This blog is now hosted at

Friday, December 28, 2007


Going to the Apple Store ... $0
Looking at iPhones ... $0
Logging into your personal email account with a demo iPhone ... $0

Leaving 100 of your private messages, including receipts and private correspondence on said demo iPhone? Priceless.

Yes, I did actually see this. Maybe it says something about the core demographic for the iPhone (I kid!)?

Wednesday, December 5, 2007

How not to Monitor Email

This is inspired by an article over at Worse Than Failure.

If you really want to fail at email monitoring, here are some ideas:

  1. Don't tell the employees.
  2. Don't create any policies that outline acceptable use.
  3. Don't create any policies that outline acceptable monitoring.
  4. Make sure the monitoring is as intrusive as possible, bonus points for trying to be covert, but telegraphing everything to the people being monitored.
  5. Cause mail delays or blockage.
  6. Be inconsistent.
  7. Use people to review every email-- better yet, outsource it to somewhere that doesn't care about your intellectual property.
  8. Implement it without much thought towards what you wish to accomplish, a vague feeling of "we should be monitoring" is enough to start.
  9. Don't talk to the HR department.
  10. Don't talk to the Legal department.
  11. Don't talk to IT, just foist it upon them at the last possible moment.

Wednesday, November 21, 2007

Ribbecke Halfling

I'm having an acoustic bass guitar built by Ribbecke Guitar Corporation, and the first pictures of the build are now available.

If you haven't heard of them, check RGC out-- they make the best acoustic bass guitar I've ever heard.

Monday, November 19, 2007

Mike Huckabee Uses One Of My Favorite Internet Memes...

So now, in addition to being a bass player (we're all about style over substance here), Mike Huckabee has thrown down the gauntlet. Vote for Huckabee or face the wrath of Chuck Norris.

Chuck Norris doesn't have a chin under his beard-- he has another fist!

Clever indeed, and this video will definitely "go viral", due to the existing viral nature of "Chuck Norris Facts".

Wednesday, November 14, 2007

Teh iPhone Causes Typos?

Okay, I was right, and I was wrong.

The iPhone isn't significantly slower than other types of keyboards to type on, but it does cause significantly more errors.

An article at ITworld outlines the results of a study into speed and accuracy for different input methods. iPhone users made over twice as many errors (5.6 per message vs. 2.4 for a numeric only keypad).

Apple made a bet on an experimental user interface. Many of those aspects worked well (multi-touch is going to be a de-facto standard over time). Some of them, (the keyboard) didn't work so well.

I know that Steve Jobs hates buttons, but should his jihad continue to the detriment of his users?

Update: Roger Matus covers this in his blog (Death by Email): link

Tuesday, November 13, 2007

Android De-Fragmentation

With Android being released as an open source operating system, one of the risks is that the companies in the Open Handset Alliance could fragment the development of the OS. It turns out that Google has worked to prevent this.

It seems fairly obvious, but balkanization of Android would likely cause significant issues with its adoption. The real issue is: who does balkanization affect?

Answer: the users.

Up until now, the cell phone manufacturers and the service providers have been united in denying user choice. I have high hopes (some days I'm an optimist!) that Android can be the straw that breaks the camel's back in this hegemony.

If Android actually lives up to my current expectations, we're due for a serious inflection point-- and another Internet revolution.

Vive la choice!

Monday, November 12, 2007

Android SDK first look

Last week, I took a brief look at the Blackberry SDK. Well, it's November 12th, and it's A-Day. Here are some initial thoughts on the Android SDK.

  • Kudos to Google for producing a cross platform SDK. Win/Mac/Linux is nice, since so many developers today use the latter two as their primary OS.
  • In looking at the documentation, everything seems to follow the web development paradigm, but with a few detours for things like long running processes (like the example they use: a media player that plays music in the background even when the UI isn't showing)
  • The interfaces look very open; you can register for external events (e.g. an incoming call or SMS message)
  • The Content Provider interfaces look nice, and the XPath style access to data is a nice, clean, and open interface.
APIs are nice and all, but what about tools?

I'm happy to note that the tools all seem to be there: Plugin for Eclipse, debugger (both against the emulator, and remotely against a device), plus all the packaging tools. Nice.

Other things to note:
  • Location based services, with integration to Google Maps.
  • 3D graphics (OpenGL). The support looks somewhat immature, but with NVidia as part of the Open Handset Alliance, this might just become a decent homebrew gaming platform.
  • Low level hardware access will be available, but isn't ready yet.
  • XMPP support; this will enable P2P applications and communication (IM, games, etc.)
  • Android has support for recording and playback of audio and video. As a musician, I like the audio recording bit. Nice.
  • They have some really nice documentation available; They even cover some of the things that developer level documentation doesn't normally cover, like how to make an app responsive, how to understand the lifecycle of applications, etc.
With HTC announcing that they are going to release 3 handsets based on Android next year, it looks like Windows Mobile might be in trouble. If they can make a well-integrated, responsive phone that looks nice, they will probably start to cut into the iPhone market as well.

Looks like the smartphone market is about to get a whole lot more interesting.

Thursday, November 8, 2007

The right to a trial is sacred

Normally I don't talk about things that go on in the office, but the PFY managed to get himself a rather steep speeding ticket.

So, he's doing the smart thing: getting a lawyer!

I've heard all the excuses, I'll ask for leniency, etc. All hogwash, in my opinion. If you're in the Seattle area, and you get a ticket, do yourself a favor and call Jeannie Mucklestone. She's great.

Tuesday, November 6, 2007

Blackberry SDK

I've been considering a development project for the Blackberry, so I downloaded the Blackberry SDK from RIM. I was pleasantly surprised:

  • It looked quite complete (having looked at J2ME a few years ago, yuck!)
  • They included many examples, including some that would be difficult without an example, e.g. Bluetooth Serial

All in all, I'm quite impressed with the level of effort that obviously went into producing this SDK, and it is nice to see device makers actually courting developers.

I'm hoping to do some comparisons or at least an evaluation of Google's Open Handset Alliance/Android toolkit, so watch this space after the 12th of November (when the toolkit is due).

Monday, November 5, 2007

GPhone Isn't a Phone, It's an Android

The much awaited announcement did actually happen today, it just wasn't what everyone was expecting. Google announced the Open Handset Alliance (OHA). While the gadget freak in me would have liked to have seen a shiny new device, this actually is a great announcement. Read on for more analysis.

The Open Handset Alliance has definite potential to be a market changer. Let's all admit it: cellphones are currently a game where you decide what deficiencies you're willing to live with. Things like:

Windows Mobile: Microsoft has been steadily proving to us that they are incapable of producing a decent quality mobile OS. They always have all the checkboxes (fast processors, great screens, etc.), and always come up short.

iPhone: The device that makes Apple look like IBM in the bad old days.

Blackberry: not quite as powerful or featureful as, say, Windows Mobile

I've long thought that Linux would be great for mobile devices, once they hit a certain level of CPU/Memory capacity. The main downfall with Linux is that nobody seems to go the extra mile to make something that "just works" (and kudos to Apple for doing just that, unless you want decent bluetooth support).

If the OHA can figure out how to put out a bunch of devices that "just work" but are also an open platform that actually invites developers to produce software, we may just have a winner on our hands. It is about time for someone to apply bazaar development practices to the traditionally cathedral mobile market.

As these devices become more powerful, the PC will begin to lose its dominance, and having an open platform upon which to make that transition is a huge win for consumers.

Thursday, November 1, 2007

Bayesian Filtering: Why Not?

The earlier pieces I did on Ron Paul spam (here and here) point to some problems with Bayesian filtering. Read on for some further analysis of the problems with Bayesian filtering.

Bayesian filtering, in a nutshell, breaks an email down into words and/or phrases and assigns each one a spam probability based on how often that token has previously appeared in spam as opposed to legitimate mail. For example, let's assume that spammers are sending messages advertising a product called "Bradley". Over time, as those messages are categorized as spam, a Bayesian system would give an increasing spam score to the term "Bradley".

This type of system began to be deployed widely starting 3 or 4 years ago, and was very effective for a couple of years.

Bayesian Poisoning

As seems to always be the case, the spammers switched tactics. They began sending out their spam padded with a large number of (typically incoherent) words lifted from news sources or literature. This throws off a Bayesian system in two ways:

  • The "good" words pull the message's score toward non-spam, so the message has a better chance of getting through, and
  • Once the message is classified as spam and fed back into training, those good words start to count as spam indicators, so legitimate mail containing them is more likely to be flagged later.

Beginning about a year ago, I started receiving spam that only had the good text, no advertisements. This was a deliberate attempt just to poison Bayesian systems.

The ongoing issue with Bayesian systems is that spammers have fairly effectively figured out how to confuse them, producing both false positives (acceptable mail called spam) and false negatives (spam let through). Fortunately, the state of the art in spam detection is being pushed forward as well.

Tuesday, October 30, 2007

Ron Paul Spam an attempt to block campaign email?

After writing my previous article about the email spam advertising the 2008 Ron Paul presidential campaign, I was left wondering: why?

Why would someone use a method so polarizing as spam in a popularity contest? The tinfoil beanie wearer in me came up with a very insidious reason.

So let's say that you are an opponent of Ron Paul, and you want to limit his reach. Where is his campaign most effective? That's right, online. You can't block his campaigners on digg, et al., but maybe you can prevent email.

No really, and here's how it works:

Send out all of Ron Paul's campaign ideas, use his bumper sticker phrases: "Ron Paul has never voted for a tax increase", and make double sure that the email will get caught as spam.

About Bayesian Filters
Now, most people who have used anti-spam tools have probably heard of a Bayesian filter, but what you may not realize is that Bayesian filters are subject to poisoning. You've seen this before, in spam that seems to have unusual strings of semantically incoherent words, or direct quotes from the news or literary sources. This is an attempt to "trick" a Bayesian filter.

What you may or may not remember is that most of this was preceded by mail that looked similar, but contained no actual advertisement. This was an attempt at pre-training the Bayesian filter to accept the later spam.

How does this affect legitimate mail?
Now back to the Ron Paul spam: if these mails are caught as spam (and they are a very obvious form of spam-- any spam filter should catch it, and MessageGate certainly nails the headers), then the phrases contained in the email get added to the Bayesian "spam bucket" and are henceforth used as indicators of spam. Then, when the Ron Paul campaign sends out a legitimate mail (say, one that you actually asked for), it will be categorized as spam by the Bayesian filter.

That would be particularly devastating to a campaign that seems to be almost entirely dependent on the Internet.

I'm not saying that this is actually what happened, but it's interesting to think about.

Monday, October 29, 2007

Ron Paul Spam

I wrote about the Ron Paul fan club earlier.

I've been around since Canter and Siegel offered me a chance at the green card lottery, but this is novel:

Message-ID: <000701c81a53$0156f27e$3360289e@yeibw>
From: --obscured--
To: byoung
Subject: ***SPAM*** Ron Paul Eliminates The IRS! XqvMlJY
Date: Mon, 29 Oct 2007 15:56:37 +0000
MIME-Version: 1.0

Hello Scott,

Ron Paul is for the people, unless you want your children to
have human implant RFID chips, a National ID card and create
a North American Union and see an economic collapse far worse
than the great depression. Vote for Ron Paul he speaks the
truth and the media and government is afraid of him. This is
the last honest politican left to bring this country out of
this rut from the War Profiteers and bush Administration has
created. Get motivated America, don't believe the lies of the
media he has also WON the GOP Debate On Sunday! Value Freedom
and Liberty instead of corporate lies and corruption. Bypass
this media blackout they are doing to Ron Paul, tell your family
and friends and get involved in a local group at make
your voice heard! He will end the War In Iraq immediately,
He will eliminate the IRS and wasteful government spending, and
eliminate the Federal Reserve and restore power to the people
and the only person not a member on the CFR. Can any other runner
make these claims or give Americans the true freedom we were all
raised to believe? We are all economic slaves to the banks and the
illegal federal Reserve. This is why our currency is worth nothing
because of Hidden Inflation Tax and the IRS taking everything
you make!


He has NEVER voted:
* to raise taxes
* for an unbalanced budget
* to raise congressional pay
* for a federal restriction on gun ownership
* to increase the power of the executive branch

He HAS voted:
* against the Iraq war
* against the inappropriately named USA PATRIOT act
* against regulating the internet
* against the Military Commissions Act

He will eliminate the IRS, Wasteful Government Spending &
Stop The Iraq War Immediately!

Most importantly, he voted NO on anything in Congress that
is not allowed by the Constitution. And he Despises any
politican that does not do their job for the people and lives
up to the constitution! & Search: "Ron Paul"
Join The Revolution!

We Need A Real President That Will Restore And Protect
Americans! Stop The War! Protect Our Borders!
*********VOTE RON PAUL 2008************

Editor's note: I work at a company that produces anti-spam solutions.

Now from the purely technical point of view, this is a rather obvious spam-- there are definite telltales in the Received: lines (which is why I didn't get this message at my work account-- we screen for false headers). This came in on my "canary in the coal mine" account, which isn't listed anywhere, and which I never use, except to receive spam.

Dr. Paul's supporters are well known at this point for being very active on digg and the like (to the point that many have accused them of spamming), but this is really a new low.

I hope that these political spams get a little more sophisticated (since we all know they will continue, now that they've started), starting with: please don't send mail with 500 words in one paragraph.

Concert last weekend

This weekend, my wife attended an event, leaving me as sole provider to the kids. Always looking to expand their horizons (and lacking adult supervision!), I decided to take them to see some live music.

Kimberly Lynn is a bass soloist, who has an interesting methodology: she uses a looper (which is pretty much de rigueur for soloists), but also has a MIDI pickup. Anyhow, she's very talented, and the music is interesting (the kids definitely liked it). I'll even forgive her for a rendition of White Christmas before Halloween.

She is currently playing Saturday nights in Poulsbo, WA at Casa Luna. Check her out if you have the chance.

On the way back, we took the Bainbridge Island ferry (see picture above). I loaded the little ones with hot chocolate and made them stand out on the freezing cold prow with me. It brought back the magic of childhood-- they were so excited to be on the ferry, asking about sharks, "we drive onto the ferry?!?!", etc.

I wish I had thought to bring a kite.

Friday, October 26, 2007

More troubling breathalyzer news

I have written previously about the Minnesota case where the company that manufactures breathalyzers is being required to produce the source code for the device in a drunk driving case (here and here).

By way of disclaimer, I do not condone the practice of drunk driving, and believe that current penalties are at least 1-2 orders of magnitude too light. Additionally, I'm focused on US law.

An article in the Seattle Post Intelligencer has, in my mind, clarified quite succinctly why we should require open availability of specifications, design documents, and source code for any software or hardware device that is used as evidence in a court of law. From the article:

In a widely anticipated decision, the Skagit County District Court judges found examples of careless or potentially flawed work done by state scientists and evidence that three people -- including state toxicologist Barry Logan -- committed misconduct.
Here's why we should have access to the designs, specifications, and implementation information:

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense. (emphasis mine)

That's the sixth amendment to the U.S. Constitution.

How do you cross-examine a device? How do you confront this "witness"?

You look at three things:
  1. Its design. The design may be flawed, intentionally or unintentionally.
  2. Its implementation. This is where the hardware and software (firmware) can be tested to verify correct function.
  3. The device itself. Is the device used for the test operating correctly?
Now, before you accuse me of being paranoid, read this article from the DUIBlog. The source code would not pass muster for any public safety requirement, but can be used to reliably convict you of a crime.

Imagine that there's this magical box that can decide your innocence or guilt. Whether you go to prison or not. Whether you are branded criminal.

It is truly amazing to me that we are willing to trust a device without truly verifying it. As though it has some magical power to discern. Maybe we're just too willing to trust that a commercial entity is going to produce a perfect device, or that they are "experts".

The reality of the industry is that there are a lot of mediocre developers, managers, testers and processes. The reality is that deadline pressures cause inadequate testing. The reality is that the "expert" implementer may have taken 6 weeks of Java training before starting work on the software in question.

I know that seems harsh, but it is a reality in the software industry.

Hence the need for openness.

Wednesday, October 24, 2007

Microsoft to push functional programming

The .NET Common Language Runtime has indeed shown its flexibility (I'd like to see a JVM do this!) in supporting a "real" functional language, F#. F# is closely related to OCaml.

Ars Technica has coverage.

The most interesting part of this announcement is that it will be fully supported in Visual Studio. In case you haven't worked in enough development organizations, this means that a large percentage of current .NET shops will, over the next several years, evaluate and begin to accept F# as a first tier programming language.

This can only bode well for those of us who were left feeling a little flat with Java and C# (although C# is a markedly better programming language than Java). The part that excites me is that if this catches on, it will generate new modes of thought in programmers, as we saw years ago when noun-oriented (oh, sorry, I meant object-oriented) programming became fashionable.

Kudos to Microsoft for continuing to push forward and take risks with the .NET platform.

Google Analytics

I love reading the reports from Google Analytics. There is a section in the reports that outlines what query terms were used to find your site, and some of them are interesting (makes you wonder what they're really looking for), and some that are just sort of funny.

Here's one:

how do you address an acting first sergeant

Just for reference, I'll submit that you'd address them formally as First Sergeant:
Yes, First Sergeant, I'll clean the latrines right now.

and informally as Top:
On my way, Top.

I don't know the particular etymology of the "Top" moniker, but I suspect it has to do with being the senior (i.e. top) enlisted position at the company level.

Monday, October 22, 2007

Apple to release iPhone Development Kit

In a somewhat interesting turn, Apple, Inc. have decided to release a development kit for the iPhone and iPod Touch. BusinessWeek has some coverage of this.

I'm happy about this, because I think that the more open a device is, the more attractive it is. I don't think this will help with Apple's not-quite-complete Bluetooth stack (as I said earlier-- it doesn't have HID (keyboard) or voice activated dialing support), and that's probably a deal killer for me.

So I'll likely be sticking with BlackBerry, but seriously considering upgrading to the 8800 series.

Monday, October 15, 2007

Gold plated, oxygen-free interconnects... for your dryer?!

I was tasked with being the "care provider" the other night, so I decided to make a family pilgrimage to Fry's. Two things stood out:

1) The line for the cashiers was absolutely obscene.
2) Monster Cable is now making power cables for dryers.

Now, maybe it's just human nature, but what would bring you to pay 2-3 times as much for a power cord for your dryer? Are you concerned that you're not getting all the frequencies that you should? Already spent $20,000 on cables for your stereo, and you've run out of things to "hand-wire with point-to-point architecture"?

Of course, the cables were only like $50, no true audiophile would consider that- they can't possibly have bright open highs and singing bass at that price point. Or be hand routed. Of course, I'm not sure how you'd measure something like that on a dryer.

In Monster Cable's defense, it did look like a well built cable, and I do use their instrument cables (they have a no-questions-asked, bring it to any dealer exchange warranty, and cables always go bad over time).

Thursday, October 11, 2007

Apple Class Action Suit over iPhone

Looks like Apple is going to get sued over their bricking of modified iPhones.

AppleInsider has the goods.

I think that apple has been getting progressively more control freak-ish, what with controls on the iPod, and the hardcore lockdown on the iPhone. Maybe a lawsuit will mellow them out some.

Wednesday, October 10, 2007

Mobile Firefox on its way

Mike Schroepfer has an interesting article on his blog about creating a mobile version of Firefox.

I, for one, am very excited about the prospect-- I've gradually gotten hooked on having a web browser with me all the time, and it would be very helpful to have a full featured browser available (e.g. AJAX support). I'm hopeful that the development cycle and hardware advances will intersect, producing a decent iPhone competitor.

The perfect partner for this would be the smartphone vendors, like RIM or Danger. I've already expressed my fanboy love for Blackberries, but it would really help to have a better browser included (I will admit that Opera Mini is pretty decent, but the idea of proxying everything through their servers is disconcerting).

Here's my ultimate device:

  • Great email support (BB gets the nod here, but rendering HTML mail is dodgy, and needs improving)
  • Great Bluetooth support (keyboards, stereo headphones, etc.)
  • High resolution screen
  • Full featured web browser
  • Must take third party applications

Notice that this looks a lot like the Blackberry 8820, which I might just buy in the interim (while the mobile firefox guys get ramped up).

What do you think? Comment below.

Tuesday, October 9, 2007

Email, the miscommunication optimizer.

There is a good article about the potential for miscommunication in email over at The New York Times (registration required, don't you have BugMeNot yet?).

It puts a bit of a new spin on an old dilemma-- the fact that emotional content is difficult to properly convey in email. This should be obvious to any long term email user-- you've likely had your email grossly misinterpreted. The interesting bit is that they are bringing "social neuroscience" into the equation, and actually analyzing the brain patterns of people interacting.

The rule of thumb I have used for years:

An in-person conversation has 100% communication bandwidth (body language, tone, words).

An on-phone conversation has 50% communication bandwidth (tone, words).

An email conversation has 20% communication bandwidth (words).

Monday, October 1, 2007

Receiver Initiated Authentication

Over the weekend, I read a proposal for a new method to combat spam, called receiver initiated authentication.

Read on to learn the pitfalls that the author missed.

First, it depends on changing client code. The author suggests that three companies control 70% of the email clients, which is basically true. What he does not account for is that users also have some choice in this-- they don't have to (or may not be allowed to by IT policy) upgrade to the latest version of Microsoft Outlook, for example.

Second, it assumes that "legitimate" companies would implement it. The spammers implemented SPF faster than any of the "legitimate" companies.

Third, it assumes a database of "authorized" domains. This is a popular anti-pattern to many integration problems, so I got a good laugh. (The anti-pattern is, "Let's build a big database!", and is fraught with scalability issues.)

Fourth, it uses captcha. This is supposed to block spammers, but creates a pain for legitimate users.

Anti-spam solutions are about two things:

  1. Convenience for the user (put another way: productivity for the user increases when they don't have to delete 100+ spam messages a day)
  2. Security (preventing phishing scams, viruses, etc.)

When the solution puts burden on the end user, it can never be successful.

Editor's note: I work for a company which is in the Email Governance space (including anti-spam).

Full article here.

Friday, September 28, 2007

Perforce considered harmful

Color me unimpressed with Perforce's keyword expansion. This line of Perl went in:

if ( ( -f $File::Find::name ) && ( $_ =~ /.eml$/i ) ) {

and this is what came back out of the depot:

if ( ( -f $File: //messagegate/MAP/tools/ $_ =~ /.eml$/i ) ) {

Since I use File::Find only all the time, no problem. Of course, Perforce's byzantine user interface always helps matters.
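An added illustration, not the post's own code and not Perforce's implementation: a Python approximation of the `$File$` keyword expansion that files of type `+k` (ktext) get at check-in. Perforce recognises both the bare `$Keyword$` form and the already-expanded `$Keyword: ... $` form, so `$File:` at the start of `$File::Find::name`, together with the next `$` on the line (the one in `$_`), reads as an expanded keyword waiting to be refreshed. The regex below assumes exactly that rule, and the depot path is a placeholder. keyword_hazards() is the pre-commit check that would have caught the line before it was mangled.

```python
import re

# Perforce RCS-style keywords (expanded in files of type ktext / +k).
KEYWORDS = ("Id", "Header", "Author", "Date", "DateTime", "Change", "File", "Revision")
# Assumed expansion rule: `$Keyword$` or `$Keyword: <anything but $> $` on one line.
KEYWORD_RE = re.compile(r"\$(" + "|".join(KEYWORDS) + r")(?::[^$\n]*)?\$")


def expand_file_keyword(line, depot_path):
    """Rewrite `$File$` / `$File: ... $` to `$File: <depot_path> $`, as a +k check-in would."""
    return re.sub(r"\$File(?::[^$\n]*)?\$", f"$File: {depot_path} $", line)


def keyword_hazards(source):
    """(line number, span) for every piece of text a +k check-in would rewrite."""
    return [(n, m.group(0)) for n, line in enumerate(source.splitlines(), 1)
            for m in KEYWORD_RE.finditer(line)]


# The Perl line from the post plus two constructed neighbours; `$Filename` is safe because
# the keyword must be followed by ':' or '$', not by more letters.
SAMPLE_PERL = """\
use File::Find;
my $Filename = $ARGV[0];
if ( ( -f $File::Find::name ) && ( $_ =~ /.eml$/i ) ) {
"""
```

Running keyword_hazards(SAMPLE_PERL) reports only line 3, with the span `$File::Find::name ) && ( $`; that span is what expand_file_keyword() replaces, which reproduces the shape of the mangled line above. The fix on the Perforce side is to not give Perl (or shell, or Makefile) sources the +k type at all, or to write `$File::Find::name` as `${File::Find::name}` so no `$File:` sequence appears.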

Tuesday, September 25, 2007

The Proof of Concept

Continuing in the theme of pre-sales presentations, I thought I'd spend some time discussing the Proof of Concept (POC). The Proof of Concept is essentially required to bring enterprise sales to closure, but they can be risky.

Here are some pointers on doing a successful POC.

First and foremost, understand that the success or failure of a proof of concept hinges on two things:

  • Technical aptitude and sales ability (skills)
  • Control of Scope (management/risk mitigation)
The area that you can influence the most (aside from keeping your chops current) is risk mitigation. The method to do this is to control scope. You want to do the minimum proof necessary to demonstrate capabilities.

"Well, could you make it do..." is the most dangerous question ever during the middle of a POC.

Some of the questions you need to ask before the POC starts:

  • What is it that we're trying to prove?
    You should have an elevator speech ready, and should repeat it often. This is what we're trying to prove, and this is what we have proven. This should be something definitive or measurable: "We're proving that we can do X transactions per unit time with this test corpus" or "We're proving that we can web-enable this business transaction"
  • What are the standards of success?
  • What are the next steps upon success?
    This is a "give to get" proposition: if we can prove the solution works, what is the next step in the sales process.

Some additional tips:
  • Be visual.
    While at WRQ (Attachmate), I did numerous Proofs of Concept with their integration tool, Verastream. In every case, I highlighted the "behind the scenes" workings by showing the actual mainframe transactions-- this never fails to communicate that the demonstration is real, and integrated.
  • Teach.
    If you can educate your customer about the product or service you're trying to sell, you just won a leg up. Customers buy solutions they understand and can approach.


Saturday, September 22, 2007

More on Technical Presenting

This is a follow-on to a previous post.

If you're doing a Technical Presentation, here are the most important things that you can establish or give to your audience.

  • Education: the audience is there to be taught about your subject
  • Communication: interactivity is the key to moving beyond the brochure into the "I can use this" moment
  • Understanding: How can your audience actually make use of your subject matter?

There is a maxim that I use, "You can't tell anyone anything." By way of definition, think about attempting to "tell" your kids what to do, e.g.: don't play in that mud. What will the child do?

Reminds me of the Bill Cosby Children are Brain Damaged skit, but that's a discussion for another day.

So, to communicate, it is necessary to remain factual, and when you want to convey subjective points, you need to be more subtle. Consider the story of Eve and the serpent:

Gen 3:1 (KJV) Now the serpent was more subtil (emphasis mine) than any beast of the field which the LORD God had made. And he said unto the woman, Yea, hath God said, Ye shall not eat of every tree of the garden?

Now of course, we know that the serpent was trying to deceive, but let's separate that from the fact that he was being subtle. Subtle is asking questions.

By asking questions, you can establish the baseline from which you are working-- where is your audience at?

By asking questions, you can lead the audience to understanding.

By asking questions, you can establish value.

Friday, September 21, 2007

News Flash: Veterans Administration security is shameful.

Film at 11.

Among the great quotes:

As the VA was rolling out the e-mail filtering software, the software caught about 7,000 e-mails containing Social Security numbers in just one month
The VA had only completed two of 22 recommendations from its inspector general following the breach

Here is the full article.

Let me get this right...

The Veterans Administration (I'm a vet, so maybe I'm a little sensitive) has been sending 7,000 emails a month with SSNs?

Pause, drumroll, please--


Notice that that wasn't the number of SSNs, but the number of emails, so an Excel spreadsheet with 1000 SSNs counts once.

I don't even want to know what they are doing with my medical records. Maybe they are putting them up on LED readerboards across the nation?


Friday, September 14, 2007

Beware of Security Theater

I've consulted at a lot of Fortune 500 companies, and I'm always amazed at the level of Security Theater that I see. Follow the link for a definition and commentary.

From Wikipedia:

Security theater has been defined as ostensible security measures which have little real influence on security whilst being publicly visible and designed to demonstrate to the lesser-informed that countermeasures have been considered. Security theater has been related to and has some similarities with superstition.

Let me provide a concrete example from a large financial institution:

When logging in to the mainframe, three failed password attempts lock your account.

Since the company can't really afford to have the downtime related to this (since it happens all the time, and there are thousands of accounts), they built an automated phone response system that would allow you to unlock your account with your employee identification number.

See the fallacy? Instead of removing the restriction, or limiting it to something reasonable (20 attempts), they spent--swag numbers--low 6-figures on an automated system.

There is a concern, of course, about brute force attacks on the passwords, but that can be detected at a network layer, or even just through a report on failed attempts with timestamps.
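The report-based alternative mentioned above, as an added example that is not code from the original post: failed attempts with timestamps are parsed from log lines and evaluated against the "something reasonable (20 attempts)" threshold as a detection rule rather than a lockout. It goes one step beyond the post by also looking at the per-source view (one address failing against many accounts), which a per-account lockout never notices. The log line format, the thresholds, the ten-minute window and the sample events are all constructed for illustration.

```python
"""Report-driven detection of password guessing from authentication logs.

Added example, not code from the original post. The log line format, the
thresholds and the sample events are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <FAIL|OK> user=<account> src=<address>"
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(events, threshold=20, window=timedelta(minutes=10)):
    """Accounts with more than `threshold` failures in any `window`: the post's
    '20 attempts', applied as a report line instead of a lockout."""
    fails = defaultdict(list)
    for ts, result, user, _src in events:
        if result == "FAIL":
            fails[user].append(ts)
    return sorted(u for u, ts in fails.items() if _max_in_window(ts, window) > threshold)


def find_spray_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources whose failures touch at least `min_accounts` distinct accounts in
    one window: the per-source view that a per-account lockout never sees."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = []
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _t, u in items[start:end + 1]}) >= min_accounts:
                flagged.append(src)
                break
    return sorted(flagged)


def constructed_log():
    """Sample log: one mistyped password, one hammered account, one source
    trying a single guess against many accounts."""
    base = datetime(2007, 9, 14, 8, 0, 0)
    rows = [(base, "FAIL", "alice", "10.1.1.5"),
            (base + timedelta(seconds=8), "OK", "alice", "10.1.1.5")]
    rows += [(base + timedelta(minutes=2, seconds=i), "FAIL", "bob", "10.1.1.9")
             for i in range(21)]
    rows += [(base + timedelta(hours=1, seconds=i), "FAIL", user, "10.1.2.7")
             for i, user in enumerate(["carol", "dave", "erin", "frank", "grace"])]
    return "\n".join(f"{ts.isoformat()} {r} user={u} src={s}" for ts, r, u, s in rows)


def report(text):
    """Both checks over one log; this is what a nightly report would carry."""
    events = parse_log(text)
    return {"brute_force_accounts": find_brute_force(events),
            "spray_sources": find_spray_sources(events)}


if __name__ == "__main__":
    print(report(constructed_log()))
```

Alice's single typo followed by a successful login produces nothing, which is the point: a report only raises the cases a lockout was meant to catch, while the helpdesk phone tree never rings.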

The best part is that the users became so desensitized to password lockouts that they did not consider them suspicious in any way, and would merrily dial in and unlock their account without notifying anyone.

So, the so-called "security measures" actually reduced the overall level of security in the organization. Not good.

This is a specific example, but there are many that I can cite-- I'm sure that your organization has its fair share, too.

Wednesday, September 12, 2007

Robotic Overlord Magic Quadrant

With the announcement that there are between one and ten million computers infected with the Storm Worm (estimated), I thought I would provide a magic quadrant style guide to our eventual domination by, and complete submission to, our new robotic overlords.

Computer scientist Peter Gutmann calculates that the Storm Worm has access to more computing power than the top ten supercomputers in the world, combined. He also estimates that it controls between 1 and 10 petabytes of RAM.

Article here.

iPhone unlock available

I'm still sticking with my BlackBerry Pearl (since it has a keyboard, and voice dialing), but it is nice to know that I could use the iPhone now.

Engadget has coverage here.

This is great news-- this is an open source solution, too.

Thursday, September 6, 2007

Television linked to poor attention

I'm one of those rare people that don't have a television.

A new article on New Scientist confirms my thoughts.

The article links childhood television watching to attention problems. From the article:

...roughly 40% increase in attention problems among "heavy" TV viewers...

Interesting fact for those of you who suspect that your kids watch too much TV.

How to fix the iPhone

Apple announced that it is dropping the price for the 8GB iPhone by $200, and discontinuing the 4GB model.

I think that the iPhone isn't selling quite as well as they thought it would-- make the jump for my analysis.

The main problem with the iPhone is that it isn't open. You're forced to use a particular provider.

It has only barebones Bluetooth support-- it will not support a Bluetooth keyboard. The touchscreen keyboard isn't the end-all-be-all, and it would be nice to use an external keyboard for composing longer emails.

If the iPhone had been open from the beginning, I think it would have been a much bigger hit. For now, I guess I'll stick with my BlackBerry Pearl.

Wednesday, September 5, 2007

Interesting run-in on Southwest airlines

I'm not all that great at making a clean break from work-- I'm currently on vacation in Las Vegas, but I took a business trip to San Diego.

Normally, I fly Alaska Airlines or United, but the best flight from Vegas was on Southwest. Side commentary: kudos to Southwest for hiring flight attendants that actually seem to like being there.

On the return flight, one of the flight attendants was announced as the mother of Miss Teen USA 2007, South Carolina. It was an interesting brush with current events.

Minnesota Breathalyzer Case Gets More Complicated

Last month, I wrote about a case where a Minnesota man asked for the source code to the breathalyzer in his DUI case. Things have gotten slightly more complicated-- more after the jump.

Article here.

Best quote from the article:

...the Minnesota Supreme Court in late July concluded that language in the contract between the device's manufacturer, Kentucky-based CMI, and the state indicates the source code belongs by extension to Minnesota. The justices suggested the state must do whatever it takes to enforce that contract, even if it means, for example, suing CMI.
(emphasis mine)

Tuesday, August 28, 2007

Protests and child rearing

I brought my son to work with me yesterday, not realizing that sleepy little Bellevue was about to be the site of a protest.

Little did I know that President Bush was coming to town for a fundraiser. The crowds gathered hours in advance to protest, so I decided that my son should have an impromptu civics lesson.

It prompted lots of good questions, and we had a long discussion about the political process. It was a good chance to explain the importance of different opinions, and the need for healthy debate.

Friday, August 24, 2007

Non-business email messages are not public records in Florida

At least for the State of Florida.

Follow the jump for an interesting opinion on the question of whether non-business email constitutes a public record.

The opinion makes the following assertions:

..."official business communicated by e-mail transmissions is a matter of public record." In re: Amendments to Rule of Judicial Administration 2.051 -- Public Access to Judicial Records, 651 So. 2d 1185 (Fla. 1995). However, the court has also recognized that e-mail messages may include transmissions that are not official business and which, consequently, are not public records." id. at 1187. Thus, the Supreme Court has already given us some guidance in this area. Non-business e-mail messages are not public records and need not be retained.


Experience in our office indicates that many e-mail messages consist of one or two lines dashed off electronically because, at any given time, it may be the most expedient means of communicating a simple message: "your meeting is at 2:00, don't be late"; "remember to order a new copier cartridge this afternoon"; "please let me know when you will have the project finished." These communications are the electronic equivalent of communications that under different circumstances would take place verbally -- either by telephone or directly.

It seems that there is a prevailing legal mantra, "save everything". Including every joke of the day, every email from social networking sites, every chain letter, every everything.

I'd like to suggest that it is possible to manage your archive with a little less extreme-ness. There are definitely items that can be safely removed: do you really need the 65,000 low toner notices?

I think it is time to really discuss what constitutes a business email. What are your thoughts?

Thursday, August 23, 2007

E-Discovery Searches are Inadequate

Many e-discovery efforts focus on two things: date range searches and searches for email addresses. I'd like to suggest that these are inadequate, and what you can do to really find the messages you're looking for.

The main problem with searching addresses is that they are not normalized. They come in myriad formats:




These are just examples-- there are others. The point is that these all refer to the same user. On the other hand, you might end up with different users sharing the same address (which Joe Smith were we referring to during the three year period covered by the e-discovery?).

Dates in email are really completely random, unless you are referring to dates in the received lines. Alternately, you could keep metainformation about the email, i.e. the date that it was delivered to the journal, etc.

Emails need to have the current contextual information applied at the time of archive insertion. At a minimum, I would suggest looking at inserting a unique identifier for the user (something like an employee id), what department the user is in, whether the user is an executive, whether the email contains potentially proprietary information, and whether the email is potentially privileged.
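The two fixes proposed above, normalizing the address and stamping context at insertion time, as an added example that is not code from the original post or MessageGate's product: one function reduces the many spellings of an address to a single key, and another produces the tags the archive would store (employee id, department, executive flag, proprietary and privileged flags) using the journal's own delivery date rather than the sender-controlled Date header. The directory with validity dates (which is how the "which Joe Smith" question becomes answerable), the marker phrases and the sample message are all constructed.

```python
"""Normalize addresses and attach archive-time context to a message.

Added example, not code from the original post. The directory, the marker
phrases and the sample message are constructed; the archive schema is assumed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumed marker phrases for the "potentially proprietary / privileged" flags.
PROPRIETARY_MARKERS = ("proprietary and confidential", "internal use only")
PRIVILEGED_MARKERS = ("attorney-client privileged", "attorney work product")

# Constructed directory with validity dates, so the same address can map to
# different employees over the period an e-discovery request covers.
DIRECTORY = [
    {"addr": "joe.smith@example.com", "emp_id": "E1001", "dept": "Finance",
     "exec": False, "from": "2004-01-01", "to": "2006-06-30"},
    {"addr": "joe.smith@example.com", "emp_id": "E2042", "dept": "Legal",
     "exec": False, "from": "2006-07-01", "to": "9999-12-31"},
    {"addr": "jane.doe@example.com", "emp_id": "E0007", "dept": "Executive",
     "exec": True, "from": "2001-01-01", "to": "9999-12-31"},
]


def normalize_address(raw):
    """Collapse display names, angle brackets, whitespace and case into one key.

    Folding the local part is an assumption that holds for corporate
    directories; RFC 5321 technically leaves it case-sensitive.
    """
    _name, addr = parseaddr(raw)
    if "@" not in addr:
        return ""
    local, _, domain = addr.rpartition("@")
    return f"{local.strip().lower()}@{domain.strip().lower()}"


def lookup(addr, date):
    """Directory record valid for `addr` on `date` (ISO string), or None."""
    for rec in DIRECTORY:
        if rec["addr"] == addr and rec["from"] <= date <= rec["to"]:
            return rec
    return None


def tag_message(raw_message, journal_date):
    """Context tags an archive would store next to the message on insertion.

    `journal_date` is the date the journal received the message; it is used
    instead of the message's own Date header, which the sender controls.
    """
    msg = message_from_string(raw_message)
    sender = normalize_address(msg.get("From", ""))
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = sorted({normalize_address(a) for _n, a in pairs} - {""})
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    text = (msg.get("Subject") or "").lower() + "\n" + body.lower()

    sender_rec = lookup(sender, journal_date)
    parties = [p for p in (lookup(a, journal_date) for a in [sender] + recipients) if p]
    return {
        "journal_date": journal_date,
        "sender": sender,
        "recipients": recipients,
        "emp_id": sender_rec["emp_id"] if sender_rec else None,
        "dept": sender_rec["dept"] if sender_rec else None,
        "executive": any(p["exec"] for p in parties),
        "proprietary": any(m in text for m in PROPRIETARY_MARKERS),
        "privileged": any(m in text for m in PRIVILEGED_MARKERS)
        or any(p["dept"] == "Legal" for p in parties),
    }


# Constructed message: display name with a comma, mixed case, and a bare
# address in the To line, all of which should normalize cleanly.
SAMPLE_MESSAGE = """\
From: "Smith, Joe" <Joe.Smith@EXAMPLE.com>
To: Jane Doe <jane.doe@example.com>, <OPS@example.com>
Subject: Q3 forecast (internal use only)
Date: Mon, 20 Aug 2007 09:12:00 -0700

Jane, the Q3 forecast deck is attached. Please do not forward it.
"""

if __name__ == "__main__":
    print(tag_message(SAMPLE_MESSAGE, "2007-08-20"))
```

Tagging the same message with a 2005 journal date resolves joe.smith@example.com to the earlier employee in Finance, which is exactly the distinction a date-and-address search cannot make after the fact.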

It would also be a good time to set retention policies and flag non-business mail, but that's a discussion for another day.

Wednesday, August 22, 2007

Schadenfreude and Bacn

Schadenfreude is one of my favorite words, precisely because of the almost universal reaction received upon defining it. "There is a word for that?!", is the incredulous refrain.

Now there's a new term making the rounds of the noosphere, and it is bacn.

Bacn is the term for mail that isn't spam, isn't personal email, and isn't business email, either. Think about the newsletters you get from companies you purchase from, automated notices from internal systems, etc.

The reason I find this term interesting is that it is something I've been talking about for some time, but just never had a good word (words are power!) to properly describe it quickly. Even though it has "hip", "Web 2.0", "look I dropped a vowel, how creative I am!"-ness to it, I suspect it is going to make it into the common lexicon.

Here's why:

  • It talks about a productivity problem with email.
    The modern information professional has 10-30% of their email composed of these types of email (newsletters, automated notices, your order has shipped), and every interruption to check email takes 15 minutes to properly resume from.

  • It talks about an infrastructure problem.
    These emails are going in the archive. 10-20% of the emails in an email archive are bacn. They are especially likely to be saved by users, because, "I want to read them, just not right now."

  • There are tools to help deal with it.
    Here at MessageGate, we use our software to automatically tag email as bacn, and the end user can set up rules to file these emails appropriately. A more intensive approach could auto-file these mails for the user (without them setting up rules).

  • The volume of email involved has a very negative impact on e-discovery efforts, especially since the current (broken) methodology of searching by address and date has basically no false-positive filtering.

Companies are starting to look at the productivity and infrastructure burden of bacn; I'm just glad to have a word to describe a topic I've been working on and thinking about.

How to do a successful technical presentation

Update: more on this subject here

I have done my fair share of technical presales calls and proofs of concept. I have a few notes on what I've found to help them be successful.

  1. Ditch the acronyms and technobabble
    Also known as know thy audience. If you can learn to bridge the gap to the non-technical crowd, you'll be leagues ahead of your cohorts. I use my wife as a sounding board for technical explanations; if I can explain it to her, I know I've sufficiently simplified things.

  2. Get rid of Powerpoint, if possible.
    If not, follow my revised version of Guy Kawasaki's 10/20/30 rule. I suggest no more than 5 slides, 10 minutes to discuss the slides, and 30 point font, minimum. Consider it the 5/10/30 rule. Do Not read from the slides.

  3. Ask questions.
    Nobody is opposed to answering legitimate questions. I took a Solution Selling course, and was amused to learn that sales people typically have 18 months of increasing effectiveness in a new position, and then productivity falls off. This is, also, coincidentally, the same point at which most people "learn all there is to know" about a product or service, and stop asking questions.

  4. Use the whiteboard to your advantage
    This ties in with the previous point-- use the whiteboard to ask questions. Ask about their environment. Draw it on the whiteboard. Ask leading questions about the potential solution you're looking to provide. Draw the solution into their environment.

  5. Use your hands to emphasize points.
    This article points out that using gestures makes a math teacher more effective than their less gesticulating counterparts (from the article):
    Susan Goldin-Meadow, a professor of psychology at the University of Chicago, found in a recent study that Chicago schoolchildren learned math best when the gestures of teachers enhanced their words rather than simply repeating them.

  6. Don't fall into the perception vs. correctness trap.
    I was once giving a presentation, and the customer asked me if turning on encryption would affect performance. The obvious technically correct answer is that yes, it does impact performance.

    So I told him yes, that it had a 20% impact on performance. This was also technically correct.

    And the wrong answer.

    Why? Because I could have told him (and whiteboarded) that an average transaction takes 2 seconds, to which we add 2/10ths of a second, to which encryption adds 20%. In total, encryption adds .04 seconds to a 2.2 second transaction. And then told him, "basically, no, encryption does not affect performance."

  7. Make your demonstration interface with their infrastructure.
    I used to work at WRQ (now Attachmate), and consulted on a product called Verastream. We really started to hit our stride when we honed our ability to interface with a mainframe in an afternoon. We would walk in, exchange pleasantries, talk about the potential solution, and have a web or web services interface to the mainframe up in hours.

    Customers were always amazed that we could make it work so quickly, and the real power was in the idea that it wasn't just a canned demonstration, it really was their mainframe.

    My current employer (MessageGate) is announcing an update to our current IIS adapter which will be much easier to plug into a test Exchange server and demonstrate our email governance capabilities. I'm excited, not because we can't already demonstrate our software, but because it will make demonstrating our software in a live (test) environment that much easier.

In short, it's all about interactivity. One-sided discussions aren't really discussions at all; there's no chance of establishing rapport or coming to a common understanding. Both of these are necessary to move the sales cycle forward.

The New Rickenbacker

I got the new Rickenbacker cleaned up (man, it was grungy!). I'll be taking her out tonight for her first live usage, but I don't have a proper set of straplocks, so that's definitely something I'm going to need to remedy.

More on strap locks after the jump.

I'm pretty enamored with a set that I put on my Alembic-- they are called the Zeppelinn ZSL600 (yes, Martha, an extra N). You can find them here.

The one caveat with them is that the screw they ship with is just plain inadequate. Do not attempt to use the screw it ships with. My suggestion would be to use threaded inserts and a better screw.

Tuesday, August 21, 2007

Burn Them With Fire

I am a Desert Storm vet. While I was formally trained as an infantryman, I drove a fuel truck during the time I was deployed. I have a lot of stories from this time, but one of my favorites is about Dung Beetles.

I was completing my fuel run for the day when a Sergeant (First Class, and acting first sergeant) approached me and told me he needed to show me something. I followed him a couple hundred meters into the desert, and he showed me a patch of ground completely riddled with holes. "What's this all about, top?", I asked.

"Those are Dung Beetles.", with a you know what to do nod of the head. The last unit in this area had apparently buried a latrine here, and the Dung Beetles were having a field day. I didn't know what he was expecting, so I asked.

"I want you to soak all of this with MoGas, and light it on fire." I'm not kidding when I say that he looked like a demented priest bent on an exorcism. Let's just say that this was a somewhat atypical request, but I thought about it for a minute, and went to get my truck.

Tossing matches at 100 gallons of gasoline is a fairly precarious task, but we did eventually get it lit-- fifteen foot flames and roiling black clouds ensued. I wish I had the presence of mind to have taken a picture.

Sometimes it works to gently correct course or mildly adjust angle of attack; sometimes purging with fire is the only option.

Monday, August 20, 2007

Lack of email controls considered harmful

The Treasury Inspector General for Tax Administration performed an audit of the Internal Revenue Service. In summary, the IRS has improved greatly, but employee noncompliance is still leaving Personally Identifiable Information (PII) at risk.

Analysis and link to the report after the jump.

Full report here.

Employees have also shown they are susceptible to social engineering techniques that hackers could use to gain access to their systems, and they continue to ignore IRS policies on the use of email, which increases potential security vulnerabilities.

Now, maybe I'm biased (and who are we kidding: of course I am!), but this again points to the need for centralized, server based controls on email. How long would employees continue to "ignore IRS policies on the use of email" when they receive an email each time stating that they are in violation of the Acceptable Use Policy, and that their email has been logged?

Our SenderConfirm™ even allows the user to make the final judgment on whether an email should actually be sent. This is a powerful influence on behavior, nonetheless.

One of the core benefits of this approach is that you don't actually have to add any human infrastructure-- it isn't necessary to actually hand analyze the mail: the threat of it alone is enough to change user behavior. I believe that this coincides with the "broken windows" theory; allowing users to make "little violations" leads to a lack of vigilance ending in a breach, but blocking the "turnstile hopper" promotes an increased level of security.

New Rickenbacker

I wasn't really in the market for another bass, but I found a really good deal on a bass that I've been lusting after for some time. A JetGlo (black) Rickenbacker 4003.

She's a little beat up, and I'm not convinced that the bridge pickup works, but this bass has been one of my longer term desiderata. The Colonel (a.k.a. my long-suffering better half) wasn't too impressed, but it was a really good deal.

So, in trade, I'm selling my fretless Alembic Epic, and I have a new #1 bass.

Friday, August 17, 2007

Email statistics

Chances are that you have some decidedly unexpected behaviors happening on your email network. You probably expect that there are jokes and video files being emailed around. But did you know about that user on your network that only forwards mail?

That's right. In an enterprise of any substantial size (over 500 users), there is virtually a 100% chance that there is at least one user that for every 10 mails sent, 9 are forwards (and it isn't uncommon to see 100%). No, I don't know what they do all day.

Have you ever measured which account sends the most emails in a given unit of time? I'll take odds on it being a printer (or copier, or database, or application). This certainly points to enterprises using email as a generic messaging platform, and that enterprises consider it acceptable to use email as a method for applications and devices communicating their state.

Of course, the law of unintended consequences rears its ugly head when you realize that the printer sent 65,000 emails last month lamenting the loss of toner. To a distribution group. With dozens of users. And all of it gets archived.

Of course there's the 25-40% of your email (by volume) that is entirely Office documents, and the 20-40% that is non-business email (non-business images, video files, jokes, chain letters).

Here's an idea for blocking chain letters: just block any email with more than one exclamation point in the subject line. While this is meant to be tongue in cheek, it is pretty accurate.
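The measurements this post describes, plus the bacn tagging mentioned in the "Schadenfreude and Bacn" post above, as one added example that is not code from the original posts or MessageGate's software: it parses a mailbox of raw messages, finds the top sender, flags accounts where nine of ten sent messages are forwards, estimates the bacn share from list and auto-generation headers, and applies the more-than-one-exclamation-point subject test. The header heuristics (subject prefixes, forwarded-message markers, List-Unsubscribe/List-Id/Auto-Submitted/Precedence), the thresholds and the sample mailbox are all constructed.

```python
"""A small email audit: who sends the most, who only forwards, how much is
bacn, and the tongue-in-cheek chain-letter test.

Added example, not MessageGate's or the post's code. The header heuristics,
thresholds and the sample messages are constructed.
"""
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

FWD_SUBJECT = re.compile(r"^\s*(fw|fwd)\s*:", re.IGNORECASE)
FWD_BODY = re.compile(r"forwarded message|original message", re.IGNORECASE)
# Headers that mark list, notification and auto-generated mail (bacn)
# rather than person-to-person mail.
BACN_HEADERS = ("List-Unsubscribe", "List-Id", "Auto-Submitted")


def is_forward(msg):
    subject = msg.get("Subject") or ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    return bool(FWD_SUBJECT.match(subject) or FWD_BODY.search(body))


def is_bacn(msg):
    if any(msg.get(h) for h in BACN_HEADERS):
        return True
    return (msg.get("Precedence") or "").lower() in ("bulk", "list")


def is_chain_letter(msg):
    """The post's heuristic: more than one exclamation point in the subject."""
    return (msg.get("Subject") or "").count("!") > 1


def audit(raw_messages, min_sent=10, min_forward_ratio=0.9):
    """Summarize a list of raw RFC 822 message strings."""
    msgs = [message_from_string(r) for r in raw_messages]
    sent, forwards = Counter(), Counter()
    bacn = chain = 0
    for m in msgs:
        sender = parseaddr(m.get("From", ""))[1].lower()
        sent[sender] += 1
        forwards[sender] += is_forward(m)
        bacn += is_bacn(m)
        chain += is_chain_letter(m)
    heavy = sorted(s for s, n in sent.items()
                   if n >= min_sent and forwards[s] / n >= min_forward_ratio)
    return {"top_sender": sent.most_common(1)[0],
            "heavy_forwarders": heavy,
            "bacn_share": bacn / len(msgs),
            "chain_letters": chain}


def _raw(sender, subject, body, extra_headers=""):
    """Build a minimal RFC 822 message string (constructed sample data)."""
    return f"From: {sender}\nTo: all@example.com\nSubject: {subject}\n{extra_headers}\n{body}\n"


def constructed_mailbox():
    """A printer that will not stop talking, a newsletter, two normal users,
    one user who only forwards, and one chain letter."""
    raw = [_raw("printer-3f@example.com", "Low toner on LaserJet 3F", "Toner level 5%.",
                "Auto-Submitted: auto-generated\n")] * 25
    raw += [_raw("bob@example.com", f"Re: ticket {i}", "Fixed, please verify.")
            for i in range(15)]
    raw += [_raw("news@vendor.example", "October newsletter", "New products!",
                 "List-Unsubscribe: <mailto:leave@vendor.example>\n")] * 4
    raw += [_raw("pat@example.com", f"FW: item {i}",
                 "---------- Forwarded message ----------\nSee below.") for i in range(9)]
    raw += [_raw("pat@example.com", "Lunch?", "Noon at the usual place?")]
    raw += [_raw("alice@example.com", f"Re: budget {i}", "Numbers attached.")
            for i in range(5)]
    raw += [_raw("alice@example.com", "FW: Send this to 10 friends!!!",
                 "-----Original Message-----\nYou must forward this...")]
    return raw


if __name__ == "__main__":
    print(audit(constructed_mailbox()))
```

Run against a real journal, the forward-ratio check needs the minimum-sent floor (here 10) or every user who forwarded one message in a quiet month shows up; the bacn share is the number to watch when sizing an archive.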

Thursday, August 16, 2007

The Ron Paul fan club

This is not about politics.

While I have to admit that Mike Huckabee definitely has impressed me with his bass playing (which is decent, but more marked by the fact that he plays a "semi-boutique"** bass-- a Tobias. He's even on YouTube.)

I'm also amused that John Edwards has decided that Men Who Look Like Kenny Rogers is part of his core demographic.

But I've been really interested by the grass roots campaigning of the Ron Paul campaign (and supporters). More thoughts after the jump.

If you have any exposure to the blogosphere, you've likely heard of Ron Paul.

You can't have read Digg lately without finding a reference to him.

What is interesting to me is that this all seems to be a rather deliberate and purposeful effort. It looks like a very organized grassroots effort to provide their candidate with coverage that I doubt that the mainstream media would have provided.

Our generation now has the Internet as one of the primary influencers of thought, and one campaign seems to have really capitalized on that. I suspect that the cost for this extra boost in "market presence" was the equivalent of a rounding error in a normal campaign budget.

It isn't quite as catchy as a bass solo (or men who look like Kenny Rogers for that matter) but pretty impressive, none the less.

** Semi-boutique: since these are really production line basses built by Gibson, but originally designed by Mike Tobias. He may have a pre-Gibson model, in which case, it's in great condition, and a boutique bass.

Three (more) things you can do today to get email under control

My friend Robert posted an article entitled three things you can do today to get your email under control. I'd like to propose my own list of three items after the jump.

  1. Implement an Acceptable Use Policy (AUP) and educate your users.
    This is the starting place for all email governance efforts. You must offer your users guidance on what constitutes acceptable uses of the email system. Have you actually educated your users about policies regarding non-business email?

    It surprises me how many organizations either do not have an AUP (or one that is hopelessly out-of-date), or do not properly educate their users on it. If, God forbid, an employee termination is necessary, proof that the user was educated on the policy is more than just nice to have. Every webmail service has an AUP that must be acknowledged before an account can be set up, why shouldn't all organizations implement this?

  2. Block proprietary content from leaving your organization.
    This can be as simple as searching the email and attachments for terms like "proprietary and confidential" or "internal use only", or as complex as fingerprinting specific documents, and flagging emails containing subsections of the documents.

    Whatever you do, you need to look at the types of files that constitute your intellectual property. Some suggested starting places:

    1. Office Documents (including Adobe PDF)

    2. Source Code (VB, Java, C, C++, Perl, COBOL...)

    3. The files that support your business, e.g.: AutoCAD, Matlab, specific reports, etc.

  3. Perform an audit of your traffic to see what is really going on.
    Okay, so admittedly I copied this from Robert's article. But it bears repeating, since the vast majority of organizations do not know what exactly is moving through their email network.

    If you are concerned about privacy, have the report anonymized. This is something that MessageGate does regularly. It provides a great value, and I can assure you that there will be unique and interesting information in the audit. It will help you understand the metrics of your network, and will, I dare say, offer insight into the character of the organization as a whole.

    Just like a financial audit, it is most helpful to do the email audit on a regular basis, allowing you to track to particular goals.

Implement these, and you'll have a much greater understanding of your email, a lower risk of information leakage, and better control over your email network.
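Item 2 above names two techniques, marker-phrase searching and document fingerprinting that flags quoted subsections. Here is both in one added example that is not code from the original post or MessageGate's product: a registry of hashed word shingles is built from a document, and an outbound message is blocked if it carries a marker phrase or if enough of its shingles appear in a registered document. The shingle size (8 words), the match threshold (5 shingles), the registered "widget spec" and the sample messages are constructed.

```python
"""Two ways to spot proprietary content in outbound mail: marker phrases and
document fingerprints that match quoted subsections.

Added example, not MessageGate's or the post's code. Shingle size, the match
threshold, the registered document and the sample messages are constructed.
"""
import hashlib
import re

SHINGLE_WORDS = 8     # assumption: words per shingle
MIN_SHINGLES = 5      # assumption: matching shingles needed to call it a quote
MARKER_TERMS = ("proprietary and confidential", "internal use only")


def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text, k=SHINGLE_WORDS):
    """Hashed k-word shingles. The registry keeps only hashes, so it can live
    on the mail gateway without copying the documents there."""
    w = _words(text)
    return {hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(w) - k + 1)}


class Fingerprinter:
    def __init__(self):
        self.registry = {}          # document name -> set of shingle hashes

    def register(self, name, text):
        self.registry[name] = shingles(text)

    def best_match(self, text):
        """(document, number of the message's shingles found in it), best first."""
        s = shingles(text)
        best = (None, 0)
        for name, fp in self.registry.items():
            n = len(s & fp)
            if n > best[1]:
                best = (name, n)
        return best


def check_outbound(text, fp, min_shingles=MIN_SHINGLES):
    """Policy decision for one outbound message body."""
    lowered = text.lower()
    reasons = [f"marker:{t}" for t in MARKER_TERMS if t in lowered]
    doc, matched = fp.best_match(text)
    quoted = doc is not None and matched >= min_shingles
    if quoted:
        reasons.append(f"fingerprint:{doc}")
    return {"block": bool(reasons), "reasons": reasons,
            "document": doc if quoted else None, "matched": matched}


# Constructed "registered" document and sample messages.
WIDGET_SPEC = (
    "The widget controller firmware stores the calibration table in the second "
    "flash bank and refreshes it every ninety seconds. The checksum routine runs "
    "before each refresh and halts the controller if the table fails validation. "
    "Field units report the result to the fleet server over the encrypted link. "
    "A failed validation three times in a row places the unit into service mode."
)
MESSAGE_LEAK = (
    "Hi Bob, here is the bit you asked about: the checksum routine runs before "
    "each refresh and halts the controller if the table fails validation. Field "
    "units report the result to the fleet server over the encrypted link. Let me "
    "know if you need more."
)
MESSAGE_CLEAN = "Hi Bob, your meeting is at 2:00, don't be late. Remember the copier cartridge."
MESSAGE_MARKED = "Attached is the roadmap deck. INTERNAL USE ONLY, please."


def build_registry():
    fp = Fingerprinter()
    fp.register("widget-spec", WIDGET_SPEC)
    return fp


if __name__ == "__main__":
    fp = build_registry()
    for m in (MESSAGE_LEAK, MESSAGE_CLEAN, MESSAGE_MARKED):
        print(check_outbound(m, fp))
```

The leak message quotes a 29-word run of the spec, which yields 22 matching 8-word shingles; the threshold of 5 means roughly a dozen contiguous words is enough to trip the rule, while a short paraphrase or a chance phrase is not. Punctuation and case are stripped before shingling so reformatting the quote does not defeat the match.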

Wednesday, August 15, 2007

Email and Stress

There is an interesting (although not unexpected) study published by researchers from Glasgow and Paisley universities about email stress.

Interesting findings:

The participants in the study were checking mail up to 40 times per hour.
They thought that they were checking 4 times per hour.

Links to the articles after the jump.

The article is on the Ars Technica: link.

Another interesting study was conducted in 2003, with American workers: Overwhelmed by Email. Since this study is from 2003, keep in mind that email volume has been climbing 10-20% per year (which implies that time consumed by email may have as much as doubled since then).

Consider the costs of this "always on", "pressured to respond immediately" mindset:

It takes up to 15 minutes for an information worker to properly resume the task that was interrupted responding to email. Meanwhile, the average user receives 10-20 emails per day. Even accounting for the mail coming in pairs, that would account for 1 hour 15 minutes of lost productivity, per employee, per day (and going up by 10-20% per year).

In a 1000 employee organization:

1000 users * 1.25 hours * 250 days per year = 312500 hours per year in lost productivity.

Multiply that by a fully loaded cost of $35/hr, and you're at $11M per year in lost productivity.

Something to keep in mind when you are analyzing the costs of email governance.

Tuesday, August 14, 2007

Help! My archive is out of control!

One of the great things about email archives is that they keep everything. One of the worst things about email archives is that they keep everything. When I say everything, I mean that you're literally paying (in storage, management, and software costs) for every spam, every picture of Johnny's 4th birthday party, every inappropriate email, every humorous "video du jour" that arrives at the mailbox.

Better yet, when push comes to shove, and an e-discovery event happens, you'll be paying a lawyer or paralegal to inspect these.

What should companies be doing about archives? I can certainly understand the "keep everything" mantra, but I'd like to suggest that there might be a method to keep everything that is necessary and important, while cleaning some of the non-business email from the archive.

First, try to get rid of as much spam as possible. Implement defense in depth: multiple spam solutions with different approaches (reputation services, content analysis, and something that analyzes fraudulent headers are all important) will help eliminate that extra several percent of spam that is currently getting to the mailbox. Five to ten percent of the email in most networks is spam (and that's after the spam filter).

Second, make decisions about what types of media are necessary to your business. Some examples: MP3 (music), Windows Media (video), and MPEG (video) aren't typically business critical files. If they aren't necessary, consider blocking them.

It is helpful if you have the ability to whitelist certain users or provide policies based on job description or department. We have implemented this with great success.

Third, if you allow users to take documents or files home for work purposes, consider encouraging the use of either flash drives or a remotely accessible content management system (e.g. SharePoint). This has two benefits: it promotes better archive hygiene, and helps prevent information leakage.

Most of the information leakage we see is accidental-- mis-addressed email is probably the leading culprit for confidential information leaving most organizations.

Finally, educate your users. Establish an Acceptable Use Policy (AUP) for email, and specify the appropriate and inappropriate use of email. Establish etiquette guidelines-- many people have no idea what is appropriate in email, especially with Generation Y entering the workforce. They have had their formative years of electronic communication in an entirely personal context, whereas we "old folks" have, generally, had a more business-oriented introduction.

Following these suggestions could cut 20-30% off the size of your archive, without any impact on actual day-to-day business email.

Saturday, August 11, 2007

Analyzing archives

I read a lot of email.

Ok, technically, I analyze a lot of email. One of the services that we perform for our customers is an email audit.

Follow the link for some statistics on archive volumes under typical usage patterns.

The number of messages sent and received varies widely-- the average user sends between 147 and 198 emails per month and receives between 145 and 185 emails per month.

By direction, 70% is internal, and the remaining 30% is pretty evenly split between inbound and outbound mail.

Roughly 25% of email is non-business (i.e. spam that made it past the filter, private communication, external newsletters, etc.).

Most companies have an average email size of 50-60KB. There are two reasons for this:

1) HTML/RTF email causes small messages (that could have been 1KB) to be much larger (3-10x). This drives up the baseline.
2) You may have noticed this: there are a couple of Office documents floating around your email network.

Point 2) bears further consideration: 30-50% of the email (by volume) in a typical organization is Office documents (in which I include PDF files).

This causes the following storage analysis:

1000 users * 300 emails per month * 12 months * 60KB = annual storage burden of 206 GB, on average, per thousand users. That would be 2 TB per 10,000 users (per year).

Your mileage may vary, of course.

Friday, August 10, 2007

What might get revealed in e-discovery?

I saw an article about a Minnesota man who is requesting the source code to the breathalyzer the police used during his arrest for drunk driving. How's that for e-discovery?

Apparently the purchase contract included granting the state, "all right, title, and interest in all copyrightable material".

And the Minnesota Supreme Court agreed with him. While most organizations are not bound by such contracts allowing the release of their intellectual property, it does point to one of the major issues in e-discovery-- that it can be difficult to segregate privileged, confidential and trade secret email from the rest of the discoverable materials. So you get to pay (and pay) the e-discovery firms to do this segregation after the fact.

I'm not denigrating the services they offer, just suggesting that an ounce of prevention is worth a pound of cure.

Specifically, if you have an email archive, you should be tagging messages that are from inside and outside counsel, executive management, or contain intellectual property. This definitely contributes to good archive hygiene.

One way to make this much easier is to require all documents containing proprietary or confidential information to be marked as such. Then you can tag these documents as they enter the archive. In this case, a little can go a very long way.

Thursday, August 9, 2007

It's impossible to sing and play the bass

I have an admission to make. I cannot sing and play the bass. I cannot talk and play the bass.

I can't even answer yes or no questions. I have no idea why, but I've come up with a pseudo-medical term for it: musical aphasia.

Here's Jay Leonhart's take on things:


Storm Worm and adaptability

So, the storm worm is the new kid on the botnet block. I'd like a zombie PC with a side of fries.

Estimates put the Storm-infected botnet at between 250,000 and 1,000,000 PCs, although I think it definitely has the potential to be much higher.

More interesting than the fact that there's a new botnet du jour is that there are still so many networks that allow this vector of infection. Yes, Virginia, there are still networks that allow executables into their networks via email.

Of course, your network doesn't, right? Here are a few things to think about:

1) I got a scam email a few weeks back. It had a PDF with an embedded executable in it.
2) In my consulting practice, I've regularly bypassed these filters using one of the following two expedients:
   a) Simply renaming the file to something other than .exe (e.g. .txt)
   b) Putting the executable in a zip file.

Most email systems out there aren't capable of detecting either of these types of subterfuge. Add to that the fact that this is a de facto acceptable policy (since sending email with executables is actually part of the job description for certain individuals), and you are essentially forced to accept some amount of "slippage" with regards to protection.

Never mind the fact that there are zero-day exploits with Microsoft Office (and just try and block that!).

Without understanding the content (is this an executable, even though it is named foo.txt and embedded in a rar file?) and the context (Joe in IT should have the ability to send executables), it is next to impossible to implement sound policies around email.

However, with both of these we can actually prevent these types of attack, and begin to deal with zero day attacks. I have a customer who decided last week that he didn't like the amount of PDF spam he was receiving, so he built a dictionary to search for the spammer URLs in the PDFs. Net implementation took about 30 minutes (mostly finding the URLs). Net result? 68,000 of these blocked last week.
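To make the content-plus-context point concrete, here is an added example (written for this page, not the author's filter or any vendor product) of an attachment check that ignores file names entirely. It identifies executables by their leading bytes (PE "MZ", ELF, shebang scripts), descends into zip archives detected by signature rather than by a .zip extension, and then applies context: a hypothetical allow-list of senders whose job includes mailing executables. The sample messages and the allow-list are constructed; rar archives are not handled, since that needs a third-party extractor, and the magic-byte table is deliberately short.

```python
"""Content-aware attachment policy: what is it, not what is it called?

Added example for this page. Sender allow-list and sample data are hypothetical.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Leading-byte signatures checked on every attachment regardless of its name.
EXECUTABLE_MAGIC = {
    b"MZ": "windows-pe",      # PE/COFF: .exe, .dll, .scr, ... renamed or not
    b"\x7fELF": "elf",        # Unix executables
    b"#!": "script",          # shebang scripts
}
ZIP_MAGIC = b"PK\x03\x04"
MAX_ZIP_DEPTH = 3            # bound recursion for nested archives
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip bombs)

# Context: people whose job legitimately includes sending executables (hypothetical).
EXECUTABLE_ALLOWED_SENDERS = {"joe@it.example.com"}


def classify_bytes(data: bytes) -> Optional[str]:
    """Return the executable kind for data, or None if it is not one we recognise."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_executables(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, str]]:
    """List (path, kind) for every executable in data, descending into zip archives."""
    found = []
    kind = classify_bytes(data)
    if kind:
        found.append((name, kind))
    if data.startswith(ZIP_MAGIC) and depth < MAX_ZIP_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member_name = f"{name}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        found.append((member_name, "oversized-member"))
                        continue
                    found.extend(find_executables(member_name, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            found.append((name, "corrupt-zip"))
    return found


def evaluate_message(raw: bytes) -> dict:
    """Inspect every MIME part; combine the content finding with the sender context."""
    msg = message_from_bytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        hits.extend(find_executables(part.get_filename() or part.get_content_type(), payload))
    if not hits:
        verdict = "deliver"
    elif sender in EXECUTABLE_ALLOWED_SENDERS:
        verdict = "deliver-flagged"   # allowed by role, but logged for review
    else:
        verdict = "quarantine"
    return {"from": sender, "executables": hits, "verdict": verdict}


# --- constructed sample data -------------------------------------------------
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."


def make_zip(member_name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_sample(sender: str, attachment_name: str, data: bytes) -> bytes:
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(evaluate_message(build_sample("attacker@example.net", "invoice.txt", FAKE_PE)))
    print(evaluate_message(build_sample("attacker@example.net", "invoice.zip",
                                        make_zip("invoice.txt", FAKE_PE))))
    print(evaluate_message(build_sample("joe@it.example.com", "tool.exe", FAKE_PE)))
```

Renaming to .txt and zipping, the two expedients above, both fall to this check because neither changes the bytes that get inspected; what it still cannot see is an executable inside a format it does not open (an encrypted zip, a rar, an OLE container), which is exactly where the "slippage" moves next.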

Wednesday, August 8, 2007

Social Engineering at the IRS

Information Week published an article outlining how a security test revealed that 60% of the users tested were willing to accept a call from an unknown source and change their password to something that the caller suggested.

First off, kudos to the IRS for actually testing their security. And double kudos for actually being willing to release the (admittedly bad) results publicly. But I am not surprised at all that 60% of the users tested were fooled into helping the person on the other end of the line.

With my amateur psychologist hat on, I assert that users just don't feel the same way about virtual information as they do physical information. How often would you see someone accidentally mis-address a FedEx envelope containing financial data? This happens all the time with email (oops! I meant to send it to Mike Smith, not Mike Jones!).

Welcome to the war on human nature-- and we're losing.

Monday, August 6, 2007

Custom development

I play the bass guitar. I don't play particularly well, but I can hold down the bottom, as they say. I am having a custom bass built, which I've affectionately titled "the software project." Because it had scope creep: it has way more features than it started with, is late (32 months total), and ever so slightly more expensive than I told my tolerant wife it would be.

It reminds me of some software projects I've worked on.

When you are looking for something that is completely custom, expect it to cost more than you planned. Expect it to take more time than you allotted. Most of all, expect it to change.