/intent/tweet?text=My+tweet+http%3A%2F%2F...](https://twitter.com/intent/tweet?text=My+tweet+http%3A%2F%2Fexample.com)

Google+: <https://plus.google.com/share?url=http%3A%2F%2Fexample.com>

LinkedIn:
[http://www.linkedin.com/shareArticle?mini=true&url=http:...](http://www.linkedin.com/shareArticle?mini=true&url=http://example.com)
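
The static-link approach described in the comment above, as an added example that is not part of the original thread: it builds the four share URLs with no third-party script on the page, accepts only http(s) page URLs, and renders an escaped anchor. The endpoints are the ones quoted above; the function names and sample inputs are assumptions.

```javascript
// Added example, not code from the thread. Endpoints are the ones quoted in
// the comment above; the function names and sample inputs are assumptions.
const SHARE_ENDPOINTS = new Map([
  ["facebook", { base: "https://www.facebook.com/sharer/sharer.php",
                 params: (url) => ({ u: url }) }],
  ["twitter", { base: "https://twitter.com/intent/tweet",
                params: (url, text) => ({ text: [text, url].filter(Boolean).join(" ") }) }],
  ["googleplus", { base: "https://plus.google.com/share",
                   params: (url) => ({ url }) }],
  ["linkedin", { base: "http://www.linkedin.com/shareArticle",
                 params: (url) => ({ mini: "true", url }) }],
]);

// Accept only http(s) pages and drop embedded credentials, so a hostile or
// sloppy page URL cannot turn the share link into a script or leak a password.
function canonicalPageUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw).trim());
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  parsed.username = "";
  parsed.password = "";
  return parsed.href;
}

// Build the share URL; URLSearchParams does the percent-encoding.
function shareLink(service, rawUrl, text = "") {
  const endpoint = SHARE_ENDPOINTS.get(service);
  const pageUrl = canonicalPageUrl(rawUrl);
  if (!endpoint || pageUrl === null) return null;
  const query = new URLSearchParams(endpoint.params(pageUrl, text.trim()));
  return `${endpoint.base}?${query}`;
}

// Escape for an HTML attribute or text node.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render a plain anchor: nothing is fetched from the network until the click.
function shareAnchor(service, rawUrl, label, text) {
  const href = shareLink(service, rawUrl, text);
  if (href === null) return "";
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}
```

The `rel="noopener noreferrer"` attribute keeps the opened share page from reaching back into the publisher's window and from receiving the referring URL.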

~~~
bsimpson
I worked at an ad company that was very keen on social sharing. Having played
with both the bookmarklet-style links you've cited as well as the official
share buttons, I've found the official buttons are better supported. I feel
like one day, Facebook is just going to deprecate sharer.php and make everyone
use the Like button. Tracking aside, the Like button has a much better UX,
whereas sharer.php has been barely maintained in spite of all the changes to
Facebook proper in the last few years. I don't think you can even suggest a
link title anymore.

Anecdotally, users seem to trust the native button more. If it looks like you made
your own PNG and linked it to Facebook, they can't trust that you aren't going
to try to do something shady to their Facebook account (or open a popup). If
you use Facebook's button, it's a familiar experience without providing the
publisher's site the opportunity to play man-in-the-middle.

User perception matters. Facebook's button seems to be perceived as more
user-friendly than the unknown button on someone else's site, even if the
unfamiliar button was designed to be less hostile than Like.

~~~
wuest
> Facebook's button seems to be perceived as more user-friendly than the
> unknown button on someone else's site, even if the unfamiliar button was
> designed to be less hostile than Like.

I expect that Schneier's blog is one of the best places to start reversing
that common (and understandable) perception. Given the pervasive nature of
fraudulent sites focusing on Facebook, one can't blame the users--but shifting
their frame of mind from "fraud is bad!" to "tracking/other invasions of
privacy are bad!" is overdue.

------
rkudeshi
I'm glad to see Schneier leading by example in removing/hiding those pervasive
share buttons.

(To enable something similar for every site you go to, check out the Ghostery
extension for Firefox/Chrome.)

~~~
nikcub
> leading by example

He is way behind here, and we could have used his advocacy much earlier.

There have been alternate buttons, browser plugins and a movement to include
no third-party scripts on the web for years.

I switched techcrunch.com to the two-click solution in 2008. It didn't last
long because we weren't successful in arguing why you don't want scripts from
third-parties loading automatically. I sure could have used a bit of backup at
that time.

~~~
mnutt
If you had to compromise, what about enabling the buttons on hover? You'd
still have people accidentally enabling them, but fewer than if they were
auto-enabled.

------
jlgaddis
> Over the next couple of days, I will transition existing subscribers off of
> Feedburner, but since some of you are subscribed directly to a Feedburner
> URL, [...]

Anybody happen to know how one might "transition existing subscribers off of
Feedburner"? I have a decent amount of subscribers via Feedburner but I would
also like to cease using it (the writing is on the wall) and transition
existing subscribers off but, obviously, RSS readers are tied to my Feedburner
URL instead of the "direct" URL on my blog.

~~~
modernerd
I believe the only way of doing it is to delete the FeedBurner feed. Google
redirects requests for your FB feed to the source for 15 days, then stops
redirecting and shows a message with a link to the source feed for 15 days,
then returns a 404: <http://support.google.com/feedburner/answer/79597?hl=en>

This should give keen subscribers the chance to switch over, although you will
likely lose some in the transition.

If you have FeedBurner's email subscription option turned on, you'll also need
to migrate those users to MailChimp or FeedBlitz or similar manually. (You can
export the list from the FB control panel.)

------
Foomandoonian
[Wondering aloud] Would a better approach be to activate the sharing icons on
mouseover? Sure, users would do this accidentally, but those concerned about
privacy could learn to avoid those areas of blogs. Those who don't care (or
pay attention) would get a one-click experience.

Touch users would presumably still have to tap twice.

~~~
thomasz
If I remember correctly they went the way they did to alleviate the threat of
trademark litigation.

------
mhartl
How do you "transition existing subscribers off of FeedBurner"? I'd definitely
think about doing this, but I don't know how.

~~~
nikcub
I recently read up on this because I want to move my subs off. Feedburner has
support for redirects and extracting email subscribers, although I still wish
there was a tool that would automate a few of the steps.

See this post, which is the best I have found on the topic:

[http://devilsworkshop.org/tips/how-to-leave-feedburner-witho...](http://devilsworkshop.org/tips/how-to-leave-feedburner-without-loosing-your-subscribers/1402/)

------
minimaxir
Why doesn't he implement his own social sharing buttons if he's worried about
having visitors send data to third parties unwillingly?

I've done that on my own blog and it works well (using FontAwesome to identify
services). Saves on loading time too.

~~~
streptomycin
Is it as easy for a non-webdev as this
<https://github.com/panzi/SocialSharePrivacy>

If you have a better solution, you should publicize it.

~~~
minimaxir
Define "easy for a non-webdev," because implementing a jQuery plugin isn't
something I could tell my friends to do on their normal Wordpress blog.

My solution isn't "better" (nor easier to implement, due to how implemented
social buttons handle social counts) for this purpose, because I
primarily implemented my own buttons for performance/aesthetic reasons.

~~~
streptomycin
By "implementing a jQuery plugin" you mean "copy and pasting a few lines of
code, like it says in the instructions"? I'm sure you can appreciate that some
people have the skill to do that, but not the skill to come up with a new
solution from scratch.

Also, I was genuine above when I said that, if you have a better solution, you
should publicize it. Any reason why your method can't be done just as easily,
if the code was out there?

------
benatkin
This reminds me that I need <http://disconnect.me/> to add support for Disqus.

------
iuguy
I was hoping the changes would include a commitment to him keeping to
discussing things he knows about, rather than having the expert's problem of
talking about things outside his domain knowledge and being considered an
expert for it regardless.

~~~
febeling
Which pieces by Schneier were not well-informed, or in which ones was he
talking about something outside of his domain?

~~~
iuguy
It's surprisingly common. Here's[1] the most recent example of Schneier
talking out of his domain with the potential to cause damage.

The problem is that Schneier is a pundit, not a security expert. He has a good
knowledge of cryptography but as a media pundit he's often asked questions
outside of his domain and on responding or commenting he's referred to in the
media as an expert. This is precisely what happened with his views on Airport
Security. He was expressing views as an expert when he was known for
cryptography and had no domain experience in airport security. Over time he's
clearly researched it and had more interest in it, but his earlier stuff shows
his lack of domain knowledge, yet because of his media presence he's
automatically deemed an expert, and this is dangerous.

In the most recent example of security awareness training, I would bet £5 (to
be donated to the Open Rights Group, the UK equivalent of the EFF) versus the
equivalent in dollars to be donated to the EFF that Schneier never once in his
lifetime has been involved in implementing a security awareness training
programme. Yet his commentary on this marks him as an expert in the field as
far as the media is concerned, and such views coming from 'an expert' may
impact the security awareness programmes of many people trying to improve
security in their own organisations worldwide. There's strong and well put
opposition to this from Dave Kennedy[2] and Andy Ellis[3], the latter of which
is Akamai's CSO, and someone who actually practices security on a day to day
basis.

Just to be clear, I am generally critical of Schneier and I think it would be
unfair not to state this. While I'm not a cryptography expert I recognise the
work he's done in that field, however where his points have crossed over into
my domain knowledge I've found his comments often show a lack of experience
for someone deemed an expert by default. I don't blame him for this, but I do
believe that he benefits from it and does nothing to counter the impression
(that he is an expert in areas he clearly isn't).

[1] - <http://www.schneier.com/essay-419.html>

[2] - [https://www.trustedsec.com/march-2013/the-debate-on-security...](https://www.trustedsec.com/march-2013/the-debate-on-security-education-and-awareness/)

[3] - <http://www.csoandy.com/files/why_bother_with_awareness.html>

~~~
febeling
I don't find it very surprising that providers of security awareness programs
don't agree with Schneier's arguments against their offering.

But since they have a strong financial incentive to disagree with him I'm
doubtful about their arguments.

Their arguments were also not convincing to me. Let me quote a random and very
shallow bit from the first linked post:

"An education and awareness PROGRAM is not a one hour CBT and clicking through
something. It’s education and awareness just like your HR department helps you
navigate to your expenses."

That sounds desperate.

~~~
iuguy
> I don't find it very surprising that providers of security awareness
> programs don't agree with Schneier's arguments against their offering.

Erm... I wasn't talking about commercial providers of security awareness
programmes. I'm talking about people who work in security who actually
implement security awareness programmes as part of their security management
processes, and the risk of a higher up being convinced that it's not
worthwhile because Schneier said so.

I've actually had a phone call this morning with one of my clients where this
article was raised as justification for cutting the security budget next year
by reducing spend on security awareness. This is for a major European defence
manufacturer who's under pretty much constant attack by people looking to
steal their IP.

In reference to your quote, that's not desperate, it's fact. A proper security
awareness programme is created and maintained by the organisation itself on
the basis of trying to find the best way to counter the threats the
organisation faces. Some organisations will find that the need for this is
relatively low and that the biggest threats they face are things like password
sharing and internal things with disgruntled employees. Others may find that
they're under constant attack from external threat actors and need to train
people to help support their detection capability. In either situation it's
definitely not a one hour CBT, it's more complex, it's more nuanced and it's
ongoing.

------
trinita
This is a very interesting approach, I really like it. I use Adblock and
DuckDuckGo but really like making these changes for my blog visitors as well.

