Wednesday, January 31, 2007

Toot, toot!

A client in Falls Church writes, "John, I heard you on WMAL radio this morning. Congratulations! May I have your autograph the next time you stop by? - Ralph."

Yes, I was interviewed by a radio station about the consumer release of Microsoft Vista. Yesterday, they ran various snippets of my remarks over the course of the morning, during their local news segments. Needless to say, my comments were insightful.

Friday, January 26, 2007

Password Q&A

Jim from Moline writes, "All the banks, merchants, websites, etc. that I deal with online limit the number of times I (or anybody else) can try (and fail) to log in to my accounts. Why do I need to be concerned about the vulnerability of my online data to "brute force" or other trial-and-error hacker attacks on my password?"

Interesting question, Jim. There's more to it than meets the eye.

For example, some users don't understand what's wrong with using their wedding date as a password. Afterall, if they have a hard time remembering their anniversaries, what are the chances a hacker will be able to figure it out?

A hacker won't have any trouble. A hacker will simply try every mm/dd/yy combination to crack those passwords (before trying every possible combination of numbers, letters and symbols to crack any password).

Similarly, Jim's concept of what a hacker can do is dangerously limited. Jim is assuming that the hacker is outside the network wall, looking at the secure sign-in dialog box.

Unfortunately, there are lots of "holes" in most network walls. And it is not uncommon for hackers to gain access to files containing thousands and thousands of usernames and encrypted passwords controlling access to the networks and systems of banks, merchants, websites, etc.

Your system administrators are some of the biggest violators their organizations' password policies. Administrative passwords are often easy to crack or discover via "social" means.

It is not unreasonable to imagine a disgruntled employee gaining administrative access to his/her company's systems and copying a file of usernames and encrypted passwords. That person can then misuse the information or release it to others to misuse it.

Given that people often use the same username and password combination for many online accounts, imagine that somebody steals the file of usernames and encrypted passwords at a website where you got something once. They crack the passwords, then go to all the major banks and see which username and password combinations open accounts at each bank. If they hit your bank with your stolen username and password, would they get access to your bank account? I'd say yes, unless you can tell me otherwise.

Here's a link to a clear and concise Users Guide to Password Security: It provides a good explanation of the issues and risks. It also endorses certain practices for password security that would greatly improve online security.

But, I am afraid that these practices are too complicated for most users and most situations.

There is a "missing link" needed to enable these practices for ordinary users. It is a class of products to generate, store and properly present unique, secure passwords at each place a user has accounts.

Like a wallet or keychain, it is a product that people could use to keep their valuable account information safe and handy. It could be a piece of software residing on a user's PC or PDA; (see It could be a database stored on an "ID provider's" secure website in cyberspace (see, or it could be an encrypted USB thumb drive a user carries everywhere they go (see

Until you start following recommended password security practices, your online information and accounts at banks, merchants and websites really are vulnerable to hackers. Your privacy could be compromised. Your identity and/or your money could be stolen.

If you are a senior executive in your organization, here's a service you can do for your company and your community. Implement this policy that they have at the National Cancer Institute/Ft. Detrick:

"In order to keep up security on our systems, we run a program called Crack on your password. We figure that if we can find out your password, so could an Evil Cracker. If we discover your password that way, we'll freeze your account to keep anyone else from abusing your account. You will be notified that you have to change your password to a more secure password. He/She will make sure you understand everything discussed in this write-up before unfreezing your account."

Monday, January 22, 2007

Bye, Ma!

Episode 1

This is a story of leaving home. I am saying good-bye to Ma Microsoft on my desktop, installing Ubuntu on my PC instead of Windows.

What fate awaits me as I struggle to adjust to life without Ma? Will I be able to cope without Microsoft Office? Will I be able to see my Exchange emailbox? Will I be able to use file and print sharing services on the network? Or will I give up in frustration, turn away from Ubuntu and go back to Windows?

Over the years, I have installed different distros of Linux on different PCs. These PCs then went into service as a firewall/router, a database server, a file server, and a web server. These were all command-line or non-GUI (graphical user interface) instances of Linux.

Last year, I installed Debian with KDE and Gnome GUI interfaces on an old laptop. I use the laptop to make presentations. It is a great attention grabber to show a non-Windows desktop to business audiences accustomed to Windows and the occasional Mac desktops. Talk about tech cred!

Recently, the 86-year-old patriarch of my family, AKA Grandpa, complained that his computer was running slow. His computer was a 9-year-old, Windows 98 machine with a 366 Mhz processor and 64 megs of RAM. My brother donated a 3-year-old machine that was recently retired from service, and I loaded Ubuntu on it for Grandpa. He's made the transition to his new setup like a champ! So, I figure if he can do it, I can too.

Ubuntu has greatly simplified the installation of Linux. Gone are all the questions about the refresh rate of your monitor, the chipset of your graphics card, the size and number of your swap disk and other questions that left me scratching my head when I installed Linux in the past. It detected all my hardware, and it got and installed the right drivers. Amazing!

Tips & Tricks: When I moved my PC from the bench where I did the install to my desktop, I discovered that the Linksys USB WiFi adapter I planned to use did not work. There is no Linux driver for it. I didn't want to use the Window's driver with ndiswrapper -- too much work for a cheap piece of hardware, so I swapped the USB adapter for the Linksys "Wireless Gaming Adapter" my son uses with his XBOX. This Wireless Gaming Adapter is a bridge device that requires no drivers. Problem solved. FYI, the 802.11-b version of the Wireless Gaming Adapter sells for less than $20 on Ebay.

In future episodes I will let you know how the migration from Windows to Ubuntu is going. Will I be able to survive or will I come running home to Ma with my tail between my legs? Stay tuned.

Only free software was used in the creation, storage and delivery of this message.

Episodes: 1, 2, 3, 4, 5, 6.

Wednesday, January 17, 2007

Hidden Costs of Information Technology

Think of an iceberg. Only a little of it is above the water. Most of it is below the waterline.

It is the same way with Information Technology (IT) costs. The costs of hardware and software are "visible;" they are "above the waterline." Hardware is cheap. Software probably costs more than the hardware it runs on nowadays. Together, these "visible" costs are a small part of the total costs.

Here's an all-too-common scenario. Your organization invests in new systems (hardware and software). The investment is supposed to save the organization time and money while improving quality. But employees, vendors and customers don't have the skills they need to use the new systems nor the time to learn. No money has been set aside to provide training to people. The organization's business processes are not consistent with the way the the new systems are configured, so either you have to change the new systems or change your business processes to accommodate the new systems.

Low and behold, in this all-too-common scenario, the organization doesn’t save any time or money and quality goes to hell. In frustration, the organization scraps the new systems, goes back to the old ways of doing things, and writes off the time and money spent.

Many organizations fail to appreciate the hidden costs of information technology and do not provide for them. So, let's look at the whole "iceberg" of IT costs -- both above and below the waterline, the visible and the hidden costs -- depicted in the graphic below.

  • Hardware and software are the visible costs, above the water. They are small in relation to the size of the hidden costs, below the waterline.
  • Staff training and development costs make up a large portion of the hidden costs. You have to raise and continually maintain the competency of your staff so they can effectively make use of the hardware and software you provide. These costs include the cost of the time your staff spends in training and development.
  • Business process automation means changing the way that you work and the way your clients work with you. This also represents a sizable cost, depending upon whether your organization chooses to “pave the cow paths” or reinvent your operations. Reinventing is more disruptive and costly, but it promises greater benefits.
  • Procedures and standards are necessary to safeguard your systems from threats to privacy and security. If you are a healthcare or financial services institution, by law you have to have adequate policies and procedures in place (ref. HIPAA and Graham-Leach-Bliley).
  • Corporate policies are important for success in order to provide an environment which fosters change and learning.

Don't be victimized by the IT iceberg. Understand that there is more to IT than hardware and software. Plan and budget accordingly.

Friday, January 12, 2007

10 Rules For (Not) Wearing a Speedo...

At the community pool where I have been swimming for the last five years, more and more men are wearing Speedo's (AKA banana hammocks). To stop the alarming increase, here are 10 rules men should follow to know when to "Say no to Speedo's."

You probably shouldn't wear a Speedo if any of the following conditions apply to you. If you are:
  1. Overweight (BMI 25 - 29.9)
  2. Over 30
  3. Trying to impress women
  4. Married
  5. Shy or modest
  6. Not a competitive swimmer or diver
You definitely shouldn't wear a Speedo at the community pool if:
  1. Two or more of the above conditions 1-6 apply to you
  2. Your Speedo reveals your tan line
  3. You are over 40
  4. You are obese (BMI 30 and above)
  5. Your wife, your children or your grandchildren tell you not to (ask them).
As a public service, post these rules at your community pool. Do it were everyone will read them and follow them. Don't put it right near the sign that say "Everyone Must Shower Before Swimming." People may read that sign, but they don't follow it.

Monday, January 08, 2007

Download VistA Free!

The Veterans Health Information Systems and Technology Architecture (VistA) software is available to the public at VistA is one of the most advanced clinical information systems in the world. There is also a free, light-weight version of VistA under development targeted for use by small physician practices.

The 2007 VistA Community Meeting is going on this week (Jan 9th to 11th) at the National Institute of Standards and Technology (NIST) Gaithersburg, MD 20899, USA. See for information.

Clinical Information Systems Update

Kids today have a hard time appreciating what life was like before the computer, the internet, e-commerce, cell phones, digital cameras, iPods, and the other fruits of information technology. If you want to show them a slice of life 25, 50 or 100 years ago, all you have to do is take them to the doctor.

In recent years there have been significant advances in drugs, procedures and devices. However, in many clinical settings the information technology used is outdated or non-existant. For example, the fax machine is the last piece of clinical info tech installed at many physician practices. Computers in health care are used almost exclusively for business and administrative purposes, not clinical care.

In 2004 President Bush said: "By computerizing health records, we can avoid dangerous medical mistakes, reduce costs, and improve care," and he announced his goal for most Americans to have interoperable electronic health records (EHRs) in 10 years. In 2005, Acting under President Bush’s Vision for Health IT, the Secretary of Health and Human Services (HHS) has sought to encourage all providers to adopt interoperable, clinical, EHR systems. To date, HHS has developed and identified standards for data definition and data transmission. It has also helped develop and promote the VistA-Office EHR system.

Forces operating against the adoption of EHR systems by health care providers are:

  • The cost of hardware, software and networking equipment.
  • The difficulty of evaluating the many different alternatives.
  • The risk that any one of the hundreds of vendors currently marketing proprietary EHR systems will not survive and their products will be orphaned.

Unless and until the Federal government mandates that providers adopt an interoperable EHR system, there is absolutely ZERO probability that a majority of physicians in practice will do so in the foreseeable future. The Feds will also have to design a mechanism to help providers pay for these systems.

The problem is that, absent government intervention, there are significant time and money costs for the physician practice associated with an EHR system which the practice is not likely to recoup. The benefits will be experienced by patients, payers and society at large, not providers.

The virtue of VistA is that it represents a viable, open, low-cost system that the government could get behind. However, the government won't mandate VistA or any other system because:

  • Commercial EHR system vendors are lobbying against competition from VistA.
  • Providers are lobbying against mandates that will cost them money they cannot afford.
What can you do? Ask your doctor if he/she has an EHR system in his/her practice. If not, switch to one who does. Support your local "early adopter!" (Don't be surprised if you get better care.)

Thursday, January 04, 2007

How To Buy the Right Computer(s)

A paradox of personal computers is that while any computer quickly becomes technically obsolete and the hardware loses market value, your computer will increase in value as you use it. There are several factors involved here:

  • The applications or software you load on your computer increase the value of the machine. It is not uncommon for the software to cost more than the computer itself.
  • You can spend many hours installing software and patches, customizing the look and feel of the system, getting connected to the network and the Internet, setting up email, etc. This time represents a real investment in your computer.
  • If you store documents, photos, music and/or data on the computer's hard disk, then the longer you use the computer the more such files it will contain. Such files will have substantial economic and/or sentimental value.

This means that when you buy a new computer you should not think that you are buying a depreciating, disposable appliance. Think of making an investment that can grow dramatically in value if you buy wisely and service it properly.

Computer makers and mass merchandisers usually promote machines based on a limited number of specifications:
  • Price
  • Brand Name (Dell, HP, Apple, Gateway, etc.)
  • Make of the processor (Intel vs. AMD)
  • Form factor (notebook, tower, desktop, etc.)
  • Speed of the processor (GHz clock speed)
  • Amount of memory (RAM)
  • Size of the hard disk
  • Operating system
  • Bundled software
  • Peripherals (monitor, printer, etc.)

These are a lot of things to consider, and this is only a partial list of the technical specs that can be developed to describe any computer. But what do technical specs have to do with what you are looking for?

Different people have different needs which are best enumerated in the context of “use cases” or scenarios. Use cases provide answers to questions like:

  • How are you going to use the computer?
    • Business vs. pleasure (or both)?
    • Networked or standalone?
    • Multimedia expectations (video & sound)?
    • On the road or in one place?
  • What do you want/expect the useful life of the machine to be?
  • Do you have any privacy or security concerns?
  • Can you be without your machine or data for any extended period of time?
  • What software and peripherals do you use?
  • Are there any considerations associated with your surroundings?
  • Do you need any support services (hardware, software, network, etc.)?
From the use cases, it is generally a simple matter to define the functional specifications of the computer that a buyer is looking for. For example, one use case which applies to many business executives is “I need to make impressive multimedia presentations to prospective clients.” The resulting functional specs might be that these people need computers which are mobile, powerful, and stylish. When you have an additional use case, “I need to replace my existing desktop PC,” you would have an additional functional spec for a docking station.

After you have articulated all the important use cases for each computer you want to buy and identified all the important functional specs, then you need to translate and compare your functional specs to the technical specs that you get from the manufacturers to select the right machine.

This process, starting with the enumeration use cases and ending with the purchase of the right machine, is an art and not a science. Unless you are skillful in identifying the needs for each machine you want to buy and understand the technical implications of the needs, you should get some knowledgeable help. This service is the key to getting the right computer for your needs.

Where can you find this service? My colleagues and I at Keystone Computer Group can help. We provide expert and objective decision support in situations like this for clients every day.

Monday, January 01, 2007


You want a chic and stylish HDTV that will make your friends and family drool. Get a flat-panel, direct-view HDTV (patent pending).

Flat-panel TVs are the rage these days. They have been available only in LCD and plasma HDTVs costing thousands of dollars. Direct-view or tube HDTVs outperform LCDs and plasmas on quality (see CNET's guide to TV types), and they cost hundreds, not thousands of dollars.

How thin are the new flat-panel, direct-view HDTVs? As thin as you want. Go wild, go negative (Recessed-Panel TVs)!

One drawback of flat-panel, direct-view HDTVs is that they are available only as wall units. They are not table-top units. The cost of installation will vary and may require structural changes (think "built in").

Before you buy an HDTV, see this cautionary tale on Before you decide, it pays to do your homework.

If you decide to go the flat-panel, direct-view HDTV route, remember that I came up with the idea. Send me $25, and we'll call it even. Add it to your budget for the installation.

Happy New Year!