Some things just bug me. Sometimes I write them down. :)

For example - What is it that makes the concept of putting stuff into the overhead bins on airplanes so freakin' complicated? People just don't seem to get it, despite the repeated intercom begging performed by the flight attendants to put rollaways in wheels first, wheels first, WHEELS FREAKIN' FIRST.

Even worse, there's a subset of people who, when asked to move their bag to the optimal position in order to accommodate others, can get downright indignant. What is it with these people? Move your bag, sit down and shuddup already. They didn't build that bin - or this whole airplane - just for you. Jeez.

I dunno why this bugs me so much. I guess it's because the underlying message from such people is that they don't really care how their behavior, stuff or actions affect others. We have enough of that kind of problem already in this day and age. We really don't need it when a couple hundred people are jammed into a metal tube with wings and a couple engines hanging off a few bolts hurtling said flying torpedo through the air at a few hundred miles an hour.

Okay, I feel a little better now. Heh.

Well, honestly, it's about time.

Bloggers are all over the story, and are espousing a variety of opinions, but I have wondered for years when Microsoft would finally crack down on software thieves and simply not allow their software to run unless it was legitimately licensed. I'm responsible for cutting a big check each year to Microsoft to pay for the software we use at the company I work at. It costs me more, in effect, because others are taking without paying.

So, Windows Vista will detect piracy and take action. In Microsoft's words:

"Collectively termed the Microsoft Software Protection Platform, the new technologies will introduce improvements in how Microsoft software activates, is validated online and behaves when tampering or hacking is detected."

Thinking about this from a security guy's perspective, one thing bothers me: Turning off the anti-malware capabilities on unlicensed copies? Are you kidding me? That means the rest of the world falls victim to everyone out there that's running pirated Windows? Please, please, please change this one - Microsoft might be a victim, but no need to invite the rest of the world into that club. And it looks like Richi Jennings agrees with me on that one. That's just poor prioritization. Hopefully someone will rethink the approach in that specific area...

Elsewhere, Ed Bott at ZDNet has written a very good piece describing the changes and his thoughts on the matter. He has some important point, ones that Microsoft should make sure they have thought completely through and have a plan for - especially where it comes to Volume License customers. Those are the people you don't want to aggravate, for sure.

Among Bott's comments:

Microsoft denies that this is a "kill switch" for Windows Vista, even giving it a separate question and answer in its mock interview announcing the program. Technically, they're right, I suppose. Switching a PC into a degraded functionality where all you can do is browse the Internet doesn't kill it; but it's arguably a near-death experience. The accompanying white paper describes the experience in more detail:

By choosing "Access your computer with reduced functionality," the default Web browser will be started and the user will be presented with an option to purchase a new product key. There is no start menu, no desktop icons, and the desktop background is changed to black. The Web browser will fully function and Internet connectivity will not be blocked. After one hour, the system will log the user out without warning. It will not shut down the machine, and the user can log back in. Note: This is different from the Windows XP RFM experience, which limits screen resolution, colors, sounds and other features. [emphasis added]

My head practically exploded when I read this sentence describing the new, improved punishment regimen: "Windows Vista will have a reduced functionality mode but one that is enhanced." Enhanced reduced functionality? Orwell would be proud.

Snarky as ever, Engadget reports:

Well, Microsoft has fired the first salvo in this war on pirates -- according to The Associated Press, the Redmond crew will be taking "much harsher steps to curtail piracy" than in years past. First, the company will "deny access" to some of the "most anticipated features," including Windows Aero, the new GUI. Then, Vista will start issuing ransom demands (we're not kidding about this part), demanding that a legitimate copy be bought within 30 days, or else. What would such consequences entail? How about limiting Web access to an hour at a time? Further, what about not being able to open documents from the desktop or "run other programs such as Outlook e-mail software" ? However, the article goes on to say: "Microsoft said it won't stop a computer running pirated Vista software from working completely, and it will continue to deliver critical security updates." So for those of you keeping score, Microsoft wants to make using your computer as miserable as possible, while keeping it as "safe" as possible, ok?

People out there will whine and complain and say it's not fair, that it's all a bunch of red tape and people will be inconvenienced (and they might be right about that one point), and a million other things that go along with the typical victim mentality (sorry guys, but possession of stolen goods is illegal, even if it's inconvenient, and possessing stolen stuff unknowingly doesn't make the goods any less stolen). And Microsoft needs to make sure that legitimate users are not impacted in a truly meaningful and workable way. But the fact of the matter is that Microsoft is right on this one. In fact, it seems to me that if I ran a company that created software for use by consumers and businesses, and if I wanted to make sure it was being legitimately used and paid for, I'd just keep it from working at all if it was obviously stolen.

But the politics of huge-mega-corporation-attacked-by-angry-mob is a multi-billion-dollar business, apparently.

Glad to see they're finally doing something about it, though.

Some Techmeme-tracked discussion on the topic:

• Matt Hickey / CrunchGear: Microsoft Readies Vista for Piracy Wars
• Jordan Running / Download Squad: Microsoft threatens to cripple pirated Vista PCs
• Cisco Cheng / Gearlog: Windows Vista: Reduced Functionality Mode
• Chron.Com / TechBlog: May I see your Windows license and registration, ma'am?
• Jack Schofield / Guardian Unlimited: Microsoft's Software Protection Platform — WGA will get tougher
• Computerworld Blogs blogs: Vista's SPP: bastard child of WPA and WGA? (and geek wallets)
• Ed Bott / Ed Bott's Microsoft Report: For Vista, WGA gets tougher

Saw this coming a mile away. It's always fascinating when people - or companies - show their true colors.

Apple Computer is sending cease and desist letters, apparently, so a number of companies and organizations that are using the term "pod" in their positioning or names, claiming it causes confusion in the marketplace. Podcast Ready is the latest victim among several.

Give me a break.

The deal is this: It's said Apple has recently applied for coverage from the USPTO to get protection via trademark for the word "pod" in addition to the already protected term "iPod." They've not been granted protection, and I would hope they won't get it. "Podcast" is probably next on their list, at this rate. I see several others have already applied for the term and several variants.

But , after all, it doesn't take a solid legal footing to be a bully, it just takes - well - a bully mentality.

And now, it appears the fight is being taken to the podcasting playground. Despite the fact that Apple didn't invent the term "podcasting," and despite the fact that they adopted - even embraced - the term (and created a whole section and special logo for iTunes, etc.), Apple apparently believes they can Monday-morning-QB this one into the courts - and they must think they can win. One would hope that's not the case, but in California, who knows.

Don't get me wrong - Apple's a company that makes cool stuff and I own a Mac in addition to my PCs. But hey - no one likes a bully, especially when there's really nothing to gain, and a lot of people who could be negatively affected as a result of this move. The idea that the terms "Podcast Ready" and "myPodder" could be confusing in a way that hurts Apple is a stretch. "Podcast" is practically a household term now, and the fact is that Apple didn't jump in until well after it became the defacto standard name and term (despite some heated debates early on around the terminology).

Apple really needs to go find someone or something else to pick on, lest all the other kids on the playground get tired of the black eyes and bruises. Or send some of the lawyers out for a vacation or something. Their judgement is getting clouded.

Now and then I get to rant.

I am (once again) on an airplane, on my way to some upper Midwest city for the day, heading right back home this evening. You get real perspective on airplanes, you know. Perspective on things like heights and time - and on people, too. People you know you'll never see again. And when one knows they'll never see the people around them ever again, I guess they let their words flow more than they might otherwise. That can be good or bad.

There are two middle-aged guys, poorly dressed in corporate standard attire, in the row in front of me. Like as in one of these guys is wearing one beige dress sock and one navy one. They've been yapping away ever since we got on this flight three hours ago. We should have landed well over an hour ago, but they have these things called, umm, I think they're called 'delays' in the secret vernacular of air travel. Anyhow, no one really understands it, so we just sit in the broken down coach seat and smile like it's comfortable as the flight attendants walk up and down the aisles with forced smiles on their faces. You know, the smile that says 'Isn't this fun, we're all stuck on this thing going nowhere again, and we're gonna be late too, yay!'

Anyhow, at least I got some sleep, which is nice (seriously). But that's not my point.

Now I am back awake, and these same two yahoos (no, I don't mean they work at Yahoo! as that would be a compliment, and as you are about to see I have no compliments for these particular guys) are still going on and on about someone they apparently work for and how SHE (emphasis added to match their conversational emphasis on the fact that their supervisor is apparently female) does this and SHE does that and how SHE expects things and how SHE can't possibly understand. It's really rather amazing to listen to. It makes one want to yell "Shut up!"

They're also apparently very concerned about some presentations that they have to give. But they don't seem concerned at all about the actual content, or the audience, or whether the presentation convinces anyone or informs, or anything useful like that. Instead they're harping on and on about how SHE likes JOHN's presentations better, and how the other day they were afraid that they might not look like good presenters in the room with so-and-so, and what they might be able to do to make such-and-such look bad the next time.

Wow. And all of this where I can hear it, with a computer open to a PowerPoint deck I can clearly read and a company logo I can clearly see. And now one of the guys is opening a girly magazine.

Yahoos, I tell ya. And someone's paying them money to "do work."

Some people are truly amazing. Amazingly pathetic, that is. I'm glad I get to work with quality, decent people in my job. If I had to work with guys like this, I don't know if I could keep my mouth shut. Actually, I know I couldn't. They'd be right out the door, no question.

Proof that cyber-crime is real, Consumer Reports is out with their State of the Net survey. It's pretty much as bad as we all know. From MSNBC:

"...American consumers lost more than $8 billion over the last two years to viruses, spyware and various schemes.

" Additionally, it shows consumers face a 1-in-3 chance of becoming a cybervictim -about the same as last year."

Thing is, prevention is much less costly than reactively paying for damage already done. You want to prevent the guy from getting into your place? Or do you prefer to let him in but then keep him from walking out the door with your money? Or are you like most people, who are resigned to watching him walk out the door with the prize, throwing your hands up in the air, and blaming someone (anyone, really) else?

How do we convince people, and what will it take?

UPDATE - AOL apologizes (not as if it makes a difference at this point, though):

"This was a screw-up, and we're angry and upset about it. It was an innocent enough attempt to reach out to the academic community with new research tools, but it was obviously not appropriately vetted, and if it had been, it would have been stopped in an instant," AOL, a unit of Time Warner, said in a statement. "Although there was no personally identifiable data linked to these accounts, we're absolutely not defending this. It was a mistake, and we apologize. We've launched an internal investigation into what happened, and we are taking steps to ensure that this type of thing never happens again."

AOL, over on their research wiki site, on Sunday posted an article describing their release of search data collected for more than a half million AOL users over a three month period. They claimed the data was made "anonymous," and that it was being released for research reasons. Problem is, it's not anonymous enough. Each unique user was replaced with a unique random identifier. That means you can see everything that user 336072 searched for. What if someone examined everything you searched for over three months? Even without knowing your name explicitly, do you think they might be able to find out some interesting things? Have you ever done a "vanity" search?

It's just not anonymous enough. I have a copy of the data that I downloaded before it was taken offline, and I've poked around in it a bit, so I know. Not only that, but spammers and search engine "optimizers" out there are going to have a field-freakin-day with this data. No, I won't share it with anyone else. It never should have been released in the first place, so I am not going to add fuel to the fire.

Michael Arrington at TechCrunch wrote about it in his blog entry entitled "AOL Proudly Releases Massive Amounts of Private Data," and updated his post a couple times as AOL mysteriously removed the data file from the web, as well as the page announcing the availability.

Arrington: "AOL must have missed the uproar over the DOJ's demand for "anonymized" search data last year that caused all sorts of pain for Microsoft and Google. That's the only way to explain their release of data that includes 20 million web queries from 650,000 AOL users."

When you consider that AOL search is - get this one - actually Google's search with a different face on it, you can imagine what the emails and phone calls that went flying around between the two companies on Sunday afternoon might have sounded like. Ouch.

Yeah, and so much for the privacy of AOL's users. If you're an AOL user, is that what you signed up for, to be a guinea pig in AOL's poorly-planned foray into academia? I think not. This is identity theft just waiting to happen, that's what this is. Again from Arrington:

"The data includes personal names, addresses, social security numbers and everything else someone might type into a search box. The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with "buy ecstasy" and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless. "

Google says "do no evil" and keeps this kind of data under wraps when challenged in federal court. AOL? Not so much.

Any would-be AOL boycotters better be prepared, though. Last we checked, you can't even cancel your account at AOL without being put through the ringer. Several years ago when I canceled mine it was a several-months-long experience before I was able to decipher enough to get the billing truly stopped. Coming and going, that's how they get ya in Dulles... There's a reason PC Magazine ranked AOL "Number One" in a list of things you'd really rather not be on...

Technorati : AOL, privacy, private data, release

Tell me what you think, share what you know... In large part, I help catch bad guys for a living. So I have my own perspective and base of experience, but please share yours.

You may already be familiar with the term "phishing" and possibly you have a good idea of what it means. If you're not familiar with the term, you should be. Essentially, bad guys set up fake "phishing" web sites, typically by copying an online banking or other e-commerce site. The bad guys then send out emails or use other means to try to get you to visit the fraudulent web site they've set up, in hopes you'll think it's legitimate and "update" your banking or other private information there. In reality you're not communicating with the actual bank or e-commerce company at all, and you're not really updating anything - Rather, you are providing confidential identity and financial information to cyber-criminals. The bad guys then use that information to steal money, defraud you and others, and to create a new identity or leverage yours for their own gain. They're good at what they do, and the fact of the matter is, it works well enough for those who are the best in their "industry" (and it is its own micro-industry, as we'll discuss) to be motivated to make a career of it.

The general technique of convincing you via trickery to give up your private and sensitive information is called "social engineering." Bad guys act in ways that cause you think you're communicating with a legitimate business, but in reality you're being defrauded of information and - in turn - your financial and identity assets. More recently even myspace.com and similar sites have been faked, so we know these criminals are creative and go after us where we live. Whether it's a phone call from someone who sounds like a legitimate business person or a web site that looks like it's the real thing, it's all social engineering - tricking you into believing you're communicating information to a legitimate person or business when you're not.

You've likely seen emails show up in your in-box that pretend to be from ABC Bank or XYZ Credit Union. Beware any email that request information from you. The emails typically say something has happened to your account or that they;re verifying information, and you need to update your information by clicking a link to go to the bank's web site. But those emails are fakes, and so are the sites that load when you click the link. They're sent (well, spammed really) to anywhere from a few thousand to millions of people at once. Even when only a very small percentage of victims actually take the bait (hence the term phishing, eh?) , the bad guys win and come out ahead - big time.

Unfortunately, people do take the bait. I see it every single day in my work. Just the other day I dealt with a situation in which someone who provided their information to a phishing site fraudster was ripped off for $19,000. We're talking about serious stuff here... Now, when you lose money it's sometimes recoverable (but not always - you can sometimes be held responsible for giving away security secrets, after all). But if someone steals your private identifying information - things like driver's license numbers, dates of birth, social security numbers and the like - it's bad news. You're in trouble. Recovering from a stolen identity can be nearly - and oftentimes completely - impossible. You can get a couple thousand dollars back if you get tricked into giving up a password, but you can't take back your social security number once someone knows it.

You get the picture.

So, phishing is when someone sends an email and tries to get you to provide your secret information on a web site that looks like a legitimate one, but which is really just a fake copy that some bad guy controls. A lot like walking into what you think is your favorite coffee chain and walking out with a Strychnine latte, really. And on top of that, you paid the bad guy who you thought was your friendly barista $5 for it - and left a tip.

We've covered some of the basics of phishing fraud - just the first thin layer of the problem, actually. Over the course of some future posts, we'll dig a bit deeper into the details of what makes up a phishing campaign and what can be done about it. We'll also discuss pharming, spear-phishing and other cute terms that start with "ph" but which are really just about the farthest thing from cute you can imagine.

There are solid reasons for this madness that plagues the financial service and e-commerce industries. But truly understanding the problem means more than just knowing what phishing emails look like and avoiding fake sites. The fact that the sites are even there in the first place, that the email actually reaches your in-box, that you can't tell a fake site from the real one - all of these things are problems in and of themselves. To truly prevent the problem - and let's face it, prevention is the golden key here - we need to know and understand much, much more.

For instance, do you know why certain banks, credit unions and online retailers are targeted over others? Here's a hint: It's not always about how many customers they have to target or how big a name the bank is, although that can be a factor. Many of the biggest targets are credit unions with just a few thousand customers. And do you know what the phishers actually do with the information they fraudulently trick you into providing?

Do you have any idea who the bad guys are?

That's a taste of what we'll be discussing here over the next few weeks. I'll publish some of my thoughts on these topics and more. Not the secret stuff that lets us catch them, but the information consumers and institutions can use to help combat the problem. It's an opportunity to learn and share information. If you have ideas, thoughts or comments about the phishing problem, or online fraud in general, please leave a comment on this entry, or write about it on your own blog, or alternatively you can email me (but please use the comments if it's safe and reasonable to do so in order to provide the benefit to others - I tend to get a lot of emails that would be much better from a community standpoint if they were posted instead as comments). I'll leverage my own thoughts as well as the thoughts of others like you to help build parts of the future discussion. With hat tips all along the way, of course.

Honestly, I can't tell you how tired of the typical, average, mundane, same-old PowerPoint presentation I have become. 99 percent of the time, as soon as any given PowerPoint presentation starts, I can feel the bile and boredom start to slosh and boil in my gut - in part because I sit through so darn many presentations, but even more so because most presentations - well - they just suck.

There's nothing quite like a slide deck with all the bulleted words the presenter that will be coming right out of the speakers mouth, if your intent is to say to your audience, "Hey, you're an idiot, so let me read this to you." Who's the idiot, really? There's nothing more redundant than reading and listening to the same thing. Or even worse, a zillion words on the screen and the speaker is talking about something else entirely. You lost me at "Hello."

So more and more I feel like I'm wasting my time. "Read to me, speak at me, bore me with bullets ad nauseum." Please, don't.

Don't get me wrong - I know people don't do this on purpose, they're trying hard and - well - it's the way everyone else does it, right? I also know I'm being a bit harsh (in order to make a point, really). It's just that for most every presentation anymore it doesn't matter all that much what it's actually about, because it's so much like everyone else's. PowerPoint is PowerPoint is PowerPoint, and it's tiring.

If you sell a product, or an idea, or some thing, you don't want it to be just like everyone else's do you? Apply that rule to your presentation style - How do you differentiate yourself from the crowd?

We actually love the crowd, of course, because it's easy to stand out when everyone else is doing the same thing. But it's worth risking having to work harder at it if a few people will revisit their presentations and get out of the common PowerPoint traps.

Anyhow, I got to a point where I was also hating giving presentations with PowerPoint (which I do quite often), not because of the PowerPoint application itself, but because of the fact that all my presentations seemed to be basically the same, and all the templates out there seem to encourage it: Long bulleted lists, points to read aloud, graphs and charts and nasty nasty nasty clip-art. Seriously, using clip-art should be a felony. No, really. Seriously. Like as in prison.

So, a couple weeks ago I took a chance on a presentation I gave at a conference, and went all Lessig-ish with it. A couple words on each screen to punctuate the salient points, a plain white background with big, readable black letters centered on the screen, and the rest was all talk. No handouts (and believe me that was a real surprise for the attendees - but it's not like they walked out or rioted or anything). It took some concentrated effort to create the new presentation. Not rocket-science level effort, mind you - but extra work it was. Time well spent.

And - get this - it worked. The audience was engaged and the conversation (which is what it's all about - exchanging thoughts and ideas, as opposed to making a speech, right?) was interesting, for everyone including me. You could tell the format and style was something new for the audience, for sure, but the looks on people's faces were certainly fun to watch. And the thing is, they actually had looks on their faces. Gone was the blank gaze. Everyone in the room was looking at me as I spoke, and that means making a connection. They'd glance at the screen momentarily and then look back to me for the information, not the other way around. We actually looked in each others' eyes. Now, it's not that I have some kind of problem where I desperately need that kind of attention - it's just that it's clear as day that direct, personal communication is much noticeably more effective and meaningful.

The questions from the crowd at the session were good - They were thoughtful, and the audience was obviously tuned in. Not that my audiences aren't tuned in in general - quite the opposite. But in this presentation you could sense the difference - One could feel the connection and involvement noticeably more.

After the conference, we sent my spartan slides, along with the relatively detailed speaker notes printed on the page below each slide, in PDF form to anyone who attended and wanted it. Gotta provide those handouts at some point, you know... Unless it's caught on video or something.

One of the best and most effective presenters I know personally, Scott Hanselman (it's my week to link to Scott, heh), called it "Existential Presentation." I assume by that he means free, individual, unique, possibly even rebellious. I can see that. 

Personally, being the practical and somewhat-less-eloquent guy I am, I see it as a kind of resurrection of some form of miraculous goodness from the hell of a bloated and obese PowerPoint existence. Ah, existence. I get it, Scott!

Anyhow -- What do you think?

P.S.  Great resources for presenters and presentation authors (hey - you do write your own presentations, right???):

• Presentation Zen Blog (which has been subscribed in my aggregator for quite some time)
• Garr Reynolds presentation tips
• Scott Hanselman's Tips for a Successful Microsoft Presentation (great stuff)

From the comments, Jim Holmes points out a couple more great ones:

• Dick Hardt - http://www.identity20.com/media/OSCON2005 (which is a great presentation on top of his great style)
• Cliff Atkinson's "Beyond Bullet Points" is a good book, and his companion site - http://beyondbulletpoints.com - has had lots of good info in the past

and Shane Perran also has some excellent suggestions:

• Steve Jobs - Simply brilliant when it comes to presentation. That goes for most of the Apple design/marketing team
• www.guykawasaki.com - Guy Kawasaki - A one time Apple guy turned VC and absolute master of presentation
• sethgodin.typepad.com - Seth Godin - Author of the ever popular Purple Cow and another master presenter and storyteller
• www.alertbox.com - Jakob Neilson - While wildly hard-nosed about design, he knows content usability like no other - mostly web oriented, there is a lot of carry over

Those are all good ones, and most all those blogs I subscribe to (and the rest I just did, heh). Presentation is about content, style, design, personality, conversation... All important components.

Just when you thought you'd seen it all, well - you'll just have to check this one out for yourself (from KGW.com).

Straight from the Portland Bureau of Ridiculousness...

A Northeast Portland man is suing basketball superstar Michael Jordan and Nike founder Phil Knight for a combined $832 million. Allen Heckard filed the suit himself, June 29th in Washington County Court. Heckard says he’s been mistaken as Michael Jordan nearly every day over the past 15 years and he’s tired of it.

 
kgw.com

“I'm constantly being accused of looking like Michael and it makes it very uncomfortable for me,” said Heckard.

Heckard is suing Jordan for defamation and permanent injury and emotional pain and suffering. He’s suing Knight for defamation and permanent injury for promoting Jordan and making him one of the most recognized men in the world.

Uhhh... Yeah, right. You can read the whole story here. And roll your eyes like me. Rolling eyes is so much fun. What an idiot.

My favorite quote from the story:

Some might wonder how he decided to sue Knight and Jordan for $416-million each. "Well, you figure with my age and you multiply that times seven and ah, then I turn around and ah I figure that's what it all boils down to."

Wow. Scary thing is he might get a few bucks tossed at him to go away. Or if we're lucky he'll lose hard and get stuck with the defendants' attorney's fees. You think he considered that possibility?

What an idiot. Sorry, but there are times when you just have to come out and say it.

The headline reads: "Credit card security rules to get update."

I see that and I think to myself, "Hey, cool."

Then I read the story.

What it should have said: "Credit card security rules that make perfect sense and protect your identity are about to be flushed right down the toilet because companies say it's too hard."

Now, that's not so cool.

Why is that? Industry requirements that were put in place not too long ago that required companies to encrypt sensitive information are going to be removed. Yes, you read that right - Removing the already established requirement to encrypt the data that is most sensitive and valuable. I'm not one who typically leans in the direction of government mandated standards, but in the absence of private self-regulation and in this particular case...

From CNET's News.com:

While security stands to benefit from a broader, another proposed change to the security rules may hurt security of consumer data, critics said. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.

"Today, the requirement is to make all information unreadable wherever it is stored," Maxwell said. But this encryption requirement is causing so much trouble for merchants that credit card companies are having trouble dealing with requests for alternative measures, he said.

In response, changes to PCI will let companies replace encryption with other types of security technology, such as additional firewalls and access controls, Maxwell said. "There will be more-acceptable compensating and mitigating controls," he said.

The Payment Card Industry (PCI) security standard was developed to improve the security of applications processing credit card transactions. In the best-practices world of layered security, we deploy security in multiple locations and in different parts of the lifecycle. We even get redundant, especially in areas that matter the most.

To think that more firewalls can protect data in a way that makes it unnecessary to encrypt is ridiculous. Encryption protects data from theft when other layers are compromised. It keeps data safe even from internal theft (and trust me, that's at least as common as external theft, often even more so). It means - if done correctly - that even is a server is stolen from a datacenter,  the bad guys still cannot get at the information that's stored in a secured form on the machine. Keeping people out is important, but encryption is about the bad guys that already got in. So let's can the firewall arguments, although perimeter security is still a critical thing to deploy.

Scanning software to make sure you cover the threats and reduce the chance of successful attack is a good thing - but having people analyze it with eyeballs is significantly better. Scanning software only finds the low hanging fruit that is exposed on the outside layers and only finds the things we already know about. It provides no mechanism for creative scrutiny and under-layer analysis. It doesn't account for finding the new threats and vulnerabilities. Those things take active brains and connected eyeballs. It's what I don't know how to detect that will kill me in this case. It's the holes I can't see today, but which will be all too obvious tomorrow. So let's drop the "build secure software" argument as an alternative to encryption, although it's still an important thing to do.

Ultimately, cutting out the data encryption requirements will make it easier for companies that do transactions - by trading off the security of sensitive, personal information. It comes at our expense. It's a bad idea. And you should do something about it.

It's not easy to do 99% of what makes up my job, and it's not always fun. Security is hard. It's not really supposed to be easy. But I do it because it's necessary and right. The identity of users is the proverbial gold and crown jewels of this real-life game. It's not about protecting institutional assets - it's all about protecting individual people's identities.

To be concise: Removing the encryption requirement is a fundamentally bad idea that will hurt real people in the real world. Especially in this day and age of identity theft and with the endless news stories covering data loss and theft where the data is vulnerable specifically because it's not encrypted, I'm rather shocked by the decision. It's another example of where doing what's right falls victim to doing what costs less and reduces complaints.

It's time to stand up for what's right for security. First of all, as a business you should not be storing any personal information that's not absolutely necessary and that I have not specifically told you I want you to store for me.  Protection of the personal information you do store is your responsibility, but I own it. Encryption of my sensitive information in your systems should be a requirement, not a nice-to-have or a convenience-based suggestion.

Period.

A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.

So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.

Up until today I was frustrated to no end with these events.

Now it's personal. Now I'm angry.

And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...

This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.

There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.

The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.

All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.

What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.

But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.

BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems.  It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.

If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.

Did he say "negligent?" Yes, negligent. And I mean it.

It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.

So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?

Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.

Of the 2600+ organizations on the certificate register, there are only seven  (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.

This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.

Japan	1602	Brazil	9	Slovenia	2
UK	244	Sweden	8	South Africa	2
India	186	Spain	7	Armenia	1
Taiwan	92	Turkey	7	Bahrain	1
Germany	57	Iceland	6	Chile	1
Italy	42	Greece	5	Egypt	1
USA	39	Kuwait	4	Lebanon	1

And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.

If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well. 

The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.

So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.

What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?

Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.

Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.

Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.

Okay, I just have to say something here. I can't help myself. Like CBS hasn't already done enough to ruin things for us in its own studios, now it's reporters are taking it to the streets, too.

You know, Fight Club used to be cool, one of the best movies of the last several years for sure, then these guys have to go and freakin' ruin it.

Grrr...

Let me put it this way: This is to Fight Club as "What are YOU doing???" is to "WAZZZZUUUUUUP?!?!?!?"

Someone should go find these guys and kick some @*$ for real for breaking the first rule. Where's Tyler when you need him? Not to mention what this does for the image of software engineers in our world. That's it, might as well just give up now.

Alright, anyhow, back to our regularly scheduled programming...

I've been heard on occasion to suggest that it might be a good (or at least interesting) idea to turn off email in the workplace and to resort to more personal means of communication, like say in-person. Or on the phone. Anything that's not written.

Why? Because, it can be so hard to really understand what someone is saying, and especially difficult (if not impossible) to tell what they mean. When you're talking about business relationships, it's hard to believe one can make good, solid decisions based on conversations as limited as email.

Now there's some research that supports my hair-brained suggestions:

According to recent research published in the Journal of Personality and Social Psychology, I've only a 50-50 chance of ascertaining the tone of any e-mail message. The study also shows that people think they've correctly interpreted the tone of e-mails they receive 90 percent of the time.

"That's how flame wars get started," says psychologist Nicholas Epley of the University of Chicago, who conducted the research with Justin Kruger of New York University. "People in our study were convinced they've accurately understood the tone of an e-mail message when in fact their odds are no better than chance," says Epley.

One thing's for sure: Simply knowing what the results of this research tell us could make a difference in daily email communication practice.

Does your place of work ever discuss email communication, its pitfalls, and etiquette? Now that's a topic that's worth some face time.

(via wired.com)

Plagiarism sucks, and Om Malik's weblog was apparently being copied verbatim, images and all, and repurposed sans-attribution on another site that was serving up ads and (potentially) making money. I've had this happen to me a few times in the past year or so, and in some cases found the only way to fight it was to quote the DMCA in an email to the host. Lord knows asking Google to hold them accountable for their terms of service did not work in my case - Google just wrote back and said "we can't do anything." Plus the bad guys were repurposing content from a whole slew of other sites. Lazy jerks.

By the way - this is really not exactly a trivial deal for many blog authors and publishers. I know when it happens to me, I chase it down and take it seriously. No lawyers needed - I am pretty good at that stuff and have some legal and courtroom experience, so why not put it to use eh? The ads on my site pay for my web hosting and my Internet access each month, and then some, so I have a little more than just an ego interest in what I choose to write and post.

Anyhow, below is an email I used last year to resolve a plagiarism problem involving full content from this web site. It's blunt, direct, complete and it worked. Also, note that this letter followed multiple attempts to get the site owner to remove plagiarized content. I'm posting the email letter here simply for the benefit of anyone who might become a victim of blog plagiarism and wants access to some ideas that have worked for others in the past.

And by the way - make sure you have a copyright statement and maybe a Creative Commons license on your main page that states what people can and cannot do with your blog content (mine's at the bottom of every page - it says people can repurpose it with attribution and for non-commercial purposes). It can't hurt to do this, and it helps set reasonable expectations and ground-rules for well-behaved people, while it can also be ammo for the ill-behaved later on...

Note that the problem I tackled with the below email was resolved within 4 hours of the email being sent to the hosting provider (the site owner never responded), and it happened a year and a half ago, so please don't go harassing anyone - this is just posted here to help people who might end up in a similar situation.

Where you see the word "(-- edited --)" below, I have removed identifying information to protect the innocent as well as those who complied with the requests to remove the offending content.

[via tech.memeorandum.com]

-------- Original Message --------
Subject:  ACTION REQUIRED: Illegal use of copyrighted content by one of your customers for commercial purposes
Date:  Sun, 3 Apr 2005 17:18:51 -0700

NOTICE: IF YOU ARE THE OWNER, OPERATOR OR HOSTING PROVIDER OF THE “MICROSOFT-DOTNET-TECHNOLOGY.INFO” DOMAIN, THIS IS A CEASE AND DESIST LETTER REQUIRING YOU TO IMMEDIATELY CEASE REPUBLISHING CONTENT OR ALLOWING/ENABLING CONTENT TO BE REPUBLISHED, WHICH IS SOURCED FROM THE “GREGHUGHES.NET” DOMAIN.

The owner of the web site(s) located on your servers/network at the below IP address and domain name is stealing and republishing - via an automated web-server application that gathers an XML feed - content owned and copyrighted by Greg Hughes at http://www.greghughes.net:

216.7.187.20 (MICROSOFT-DOTNET-TECHNOLOGY.INFO)

The following ARIN information identifies (-- edited --) Holdings, LLC (which is a corporation in Colorado) and (-- edited --).com (which appears to be a possibly defunct operation) as owners of the IP address/block in question:

Location: United States [City: Loveland, Colorado]

NOTE: More information appears to be available at NET-216-7-186-0-1.

(-- edited --) Holdings, LLC D393LLC-DC-INVERNESS6 (NET-216-7-160-0-1)
                                  216.7.160.0 - 216.7.191.255
(-- edited --).com VONOC-216-7-186-0-23 (NET-216-7-186-0-1)
                                  216.7.186.0 - 216.7.187.255
 
# ARIN WHOIS database, last updated 2005-04-02 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

The person(s) running the web site at MICROSOFT-DOTNET-TECHNOLOGY.INFO have been contacted in the past via the “contact” form on the web site and told to stop repurposing this content, specifically because they have not obtained permission and because they are profiting from advertising revenue from said web site. This activity constitutes theft of intellectual property under copyright laws and the DMCA. The information being sourced is copyrighted as indicated on the web site, and is not in the public domain for re-use. The party(ies) associated with MICROSOFT-DOTNET-TECHNOLOGY.INFO have not responded to repeated contacts and requests to cease use of the copyrighted material.

We have sent a CEASE AND DESIST letter to the parties once again today (April 3, 2004) through their web site contact form at http://www.microsoft-dotnet-technology.info/contact.asp. At this time we request that you remove the offending web sites and pages from your servers, as they are clearly in violation of the common acceptable use provisions of the parties to this email:

http://www.(-- edited --).com/acceptable-use.asp#copyright

IN ADDITION, the same person(s) appear to be sourcing copyrighted material for commercial use from Yahoo!, Search Engine Watch, moreover.com, the Kansas City Public Library, National Geographic News, about.com, and Web Hosting News. Unless the situation is rectified immediately we will also be contacting those persons and companies to advise them of the misuse of the copyrighted property and data.

The WHOIS information on record for the domain in question is:

Domain ID:D8436219-LRMS
Domain Name:MICROSOFT-DOTNET-TECHNOLOGY.INFO
Created On:27-Nov-2004 15:34:17 UTC
Last Updated On:27-Nov-2004 15:34:20 UTC
Expiration Date:27-Nov-2005 15:34:17 UTC
Sponsoring Registrar:R136-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C7727838-LRMS
Registrant Name (-- edited --)
Registrant Organization:(-- edited --)
Registrant Street1:(-- edited --)
Registrant City:(-- edited --)
Registrant State/Province:Gujarat
Registrant Postal Code:(-- edited --)
Registrant Country:IN
Registrant Phone:(-- edited --)
Registrant (-- edited --)
Admin ID:C7727839-LRMS
Admin Name:(-- edited --)
Admin Organization:(-- edited --)
Admin Street1:(-- edited --)
Admin City:Ahmedabad
Admin State/Province:Gujarat
Admin Postal Code:(-- edited --)
Admin Country:IN
Admin Phone:(-- edited --)
Admin (-- edited --)
Billing ID:C7727840-LRMS
Billing Name:(-- edited --)
Billing Organization:(-- edited --)
Billing Street1:(-- edited --)
Billing City:Ahmedabad
Billing State/Province:Gujarat
Billing Postal Code:(-- edited --)
Billing Country:IN
Billing Phone:(-- edited --)
Billing (-- edited --)
Tech ID:C7727841-LRMS
Tech Name:(-- edited --)
Tech Organization:(-- edited --)
Tech Street1:(-- edited --)
Tech City:Ahmedabad
Tech State/Province:Gujarat
Tech Postal Code:(-- edited --)
Tech Country:IN
Tech Phone:(-- edited --)
Tech (-- edited --)
Name Server:VOB1.(-- edited --).COM
Name Server:VOB2.(-- edited --).COM

(Note: I edited the names and other identifying infomration from the WHOIS record at the request of the person listed in the contact sections of the record becuase they asked me to do so. While the information is accurate as it was originally posted, it serves no useful purpose to keep that person's phone and other information here and the orginal issue was resolved, so I agreed to make the change).

Scott Adams says he recently quit caffeine. It wasn't exactly pleasant for him. Sounds like it still isn't.

I can relate. Except that I have not quit.

I drink coffee like it was, well, water. Like it's going out of style. It's easy to do - there's tons of free coffee everywhere I go. Which means work and home. And church sometimes. Free coffee everywhere.

Coffee is The Devil. So I am not sure why it's at church.

If I don't get my requisite dose of caffeine in the morning, I (seriously) can't see straight. Like as in my vision is blurry and my head hurts. That can't be good.

I stopped smoking a couple years or so ago. I've quit other things before, many years ago. But caffeine, well man oh man... Painful.

For the record, cigarettes was the hardest from a withdrawl perspective. Freakin' BRUTAL. It still is from time to time. I tell people I *stopped* smoking. I don't say I "quit." Nothing is guaranteed, nothing is forever. For today I am stopped, and it's better that way.

I guess I've learned that much fairly well. Heh.

But, back to coffee - It's the one vice I have left remaining in my life, really. I know I shouldn't drink as much as I do, but it just won't let me go. I've tried it - Ringing ears, blurry vision, massive headaches, general lethargy, an *inability* to sleep (seriously), and on top of that no more coffee, which I actually like (and I never actually liked smoking that much).

Argh. Decaf doesn't really appeal to me. All the decaf I've ever had tastes like crapola.

Any ideas?

I'm supposed to be on my way to Portland by now, to meet up with the youth group for a evening thing, Christmas shopping and stuff.

Supposed to be. Just one minor problem.

My truck's sitting out there in the driveway, with my laptop, camera, phone, and everything else I might possibly need tucked inside. The engine is all warmed up, the heated seats are turned on.

And the doors are all locked.

And the extra key? Yeah, let's not even go there.

To solve this problem, after failing miserably at the Magic Wire Coat Hanger Method, I brought out the smallest Yellow Pages book in the United States and looked for a local locksmith.

I'm starting to see why there are times when it's easier to live in or near the city. My first call was to a guy who, it turns out, is over in the state of Washington. Another call or two went unanswered. My next call was to a guy three-quarters of the way to the city, and he said he'd be heading my way. That's about 30 minutes away.

Days like this make me happy I have that Hemi V8 under the hood, what with the truck sitting there in the driveway at fast idle for the past hour and all.

But hey, with the PC laptop locked up in the car, at least I can be glad to have this Mac sitting on my desk in the corner over here. And I can be glad I have time to apply the gazillion software patches and updates I apparently missed since I last used it who-knows-how-long-ago.

I just hope there's enough gas left by the time they guy gets it unlocked to get me to the closest gas station.

Okay, I'm done. How's your weekend?

Thomas Hawk wrote about a severe problem he had ordering a camera from an abusive online retailer that's really nothing but a major, unethical sales scam operation. The fact that he wrote about it and pointed to a number of other people's experience is great, and it brought to mind a number of other things that people need to know, especially this time of the year.

First of all, there ARE unethical, bad people out there trying to sell YOU their stuff. And there are some that will threaten, extort and otherwise manipulate their "customers." It doesn't just happen to other people - it can and will happen to you, too. Protect yourself and do your homework. While the vast majority of online retailers are good, solid companies, there are the few bad apples, just like in any community, that make it bad for everyone they can take advantage of. 

• If the price is too good to be true, it's probably not true. Seriously. Don't fool yourself.
• Do your homework if it's a company you have never head of or dealt with. You're trying to save money, so spend some time. That means getting information about the company. A good way to do this is to look for bad information online, by using Google or another search engine to search for "The Company Name"+scam (like this and this show some serious info). Look for the NEGATIVE information. Keep in mind that there are times when the bad guys will try to make themselves look good by posting positive information. It happens.
• Don't rely solely on the Better Business Bureau to tell you what you need to know, but do be sure to check information there. The company Thomas wrote about has a record with the New York BBB that's pretty terrible. Also be sure to use epinions.com's "Online Stores and Services" search and read through the whole lot. Again, there are bad guys that will post fake positive comments about themselves - so be a pessimist.
• Always use a reputable credit card, never use a check or debit card. If you ever need to reverse charges, a credit card with purchase and fraud protection is invaluable; You can't reverse cancel payment on a check that's already posted, and you fighting the debit card battle is painful if the money has already been pulled from your account. Credit cards provide lots of real protection, so use them for these purchases. That's why I have credit cards, really, is to protect myself if ever needed for major purchases. That and true emergencies. Other than that I think they are evil, heh.
• Did I mention "If the price is too good to be true, it's probably not true?" Okay, well it's worth repeating.

Finally, based on other people's experiences with the company Thomas had his problem with, I'd suggest you never, ever do business with Price Rite Photo, which also uses a number of other business names. Check the BBB for retailer names and aliases, and alway always always be careful and suspicious of the too-good-to-be-true deals.

Leave it to the Oregon Lottery to come up with the holiday marketing stunts to top all stupid holiday season marketing stunts. Thank God for the lottery people... And here we were starting to worry people might actually take Oregon seriously for a second...

So, here you have it: Scratch-and sniff lottery tickets in a beautiful fruitcake flavor. Yeah, seriously. Scratch the card, and it smells like f-r-u-i-t-c-a-k-e. Uhhh... Yuck.

People actually want to buy this crap? Wow.

To top it all off, be sure to check out the (actually somewhat amusing) MP3 files being used to promote the seasonal cash-collecting game.

It's all at http://spiritoffruitcake.com.

Sheez...

A couple months ago I took early delivery of a ThinkPad X41 Tablet PC, and I like it a lot. There are a few things I'd improve (like maybe offer a faster proc and faster hard drive spin speed as an option, and possibly higher resolution video), but overall it's great.

But I ran into my first problem last week. The "push-through" latch - which sticks out of the machine's screen either on the screen surface side or the top surface side, depending on whether you've rotated into slate mode - broke and fell out. So not I have a Tablet without a latch. Luckily, the lid tends to close shut. he only real problem is it also tends to rotate if you push on it the wrong way.

Looking at the base side of the latching mechanism, it appears something in there broke. Not good. And the thing, is, all I've done with it is open and close it normally... No torture, drops, hard landings, hard closings or anything.

Bummer. Seems like the convertible Tablet PC latch market needs a better design. Someone out there should design the perfect latch, patent their Really Good Idea and run with it.

Want to instantly turn off a blogger? Ask them to link to you without a compelling reason. Seriously. Unless it's a truly compelling and timely topic, never ask for a link. If you do, prepare to be ignored.

Robert Scoble wrote a short-but-right-on-target post today that I can totally relate to. And keep in mind, my blog is like 1/100th of what his is from an attention perspective, so the impact of blatant link begging on me is nothing even close to what it is for him, I'm certain.

Like Robert, I've also been getting a lot of emails and even a few phone calls recently from PR people, bloggers, marketers and other people who don't quite "get it" asking me to write about specific things on my blog. Some have even gone so far as to offer something in return as payment. At first I just laughed and tried to figure out why anyone would actually take the time to ask me to write, then I looked at my pageviews and did some fuzzy math in my head. Okay, so lots of people read the content on this site, that's cool. Not as nearly as many as the big guys, but a lot nonetheless. My AdSense income amazes me more than anyone. But my voice is mine, and it's not for sale.

I'm not saying I don't want to hear about cool stuff - send it on. What I am saying is if your request takes the form of "will you please link to this?" or "hey you should link to this" or "you should write about this for me," I'm really not interested. Of course, if you think something is really cool and it catches my eye, too (and you're not pulling a fast one or crying wolf), I'm going to be interested.

I've gone so far as to reply to one or two of the more truly blatant, entitlement-laden requests with words like "I don't take requests" or "Sorry, I don't do performance blogging." Most of them I just ignore and immediately file in the electronic circular file. It's not that I don't want to hear about good and cool stuff. I just don't want to be anyone's hired or begged PR publisher.

PR people often operate in the old-skool world (been there in a prior career), one where lazy print writers looking for something new to write about love to get calls from PR agencies with some pre-written copy that can be regurgitated or copied verbatim and published. Bloggers don't work that way. If you (hypothetically) send me a book to review, I will try to read it when my schedule allows and if it catches my interest. If I find it especially compelling I might write about it. If I don't like it, I'll most likely just let it go. If it's really, really bad, I might just write about that, too. But probably not - I prefer to emphasize the positive here. So, unlike the print world, there' some risk involved. One thing's for sure: There's no promise or guarantee I'll write anything. And if the request is to take a book or software or anything else in turn for a guaranteed review, don't ask. I'm not for hire. Some people have asked if they would have a chance to respond to anything negative before I write it. I tell them no, but that my blog has comments and if they have a blog (they should), they can always participate in the conversation. It's amazing how many people that puts a stop to. Heh.

I agree with Robert's suggestion. If you see something cool and want me to blog about it, send me a link and tell me what's got your interest and why. I don't care whether it's a link to your site and your comments or if it's pointing to the original info, or whatever.

Now, don't let me scare you away. I write about many things - stuff I care about. Some of it I discover by reading something someone else wrote or sent to me. If I happen to have the same level of interest as you when you show me something, I might take you up on the info. Conversely, if you specifically ask a blogger to link to you for selfish reasons, prepare to be ignored unless it's something very special and urgent.

I've written almost nothing all week until today, partly because I got tired of these calls and emails with blatant requests. It's not fun. It feels like work, and that's one thing this blog is not. Plus, I have been pretty busy recently with my job and life. We all need a break now and then.

Anyhow, Robert - you got that one right, man.

Every now and then some random person or event comes along that deserves memorialization. Such is the case with Lt. Gen. Russel Honore and his words this past week when confronted with a gaggle of reporters. Honore and others (including the Mayor of New Orleans, who was having a hard time with the media crowd) were at a press conference (called by the mayor) in order to immediately get out the important word about the government's plan to evacuate people from the city of New Orleans in the face of yet another hurricane - this time, it was Rita.

But some of the reporters at the press conference were apparently still stuck on Katrina. The General was there to make sure they clearly understood their role in the situation. There's a time and a place for everything, to be sure - and that means there's a time for the media to ask questions, and there are other times when the message needs to be immediate, clear and loud in order to save lives and ensure peoples' safety. Unfortunately, there are many in the media who are all about conflict, not about helping people (regardless of what they say their motivations are). It's makes the former journalist in me scream at the TV. I hate it.

So - Thank God for people like Lt. Gen. Russel Honore. Here's his words, an audio file and a partial video of the interaction between him and the media:

Audio Attachment: 0920honorestuckonstupid.mp3 (1685 KB)

Video Attachment: stuckonstupid2.wmv (2957 KB)

Gen. Honore: And Mr. Mayor, let's go back, because I can see right now, we're setting this up as he said, he said, we said. All right? We are not going to go, by order of the mayor and the governor, and open the convention center for people to come in. There are buses there. Is that clear to you? Buses parked. There are 4,000 troops there. People come, they get on a bus, they get on a truck, they move on. Is that clear? Is that clear to the public?

Reporter: Where do they move on --

Gen. Honore: That's not your business.

Reporter: But General, that didn't work the first time --

Gen. Honore: Wait a minute. It didn't work the first time. This ain't the first time. Okay? If...we don't control Rita, you understand? So there are a lot of pieces of it that's going to be worked out. You got good public servants working through it. Let's get a little trust here, because you're starting to act like this is your problem. You are carrying the message, okay? What we're going to do is have the buses staged. The initial place is at the convention center. We're not going to announce other places at this time, until we get a plan set, and we'll let people know where those locations are, through the government, and through public announcements. Right now, to handle the number of people that want to leave, we've got the capacity. You will come to the convention center. There are soldiers there from the 82nd Airborne, and from the Louisiana National Guard. People will be told to get on the bus, and we will take care of them. And where they go will be dependent on the capacity in this state. We've got our communications up. And we'll tell them where to go. And when they get there, they'll be able to get a chance, an opportunity to get registered, and so they can let their families know where they are. But don't start panic here. Okay? We've got a location. It is in the front of the convention center, and that's where we will use to migrate people from it, into the system.

Reporter: General Honore, we were told that Berman Stadium on the west bank would be another staging area --

Gen. Honore: Not to my knowledge. Again, the current place, I just told you one time, is the convention center. Once we complete the plan with the mayor, and is approved by the governor, then we'll start that in the next 12-24 hours. And we understand that there's a problem in getting communications out. That's where we need your help. But let's not confuse the questions with the answers. Buses at the convention center will move our citizens, for whom we have sworn that we will support and defend...and we'll move them on. Let's not get stuck on the last storm. You're asking last storm questions for people who are concerned about the future storm. Don't get stuck on stupid, reporters. We are moving forward. And don't confuse the people please. You are part of the public message. So help us get the message straight. And if you don't understand, maybe you'll confuse it to the people. That's why we like follow-up questions. But right now, it's the convention center, and move on.

Reporter: General, a little bit more about why that's happening this time, though, and did not have that last time --

Gen. Honore: You are stuck on stupid. I'm not going to answer that question. We are going to deal with Rita. This is public information that people are depending on the government to put out. This is the way we've got to do it. So please. I apologize to you, but let's talk about the future. Rita is happening. And right now, we need to get good, clean information out to the people that they can use. And we can have a conversation on the side about the past, in a couple of months.

Time to print some bumper stickers... "Don't get stuck on stupid." Heh. It's not a new phrase - more like old made new again. But it's great, and appropriate.

Update: The Stuck on Stupid Blog. Heh...

(via RadioBlogger and The Political Teen)

Recently I've had a number of interesting (albeit often protracted) conversations with people about processes in business, and how formal, written procedures and established processes can be good (I agree, to a point) and can also be very, very bad.

I'll explain in a minute, and while I'm at it I'll do some tangential opining and show why I think Sarbanes Oxley and other process-intensive initiatives and guidelines don't always accomplish what they set out to do. In fact, in the case of SARBOX, I'd argue it doesn't even come close to accomplishing what it was originally intended for. But that's another story...

First a reminder and a bit of clarity: This is a personal blog, so anything I write is my opinion and mine alone.

Saturday morning telephone support call: Failed process illustrated...

Saturday morning I woke up at a criminally early hour (for a weekend anyhow). Since sleep apparently wasn't in the game plan I decided to call Vonage to see if I could actually get someone on the phone, and if I could convince them to listen to me long enough to troubleshoot a hardware/firmware problem I've been having with my VOIP terminal adapter.

For the record, I like Vonage. A lot. I recommend them. I'll refer you if you email me and ask. But I'll be honest - I'm never too excited about calling them.

But on Saturday morning, that's what I did. After umpteen layers of voice menus and hitting random keys to get pretty much nowhere, calling back after being disconnected (don't hit 'zero' in Vonage's voice prompt system...), and then finally getting someone on the line (whom I could not understand and who it seems could not understand me during the entire painful process of validating my account, name, billing address, etc.), we finally got around to troubleshooting the problem:

Vonage Lady: "Yes, hello mister huge-hess...

Me: (silently) <grrrrrrr!!!>

Vonage Lady: "...how can I help you with today?"

Me: "Okay, so I am having a problem with my Motorola VT1005 terminal adapter, about once a day it loses its connection with Vonage and I have to pull the power plug and plug it back in to get it to work, and several times a day the network data port stops communicating completely so my computers here at home cannot get to the Internet. I have to unplug the Motorola device and plug it back in in order to resolve that problem, too, and then it happens again later, a few times a day."

Vonage Lady: "Okay, so what I understand from you is..." (reads back a different version of what I just said, but leaves out all the key points, like the whole data connection problem, etc)

Me: "That's partly correct, but the worst part of the problem is that several times a day..." (I explain the loss of LAN port connectivity issue again)

Vonage Lady: (seemingly ignoring what I just told her) "Okay, I would like you to go to your router and unplug the wire from the PC port and so you will have the modem and the wire, and the Vonage router and then your computer, and I want you to plug a wire into your computer okay can you do that and tell me?"

Me: (wondering if I - a high-tech IT guy with lots of experience fixing crap much more complicated than this - really understand what she means) "Umm, okay, so... You want me to plug the ethernet cable that goes from the Motorola device on the LAN side into my computer directly then?"

Vonage Lady: (pause, pause, pause) "Uhhh, yes, I need you to put the wire from the PC port in your computer."

Me: (deciding the only logical thing to do is to go with my gut) "Okay, so I have done that, okay I am ready for the next step."

Vonage Lady: (seems to be shocked that the next step is already starting) "Ohh umm, okay, one moment please... Okay, I need you to open your Internet Explorer, and in the address bar at the top of the screen..."

Me: (I'm starting to quietly get a little frustrated now) Okay my web browser is open, you want me to type in an address?

"... I would like for you to type this address in the address bar."

Me: (I'm already on the adapter's admin web page, I think to myself, she's gonna send me there - slowwly) "Okay, ready."

Vonage Lady: "Okay, One-Nine-Two..." (pause, pause, pause)... "No, wait... H-T-T-P --"

Me: "192.168.102.1?"

Vonage Lady: "No, no no. AICH-TEE-TEE-PEEEE, COLON, SLASH-SLASH, ONE-NINE-TWO..."

Me: (waiting for more numbers) "... ... ... okay, i got that part, you can keep reading it to me."

Vonage Lady: "DOT-ONE-SIX-EIGHT-DOT-ONE-ZERO-TWOOO-DOT-ONE"

Me: (Thinking to self: Is there an echo in here?) Okay, I'm there.

Vonage Lady: "Oh well, now we need to go to the admin.html page, so to do that please click in the-"

Me: "Okay, I'm there."

Vonage Lady: "Oh, okay... Do you see a button that says Restore Factory Defaults on the page there then?"

Me: "Yes. I have a fixed IP address though, so if we do this it will stop working 'til I reconfigure."

Vonage Lady: "That's okay, push that button and tell me when it's done."

Me: <click>

Vonage Lady: <she's now long-gone due to the fact that she just told me to kill my phone line>

Bad process and procedure? Most certainly. But what's the real problem in this story? Unfortunately it's one that we see happening more and more these days, over and over again with all the emphasis on building deep, complex, wide swaths of processes and supporting procedures.

I'm not here to argue against process. I'm here to argue for thinking.

When process hurts...

People have stopped thinking for themselves and doing critical analysis of the situation at hand. Instead, they read from a script. They follow a written procedure. They stay exactly between the lines, thinking the lines are the end-all-be-all of clarity in every situation. When I speak to people in my field about this, I describe it as being similar to walking around with blinders on.

We're suffering from a deficit of creative thinking and reasoning. But more on that in a few minutes.

What does this result in? Three things mainly:

First of all, people increasingly look at the world and the things going on around them as being bipolar in nature: black and white. In reality though, it's all about the infinite shades of gray. Oh, how simple the world might be if it was all pure black and white in nature, but in the real world it's just not so. Unfortunately, the desire to simplify things cognitively into black/white, us/them, good/bad is probably a greater part of the way people look at things today than it has even been.

Second, people have lost their sense of ownership and don't think for themselves. Pride goes soon after that. More and more the accepted method of teaching people how to do things has become the "hand-me-the-procedure" method. But, absolute processes and procedures are fundamentally flawed. There's simply no way to compute every possible outcome or input to a situation, yet we expect that by creating processes and procedures that *must* be followed, we can solve critical problems. The fact is that while they may ensure compliance most of the time, they can also often ensure lack of compliance some of the time - especially when the procedure or process doesn't exactly fit, but the person applying it doesn't stop to think about that fact. Or, even worse, they're not given the level of permission needed to stop, think, and evaluate situations on their own.

Third, we walk around with a false sense of confidence and safety. By assuming we are creating controls and processes to keep the bad things from happening, we do the one thing that police officers and security professionals have known better than to do for all time: We lure ourselves into that place where we believe everything will be okay, everyone will follow the rules, everything will be out in the open, the checks and balances will all work because the auditor signed a pieces of paper (not like the auditor had any real guidelines to audit against or anything...) and the bad guys won't be able to get away with anything anymore.

But it just won't work. Nope.

I'm sorry Senator, I have no recollection...

Example from the real world: The Sarbanes Oxley Act (SARBOX for short) was terrific for consultants, and lots of people are making lots of money off lots of companies that are shelling out big bucks for something that only minimally does what it needs to do (if that). The fact of the matter is that SARBOX resulted in huge expenditures and rampant development of crippling processes that offer little protection from bad, smart people who want to pull a fast one on investors. Even one of the sponsors of the act says it doesn't really accomplish what was originally intended. Hey, Senator, can we send you an invoice for the costs of this mandatory program that won't do what it's set out to do? Let me know. Thanks.

So, SARBOX is good for consulting companies, and expensive for business, and even though the rules and regs don't really fit small to mid-size businesses, they have to follow them anyhow. It doesn't really prevent another Enron from happening. In the end, it's costing the shareholders it was intended to protect a lot of money, and it's not really doing what it needs to do.

Hmm. That's like going to a store with no knowledge of tools, telling the sales person I need a something to help drive a nail into a wall, being sold a bunch of hard hats and yellow vests and thick gloves, along with a pneumatic nailing system and a whole stack of safety equipment and mandatory classes to make sure I use it right, and a certification that's required to issued by the government before I use it... And then six months later finding out there's this thing called a claw hammer...

Maybe we forgot what we set out to do. Maybe there's a short term memory problem involved. Or maybe too much vague, confuse, poorly-defined process got in the way of building (wait for it...) effective process.

This is starting to sound like "the meeting to plan the meeting."

Anyway, back to Vonage...

I made another call to Vonage (after I set up a fixed IP, reconfigured the TA, etc., and this time without getting disconnected), Communication went a little easier with the support worker I got this time, and within a minute of the same scripted process, I heard him pause for a moment. He stopped what he was doing and said, "Mr Hughes," (thought: do people who put time and effort into pronouncing names correctly also think more for themselves?), "I am going to transfer you to another number because I think they will be able to help you with this. I could go through all of the things I have here, but I really don't think they will help you."

There ya go, now that's thinking for yourself.

Within five minutes, another Vonage rep (who was quite knowledgeable and professional by the way) had deduced - after listening to my technical explanation and asking a couple follow-up questions - that my terminal adapter is pretty much on its last legs, and offer to send me a replacement.

I spent two hours on the whole deal, between the first phone call, phone menu prompt maze from hell, getting disconnected by the voice menu system, the first rep, getting disconnected by my hardware reset,. It took 10 minutes to solve it, as soon as I spoke to a couple people who were willing and able to think about the situation outside the script.

Now, I've picked on Vonage here just because they happened to be the company I called on Saturday. I have tales of woe from a slew of other tech support experiences, too. A friend just IM'ed me to vent about his phone call this morning to Dish Network. I like Vonage, I like their services, and I like their prices. I think they're doing a good job, and they are adding (literally) 10,000 new users a day (got that from the last guy I spoke to on the phone). They have more than a million users now. So don't take this to be a Vonage bashing post - it's not. But I do think it illustrates an important point.

So - what do we do now?

Okay, great so what are we supposed to do about the Blinders of process? It's simple: Let your employees take them off. Encourage them to!

In fact, it might be worth training employees in two basic skills that most people don't get any decent training in: Listening and troubleshooting. Think about how much time we spend learning to read and write, to speak in front of others, to read from the script. How much training in our lives, from school to professional adulthood, is spent learning how to listen well? How much time do we spend learning the nuances of critical thought or effective problem solving and troubleshooting?

Not much. Not enough, for sure.

But we'll have to save that topic for later.

You've seen it before, over and over and over again: PowerPoint presentations that contain practically every word pouring out of the presenter's mouth, slides that digitally drone on and on and on and...

PowerPoint, when used well, can be a useful, powerful (hmmm) and productive tool. But more often than not, it's a bane of our existence, putting us to sleep with completely forgettable blocks of useless text and gratuitous effects.

I have seen PowerPoint used as that proverbial, metaphorical screwdriver, where the proper tool would instead be a hammer. I've seen attempts at web-site designs done in PowerPoint (by the way - that still doesn't work people). I've seen it used over and over - by a wide variety of people trying desperately (and with good intentions, I am sure) to create something outside their area of expertise - using it to do things for which it simply was never intended.

But even when PowerPoint is used what is was meant for - creating slides for presentations - it can be painful to see how people use it. It's a software tool and requires some level of technical understanding to be sure, but technical expertise in using the program is not the most important part of the job.

PowerPoint has become a crutch, and more often than not it's damaging the patient. It's the loaded gun in the hands of the untrained shooter. It's the '79 Cadillac being driven by the nine-year-old who learned by watching mommy.

Kathy Sierra gets this. She understands, and she wrote about it to try (I assume) to make a difference in how it's used in the world. If you use PowerPoint, regardless of your expertise of years of experience you should read her post and take it to heart.

I've also been reading Cliff Atkinson's new book, "Beyond Bullet Points," and it's a great book for learning how to put together effective presentations "that inform, motivate and inspire." Recommended.

PowerPoint's a great program, to be sure. But it's only a good tool when put in the hands of someone who knows how and when to apply it. Kathy's post should be mandatory training. We license drivers... Maybe we should come up with a test and a license for PowerPoint users?

Ok, time for a random pet-peeve post. I don't do these often, but I figure maybe I can change the whole world if I post this, so here goes:

People, listen up. If you learn only one grammatical/spelling/language rule this year, please make it this one... It will improve your sales figures, professional development, ability to earn promotions and recognition at work, and your general status in the community. Seriously.

Loose is a four-letter word.

Now, allow me to explain...

• Loose = loos = adj/adv, meaning not tight, fastened, restrained, rigid, bound, etc.
• Lose = looz = verb, meaning to fail in, or to fail to retain possession (opposite of win or find)

I can't even begin to tell you the number of emails, blog entries, letters, and even printed and online professional news articles (who's copy-editing these days anyhow?) I've read where members of the Hooked-on-Phonics generation (dat's Huhked-ahn-Fonikz fer yoo membrz) use the incorrect word in a variety of sentences.

Examples of improper use of "loose" in a sentence:

• "Joe is such a looser. I can't believe that guy."
• "If you don't try hard enough, you'll loose the game."

Examples of correct use of "loose" in a sentence:

• "He's got a screw loose in his head."
• "Your seatbelt is looser than mine."

I could also easily list a variety of colorful uses of both words in the same sentence - but I won't. Use your imagination and post a comment if you feel so inclined.

How have you seen these words (or others) completely butchered? Any funny examples?

It's no real surprise that VOOM, a satellite service that provides boatload of HDTV programming to its customers, is about to shut down. Cablevision, the company that owns the subsidiary, is cutting its losses before it's too late.

But it's really too bad that a company that was making its name on hi-def television is going south. With HDTV being such a big thing, a service provider like VOOM, which already has a satellite in operation, seems like such a good thing.

It's unclear what will come of the channels and the satellite space currently used by VOOM when they shut down on April 30th. Hopefully something good will come of all this - HDTV is so late in coming.

Why did VOOM fail? Bad marketing? Before it's time? Cable-company ownership mark of death? Bad company name?

Sorry to see it go...

Forgive the topic (just skip this entry if you don't care to read semi-graphic bathroom prose), but Doc Searls writes today on his weblog about the bad habits guys have in the men's room - namely not using the urinal for "number one," and making a mess while standing and "using" a stall instead. So, I have to respond. I can't help it, it's like a disease this blogging thing.

Doc bluntly covers the not-lifting-the-seat problem, as well as the hygiene issues:

"But: why piss all over the place? Why not lift the seat? Don't these guys ever sit on the damn toilet? Do they like sitting on somebody else's pee? 

"These questions come to mind for two reasons: 1) because I just witnessed exactly that scene, in a mens' room here at a nice hotel here in San Francisco; and 2) nobody ever talks about the problem.

"So I'm thinking... a substantial percentage of men A) only piss in stalls; and B) don't lift toilet seats. If you're one of those guys, and you blog, can you please explain your position, so to speak, on this issue?"

Well, I can tell you that it still surprises me, even after all these many trips to restrooms over the years, how often I find a bathroom that's a disgusting mess because of people who have no sense of personal responsibility. And that includes places where only adults use the restroom.

But Doc's words make me thing of more.

For example, take the following from Greg's Quiz on Common Sense Men's Room Hygiene, based on experiences of observation over the past couple of weeks:

A guy walks into the men's room, approaches the urinal, and relieves himself. Once he's done he "zips-up" and then...

a) walks straight out the door.
b) walks straight to the sink, washes hands, dries hand on paper towel, and walks out the door.
c) walks straight to the paper towel dispenser, uses paper towel, and walks out the door.

Which action is the most disgusting? Please explain you answer.

Use the comments to relieve yourself of your thoughts and record your answers to the quiz, should you be so inclined.

How do you save a few bucks on McDonald's drive-through staff in Oregon?

Outsource them. To North Dakota. Click for more...

Ree-freakin'-diculous.

"Louis is here with the weather..."

The painful, awful, terrible weather.

"Maybe Louis, you can tell us what we can expect for the rest of the week..."

If you're ever having one of those days where you feel like the clumsiest person on the face of the planet, just click the link above, and find comfort in the fact that someone, somewhere has almost certainly had a harder day than you.

(I recall my time in journalism school, which is almost certainly where this tape came from, and it could be brutal at times. Broadcast news performance is an art, and artists are few and far between).

Jeremy Zawodny points out the Blogger's Bill of Rights and gives his opinion on the matter. He doesn't like it. Neither do I. It's just another example of people making something out of nothing, and trying to avoid personal responsibility in the good name of free speech. Here's where I speak up and say why I think it's crap, too...

Now, I'm a fairly outspoken person. I've also had a tendency in the past to open my big mouth, say exactly what I think, and then go into another room to extract my foot from my esophagus. But when I stick my foot in my mouth, I am keenly aware that it's my foot, it's my mouth and it's my choice - regardless of whether or not I thought it through ahead of time. Whether or not I was correct isn't relevant. You can be correct every time, but that doesn't necessarily make you right.

People, this is all about responsibility and ownership. You want to say something? Fine, but ya gotta own it, like it or not.

Let's define a couple of terms for the purposes of the discussion:

• Consequences: The results of something one chooses to do, or not to do. All choices have results, both good and bad. Some of those results impact the chooser, some impact others.
• Speech: Pretty much any form of communication - collective, individual or otherwise - in a variety of forms. In this context, we'll keep it somewhat simple (since we are talking about individual weblogs) and say it's an individual's written or spoken words.

Okay so - Right up front I'll say this: There is no special, magical set of rights that bloggers can (or should) expect, not with regard to employers, husbands/wives, boyfriends/girlfriends, coworkers, friends, family members, governments, or anyone else. The idea that blogs are somehow special or different and should be treated differently is arrogant and probably and indicator of the root of the problem - people think they are entitled to say whatever they want, however they want, with no consequences. Sorry, Charlie. Ain't happening.

• Your right to free speech does not apply to the specific medium in which you exercise it. Speech is protected in certain circumstances, in certain locations, regardless of the form that speech takes. You have no more right to expect protection on a blog than anywhere else. Your rights are reasonable to expect, but when your exercising of your rights infringes upon the rights of another, you're crossing a line.
• If you shoot off your mouth on your weblog, it's not an ollie-ollie-oxen-free home-base super-top-secret say-anything-I-want kind of thing. You are responsible for what you say, at the time you say it.
• Speech is behavior. In a previous career I was always amazed at the idiots who thought if they could just get their car into the driveway, they were safe, regardless of the level of alcohol in their blood while there were on the street that got them to their driveways. It's not where you land, it's who and what you affect along the way.
• Your speech is your speech, and with it come consequences. If you choose to say or write something on a weblog, keep in mind, it's speech in a public place and you are making a choice, and with that choice comes certain consequences. Your choices may impact others (coworkers and employers), and as a result, the very second you post your words, you choose to accept all of the consequences of that speech, regardless of whether or not you have taken the time to think about said consequences.
• Your employer can hire and fire based on the quality of your behavior and how it impacts business, your performance, personalities, coworkers, morale, anything. You should remember this before you post on your weblog for everyone to read. And comment on. And quote. And read again. And copy/paste/email to your coworkers and your boss and his/her boss. And to end up on the Wayback Machine.

It's not about who yells the loudest or who thinks/knows they're right. What it is about is being responsible for oneself and thinking ahead about the impact of exercising one's right to free speech.

One important aspect of thinking ahead is considering the consequences and weighing the risks. Preferably before speaking. But if you don't take the time to do that, it shouldn't be (and isn't) someone else's problem.

Anyhow, that's about all I have to say about that.

Not the same way one New Hampshire UPS truck driver does. I bet his last name is Murphy – It almost has to be.

CLICK HERE for the story...

Seriously. My sensibility hurts.

At the invitation of a friend, I went to the movies tonight, and saw The Grudge.

Sheez. Now there’s something like two hours of my life I’ll never get back.

I’m not the kind of person to talk out loud in movies, but this one sucked so hard I couldn’t help myself. It’s was editorial comment after editorial comment. And you know what? I wasn’t the only one. And on top of that, NO ONE complained about the out-loud commentary that was going on. That should tell you something.

I’m not even going to explain why it sucked. That would simply do the film too much justice, and someone might spend enough time reading this to subconsciously convince themselves they should see it. DON’T!

And that’s all I have to say about that…

Coudal.com has perhaps the most useful PDF file of the year available to download…

Do you ever get tired of those idiot people who suck up all the ambient quiet while talking on their cell phones about things that they – well – should probably just keep quiet?

Take action now:

“After reading a story in the NYT, Jim's wife Heidi decided that maybe there was a way to fight back against the obnoxious cell phone users that we all have to deal with in stores, restaurants, trains and pretty much everywhere else. Can design ride to the rescue? Jim and the incomparable Aaron Draplin think it can. So, as a public service, we introduce the reasonably polite SHHH, the Society for HandHeld Hushing.”

Download this PDF, get out your exacto knife or scissors, and start fighting back (NOTE: The PDF contains a few choice profanities, so if you’re easilly offended, don’t click).

(via Engadget)

Most any blog that’s been Googled, Slashdotted, or Engadgeted – or for that matter pretty much anything that drives traffic to a site – has seen the effects of referral spam. It SUCKS. Porn and marketing sites create a fake link to your blog entry, which results in a link to their web site (usually and unpleasant and unwelcome one) showing up in your referral list for that entry. Your readers click a link and get porn tossed right in their faces. Ugh.

With dasBlog, the only way I had to effectively battle this (I am a victim of referral spam for sure) was to turn off referral displays on my blog. I don’t want that, but this is a family-friendly site for the most part, so keeping the nasty out was important.

But last night Scott Hanselman, a friend and co-worker, sent me a new little C# 2005 Express project ZIP file, told me to compile it, and to try it out. He just built it for himself, and passed it on for me to use.

No more referral spam!

UPDATE: While I was able to kill the nasty referrer links, I have again removed referral listings from the blog for a while, because I have one particular weblog entry that has so many hundreds of referrers, it will crash the browser when you try to load it with referrers showing… But that’s a whole different issue…

Since then, Scott has posted the project source file on his blog, too, so any dasBlog users that need it can take advantage. He plans to make it a little more elegant in the future, but this is a great start!

Scott Hanselman, YOU’RE MY HEEEROOOO.

I'm feeling a bit put-off today. And a little sarcastic, I admit that freely. But there's a reason...

I just don't get why it is that sales people will make cold calls, leave a long, run-on message that they're obviously reading from a note card or computer screen, and then when they leave their phone number, speak so damn fast you can't catch the freakin' numbers.

Then, of course, comes the obligatory indignant follow-up call a couple weeks later, going something like, “I've been trying to reach you and left you a voice mail, but have not heard back from you, so please call me as soon as possible at one-eighthundred-fourtwofishevyumaevablahblahblah.

Ugh.

Look, sales guys, here's the deal.

Leave me a short but meaningful message that includes the purpose of your call, and when you leave your phone number, please speak slowly and clearly. DO NOT go on and on espousing crap like synergy, top-100 blah blah, value-added yada yada and the same crap every other poor sales person drones on and on about. Just tell me why you're calling and what you really want to talk to me about.

Don't expect me to call you back. Believe it or not, I have plenty of other things to do, and believe it or not, those things are almost always more important than speaking to every vendor that cold-calls me.

If I am interested, I will call you back, If I am not, I won't. If you slurred or raced through your phone number, then obviously I won't. Don't take it personally. And don't expect me to listen to a two-minute voice mail full of buzzwords a second and third time just so I can try to decipher that slurred phone number you left at the very end.

And whatever you do, don't get me on the phone and act indignant because I have not returned your cold call. It's one of a hundred I got this week, and your indignant disposition will earn you a “don't call me again.”

Thank you in advance. I appreciate your time and value our relationship. Hope to speak to you soon.

Finally some action and results in the spam war.

A jury in Leesburg, Virginia has convicted Jeremy Jaynes and his sister of scamming millions of dollars via SPAM email schemes.

The jury has recommended Jaynes spend 9 years in prison.

Hey Jeremy... You've got mail male. Congratulations.

You jerk.

I picked up a copy of a documentary film on DVD today from Best Buy called FarenHYPE 9/11, which is a response film that was made to take a critical, factual look at the Michael Moore film, Farenheit 9/11.

If you watched the original Michael Moore movie and cared at all about it (whether you liked it or hated it, doesn't matter), you owe it to yourself and everyone else to watch this documentary. You'll see people from the Moore movie talking about how they were misrepresented in the original film. Much of what Moore presented in Farenheit 9/11 is examined, critically reviewed and corrected in this film.

Seriously - there are two sides to every story, and Moore's story was such an exaggeration and misrepresentation of many facts, the FarenHYPE 9/11 DVD should be mandatory viewing. It is inexpensive - only about $11 at Best Buy, and you can order it from Overstock.com as well.

You don't necessarily have to be a Bush supporter to accept that Michael Moore flat out lied and twisted events to meet the requirements of his agenda. This is in no way an attept on my part to change your mind with regard to a voting decision - that's all yours.

It's the best $11 I've spent in quite some time.

One more time: regardless of your opinion of the Moore film and it's content, be sure to see FarenHYPE 9/11 - Once you see it, I think you'll understand why I'm so adamant.

Anyone who wants to borrow my copy, let me know.

And now, back to your regularly scheduled programming...

Web forums used to be useful. Then h4xZ0r teenagers found them, and the world changed (for the worse). Over at adminmod.org for example, about two years ago things in the support forums went to hell in a hand-basket - about the time goldzip came along (or a little thereafter). Forum flaming became an art for a short time, but as it is with most art-forms, it was quickly commoditized and thus cheapened.

But I digress...

Someone apparently picked up on this little-known and less-understood behavior over at the Steam forums, and having realized that a FAQ or sticky post won't get read by the people that need to read it, did what all good communicators do: Took it to their own medium and style.

Introducing: Posting and You

Pretty much hits the proverbial nail right on the head.

I woke up this morning, bright and early, and was getting ready to head out the door. I decided to check my email real quick, and BAM! ... Tons of referral tracking notifications, all from the same porn URL - So, it looks like someone referral-spammed by blog last night. I just removed all the bad listings, and have been trying to think of a way to prevent this from happening again. I'm coming up short in the ideas department, with the exception of the obvious: turning off referral tracking. I really don't want to do that, though.

It's the first time in quite a number of months that the site has been online, so I'll leave them on and see what happens in the future. Anyone have any bright ideas about preventing referral-listing spamming? Hey - I guess I should just be glad it's not comment spam!

This has got to be one of the most amazingly perfect examples of what's truly wrong with our world today.

PostmodernPets.com sells really-freakin' expensive pet crap for tons of money. German designer Phillip Plein has designed all kinds of cool stuff, apparently including dog bed that sells for - now get this -  a mere $1650.00!

Straight from the "uh-yeah-right" department (and the company info page of their web site):

"After browsing through our selection of products, we think that design-addicts that do not currently have pets may change their mind, and will soon discover what wonderful joys that these loveable companions can bring to life. And even if you don't purchase any products from our site, we hope our website will deepen your appreciation of postmodern design and your appreciation of pets and the fun and humor that both can bring to your life."

Riiiiiight...

The United States Patent and Trademark Office never ceases to amaze. Working as an intellectual property litigation attorney will be the biggest, fattest, most lucrative cash cow of a position of the next ten years, mark my words. Here's why:

According to a bunch of people on the Internet (here's one), it looks like Microsoft has patented the double-click. No joke. Wow.

Now, I'm a Microsoft fan, and I make no qualms about saying so - but this is going a little far, isn't it? I mean, this is amazing, really (and it has to be true, it's on the freakin' Internet!) Probably most shocking thing about it is that the patent was granted within the past month or two.

Or is it really that big of a deal???

Articles have been posted on the Internet, predictably describing this as a completely out of control situation. But, when you read the patent, it's not exactly as some might have you believe. In reality:

• The patent is primarily related to hand-held devices (I'd feel a little better if it was limited to handheld devices, though).
• The patent application states that the invention “relates generally to computer systems, and more particularly to increasing the functionality of application buttons on a limited resource computing device.”
• It describes the way an application or the OS on the device determines what kind of soft-key press has occurred, generally short, long, or multi-press events.
• From the patent: “As those skilled in the art will appreciate from the following description, while the invention is ideally suited for incorporation in a palm-type computing device and is described in such a device, the invention can be incorporated in other limited resource devices and systems, for example mobile devices such as pagers and telephones.”

Okay, so while it may be a little surprising, it's hard to say this is truly a patent on the use of the double-click action in any computing application. But it is pretty broad-reaching, and as always open to interpretation and challenge. Which gets expensive, every time it has to be litigated or challenged (see “cash cow,” above). Especially for smaller companies without major corporate resources.

And Microsoft has made no secret of it's position that there are thing it's invented (or at least claims to have invented) and for which it's recently been issued patents. The FAT file system and ClearType technologies are two recent examples, and Microsoft (some would say rightfully) has also stated publicly that it intends to pursue completion of patents to protect and increase its earnings. And even though it's a big company with big profits, that's no reason to start yelling about how they already make too much money. Whether it's the first dollar earned or the trillionth, it's not about how much, it's about who's idea it was in the first place. If Microsoft can't own ideas that are truly theirs, neither can Apple, IBM, my employer, or anyone else - whether they be big, small, corporation, or individual.

But hey - you don't really need Microsoft to be amazed. All we seem to need is the U.S. Government Patent and Trademark Office. At least recently.

Well, there is one positive thing to take away from all this: If it makes you smile, it's at least a little bit good for you (even if you do shake your head at the same time).

Well, ok, I don't actually hate them... Heck I live in a town called “Deer Island,” so I guess I can't really hate them... But the one last year that jumped in front of me, the one I drove around just barely, the one where I was on a motorcycle, and it was dark, and the ditch I drove into in order to avoid the deer, well, it had a big fallen tree branch in it, and I never knew you could total a motocycle just from the cost of the broken plastic...

Yeah, well anyhow deer are ok with me unless they're in the middle of the freakin' road in the woods at night. Then they just suck.

But anyhow, none of this matters, especially since I got right back on that horse again this year (or more specifically I got back on all 203.5 of them).

My real point is, I laughed out loud while reading a pretty funny blog entry. And I thought I'd share the laughter. The link was gleaned from several other blogs I read. Enjoy.

I know there are some people in the world that never get spam email, but unfortunately I am not one of you. Between my email being publicly available on the Internet for the past few years and the fact that I have to sign up for all sorts of random things with a real email address, it’s just added up, and I get inundated. It’s funny to talk to others about spam email. Either they understand because they, too, have fallen victim to the scourge of the Internet, or they look at you like your advanced-stage leprosy has caused you right ear to fall off and your left leg to rot.

So, in the interest of protecting the reputations of those of us who unwillingly receive tons of junk mail a day, let’s take a look at how and why spam reaches our inboxes. Hopefully some who read this will learn something new, others will realize the errors of their ways and stop calling their spam-laden friends perverts, and still others will pick up a few hints about how to avoid becoming a victim (in the cases where it can be avoided, that is).

Remember one thing walking into this: Spam is almost completely about money. If there wasn’t a potentially big payoff in sending spam, no one would do it. If people did not reply to spam email messages and offers, no one would do it. It’s a business, albeit one that most of us hate with a passion.

Before I get too far down this road, let me say that every day I receive in excess of 200 junk mails in just one of my email accounts. I have other email accounts that get none. So, since I am one person with multiple accounts, something tells me the issue here is not me personally, but instead about how the world of email and spam works, and how the spammers started using my email address in the first place.

The fact of the matter is, much of what many people believe about spam and how one starts getting it is patently false. Certain assumptions are correct, although often the facts are twisted around, and people often wear blinders, assuming there is one root cause or one simple solution. It’s not that easy, friends. So, here are a few (admittedly random) things I think everyone should know about spam:

Myth Number One: If You Get Spam, You Must Be One Of Those Porn Surfers

Just like in junior high school, where your friends laughed at you and pointed in the hallway when they found out you did THAT (never mind that it wasn’t true, of course), people tend to assume that if someone gets spam email, it’s because they went to an “adult” web site and registered with their credit card and email address. As a result, you were added to an email list, and so now you get tons of junk email about V1agra and S3X – but hey, if you get that kind of email, it’s entirely your fault and you got what you deserved.

Not true. As someone who has *never* registered for online porn or anything even resembling such, especially with my work email address (I mean, come on, how stupid can a person get?), I can tell you that you don’t need to be a perverted Internet sex addict to become a spam victim.

I can also tell you that people really do think along the lines of this particular myth. Not many, but at least some do: A couple of years ago, I was standing in front of the entire company, showing off the new secure, web-based email interface. I switched from the PowerPoint slide to the browser where I had my email account open, and sure enough, right there on the screen was a spam email with the words “XXXPORN SUPERSTORE” in bold red letters. Luckily it was just text in the email, and while surprising to many, there was nothing vulgar displayed. Needless to say, many laughed and I still get (lighthearted and friendly) comments about it to this day. A few people followed the pattern of the myth and assumed I *must* have signed up for porn using my work email account (uh, yeah, sure), while others stopped by to see me later and tell me privately that they, too, had a problem with nasty, offensive spam and that they had no idea why or where it came from. It wasn’t long before we started working on ways to combat the spam at work. More on that later.

Myth Number Two: It’s Completely Your Fault

Another assumption people make is that if you get spam, it’s because you signed up for *something* somewhere on the Internet and voluntarily made your email address available when you filled in a registration form. If you had not done that, they say, you would not get the spam email.

Similarly, some say that if you get spam, it’s because you must have posted your email address somewhere on the internet, like on a web page, and so you advertised it for spammers to eventually find (this is one form of a technique called email address “harvesting”). And so – again – it’s all your fault.

Ok, so it is true that if you register with your email address on a web site that does not respect privacy, or if you put your email address on a web site somewhere, you could end up becoming a spam victim. It’s reasonable to say that these are two ways email addresses might get on a spammer’s list. However, it’s important to understand that you don’t *have* to do these things in order to get on a junk email list. There are many other ways, and some take no action on your part. More on that below.

Myth Number Three: People Who Get Spam Are Irresponsible, Don’t Think Ahead, and Cannot Be Trusted

This sounds almost comical, I know, but I actually stood on the edge of a conversation where one person said to another (seriously), “I would never hire anyone who gets spam email. It’s just an indicator they don’t know what they’re doing and that they’re basically stupid.” Wow. If there was ever a false, way-over-the-top generalization made about junk email, this has to be the one. The guy who made the statement was serious as a heart attack, and went on to explain that because people can completely avoid spam if they would just be more careful and use common sense in the first place, spam was an example of how you can tell whether or not someone will be a good employee. He even includes the question, “Have you ever received spam email, and if so what do you think about it?” in his interviews. I’m just glad this guy doesn’t work at my company. If he wasn’t actually serious, I’d laugh, but the fact of the matter is there are people out there who make off-the-cuff, uninformed decisions about lots of things based on completely irrelevant data. Amazing.

Myth Number Four: Spam is Totally Preventable – You Just Didn’t Do Enough

People just don’t seem to get it. Spam is *not* totally preventable. While there are ways you can protect your email address from getting on spam lists, there is no sure-fire set of things you can do that will guarantee your account will stay junk-mail-free.

By way of example, I set up a catch-all account on a domain I own recently. Any email sent to any email address on the domain was all funneled into this one email account. I did not set up a web site, did not set up or submit any email addresses anywhere. I just set up the brand new domain with it’s single show-me-everything email box and waited.

Within a few days I started receiving spam at random addresses on the domain. Some of them you might expect: admin@domain.com and support@domain.com for example. But others were more creative and sneaky. Random first initials and last names, first names followed by last initials, common first and last names combined, etc.

So, there’s the proof – you don’t have to sign up for anything, post your email address anywhere, or take any action at all to start getting spam. Now, granted – if you are not prudent about how you handle your email address or if someone else mishandles it (intentionally or otherwise), you are more likely to fall victim. But sometimes you just have to do nothing.

Myth Number Five: Out-of-Office Auto-Replies Are Totally Cool and Make My Life Easier

Ah yes, the ol’ OOF autoreplier – You know, it’s that thing that shows up in your mailbox when you send a friend or colleague an email and they happen to be, say, on vacation, or maybe at the mall shopping instead of working.

What, you ask, is so bad about that? And what does it have to do with whether or not I receive spam email?

Glad you asked.

Let’s say someone sends a spam email that happens to be directed at your email account. Here’s what happens.

1.       Email sent by sorry, good-for-nothing spammer

2.       Arrives at your email box

3.       Your server sends your out-of-office autoreply back to the reply address specified in the spam email

4.       That reply address is monitored

5.       Spammer checks the account your server replied to, sees your autoreply, and thus has confirmation your mailbox is legitimate, working, active and – therefore – valuable to him/her.

6.       Spammer adds your address to the list of email addresses confirmed to be good – the gold list, so to speak

7.       Spammer sells gold list of known-working email addresses to other spammers for a premium

8.       You get more (and more and more and more) spam

Fun eh?

Moral of the story: Don’t use Out of Office autoreplies, or configure them so they only work for internal emails. And yes, I know there are legitimate business reasons for wanting to use them – it’s a trade-off decision that has to be made. You just need to understand the potential effects.

Myth Number Six: Antivirus Software Has Nothing to Do With Spam

Wrong again. AV software certainly can protect your computer and its data from damage, theft and a lot of other nasty things, but what you may not have known is that it can also protect you from becoming a spam victim. The only problem is, everyone has to use AV software (and use it correctly) for it to really work.

For the uninitiated: A “Worm” is a virus-like application that replicates via email. Generally speaking, once they get on your computer they scan your system in a few common places (address books, cached web pages from sites you have browsed, text files, documents, etc.) for email addresses. *Any* email addresses. They then use those email addresses to send emails (which generally include an attached copy of the same worm) to the email addresses found on your computer. So, you see how it works – the worm sends itself all over the place, to thousands of people, and each step of the way it collects email addresses so it can send itself again to more victims.

But wait a minute – that’s not always the extent of what they can do. In addition to installing other software that might, for example, allow a hacker to gain access to the files on your computer or to use it to launch attacks against other computers, some worms take those email addresses and (as long as they are being gathered) send the addresses off into cyberspace where spammers and others can get them.

So, in other words, if you don’t use anti-virus software on your computer and you get infected with one of these harvesting worms, you’re not only making yourself a victim – you’re dragging along all the innocent people listed in your address book and the other files where the worm does its harvesting, as well.

Using current AV software is part of being a good Net citizen. By doing so you protect more than just yourself.

Myth Number Seven: Well, That’s All Fine and Good, But There’s Nothing You Can Do About It Once It Starts

Again, not true. There are a number of companies out there that sell software that is quite effective at blocking spam from reaching you or your end users.

Why would you want to use it?

If you’re an individual, then you want to rid yourself of the mess. Maybe it offends you (depending on what kind of spam you get). At least you’d like to segregate email that is determined to be likely spam so you can filter through that separately from your legitimate email.

If you’re a person with responsibility for a company’s information systems, the reasons are bigger and more important. You have a responsibility as an employer (or the agent of an employer) to make sure the working environment is positive (or at least not offensive or hostile). Depending on the type of spam email your end users are receiving, you may have a responsibility to them to make sure you are doing what you can to combat the problem. Remember, ignorance is not bliss. And as easy as it is to put measures into place to help curb spam these days, not doing something when there is a problem is – truly – ignorant.

Where I work we use Mailfrontier’s anti-spam gateway. There are a number of other products from a variety of vendors that also do a good job. But for our part, we like what we’re using just fine; Mailfrontier is highly customer-oriented as a company, and continually combats the latest techniques spammers are using to get their junk through to you.

UPDATED: My friend Travis emailed me with some valid comments about Myth Eight:

I think the validity of the unsubscribe link is directly proportional to the legitimacy of the spammer's business.  If you get porn spam, or "V1AGRA" ads, you're probably better off not clicking the link, sure, but ads from job posting sites and such generally do actually unsubscribe you if you click.

That's a good point. Travis continues with his own opinions about spam:

Spammers should be punished by death.  A brutal, painful, horrible death.  Something that's probably specifically in the "cruel and unusual punishment" class.

Spam sucks. There’s no one root cause. You can’t always prevent it. But there is something you can do about it.

Anyhow, when it comes to spam, that’s about all I have to say about that.

I must say, I was just a little surprised at how many people actually thought I was being serious earlier today... I mean - DOG SEAT BELTS??? Come on!

My story was borrowed from a pre-planned radio show on 1190-KEX here in Portland. The radio personalities notified some listeners a day ahead of time, to have them help to make it that much more believable. It worked.

The first person I heard from among many today was my friend, co-worker and neighbor, Mike. He seemed shocked that my dog, Buddy, was in jail.

My reply: “Can you *believe* that crap????”

He wasn't the only one.

Once the radio show started this afternoon, not only did the phone calls start rolling in to the KEX studio, but the local and state police offices started getting a lot of phone calls, too. The Portland Police Bureau was warned ahead of time, and it sounds like they were ready, but the Oregon State Patrol wasn't aware or prepared for a bunch of phone calls from angry and confused people wanting to know what the heck was going on with this “new law.”

Classic.

Anyhow, Happy April Something-or-Another.

Bike? CHECK!!  Video Camera? CHECK!!  Sheer Cliff? CHECK!!  Parachute??? Uhhh...

Oh my my my my my.. It hurts sooo bad just to watch. Can't say I didn't warn you.

Note to self: Make sure parachute's properly rigged before riding off cliff.

AAAAAAGH!! Something about Kid Rock in a cut-up American flag, preceded by the lamest set of artists they could possibly think up, that just further affirms my prior belief that CBS sucks. Only in Houston. Really. Think about it...

And wow, what perfect timing: Janet Jackson. Gee, wonder why? Justin Timberlake certainly seemed to enjoy being on stage with her, though.

Oh, and here I am, watching the Superbowl with our entire youth group at church. And there's Justin and Janet, gettin' it on. And hey, quite the ending there - wow.

Great. Just great. The game means nothing, but suddenly halftime is the most important thing on the face of the planet. These kids are all over it. We've got twelve year old boys hollering for others to get out of the way just in case there's more Janet Jackson on the screen. No such luck, kids. Maybe next year.

Overheard: “TriMet's a great system if you live next to it.”

Uh, yeah.