Monday, 05 June 2006

A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.

So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.

Up until today I was frustrated to no end with these events.

Now it's personal. Now I'm angry.

And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...

This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.

There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.

The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.

All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.

What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.

But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.

BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems.  It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.

If a company doesn't have a security management framework in place, not only is it unaware of what's happening in its own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.

Did he say "negligent?" Yes, negligent. And I mean it.

It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.

So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?

Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.

Of the 2600+ organizations on the certificate register, there are only seven  (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.

This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other entities. I've left off most of the countries that have only one certified organization to save space.

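| Country | Certified | Country | Certified | Country | Certified |
|---------|-----------|---------|-----------|---------|-----------|
| Japan | 1602 | Brazil | 9 | Slovenia | 2 |
| UK | 244 | Sweden | 8 | South Africa | 2 |
| India | 186 | Spain | 7 | Armenia | 1 |
| Taiwan | 92 | Turkey | 7 | Bahrain | 1 |
| Germany | 57 | Iceland | 6 | Chile | 1 |
| Italy | 42 | Greece | 5 | Egypt | 1 |
| USA | 39 | Kuwait | 4 | Lebanon | 1 |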

And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.

If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well. 

The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.

So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.

What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?

Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPAA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards requires a company to have a security management system in place, and neither comes close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.

Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.

Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.

06/05/2006 23:06:00 (Pacific Daylight Time, UTC-07:00)
 Thursday, 02 March 2006

Okay, I just have to say something here. I can't help myself. Like CBS hasn't already done enough to ruin things for us in its own studios, now its reporters are taking it to the streets, too.

You know, Fight Club used to be cool, one of the best movies of the last several years for sure, then these guys have to go and freakin' ruin it.

Grrr...

Let me put it this way: This is to Fight Club as "What are YOU doing???" is to "WAZZZZUUUUUUP?!?!?!?"

Someone should go find these guys and kick some @*$ for real for breaking the first rule. Where's Tyler when you need him? Not to mention what this does for the image of software engineers in our world. That's it, might as well just give up now.

Alright, anyhow, back to our regularly scheduled programming...

03/02/2006 17:52:00 (Pacific Standard Time, UTC-08:00)
 Monday, 13 February 2006

I've been heard on occasion to suggest that it might be a good (or at least interesting) idea to turn off email in the workplace and to resort to more personal means of communication, like say in-person. Or on the phone. Anything that's not written.

Why? Because, it can be so hard to really understand what someone is saying, and especially difficult (if not impossible) to tell what they mean. When you're talking about business relationships, it's hard to believe one can make good, solid decisions based on conversations as limited as email.

Now there's some research that supports my hair-brained suggestions:

According to recent research published in the Journal of Personality and Social Psychology, I've only a 50-50 chance of ascertaining the tone of any e-mail message. The study also shows that people think they've correctly interpreted the tone of e-mails they receive 90 percent of the time.

"That's how flame wars get started," says psychologist Nicholas Epley of the University of Chicago, who conducted the research with Justin Kruger of New York University. "People in our study were convinced they've accurately understood the tone of an e-mail message when in fact their odds are no better than chance," says Epley.

One thing's for sure: Simply knowing what the results of this research tell us could make a difference in daily email communication practice.

Does your place of work ever discuss email communication, its pitfalls, and etiquette? Now that's a topic that's worth some face time.

(via wired.com)

02/13/2006 07:19:07 (Pacific Standard Time, UTC-08:00)
 Monday, 26 December 2005

Plagiarism sucks, and Om Malik's weblog was apparently being copied verbatim, images and all, and repurposed sans-attribution on another site that was serving up ads and (potentially) making money. I've had this happen to me a few times in the past year or so, and found the only way to fight it was to quote the DMCA in an email to the host. Lord knows asking Google to hold them accountable for their terms of service did not work in my case - Google just wrote back and said "we can't do anything." Plus the bad guys were repurposing content from a whole slew of other sites. Lazy jerks.

By the way - this is really not exactly a trivial deal for many blog authors and publishers. I know when it happens to me, I chase it down and take it seriously. No lawyers needed - I am pretty good at that stuff and have some legal and courtroom experience, so why not put it to use eh? The ads on my site pay for my web hosting and my Internet access each month, and then some, so I have a little more than just an ego interest in what I choose to write and post.

Anyhow, below is an email I used last year to resolve a plagiarism problem involving full content from this web site. It's blunt, direct, complete and it worked. Also, note that this letter followed multiple attempts to get the site owner to remove plagiarized content. I'm posting the email letter here simply for the benefit of anyone who might become a victim of blog plagiarism and wants access to some ideas that have worked for others in the past.

And by the way - make sure you have a copyright statement and maybe a Creative Commons license on your main page that states what people can and cannot do with your blog content (mine's at the bottom of every page - it says people can repurpose it with attribution and for non-commercial purposes). It can't hurt to do this, and it helps set reasonable expectations and ground-rules for well-behaved people, while it can also be ammo for the ill-behaved later on...

Note that the problem I tackled with the below email was resolved within 4 hours of the email being sent to the hosting provider (the site owner never responded), and it happened a year and a half ago, so please don't go harassing anyone - this is just posted here to help people who might end up in a similar situation.

Where you see the word "(-- edited --)" below, I have removed identifying information to protect the innocent as well as those who complied with the requests to remove the offending content.

[via tech.memeorandum.com]

-------- Original Message --------
Subject:  ACTION REQUIRED: Illegal use of copyrighted content by one of your customers for commercial purposes
Date:  Sun, 3 Apr 2005 17:18:51 -0700

NOTICE: IF YOU ARE THE OWNER, OPERATOR OR HOSTING PROVIDER OF THE “MICROSOFT-DOTNET-TECHNOLOGY.INFO” DOMAIN, THIS IS A CEASE AND DESIST LETTER REQUIRING YOU TO IMMEDIATELY CEASE REPUBLISHING CONTENT OR ALLOWING/ENABLING CONTENT TO BE REPUBLISHED, WHICH IS SOURCED FROM THE “GREGHUGHES.NET” DOMAIN.

The owner of the web site(s) located on your servers/network at the below IP address and domain name is stealing and republishing - via an automated web-server application that gathers an XML feed - content owned and copyrighted by Greg Hughes at http://www.greghughes.net:

216.7.187.20 (MICROSOFT-DOTNET-TECHNOLOGY.INFO)

The following ARIN information identifies (-- edited --) Holdings, LLC (which is a corporation in Colorado) and (-- edited --).com (which appears to be a possibly defunct operation) as owners of the IP address/block in question:

Location: United States [City: Loveland, Colorado]

NOTE: More information appears to be available at NET-216-7-186-0-1.

(-- edited --) Holdings, LLC D393LLC-DC-INVERNESS6 (NET-216-7-160-0-1)
                                  216.7.160.0 - 216.7.191.255
(-- edited --).com VONOC-216-7-186-0-23 (NET-216-7-186-0-1)
                                  216.7.186.0 - 216.7.187.255
 
# ARIN WHOIS database, last updated 2005-04-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

The person(s) running the web site at MICROSOFT-DOTNET-TECHNOLOGY.INFO have been contacted in the past via the “contact” form on the web site and told to stop repurposing this content, specifically because they have not obtained permission and because they are profiting from advertising revenue from said web site. This activity constitutes theft of intellectual property under copyright laws and the DMCA. The information being sourced is copyrighted as indicated on the web site, and is not in the public domain for re-use. The party(ies) associated with MICROSOFT-DOTNET-TECHNOLOGY.INFO have not responded to repeated contacts and requests to cease use of the copyrighted material.

We have sent a CEASE AND DESIST letter to the parties once again today (April 3, 2004) through their web site contact form at http://www.microsoft-dotnet-technology.info/contact.asp. At this time we request that you remove the offending web sites and pages from your servers, as they are clearly in violation of the common acceptable use provisions of the parties to this email:

http://www.(-- edited --).com/acceptable-use.asp#copyright

IN ADDITION, the same person(s) appear to be sourcing copyrighted material for commercial use from Yahoo!, Search Engine Watch, moreover.com, the Kansas City Public Library, National Geographic News, about.com, and Web Hosting News. Unless the situation is rectified immediately we will also be contacting those persons and companies to advise them of the misuse of the copyrighted property and data.

The WHOIS information on record for the domain in question is:

Domain ID:D8436219-LRMS
Domain Name:MICROSOFT-DOTNET-TECHNOLOGY.INFO
Created On:27-Nov-2004 15:34:17 UTC
Last Updated On:27-Nov-2004 15:34:20 UTC
Expiration Date:27-Nov-2005 15:34:17 UTC
Sponsoring Registrar:R136-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C7727838-LRMS
Registrant Name (-- edited --)
Registrant Organization:(-- edited --)
Registrant Street1:(-- edited --)
Registrant City:(-- edited --)
Registrant State/Province:Gujarat
Registrant Postal Code:(-- edited --)
Registrant Country:IN
Registrant Phone:(-- edited --)
Registrant (-- edited --)
Admin ID:C7727839-LRMS
Admin Name:(-- edited --)
Admin Organization:(-- edited --)
Admin Street1:(-- edited --)
Admin City:Ahmedabad
Admin State/Province:Gujarat
Admin Postal Code:(-- edited --)
Admin Country:IN
Admin Phone:(-- edited --)
Admin (-- edited --)
Billing ID:C7727840-LRMS
Billing Name:(-- edited --)
Billing Organization:(-- edited --)
Billing Street1:(-- edited --)
Billing City:Ahmedabad
Billing State/Province:Gujarat
Billing Postal Code:(-- edited --)
Billing Country:IN
Billing Phone:(-- edited --)
Billing (-- edited --)
Tech ID:C7727841-LRMS
Tech Name:(-- edited --)
Tech Organization:(-- edited --)
Tech Street1:(-- edited --)
Tech City:Ahmedabad
Tech State/Province:Gujarat
Tech Postal Code:(-- edited --)
Tech Country:IN
Tech Phone:(-- edited --)
Tech (-- edited --)
Name Server:VOB1.(-- edited --).COM
Name Server:VOB2.(-- edited --).COM

(Note: I edited the names and other identifying information from the WHOIS record at the request of the person listed in the contact sections of the record because they asked me to do so. While the information is accurate as it was originally posted, it serves no useful purpose to keep that person's phone and other information here and the original issue was resolved, so I agreed to make the change).

12/26/2005 21:21:05 (Pacific Standard Time, UTC-08:00)
 Saturday, 17 December 2005

Scott Adams says he recently quit caffeine. It wasn't exactly pleasant for him. Sounds like it still isn't.

I can relate. Except that I have not quit.

I drink coffee like it was, well, water. Like it's going out of style. It's easy to do - there's tons of free coffee everywhere I go. Which means work and home. And church sometimes. Free coffee everywhere.

Coffee is The Devil. So I am not sure why it's at church.

If I don't get my requisite dose of caffeine in the morning, I (seriously) can't see straight. Like as in my vision is blurry and my head hurts. That can't be good.

I stopped smoking a couple years or so ago. I've quit other things before, many years ago. But caffeine, well man oh man... Painful.

For the record, cigarettes were the hardest from a withdrawal perspective. Freakin' BRUTAL. It still is from time to time. I tell people I *stopped* smoking. I don't say I "quit." Nothing is guaranteed, nothing is forever. For today I am stopped, and it's better that way.

I guess I've learned that much fairly well. Heh.

But, back to coffee - It's the one vice I have left remaining in my life, really. I know I shouldn't drink as much as I do, but it just won't let me go. I've tried it - Ringing ears, blurry vision, massive headaches, general lethargy, an *inability* to sleep (seriously), and on top of that no more coffee, which I actually like (and I never actually liked smoking that much).

Argh. Decaf doesn't really appeal to me. All the decaf I've ever had tastes like crapola.

Any ideas?

12/17/2005 23:01:32 (Pacific Standard Time, UTC-08:00)
 Sunday, 11 December 2005

I'm supposed to be on my way to Portland by now, to meet up with the youth group for an evening thing, Christmas shopping and stuff.

Supposed to be. Just one minor problem.

My truck's sitting out there in the driveway, with my laptop, camera, phone, and everything else I might possibly need tucked inside. The engine is all warmed up, the heated seats are turned on.

And the doors are all locked.

And the extra key? Yeah, let's not even go there.

To solve this problem, after failing miserably at the Magic Wire Coat Hanger Method, I brought out the smallest Yellow Pages book in the United States and looked for a local locksmith.

I'm starting to see why there are times when it's easier to live in or near the city. My first call was to a guy who, it turns out, is over in the state of Washington. Another call or two went unanswered. My next call was to a guy three-quarters of the way to the city, and he said he'd be heading my way. That's about 30 minutes away.

Days like this make me happy I have that Hemi V8 under the hood, what with the truck sitting there in the driveway at fast idle for the past hour and all.

But hey, with the PC laptop locked up in the car, at least I can be glad to have this Mac sitting on my desk in the corner over here. And I can be glad I have time to apply the gazillion software patches and updates I apparently missed since I last used it who-knows-how-long-ago.

I just hope there's enough gas left by the time the guy gets it unlocked to get me to the closest gas station.

Okay, I'm done. How's your weekend?

12/11/2005 14:21:24 (Pacific Standard Time, UTC-08:00)
 Wednesday, 30 November 2005

Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.

First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of. 

  • If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
  • Do your homework if it's a company you have never heard of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
  • Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
  • Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable; you can't reverse or cancel payment on a check that's already posted, and fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
  • Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.

Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and always always always be careful and suspicious of the too-good-to-be-true deals.

11/30/2005 05:20:00 (Pacific Standard Time, UTC-08:00)
 Monday, 28 November 2005

Leave it to the Oregon Lottery to come up with the holiday marketing stunts to top all stupid holiday season marketing stunts. Thank God for the lottery people... And here we were starting to worry people might actually take Oregon seriously for a second...

So, here you have it: Scratch-and sniff lottery tickets in a beautiful fruitcake flavor. Yeah, seriously. Scratch the card, and it smells like f-r-u-i-t-c-a-k-e. Uhhh... Yuck.

People actually want to buy this crap? Wow.

To top it all off, be sure to check out the (actually somewhat amusing) MP3 files being used to promote the seasonal cash-collecting game.

It's all at http://spiritoffruitcake.com.

Sheez...

11/28/2005 19:30:54 (Pacific Standard Time, UTC-08:00)
 Sunday, 20 November 2005

A couple months ago I took early delivery of a ThinkPad X41 Tablet PC, and I like it a lot. There are a few things I'd improve (like maybe offer a faster proc and faster hard drive spin speed as an option, and possibly higher resolution video), but overall it's great.

But I ran into my first problem last week. The "push-through" latch - which sticks out of the machine's screen either on the screen surface side or the top surface side, depending on whether you've rotated into slate mode - broke and fell out. So now I have a Tablet without a latch. Luckily, the lid tends to close shut. The only real problem is it also tends to rotate if you push on it the wrong way.

Looking at the base side of the latching mechanism, it appears something in there broke. Not good. And the thing is, all I've done with it is open and close it normally... No torture, drops, hard landings, hard closings or anything.

Bummer. Seems like the convertible Tablet PC latch market needs a better design. Someone out there should design the perfect latch, patent their Really Good Idea and run with it.

11/20/2005 08:33:49 (Pacific Standard Time, UTC-08:00)
 Saturday, 19 November 2005

Want to instantly turn off a blogger? Ask them to link to you without a compelling reason. Seriously. Unless it's a truly compelling and timely topic, never ask for a link. If you do, prepare to be ignored.

Robert Scoble wrote a short-but-right-on-target post today that I can totally relate to. And keep in mind, my blog is like 1/100th of what his is from an attention perspective, so the impact of blatant link begging on me is nothing even close to what it is for him, I'm certain.

Like Robert, I've also been getting a lot of emails and even a few phone calls recently from PR people, bloggers, marketers and other people who don't quite "get it" asking me to write about specific things on my blog. Some have even gone so far as to offer something in return as payment. At first I just laughed and tried to figure out why anyone would actually take the time to ask me to write, then I looked at my pageviews and did some fuzzy math in my head. Okay, so lots of people read the content on this site, that's cool. Not nearly as many as the big guys, but a lot nonetheless. My AdSense income amazes me more than anyone. But my voice is mine, and it's not for sale.

I'm not saying I don't want to hear about cool stuff - send it on. What I am saying is if your request takes the form of "will you please link to this?" or "hey you should link to this" or "you should write about this for me," I'm really not interested. Of course, if you think something is really cool and it catches my eye, too (and you're not pulling a fast one or crying wolf), I'm going to be interested.

I've gone so far as to reply to one or two of the more truly blatant, entitlement-laden requests with words like "I don't take requests" or "Sorry, I don't do performance blogging." Most of them I just ignore and immediately file in the electronic circular file. It's not that I don't want to hear about good and cool stuff. I just don't want to be anyone's hired or begged PR publisher.

PR people often operate in the old-skool world (been there in a prior career), one where lazy print writers looking for something new to write about love to get calls from PR agencies with some pre-written copy that can be regurgitated or copied verbatim and published. Bloggers don't work that way. If you (hypothetically) send me a book to review, I will try to read it when my schedule allows and if it catches my interest. If I find it especially compelling I might write about it. If I don't like it, I'll most likely just let it go. If it's really, really bad, I might just write about that, too. But probably not - I prefer to emphasize the positive here. So, unlike the print world, there's some risk involved. One thing's for sure: There's no promise or guarantee I'll write anything. And if the request is to take a book or software or anything else in turn for a guaranteed review, don't ask. I'm not for hire. Some people have asked if they would have a chance to respond to anything negative before I write it. I tell them no, but that my blog has comments and if they have a blog (they should), they can always participate in the conversation. It's amazing how many people that puts a stop to. Heh.

I agree with Robert's suggestion. If you see something cool and want me to blog about it, send me a link and tell me what's got your interest and why. I don't care whether it's a link to your site and your comments or if it's pointing to the original info, or whatever.

Now, don't let me scare you away. I write about many things - stuff I care about. Some of it I discover by reading something someone else wrote or sent to me. If I happen to have the same level of interest as you when you show me something, I might take you up on the info. Conversely, if you specifically ask a blogger to link to you for selfish reasons, prepare to be ignored unless it's something very special and urgent.

I've written almost nothing all week until today, partly because I got tired of these calls and emails with blatant requests. It's not fun. It feels like work, and that's one thing this blog is not. Plus, I have been pretty busy recently with my job and life. We all need a break now and then.

Anyhow, Robert - you got that one right, man.

11/19/2005 17:00:06 (Pacific Standard Time, UTC-08:00)
 Saturday, 24 September 2005

Every now and then some random person or event comes along that deserves memorialization. Such is the case with Lt. Gen. Russel Honore and his words this past week when confronted with a gaggle of reporters. Honore and others (including the Mayor of New Orleans, who was having a hard time with the media crowd) were at a press conference (called by the mayor) in order to immediately get out the important word about the government's plan to evacuate people from the city of New Orleans in the face of yet another hurricane - this time, it was Rita.

But some of the reporters at the press conference were apparently still stuck on Katrina. The General was there to make sure they clearly understood their role in the situation. There's a time and a place for everything, to be sure - and that means there's a time for the media to ask questions, and there are other times when the message needs to be immediate, clear and loud in order to save lives and ensure people's safety. Unfortunately, there are many in the media who are all about conflict, not about helping people (regardless of what they say their motivations are). It makes the former journalist in me scream at the TV. I hate it.

So - Thank God for people like Lt. Gen. Russel Honore. Here are his words, an audio file and a partial video of the interaction between him and the media:

Audio Attachment: 0920honorestuckonstupid.mp3 (1685 KB)

Video Attachment: stuckonstupid2.wmv (2957 KB)

Gen. Honore: And Mr. Mayor, let's go back, because I can see right now, we're setting this up as he said, he said, we said. All right? We are not going to go, by order of the mayor and the governor, and open the convention center for people to come in. There are buses there. Is that clear to you? Buses parked. There are 4,000 troops there. People come, they get on a bus, they get on a truck, they move on. Is that clear? Is that clear to the public?

Reporter: Where do they move on --

Gen. Honore: That's not your business.

Reporter: But General, that didn't work the first time --

Gen. Honore: Wait a minute. It didn't work the first time. This ain't the first time. Okay? If...we don't control Rita, you understand? So there are a lot of pieces of it that's going to be worked out. You got good public servants working through it. Let's get a little trust here, because you're starting to act like this is your problem. You are carrying the message, okay? What we're going to do is have the buses staged. The initial place is at the convention center. We're not going to announce other places at this time, until we get a plan set, and we'll let people know where those locations are, through the government, and through public announcements. Right now, to handle the number of people that want to leave, we've got the capacity. You will come to the convention center. There are soldiers there from the 82nd Airborne, and from the Louisiana National Guard. People will be told to get on the bus, and we will take care of them. And where they go will be dependent on the capacity in this state. We've got our communications up. And we'll tell them where to go. And when they get there, they'll be able to get a chance, an opportunity to get registered, and so they can let their families know where they are. But don't start panic here. Okay? We've got a location. It is in the front of the convention center, and that's where we will use to migrate people from it, into the system.

Reporter: General Honore, we were told that Berman Stadium on the west bank would be another staging area --

Gen. Honore: Not to my knowledge. Again, the current place, I just told you one time, is the convention center. Once we complete the plan with the mayor, and is approved by the governor, then we'll start that in the next 12-24 hours. And we understand that there's a problem in getting communications out. That's where we need your help. But let's not confuse the questions with the answers. Buses at the convention center will move our citizens, for whom we have sworn that we will support and defend...and we'll move them on. Let's not get stuck on the last storm. You're asking last storm questions for people who are concerned about the future storm. Don't get stuck on stupid, reporters. We are moving forward. And don't confuse the people please. You are part of the public message. So help us get the message straight. And if you don't understand, maybe you'll confuse it to the people. That's why we like follow-up questions. But right now, it's the convention center, and move on.

Reporter: General, a little bit more about why that's happening this time, though, and did not have that last time --

Gen. Honore: You are stuck on stupid. I'm not going to answer that question. We are going to deal with Rita. This is public information that people are depending on the government to put out. This is the way we've got to do it. So please. I apologize to you, but let's talk about the future. Rita is happening. And right now, we need to get good, clean information out to the people that they can use. And we can have a conversation on the side about the past, in a couple of months.

Time to print some bumper stickers... "Don't get stuck on stupid." Heh. It's not a new phrase - more like old made new again. But it's great, and appropriate.

Update: The Stuck on Stupid Blog. Heh...

(via RadioBlogger and The Political Teen)

09/24/2005 17:12:53 (Pacific Daylight Time, UTC-07:00)
 Sunday, 31 July 2005

Recently I've had a number of interesting (albeit often protracted) conversations with people about processes in business, and how formal, written procedures and established processes can be good (I agree, to a point) and can also be very, very bad.

I'll explain in a minute, and while I'm at it I'll do some tangential opining and show why I think Sarbanes Oxley and other process-intensive initiatives and guidelines don't always accomplish what they set out to do. In fact, in the case of SARBOX, I'd argue it doesn't even come close to accomplishing what it was originally intended for. But that's another story...

First a reminder and a bit of clarity: This is a personal blog, so anything I write is my opinion and mine alone.

Saturday morning telephone support call: Failed process illustrated...

Saturday morning I woke up at a criminally early hour (for a weekend anyhow). Since sleep apparently wasn't in the game plan I decided to call Vonage to see if I could actually get someone on the phone, and if I could convince them to listen to me long enough to troubleshoot a hardware/firmware problem I've been having with my VOIP terminal adapter.

For the record, I like Vonage. A lot. I recommend them. I'll refer you if you email me and ask. But I'll be honest - I'm never too excited about calling them.

But on Saturday morning, that's what I did. After umpteen layers of voice menus and hitting random keys to get pretty much nowhere, calling back after being disconnected (don't hit 'zero' in Vonage's voice prompt system...), and then finally getting someone on the line (whom I could not understand and who it seems could not understand me during the entire painful process of validating my account, name, billing address, etc.), we finally got around to troubleshooting the problem:

Vonage Lady: "Yes, hello mister huge-hess..."

Me: (silently) <grrrrrrr!!!>

Vonage Lady: "...how can I help you with today?"

Me: "Okay, so I am having a problem with my Motorola VT1005 terminal adapter, about once a day it loses its connection with Vonage and I have to pull the power plug and plug it back in to get it to work, and several times a day the network data port stops communicating completely so my computers here at home cannot get to the Internet. I have to unplug the Motorola device and plug it back in in order to resolve that problem, too, and then it happens again later, a few times a day."

Vonage Lady: "Okay, so what I understand from you is..." (reads back a different version of what I just said, but leaves out all the key points, like the whole data connection problem, etc)

Me: "That's partly correct, but the worst part of the problem is that several times a day..." (I explain the loss of LAN port connectivity issue again)

Vonage Lady: (seemingly ignoring what I just told her) "Okay, I would like you to go to your router and unplug the wire from the PC port and so you will have the modem and the wire, and the Vonage router and then your computer, and I want you to plug a wire into your computer okay can you do that and tell me?"

Me: (wondering if I - a high-tech IT guy with lots of experience fixing crap much more complicated than this - really understand what she means) "Umm, okay, so... You want me to plug the ethernet cable that goes from the Motorola device on the LAN side into my computer directly then?"

Vonage Lady: (pause, pause, pause) "Uhhh, yes, I need you to put the wire from the PC port in your computer."

Me: (deciding the only logical thing to do is to go with my gut) "Okay, so I have done that, okay I am ready for the next step."

Vonage Lady: (seems to be shocked that the next step is already starting) "Ohh umm, okay, one moment please... Okay, I need you to open your Internet Explorer, and in the address bar at the top of the screen..."

Me: (I'm starting to quietly get a little frustrated now) "Okay my web browser is open, you want me to type in an address?"

Vonage Lady: "... I would like for you to type this address in the address bar."

Me: (I'm already on the adapter's admin web page, I think to myself, she's gonna send me there - slowwly) "Okay, ready."

Vonage Lady: "Okay, One-Nine-Two..." (pause, pause, pause)... "No, wait... H-T-T-P --"

Me: "192.168.102.1?"

Vonage Lady: "No, no no. AICH-TEE-TEE-PEEEE, COLON, SLASH-SLASH, ONE-NINE-TWO..."

Me: (waiting for more numbers) "... ... ... okay, i got that part, you can keep reading it to me."

Vonage Lady: "DOT-ONE-SIX-EIGHT-DOT-ONE-ZERO-TWOOO-DOT-ONE"

Me: (Thinking to self: Is there an echo in here?) "Okay, I'm there."

Vonage Lady: "Oh well, now we need to go to the admin.html page, so to do that please click in the-"

Me: "Okay, I'm there."

Vonage Lady: "Oh, okay... Do you see a button that says Restore Factory Defaults on the page there then?"

Me: "Yes. I have a fixed IP address though, so if we do this it will stop working 'til I reconfigure."

Vonage Lady: "That's okay, push that button and tell me when it's done."

Me: <click>

Vonage Lady: <she's now long-gone due to the fact that she just told me to kill my phone line>

Bad process and procedure? Most certainly. But what's the real problem in this story? Unfortunately it's one that we see happening more and more these days, over and over again with all the emphasis on building deep, complex, wide swaths of processes and supporting procedures.

I'm not here to argue against process. I'm here to argue for thinking.

When process hurts...

People have stopped thinking for themselves and doing critical analysis of the situation at hand. Instead, they read from a script. They follow a written procedure. They stay exactly between the lines, thinking the lines are the end-all-be-all of clarity in every situation. When I speak to people in my field about this, I describe it as being similar to walking around with blinders on.

We're suffering from a deficit of creative thinking and reasoning. But more on that in a few minutes.

What does this result in? Three things mainly:

First of all, people increasingly look at the world and the things going on around them as being bipolar in nature: black and white. In reality though, it's all about the infinite shades of gray. Oh, how simple the world might be if it was all pure black and white in nature, but in the real world it's just not so. Unfortunately, the desire to simplify things cognitively into black/white, us/them, good/bad is probably a greater part of the way people look at things today than it has ever been.

Second, people have lost their sense of ownership and don't think for themselves. Pride goes soon after that. More and more the accepted method of teaching people how to do things has become the "hand-me-the-procedure" method. But, absolute processes and procedures are fundamentally flawed. There's simply no way to compute every possible outcome or input to a situation, yet we expect that by creating processes and procedures that *must* be followed, we can solve critical problems. The fact is that while they may ensure compliance most of the time, they can also often ensure lack of compliance some of the time - especially when the procedure or process doesn't exactly fit, but the person applying it doesn't stop to think about that fact. Or, even worse, they're not given the level of permission needed to stop, think, and evaluate situations on their own.

Third, we walk around with a false sense of confidence and safety. By assuming we are creating controls and processes to keep the bad things from happening, we do the one thing that police officers and security professionals have known better than to do for all time: We lure ourselves into that place where we believe everything will be okay, everyone will follow the rules, everything will be out in the open, the checks and balances will all work because the auditor signed a piece of paper (not like the auditor had any real guidelines to audit against or anything...) and the bad guys won't be able to get away with anything anymore.

But it just won't work. Nope.

I'm sorry Senator, I have no recollection...

Example from the real world: The Sarbanes Oxley Act (SARBOX for short) was terrific for consultants, and lots of people are making lots of money off lots of companies that are shelling out big bucks for something that only minimally does what it needs to do (if that). The fact of the matter is that SARBOX resulted in huge expenditures and rampant development of crippling processes that offer little protection from bad, smart people who want to pull a fast one on investors. Even one of the sponsors of the act says it doesn't really accomplish what was originally intended. Hey, Senator, can we send you an invoice for the costs of this mandatory program that won't do what it's set out to do? Let me know. Thanks.

So, SARBOX is good for consulting companies, and expensive for business, and even though the rules and regs don't really fit small to mid-size businesses, they have to follow them anyhow. It doesn't really prevent another Enron from happening. In the end, it's costing the shareholders it was intended to protect a lot of money, and it's not really doing what it needs to do.

Hmm. That's like going to a store with no knowledge of tools, telling the sales person I need something to help drive a nail into a wall, being sold a bunch of hard hats and yellow vests and thick gloves, along with a pneumatic nailing system and a whole stack of safety equipment and mandatory classes to make sure I use it right, and a certification that's required to be issued by the government before I use it... And then six months later finding out there's this thing called a claw hammer...

Maybe we forgot what we set out to do. Maybe there's a short term memory problem involved. Or maybe too much vague, confused, poorly-defined process got in the way of building (wait for it...) effective process.

This is starting to sound like "the meeting to plan the meeting."

Anyway, back to Vonage...

I made another call to Vonage (after I set up a fixed IP, reconfigured the TA, etc., and this time without getting disconnected). Communication went a little easier with the support worker I got this time, and within a minute of the same scripted process, I heard him pause for a moment. He stopped what he was doing and said, "Mr Hughes," (thought: do people who put time and effort into pronouncing names correctly also think more for themselves?), "I am going to transfer you to another number because I think they will be able to help you with this. I could go through all of the things I have here, but I really don't think they will help you."

There ya go, now that's thinking for yourself.

Within five minutes, another Vonage rep (who was quite knowledgeable and professional by the way) had deduced - after listening to my technical explanation and asking a couple follow-up questions - that my terminal adapter is pretty much on its last legs, and offered to send me a replacement.

I spent two hours on the whole deal, between the first phone call, phone menu prompt maze from hell, getting disconnected by the voice menu system, the first rep, and getting disconnected by my hardware reset. It took 10 minutes to solve it, as soon as I spoke to a couple people who were willing and able to think about the situation outside the script.

Now, I've picked on Vonage here just because they happened to be the company I called on Saturday. I have tales of woe from a slew of other tech support experiences, too. A friend just IM'ed me to vent about his phone call this morning to Dish Network. I like Vonage, I like their services, and I like their prices. I think they're doing a good job, and they are adding (literally) 10,000 new users a day (got that from the last guy I spoke to on the phone). They have more than a million users now. So don't take this to be a Vonage bashing post - it's not. But I do think it illustrates an important point.

So - what do we do now?

Okay, great, so what are we supposed to do about the blinders of process? It's simple: Let your employees take them off. Encourage them to!

In fact, it might be worth training employees in two basic skills that most people don't get any decent training in: Listening and troubleshooting. Think about how much time we spend learning to read and write, to speak in front of others, to read from the script. How much training in our lives, from school to professional adulthood, is spent learning how to listen well? How much time do we spend learning the nuances of critical thought or effective problem solving and troubleshooting?

Not much. Not enough, for sure.

But we'll have to save that topic for later.

07/31/2005 04:37:07 (Pacific Daylight Time, UTC-07:00)
 Sunday, 10 July 2005

You know that amazing scientific mission to a comet that NASA just succeeded in pulling off? It was called Deep Impact, and the space agency not only got a small spacecraft (about the size of a kitchen table) to slam smack into a comet without a standard orbit, it even got a second spacecraft (about the size of a VW Beetle) to simultaneously do a coordinated wingman-style fly-by, with live video of the event transmitted from both spacecraft throughout the whole process [impact video|fly-by video]. And all of it was available live for everyone to see in real-time on the Internet.

Well, get this - It turns out NASA is being sued for the damage they have apparently caused with this mission. From Yahoo! News:

"Marina Bai has sued the U.S. space agency, claiming the Deep Impact probe that punched a crater into the comet Tempel 1 late Sunday 'ruins the natural balance of forces in the universe,' the newspaper Izvestia reported Tuesday...

"...Bai is seeking damages totaling $300 million — the approximate equivalent of the mission's cost — for her 'moral sufferings,' Izvestia said, citing her lawyer Alexander Molokhov. She earlier told the paper that the experiment would 'deform her horoscope.'"

Wow... You go lady. For my part, I hope it ruins more than just your horoscope...

[via Jake at UtterlyBoring.com]

07/10/2005 23:42:49 (Pacific Daylight Time, UTC-07:00)

Unless you've turned off every form of media for the past few days, you know there's a compact and powerful hurricane that's landed on the Gulf Coast of the US. It's a serious, dangerous time for many people, and the aftermath can be painfully difficult for those affected.

But to watch the news coverage, you'd think they'd planned it out ever so carefully, just to improve the ratings or something. Chris Pirillo provides some humorous "coverage of the coverage" in both text transcript and audio commentary formats. Or maybe it's more of a commentary on the commentators. You choose.

Back in the real world, on all the cable news stations various idiotic reporters are standing out in the 120+ mph winds, being whipped around, showing how in this terribly dangerous storm street lamp poles are bent, trees are blowing sideways and residents are out driving down the road. All the while explaining how dangerous it is to be outside.

Of course, journalists are friggin' bulletproof, right? A lot like people using a crosswalk. The magical forcefield will save you!

I can't tell you how many times I've rolled my eyes today as I heard the anchor on Fox News say, "We want to tell you that our reporters are out there, risking their lives, in order to show you this storm and its effects!" They're out there risking their lives to show me bent signs, rain and wind? Something's stupidly wrong here. Does insurance cover acts of sheer stupidity?

What they should be saying is, "our dumb-ass reporters are being horrific role models by going outside in this crap, but we are glad they take our assignments without thinking and that they are putting their lives on the line for our large corporate media conglomerate so you will stay with this station and help us build massive revenues."

Or maybe they're just interested in building a "really sweet" tape portfolio.

Thank God for the people who are making a difference - the meteorologists that stayed inside and provided more caution and warnings than ever before, as well as all the people that right now are getting ready to help those who need it.

But some of these reporters and anchors... Ugh...

07/10/2005 14:40:31 (Pacific Daylight Time, UTC-07:00)
 Sunday, 12 June 2005

You've seen it before, over and over and over again: PowerPoint presentations that contain practically every word pouring out of the presenter's mouth, slides that digitally drone on and on and on and...

PowerPoint, when used well, can be a useful, powerful (hmmm) and productive tool. But more often than not, it's a bane of our existence, putting us to sleep with completely forgettable blocks of useless text and gratuitous effects.

I have seen PowerPoint used as that proverbial, metaphorical screwdriver, where the proper tool would instead be a hammer. I've seen attempts at web-site designs done in PowerPoint (by the way - that still doesn't work people). I've seen it used over and over - by a wide variety of people trying desperately (and with good intentions, I am sure) to create something outside their area of expertise - using it to do things for which it simply was never intended.

But even when PowerPoint is used for what it was meant for - creating slides for presentations - it can be painful to see how people use it. It's a software tool and requires some level of technical understanding to be sure, but technical expertise in using the program is not the most important part of the job.

PowerPoint has become a crutch, and more often than not it's damaging the patient. It's the loaded gun in the hands of the untrained shooter. It's the '79 Cadillac being driven by the nine-year-old who learned by watching mommy.

Kathy Sierra gets this. She understands, and she wrote about it to try (I assume) to make a difference in how it's used in the world. If you use PowerPoint, regardless of your expertise or years of experience, you should read her post and take it to heart.

I've also been reading Cliff Atkinson's new book, "Beyond Bullet Points," and it's a great book for learning how to put together effective presentations "that inform, motivate and inspire." Recommended.

PowerPoint's a great program, to be sure. But it's only a good tool when put in the hands of someone who knows how and when to apply it. Kathy's post should be mandatory training. We license drivers... Maybe we should come up with a test and a license for PowerPoint users?

06/12/2005 13:51:24 (Pacific Daylight Time, UTC-07:00)
 Sunday, 05 June 2005

Ok, time for a random pet-peeve post. I don't do these often, but I figure maybe I can change the whole world if I post this, so here goes:

People, listen up. If you learn only one grammatical/spelling/language rule this year, please make it this one... It will improve your sales figures, professional development, ability to earn promotions and recognition at work, and your general status in the community. Seriously.

Loose is a four-letter word.

Now, allow me to explain...

  • Loose = loos = adj/adv, meaning not tight, fastened, restrained, rigid, bound, etc.
  • Lose = looz = verb, meaning to fail in, or to fail to retain possession (opposite of win or find)

I can't even begin to tell you the number of emails, blog entries, letters, and even printed and online professional news articles (who's copy-editing these days anyhow?) I've read where members of the Hooked-on-Phonics generation (dat's Huhked-ahn-Fonikz fer yoo membrz) use the incorrect word in a variety of sentences.

Examples of improper use of "loose" in a sentence:

  • "Joe is such a looser. I can't believe that guy."
  • "If you don't try hard enough, you'll loose the game."

Examples of correct use of "loose" in a sentence:

  • "He's got a screw loose in his head."
  • "Your seatbelt is looser than mine."

I could also easily list a variety of colorful uses of both words in the same sentence - but I won't. Use your imagination and post a comment if you feel so inclined.

How have you seen these words (or others) completely butchered? Any funny examples?

06/05/2005 15:59:44 (Pacific Daylight Time, UTC-07:00)
 Tuesday, 12 April 2005

It's no real surprise that VOOM, a satellite service that provides a boatload of HDTV programming to its customers, is about to shut down. Cablevision, the company that owns the subsidiary, is cutting its losses before it's too late.

But it's really too bad that a company that was making its name on hi-def television is going south. With HDTV being such a big thing, a service provider like VOOM, which already has a satellite in operation, seems like such a good thing.

It's unclear what will come of the channels and the satellite space currently used by VOOM when they shut down on April 30th. Hopefully something good will come of all this - HDTV is so late in coming.

Why did VOOM fail? Bad marketing? Before its time? Cable-company ownership mark of death? Bad company name?

Sorry to see it go...


04/12/2005 23:35:10 (Pacific Daylight Time, UTC-07:00)
 Tuesday, 05 April 2005

Forgive the topic (just skip this entry if you don't care to read semi-graphic bathroom prose), but Doc Searls writes today on his weblog about the bad habits guys have in the men's room - namely not using the urinal for "number one," and making a mess while standing and "using" a stall instead. So, I have to respond. I can't help it, it's like a disease this blogging thing.

Doc bluntly covers the not-lifting-the-seat problem, as well as the hygiene issues:

"But: why piss all over the place? Why not lift the seat? Don't these guys ever sit on the damn toilet? Do they like sitting on somebody else's pee? 

"These questions come to mind for two reasons: 1) because I just witnessed exactly that scene, in a mens' room here at a nice hotel here in San Francisco; and 2) nobody ever talks about the problem.

"So I'm thinking... a substantial percentage of men A) only piss in stalls; and B) don't lift toilet seats. If you're one of those guys, and you blog, can you please explain your position, so to speak, on this issue?"

Well, I can tell you that it still surprises me, even after all these many trips to restrooms over the years, how often I find a bathroom that's a disgusting mess because of people who have no sense of personal responsibility. And that includes places where only adults use the restroom.

But Doc's words make me think of more.

For example, take the following from Greg's Quiz on Common Sense Men's Room Hygiene, based on experiences of observation over the past couple of weeks:

A guy walks into the men's room, approaches the urinal, and relieves himself. Once he's done he "zips-up" and then...

a) walks straight out the door.
b) walks straight to the sink, washes hands, dries hand on paper towel, and walks out the door.
c) walks straight to the paper towel dispenser, uses paper towel, and walks out the door.

Which action is the most disgusting? Please explain your answer.

Use the comments to relieve yourself of your thoughts and record your answers to the quiz, should you be so inclined.

04/05/2005 22:58:07 (Pacific Daylight Time, UTC-07:00)
 Monday, 31 January 2005

How do you save a few bucks on McDonald's drive-through staff in Oregon?

Outsource them. To North Dakota. Click for more...

Ree-freakin'-diculous.

01/31/2005 17:34:30 (Pacific Standard Time, UTC-08:00)
 Thursday, 27 January 2005

"Louis is here with the weather..."

The painful, awful, terrible weather.

"Maybe Louis, you can tell us what we can expect for the rest of the week..."

If you're ever having one of those days where you feel like the clumsiest person on the face of the planet, just click the link above, and find comfort in the fact that someone, somewhere has almost certainly had a harder day than you.

(I recall my time in journalism school, which is almost certainly where this tape came from, and it could be brutal at times. Broadcast news performance is an art, and artists are few and far between).

01/27/2005 22:00:47 (Pacific Standard Time, UTC-08:00)
 Friday, 21 January 2005

Jeremy Zawodny points out the Blogger's Bill of Rights and gives his opinion on the matter. He doesn't like it. Neither do I. It's just another example of people making something out of nothing, and trying to avoid personal responsibility in the good name of free speech. Here's where I speak up and say why I think it's crap, too...

Now, I'm a fairly outspoken person. I've also had a tendency in the past to open my big mouth, say exactly what I think, and then go into another room to extract my foot from my esophagus. But when I stick my foot in my mouth, I am keenly aware that it's my foot, it's my mouth and it's my choice - regardless of whether or not I thought it through ahead of time. Whether or not I was correct isn't relevant. You can be correct every time, but that doesn't necessarily make you right.

People, this is all about responsibility and ownership. You want to say something? Fine, but ya gotta own it, like it or not.

Let's define a couple of terms for the purposes of the discussion:

  • Consequences: The results of something one chooses to do, or not to do. All choices have results, both good and bad. Some of those results impact the chooser, some impact others.
  • Speech: Pretty much any form of communication - collective, individual or otherwise - in a variety of forms. In this context, we'll keep it somewhat simple (since we are talking about individual weblogs) and say it's an individual's written or spoken words.

Okay so - Right up front I'll say this: There is no special, magical set of rights that bloggers can (or should) expect, not with regard to employers, husbands/wives, boyfriends/girlfriends, coworkers, friends, family members, governments, or anyone else. The idea that blogs are somehow special or different and should be treated differently is arrogant and probably an indicator of the root of the problem - people think they are entitled to say whatever they want, however they want, with no consequences. Sorry, Charlie. Ain't happening.

  • Your right to free speech does not apply to the specific medium in which you exercise it. Speech is protected in certain circumstances, in certain locations, regardless of the form that speech takes. You have no more right to expect protection on a blog than anywhere else. Your rights are reasonable to expect, but when your exercising of your rights infringes upon the rights of another, you're crossing a line.
  • If you shoot off your mouth on your weblog, it's not an ollie-ollie-oxen-free home-base super-top-secret say-anything-I-want kind of thing. You are responsible for what you say, at the time you say it.
  • Speech is behavior. In a previous career I was always amazed at the idiots who thought if they could just get their car into the driveway, they were safe, regardless of the level of alcohol in their blood while they were on the street that got them to their driveways. It's not where you land, it's who and what you affect along the way.
  • Your speech is your speech, and with it come consequences. If you choose to say or write something on a weblog, keep in mind, it's speech in a public place and you are making a choice, and with that choice comes certain consequences. Your choices may impact others (coworkers and employers), and as a result, the very second you post your words, you choose to accept all of the consequences of that speech, regardless of whether or not you have taken the time to think about said consequences.
  • Your employer can hire and fire based on the quality of your behavior and how it impacts business, your performance, personalities, coworkers, morale, anything. You should remember this before you post on your weblog for everyone to read. And comment on. And quote. And read again. And copy/paste/email to your coworkers and your boss and his/her boss. And to end up on the Wayback Machine.

It's not about who yells the loudest or who thinks/knows they're right. What it is about is being responsible for oneself and thinking ahead about the impact of exercising one's right to free speech.

One important aspect of thinking ahead is considering the consequences and weighing the risks. Preferably before speaking. But if you don't take the time to do that, it shouldn't be (and isn't) someone else's problem.

Anyhow, that's about all I have to say about that.

01/21/2005 21:19:42 (Pacific Standard Time, UTC-08:00)
 Wednesday, 22 December 2004

Not the same way one New Hampshire UPS truck driver does. I bet his last name is Murphy – It almost has to be.

CLICK HERE for the story...

12/22/2004 00:04:44 (Pacific Standard Time, UTC-08:00)
 Thursday, 09 December 2004

Seriously. My sensibility hurts.

At the invitation of a friend, I went to the movies tonight, and saw The Grudge.

Sheez. Now there’s something like two hours of my life I’ll never get back.

I’m not the kind of person to talk out loud in movies, but this one sucked so hard I couldn’t help myself. It was editorial comment after editorial comment. And you know what? I wasn’t the only one. And on top of that, NO ONE complained about the out-loud commentary that was going on. That should tell you something.

I’m not even going to explain why it sucked. That would simply do the film too much justice, and someone might spend enough time reading this to subconsciously convince themselves they should see it. DON’T!

And that’s all I have to say about that…

12/09/2004 23:57:11 (Pacific Standard Time, UTC-08:00)

Coudal.com has perhaps the most useful PDF file of the year available to download…

Do you ever get tired of those idiot people who suck up all the ambient quiet while talking on their cell phones about things that they – well – should probably just keep quiet?

Take action now:

“After reading a story in the NYT, Jim's wife Heidi decided that maybe there was a way to fight back against the obnoxious cell phone users that we all have to deal with in stores, restaurants, trains and pretty much everywhere else. Can design ride to the rescue? Jim and the incomparable Aaron Draplin think it can. So, as a public service, we introduce the reasonably polite SHHH, the Society for HandHeld Hushing.”

Download this PDF, get out your exacto knife or scissors, and start fighting back (NOTE: The PDF contains a few choice profanities, so if you’re easily offended, don’t click).

(via Engadget)

12/09/2004 14:49:13 (Pacific Standard Time, UTC-08:00)
 Saturday, 04 December 2004

Most any blog that’s been Googled, Slashdotted, or Engadgeted – or for that matter pretty much anything that drives traffic to a site – has seen the effects of referral spam. It SUCKS. Porn and marketing sites create a fake link to your blog entry, which results in a link to their web site (usually an unpleasant and unwelcome one) showing up in your referral list for that entry. Your readers click a link and get porn tossed right in their faces. Ugh.

With dasBlog, the only way I had to effectively battle this (I am a victim of referral spam for sure) was to turn off referral displays on my blog. I don’t want that, but this is a family-friendly site for the most part, so keeping the nasty out was important.

But last night Scott Hanselman, a friend and co-worker, sent me a new little C# 2005 Express project ZIP file, told me to compile it, and to try it out. He just built it for himself, and passed it on for me to use.

No more referral spam!

UPDATE: While I was able to kill the nasty referrer links, I have again removed referral listings from the blog for a while, because I have one particular weblog entry that has so many hundreds of referrers, it will crash the browser when you try to load it with referrers showing… But that’s a whole different issue…

Since then, Scott has posted the project source file on his blog, too, so any dasBlog users that need it can take advantage. He plans to make it a little more elegant in the future, but this is a great start!

Scott Hanselman, YOU’RE MY HEEEROOOO. :-)

12/04/2004 11:42:40 (Pacific Standard Time, UTC-08:00)
 Thursday, 11 November 2004

I'm feeling a bit put-off today. And a little sarcastic, I admit that freely. But there's a reason...

I just don't get why it is that sales people will make cold calls, leave a long, run-on message that they're obviously reading from a note card or computer screen, and then when they leave their phone number, speak so damn fast you can't catch the freakin' numbers.

Then, of course, comes the obligatory indignant follow-up call a couple weeks later, going something like, “I've been trying to reach you and left you a voice mail, but have not heard back from you, so please call me as soon as possible at one-eighthundred-fourtwofishevyumaevablahblahblah.”

Ugh.

Look, sales guys, here's the deal.

Leave me a short but meaningful message that includes the purpose of your call, and when you leave your phone number, please speak slowly and clearly. DO NOT go on and on espousing crap like synergy, top-100 blah blah, value-added yada yada and the same crap every other poor sales person drones on and on about. Just tell me why you're calling and what you really want to talk to me about.

Don't expect me to call you back. Believe it or not, I have plenty of other things to do, and believe it or not, those things are almost always more important than speaking to every vendor that cold-calls me.

If I am interested, I will call you back. If I am not, I won't. If you slurred or raced through your phone number, then obviously I won't. Don't take it personally. And don't expect me to listen to a two-minute voice mail full of buzzwords a second and third time just so I can try to decipher that slurred phone number you left at the very end.

And whatever you do, don't get me on the phone and act indignant because I have not returned your cold call. It's one of a hundred I got this week, and your indignant disposition will earn you a “don't call me again.”

Thank you in advance. I appreciate your time and value our relationship. Hope to speak to you soon.

11/11/2004 15:58:42 (Pacific Standard Time, UTC-08:00)
 Thursday, 04 November 2004

Finally some action and results in the spam war.

A jury in Leesburg, Virginia has convicted Jeremy Jaynes and his sister of scamming millions of dollars via SPAM email schemes.

The jury has recommended Jaynes spend 9 years in prison.

Hey Jeremy... You've got mail male. Congratulations.

You jerk.

11/04/2004 20:41:16 (Pacific Standard Time, UTC-08:00)
 Monday, 11 October 2004

I picked up a copy of a documentary film on DVD today from Best Buy called FahrenHYPE 9/11, which is a response film that was made to take a critical, factual look at the Michael Moore film, Fahrenheit 9/11.

If you watched the original Michael Moore movie and cared at all about it (whether you liked it or hated it, doesn't matter), you owe it to yourself and everyone else to watch this documentary. You'll see people from the Moore movie talking about how they were misrepresented in the original film. Much of what Moore presented in Fahrenheit 9/11 is examined, critically reviewed and corrected in this film.

Seriously - there are two sides to every story, and Moore's story was such an exaggeration and misrepresentation of many facts, the FahrenHYPE 9/11 DVD should be mandatory viewing. It is inexpensive - only about $11 at Best Buy, and you can order it from Overstock.com as well.

You don't necessarily have to be a Bush supporter to accept that Michael Moore flat out lied and twisted events to meet the requirements of his agenda. This is in no way an attempt on my part to change your mind with regard to a voting decision - that's all yours.

It's the best $11 I've spent in quite some time.

One more time: regardless of your opinion of the Moore film and its content, be sure to see FahrenHYPE 9/11 - Once you see it, I think you'll understand why I'm so adamant.

Anyone who wants to borrow my copy, let me know.

And now, back to your regularly scheduled programming...

10/11/2004 00:02:12 (Pacific Daylight Time, UTC-07:00)
 Saturday, 28 August 2004

Web forums used to be useful. Then h4xZ0r teenagers found them, and the world changed (for the worse). Over at adminmod.org for example, about two years ago things in the support forums went to hell in a hand-basket - about the time goldzip came along (or a little thereafter). Forum flaming became an art for a short time, but as it is with most art-forms, it was quickly commoditized and thus cheapened.

But I digress...

Someone apparently picked up on this little-known and less-understood behavior over at the Steam forums, and having realized that a FAQ or sticky post won't get read by the people that need to read it, did what all good communicators do: Took it to their own medium and style.

Introducing: Posting and You

Pretty much hits the proverbial nail right on the head.

08/28/2004 20:01:49 (Pacific Daylight Time, UTC-07:00)
 Sunday, 04 July 2004

I woke up this morning, bright and early, and was getting ready to head out the door. I decided to check my email real quick, and BAM! ... Tons of referral tracking notifications, all from the same porn URL - So, it looks like someone referral-spammed my blog last night. I just removed all the bad listings, and have been trying to think of a way to prevent this from happening again. I'm coming up short in the ideas department, with the exception of the obvious: turning off referral tracking. I really don't want to do that, though.

It's the first time in quite a number of months that the site has been online, so I'll leave them on and see what happens in the future. Anyone have any bright ideas about preventing referral-listing spamming? Hey - I guess I should just be glad it's not comment spam!

07/04/2004 08:10:23 (Pacific Daylight Time, UTC-07:00)
 Saturday, 12 June 2004

This has got to be one of the most amazingly perfect examples of what's truly wrong with our world today.

PostmodernPets.com sells really-freakin' expensive pet crap for tons of money. German designer Philipp Plein has designed all kinds of cool stuff, apparently including a dog bed that sells for - now get this - a mere $1650.00!

Straight from the "uh-yeah-right" department (and the company info page of their web site):

"After browsing through our selection of products, we think that design-addicts that do not currently have pets may change their mind, and will soon discover what wonderful joys that these loveable companions can bring to life. And even if you don't purchase any products from our site, we hope our website will deepen your appreciation of postmodern design and your appreciation of pets and the fun and humor that both can bring to your life."

Riiiiiight...

06/12/2004 23:57:15 (Pacific Daylight Time, UTC-07:00)
 Wednesday, 02 June 2004

The United States Patent and Trademark Office never ceases to amaze. Working as an intellectual property litigation attorney will be the biggest, fattest, most lucrative cash cow of a position of the next ten years, mark my words. Here's why:

According to a bunch of people on the Internet (here's one), it looks like Microsoft has patented the double-click. No joke. Wow.

Now, I'm a Microsoft fan, and I make no qualms about saying so - but this is going a little far, isn't it? I mean, this is amazing, really (and it has to be true, it's on the freakin' Internet!) Probably the most shocking thing about it is that the patent was granted within the past month or two.

Or is it really that big of a deal???

Articles have been posted on the Internet, predictably describing this as a completely out of control situation. But, when you read the patent, it's not exactly as some might have you believe. In reality:

  • The patent is primarily related to hand-held devices (I'd feel a little better if it was limited to handheld devices, though).
  • The patent application states that the invention “relates generally to computer systems, and more particularly to increasing the functionality of application buttons on a limited resource computing device.”
  • It describes the way an application or the OS on the device determines what kind of soft-key press has occurred, generally short, long, or multi-press events.
  • From the patent: “As those skilled in the art will appreciate from the following description, while the invention is ideally suited for incorporation in a palm-type computing device and is described in such a device, the invention can be incorporated in other limited resource devices and systems, for example mobile devices such as pagers and telephones.”

Okay, so while it may be a little surprising, it's hard to say this is truly a patent on the use of the double-click action in any computing application. But it is pretty broad-reaching, and as always open to interpretation and challenge. Which gets expensive, every time it has to be litigated or challenged (see “cash cow,” above). Especially for smaller companies without major corporate resources.

And Microsoft has made no secret of its position that there are things it's invented (or at least claims to have invented) and for which it's recently been issued patents. The FAT file system and ClearType technologies are two recent examples, and Microsoft (some would say rightfully) has also stated publicly that it intends to pursue completion of patents to protect and increase its earnings. And even though it's a big company with big profits, that's no reason to start yelling about how they already make too much money. Whether it's the first dollar earned or the trillionth, it's not about how much, it's about whose idea it was in the first place. If Microsoft can't own ideas that are truly theirs, neither can Apple, IBM, my employer, or anyone else - whether they be big, small, corporation, or individual.

But hey - you don't really need Microsoft to be amazed. All we seem to need is the U.S. Government Patent and Trademark Office. At least recently.

Well, there is one positive thing to take away from all this: If it makes you smile, it's at least a little bit good for you (even if you do shake your head at the same time). :-)

06/02/2004 22:32:48 (Pacific Daylight Time, UTC-07:00)
 Thursday, 13 May 2004

Well, ok, I don't actually hate them... Heck I live in a town called “Deer Island,” so I guess I can't really hate them... But the one last year that jumped in front of me, the one I drove around just barely, the one where I was on a motorcycle, and it was dark, and the ditch I drove into in order to avoid the deer, well, it had a big fallen tree branch in it, and I never knew you could total a motorcycle just from the cost of the broken plastic...

Yeah, well anyhow deer are ok with me unless they're in the middle of the freakin' road in the woods at night. Then they just suck.

But anyhow, none of this matters, especially since I got right back on that horse again this year (or more specifically I got back on all 203.5 of them).

My real point is, I laughed out loud while reading a pretty funny blog entry. And I thought I'd share the laughter. The link was gleaned from several other blogs I read. Enjoy.

05/13/2004 21:05:51 (Pacific Daylight Time, UTC-07:00)
 Tuesday, 27 April 2004

I know there are some people in the world that never get spam email, but unfortunately I am not one of you. Between my email being publicly available on the Internet for the past few years and the fact that I have to sign up for all sorts of random things with a real email address, it’s just added up, and I get inundated. It’s funny to talk to others about spam email. Either they understand because they, too, have fallen victim to the scourge of the Internet, or they look at you like your advanced-stage leprosy has caused your right ear to fall off and your left leg to rot.

So, in the interest of protecting the reputations of those of us who unwillingly receive tons of junk mail a day, let’s take a look at how and why spam reaches our inboxes. Hopefully some who read this will learn something new, others will realize the errors of their ways and stop calling their spam-laden friends perverts, and still others will pick up a few hints about how to avoid becoming a victim (in the cases where it can be avoided, that is).

Remember one thing walking into this: Spam is almost completely about money. If there wasn’t a potentially big payoff in sending spam, no one would do it. If people did not reply to spam email messages and offers, no one would do it. It’s a business, albeit one that most of us hate with a passion.

Before I get too far down this road, let me say that every day I receive in excess of 200 junk mails in just one of my email accounts. I have other email accounts that get none. So, since I am one person with multiple accounts, something tells me the issue here is not me personally, but instead about how the world of email and spam works, and how the spammers started using my email address in the first place.

The fact of the matter is, much of what many people believe about spam and how one starts getting it is patently false. Certain assumptions are correct, although often the facts are twisted around, and people often wear blinders, assuming there is one root cause or one simple solution. It’s not that easy, friends. So, here are a few (admittedly random) things I think everyone should know about spam:

Myth Number One: If You Get Spam, You Must Be One Of Those Porn Surfers

Just like in junior high school, where your friends laughed at you and pointed in the hallway when they found out you did THAT (never mind that it wasn’t true, of course), people tend to assume that if someone gets spam email, it’s because they went to an “adult” web site and registered with their credit card and email address. As a result, you were added to an email list, and so now you get tons of junk email about V1agra and S3X – but hey, if you get that kind of email, it’s entirely your fault and you got what you deserved.

Not true. As someone who has *never* registered for online porn or anything even resembling such, especially with my work email address (I mean, come on, how stupid can a person get?), I can tell you that you don’t need to be a perverted Internet sex addict to become a spam victim.

I can also tell you that people really do think along the lines of this particular myth. Not many, but at least some do: A couple of years ago, I was standing in front of the entire company, showing off the new secure, web-based email interface. I switched from the PowerPoint slide to the browser where I had my email account open, and sure enough, right there on the screen was a spam email with the words “XXXPORN SUPERSTORE” in bold red letters. Luckily it was just text in the email, and while surprising to many, there was nothing vulgar displayed. Needless to say, many laughed and I still get (lighthearted and friendly) comments about it to this day. A few people followed the pattern of the myth and assumed I *must* have signed up for porn using my work email account (uh, yeah, sure), while others stopped by to see me later and tell me privately that they, too, had a problem with nasty, offensive spam and that they had no idea why or where it came from. It wasn’t long before we started working on ways to combat the spam at work. More on that later.

Myth Number Two: It’s Completely Your Fault

Another assumption people make is that if you get spam, it’s because you signed up for *something* somewhere on the Internet and voluntarily made your email address available when you filled in a registration form. If you had not done that, they say, you would not get the spam email.

Similarly, some say that if you get spam, it’s because you must have posted your email address somewhere on the internet, like on a web page, and so you advertised it for spammers to eventually find (this is one form of a technique called email address “harvesting”). And so – again – it’s all your fault.

Ok, so it is true that if you register with your email address on a web site that does not respect privacy, or if you put your email address on a web site somewhere, you could end up becoming a spam victim. It’s reasonable to say that these are two ways email addresses might get on a spammer’s list. However, it’s important to understand that you don’t *have* to do these things in order to get on a junk email list. There are many other ways, and some take no action on your part. More on that below.

Myth Number Three: People Who Get Spam Are Irresponsible, Don’t Think Ahead, and Cannot Be Trusted

This sounds almost comical, I know, but I actually stood on the edge of a conversation where one person said to another (seriously), “I would never hire anyone who gets spam email. It’s just an indicator they don’t know what they’re doing and that they’re basically stupid.” Wow. If there was ever a false, way-over-the-top generalization made about junk email, this has to be the one. The guy who made the statement was serious as a heart attack, and went on to explain that because people can completely avoid spam if they would just be more careful and use common sense in the first place, spam was an example of how you can tell whether or not someone will be a good employee. He even includes the question, “Have you ever received spam email, and if so what do you think about it?” in his interviews. I’m just glad this guy doesn’t work at my company. If he wasn’t actually serious, I’d laugh, but the fact of the matter is there are people out there who make off-the-cuff, uninformed decisions about lots of things based on completely irrelevant data. Amazing.

Myth Number Four: Spam is Totally Preventable – You Just Didn’t Do Enough

People just don’t seem to get it. Spam is *not* totally preventable. While there are ways you can protect your email address from getting on spam lists, there is no sure-fire set of things you can do that will guarantee your account will stay junk-mail-free.

By way of example, I set up a catch-all account on a domain I own recently. Any email sent to any email address on the domain was all funneled into this one email account. I did not set up a web site, did not set up or submit any email addresses anywhere. I just set up the brand new domain with its single show-me-everything email box and waited.

Within a few days I started receiving spam at random addresses on the domain. Some of them you might expect: admin@domain.com and support@domain.com for example. But others were more creative and sneaky. Random first initials and last names, first names followed by last initials, common first and last names combined, etc.

So, there’s the proof – you don’t have to sign up for anything, post your email address anywhere, or take any action at all to start getting spam. Now, granted – if you are not prudent about how you handle your email address or if someone else mishandles it (intentionally or otherwise), you are more likely to fall victim. But sometimes you just have to do nothing.

Myth Number Five: Out-of-Office Auto-Replies Are Totally Cool and Make My Life Easier

Ah yes, the ol’ OOF autoreplier – You know, it’s that thing that shows up in your mailbox when you send a friend or colleague an email and they happen to be, say, on vacation, or maybe at the mall shopping instead of working.

What, you ask, is so bad about that? And what does it have to do with whether or not I receive spam email?

Glad you asked.

Let’s say someone sends a spam email that happens to be directed at your email account. Here’s what happens.

1. Email sent by sorry, good-for-nothing spammer
2. Arrives at your email box
3. Your server sends your out-of-office autoreply back to the reply address specified in the spam email
4. That reply address is monitored
5. Spammer checks the account your server replied to, sees your autoreply, and thus has confirmation your mailbox is legitimate, working, active and – therefore – valuable to him/her.
6. Spammer adds your address to the list of email addresses confirmed to be good – the gold list, so to speak
7. Spammer sells gold list of known-working email addresses to other spammers for a premium
8. You get more (and more and more and more) spam

Fun eh?

Moral of the story: Don’t use Out of Office autoreplies, or configure them so they only work for internal emails. And yes, I know there are legitimate business reasons for wanting to use them – it’s a trade-off decision that has to be made. You just need to understand the potential effects.
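To make the "internal emails only" option concrete, here is an added example (not from the original post, and not any mail product's own code) of the decision a mail server could make before sending an out-of-office reply. The domain `example.com`, the function names and the sample messages are assumptions constructed for illustration; the automatic-message checks follow RFC 3834.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"example.com"}


def sender_domain(address):
    """Lower-cased domain part of an address such as '<alice@example.com>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def should_autoreply(raw_message, envelope_sender, internal_domains=INTERNAL_DOMAINS):
    """Decide whether an out-of-office reply may be sent; returns (bool, reason).

    envelope_sender is the SMTP MAIL FROM value. Assumption: the mail server has
    already authenticated it (authenticated submission, or SPF/DKIM checks at the
    gateway), because a bare From: header is trivially forged.
    """
    msg = message_from_string(raw_message)

    # Bounces carry a null sender; answering them creates mail loops.
    if envelope_sender.strip() in ("", "<>"):
        return False, "null envelope sender"

    # RFC 3834: never answer a message that was itself generated automatically.
    auto_submitted = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto_submitted != "no":
        return False, "automatic message"

    # Mailing-list and bulk mail is not personal correspondence.
    if any(header in msg for header in ("List-Id", "List-Unsubscribe", "List-Post")):
        return False, "mailing-list traffic"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
        return False, "bulk precedence"

    # The trade-off from the post: confirm the mailbox only to our own people.
    if sender_domain(envelope_sender) not in internal_domains:
        return False, "external sender"
    return True, "internal sender"


# Constructed sample messages (not real traffic).
SPAM = "\n".join([
    "From: Special Offers <offers@bulk-sender.test>",
    "Reply-To: confirm-7731@bulk-sender.test",
    "To: reader@example.com",
    "Subject: Limited time offer",
    "",
    "Buy now.",
])
COLLEAGUE = "\n".join([
    "From: Alice <alice@example.com>",
    "To: reader@example.com",
    "Subject: Budget review",
    "",
    "Can we meet Thursday?",
])
OTHER_AUTOREPLY = "\n".join([
    "From: Bob <bob@example.com>",
    "To: reader@example.com",
    "Subject: Out of office",
    "Auto-Submitted: auto-replied; owner-email=bob@example.com",
    "",
    "I am away until Monday.",
])

if __name__ == "__main__":
    cases = [
        ("spam", SPAM, "confirm-7731@bulk-sender.test"),
        ("colleague", COLLEAGUE, "<alice@example.com>"),
        ("bounce", COLLEAGUE, "<>"),
        ("other autoreply", OTHER_AUTOREPLY, "bob@example.com"),
    ]
    for label, raw, sender in cases:
        print(label, should_autoreply(raw, sender))
```

With this policy the spam message in step 3 above gets no reply, so steps 4 through 8 never receive their confirmation.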

Myth Number Six: Antivirus Software Has Nothing to Do With Spam

Wrong again. AV software certainly can protect your computer and its data from damage, theft and a lot of other nasty things, but what you may not have known is that it can also protect you from becoming a spam victim. The only problem is, everyone has to use AV software (and use it correctly) for it to really work.

For the uninitiated: A “Worm” is a virus-like application that replicates via email. Generally speaking, once they get on your computer they scan your system in a few common places (address books, cached web pages from sites you have browsed, text files, documents, etc.) for email addresses. *Any* email addresses. They then use those email addresses to send emails (which generally include an attached copy of the same worm) to the email addresses found on your computer. So, you see how it works – the worm sends itself all over the place, to thousands of people, and each step of the way it collects email addresses so it can send itself again to more victims.

But wait a minute – that’s not always the extent of what they can do. In addition to installing other software that might, for example, allow a hacker to gain access to the files on your computer or to use it to launch attacks against other computers, some worms take those email addresses and (as long as they are being gathered) send the addresses off into cyberspace where spammers and others can get them.

So, in other words, if you don’t use anti-virus software on your computer and you get infected with one of these harvesting worms, you’re not only making yourself a victim – you’re dragging along all the innocent people listed in your address book and the other files where the worm does its harvesting, as well.

Using current AV software is part of being a good Net citizen. By doing so you protect more than just yourself.

Myth Number Seven: Well, That’s All Fine and Good, But There’s Nothing You Can Do About It Once It Starts

Again, not true. There are a number of companies out there that sell software that is quite effective at blocking spam from reaching you or your end users.

Why would you want to use it?

If you’re an individual, then you want to rid yourself of the mess. Maybe it offends you (depending on what kind of spam you get). At least you’d like to segregate email that is determined to be likely spam so you can filter through that separately from your legitimate email.

If you’re a person with responsibility for a company’s information systems, the reasons are bigger and more important. You have a responsibility as an employer (or the agent of an employer) to make sure the working environment is positive (or at least not offensive or hostile). Depending on the type of spam email your end users are receiving, you may have a responsibility to them to make sure you are doing what you can to combat the problem. Remember, ignorance is not bliss. And as easy as it is to put measures into place to help curb spam these days, not doing something when there is a problem is – truly – ignorant.

Where I work we use Mailfrontier’s anti-spam gateway. There are a number of other products from a variety of vendors that also do a good job. But for our part, we like what we’re using just fine; Mailfrontier is highly customer-oriented as a company, and continually combats the latest techniques spammers are using to get their junk through to you.

Myth Number Eight: If I click the link to remove myself from the spammer's list, I will stop getting spam from that sender

Please hear me on this one. I know people would like to believe that spammers are good, honest, ethical people just trying to make ends meet, and that they follow industry-accepted standards for conducting business. We all want everyone to be good and wholesome people, concerned primarily with doing the right thing, always telling the truth and helping old ladies across the road.

But in the real world - not true.

Spammers want to know if you receive their email, because if you do, they can sell your email address to others and make more and more money. The best spammer email address list is the one that contains the highest percentage of known-good email addresses.

So, when you click to “unsubscribe,” more often than not you are not actually unsubscribing. Yes, I realize you may be shocked at the dishonesty of it all, but there's a good chance the spammers are simply tricking you into clicking a link that simply lets them know you received their spam email. You never get taken off the list.

On a related note, people who are using Outlook 2003 (and when Windows XP SP2 comes out, Outlook Express will also include this behavior) have probably noticed that Outlook blocks images from being loaded from Internet servers unless you specifically allow them to be loaded. Why? Because the address used to contact the server and load the image can contain a code that uniquely identifies you, thus (again) validating your email address.
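The image check described above can be shown from the recipient's side. The following is an added example (not from the original post, and not Outlook's own logic): it lists the images an HTML message would fetch from the Internet and flags the ones whose address carries something that identifies the recipient. The sample message, host names and the token heuristic are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic (assumption): a long run of URL-safe characters is an opaque ID.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


class ImageCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def audit_remote_images(html_body, recipient):
    """Return one finding per image that would be fetched from a remote server."""
    collector = ImageCollector()
    collector.feed(html_body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src") or ""
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue  # cid: and data: images travel inside the message itself
        # Every place in the URL where an identifier could hide.
        values = [value for _, value in parse_qsl(parts.query)]
        values += [unquote(segment) for segment in parts.path.split("/") if segment]
        reasons = []
        if any(recipient.lower() in value.lower() for value in values):
            reasons.append("recipient address in URL")
        if any(TOKEN_RE.match(value) for value in values):
            reasons.append("opaque per-message token")
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            reasons.append("invisible 1x1 image")
        findings.append({"url": src, "host": parts.hostname, "reasons": reasons})
    return findings


# Constructed sample HTML body (not a real message).
SAMPLE_HTML = """
<html><body>
<p>Great offer inside!</p>
<img src="http://img.bulk-sender.test/banner.gif" width="468" height="60">
<img src="http://track.bulk-sender.test/open.gif?uid=9f8e7d6c5b4a39281706&amp;rcpt=reader%40example.com"
     width="1" height="1">
<img src="cid:logo@local">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_remote_images(SAMPLE_HTML, "reader@example.com"):
        print(finding["host"], finding["reasons"] or "no identifier found")
```

Even the banner with no identifier in its address still reveals that the message was opened from a given IP address, which is why blocking all remote images by default is the safer setting.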

UPDATED: My friend Travis emailed me with some valid comments about Myth Eight:

I think the validity of the unsubscribe link is directly proportional to the legitimacy of the spammer's business.  If you get porn spam, or "V1AGRA" ads, you're probably better off not clicking the link, sure, but ads from job posting sites and such generally do actually unsubscribe you if you click.

That's a good point. Travis continues with his own opinions about spam:

Spammers should be punished by death.  A brutal, painful, horrible death.  Something that's probably specifically in the "cruel and unusual punishment" class.

Spam sucks. There’s no one root cause. You can’t always prevent it. But there is something you can do about it.

Anyhow, when it comes to spam, that’s about all I have to say about that.

04/27/2004 13:05:08 (Pacific Daylight Time, UTC-07:00)
 Thursday, 01 April 2004

I must say, I was just a little surprised at how many people actually thought I was being serious earlier today... I mean - DOG SEAT BELTS??? Come on! ;-)

My story was borrowed from a pre-planned radio show on 1190-KEX here in Portland. The radio personalities notified some listeners a day ahead of time, to have them help to make it that much more believable. It worked.

The first person I heard from among many today was my friend, co-worker and neighbor, Mike. He seemed shocked that my dog, Buddy, was in jail.

My reply: “Can you *believe* that crap????”

He wasn't the only one. :-o

Once the radio show started this afternoon, not only did the phone calls start rolling in to the KEX studio, but the local and state police offices started getting a lot of phone calls, too. The Portland Police Bureau was warned ahead of time, and it sounds like they were ready, but the Oregon State Patrol wasn't aware or prepared for a bunch of phone calls from angry and confused people wanting to know what the heck was going on with this “new law.”

Classic.

Anyhow, Happy April Something-or-Another. :-)

04/01/2004 19:52:05 (Pacific Standard Time, UTC-08:00)

I used to be a cop. I don’t have a problem with laws that make sense. I do, however, have a serious problem with stupid laws that go too far.

On Wednesday evening, I became a victim of Oregon's new PET RESTRAINT LAW.

This law requires that you restrain your pet (dog, cat, ferret, whatever) in special seat belts while traveling in a moving vehicle. Yes, that’s right, Dog Seat Belts. The cost of these special animal restraints runs anywhere from 20 to 30 dollars, if you can find one. Holding an animal in your lap is NOT acceptable. Animals are apparently also required to be restrained in the back of an open pick-up bed in an attached animal carrier. This law actually went into effect January 1, 2004 but only warning tickets were given out until March 1, and since then they've been writing citations for real. And I got screwed.

So now I owe a fine of $150 for my first offense and my dog was confiscated to the local animal shelter, and I have to go there to get him back, but I can’t do that until I show proof that I have a pet restraint in the car. Plus, I’m told that if I get caught a second time, they’ll take my pet from me permanently and charge me with animal neglect.

The stupidest part is that it wasn’t even a cop that saw my dog walking around in the back seat – It was someone working on a construction crew on a highway near my house. Any Oregon State police officer, city cop, OR roadside worker can act as a witness in court according to the statute. If the road crew sees you and calls the police, they can either find you and pull you over (like me), or they can send you a citation in the mail.

This sucks. How the heck do these laws get passed???

Update: See Hook, Line, Sinker ...

04/01/2004 00:01:18 (Pacific Standard Time, UTC-08:00)
 Tuesday, 16 March 2004

An Open Letter to Commercial Software Companies
(or, Food for Thought for one yet to be named)

I don’t expect perfection from you. If your software has some issues that make it difficult to implement at a business level, I simply expect you to support the implementation and help me get it done. You best have a damn-good support department – a support staff and managers that respond to emails and phone calls. Not just responding when it’s convenient – I mean responding in a timely manner and following through on any commitments they make. If I have to spend six weeks trying again and again to get your people to help me, you should see the problem without me telling you there's an issue, and without me having to write this letter.

I’m on the edge of firing a software company, one with which I have an established relationship, and only after working very hard to try to be a “reference-able” customer. Sure, the software application has all the promise in the world, but enough glitches to require working through the bumps in the road in order to meet everyday production use requirements. I have been working under the assumption we could get past these hurdles, but what good is that if your people won’t even return email or phone call requests for assistance? I should not have to do any of the work it takes to be a customer that you can use as a reference – That’s your job.

And know this: All the good past experience in the world means nothing when you suddenly drop the ball over and over and repeatedly fail to pick it up, despite the fact that I am standing here pointing at the damn ball. I don’t care how much potential there is in the vendor-customer relationship. If you don’t do your job, you can expect I will not be your customer.

But perhaps most importantly: If you screw up the relationship and don’t make good on it, you’ll have to deal with all the consequences, including the fact that I’ll probably tell people far and wide what a bad experience I had with your company, and how it hurt my business and reputation. Many people from a wide variety of businesses look to me for advice on software and systems, and I tell the truth when asked. So, if it means some bad exposure for your company and product, remember the most important lesson of all – You’ve earned it.

03/16/2004 18:45:27 (Pacific Standard Time, UTC-08:00)
 Friday, 05 March 2004

Ten years ago, SPAM as we know it was born. Not sure it’s reason to celebrate, but this story is an interesting historic view. Spam ruined Usenet back in the day, and now it’s doing a lot of the same to email.

Happy birthday, you lame, no-good, dirty, rotten scoundrels. And thanks to my friend Mike for pointing this out to me.

03/05/2004 11:35:57 (Pacific Standard Time, UTC-08:00)
 Tuesday, 24 February 2004

Bike? CHECK!!  Video Camera? CHECK!!  Sheer Cliff? CHECK!!  Parachute??? Uhhh...

Oh my my my my my.. It hurts sooo bad just to watch. Can't say I didn't warn you.

Note to self: Make sure parachute's properly rigged before riding off cliff.

02/24/2004 19:45:31 (Pacific Standard Time, UTC-08:00)
 Sunday, 01 February 2004

AAAAAAGH!! Something about Kid Rock in a cut-up American flag, preceded by the lamest set of artists they could possibly think up, that just further affirms my prior belief that CBS sucks. Only in Houston. Really. Think about it...

And wow, what perfect timing: Janet Jackson. Gee, wonder why? Justin Timberlake certainly seemed to enjoy being on stage with her, though.

Oh, and here I am, watching the Superbowl with our entire youth group at church. And there's Justin and Janet, gettin' it on. And hey, quite the ending there - wow.

Great. Just great. The game means nothing, but suddenly halftime is the most important thing on the face of the planet. These kids are all over it. We've got twelve-year-old boys hollering for others to get out of the way just in case there's more Janet Jackson on the screen. No such luck, kids. Maybe next year.

02/01/2004 17:51:34 (Pacific Standard Time, UTC-08:00)
 Tuesday, 27 January 2004

Overheard: “TriMet's a great system if you live next to it.”

Uh, yeah. :-)

01/27/2004 17:58:39 (Pacific Standard Time, UTC-08:00)