As all you Sitecore coders out there know, the default recommended set up for a Sitecore solution in Visual Studio is as one web project. This can make working with multi-site solutions a challenge and also means that your custom code for the solution gets mixed in with the rest of the Sitecore base installation. To overcome this issue, our preference at bv02 is to use Team Development for Sitecore (TDS), to organize our work into a separate Visual Studio project that gets pushed to Sitecore on build. However, when using TDS recently in this sort of set up, I encountered a problem with TDS not properly deploying and pushing the code to Sitecore.

Here’s what happened…

I separated the Sitecore install from the Visual Studio project: Sandbox and Web project respectively.*

I also set up a second project named “Data” that contained information related to site configuration and a third project named “Custom” to store custom classes or pipelines etc.

Then, using TDS I was able to set up a push process for Visual Studio builds from the Web to Sandbox project.

Midway through my development, though, I noticed that my Web project was no longer pushing any of my builds to my Sandbox installation of Sitecore! This was obviously a big problem.

With many hours of debugging, and support from TDS, I was able to fix this issue.

In case you encounter this in your own work, here are the steps that I took to fix my project:

1. Un-comment the following code in the target’s file code located at C:\Program Files (x86)\MSBuild\HedgehogDevelopment\SitecoreProject\v9.0\HedgehogDevelopment.SitecoreProject.targets:

<!– <Copy SourceFiles=”@(DeployFiles)”


Condition=”‘$(SitecoreDeployFolder)’ != ”” SkipUnchangedFiles=”true”/>–>

2. Build the solution and voila!!

*Reference: For help on setting up a project in TDS, check out Brian Beckham’s blog, “Setting Up a Sitecore Solution Part 2: TDS and Build Configuration”.

As one of the fastest growing social media photo sharing platforms in the world, with over 200 million monthly active users, it was only a matter of time before a brand leveraged Instagram’s capabilities to create a fun – and free – alternative to a website.

IKEA recently used the site to launch a web-based catalog and showcase its annual PS line targeted towards millennials. Upon searching the ikea_ps_2014 account on mobile, you’ll find what looks like a homepage resembling a typical IKEA catalog. Each main post or image represents a categorized collection of items offered as part of the line.

Leveraging Instagram’s tagging system, when an image of a product is tapped, hidden links to additional photos and specifics in that category open and allow for itemized navigation. Each product has it’s own account where users can view video demos, photos, product info and pricing.

This may not be the first time we’ve seen brands find a unique way to use Instagram, however it is the first time we’ve seen a brand exploit the sites user experience to essentially create website links out of Instagram’s tagging system.

IKEA’s latest use-case for Instagram may help the photo-centric social hub progress from a repository of selfies to a digital marketplace. We have seen over 2500 brands join Instagram to date and can expect to see these brands exploring more exclusive ways to leverage the site rather than expecting organic reach and engagement based on product shots and hashtags.

Since launching on June 21, IKEA’s @ikea_ps_2014 account has gained over 13,000 followers.

Last weekend, June 28-29, marked Ottawa’s third instalment of Random Hacks of Kindness (RHoK) (

The first order of business is to answer “So, what is it?”.  RHoK is a hackathon for making the world a better place by developing practical, open source technology solutions to respond to some of the most complex challenges facing humanity. RHoK, an international initiative (in over 30 countries), happens concurrently twice a year in June and December.  Our Ottawa chapter operates wholly on its own, while maintaining the vision and mission of the global organization.

Now before I dive into how it works, I want to venture an important point of clarification for hackathons: it’s not just for developers. In fact, many hackathons welcome and actually need a diverse group of individuals. For example, at RHoK this weekend, we had developers of all types, graphic designers, UX designers, community managers and an anesthesiologist. Of course there are also the organizations that benefit. Everyone is welcome.

What’s really exciting about RHoK is that we pair participants with real organizations that have real challenges. As a result, it’s a great environment…but there is a lot that goes into the event. Recruiting organizations is actually tougher than it sounds. While they get the benefit of collaborating with bright and talented minds, simply providing a venue and people aren’t enough. The organizations need to generate a project that fits the bill. The project or objective must: have a clear problem and direction but still leave lots of room for creative problem solving; be able to be solved in a weekend; be applicable on a larger scale to other organizations; and, be engaging and rewarding to the participants — the organizations tend to be one of the key selling features in getting participants to join.

We’ve yet to have any real problems in finding participants as we’ve sold out in June and last December. But, that’s in no small part due to the outreach we do and the great opportunity we are creating for people. We reach out to a host of developer groups across the city, encourage past participants to join, post on our professional and corporate networks, and rely on the participating organizations to also spread the word.

Participation costs $5 and the reason for charging this amount is really only to encourage attendance if you register. To put this in perspective, and thanks to the many sponsors who contributed, RHoK participants ate like kings all weekend for that $5. Not to mention, they got some pretty sweet laser-etched mason jars as a take-away.

This year we capped out at 45 participants. On the organization side, we had Oxfam Amnesty Code for Kids Art Engine Ladies Learning Code and Mustaches for Kids. The projects included:

  • Oxfam Canada is working with a coalition of organizations on putting together a common campaign calling for a national debate to be held during the 2015 elections on women’s issues/women’s rights (international and national). They were really interested in how technology can play a role in connecting citizens more directly to political representatives and RHoK was the perfect venue to explore this.
  • Mustaches For Kids: The goal was to build a third-party fundraising platform that makes it easier and much more compelling for participants — with great images, fundraising tracking & analytics, historical data, and more.
  • Amnesty International Canada: They wanted to create an for their members that would make for safer protesting through aggregating and displaying tweet trends from specific geographic areas. For example, to keep an eye on events in Taksim Square.
  • Code for Kids: This group aimed to build a game to help kids aged 7-13 learn to program Ruby on Rails.
  • Artengine has a library of tools and equipment that they make available to the public, but managing reserved resources right now is kind of a pain. The project was to build a reservation system that could be used by Artengine and other makerspaces around the world to manage reservations.
  • Ladies Learning Code: Continued their work on a job board that helps connect workshop learners and the technology community with great talent. The job board will have three pages: main, administration page and a job seeker’s area. Some of the key tasks and functionality required are to: search jobs, browse jobs by date, browse by category or by employer, and to include the most recent jobs listed on the front page.

At bv02, myself (Brett Tackaberry), Lisa LaRochelle and Brandon Brule were on the organizing committee along with Wesley Ellis and Christian Garceau from Shopify.

And yes, I did lead the Mustaches for Kids team. On the team was Vicki Iverson from Iversoft, Brandon Brule, Simeon Seguin and Sharon Austin.  The issue we faced was to help third-party fundraising initiatives better support team-based fundraising without requiring any technical support from the charity itself. What we accomplished was: a brand new design for the website, front-end development, an application framework (JSF using PrimeFaces), an iOS app and a data API – and they all worked together. These parts weren’t all complete but we did have a working demo by the end of the weekend. I made sure they all went home with M4K swag too.

And I certainly have to take some time to recognize our amazing sponsors:

whalesbone_logo lonestar shopify bv02 labottega12labs beaus lunch fishmarket

Here are some more pics from the event:

This marks the first video in a new series called “The Brief: The Business of Digital Marketing”, in which I’ll be talking with experts across the business world about trends and hot topics in technology and digital marketing. Today’s subject: Canada’s Anti-Spam Legislation (CASL), which comes into effect on July 1, 2014.

In one of our recent videos, we brought forward some ideas and resources for how to survive CASL as a Canadian business. What we found, though, the more we dug into the subject, is that there are a lot of grey areas around the legislation. So we decided to talk to a legal expert to get their perspective. I hope you find this interview with lawyer Porter Heffernan of Emond Harnden Law as useful as I have in figuring out how this applies to everyone both inside and outside the corporation.

Porter Heffernan practices in all areas of labour and employment law, with a particular focus on rights arbitration, civil litigation, and privacy law. He holds an LL.M in Labour Law from Dalhousie University, and is the recipient of many awards. He has been with Emond Harnden LLP since 2008.

Andrew Milne: If you were to round it out and give a short description of what the CASL legislation is, how would you describe it?

Porter Heffernan: It’s based on two main requirements for commercial electronic messages. The first, is that if you’re sending a commercial electronic message, a CEM, you have to have the consent of the recipient, “express” or “implied”. The second is that you have to incorporate certain elements into the form of that message: contact information (in a variety of forms) and an unsubscribe mechanism.

AM: We talk a lot about consent here. Can you break down the different types of consent for us?

PH: The Act contemplates two different types of consent. The first is express consent, which we call the gold standard under the Act. That’s when someone specifically opts-in to receiving CEMs. Express consent is indefinite in duration; it lasts until someone unsubscribes from receiving messages in the future. So, it really is the most valuable form of consent. If you don’t obtain express consent, the Act does provide for implied consent in certain specific circumstances. So those include, for example, where you have an existing business relationship with an individual, so they’ve purchased something from you within the last two years or engaged in another transaction, or even requested a quote or requested information about your organization within the last six months.

AM: A lot of the people we work with have monthly emails, bulletins, other regular communications that go out. And inside that, there’s often some sort of solicitation for engagement. When people sign up for those, does that fall under this law, or do we need to go and get further proof of engagement?

PH: It depends on the format in which consent was collected initially. The Act provides both for implied consent in certain specified circumstances and express consent, so someone can explicitly give consent to receive CEMs. And one of the ways in which the Act is stronger than virtually any other legislation in the world, is that it’s not enough to have someone purchase something from your website, for example, and click “I agree to the terms of this transaction” where there’s a pre-checked box that says “I agree to receive commercial electronic messages”. To get express consent that’s valid under the Act, someone has to actively check that box and then agree to the terms of the transaction. They call it opt-in consent, as distinguished from the pre-checked box, opt-out consent.

AM: How far back does that go? Say, for instance, that I signed up for an electronic engagement three years ago, and I’ve been receiving those bulletins every week.

PH: The fact that you’d signed up initially and the fact that you’ve been receiving those bulletins is not enough to count as implied consent, unfortunately. So you have to go back and scrub your database, meaning you have to try to obtain express consent from as many of those people in the database. Where you can’t obtain express consent, you have to look and see whether the other individuals might fall into one of the exemptions under the Act for implied consent. And if they don’t, then you have to either remove them from your database or carry the risk that you may breach the Act by emailing them.

AM: Third party lists… While they aren’t a great way to start an engagement, they do exist, and a lot of people do use them for garnering new members or relationships. How’s that going to work out?

PH: If you’re buying third-party lists now with this legislation in force, then you need to seek legal advice, is the bottom line answer. Third party lists now carry substantial risks for organizations that have been purchasing or leasing them. As an organization, if you send a message to a contact in your database and that message is in breach of the Act because that contact hasn’t given consent, you’re liable for that message and you’re exposed to the risk of those fines up to $1 million or $10 million for the organization. The CRTC doesn’t care where the list came from in applying those fines, so it’s no excuse to say, “but I bought it from an organization so I didn’t collect it, I didn’t seek consent”. The CRTC is going to look at your actions in sending an email without consent.

Part of what that means in practice for organizations is that they have to do more due diligence if they’re going to be buying or leasing lists. They have to look at incorporating provisions in their contracts with list providers, where the list provider provides some assurances and perhaps even an indemnification in order to reassure the organization that the list was collected in compliance with CASL, and the organization isn’t going to acquire any liability by using the list.

AM: This is going to change how businesses work. People now either have to have a relationship or have been working with them in the last two years. Besides that you have to find a new way to communicate with them.

PH: There’s no question it’s going to have a serious impact on the way many organizations do business. There’s a great deal of concern in the business community about the impact this is going to have not just on mass email marketing, but on day-to-day business communications. The law is not restricted to bulk emailing. The law applies to individual unsolicited emails as well, so there was concern that this might impact a business’s ability to communicate with its suppliers or its business partners.

One of the most significant exclusions day-to-day is what I’d refer to as the intra-company and the inter-company exclusion. There’s an exclusion for messages sent by an employee of an organization to another employee of the organization that concern the organization’s activities. So, your internal communications among your employees are generally not going to be captured by the scope of the legislation. There’s also a similar exclusion for communications between employees of different organizations that have an existing relationship. So, if you’re communicating with your supplier, your contractor, your business partner, you’re not going to have to worry about the application of CASL to your day-to-day communications with that individual or individuals employed by that organization as long as your communications are about the business activities of that organization or your shared enterprise. So those exemptions are perhaps the most significant in my view.

AM: How does that play out for membership? If we’re looking at members and membership groups, and they’re soliciting more activity — definitely pushing a commerce relationship — how does CASL effect that?

PH: You will normally have an exemption for your communications, or rather have consent for communications, with your members and your existing clients as long as there is a contract in force between the two of you. When you’re talking about transactional clients, or single purchase, single lease, single rental, you have implied consent to email that individual for a period of up to two years after the transaction. Where we’re talking about potential clients, so if you’re engaged in marketing or business development, your leads, you have a period of six months from the date of any inquiry they make, or a request for a quote or any communication they have with you in that respect, you have a period of six months to send commercial electronic messages.

AM: Social media networks…how do you see those being effected by CASL? We’ve got these independent networks that are outside of our digital communications to our inbox. They notify us, but there’s integration happening there. Do those play out the same way?

PH: The answer to that is a little grey. They are focused almost exclusively, in that the thrust of the legislation is on its application to email. The legislation is clearly applicable to text messages as well, and its broadly applicable to electronic messages generally. When we talk about social media, that’s one area that still remains a little grey. It’s not clear how the CRTC is going to interpret messaging through social media. Some of the commentary is suggesting that simply posting something on your wall on Facebook or tweeting something, is not going to be captured because you are broadcasting the message in that case to people who have subscribed to follow you to receive your messages. But when you send a targeted message, a direct message through Facebook, through Twitter, through LinkedIn, through any social media platform, the suggestion is that’s likely going to be captured, because you’re still sending a message and the message itself would be unsolicited so it would fall within the scope of the legislation.

AM: Internationally, we’ve seen laws like this come into play, so Canada’s late to the game. But, this is the harshest law that we’ve seen across the other countries. So is CASL the result of what we’ve learned from other countries and now we’re applying a tougher legislation? Do you have any insight on that?

PH: There’s no question they’re late to the game. It’s hard to say what drove the harshness of the legislation. I think there’s no question that it is the toughest legislation is the world. If you compare it to the US CAN-SPAM Act, which has been in force for a number years, this has harsher requirements and the potential penalties under this law are far more significant than in the US. As for what’s driving that, I would speculate that it’s an effort by the Canadian government to be a leader in this field. I’m not sure that the outcome has struck the right balance, I’m not sure that it’s, in the end, a positive development for Canadian businesses given the burden that it imposes and the risks that it carries. But I think it’s well intentioned. It is Canada trying to be a leader in this field, particularly after coming late to the party, as you say.

AM: Are there any positives in this? I’m not saying that it’s a negative situation — spam’s going to decrease, and I’m going to have to start really thinking about what I receive in my mailbox, which is great. But are there any other positives that you see coming out of it?

PH: I think there are certainly some positives. One personally for me, is that I now have a stock template response to spam that I receive. I say: “That’s very interesting. I have no interest in receiving your product, but are you aware that CASL comes into force on July 1. Perhaps we could assist you in complying and avoiding sending messages like this in  the future.” So I think that from the user’s perspective, from the recipient’s perspective, there are some positives. Commentators are divided on whether this legislation is a good thing, looking at it from the user’s perspective; or a bad thing, looking at it from a business perspective where it imposes more regulation, more risk, more red tape.

AM: We talked a lot about different approaches today, different things that people need to pay attention to. What do you think the key points are before we leave today?

PH: First, don’t underestimate the risk involved in the legislation. Second, get moving on compliance right away, and make it a top-down exercise, from the Board of Directors all the way down. And third, make sure you’re doing everything reasonably possible to comply, so that you can take advantage of the defense of due-diligence if a complaint is filed.

AM: So, this is all great information… Porter, how do you guys help? How does EH Law get involved with a corporation to help them get ready for this?

PH: There’s a few things we can do to help, and we have been doing with our clients. The first step, the most significant in my mind, is helping organizations understand what they have to do here. This legislation is not a masterpiece of draftsmanship. It’s clumsy and it’s difficult to navigate, so for a layperson it can be hard to look at the face of the law and understand what they have to do to make sure they are compliant. So, we’ve been assisting clients with training and presentations for senior management, the Board of Directors, or for marketing and sales people to help them understand. So that’s the opening thing we can do to assist our clients.

The next step is to assist them with their due diligence. Due diligence provides a defense to complaints under the Act, and due diligence requires managing your employees, ensuring your employees are trained and have the tools they need to maintain compliance. So we’ve assisted a number of our clients with the development of policies that can be applied throughout the organization, policies that require standard conduct from employees in sending commercial electronic messages, and give clear guidance to these employees that they are required to comply, and if they don’t comply, that there may be consequences for them, including disciplinary consequences. So, if is a complaint is ever filed against an organization and they have one of these policies in place, and they’ve trained their employees on the application of these policies, they can stand before the CRTC and say, “we’ve done our due diligence, we’ve done everything we can, and the fact that an employee chose to breach the legislation or didn’t adhere to our policy, that’s not something we can prevent. What we will do is take steps to address that situation and do what we can to reeducate our employees on our policies”, and I think the risk to the organization then from the CTRC will be lower as a result.

AM: Porter, thank you for the conversation today. I think we’re just at the infancy of understanding what this is really going to be. It’s great to see that you’re handling it from the policy side, from the business side, helping groups and individuals to see how this is going to apply for them. This is going to be a big change for all of us. I’m really interested to see what will happen as of July 1.

Do you have questions about CASL? Or maybe you have a suggestion for a topic for The Brief. Don’t hesitate to contact me, or call me at 613-231-2802 x351. I look forward to your comments.

Android versions

For several years iOS has set the bar pretty high when it came to users installing new OS versions.  Within days of a new iOS version being released by Apple, millions upon millions of people will have downloaded and installed it.  Partly this is because Apple has been very good at making new versions available to older devices and partly because users know how to update the software.

Android has lagged in support for new features because developers have been faced with supporting older versions. Until recently, in North America, to reach 85-90% of Android users would require supporting versions all the way back to 2011’s Ice Cream Sandwich.  Globally the numbers are still quite different but within North America the market share of the most recent versions are improving rapidly.

A new report from Chitika, which runs an advertising network, has seen the market share for KitKat, the latest version of Android, rise to 37% which means with Jelly Bean (released mid 2012) supporting those versions will cover about 84% of North American users.

Jelly Bean introduced new camera controls and features, widgets on the lock screen, and multiple profiles on tablet devices.  For developers, Jelly Bean is the oldest OS that will support NFC, and Bluetooth LE support was introduced with 4.2.2 part way through Jelly Bean’s lifecycle.  The Internet of Things (IoT) depends on wireless communication and a large percentage of users will now be ready.

It looks like the makers of Android devices are working harder to get the latest versions into the hands of their customers.  If this continues we should consistently be able to focus more on the current versions in developing both applications and web sites.

The full report:

I made a rookie mistake with Sitecore 7. I didn’t properly define an indexing strategy before launching a new multi-server Sitecore instance.

I have spent a lot of time working with Sitecore 7 but have found myself overwhelmed by the myriad of indexing strategies available for our shiny new Sitecore websites. Finally, I was forced to dig deeper and examine the indexing strategies in more detail when a client was unable to properly rebuild the search index on their Content Delivery server.

In the past I have relied heavily on the OnPublishEndAsynchronous strategy which uses the publish:end and publish:end:remote events to incrementally update the search indexes on the Content Management (CM) and Content Delivery (CD) servers after publishing. This Sitecore indexing strategy is configured out of the box and is recommended for multi-server/multi-instance environments (Keep in mind the EventQueue must remain enabled). This is a great indexing strategy to do the heavy lifting for you because content authors don’t need to be aware of the intricacies of a search index since any changes are picked up and indexed on publish.

Unfortunately, I ran into a situation where the OnPublishEndAsynchronous strategy just wasn’t able to properly rebuild the index on the CD server when publishing. I had the client attempt a full republish on more than one occasion but the index wasn’t picking up the new content. At this point I realized that it was a mistake to rely exclusively on the OnPublishEndAsynchronous strategy since it’s inevitable that an index will eventually get out of sync and need to be manually rebuilt. The index can get out of sync for a number of reasons but I wasn’t able to properly diagnose the issue since I did not have access to the client’s internal network.

I was looking for an easy way to manually rebuild the search index on a remote server. This would allow me to keep things simple for the client (without the need for them to install any 3rd party tools or resort to using code to rebuild the index). I informed the client that using the built-in Indexing Manager available in the Control Panel does not rebuild remote indexes as would be expected. Unfortunately, I unknowingly assumed that the same was true when triggering a rebuild from the developer tab in the Sitecore ribbon.

It turns out that rebuilding from the Developer tool bar does actually rebuild remote indexes! This was a nice find and I didn’t really expect it to work.

I was a little confused but the reason for this is that the Indexing Manager in the Control Panel does not initiate a full re-index like the indexing options in the Developer tool bar. It is the full re-index that triggers the RemoteRebuild strategy and raises an event that will re-index remote servers that are configured with this strategy.

With this knowledge Sitecore administrators can now rebuild the search index on the CD server as needed from the Sitecore client on the CM server. Hopefully this will not need to be done on a regular basis but it’s good to know it’s available in a pinch.

This was done using Sitecore 7.1 (rev. 140130).

The Canadian Anti-Spam Legislation (CASL) is one of the most aggressive legislations of its kind in the world. Officially announced over three years ago, CASL is finally coming into effect this July 1st, which means you have just a few weeks left to get ready.

What is it?

In 2004, the Government of Canada started working with stakeholders, who have an interest in responsible electronic messaging, to create a comprehensive law that will reduce the amount of unsolicited emails that land in our inboxes each morning.

After conducting rounds of research this group was able to prove that Canadians were (and still are) being bombarded each day by unwanted messages, most of them coming from commercial enterprises and are generally unsolicited.

What this means for marketers, or anyone who sends commercial electronic messages, is that you will no longer have unrestricted implied consent to anyone you want, with the interest of gaining their business. This legislation will apply to all messages sent from, and even accessed by, a computer in Canada.

And, CASL applies to any medium. If you’re an individual or small business owner who relies on email, social channels like Twitter or Facebook, and even text messages to mobile phones, to solicit new business, your messages will be up for review by the CRTC, and other government agencies. If found to be in violation, you could face a fine as high as $1M as an individual, or $10M as a small business.

This legislation isn’t being put in place to hurt or discourage Canadian businesses. Quite the opposite in fact. The goal of this new legislation is to protect Canadians and ensure that businesses can continue to compete in the global marketplace.

Why does it matter?

Because email is about to change for good. CASL is going to affect everything we do via email — from sales and marketing, to your entire digital footprint.

What can I do about it?

So, the question you should now all be asking is: how can I get ready?

It’s quite simple. When you’re contacting anyone, ask yourself these three questions:

  • Do I have consent, either implied or explicit, to be contacting this person? If you’re currently in business with this person, or have done business with them in the past two years, then you’re okay; you have implied consent. If you haven’t, then you must contact this person (by phone or in person) and get their consent.
  • Have I clearly identified who I am, or who I’m writing on behalf of?
  • Is there an unsubscribe mechanism, so there is a way for this person to stop receiving the messages?

If your message and its content covers these three bases, then you are good to go. Because for CASL, it’s all about the message, not the man.

This legislation might seem harsh now, but this is actually just the first (and least severe) of many phases that will be rolled out over the next three years. On January 15, 2015, sections of the act relating to the unsolicited installation of computer programs and software will come into effect. And, July 1st, 2017 we will see a private right of action come into effect that allows individuals to start taking legal action on their own behalf against anyone not following the rules.

So, as you can see, this is definitely not a topic you want to ignore, especially if you’re in the field of digital marketing, or are someone who relies heavily on email and social to establish contacts.

There’s a lot of information out there about CASL, but we’ve gathered the most important links for you, including the legislation itself, and added them below.

But, there’s lots more to talk about. Email me at, or give me a call  at 613-231-2802 x 351, if you want to talk more about this interesting and important topic.

We look forward to your comments and input on this topic, one we will definitely be revisiting over the next few months.

Survival Guide:

Important Links:

If you are running OpenSSL on your servers, please make sure to fix the HeartBleed Bug as soon as possible.

As many of you have heard by now, the web has recently been struck by an internet-wide security flaw known as the HeartBleed Bug. HeartBleed affects sites that use Secure Sockets Layer (SSL) encryption. We have put together a quick note about what it is, how to know if you’re at risk, and what to do about it if you are vulnerable.

What to do: First things first: Check to see if your sites, or the sites you use, are vulnerable. You can do this by using the following links: or

If your site is flagged as vulnerable, actions need to be taken. Contact your site host, or contact us here at bv02 to get this fixed.

Next: Change all your online passwords (yes, all of them!)

A big cause for concern is related to sites that have your sensitive information. Even if your site hasn’t been flagged as vulnerable, it’s not a bad idea to go-ahead and update all your passwords, especially if you’re someone who likes to use the same password for multiple sites.

SEE ALSO: The HeartBleed Hit List: The Passwords You Need to Change Right Now via Mashable

Now that we have that out of the way… Let’s talk about HeartBleed.

What is it, non-technically:

Is it some sort of virus? No, HeartBleed is the nickname for a pretty nasty bug in OpenSSL. I am sure that sounds familiar right? That’s because OpenSSL is an enormously popular way of keeping your information private on the internet and on web platforms. Millions of websites use OpenSSL to protect your username, password, credit card information, and other private data. Tests in the recent weeks have shown you can access this data completely anonymously with no sign you were ever there.

NOT good news…

Yes, that is more or less the technical assessment of the internet. The good news is that, so far, it doesn’t look like there have been any data breaches. The bad news is that Yahoo! is one of the most vulnerable major sites. Facebook and Google seem OK, but they haven’t committed anything to paper just yet; but the list is being compiled now and we are all watching closely.

Someone explained it like this: it is not a hole in the front door, its more like a key that you left under the mat in front of the door and no one knew it was there until we looked. Now it turns out every house on the street left their key in the exact same hiding place.

What is it, technically:

Lets start with the basics: As you use the web on your own sites, or for other secure transactions, you’ve likely seen a small lock icon next to the URL in your browser and “HTTPS” instead of “HTTP”. This means that the conversation between you and the website is encrypted and secure. The HeartBleed Bug takes advantage of a service of SSL that keeps this secure connection alive, which is called heartbeat. Simply put, heartbeat sends a message to the server reminding it to keep the connection alive. The server then responds confirming the connection and returns the original message.

Where the flaw lies in this exchange is that the length of the message sent is also provided by the sender and is not checked against the actual length of the message. For example, an attacker can send a very short 1 byte message and claim that it is 64 kilobytes. When the server responds the length of the returned message is the length specified by the user. If the length suggested is longer than the actual message (to use the example above, 64 kilobytes instead of 1 byte), the returned message will have a space that’s filled with a small chunk of data next to the 1 byte message in the server’s memory.

This data that is sent back to the attacker can be anything from a timestamp or metadata that is more or less useless, to something more serious, like session information, emails, passwords, or even the SSL encryption key itself, if the hacker is particularly lucky. HeartBleed affects servers using OpenSSL Version 1.0.1 a through f. Version g has this flaw fixed. Versions before 1.0.1 also lack this vulnerability so it’s a rather narrow band of OpenSSL versions that are unsecured.

If you’re not sure what version of OpenSSL you’re using, it’s not a bad idea to contact your provider to find out.

So, how can we stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributors, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances, and software they use.

What we have been doing about it:

We at bv02 are diligently going through the sites we’ve worked on and are tracking down who is vulnerable and alerting them of the dangers.

Our advice to you, the reader, is to change all of your passwords for websites that might save your personal information, like banking sites, email, Facebook, iTunes, and other important accounts, as these services could be susceptible to this flaw as well.

Here is a link to the known affected platforms you may use everyday:

What you should be doing about it: If you have specific concerns about how the HeartBleed Bug vulnerability will affect you, please feel free to call us. Our security staff will be happy to address your concerns and advise you on how you can best protect yourself.

CALL: Extension 378
Ottawa: 613.231.2802  | Montréal: 514.667.0802 | Toronto: 647.723.5456 | Regina: 306.992.4426 |  Vancouver: 778.383.7410  or email directly at:

Looking for more information on the HeartBleed Bug? We’ve complied a list of links below that might answer you questions. Or, if you prefer to talk to someone, feel free to give us a call.

Where to find more information?

This Q&A was published as a follow-up to the OpenSSL advisory, since this vulnerability became public on 7th of April 2014.

The OpenSSL project has made a statement at Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may issue their own advisories.

More on This Story

Test your site:
Passwords you should change:
A video explanation of HeartBleed:
Announcement and explanation of HeartBleed:

The Heartbleed Hit List: The Passwords You Need to Change Right Now

Related Internet links

Not that long ago we watched movies in disbelief as our favorite action star gathered data from his wrist watch, then had a video conference call from a monitor embedded in the dash of his car. A few years later, this no longer seems that far fetched, in fact, it’s reality and we are now calling this collection of connected devices as “the internet of things”. By 2015, Cisco’s Internet Business Solutions Group (IBSG) predicts that there will be 25 billion devices connected to the internet. The internet of things is moving past your phone and into things like your coffee maker, your car starter or home thermostat.

As the list of connected devices continue to grow, they will open up new marketplaces and present new opportunities. How does your business look when you start putting it on the internet of things? How does it fit into this new reality where content is being collected and transmitted all the time? And what can you do to your business to capitalize on the opportunities this will bring?

Take a look at Matt Turck’s article Making Sense Of The Internet Of Things to get a better understanding of this rapidly growing phenomenon . The Internet of Things: In action by Lauren Fisher highlights examples of connected devices in objects, the cloud and even the body.

This is no longer the future, it’s happening now.

Poster design by Melissa Cowell

A few brave bv02 souls will be donating some valuable face real estate to the Make a Wish Foundation of Eastern Ontario this November.  That’s right, our team will be taking part in another mustache-filled month as part of Mustaches for Kids.

What’s Mustaches for Kids?

Conceptually, Mustaches for Kids is like a marathon where you raise pledges except without the exertion, dehydration or cramping.

Why do we participate?

I’ve been involved in Mustaches for Kids for over 8 now, and as part of being involved I’ve had the chance to meet some of the families who’ve had wishes granted.  The impact that the hope and joy having a wish granted has on not only the child, but the whole family, can’t be overstated.  To be able to help grant those wishes is a huge honour, and my upper lip won’t be doing much else for the month – why not use it for a good cause?

Mustaches for Kids has raised over $150,000 for Make-a-Wish over the last 8 years.

How can you get involved?

On November 1st we shaved off our beloved beards in order to start with a clean slate for the month.  You can get in on the action by signing up at, and if you can’t shave today, don’t worry – registration doesn’t close, and we’re always excited to have more Growers participating. If you aren’t the mustache type, please donate to your favourite bv02 grower:

Matt Davidson

Brett Tackaberry

Justin MacNeil

Brandon Brule

Scott Mulligan

Stay tuned to bv02’s Twitter and Facebook pages for updates on the M4K fundraising efforts this year.  There will be some excellent mustaches taking shape, and we can promise a few Instagrams of them along the way.