Sunday, December 09, 2007

Are Windows Vista PCs Disposable?

When something goes wrong with a Windows Vista PC, don't be surprised if it is more expensive to troubleshoot and repair it than it is to buy a new PC and move your data and apps from the old machine to the new one.

For example... recently, a 6-month-old Thinkpad with Vista Business came into our shop for repair, because it had started freezing up. When it froze up, it was totally unresponsive, and the only thing to do was hold the power button down until the system shut down.

The machine's freezes occurred for no apparent reason, and nothing in the error logs was determinative either. It was still under warranty. It was originally purchased from Best Buy or Circuit City for under $1,000.

The first thing we did was test the machine for hardware problems. Lenovo's diagnostics as well as the tools we use found no problems. So, there was no warranty involved in the repair.

At this point, we were dealing with an unspecified software, virus or malware problem, and the best, most cost-effective solution in this situation has been (with Windows XP, at least) to copy the data, reformat the hard disk, and restore the operating system, applications and data.

On the ThinkPad, there is a suite of system tools that you can access from the "Blue Button" on the keyboard, and use to restore the ThinkPad to its new condition. It reformats the hard disk and reloads the operating system and applications that originally came with the computer. Before you do that, you have the option to copy your data, which we did to a USB hard drive.

Fortunately for our client and us, we also imaged the ThinkPad's hard disk before we reformatted the drive -- fortunately because the utility to copy the data failed to get most of our client's data. We ended up having to restore the image to a spare drive to recover all the client's data.

After we restored the ThinkPad to its original, like-new condition, we downloaded and applied all the Lenovo updates; both the Urgent and the Recommended updates. This took a lot of time and numerous system restarts.

After the Lenovo updates, we reinstalled the client's applications and downloaded and applied all the Microsoft updates and patches. This also took a lot of time and numerous system restarts.

Then we downloaded and installed updates and patches for non-Microsoft applications like Adobe Acrobat Reader and Flash, Sun's Java, and AVG's anti-virus. More time.

We recreated the client's user profile and set the Lenovo and Windows security the way the client had them.

Last but not least, we tracked down the client's data files, scanned them for viruses, then reinstalled the data on the ThinkPad.

At that point, the machine was working and no longer freezing. The problem appears to have been fixed. But the time and effort involved cost more than the machine was worth. In retrospect, the client would have been better served had we grabbed the data, thrown out the old machine and installed the client's apps and data on a new ThinkPad.

Sunday, December 02, 2007

Who Is Reading Your Email?

This is a subject I have written about before. It is worth revisiting because most people still think the email messages they send are private, like the US mail or a telephone call or a fax. But they are not. Click here to see my earlier posting.

Email and instant messages are nothing more than text files that can be intercepted and copied as they travel from here to there over the Internet. These stored messages can be later read by others and come back to haunt you.

In the future:
  • More and more organizations will engage in monitoring network traffic, including employee email, instant messaging, and web surfing.
  • Telephone calls are increasingly traveling over the Internet. They will be subject to the same kinds of storage, retrieval and monitoring issues that now affect email.
  • Employers will adopt the behavioral profiling technologies of online marketers in evaluating employees based on each one's use of information systems.

Bottom line, Big Brother will be listening, reading and watching you. So will Big Sister and all their Little Brothers and Sisters.

Saturday, November 24, 2007

Online Behavioral Profiling

In preparation for an appearance on KFNX (Phoenix) radio's Tech Talk show with Tom D'Auria, I did my homework and researched the topic. Here are my notes. I am sure there is more here than we will be able to cover in the time available on the program.

1 - What is behavioral profiling?

Behavioral profiling is the practice of drawing conclusions about or categorizing someone based on a limited set of behaviors. Behavioral targeting is the related practice of categorizing people or segmenting a market to provide them with advertising and sales messages designed to appeal to or work with the group they belong to.

For example, if a policeman, or anyone for that matter, sees a car swerving down the road, they may think that the driver is drunk. We speak of someone who is shifty-eyed as being not trustworthy. In the old cowboy movies the bad guys wore black hats. These are all examples of behavioral profiling.

The bride and baby magazines somehow know when weddings and birthdays are expected in everybody's family, and they send targeted promotional materials to the engaged women and the expectant mothers. These are examples of behavioral targeting.

2 - What's wrong with that?

The Federal Trade Commission held a Town-Hall meeting on November 1 and 2 in Washington, DC on Behavioral Profiling and the Internet. There were a lot of interesting presentations, and I encourage anyone who is concerned about this issue to go to the FTC web site and watch the recordings of the meeting.

One of the big problems is that people do not understand what behavioral profiling and behavioral targeting are. Therefore people may consent to having companies, governments and other organizations collect information about them and track their activities on the Internet, but it is not informed consent.

It turns out that nobody reads privacy policies and End-User License Agreements, except lawyers when they are being paid to read them. Everybody else just clicks through them on the web to get to the content they want.

The problem boils down to this. Organizations online and in the real world are covertly spying on you.

3 - Why would organizations be spying on you? What do they hope to learn?

They are doing it, they say, in order to do a better job serving you. Other motivations include making money, avoiding losses, beating the competition, and making more money.

Governments are interested in identifying criminal behavior and avoiding terrorist plots.

The good news in this is that there is not a lot to learn from spying on most of us. The state of the art is such that there is a) an enormous amount of data being generated constantly and b) there are serious limitations to the data. The volume of data involved limits what can be done with it. You cannot drink from a fire hose. And as all of us who have designed and implemented systems know, garbage in, garbage out.

4 - What kind of data are we talking about? What is being collected?

This gets into the nuts and bolts. Some of the data is very good. Amazon has a good handle on you and what you do on their web site. You have a username and password that you use to sign in to make a purchase. And they use "1st party cookies" to capture information about what you are searching for and how you navigate around their website. This lets Amazon, and sites like MySpace, present pretty well targeted recommendations and information to you.

But when you go from site to site, there is currently no reliable mechanism for tracking you. What happens is that you collect 3rd-party cookies from various advertising networks that provide ads to most major web sites. Double-Click and other such ad networks pay your content publishers to carry the ads. The 3rd-party cookies tell Double-Click where else on their ad network your browser has visited, and that helps them know what ad to serve you. Unlike Amazon, they do not know who you are, where you live, what you buy and other valuable information. If you use a different computer, Double-Click doesn't know it's you and not somebody else. When you erase your cookies, you become once again a blank slate to Double-Click.
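The mechanism just described, as an added example that is not part of the original post: a toy browser with a per-host cookie jar and a stand-in ad network. The host names (news.example, sports.example, ads.example), the cookie name and the page layout are made up for illustration; the point it shows is that a cookie is only returned to the host that set it, so the publisher's first-party cookie never reaches the ad host, while the ad host sees the same identifier on every page that embeds its ads (plus the Referer naming the publisher), and clearing cookies hands it a fresh, unlinked identifier.

```python
"""Toy model of first- vs third-party cookie tracking (added example,
not from the original post). Hosts, cookie names and page layouts are
assumptions made for illustration; only one HTTP cookie rule is
modelled: a cookie is sent back only to the host that set it."""

import itertools
from collections import defaultdict


class AdNetwork:
    """Stand-in for an ad network. It sees one request per ad impression,
    plus the Referer header naming the publisher page, and links those
    impressions together with its own third-party cookie."""

    COOKIE = "adid"

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = defaultdict(list)  # adid -> publishers seen

    def serve_ad(self, request_cookies, referer):
        """Return (set_cookie_or_None, adid) for one ad request."""
        adid = request_cookies.get(self.COOKIE)
        set_cookie = None
        if adid is None:  # first sight of this browser: issue a new id
            adid = f"u{next(self._ids)}"
            set_cookie = (self.COOKIE, adid)
        self.profiles[adid].append(referer)
        return set_cookie, adid


class Browser:
    """Minimal cookie jar: cookies are stored per host and only sent to
    the host that set them. That keeps a publisher's first-party cookie
    away from the ad host, but lets the ad host recognise the same
    browser on every publisher that embeds its ads."""

    def __init__(self):
        self.jar = defaultdict(dict)  # host -> {cookie name: value}

    def clear_cookies(self):
        self.jar.clear()

    def visit(self, publisher, ad_host, network):
        """Load a publisher page that embeds one ad from ad_host."""
        # The publisher sets its own (first-party) session cookie.
        self.jar[publisher].setdefault("session", f"sess-{publisher}")
        # The embedded ad request carries only the ad host's cookies,
        # plus a Referer that reveals which publisher page was loaded.
        set_cookie, adid = network.serve_ad(self.jar[ad_host], referer=publisher)
        if set_cookie:
            name, value = set_cookie
            self.jar[ad_host][name] = value
        return adid


def demo():
    """Walk one browser across two publishers, then clear cookies."""
    network = AdNetwork()
    browser = Browser()
    ad_host = "ads.example"
    first = browser.visit("news.example", ad_host, network)
    second = browser.visit("sports.example", ad_host, network)
    cross_site_profile = list(network.profiles[first])
    browser.clear_cookies()
    after_clear = browser.visit("news.example", ad_host, network)
    return {
        "same_id_across_sites": first == second,
        "profile": cross_site_profile,
        "new_id_after_clear": after_clear != first,
        "first_party_cookie_leaks_to_ad_host": "session" in browser.jar[ad_host],
    }


if __name__ == "__main__":
    print(demo())
```

The profile the ad network builds is a list of publishers, never a name or address, which is exactly the gap between what Amazon knows and what an ad network knows; the same model also shows why "erase your cookies after every session" (item 8 below) works against this kind of tracking and not against a site you log in to.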

Google is in the process of buying Double-Click. Google has been coining money by putting targeted ads all over the internet. So far, Google has targeted ads based on the content of the pages showing the ads, not based on the behavior of web surfers. So this marks a worrisome development for privacy experts given the size and strength of Google, and the FTC is reviewing the proposed transaction.

5 - What about Internet Service Providers?

Internet Service Providers are in a position to collect data about everything that each of their subscribers does online, and marry that with names, addresses, credit cards, etc. Your ISP knows all and sees all. You may not want them sharing that information with advertisers and the law.

Yahoo! has been strongly criticized because it complied with a lawful request by the Chinese government for emails written by a dissident in China on his Yahoo! email account. The government jailed the dissident based on emails that Yahoo! turned over.

Interestingly enough, while AOL no longer regards itself as an ISP, for years it was in the unique position of knowing almost everything about almost everyone online. They used that information to sell ads and target ads to their subscribers. Arguably, that model failed to sustain AOL.

But now there are new companies springing up like Adzilla that are setting up alliances with ISPs to get access to all the information about each of their subscribers. Adzilla got $10m in venture capital this past August, and their web site says they currently have alliances with 8 ISPs.

How this kind of activity does not run afoul of laws against wiretapping is still an open question. Their position is that it's not wiretapping if no human beings are involved; if there are only machines listening and serving ads based on pre-programmed heuristics. It's no different from a spam filter or anti-virus program that scans everything coming and going.

6 - Who are the bad guys in the behavioral profiling space and what are they doing?

It is not easy to say exactly who they are. There are many layers involved. Content and advertising on a given website may come from many different places. Advertising, especially, may come from other places. There are a lot of intermediaries that buy, sell, aggregate, serve and track online ads. They may be doing behavioral profiling, even if the site displaying the ads does not.

That makes it very difficult to identify who's responsible when something bad happens. But we can say what they are doing or not doing as the case may be. We can profile the bad guys.
There are more than a few bad apples among advertisers:
Scammers, people selling get-rich-quick schemes, quick weight-loss programs, instant credit, and so forth have found the online world to be a fertile place to practice their trade. If something sounds too good to be true, it probably is. That goes double online.

Online fraud can happen when a product or service you buy does not do what it was advertised to do.

Hackers can embed malicious code in advertisements and on sites that ads might take you to. They could steal your usernames and passwords, credit card numbers and bank information if you are not careful. They could erase your hard drive.

And these bad guys can be almost anywhere in the world, beyond the reach of authorities in this country.

Intermediaries go bad when they pay lip-service to privacy and security but then fail to live up to their own policies and market expectations. There is an interesting case where a firm called Gator several years ago had a form-filling browser plugin that people downloaded under false pretenses. The application was sending transaction data back to Gator for profiling purposes. Spyware protection programs were programmed to delete the Gator app. Gator sued them.

In the end, Gator reformed its ways and survived. Gator changed its name to Claria and now it is one of the more respected names in online advertising.

Trouble happens when intermediaries do not do a good job knowing their customers and vetting the ads they run. That is how the scammers and the hackers get access to legitimate web sites.

Web sites are also known as content publishers. They have more at stake and they can get away with less than the intermediaries. They are more likely to be blamed if something bad happens, whether it is their fault or not. But shame on them if they do not take reasonable precautions to prevent bad things from happening.

For example, banner ads containing malicious code that infects users' machines if they are not properly patched have appeared on, and other mainstream web sites. It wasn't their malicious code, but they should have made sure that the ads they displayed were properly screened.

Many mainstream websites are profiling their users' behavior and selling that information to advertisers. The least they should do is let their users opt-out of such profiling.

Advertising on social networking sites is a new frontier for behavioral profiling. MySpace recently opened its doors to targeted ads where MySpace will keep its data under wraps but sell access to various demographic and behavioral populations. So, MySpace or their agents will say to advertisers, if you advertise on MySpace, we can target your ads to girls taking drivers-ed classes or boys with severe acne. They claim that they will be careful not to let objectionable ads reach our kids. But how do they know what is objectionable?

7 - What is the upside or what are the benefits to consumers of behavioral profiling?

Marketers claim that behavioral profiling allows them to present fewer, more relevant ads to consumers. But that is not sound economic reasoning. If the marginal return from advertising expenditures rises, advertising expenditures will rise. Additionally, if advertising becomes more effective, more companies will engage in it, meaning that consumers will see more advertising, not less. Online advertising is growing at the rate of 20% per year. That means a lot more ads, not fewer.

The principal benefit to consumers is that advertising allows them access to almost all the content on the web for free. It is estimated that advertisers will spend $40 billion online this year, and that number is growing at a rate of 20% per year. which is owned by Microsoft started as a subscription news and opinion service. It failed to attract enough subscribers to make a profit. It switched to a free, ad-supported site and it is now making money.

One of Rupert Murdoch's first steps after acquiring the Wall Street Journal was to change its online content from a subscription model to a free, ad-supported model.

One commentator has said that the success of the internet in the market boils down to people's perceptions that, "It's all about me, and its all free."

8 - How can we protect our privacy and still enjoy free stuff?

We all can't. Some of us can. But like television, if everybody records shows and skips the commercials, the TV networks will die. So for now, some of us, like you and me, can block ads in our browsers and erase our cookies after every session. That will keep us safe, allow us to travel incognito, and still enjoy the convenience and content of the internet.

9 - What does the future hold?

In the future, there will be more information collected about people. Organizations will know much more about you and me. And there will be additional avenues for these organizations to reach out and touch you.

RFID tags will be embedded in everything we own. And tag readers will be everywhere we go, so not only will they know where we are at all times, they will know what we are wearing, everything that is in our handbags.

When you walk into a store, they will address you by name, and they will know your size and your likes and dislikes. As you drive down the street, a billboard may show you a message specifically for you. Your cell phone might ring to tell you that you missed your morning coffee and there are 4 Starbucks shops in the next block.

10 - Where can people find out more about this subject?

  1. FTC Town Hall Meeting: eHavioral Advertising
  2. Center for Digital Democracy
  3. Electronic Privacy Information Center

Monday, November 19, 2007

On Turning Document into Database

Imagine you have your contacts - names, addresses, phone numbers, spouses, children, etc. - done in Microsoft Word. Periodically you update it, print it and put it in a binder which you keep by the phone. You started doing this 20 years ago, and you have a lot of names and numbers. The information was entered over time without a lot of regard for standards and consistency. How it looked when printed was the only consideration. Entries in the document look like this.
Shakespeare, William
Stratford on Avon
or Globe Theatre
London, UK
phone: 707-727-9999)
Tel. 800-555-1212
Fax: (866) 555-4321
(Bill & Stacey. Stacey's cell

Now imagine that you want to migrate this information to Microsoft Outlook or other database application. This was the situation presented to us recently by a client. Unfortunately, it turned out that this was not a trivial piece of work; the Word document contained over 2,000 contacts.

The document had information in record-layout form, without consistent fields/delimiters. Before we could import the data into Outlook, we needed to identify and label fields in each and every record.

One of the File/Import options available in Outlook is a VCard format file. This allows one to import data in record-by-record form, where the records comply with the VCard specs. Initially, we went down this road only to find that the fields available in the VCard spec are too limited -- no spouses, for example; and Outlook only imports one(!?) record per VCard file. There are third-party apps that let you import into Outlook more than one record per VCard file, but the field limits were a deal-breaker.

So, as the job evolved, we ended up identifying fields in each and every record and converting the whole thing into tabular form, saving it as a Comma Separated Values (CSV) text file, and finally importing that into Outlook. Piece of cake? I wish!

The keys to success here are XML, Regular Expressions and XSL. You know how to use XML/XSL and Regular Expressions, don't you?

First, identify all the fields you are going to use. Hint: Use fields like the ones used in Outlook. Then establish your XML tags for each field: <lname>, <fname>, <mname>, <adr1>, ...

In Microsoft Word, clean up the file as much as possible; then, save it as a text file. We need it as a text file in order to use a Regular Expressions tool to perform complex search-and-replace functions, i.e., identify fields and insert our XML tags. Regexxer, a free, Linux tool, is ideal for this part of the job. But, depending upon the lack of standards and consistency in the document, this part of the job takes HOURS! We drastically underestimated the time involved.

When the long job of tagging the data document is completed, the text file should be made into an XML file and associated with an XSL file which you will create. This XSL file will transform the XML file into a CSV table in a browser. The final step is to copy and save the table and import it into Outlook.
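The field-identification step above, as an added example rather than the tooling used on the job: a Python script that applies the same kind of regular expressions regexxer would, but writes the Outlook-style CSV directly (folding the XML tagging and XSL transform into one pass, and leaving the CSV quoting to the csv module, which is where hand-rolled CSV usually breaks on addresses containing commas). The column names, the phone-label rules and the second sample record are assumptions made for illustration; the first record is the one shown above. Lines that match no rule are kept in a Notes column rather than dropped, so the Notes column doubles as the review queue for the hours of manual cleanup the post warns about.

```python
"""Regex-driven conversion of free-form contact records into an
Outlook-style CSV. Added example, not the original post's tooling: it
folds the regexxer -> XML -> XSL steps into one Python script. Column
names, phone-label rules and the sample records are assumptions."""

import csv
import io
import re

# Constructed sample: records separated by blank lines, in the loose
# style shown in the post (stray parentheses, inconsistent phone labels).
SAMPLE = """\
Shakespeare, William
Stratford on Avon
or Globe Theatre
London, UK
phone: 707-727-9999)
Tel. 800-555-1212
Fax: (866) 555-4321
(Bill & Stacey. Stacey's cell

Marlowe, Christopher "Kit"
Canterbury, UK
cell 555-0100
"""

COLUMNS = ["Last Name", "First Name", "Business Phone", "Mobile Phone",
           "Business Fax", "Address", "Notes"]

NAME_RE = re.compile(r"^\s*([^,]+),\s*(.+?)\s*$")
# Optional label, then a North American number in any common spelling;
# the area code is optional and the label picks the Outlook column.
PHONE_RE = re.compile(
    r"^\s*\(?(?P<label>phone|tel|fax|cell|mobile)?\.?:?\s*"
    r"(?:\(?(?P<area>\d{3})\)?[\s.-]*)?"
    r"(?P<exch>\d{3})[\s.-]*(?P<line>\d{4})\)?\s*$",
    re.IGNORECASE)
NOTE_RE = re.compile(r"^\s*\(")  # parenthetical remarks -> Notes

PHONE_COLUMN = {"fax": "Business Fax", "cell": "Mobile Phone",
                "mobile": "Mobile Phone", "phone": "Business Phone",
                "tel": "Business Phone", None: "Business Phone"}


def parse_record(block):
    """Classify each line of one record and return a dict of columns.
    Unmatched lines go to Address or Notes, never silently away."""
    row = {c: "" for c in COLUMNS}
    address, notes = [], []
    lines = [l for l in block.splitlines() if l.strip()]
    if not lines:
        return None
    m = NAME_RE.match(lines[0])  # first line is expected to be "Last, First"
    if m:
        row["Last Name"], row["First Name"] = m.group(1).strip(), m.group(2).strip()
    else:
        notes.append(lines[0].strip())
    for line in lines[1:]:
        m = PHONE_RE.match(line)
        if m:
            label = (m.group("label") or "").lower() or None
            local = f"{m.group('exch')}-{m.group('line')}"
            number = f"({m.group('area')}) {local}" if m.group("area") else local
            col = PHONE_COLUMN[label]
            row[col] = number if not row[col] else row[col] + "; " + number
        elif NOTE_RE.match(line):
            notes.append(line.strip().strip("()"))
        else:
            address.append(line.strip())
    row["Address"] = ", ".join(address)
    row["Notes"] = "; ".join(notes)
    return row


def to_csv(text):
    """Split the document into records on blank lines and emit CSV with
    proper quoting. Returns (rows, csv_text) so the rows can be checked."""
    blocks = re.split(r"\n\s*\n", text)
    rows = [r for r in (parse_record(b) for b in blocks) if r]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return rows, out.getvalue()


if __name__ == "__main__":
    rows, csv_text = to_csv(SAMPLE)
    print(csv_text)
```

Run it against the text export of the Word file and review the Notes column before importing: every line the regexes could not place ends up there, which is the quickest way to find the record layouts you have not written a rule for yet.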

Take it from me, this process works. Unfortunately, the time it takes makes it cost-prohibitive for all but the most cost-insensitive clients.

Wednesday, November 07, 2007

Roll Your Own Ubuntu Desktop

If you want/need to roll your own Ubuntu installation, here's what to do.
  1. Using the text-install CD, install Ubuntu to the command prompt.
  2. Apt-get install the packages you need/want to manually configure.
  3. Configure those packages and get them working.
  4. Apt-get install any other packages you want (including dselect).
  5. Get your own or use my list of Ubuntu (Gutsy Gibbon) install packages.
  6. dselect the list.

Here's the background on this...

Following up on my post, Linux Distro Hop, I heard from a reader telling me where to find the text-install version of the new Ubuntu 7.10 (Gutsy Gibbon). Either I missed the link to it the first time around, or they added the link to it sometime after the time I was first looking for it (a day or two after the formal release). In any case...

Let's recap. I have this dual-processor, dual-video card machine that was originally built as a high-end gaming machine. The motherboard was one of the first dual-processor boards. It has a low-end ATI GPU on the motherboard, and there is an Nvidia Geforce3 video card. My plan was to load Linux/Ubuntu on it and repurpose this machine (as a VMware server).

Unfortunately, the Ubuntu LiveCD would not run on the machine. The video card situation confounded Ubuntu. After trying with varying success to load different Linux distros, I settled on Debian because it is the basis of Ubuntu. That's when I posted Linux Distro Hop.

Because Debian worked, I was confident that Ubuntu should work. So, armed with the text-install for Ubuntu, I decided to try again.

Unfortunately, the text-install does not do much in terms of de-obfuscating the Ubuntu installation process. Virtually everything is done automatically, without user input. Like the LiveCD, the text install got hung up and failed. No error messages and no indication of what the problem was. Based on my experience with the various distros, however, I knew that the video cards, drivers and the Xserver configuration were causing the install to fail.

It was with some exasperation that I surveyed my options. On the text-install CD, I noticed that it offered "Install to a command line."
  • Let's see if that works...  It does! That's progress.

Feeling my way forward, I apt-get installed xserver, and edited xorg.conf to use the Nvidia Geforce3 video card.
  • Let's see what happens when I startx...  It works!

I apt-get installed gnome, and I was well on the way to rolling my own Ubuntu!! But then I thought,
  • How am I going to know what all packages I need to apt-get install before I can call this Ubuntu Desktop. And I don't want to overwrite or otherwise break what I've done already.

Fear not! It turns out that it is a simple matter to obtain a listing of all the packages installed on a given Debian/Ubuntu system. So, if you are like me and have a Ubuntu system that is pretty much the way you want it in terms of apps, codecs and proprietary drivers, you can list that machine's packages to a file, move the file to your roll-your-own machine and dselect all those packages in a single command. And, as if that was not cool enough, packages already downloaded and installed are NOT COPIED, so you won't undo what you've already done. Whew!

To do this, I followed arsgeek's guidance (don't be distracted by the comments). In case you don't have a machine to base your work on, here is the text file I generated. It is all the packages installed on a Gutsy Gibbon desktop machine, including sound and video players and codecs to let me access most/all(?) multimedia around the net. It also has KeePassX that I recommend...

You can use this file (save and rename it) as described by arsgeek to roll your own Ubuntu desktop. I did and it worked like a charm! Roll on!

Wednesday, October 31, 2007

Short Vs. Long

Do you know the old saying, "I didn't have time to write you a short note so I wrote you a long one instead?" In other words, it takes more time to be succinct, to know exactly what you want to say, to choose your words, than it does to free associate. It's hard to be pithy.

Relative to other bloggers, my postings tend to be long. I know that most people who stumble across my blog will not bother to read everything I have to say -- they won't bother to scroll down. Or they'll click through without reading anything because there aren't any pictures.

But long and short need to be qualified by content or depth of meaning. Given a choice between a short note with no meaning versus a longer, well-written note with rich content, I prefer to run longer.

Here's another pithy old saw, "Don't bite off more than you can chew." In other words, keep it simple, stupid. Because it's not only about how much you can chew, it's also about how much your readers can swallow. Most readers can't swallow more than a few bites.

In France, to make goose liver pâté, they hold the bird's mouth open and jam food down its throat. Don't try this on your readers!

Based on the small number of hits and the short average time a visitor spends on my blog over the past year, it is clear that my approach is not attracting and keeping readers. Coming soon... Pictures!

Friday, October 26, 2007

Linux Distro Hop

I tried to run the new Ubuntu release, 7.10 (Gutsy Gibbon), last week on a weird-ish machine (two processors and two video cards -- one a PCI card and one on the motherboard). It wouldn't run. Instead the live CD churned a bit and stopped, then dumped the screen to a BusyBox command-line prompt. I chimped on the keyboard a bit before giving up.

I decided to see if some other Linux distros could conquer that box. Ubuntu 7.04 failed like 7.10. PCLinuxOS gave me an X-Window, but it didn't look good. I've got Ubuntu running on a bunch of machines now, and I don't want to have to learn to use the new menu structure of the PCLinuxOS GUI. I decided to move on.

Debian worked, and that is sufficiently close to Ubuntu to look and feel comfortable to me. But that set me to wondering why, if Debian works, Ubuntu doesn't. I think Debian worked because it uses a text-based install, and I was able to indicate the video card and driver I wanted to use.

Back to Ubuntu. According to the documentation I found, there is supposed to be a text-based install option for Ubuntu 7.10 on the "Alternate" CD. Turns out that for now, that is not correct. The Alternate CDs I downloaded from different servers, none of them had a text-based option, at least not from the initial menu.

For now I am using Debian on that weird-ish box. Debian is a little different (Iceweasel = Firefox). Debian appears to be a bit more dogmatic than Ubuntu about open source purity. This may or may not be a problem. I'll keep you posted.

Monday, October 22, 2007

What's Cool About Virtualization

What's all the buzz about virtualization and VMware?
  • By consolidating servers, many of VMware's 20,000 customers have managed to cut IT costs by 50% or more and increase utilization, productivity and efficiency.
    • That should make the finance boys and girls happy.
But here's what I think is cool about virtualization:
  • The "computer" will cease to exist. The network will be the computer. And it will be a much bigger and more powerful machine than I could ever afford.
    • Sun Microsystems was right! -- if only 10 years too early.

  • Forget the "Triple Play" - telephone, Internet and Cable TV - that companies are offering now. Virtualization will provide a "Home-Run" (that's a four-bagger: communication, automation, entertainment and security) to make it seem like we are all living at the Jetson's Sky Pad Apartments.
    • Virtual reality, artificial intelligence and lots of bandwidth under the hood.

  • Many "computer problems" today are the result of user errors. Take the computers away and life will be swell for users (AKA everyone).
    • A small number of IT pros (real and virtual) will keep everything on the holodeck running smoothly.
Let me know what you think is cool about virtualization. Leave me a comment.

Tuesday, October 09, 2007

Interstate Swimming

When you swim from one state to another state; e.g., from Maryland to Virginia and back again, that is interstate swimming.

I am pleased to report that current conditions for interstate swimming in the Washington, DC area are excellent. The temperature of the Potomac River is in the mid 70's, the river is low, and the water is relatively clear.

Yesterday I swam solo from Maryland to Virginia and back again. This is not as crazy as it sounds, because you can see the bottom much of the way across, and you can touch the bottom at frequent points in the crossing.

FYI, the health of the Potomac River now is better than it has been in years past. Plant and fish life are in greater evidence than they have been in years past. Another member of the Interstate Swim Team has reported a rash, which may or may not be related to interstate swimming. I have not had any problems.

Tuesday, October 02, 2007

Practical(?) IT Security:
10 Policies & Procedures

As a follow-up to my posting containing 10 Practical IT Security Counter-measures, here are policies and procedures that I recommend that organizations and households adopt to enhance security. These are listed in no particular order. I am not sure how practical these recommendations really are. After all, even I violate one or two of these from time to time.
  1. WiFi is a security problem. Encryption is good, but it doesn't deal with the reliability problem. Wire your network. Yes, it is more expensive and troublesome to set up a wired network. However, you will have very little trouble with wires once you've got them installed. You won't have to worry about encryption, interference and eavesdropping. You'll be able to upgrade and integrate your different networks (data, voice, video, etc.) over time.
  2. Portable storage devices (laptop PCs, notebook PCs, PDAs, smartphones, USB thumb drives, etc.) are security problems. Avoid them if possible. When there is a strong business case to get a portable device, strong passwords shall be required for access and data shall be stored in an encrypted "vault" on the device.
  3. Strong security shall be required for access to each PC and local-area network services. Fingerprint readers, two-factor authentication schemes, complex passwords, etc. are acceptable approaches to strong security.
  4. All electronic work (documents, data, emails, etc.) shall be stored on network file storage devices. Portable devices shall be docked periodically and files synchronized to network storage.
  5. Network file storage shall be automatically backed up according to a security plan/schedule.
  6. All work (electronic and hard-copy) shall be archived and destroyed according to a security plan/schedule. Keeping information for longer than you have or need to exposes you to potential liabilities.
  7. No downloading or listening to music. Downloading music is often illegal. Listening to music uses bandwidth which may be scarce.
  8. Never send an email that you would not be comfortable seeing taken out of context and printed in the newspaper under your byline. Emails have a way of coming back to haunt you and/or the company.
    • Do not send or forward jokes, pictures, videos, etc. via email. It is hard to know where they will end up, and they can backfire. Videos especially take up valuable bandwidth and storage space in your mailbox.
  9. 90% of all email today is SPAM. SPAM can contain viruses, adware and spyware. It also takes up scarce bandwidth and mailbox storage.
    • Delete, do not open any email you are not expecting.
    • Turn off the "preview pane" in your email reader because viewing a message in the preview pane constitutes opening an email. Sometimes when you open an html-formatted email, it communicates back to the sender, validating your email address, inviting more SPAM.
    • After receiving an unwanted email message from a sender, do not try to "opt out" of receiving further messages. It probably won't work and it serves to validate your address for the SPAMMER.
    • Do not take the time to report SPAM to "the authorities." It is not your job to police the net.
    • Do not put your email address on your website. Use a web form instead that lets people send a message to you from their browser.
  10. Email messages are not secure unless you encrypt them. Encrypt emails that contain confidential information such as user names, passwords, account numbers, health information, etc. It is not hard to do. But, if your correspondent is not able or willing to receive encrypted email, fax confidential information instead.
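How an HTML message "communicates back to the sender" (item 9 above) deserves a concrete look, so here is an added example that is not part of the original post: the message carries an image fetched from the sender's server, and the image URL is unique to the recipient, so the fetch itself reports that the address is live and the mail was opened. The script scans a constructed sample message for images loaded over the network, flags the one-pixel or hidden ones, and checks whether the recipient address appears in the URL in plain, URL-encoded, base64 or hashed form. The sample HTML, host names and query parameter names are made up for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def address_forms(address):
    """Ways a sender commonly embeds the recipient address in a beacon URL:
    plain text, base64 (standard and URL-safe) and common hex digests."""
    raw = address.strip().lower().encode()
    forms = {raw.decode()}
    forms.add(base64.b64encode(raw).decode())
    forms.add(base64.urlsafe_b64encode(raw).decode().rstrip("="))
    for algo in ("md5", "sha1", "sha256"):
        forms.add(hashlib.new(algo, raw).hexdigest())
    return forms


def find_remote_images(html, recipient):
    """One record per image that is fetched from the network when the message is rendered."""
    parser = _ImgCollector()
    parser.feed(html)
    forms = address_forms(recipient)
    records = []
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images travel inside the message: no fetch, no beacon
        decoded = unquote(src)
        haystacks = (src, decoded, src.lower(), decoded.lower())
        width, height = img.get("width", "").strip(), img.get("height", "").strip()
        style = img.get("style", "").replace(" ", "").lower()
        records.append({
            "host": urlparse(src).hostname or "",
            "tiny": width in ("0", "1") or height in ("0", "1"),
            "hidden": "display:none" in style or "visibility:hidden" in style,
            "tagged": any(f in h for f in forms for h in haystacks),
        })
    return records


def likely_beacons(html, recipient):
    """Remote images that look like open-tracking beacons rather than content."""
    return [r for r in find_remote_images(html, recipient)
            if r["tiny"] or r["hidden"] or r["tagged"]]


# Constructed sample message (not a real mailing); the recipient is user@example.com
# and the tracking pixel carries that address base64-encoded in its query string.
SAMPLE_HTML = """<html><body>
<p>Big savings this week!</p>
<img src="cid:logo@example" width="200" height="60">
<img src="https://track.example.net/open.gif?u=dXNlckBleGFtcGxlLmNvbQ==&amp;c=1234" width="1" height="1">
<img src="https://img.example.net/banner.jpg" width="600" height="100">
</body></html>"""

if __name__ == "__main__":
    for rec in likely_beacons(SAMPLE_HTML, "user@example.com"):
        print(rec)
```

The banner image is also fetched remotely, so it too tells the server that some reader rendered the message; what makes the pixel worse is that its URL identifies which reader. A mail client that blocks remote images by default (or a preview pane that is switched off) stops both fetches, which is the practical check behind the advice above.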

Monday, September 24, 2007

Top IT Security Threats &
10 Practical Counter-Measures

Here are the top IT security threats that your organization faces:
  • Your people. The "inside job" has always been and remains the biggest security threat you face. While innocent mistakes are more frequent than deliberate malfeasance, the results are often the same.
  • Your equipment.
    • When your equipment fails (when, not if) you may be out of business. It may be for only an hour or a day or a week or forever if you lose all your accounting and customer data.
    • Portable devices are especially prone to failure, and they are easily lost or stolen.
  • Your software. Remember the Y2K bug? You know how Microsoft is constantly releasing security patches and upgrades to its products? If you don't keep up with patches and upgrades, you may be visited with viruses and/or potential attacks from hackers. If you do apply patches and upgrades, one of them may interfere with your normal operations in an unforeseen fashion. (The iPhone's recent patches issued by Apple disabled many 3rd party applications.)
  • Email.
    • Emails are almost never encrypted, and they are being "read" and stored at various points en route. The government, your Internet Service Provider, your email service provider and others are able to monitor your message traffic.
      • Dissidents were jailed after Yahoo! turned over email correspondence to the Chinese government.
    • After your messages reach their intended recipients, there is nothing technologically to prevent any message from being forwarded to other people, friends or foes.
  • Web surfing. Web technologies have advanced in recent years. Many web sites now provide personalized content from many different sources for users (mash-ups). News, entertainment, data analysis, advertising, games, etc. are commonly brought together by web sites today. Black-hat hackers are using these new web technologies in clever ways, exploiting browser capabilities/holes to execute scripts, and infecting user machines with viruses, adware and spyware.
  • Human nature presents a host of security problems.
    • Some people/organizations expect to buy a product that they can install that will solve all their IT security concerns. If/when they don't have the latest and greatest products, they may suffer excessive fear. If/when they do have the latest and greatest products, they probably have a false sense of security.
    • Some people/organizations are happy to hide their heads in the sand when it comes to IT security. Bad things happen to other people, not them. Nothing's going to happen if they don't do their backups one day.
    • Using SPAM, phishing, and other high- and low-tech schemes, hackers exploit human nature in a variety of ways to get people to reveal valuable information like usernames and passwords, account numbers, customer data, trade secrets, etc.

Here are the 10 practical security measures that I recommend you take to deal with security threats:
  1. Articulate policies and procedures related to the appropriate use of information technology (data, hardware, software, the local network, email and the Internet).
  2. Educate employees regarding IT and their responsibilities. Monitor employee compliance with policies and procedures. Reward compliance and/or punish non-compliance.
  3. Provide continuing education/training to employees to keep pace with changing technology and changing policies and procedures.
  4. Replace older systems (hardware and software) with newer systems. Anything over 5 years old should be replaced because systems that old are likely to fail soon.
  5. Re-engineer business processes to apply new information technologies to enhance security and improve your product/service quality.
  6. Establish the business case for providing portable equipment to an employee. Require strong passwords and disk encryption on portable computers, in case they are lost or stolen.
  7. Develop and implement an automated process for backing up your systems and data.
  8. Apply patches and upgrades as they become available on all non-mission-critical systems. Test patches and upgrades prior to applying them to mission-critical systems.
  9. Develop contingency plans to deal with various possible scenarios (server failure, employee terminated, power blackout, snowstorm, fire, pandemic, etc.). Run tests to validate plans. Update plans as circumstances change.
  10. Every organization beyond a certain size needs to have a Chief Information Officer reporting to the President or other top executive with the mandate to make IT security a top priority for the organization. Otherwise, the President and other top executives may not have the technical knowledge they need to make good IT decisions.

Thursday, September 20, 2007

What?! More...

Lots of hearing aids are "Telecoil (T-coil) equipped." T-coils are designed to pick up electromagnetic signals, as opposed to microphones which register acoustic signals.

Certain telephones, cell phones, and assistive listening systems in public places (theaters, museums, etc.) produce electromagnetic signals. T-coil equipped hearing aids are supposed to "inductively couple" with such electromagnetic devices/systems to provide clear, amplified sound through the hearing aids. If you want to learn more about the technology, click here.

Few in North America know much about T-coils -- Europeans are said to know and use them more. My audiologist knew virtually nothing about the technology, and she has a Au.D.

Few of the hearing-impaired in the USA are using their T-coils. In my own case, I initially tried to use the T-coils in my new hearing aids with several different telephone handsets at home and at work. In each case, when I switched my hearing aids to T-coil from microphone, I couldn't hear the caller.

In retrospect, my hearing aids were not coupling inductively, probably because the electromagnetic signals in the ear cups were too weak. At the time, I didn't know better; I just thought that T-coil technology sucked.

When I questioned my audiologist about my experience, she gave me a small, rare-earth magnet to put in the ear cup which she said would boost the electromagnetic signal. Not! It turns out that what the magnet is supposed to do is switch certain automatic hearing aids from microphone mode to T-coil mode, not boost the telephone's electromagnetic signal.

In spite of the misadventures and misinformation, I struggled on, albeit with lowered expectations. Based on a few glowing testimonials that I came across in the course of my research, I decided to try an inductive loop. Luckily, my new cell phone is a Nokia 6086 (remember the Europeans know about T-coils). Furthermore, Nokia makes an inductive loopset (LPS-4) that fits the cellphone model I have. Online, people are selling the Nokia LPS-4 for anywhere between $35 - $100. I paid $35, which included shipping.

When the unit arrived, there was a fat instruction book, with 3-4 pages of instructions written in just about every language on earth. The device is very simple; almost idiot-proof. Plug it into the cellphone, put the loop around your neck, and it should work. Switch your hearing aids to T-coil (one ear or two), place a call and the sound comes through loud and clear. A voice pick-up and call-answer button are located on the loopset, so your phone can stay in your pocket, except to dial.

My cellphone has a radio on board so I can listen to it during meetings and nobody is the wiser. While I can listen to music on my cell phone, the loopset only plays monaural sound.

In certain places, electromagnetic interference caused by certain electronic devices and/or machinery is a problem. Interference creates a buzzing sound in the ears which ranges from barely audible to somewhat distracting, depending on the call.

I was in love with my new Nokia 6086 cellphone before because of the Hotspot@Home feature. Now with my inductive loop, I am ready to marry it.

Wednesday, September 12, 2007

WiFi Nightmares

If you like a good fright, here are a few of my worst WiFi nightmares for you.
  • Homeowners sometimes feel that they have nothing to steal and nothing to hide on their home computers, and so they install WiFi networks without any security measures. But there is a wealth of information on any computer that bad guys can use to steal someone's identity, and that's only the beginning.

    Homeowners who leave their WiFi networks unprotected may have their data and applications erased. They may have spambots or other malicious hacker applications installed. Their machines may be employed to share illegal music files or distribute kiddie porn. Then, one day, the FBI will come knocking.

  • Students spend a lot of time on the Internet, much of that connected to wireless networks at school, at home or anywhere else they happen to be. Music file sharing, like underage drinking, is illegal, but it happens. When it does, students can compromise the performance and security of the networks they are using and they can get arrested and/or get kicked out of school.

  • Business executives usually need to have file and print sharing enabled on their laptops for when they are in the office. On the road, many of these men and women check their email and surf the web in airport lounges, at Starbucks, in their hotel rooms, or anywhere else they find an open WiFi network.

    Unless a road warrior takes steps to protect him/herself, anyone else on an open WiFi network can scan his/her shared files and folders, looking for credit card numbers, usernames and passwords, trade secrets, and other confidential information. On line and on the road, opportunities for identity theft, insider trading, industrial espionage, blackmail or just plain embarrassment abound.

  • Professional people -- doctors, lawyers, accountants, investment managers, etc. -- have ethical responsibilities to exercise care and judgment in the conduct of their affairs. If they don't, they may face sanctions including disbarment, client outrage, fines, and even jail.

    Down the street from me, near a hospital, there is a "Professional Building" with offices for doctors et al. Standing outside the office building, wardriving, you can pick up several unencrypted, open network signals. Doctors' offices have lots of valuable information that bad guys would love to have for the purposes of committing identity theft, credit card fraud, prescription forgery, et al.

    WiFi security is a dicey proposition. It is not something that many lay-people understand. All they know is that implementing security complicates matters both in terms of initial network setup and ongoing operation. So, many people forgo security entirely, preferring to think that nothing bad is going to happen to them.

  • Troubleshooting WiFi networks is a time-consuming process which does not always yield a positive outcome. A positive outcome is defined as a happy ending that doesn't cost a lot. A happy ending is fast, reliable Internet/network access.

    But, if there are dead spots in your WiFi coverage area or if your Internet access is slow or intermittent, it could cost you a lot in terms of dollars and frustration to identify the cause and resolve the problem.

    Let's say you live in an apartment and one of your neighbors has an old cordless phone that operates in the 2.4 GHz frequency range. Whenever that phone is in use, your WiFi network crashes. Let's assume that you know nothing about the neighbor's phone. You only know that your network keeps crashing.

    So you summon a technician to resolve the problem. The first (and only?) thing a technician can do is undertake a process of elimination to isolate any hardware or software issues that might be causing the problem.

    Imagine that the network crashes while the technician is there because the neighbor makes a phone call. While the network is down, the technician swaps out your access point. Meanwhile your neighbor gets off the phone, so when the new access point is installed, your WiFi is working. The technician declares victory, gives you a bill and leaves. This temporary "solution" has cost you a couple of hundred dollars.

    There are tools (radio frequency spectrum analyzers) that can identify WiFi interference from cordless phones, Bluetooth devices, microwave ovens, radio jammers and other sources of electromagnetic noise. But these tools are expensive, and they work better in the lab, in the hands of radio engineers, than they do in the field, operated by your average computer technician.

WiFi, when it behaves, is a pleasure to be around. But very often, WiFi is like a difficult child who does not always behave. It doesn't care who you are, or how much you've spent on your laptop. "You are not getting an IP address from me today, mister!"

If you have a WiFi nightmare you want to share, please post it here. TIA.

Friday, September 07, 2007

Attention Nats fans...

Thursday's 12:30 PM flight from Portland, Maine to BWI was full. Every seat was taken on this mid-week, mid-day, post-Labor Day flight for one simple reason. Red Sox fans in Maine were making the trip to Baltimore to watch their team play the woeful Orioles Thursday evening.

Baseball was absent from DC for a generation, so we are still gaining a taste for the game and the Nationals. It is amazing to us how it is some days that there are almost as many fans at RFK stadium rooting for the Tigers, Mets, et al. as there are Nats fans. We have also come to expect that good seats will always be available at game time and that nobody has to pay full price for admission.

Meanwhile, the ups and downs of people like Dimitri Young, Ryan Zimmerman, Brian Schneider, Jesus Flores, Nook Logan, Christian Guzman, and Austin Kearns have been highly entertaining. It has been gratifying to see young pitchers like Matt Chico, Joel Hanrahan, Jason Bergmann, Levale Speigner, Chris Schroder, Mike Bacsik, et al. come up and perform better than anyone expected. It has been inspiring to watch the Nats play tough in almost every game, win or lose. And when they do win, it is heartwarming to see the players celebrate as a team like a bunch of boys having fun.

The crowd at RFK most days is pleasant, relaxed and well-behaved. Women and children probably outnumber the men. It's good, clean family fun. It's not Yankee Stadium or hockey or the NBA.

So kudos to the Lerners, Stan Kasten, Jim Bowden, and Manny Acta. Build it (the team), and they (the fans) will come. Who knows, maybe one day plane-loads of Nats fans will travel far and wide to watch their team play.

Wednesday, September 05, 2007

T-Mobile delivers a surprise.

In a recent post, I pointed out that T-Mobile says on its web site that the Nokia 6086 hotspot@home phone is "Temporarily Out of Stock." At the same time, existing customers can login and order the phone from T-Mobile as an upgrade.

In my post, I speculated that perhaps T-Mobile had a stash of these phones which they were rationing to their existing customers. But then I asked myself, "What would T-Mobile do?" And I concluded that they probably were going to take my money and tell me to get in line. They'd fill the order at some distant future date.

After placing the order late last week, I got a text message from T-Mobile on my old phone, acknowledging the order/upgrade. A good sign, but no shipping info. Over the weekend, I tried to track a shipment as per T-Mobile's generic instructions (UPS tracking code = phone number), but UPS had no data. Not a good sign.

Then, on Tuesday, following the Labor Day holiday, the UPS truck pulls up and delivers the Nokia 6086 phone to me. Five minutes later, I'm on my new phone, calling T-Mobile to upgrade my service to hotspot@home. Five minutes after that, I'm on my wireless network making and receiving calls. VERY SWEET!

So, for now, I regret the aspersions I cast towards T-Mobile. I am a satisfied customer.

Thursday, August 30, 2007

T-Mobile Hotspot@Home

<rant>Reviews have been critical of T-Mobile for launching its Hotspot@Home service with only two phones to choose from; and, even worse, critics say, both phones are lacking sex-appeal.

Now, if you go to T-Mobile online to shop for a Hotspot@Home phone, you find that the Nokia phone is "Temporarily Out of Stock." Your only option is the Samsung. Is this any way to launch a new service!? Didn't their market research/testing tell them what the demand would be?

Next time, T-Mobile, ask yourselves, "What would Steve (Jobs) do?"</rant>

Good news for current T-Mobile customers like me who want to "upgrade" to the Nokia Hotspot@Home phone. You can do it online, after you login using your T-Mobile phone number and password. Apparently the "Out of Stock" situation applies only to new customers.

I'm hoping they have a stash of these phones that they are rationing to their existing customers. Although, if I ask myself, "What would T-Mobile do?" I have to expect that they are going to charge my credit card and then come back and tell me the phone is back-ordered. "We'll ship it to you just as soon as it comes in." ...

I'll let you know what happens.

Wednesday, August 29, 2007

Listen To Me

I get paid to speak to organizations and groups from time to time. It is not that I know anything special or that I have accomplished great things. What I speak about is business and/or information technology; conventional wisdom is my stock-in-trade. My talent, if I have one, is that I can make my talks entertaining and informative for my audience.

Over the past several months, I have appeared twice as a guest on Tech Talk. Tech Talk is a show on KFNX radio in Phoenix.
  • "How to give your old PC a new lease on life." Broadcast live on May 20, 2007.
  • "Practical precautions for protecting yourself from identity theft." Recorded July 27th, 2007. Broadcast August 5th, 2007. (This recording will be available online shortly...)
Let me know if you need a speaker for an upcoming event. Click here to contact me.

Tuesday, August 21, 2007

Cellphones - No!

I spent the last two weeks on an island in Maine. Miles from the mainland, cellphones don't work on the island (with rare exceptions).

Things change relatively slowly on the island. Social networking is done the old-fashioned way, face-to-face. But, change there is not limited by economic considerations. There's plenty of money. The community can afford cellphone service; people don't want it.
Smart with money doesn't (always) mean smart with IT... VHF radios have been used in Maine's waters for years for ship-to-ship and ship-to-shore communications. Even though it is easy to eavesdrop on VHF conversations, people use them instead of secure cellphones, even though cellphones work in many near-offshore waters. Once I overheard a vacationing investment banker call his office on ship-to-shore radio to discuss deals that were being worked.

I don't believe you would be guilty of insider trading if you heard about an acquisition on VHF before it was announced and decided to make a quick killing.

Technological changes come to this island slowly, after some form of consensus is reached on the desirability of change. So, it is perhaps informative to know that broadband Internet access has arrived via point-to-point wireless transceivers in many places on the island while cellphone towers are nowhere to be found. In this community, it appears that cellphones are not essential, but high-speed Internet access is.

What's the significance of this finding? It is hard to say, but if this sophisticated society regards cellphones as undesirable, perhaps the day will come when no one sees cellphones as status symbols.

Want to know what other technologies are in vogue and which are louche on the island?

What's Hot?

  • Boston Whalers with big engines.
  • GPS for marine navigation.
  • GPS for determining how far from the hole your golf ball is (e.g., SkyCaddie).
  • Notebook computers for teleworking.
  • Netflix, DirecTV, HDTV for watching TV on rainy days and quiet nights.
  • Digital cameras for Christmas Card shots of the family.

What's Not?

  • Drug boats and jet skis are nowhere to be found.
  • GPS for in-car use.
  • Bentleys, Maseratis, Aston Martins, etc.
  • PC workstations.
  • Video cameras.

Conspicuous consumption is limited to some degree by the year-rounders practicing aggressive wage/cost inflation and by passing ordinances and taxes on the summer folk. The summer folk police themselves using gossip and by ostracizing those who do not conform to certain unwritten and flexible standards.

Thursday, August 02, 2007

Getting older is a bitch!

Ralph - Sorry. I assumed that my memory had failed me and that I had forgotten to send you the invoice. (I didn't think to see if it was paid already.) Turns out my memory did fail me, and I forgot that I did send you the invoice.


Wednesday, August 01, 2007

Cheating in the Pool

Yesterday, the Washington Post had a story about a new line of swimsuits from Speedo, the FS-Pro, that all the top competitors are wearing because it provides a big performance boost. World records are falling by large margins. In June, swimming's oldest record -- Janet Evans's 1988 mark in 1,500-meter freestyle -- was beaten by Kate Ziegler, wearing the new suit, by almost 10 seconds.

These swimsuits should be banned in competition, in respect for the efforts and accomplishments of past swimmers. If Kate Ziegler swam her record-breaking 1,500-meter freestyle wearing flippers on her feet, she'd have been disqualified. What's the difference between wearing this new suit and wearing a pair of flippers?

Cynics say that elite-level sports are more about entertainment than competition. In the world of sports entertainment, people want to see records broken, or so the thinking goes. But for Major League Baseball, at least, records have a certain sanctity. Kudos to baseball for refusing to allow the aluminum bat and a livelier baseball to increase scoring. And as Barry Bonds, Mark McGwire et al. have found out, taking performance enhancing drugs, even when they haven't been banned, is regarded by fans, if not the game itself, as cheating.

In the past, technology has improved swimmers' performances and times.
  • Pools and lane dividers have been improved to reduce turbulence and improve swimmers' times
  • Technology used in training and coaching has helped athletes improve their conditioning and their technique -- reducing their times.
There is an interesting article in today's Washington Post that explores the black, white and grey areas of cheating and performance enhancement in sports. With advancements in technology, black and white are disappearing. Games are now decided on the playing field, in the testing labs, and in the courts of law and public opinion.

So, swimming fans, get your opinions ready and let the powers that be know that the FS-Pro suit is for cheaters only.

Monday, July 30, 2007

Answers About ID Theft

What is “Identity Theft?”

Identity theft is a slippery subject. The words conjure up images of body snatchers and zombies from old movies. The connotations are very negative.

The news media likes the term, because it is sensational. And so, they use it fairly indiscriminately. I saw a story recently titled, Laptop Thefts: The Latest Form Of Identity Theft. I've also seen purse snatching and dumpster diving described as Identity Theft.

Opportunistic business people have grabbed on to the term also. There are more than a few companies hyping the “problem,” and offering various products and services to deal with it. Ironically, or is it predictably, many of these products are regarded by the experts as being overpriced and unnecessary.

Identity theft occurs when a fraud or other crime is committed by a person masquerading as someone they are not. The person being masqueraded is the victim of identity theft, assuming they are not involved in the fraud.

It's a big problem, isn't it?

In one sense it is. For example, I bet many people listening to us have been or will be victims of Identity Theft. A couple of years ago, I was. Someone charged an expensive plasma TV at a store in the UK using a counterfeit copy of one of my credit cards.

On the other hand, I would much rather be the victim of identity theft than the victim of the fraud. All I had to do was call the credit card company and explain that the charge was not mine. The store was left holding the bag. They were out several thousand dollars after the credit card company reversed the credit.

In most cases the identity theft victim suffers no loss and no out-of-pocket expenses. However, in some cases, people are denied loans, miss out on promotions, and/or are falsely arrested for crimes. A large portion of all ID thefts are done by family members. And in many of those cases, the victim will pay the bills rather than have their family member arrested and prosecuted.

What are people doing to protect themselves from ID theft?

It varies. As I said, there are products and services available. Some people have bought ID theft insurance. Stand-alone ID theft insurance is relatively expensive. If you have homeowner's or renter's insurance, you can get an ID theft insurance rider for a fraction of the cost.

You can contact each of the credit bureaus and put an alert on your information requesting that no credit be extended to your name without contacting you. If you live in Texas or California, you can put a freeze on your credit report. But credit card companies are famous for sending out pre-approved credit cards to people in spite of these alerts. And these can be grabbed by family members or somebody looking in your mailbox. You can go to to opt-out of such mailings. This is supposed to work like the “do not call” registry.

Some companies sell services designed to handle the work involved putting alerts on credit reports, opting out of pre-approved credit cards and requesting your annual free credit report.... On the one hand, these services are pricey. On the other hand, they make sure the right things get done.

Increasingly people are shredding their bills and papers before they throw them out.

Some people avoid online shopping and online banking. But, experts say that online shopping and banking is more secure than providing your credit cards, checks, deposit slips, etc. to clerks and tellers in the real world.

Most people don't do anything intentionally to avoid identity theft, except worry about it.

Fortunately, however, many of us are doing the right thing in terms of protecting our computers from hackers, viruses and malware. In doing so, we are also making it difficult for the bad guys to steal our usernames, passwords, account numbers, etc. Many of us know better than to open emails from people we do not know. Many of us know better than to click on browser pop-ups that tell us we've won a prize.

Do these steps work?

Under specific scenarios they work. Shredding your trash will protect you from dumpster divers. ID theft insurance does only what the fine print says it will, which is generally not much. Credit monitoring services remember for you and provide you with credit reports. But no anti-virus program will stop every virus. And none of these steps will protect you if your name and social security number are stolen or lost by an employee at your bank, your doctor's office, the government ...

What else should people do?

Protection is the best Prevention. Do what you can to protect your personal information from being discovered.

Use a firewall and antivirus software. Download and install security patches and upgrades for your computer software. Security patches can be downloaded and installed automatically. Upgrades usually are not automatic. For example, Internet Explorer 7.0 is something you have to choose to install, and you should. Browser security is a big problem nowadays.

Usernames and Passwords are the only security we have on most of our online identities. And most of us have not followed best practices in terms of selecting them, keeping them safe and changing them regularly. Most people choose usernames and passwords that are easy to remember rather than secure. Most people choose a small number of usernames and passwords that they use for many different accounts and identities. Many people never change their passwords. Many people have their usernames and passwords written on paper beside their computers or in an unencrypted document on their computer.

I use a tool that generates long random passwords and stores them in an encrypted database. It is called KeePass. It is free software. You can get it at I have it on a USB flash drive that I always carry with me on my keychain, so I don't have to remember all those unintelligible strings. I copy and paste them into the login fields on the different web sites I visit. Click here to read my Gimme KeePass.
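To make the two preceding points concrete, here is an added example (my illustration, not KeePass code and not part of the original post) of what a vault-style generator buys you. It draws each password from the operating system's cryptographic random source, computes how much guessing work a random password of a given length represents, and shows why reusing one password is the real problem: given a constructed set of accounts that share "Summer2007!", a leak at the least important site hands an attacker the bank and email logins too, while per-site random passwords leak nothing beyond the breached site. The account names and passwords are invented for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Character set the generator draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG (secrets), not random.random()."""
    if length < 12:
        raise ValueError("too short to be worth keeping in a vault")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing work for a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def reused_passwords(accounts):
    """Map each password shared by more than one account to the accounts that share it."""
    by_password = defaultdict(list)
    for site, password in accounts.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposure_from_breach(accounts, breached_site):
    """Other accounts an attacker can log into once one site's password leaks."""
    leaked = accounts[breached_site]
    return sorted(site for site, pw in accounts.items()
                  if pw == leaked and site != breached_site)


# Constructed example of the "few passwords for everything" habit described above.
BEFORE = {
    "email": "Summer2007!",
    "bank": "Summer2007!",
    "forum": "Summer2007!",
    "shopping": "letmein",
}

# The same accounts with a distinct random password each, as a vault would hold them.
AFTER = {site: generate_password() for site in BEFORE}

if __name__ == "__main__":
    print("reused:", reused_passwords(BEFORE))
    print("forum breach exposes:", exposure_from_breach(BEFORE, "forum"))
    print("after the change, forum breach exposes:", exposure_from_breach(AFTER, "forum"))
    print("bits of work for a 20-character random password: %.0f" % entropy_bits(20))
```

A 20-character password from this alphabet represents about 131 bits of guessing work, far beyond any offline attack; the practical limit is not the generator but where the vault file and its master password live, which is why the vault itself is encrypted.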

But, no matter what you do, even if you do everything you can, you still might become a victim of identity theft.

Why is this such a murky issue?

I think it has to do with the nature of the crime. There is lots of information out in the world about each of us, but our identity is not stolen until somebody poses as us. We are not going to know when that happens except after the fact. Even then, we may never know for sure.

For example, many instances of “identity theft” are nothing of the kind. If/when you see a large wire transfer of funds out of your bank account that you did not order, and you call the bank and report it, the bank will restore your funds and investigate the matter. Chances are good that you will not hear anything from the bank about the results of their investigation. You'll never know if somebody hacked your computer and got your account information, if the Russian mob hacked the bank's systems, if a bank employee pulled an inside job or if it was an innocent keypunching error. The bank is not going to tell for fear of revealing something about its security systems and for fear of eroding confidence.

At the same time, the fight against ID theft is the only weapon that financial institutions can publicly wield against certain frauds, so even if it was only a typographical error, the bank is okay with having you think it was ID theft.

Does it make sense to fight ID theft in order to defeat electronic financial fraud?

This is a not a war with only one front. There is an overt war on ID theft and there is a covert war on electronic financial fraud. At the same time, I am not sure that the covert war is being fought in a way that helps the fight against ID theft.

What do you mean?

The frauds associated with ID thefts tend to be relatively small, around $5,000 while a hacker gaining access to its systems can cost a financial institution millions. These institutions are certainly doing everything they can to prevent big losses.

In terms of battling ID theft, I am not sure that the banks and credit card companies are doing their share. Charge cards are so profitable that banks and charge card companies are not going to take steps to prevent the fraud associated with ID theft if that might reduce the overall profitability of the cards.

  • Consider that the banks and credit card companies are usually able to avoid the losses arising from fraudulent card charges by reversing the payments to the merchants.
  • Consider also that many of these fraudulent charges are done by family members, and the card holders end up paying them anyway.
  • Finally, many of the institutions selling ID theft products and services are financial institutions.

So, the banks and charge card companies have little incentive to pursue their side of ID theft. At the same time, the merchants lack the resources and the information to pursue the bad guys. Ultimately, the losses associated with ID theft are passed on to consumers in the form of higher prices.

What does the future hold?

The war against ID theft will not be won without the concerted efforts of financial institutions. They are the only players in the game that can see the big picture. If there is an organized ring that is counterfeiting credit cards, the banks and credit card companies will know, but merchants and consumers will not.

Unless merchants or regulators force them into the game, identity theft will be a continuing problem. Unfortunately I don't see that happening.

What's your final word?

ID theft will be with us for a long time. It is not going to go away soon. Your vulnerability has more to do with your relatives, muggers and thieves than it does with electronic privacy and security. Electronic information and transactions are relatively safe because they are generally protected. So I want people to adopt best practices for safeguarding their computers and their networks. Use a firewall and antivirus software, download and install software patches and upgrades, and be smart about opening suspicious emails and browser links.

Monitor your credit reports and financial accounts. Take action quickly when you see something that you do not recognize.

Finally, I want everyone to improve the security of the usernames and passwords they have for online access to all their accounts. Increase the complexity of your passwords, use different passwords for each of the different accounts you have, and periodically change your passwords. Check out KeePass to help get you on the right path.

For further information, go to and

Monday, July 23, 2007

Save Our Privacy

According to the Washington Post this morning, all the major search engines are tightening their privacy policies in the face of mounting concern about the vast amounts of personal data they collect and store.

I don't like the idea of Google, Microsoft, Yahoo! or any other organization collecting, storing and analyzing data about my web searches and web surfing. They all say they do it "to improve the quality of their search services." As if that is sufficient reason for them to collect and analyze mountains upon mountains of data. Quality assurance/improvement is typically done using statistical analyses of relatively small, random samples.

We all have to use search engines to find information on the web. Individually, we are powerless to prevent the collection and storage of all that data about each of us.

What can you and I do about it? The only compelling reason for these companies to collect, analyze and store these vast amounts of data is to help them sell advertising and help their advertisers sell products. Take away the ad revenue, and they have no incentive to collect all that data. Take away the ad revenue, and they will not be able to afford to collect and store the data.

In the Firefox browser, there is a free extension that you can install that blocks most of the advertising on web pages served by Google, et al. Here's how you get the extension: in Firefox, select Tools/Add-Ons/Get Extensions/Adblock Plus to download and install the extension. Once you do, you will no longer see most of the ads currently running on the web.

As more and more of us do this, the money will go out of web advertising, and these companies will no longer have the incentive to collect all that data. Just the prospect of this happening is probably enough to get the search engines to stop amassing these mountains of data.

So, if you too are concerned about the activities of the search engines, you can do your part to stop them by using Firefox and Adblock Plus. Do it today.


Google assures us that it does not "profile" users for marketing purposes. However, Microsoft and Yahoo! both use the information they collect to profile users and "behaviorally target" advertisements to them. According to the Wall Street Journal, "Microsoft says that in testing in the U.S., behavioral targeting increased clicks on ads by as much as 76 percent."

Microsoft says that users will soon be able to opt-out of demographic ad targeting if they choose. Good luck finding out when and where to sign up for that, and does that cover behavioral ad targeting, too?

Governments around the world will be itching to see this information, and these companies will supply it to them. For example, last year, Yahoo gave a user's emails to the Chinese government, and those emails were used to jail a Chinese dissident. Google, for its part says, "Companies like Google are trying to be responsible corporate citizens," in complying with lawful (in each country) requests for data.

Maybe our elected officials will get involved and require adequate protections. For instance, Rep. Bobby L. Rush (D-Ill.), chairman of the House Energy and Commerce subcommittee that addresses consumer protection, says about Google's proposed acquisition of DoubleClick, "Concerns have focused not only on the implications for competition -- in online advertising and other possibly affected markets -- but also on the potentially enormous impact on consumer privacy." On the other hand, maybe Congress will renew the Patriot Act.

Tuesday, July 17, 2007


I recently found myself living in a strange and different world. People were speaking to me; I knew because their lips were moving, but I couldn't hear them. I suddenly had become "profoundly" deaf, which is the step beyond "severe" deafness.

As you might imagine, necessity being what it is, I have gotten smart about hearing aids. For instance, while Moore's Law has held sway in the computer industry since 1980, the same cannot be said for hearing aids. They are unreasonably expensive. $1,000 - $3,500 per ear, depending upon which device you buy. This is the same technology you'll find in an iPod or a smartphone, more or less. Music players and cell phones cost hundreds, not thousands of dollars.

Why do hearing aids cost so much!? Why isn't Apple making an iHear? Don't tell me it's a small, dying market. It could be twice the size of Viagra and those other ED meds. And Viagra used to sponsor a NASCAR race car! Phonak, the Swiss hearing aid manufacturer, sponsors a bicycle racing team.

The hearing aids business is a regulated and collusive affair. Everybody involved is making good money, and nobody wants to rock the boat. Potential newcomers face a daunting gauntlet of regulatory and institutional resistance designed to spoil change and protect the status quo. So patients/consumers pay through the ear for hearing aids.

I recently spent $2,600 for a pair of hearing aids. Before I have to replace these (average life of a hearing aid is 5 years), I want to foment change that will give people like me more options when it comes to hearing aids and LOWER COST. This isn't just about me saving some (serious) money, it is also about making these devices available cost-wise to a much larger segment of the population that needs them but cannot now afford them.

I don't want to fight the entrenched forces-that-be, because that would be too expensive and time consuming. And it probably wouldn't work.

Instead, I want to promote the development of assistive listening in mass-market mobile entertainment and communication devices. The makers of cell phones and MP3 players should want consumers to stick a set of earpieces in their ears and leave them on and in all day. That way, consumers will make more calls and buy more music.

The problem with this scenario is that people have to be able to have a face-to-face conversation with the people around them, without removing their all-day earpieces. They need to hear horns honking, sirens wailing, dogs barking, and children crying.

The solution will be to put capabilities in the devices to allow people to hear the world around them when they want or need to, through the earpieces, without removing them.

So, for the always-on-and-in mobile entertainment/ communication device scenario to happen, the makers are going to have to put "hearing aids" in these devices. And, once that happens, it should be a small matter to make these devices compliant with the Americans with Disabilities Act (ADA) by letting the hard-of-hearing (HOH) adjust the volume and the sound profile of the device to suit their needs.

In order to invest the HOH with the power of the pen on this issue, here is a list of some of the specifications that these devices will need to meet to satisfy the particular needs of the hearing impaired. Please feel free to comment if you have additions/corrections/etc. to this list:
  • Two problems, frequency-specific sensorineural hearing loss (loss of sensitivity) and frequency-specific loudness recruitment (reduction in dynamic range), are generally experienced by the HOH. Only a digital, programmable hearing aid that can dynamically shape individual frequencies will be able to deal effectively with both problems.
  • Users should be able to dock the devices to a PC to download updates and content and to program various functions, including hearing aid settings. Users should be able to input their audiogram data into the PC as a basis for programming device settings.
  • Users should be able to program multiple hearing aid profiles into a device to deal with different use cases (eating with friends in a noisy, crowded restaurant, driving in a car, talking with someone in a quiet room, speaking to someone on a cell phone, or watching a movie or a play).
  • In compliance with the ADA, assistive listening technologies have been installed in many public and private locations. These technologies include inductive loops, infrared, and radio frequency (FM) systems. One or more of these technologies should be accessible with the communications and entertainment devices of the future. (That way no one will miss their flight because they cannot hear the PA announcement when they are listening to the Queen's greatest hits.)

What's the next step? I want to get some feedback from the HOH community and from you. What do you think? Post a comment and let me know.

Down the road, if it looks feasible, I'd like to get the backing of an appropriate organization, or organizations, to publish requirements and standards and test always-on-and-in products put forward by manufacturers.

Friday, July 06, 2007

Real Power Protection

A colleague of mine challenged my assertion last month that, "there is nothing you can do" to protect your electronic equipment from damage by a lightning strike. I admit, that was a bit of hyperbole. There are things that you can do to provide protection from a lightning strike.

The real point is that most consumers lack the time, money and expertise to identify and implement a plan for protecting some or all of the electronic equipment in their homes from transient power anomalies like those created by a lightning strike.

For anyone who is interested, there is an excellent booklet from the IEEE (Institute of Electrical and Electronics Engineers), "How to Protect Your House and Its Contents from Lightning; the IEEE Guide for Surge Protection of Equipment Connected to AC Power and Communication Circuits."

What can you do?
  • Identify and fix problems with your home's Building Ground(s).
  • Install "whole-house" surge protection devices for all service wires and pipes entering/leaving your home and bond them to the Building Ground.
  • Install "point-of-use" surge protectors between the equipment to be protected and all service wires connected to the equipment.
What's it going to cost? More than you want to spend, I bet.

Proper grounding is the foundation for effective protection for electronic equipment from power surges. Without a well-designed and properly executed Building Ground, and circuits and receptacles all grounded to the electrical panel and the Building Ground, other steps and expenditures to safeguard your electrical equipment may not provide effective protection.

Popular belief holds that electricity, like water, follows the path of least resistance on its way to ground. This is not correct. Current divides among all the paths available, in inverse proportion to the impedance of each path, so even a high-impedance path carries some of it. Without proper grounding, surges can travel in unexpected ways and propagate throughout your home.

Most, if not all, single-family homes today have problems with electrical grounding.

Grounding problems in older homes arise from the fact that building codes did not require what today is considered proper grounding. In newer homes grounding problems arise if/when electrical contractors do work that does not conform to the code everywhere in the home. Inspectors do not (cannot) catch all code violations.

Even if the electricians do it right, they aren't the only ones wiring homes today. Alarm, cable, phone, and satellite technicians along with DIY homeowners all install electronic equipment and wiring inside and outside the house. None of these people are likely to have the expertise and take the time to properly ground their work. Things like outdoor lights, spas, dog fences, satellite dishes, etc. can all provide pathways for lightning currents to enter homes instead of the ground.
  • "Since the[se] different electronic systems are often interconnected by signal and control wiring, a defect in the lightning protection for one system can allow surges from lightning to propagate to other systems, producing massive damage." (IEEE booklet, pg. 2)

What's a home owner to do!?

There's no quick and inexpensive way to get real protection. But if you have put a lot of money into computers, audio, video, kitchen appliances, and other electronic devices in your home, it might make sense to protect them. The alternatives are to:
  1. Insure your electronic equipment (make sure that you are covered for any and all power related losses) and design and implement an automated, off-site back-up for your data files.
  2. Put a few "point-of-use" surge protectors around the house to give yourself peace of mind and a false sense of security.
  3. Do nothing and hope for the best.
  4. All of the above.

Personally, I'm sort of a #4. My home computers are pretty well backed up. I've got a few point-of-use surge protectors guarding computers and some other electronics. These surge protectors advertise big-money pay-backs if any connected equipment gets damaged. Does that count as insurance? I don't know. I imagine they don't make it easy to collect on damage claims.

Finally there is lots of other equipment in my house that I have done nothing to protect. I am hoping to dodge the surge. I know that this is a false hope, and I cannot say I have peace of mind when it comes to lightning. <SIGH/>

Tuesday, July 03, 2007

What's Your Language?

So where's the action in computer programming nowadays? Offshoring has had a big impact in some places and in some languages/platforms. The US is no longer where the action is programming-wise, although, the case can be made that the US is still where interesting, inventive programming is being done.

Click the graph for a larger view.

In the graph above, I present the results of my trend analysis of computer programming languages. The languages were Java, Perl, PHP, Ruby, SQL, and Microsoft's The analysis revealed three distinct tiers, based on the volume of search activity. Interest is highest in Java. Interest in PHP and SQL is about the same, albeit lower than Java. Interest in Perl, Ruby and are about the same, albeit lower than PHP and SQL. So, why do I have listed as Tier 4 in the graph?


As my regular readers know, I have recently set about to learn Perl. From this experience and earlier experiences learning and using other programming languages, I know that there are LOTS of searches involved in the process. "What's the Perl syntax for ______?" and "Perl regexp tutorial" and "________ doesn't work in Perl" ...

Thus, the basic premise of my analysis is that search activity is a good proxy for the work being done in a particular programming language. Given this assumption, it follows that Java is the programming language most used today, since it has the most searches of the languages analyzed.

Furthermore, Google Trends provides information on the top-10 regions and cities where the search activity is distributed, so it is possible to say, based on my assumption, where the work is being done. So, while Tier 3 programming languages each show the same amount of interest/work, where that work is being done is different for as compared to Perl and Ruby. This is not the case in Tier 2 (and Tier 1 (Java)). Because of the geographic dimension, Tier 4 is separate from Tier 3.

Tier 1

Over the period 2004 through the first quarter of 2007, most programming work was being done using the Java programming language. And it was being done mostly outside the US, in India, Singapore, and several of the former Soviet-bloc countries.
Java Trend Analysis By Geography (1st Q 2007)
1. India
2. Singapore
3. Romania
4. Poland
5. Indonesia
6. Czech Republic
7. Ukraine
8. Hong Kong
9. Hungary
10. Slovakia

Tier 2

PHP and SQL are "second-tier" in terms of activity over the period 2004 through the first quarter of 2007. Like Java, work in PHP and SQL is being done outside of the US, in developing countries. Indonesia is #1 for PHP, although the top 10 each have about the same market share. India is a clear leader in SQL work.
PHP Trend Analysis By Geography (1st Q 2007)
1. Indonesia
2. Czech Republic
3. Ukraine
4. Philippines
5. Russia
6. India
7. Malaysia
8. Romania
9. Bulgaria
10. Slovakia
SQL Trend Analysis By Geography (1st Q 2007)
1. India
2. Singapore
3. South Africa
4. Pakistan
5. Hong Kong
6. Malaysia
7. Japan
8. Taiwan
9. Czech Republic
10. Russia

Tier 3

The levels of business activity are comparable between Tiers 3 and 4. The distinction between the two is based on where the work is being done, and therefore, perhaps, the nature of the work.
In Tier 3, the United States appears to be leading the way, and the work is being conducted in venture capital hot-spots such as Silicon Valley, New York, Metro DC, et al. This suggests to me that while it is not the largest piece of the programming pie, it is a) being done to a large degree in the US and b) it is probably interesting, creative work.
Perl Trend Analysis By Geography (1st Q 2007)
1. Sunnyvale, CA, USA
2. Bangalore, India
3. Tokyo, Japan
4. Chiyoda, Japan
5. Santa Clara, CA, USA
6. San Jose, CA, USA
7. Osaka, Japan
8. Moscow, Russia
9. San Francisco, CA, USA
10. Chennai, India
Ruby Trend Analysis By Geography (1st Q 2007)
1. San Francisco, CA, USA
2. Pleasanton, CA, USA
3. Raleigh, NC, USA
4. Washington, DC, USA
5. New York, NY, USA
6. Rochester, NY, USA
7. Cincinnati, OH, USA
8. Seattle, WA, USA
9. Portland, OR, USA
10. Salt Lake City, UT, USA

Tier 4

Bad news if you are a Microsoft ASP/ programmer living in the developed world: a) this is not a particularly active technology, and b) India and Pakistan account for most of the work in the period.
Trend Analysis By Geography (1st Q 2007)
1. India
2. Pakistan
3. Singapore
4. Viet Nam
5. Malaysia
6. Iran
7. South Africa
8. United Arab Emirates
9. Hong Kong
10. Taiwan

About Google Trends

Google Trends analyzes a portion of Google web searches to compute how many searches have been done for the terms you enter, relative to the total number of searches done on Google. The results are graphed over time, plotted on a linear scale. Below the search-volume graph is a news reference volume graph which shows you the number of times your topic appeared in Google News stories. For more, see

Friday, June 29, 2007

iDay Is Here!

The iPhone goes on sale today. Now we will see if Apple's manufacturing, distribution and quality control are as good as its design and promotion capabilities.

Will the iPhone be another iPod? Or will it be a Newton or a Zune?
Tomorrow and for the foreseeable future, the news will be all about the SNAFUs and problems that happen with iPhone and about how customers have been disappointed. The story will no longer be about what an amazing thing that Steve Jobs has wrought.

Among stock traders, there is a saying; "Buy on rumor, sell on fact." According to this wisdom, if the word on the street is that XYZ Corp. is going to be acquired, you ought to buy XYZ Corp. stock. When the deal is announced, sell it. If you followed this wisdom, you bought AAPL stock in early January when the iPhone was rumored and you sell it today. If you did that, you paid about $85 per share and right now you can sell for about $122 per share. That is a gain of 44% over 6 months. Not bad.
And what about AT&T which provides phone service for the iPhone? This is not Alexander Graham Bell's AT&T. It is the bastard child of Wall Street, having been cobbled together after the telecom bust.

The powers that be at AT&T know all about junk bonds, leveraged buyouts and corporate restructuring (AKA layoffs). They know how to play hardball. It remains to be seen if they can work with Apple and provide the technology, customer service and innovation that iPhone customers will expect.

I own a few shares of AAPL. But I am not selling today or any time soon. I didn't buy the stock because of the iPhone. I didn't buy it because of the iPod or the iMac either. The iPod is an attractive business because of its market share. The iMac certainly has its partisans, but I would not be surprised to see it sold to Lenovo before long.

The reason why I like Apple's stock over the long term is iTunes. What I like about iTunes is that it has a dominant position in the digital music business. The digital music business has "increasing returns to scale," and I believe that Apple can parlay this position in digital music into a dominant position in online movies and television shows. This means lots of upside for Apple and its shareholders, including me.

Friday, June 22, 2007

Power Protection

I've written before about power outages, surges, brownouts, etc. and the problems they cause for information technology and the people who depend on IT (i.e., everyone). Check it out.

Unfortunately, for political reasons, these problems are not going to be resolved in our lifetimes. So, today I have some practical advice for dealing with one of the power issues that you and I will encounter -- transient fluctuations in power, which are commonly referred to as power surges, spikes and dips. (Spikes reach very high voltages but last only microseconds; surges are lower in voltage but last milliseconds or longer.)

Following a thunderstorm which passed through our area last week, our shop experienced a "surge" of repair business (data recovery) from people and businesses whose computers were fried by the storm. How can we help people avoid these catastrophes?

In the United States, household Alternating Current is nominally 120 volts, but that figure is the RMS (effective) value: the voltage actually swings from about +170 volts, through 0 volts, to about -170 volts and back, completing 60 such cycles every second (60 Hz).

Power fluctuations outside the norm can happen for many different reasons. For example electrical appliances and equipment cycling on and off can cause transient dips and surges. However, minor fluctuations are not a problem for most modern electrical equipment. For example, all but the cheapest computer equipment has the capability to handle transient power surges. And such equipment handles transient dips in voltage by drawing more current (amps) to deliver constant power (watts).

Placing a surge protector between your electrical equipment and the wall plug generally does you no good, except if your equipment has no ability to handle surges. On the other hand, there's no sure way to know if your equipment has that capability short of opening it up and looking for Metal Oxide Varistors (MOVs) inside (most brand-name and business-grade PCs have MOVs in their power supplies).

Unfortunately, a false sense of security is not the worst-case scenario for connecting your PC, for example, to a surge protector. Depending upon the design of the surge protector, voltage surges and spikes on the phase wire will be dumped to either the neutral or the ground wires or both. Depending upon the size of the spike and local variables like the specs of the premises wiring and the distance to the earth ground, the (diverted) surge may travel to the PC through the neutral or the ground wires. If a diverted surge reaches the PC, bypassing the PC's surge protections, frying the PC, the surge protector ironically will have caused the PC's demise.

In the event of a thunderstorm, where the electrical potential of each lightning bolt may be 100 million volts, and each bolt can carry 50,000 amps of current, it is impossible to predict how currents will flow in the vicinity of a lightning strike.

So, even if your electrical equipment is turned completely off, it may be damaged in a thunderstorm if it is merely plugged in. That is because with all those volts around, the current can arc over the small distances separating the wires inside your surge protector and/or your electrical equipment. And, the spike can travel from anywhere; the air, the earth, the ground wire, the phone line, the cable TV line, the computer network lines, etc. And we're not only talking about the effects of a direct lightning strike. These effects can be caused by a lightning strike on a utility pole miles away or a tree down the block.

In conclusion: how do you protect your valuable electronic equipment from transient fluctuations in power, which are commonly referred to as power surges, spikes and dips? Dips are not a problem. Surges are not a problem. Spikes are a problem, and there is nothing you can do about them except to unplug all your equipment in the event of a thunderstorm in your area.

This is an unreasonable prescription for most of us. What if we are away from our home or office when the storm hits? Then all we can do is carry insurance to cover our losses if our equipment is fried. Insurance will generally not cover the value of data lost, so archive your persistent records to permanent media (DVDs) and back up your dynamic files regularly to online, offsite storage.

Saturday, June 09, 2007


I have a project that I am doing on spec. It involves a lot of text processing.

I've experimented with MS Word macros, but I cannot do everything I want to easily in Word. To borrow an example from O'Reilly's Learning Python, "Suppose you need to replace any occurrence of "red pepper" or "green pepper" with "bell pepper" if and only if they occur together in a paragraph before the word "salad," but not if they are followed (with no space) by the string "corn." That's definitely way out of Word's wildcards' league." I also don't want/need Word's GUI, spell check, and all the other "overhead" in Word that eats up RAM and CPU cycles.

Based on my research, I determined that Perl is perfectly suited for the job I have. It was originally developed (1987) for text manipulation, and it is now used for a wide range of tasks. A stated design goal of Perl is to "make easy tasks easy and difficult tasks possible." Perl has been called "the duct tape of the Internet". See for more info.

Perhaps the best feature of Perl is that it is relatively easy to learn -- relative to Java. However, Perl programmers love to create super-dense and terse code, and some even pride themselves on how unreadable their code can be. Terse, dense Perl code is not what I am after at this stage. I'd be happy with verbose, inelegant code - as long as it does what I want it to do.

So how does one go about learning Perl? I know from experience that it is not fun to learn a new programming language. A teacher of mine once said that it takes somewhere between 5 and 5,000 mistakes to learn how to do something (anything). If that's so, my corollary is that it takes 5 mistakes to learn a term, function or usage in a language and 5,000 mistakes, give or take an order of magnitude, to become fluent in the language, be it English, Spanish or Perl.

So the trick is to make the painful learning process interesting and enjoyable. I thought it would be fun to make a game. I call the game Blasphemy! I selected famous quotes and well-known texts and mangled them using a Perl script I wrote. Can you identify the original words and who spoke/wrote them?

  • Ask for your you do ask what you; country what your can do can for not country!
  • And to all that continent, nation, four men on and created are in conceived score forth a new dedicated years this seven liberty, the equal. Fathers proposition our brought ago
  • Slings nobler 'tis arrows against outrageous and sea the by and that to be-- of be, to of the or question: opposing to them. Not to whether in or mind take arms troubles a end suffer is the fortune
  • Heaven. Temptation, in kingdom give us forgive from is be those art and deliver thy as the father, and thy for against us come. Trespass into in for thine is hallowed the our and it forgive the who us and evil. Not glory, ever. Day done, daily on this and but we name. Who earth as will be ever us. Trespasses, our lead power, us bread. Kingdom, thy heaven, our
  • Village, snow. Not house up will though; in is these his think his to whose woods here the know. See I watch woods me I He fill are stopping with

    Think the little queer darkest evening year. The between of lake a and frozen without it near must the woods farmhouse to horse my stop

    Bells his the sleep. Downy I is deep, to the and flake. And miles have dark, before easy I he ask woods before and mistake. Go only to harness if are miles sound's keep, sweep some gives to of promises other there but sleep, wind I the and go shake to a lovely,

So, how did you do? Want to know the answers? Here they are:
  • President John F. Kennedy's Inaugural Address, "Ask not what your country can do for you; ask what you can do for your country!"
  • President Abraham Lincoln's Gettysburg Address, "Four score and seven years ago our fathers brought forth on this continent, a new nation, conceived in Liberty, and dedicated to the proposition that all men are created equal."
  • William Shakespeare, Hamlet's soliloquy, "To be, or not to be-- that is the question: whether 'tis nobler in the mind to suffer the slings and arrows of outrageous fortune or to take arms against a sea of troubles and by opposing end them."
  • The Lord's Prayer. "Our Father, who art in heaven, hallowed be thy Name. Thy kingdom come. Thy will be done, on earth as it is in heaven. Give us this day our daily bread. And forgive us our trespasses, as we forgive those who trespass against us. And lead us not into temptation, but deliver us from evil. For thine is the kingdom, and the power, and the glory, for ever and ever."
  • "Stopping By Woods on a Snowy Evening" by Robert Frost.

    Whose woods these are I think I know.
    His house is in the village, though;
    He will not see me stopping here
    To watch his woods fill up with snow.

    My little horse must think it queer
    To stop without a farmhouse near
    Between the woods and frozen lake
    The darkest evening of the year.

    He gives his harness bells a shake
    To ask if there is some mistake.
    The only other sound's the sweep
    Of easy wind and downy flake.
    The woods are lovely, dark, and deep,
    But I have promises to keep,
    And miles to go before I sleep,
    And miles to go before I sleep.
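As an added example (my code, not the script the post's author used, which is not shown), here is one way to do this kind of mangling in Perl: the words of a passage are shuffled with List::Util's shuffle, punctuation rides along with the word it is attached to, and sentence capitalization is flattened and re-applied afterwards so the output still reads like prose. A second routine checks that the output is a permutation of the input's words, which is what makes the puzzle fair to the reader. The sample sentence and the script name blasphemy.pl are assumptions; the fixed seed only makes the demo repeatable.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::Util qw(shuffle);   # core module; shuffle() has shipped with Perl since 5.8

# Mangle one passage: shuffle its words (punctuation travels with the word
# it is attached to), then flatten capitalization and re-apply it at
# sentence starts so the result still reads like prose.
sub blaspheme {
    my ($passage) = @_;
    my @words = shuffle(split ' ', $passage);   # split ' ' skips leading whitespace

    my $new_sentence = 1;                       # the first word opens a sentence
    for my $w (@words) {                        # $w aliases the array element
        $w = lc $w;
        $w =~ s/^i(?![a-z])/I/;                 # keep the pronoun "I" ("I", "I'm", "I;")
        $w = ucfirst $w if $new_sentence;
        $new_sentence = $w =~ /[.!?]["']?$/ ? 1 : 0;   # . ! or ? closes a sentence
    }
    return join ' ', @words;
}

# Puzzle sanity check: the output must be a permutation of the input's
# words (case-insensitive), or the reader has no chance of solving it.
sub same_words {
    my ($x, $y) = @_;
    my $norm = sub { join "\n", sort map { lc($_) } split ' ', $_[0] };
    return $norm->($x) eq $norm->($y);
}

# Constructed sample passage (an assumption, not the post's data); pass file
# names on the command line instead to mangle real text one paragraph
# (one stanza) at a time.
my $sample = "Ask not what your country can do for you; "
           . "ask what you can do for your country!";

if (@ARGV) {
    local $/ = "";                 # paragraph mode: a record ends at a blank line
    while (my $para = <>) {
        chomp $para;               # in paragraph mode chomp strips all trailing newlines
        print blaspheme($para), "\n\n";
    }
} else {
    srand(7);                      # fixed seed so the demo is reproducible
    my $out = blaspheme($sample);
    die "bug: word multiset changed\n" unless same_words($sample, $out);
    print "$out\n";
}
```

Run it as `perl blasphemy.pl` for the built-in sample, or `perl blasphemy.pl frost.txt` to mangle a file stanza by stanza; paragraph mode (`$/ = ""`) is what keeps each stanza's words from bleeding into the next, as in the Frost example above. Because the transform is a pure permutation, a solver can always recover the original word multiset, which is the property same_words asserts before anything is printed.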