Andy Bell said:

Bob said "Don't freak out -- we'll continue to support offline use for as long as a significant percentage of our users want it".

Hi Andy,  Thanks for you post.  I feel a lot of your sentiments although I have been quiet on the issue.  This concerns me because of the investiment I have made in this resources.  I can't just pick up and go someplace else with them.  I need Logos.  This is why I had recently re-installed L3.  Maybe I just need the assurance that if the Internet goes away, I will still have my resources and be able to easily reinstall these resources if my computer crashes.

I like all the features of L4.  I love the search and the layout along with the windows management.  I just wish I didn't have to rely on the syncing with amazon servers.  I wish it was a stand alone package.  I know the reasoning behind all the thinking.  It is for the multi-platform usage and along with the accessibility of my stuff from mobile devices and the internet.  It just concerns me.

Thanks,

John

Bob Pritchett said:

I'm sorry we're unable to make everyone happy.

We're not anti-privacy. I like it myself. But taking on privacy needs for others is a massive responsibility, and an expensive one to implement well. So we go out of our way to disclaim responsibility and to encourage you to NOT store private or confidential information in our software.

Making lots of tough privacy policy and promises just creates a higher standard that we could be legally held to. If we were a bank, I'd consider that a cost of doing business. Since we're (largely) a sermon preparation tool, and sermons are designed to be preached aloud in public, it seems like a wiser use of our resources to put money into content, user interface, and service, rather than building a fortress to protect sermon notes.

I understand the sensitivity of prayer lists. If yours are that sensitive, don't use our prayer list feature. (It was just a "freebie add-on" to our core function; it's not the heart of our software.) If we get pressed to the wall, we're more likely to remove the prayer list feature than to implement guaranteed iron-clad security.

The world is moving to cloud-based web services over installed desktop apps. (Don't freak out -- we'll continue to support offline use for as long as a significant percentage of our users want it.) Some of us wish this wasn't so, or aren't prepared for it mentally, but it's happening none-the-less. We're designing our application for this future. I know this future is not exactly present today (that's why it's the "future!" <smile>) but it is clearly coming. In the future, our product offerings will store all the data you choose to maintain with our tools in the cloud. So implementing "hold some of my calls!" type features to pick and choose what goes to the cloud now seems like a waste of time. Relevant today, but just creating problems for the future, when you'll expect ALL of your data to magically appear on your iPhone, iPad, web site, Android, BlackBerry, iSlate, etc.

The good news:

I don't want to read your private data. :-) We're designing our systems for reasonable privacy. We just recently changed the way we store passwords, so that no one at Logos can ever see your password. (Now we can't even give it to you if you ask; we can only reset it.)

We are also bound (through a non-government, private contractual obligation) to comply with stringent credit-card security rules. This PCI Security Standard is an obligation of large merchants who charge credit cards. (See https://www.pcisecuritystandards.org/) PCI compliance has required us to implement name badges, visitor logs, run background checks on certain employees, implement two-factor authentication for certain systems, and to physically and digitally reconfigure our networks. It took us a year to comply, and we get audited.

Are your synced documents as secure as your credit card number? Probably not. Sync is new to us, and we're still working on the system. In the course of debugging things, ensuring there's no data corruption, etc. I imagine some user text (mixed in with lots of <xml>tags</xml>) appears on programmers' screens. Right now it's on a server we control, but in the future it'll probably move into Amazon's cloud based storage system. I don't know that we encrypt it at the moment.

In the future, I can see us implementing some more security. We could allow you to add a client-side-only password that would be used to encrypt your personal data before it was sent to our sync servers. Of course it would create more customer service -- if you lost it we couldn't recover it, and if you wanted to see that data on one of our future web sites, or a mobile device, you'd need to decrypt it there, etc. But if that's what eveyrone wants, we can go that direction. But it won't be immediately -- we've got what we think are higher priority tasks to get done first. (Getting sync to work with shared documents -- for people who want to share their documents -- and moved to the even more reliable Amazon servers, etc.)

I'm not trying to be difficult or insensitive. But security is complicated, expensive, and a huge responsibility. And since we get more people asking "how do I share my documents with my church/class?" than "how do I keep my document private with 256-bit military grade encryption, even when it's sent over the Internet?", it seems like the first is a better place to put our resources. (Your credit card number, which I imagine you don't want shared with your church, is locked down according to the massive PCI protocols.)

-- Bob

PS If you care enough that you want to know which algorithms, etc. then you're probably wiser to just disconnect your computer from the Internet physically. This is what real security is -- locked, windowless rooms and computers without network connections, electromagnetically shielded. Because anyone sophisticated enough to be sniffing your traffic is probably much more likely to attack through the never-ending, always-a-new-one-found hole in your operating system or web browser, or by attaching a key-logger to your physical device, than by bothering to decrypt data. Even in the most plausible "it was a secret I stored in Logos Bible Software that someone wanted to get" scenario -- say, an abusive estranged spouse wanting access to counseling notes / prayer requests? -- I would imagine that planting a spy device (voice activated recorder, key-logger, remote "laser off window" listening device) ordered off the Internet, or hacking your machine directly, would be more likely and easier than finding and extracting your data on our servers.

 

Thank you Bob for your thoughtful reply and sound reasoning.

Russ White said:

<I've gone back and shortened my reply considerably--cut to the chase>

So, now that someone has pointed me to this thread, I'll answer here.

You essentially make five arguments here. The first is:

[quote]Since we're (largely) a sermon preparation tool, and sermons are designed to be preached aloud in public, it seems like a wiser use of our resources to put money into content, user interface, and service, rather than building a fortress to protect sermon notes.

This is a fundamental misunderstanding of the idea of security. Security doesn't mean hiding something permanently, or unhiding it permanently. There are many things which I want to hide now, and want to publish later. You make the same fundamental argument later:

[quote]PS If you care enough that you want to know which algorithms,
etc. then you're probably wiser to just disconnect your computer from
the Internet physically. This is what real security is -- locked,
windowless rooms and computers without network connections,
electromagnetically shielded.

Again, no it's not. I've worked in a TEMPEST rated facility with a TS/SCI safe, STU-3's, and various KG's. I've worked on equipment I still can't talk about. I've worked in environments you don't even know exist. Security is not about hiding under a rock, it's about controlling the flow and use of information. If I can't control the information (or deny someone else access to it), then I can't secure it. For instance, you say:

[quote]Relevant today, but just creating problems for the future,
when you'll expect ALL of your data to magically appear on your iPhone,
iPad, web site, Android, BlackBerry, iSlate, etc.

The implication is that just because you think I want my data everywhere, I don't want to control it. This is a false implication. I'll always expect to be able to control what data shows up
where. As the concerns over privacy become more severe, as the
generation currently rising realizes what they've given away in terms of
information about themselves, as people lose their jobs, or job
opportunities over pictures of themselves on facebook that can't ever
be removed, you're going to see a backlash against this stuff. The
best bet is to be ready for all eventualities, not to count on one
paradigm running the world forever.

The second is:

[quote]The world is moving to cloud-based web services over installed desktop apps.

I'm sorry, Bob, but I disagree, and I live and breath the IT world. These things go in ebbs and flows. Right now the world is aflame with mainframes (otherwise known as cloud computing). In six months--and a couple of business failures--later, the flow will move back. I won't name specific names, but I can tell you  more than 75% of the large networks I work on will never go to a public, commercial cloud service. I've specifically asked many large network administrators this question, and most of them say, "over my dead body." So either we're going to have a lot of dead really senior people on the network and administrative side of the network, or it's simply not going to fly to the level of the market hype.

I, personally, will never rent an application on the 'web, nor store my data on the 'web. I know how secure your data is. To put it mildly, anyone who trusts 'the cloud' probably doesn't lock their doors at night, either, because there's no point. I've always made it a rule of thumb never to use locks a locksmith tells me I'm a fool to use.

The third is:

[quote]I don't want to read your private data. :-)

This isn't about you, or anyone at Logos, Bob. This is about the
person who breaks into your system--and it will happen. This is
about the Federal search warrant in a free speech case when someone is
taken to jail for preaching against homosexuality. There are larger
issues here than you reading my notes.

You say you work hard to protect my data for me. I find this a bit of a hollow promise when you won't allow me to choose which data I've inserted into Logos to send or not to send. You're very concerned about the privacy of my data, but you won't promise me anything, and you won't do anything to let me protect my data other than to say, "don't use my software."

The fourth is:

[quote]I'm not trying to be difficult or insensitive. But security is
complicated, expensive, and a huge responsibility

What you're saying here is, "I don't want to be responsible for your data, so please don't put it in my software." I would suggest the more realistic answer is, "I don't want to be responsible for your personal data, so let me make it so you can choose what you send?" You've already admitted that it's always going to be harder for you to secure my data than for me to, but you don't want to put a simple feature in place that will allow me not to send that data to you. "Just don't use my software," is your only answer.

At the same time, there's a built in contradiction to your argument. You've already admitted that you don't want to be responsible for my data, and then you turn around and say, "you might as well get used to your data being in 'the cloud,' because that's where it's going to end up anyway." In other words, you're not willing to supply me the security you say I'll eventually need. That doesn't make any sense at all.

The fifth is:

It will cost me in support, because people will lose their data.

So you expect your users to be intelligent and mature enough to not use your software for "sensitive data," and yet you expect them to be dumb and immature enough to complain when they lose their encryption key. I don't see how this makes sense.

==

To summarize, you could say you're just wasting your time to build in local storage of some items today. I'll say you're wasting your time building in only network based storage today, because the world will only go through this swing of the pendulum until people rebel against it. And you'll lose in the next round to new software that works intelligently locally. The best bet is to understand the swings, and build in the flexibility today. I design networks and protocols for a living; the one thing I've learned over the years is that flexibility never goes out of style. To be able to say, "well you want to centralize, let me show you how to do that with this network design," and then to be able to say, "well, you want to decentralize, let me show you how to do that with this network design." That's always the winning sell. Always.

If you'd like to chat off line, I'm easy to
find--russ@cisco.com is one way.

Russ

[Y]

Mark Barnes said:

They use the https protocol for transferring your data to Logos. That's as secure as it gets. No-one knows how the data is stored when it arrives, but a reasonable guess from the traffic is that it's stored on a Logos Windows 2008 server located at FiberCloud.

Is
there someone who can answer my question, I think we are dealing with Bible matters,
what is the fear of data and so on, like we can face a terrorist attack? And
what makes doubt to trust Logos? Is there any one who has bad experience with
Logos in this matter?  

Tes said:

Is there someone who can answer my question, I think we are dealing with Bible matters, what is the fear of data and so on

If I keep homemade ice cream recipes in my Logos notes I won't really care if someone intercepts them. I would never store detailed identifiable data that could hurt someone I am counseling in a network enviroment.
Even financial institutions are not hacker proof. My bank's security certificate has been invalid for years because they registered it in a "nickname" instead of their legal name. I have also run across a cute little virus that denies access to servers by adjusting the computer's internal clock ahead several years making the certificates presented appear expired. Just last Summer a vulnerability was discovered in Transport Layer Security that allows interception. Some college kids can break 256 bit encryption in a matter of hours. There is no internet connection that possesses absolute security.
But we are dealing with a Bible software program, aren't we? Your question is a very good one:

Tes said:

And what makes doubt to trust Logos? Is there any one who has bad experience with Logos in this matter?  

Andy Bell said:

This is isn't a question of whether we can or should trust Logos

Andy Bell said:

it's about my right to privacy.

No "Andy Bell" ( if that is your real name  [;)].)  You are faced with choices every day how deeply you want to interact with the rest of the world and expose yourself to risks. When you ride in a car you are risking an accident. When you attend church or school, you are risking getting sick during flu season. You forfeit your privacy to your bank, insurance company, medical records personel, and the list is endless......
(Oh, Did you know the insurance companies in the USA have been sharing your "private" health data for years in a pool similar to a credit bureau? They say it is to prevent you from committing insurance fraud. But they are likely tagging all who have genetic predispositions for disease so they can identify your offspring for whatever plans the goverment has for the sickly. )

Tes asked a simple question: "Is there any one who has bad experience with Logos in this matter? "
Logos is not the soft spot of vulnerability. The next terrorist attack on the USA will likely be by computer against the financial industry.

If you are only concerned with the principle of your "privacy" being violated; you are your own worst enemy. To interact with a planet of billions of people and expect perfect privacy is "Lady Godiva" self-talk.

I would be tickled if Logos could give privacy advocates what they are asking for. I do not want to sacrifice functionality to obtain "privacy" I don't need. To me the focus should be: "Does Logos do what it was designed to do?" Let's work on enhancing that first.

Andy Bell said:Some of us would prefer to have the software offer a choice of where to store the data.

I am all for choices and think you've made many good points. I worry that it would detract from further program development to go back and rework the whole foundation of Logos 4. It just doesn't seem like a three day fix. And If I have to choose between current momentum of program developments and the privacy of my data, I''d go with the former.

btw: Your response has been the calmest and most convincing in the forums. Most "privacy" proponents, similar to Chicken Little in the fairy tale, say "the sky is falling" when, in fact, it fell a long time ago. Running Logos 4 isn't as risky as running Windows........[:^)]

Lastly, TrueCrypt is not impenetrable.

I'm with you Andy. Give me a local storage option. [Y]

MJ. Smith said:

Andy Bell said:

Considering that, currently, Logos 4 stores gigabytes of data on the local hard disk, there isn't a good technological reason for not storing notes locally too.

I suspect you misspoke here - your notes are stored locally as is all your user generated data. That enables Logos to work off line. The purpose of the cloud storage is to enable the syncing of data across multiple platforms - home computer, laptop, cell phone, iPad etc.

Thanks for the clarification - I din't realise that this was the case. However, this makes setting an option not to share notes via the cloud a truly trivial operation. In 'pseudo code':

IF shareNotes == true

    call ShareNotes

END IF

Obviously, I don't know the internals of the Logos code, but assuming they have properly segregated discreet operations into discreet 'methods' then it really would be this simple to do it.

In fact, such logic must exist because the code already has to deal with offline mode:

IF online == true

    call Share Routine(s)

END IF

So, it becomes even more trivial to implement a non-share mode.

I'm sorry, but I feel that the refusal to implement things like this and 'choose what you download' more and more reflect stubborness rather than anything else. A company I know has lost (probably) millions of $$$ due to this attitude. Now they have moved onto Agile Development where one of the cornerstones is 'give the customer what they ask for' unless it is impossible to do so. But I fear it is way too late for them - they alienated too many clients.

In both of my requests the functionality is actually 99% there - offline mode and hide resources are almost, but not quite, what I and others keep asking for. The effort to introduce these is minimal and, once done, stays done. It doesn't burden Logos with a huge maintenance issue down the line and it would put and end to a decent proportion of the 'complaining' of their customers, leaving just the speed issue and the bug reports...

Just my 2 penny's worth...

I haven't tried this (yet) but I wonder if manually backing up this folder:

LogosInstall\Documents\RANDOM_CHARS\Documents

would be a short term workaround for the lack of a local backup facility. Logos locally stores each type of data (Notes, Handouts etc) in their own database so this might work.

I will give it a go and report back the results...

MJ. Smith said:

Andy Bell said:

What I'm asking for is, effectively, the ability to pre-hide the resource. In other words to say "no, dont download it, just make it hidden".

This makes perfect sense. You are correct that it is difficult to imagine a "terrible" downside to the option. Have you suggested it on user voice? As I'm sure you've guessed, on the no backup issue I can see few enough potential problems that I am not willing to say "no big deal" - I'll only go so far as to say, could be, could not be - who am I to know?

edited to clarify - it had been correctly interpreted.

I will draw up a user voice suggestion later today... Or I would if I could find a link to the user voice page [:'(] Could someone point me to the right place?

At the risk of sounding as if I don't know what I'm talking about, or that I'm trying to get people to move away from using L4...I would like to suggest that perhaps L4 is not the correct software for the OP???

Perhaps there is a software that does not put your private information at risk the way you think L4 does, and perhaps that is the software you should be using, instead of L4.

L4 is very clear about how they operate, and how sync-ing with the cloud is part of the future of the software.  So those who have these privacy concerns might need to reconsider their purchase IF the risk is truly as large as the OP and others on the thread seem to suggest.

Please hear me:  I'm not trying to be confrontational, just wondering why one who holds these opinions concerning their privacy would purchase a software product that they know up front is going to compromise them?

Esther

Esther Jones said:

At the risk of sounding as if I don't know what I'm talking about, or that I'm trying to get people to move away from using L4...I would like to suggest that perhaps L4 is not the correct software for the OP???

Perhaps there is a software that does not put your private information at risk the way you think L4 does, and perhaps that is the software you should be using, instead of L4.

L4 is very clear about how they operate, and how sync-ing with the cloud is part of the future of the software.  So those who have these privacy concerns might need to reconsider their purchase IF the risk is truly as large as the OP and others on the thread seem to suggest.

Please hear me:  I'm not trying to be confrontational, just wondering why one who holds these opinions concerning their privacy would purchase a software product that they know up front is going to compromise them?

Esther

Yes, there is such a program. It is called Logos version 3. And the neat thing is; it runs 1000 PBBs, imports sermon files, saves notes & runs without internet connections. Not to mention a Portfolio Edition upgrade will add thousands of premium titles to Version 3's library.

If I were a missionary in Indonesia right now, I would definitely run Logos Version 3 to hide from persecutuion.

MJ. Smith said:

Letting my sense of humor get the best of me. I'm just saying

After 10 pages we need either humor or perspective or both.

That's funny. [:P] I do think your search results for "privacy" do prove Robert Bork was right....There is no privacy! (I know, I'm twisting things again.) 

How many of the search results would have done what they did had they known the whole world could read about it later?

MJ. Smith said:

With an omniscient God how could there be?

Of course Robert Bork was only talking about the US Constitution. It was Calvin, Charnock & Bette Midler who said "God is watching us."

Andy Bell said:

This is isn't a question of whether we can or should trust Logos. I am certain that they are honest and trustworthy both as a Corporation and, in general, as individuals. It's about the fact that storing my data on someone else's system increases the risk of someone accessing my stuff without my consent.

It could be a rogue employee at Logos but, more likely, a server hacker who is looking for personal info. If Logos use a 3rd party 'cloud' to store the data on (and it seems they are/will do) then it makes the data more vulnerable as the 'target', as it were, becomes bigger.

The issue isn't really about whether my data being hacked would lead to embarrassment (or even a lawsuit) - it's about my right to privacy. My data is my data and I should be able to control who sees it. OK, that's idealistic but Logos should, out of plain respect for my privacy, allow me to choose whether or not I want my notes, and eventually resources, to be stored and only accessed from external servers. I think it is phony reasoning to say I have to be careful how I use the program. No. I should be able to configure the program so that I can use it in a way that satisfies my need/desire for privacy.

Andy, I agree with you 100%

tom collinge said:

I agree with you, for those who use the cloud option, need to know what Logos offers, and we need to do the rest for us.  This being said, if Logos is saying they are backing up our data (for those who use the cloud option - not me), then Logos needs to state how often they backup their data.  All backup software programs that I have used give me options of which file to restore.  They ask which file because the program has multiple files to chose from.  I personally backup certain directories daily, and I back up all of my personal files every Sunday morning while I am at worship.

Therefore, for those who use the cloud option, should also have the option of restoring her/his files from a different date (if Logos is in the business of backing up their user's data).

That's a good point.

I suspect that many of the issues we are raising is to do with the fact that Logos4 cannot yet be described as a mature product. Whether or not they released it too soon is no longer worth debating, although had they released it as a public beta or even a pre-release then some of the messages here would drop in tone to 'suggestion' or 'I would like...' rather than making a complaint.

However, Logos4 was released as 'Generally Available with features yet to come'  although 'Generally available, available features 80%-90% done and others features still to come' would now seem a more accurate description. I think in a different environment - say a financial system for a commercial bank, where efficiency and value for money outweigh patience and tolerance, software released in this fashion would probably be rejected (to put it mildly).

One of the principles of Agile Development (which gets mentioned occasionally in the forums) is that features are not released until they are "DONE DONE" - emphasising that even 99.9% is NOT DONE and that the feature is not ready. It takes incredible discipline to consistently achieve 100% done before releasing a feature but the benefits in customer satisfaction are self evident.

Since Logos4 was released, there has always been, to me, the feeling of it still being in the 'evolution' stage. Many resources have had to be updated because the data structures have changed, rather than the resource content being updated. This is really a sign of a product in (relative) infancy - any software developer will tell you that changing data structures (not adding to them, but changing that which already exists) is both painful for developers and painful for customers. Logos' philosophy has just been to re-download the resources to fit the new data structures, rather than to try to 'massage' the data into the new structures, and this has led to complaints about download size. I have no idea if such downloads could have been avoided. If they could have been I think they should have been.

I had to search through several pages on Logos' site until I reached a page that said:

"Safe and secure. You can have the peace of mind that all your
documents—notes, clippings, and custom guides—are safely backed up on
our servers. If your computer crashes, just reinstall Logos 4 and all
your data will be restored." (http://www.logos.com/logos4/customize).

Because the Engine is marketed as 'free' I suspect most customers will focus on the resource description pages - after all that's what they are being charged for. Certainly, until this thread I was unaware of the full scope of this feature, but I haven't been an avid V4 user and am only just revisiting it in the last few weeks. That said, I do think, at the very least, Logos4 needs to be much more 'in your face' about what it is doing. During the initial setup it should ask whether or not to turn 'Use Internet' on rather than defaulting to it. It should explain the consequences and it should provide a way to get automatic notification of updates without also turning on synching.

Matthew C Jones said:

My warning to anyone considering using the program in ways other than designed is "DON'T" and if you do, don't assume the content of forum posts covers every possibility of what could go wrong.

Bob Pritchett quotes "You can turn off Internet Use in the program settings, and get updates by ordering DVD's on occasion. We'll continue to listen to feedback on this, though it's lower on our priority list than missing features."

That would seem to indicate you can do this.

Andy Bell said:

there is nothing illegitimate, unusual or inherently dangerous in what JimT has suggested.

From your strictly "programmer's" point of view maybe. But I was not criticizing JimT for that part of his post. I took issue with Jim saying the previousl posts on the forum are adequate to address all potential eventualities; so well covered that if a user read them all he would have enough information to make a fully informed decision as to all possible outcomes. I maintain that is not the case. The user starts tinkering with the functionality of the program and then wants to hold Logos responsible for any loss resulting from his ill-informed tinkering. Jim's advice constitutes an implied warranty that, if you first read the posts, you may then tinker to your heart's content. That is the "lawyer's hat" that doesn't seem to fit programmers very well. But I bet Bob has a couple of those types hiding in the wings that look good wearing the hat.

Matthew C Jones said:

Andy Bell said:

there is nothing illegitimate, unusual or inherently dangerous in what JimT has suggested.

From your strictly "programmer's" point of view maybe. But I was not criticizing JimT for that part of his post. I took issue with Jim saying the previousl posts on the forum are adequate to address all potential eventualities; so well covered that if a user read them all he would have enough information to make a fully informed decision as to all possible outcomes. I maintain that is not the case. The user starts tinkering with the functionality of the program and then wants to hold Logos responsible for any loss resulting from his ill-informed tinkering. Jim's advice constitutes an implied warranty that, if you first read the posts, you may then tinker to your heart's content. That is the "lawyer's hat" that doesn't seem to fit programmers very well. But I bet Bob has a couple of those types hiding in the wings that look good wearing the hat.

Sure. I understand. Perhaps I should have said: "there is nothing illegitimate, unusual or inherently dangerous in telling your firewall to block an IP address", as it was that I had referred to. I actually read this whole thread before posting as I didn't want to repeat old points - these threads have seen more than enough repetition and posturing[:)]

But I will repeat: configuring your firewall does not constitute tampering with any program. It has the same effect as running a program without any internet connection and, therefore, the software has to handle it.