nptech.info

In a diversion from my normal topics, the US financial crisis has my attention at the moment.

First context... a bunch of financial institutions got greedy and bought a bunch of assets (mostly mortgage-backed securities) that no one wants to buy. Since no one wants to buy this stuff and no one can figure out how much they are worth, the government is going to spend up to $700B to buy this stuff.

So the financial institutions made decisions that should make them bankrupt, the government doesn't want them to go bankrupt and here is where it gets interesting.

If I'm a corporation and one of my rivals is going bankrupt, I don't buy the assets that made them bankrupt... I buy a stake in the company. This is what the government did with AIG... they bought 80% of the company (actually slightly less because 80% is a magic number in corporate land).

If, in the future that company does well, my stake in the company goes up and I potentially get a big financial benefit.

Now, instead of this Schumpeter-ian creative destruction, the government is going to buy all the bad assets. This is the key issue... the owners of the firms that made bad decisions get a free pass-- they are not dilluted by government ownership.... which is pretty much the only punishment capitalists understand.

Now, in the ideal world, the government would actually take a stake + buy the bad assets off the balance sheet, since both actions are necessary... buying the bad assets to resolve the crisis and taking a stake to punish the owners of these firms/

(oh wait, I don't want to punish main street since that might cause shareholder activism that might crimp those multi-million dollar executive pay packages)

I suspect if any of the rich people that understand investment and such actually paid any significant taxes, they would be hollaring for the government to use *their* money wisely by buying the assets only on the condition of getting an equity stake.

But since the money comes from a bunch of middle income folks that don't really realize they are partially responsible for this mess by holding Bear Sterns in their retirement portfolios, its OK to just buy the bad assets.

And this is where the ideology comes in. God Forbid the taxpayers own a significant percentage of the financial system they are bailing out. That would be socialism and that would be bad-- not that we know what socialism really is, not that the government acting like an astute investor is good.... since capitalism is only good if you are a private citizen or corporation.

And tying this up into a nice little bow... this just shows the contempt that Americans have for government. Carly Fiorina says that the a person qualified to be president of the United States... in charge of an organization with revenues of $2.5 trillion and 1.7 million employees.... isn't qualified to run Hewlett Packard ($113B revenue and 172K employees).

We say our government isn't qualified to own equity stakes in our financial companies.

We'll probably unload all those bad assets to early to make a decent profit (like we did with the Resolution Trust Corporation) becuase of the contempt Americans havce for their own government.

Its my money darn it, I want it invested well. I want a government that is run well, and just like when my airline does a crappy job, I'm going to switch vendors.

Wait we have an election in a few weeks.... mmmm.

How amusing is it that platform is the dominate meme for this blog?

So NTEN decided not to include CiviCRM as a listing in their Donor Management Survey. On the face of it, that was an OK decision because CiviCRM wasn't specifically designed as donor management software.

That kind of made sense to me, plus we have plenty enough users that use CiviCRM that we'll have just as many responses as the named systems. [If you use CiviCRM for donor management, Vote Now!]

Then they modified the front page of the survey to define donor management and I started thinking this is another conflict between the platform solution vs. "best-of-breed". Their definition of donor management is:
1. Manages relationships with current and prospective donors
2. Sends/Tracks correspondence and relationship history
3. Is more than just a donation processor (i.e. PayPal, Google Checkout, DonateNow)
4. Tracks ALL types of monetary gifts (on- and offline, events, etc.)
5. Is available for purchase/downloadCiviCRM was probably excluded since it does so many other things, but from CiviCRM v1.0 oh so many years ago we supported each and every on of these "features". But as a platform, we tend not to support "deeper" version of these features... for example, you could track pledges in v1.0, but real useful pledge management / automation functionality had to wait for the current release.

As a platform, we weren't included, but I bet if we called ourselves fundraising software from day one, we would have been.

Platforms like CiviCRM are designed very much on the 80% rule... try to get most of the way there for most of your users. But when you are trying to be a platform for operating a charity, most of the way there for most of your users doesn't look anything like most of the way there for most of your users if you are just building a gifts database. Features for a platform tend to be broad and shallow.

Over time, however, each aspect of the platform becomes deeper and more capable as more users use it, more contributions (code and financial) are made and time simply allows you to get around to a specific piece of functionality.

And finally, there is another reason that CiviCRM doesn't show up on the comparision lists (Techsoup, Aspiration, NTEN, etc.). I think the assumption is that if you can't install it on your Windows PC or access it as SaaS online, it is simply too complex for charity users and therefore shouldn't be put out there as an option. I agree a little with this, but the simple fact is that installing and maintaining a MYSQL application is not beyond an advanced accidental techie... I'm not sure we are helping too much by excluding a high-quality solution for the reason it requires some technical competence to deal with.

I've watched Wild Apricot since it came out of the gate and been impressed with their product as a solution for small groups. I've also been impressed with their well thought out blog and they seem like all around good guys.

I see this blog post about how they are going to:
...take a closer look at free and open-source software: the real costs, the barriers, and the trade-offs; some of the best FOSS alternatives to “brand name” software; and online resources to help you make the most of it.And I start to wonder if it is going to turn into a stealth vendor hit piece / FUD on open source. But as I mentioned, they don't seem like those type of folks, so I'm looking forward to what they write up.

PS, if anyone wants to compete head to head with Wild Apricot using open source software, you could run a CiviCRM-based ASP ;)

Part of the fun of nonprofit technology is that you always know where it is headed with 100% certainty. Just look at the small & mid-sized enterprise (SME) technology market 5 years ago... that is where nonprofit tech is heading today. [note: that time gap is closing, but is still pretty significant]

You'd think you could make some money with that insight, but I digress.

There are a few great debates in the software world client server vs. SaaS, best-of-breed vs. platform. Nonprofit technology is finally getting its head around SaaS being better than client server. A year or two ago, it became pretty clear that SaaS was the way to deploy applications even though the cost advantages were not what were once pomised--in the SME world. In a couple of years, nonprofits too will just accept SaaS is better than client server-- actually the adoption gap here is far smaller since SaaS addresses a bunch of challenges nonprofits have... the least of which no tech staff.

And now no less a luminary publication than the Wall Street Journal has published the truth, "The End of Best-of-Breed," noting best-of-breed software companies have been bought at fire sale prices.

Such software vendors became known as “best-of-breed,” reflecting a belief that specialists in automating certain business tasks can provide customers with a competitive advantage—at least over companies that use multifunction suites of programs that come from a single vendor.

But there was a problem with this approach: It is hard to get different pieces of software to exchange data, which is necessary to understand everything that is happening in a business, said George Lawrie, an analyst at Forrester Research.

So what does this mean in the nonprofit software space? Be very afraid of Blackbaud Infinity if you are a vendor. Find lots of money to buy Infinity if you are an NPO. Since infinity is the closest thing to a platform we have in the sector.

For the small charities, as always, technology will be a harder nut to crack... yet things like CiviCRM, Wild Apricot and others are approaching the world as a platform so eventually something complete might be avaliable. And then there is Salesforce and NetSuite... if they could release a set of applications on their platform, the smaller organizations would have a pretty fantastic resource.

So after 5 years, I changed all my basic passwords. Why? I was reminded that some of them were used in less than secure sites and I have been remiss in my regular practice of changing them every year or so.

Recent compromises at TechSoup and Network for Good reminded me that ultimately I am responsible for my own security. It is inevitable that security breeches will happen. Most of the responsibility for dealing with those breeches is on me... when a site is breeched, how much of my online life is vulnerable?

The other part of responsibility is on the provider. How do they react? How do they manage risk? How do they communicate the facts and the implications of those facts? The rather minimizing notifications from providers are a little bit disconcerting: http://techsoup.org/maintenance/page10338.cfm.

I'm not sure there is clear communication going on:

1. Viruses and malware means "a key logger could have been installed in your computer"
2. No evidence of download of personal information does not mean the keylogger didn't get your personal information.

You don't want to scare people unecessarily, but I would certainly hope that a mission driven NTAP would err on the side of caution and education rather than delivering what i would call a text-book vendor notification of a breech.

Viruses and malware are used to do little things like capture all your passwords (keyloggers). I saw a great demonstration once of cracking online banking after visiting an infected site.... these are serious issues and I'm not sure that the magnitude of the potential issues is really being communicated to those impacted.

What if viruses and malware are just decoys? I know that most NPO technical services are staffed by competent, well meaning folks. But hard-core security folks that can uncover the *whole* story? Not so much. Without information on what, exactly their response has been, it is hard to have a lot of confidence.

Finally, I think there is something very inevitable about two major NTAPs suffering a compromise of their older, creeky infrastructure... technology changes rapidly... continuous expensive investment is required to keep up with the moving ball. If you can't invest the money and people and time and planning in moving the ball forward, it's time to outsource your efforts.

I will note that both providers have made timid forays into modern technology that can address some of these issues.

Techsoup has used the Drupal open source system for a number of projects. Keeping up-to-date with an open source platform does a huge amount to improve security... the open source community fixes vulnerabilities and staying up to date protects the user.

But why not over the past 3-5 years budget and upgrade to an open source platform?

Network for Good takes another good tack... go to the cloud. They have experimented with Salesforce.com, where Salesforce engineers take responsibility for security and as the cloud gets updated the user is protected.

But why not over the past 3-5 years budget and upgrade all your services to a cloud-based platform?

In the end its all about management. How well do I manage risk by changing my passwords? How well do providers manage risk by investing in their technology infrastructure?