Basic Cable for the Internet
Thursday, March 31, 2005
  In the bumper sticker vein
Apparently the Secret Service takes bumper stickers far more seriously than I do: according to this story, several people were ejected from one of George Bush's Social Security reform/privatization-pumping events. The reason? They had been ID'ed from the bumper stickers on their cars as potential troublemakers.

Whether I agree or not with the political views expressed by either side, this seems wrong to me. It's OK for *me* to make sweeping generalizations about people based on their bumper stickers, of course (see my post below): I just don't think people should be ejected from ostensibly public events (apparently paid for by their tax contributions) based on those generalizations.

To summarize: sweeping generalizations from me = good. From anyone else = bad.
Wednesday, March 30, 2005
  This brought back memories
Icons from various OSes, and the things they led/lead to. Neat stuff.

  Why I hate bumper stickers: 2 reasons
I won’t even mention the fact that your life philosophy (at least, the part of it you find so compelling that you need to express it to random strangers on the freeway) can be summarized in 2-8 words in 72pt-font on something the third of the size of a sheet of paper. My two reasons:

(1) No bumper sticker ever asked "What's *your* opinion?" I, the reader, have to assume that you believe the statement on your bumper sticker to be so undeniably true that you will broach no argument or alternative viewpoint. After all, you're not exactly inviting a conversation, are you? Unless said conversation can be held entirely via extended middle fingers at 75mph, the implication is that your bumper sticker is Truth with a 72pt "T", and anyone who has even a slightly different opinion can go suck lemons.

Bumper stickers never express a middle ground or a nuanced perspective, let alone invite conversation on opposing views; forget considering the possibility that the driver's perspective on things just… might be… wrong. Or at least that the issue might not as absolutely black/white as it may seem at first blush? I have to assume that this is the driver's mentality, and so he/she will be less willing to have an enlightened, open, informative discussion than in having a slogan screaming shoutfest. Thanks for your input, Mr. Meat is Murder, but thanks to your stickerized personality summary I’ve already decided that I’d rather not have that discussion with you without a police barrier between us, so that the venomous spittle of your inspired soundbite chanting can fall on an article of riot gear instead of on my face. Feel free to continue supporting Calvin’s inalienable right to urinate on whatever it is you hate today, but don't expect me to pay any attention.

I do not believe that anyone’s mind was ever changed thanks to a bumper sticker (“A fish with feet! Darwin was RIGHT!”) Therefore, they are used only to declare membership in (and the un-nuanced, obvious complete superiority of) a particular groupthink. Since bumper stickers are designed to stay on your car and yell your point of view as long as possible, I assume your opinion cannot change over time either.

For this reason, I tend to believe people with bumper stickers are opinionated (not a bad thing in general) but inflexible (definitely a bad thing). Their minds are made up, and unless you subscribe to their particular groupthink, you are wrong. Not someone I want to engage in conversation or debate, whether I share some version of the expressed opinion or not.

(2) By definition, a bumper sticker assumes that my opinion is worthier than yours simply because I am in front of you. You never see them on car doors, and only rarely do you see them on the front bumper. It is human nature to extend superiority or leadership in one area to other areas in which the subject may not be fully qualified, but in the same way that I don’t particularly care about a good actor’s political views, I don’t necessarily value your opinion on whale killing more, simply because you managed to leave your house a fraction of a second before I did. Hey, I needed my coffee so I could think.

There are very few things in this world, maybe 3 or 4, that I feel that completely 100% sure of, to the point where I'm not open to even considering opposing views: most of those are much too personal for a bumper sticker (my love for my family, for example).

Not too personal for a blog, of course. But at least blogs can have comment sections.

P.S. Extra-special detention: people who “support” a cause by buying a ribbon magnet, the proceeds of which are far more likely to end up in the coffers of a magnet manufacturer than actually being used to explore the rain forest to find the cure for Projectile Soy Intolerance.

Funny enough, I hate those things for the opposite reason of the above: it's a magnet. It's such a wimpy, temporary expression of support, regardless of who the funds went to. So... fighting breast cancer is something that, sure, you can commit to supporting now, but that if the physical laws of magnetic attraction change polarity at some point in the future you're willing to reconsider?
Thursday, March 24, 2005
  Attachment Processor for Outlook
Interesting little app: allows you to automatically extract attachments from your Outlook mailbox and save them to a folder (or set of folders, set by filters and parameters), replacing the file in your mailbox with a link to the file.

You'd want to configure this to save your attachments to a network drive, since the local drive on the workstation is easily reachable via a variety of methods.

Not exactly a KVS "file-vault" replacement, since a lot of central control over attachments is lost: they are no longer visible for indexing or searching from a central location, and if you're using OWA or a Blackberry you're out of luck.

Still, there are plenty of people for whom this would be a perfect (and relatively cheap) solution. I would configure it so that it saves all attachments that are in folders other than the Inbox, and that are in emails older than (say) 30 days. That way my most recent docs are available in OWA and Blackberry, but the older stuff is saved off. In addition, I would create a one-to-one mapping from folders and subfolders in Outlook to the file folder structure, so that all common files are held together.

Attachments Processor
Wednesday, March 23, 2005
  Visio Cafe
Incredible collection of Visio templates/stencils. Even includes collections specific to Sarbanes-Oxley and Citrix, which is cool.
Wednesday, March 16, 2005
  What's in the new IE?
Speculation abounds on what's in and what's out of MS' recently-announced IE7. Tabs? PNG support? CSS 2.0 support? IDN support? An RSS aggregator? Integration with spyware? (See here and here.

Hey MS: as long as it's more secure, I'm going to recommend that users install it. Even if it offers none of the features above. In fact, do this: release IE7 just as a security update, and then add all of the above in easily downloadable (or not, if I don't want them) Feature Packs.

MS should not lose sight of the fact that the reason IE7 is desperately needed today is not because IE6 is missing an RSS aggregator. You know what? I already have Omea Reader, I don't need it in my browser. But what I and the rest of the Internet *do* need above all else is a default browser that isn't riddled with more holes than Salvatore "Big Pussy" Bonpensiero. Everything else is an interesting extra, well worth the development time, but not worth delaying the release of a secure browser for.
Tuesday, March 15, 2005
  Google Desktop Search security issue?
Touching on a topic we've addressed before: Google Desktop Search. We have in the past maintained (internally) that it is not to be installed on company desktops until its various security concerns are addressed, including the lack of security on the index that can allow remote network files to be re-created from local, less secure information. The new version (1.0) seems to correct some of the security problems the betas had. However...

It now appears that you may be able to use the new version to search content (without any authentication) on other users' PCs. Given the techniques for the attack, it is assumed that the attacked PC has GDS on it as well, but it should give pause to all before installing it on your own machine.

Or maybe not: after all, you have firewalls on all your machines, right?

A huge security hole? Eh... not so much. I would point out that the GDS exploit I mentioned in my previous email requires you to have a port redirector (datapipe, in this case, but could work with SSH) installed on the remote machine. So it's not like your machine is freely available just because it has GDS installed. If you can install datapipe, there are many other apps you can install that will allow you remote access to the machine.
  ...and a perfect one-two for the link below this one...
MS reveals it's preparing to support two-factor auth, built into Longhorn.

  The Failure of Two-Factor?
I think this article by Bruce Schneier may be mis-titled: it should be "The Failure of Understanding of Two-Factor Authentication", because what it is discussing at its core is the fact that two-factor is not the panacea it has been sold as for resolving the problem of inappropriate authentication (where I have access to your account/system under your security context, whether you've allowed me to or not). I simply do not buy that Mr. Schneier would believe that two-factor auth is a failure because it would force hackers to find other avenues of attack: in fact, by many definitions that is a form of success. At times the best we can hope for is to make their job harder, if only to buy ourselves a little time.

Putting the Club on your car doesn't make your car impregnable, it just makes a car thief look at the next car down the block which doesn't have one; sometimes that's all you want (or are willing to spend money for). All we want in this case is that if one of the company executives accesses their web-based email from a Kinko's public workstation with a handy malware keystroke-logger on it, the logger captures information that will be useless for an attacker to subsequently log in to that email account. That's the problem I'm trying to solve with two-factor authentication, and I won't try to solve phishing or social engineering attacks, and I won't even attempt to solve bank account access with it, because that's not what the solution is being designed for.

In a layered security model, and when used with a clear understanding of the scope of the problem it is trying to address, I think two-factor authentication presents a viable and (at least recently) affordable solution to this *specific* problem. It has "failings" only if you try to make it protect the components of the identity transaction that it was never supposed to protect, and for which there are other solutions that, in combination, reduce the total risk to a point where the business benefit is strong enough to make it acceptable.

That last point is one of the keys for the discussion comments here: no transaction of this sort is completely risk-free and secure. However, removing the capability to do business because I am so paranoid about security that I make it impossible to conduct the transaction is a self-induced Denial of Service with 100% risk potential.

  Cory's new DRM paper
This stuff is important in so many ways. Written for an International Telecommunications Union report on DRM, and pointed directly at the people around the world who are making decisions on which DRM to use. The answer, in most cases, is "none of the above, because you'll only be hurting yourself and your customers, while doing nothing to reduce the 'loss of rights' you're trying to prevent." The executive summary says it best:

This paper discusses the failure of DRM in the developed world, where it has been in wide deployment for a decade with no benefit to artists and with substantial cost to the public and to due process, free speech and other civil society fundamentals.

Link to the paper.
Friday, March 11, 2005
  TV Ads
I don't watch a lot of TV, something I'm not just proud of... I'm smug about it.

Kidding, of course, but here's why I can't afford to be smug: I don't watch TV because I don't have enough self-control to stop when there's nothing on. Too often I would turn the TV on when there was nothing on that I wanted to watch, leave it on through a series of programs that I had no interest in, and not turn it off even when there was something on that actively annoyed me.

Same reason I don't buy an XBox or a Playstation. I don't have the willpower to stop playing once I've started.

But I did have the TV on the other day: I could claim that I was watching Dan Rather's historic signoff, or a fascinating show on the econo-religious implications of Middle Earth pigeon-stuffing techniques on PBS, but it wasn't. It was Will & Grace.

What amazed me was the sheer amount of car ads. The commercial breaks started with car ads, continued with car ads, ended with car ads. What the hell?

When I worked in radio, an unbroken rule (under pain of working with the oh-so-crazy morning "Krew" for two days, punishment I wouldn't wish on an army composed entirely of my worst enemies) was that you *never* placed two ads in a row from competing products. A cereal doesn't follow a cereal, Slumberland doesn't follow Dirty Stained Used Mattress Liquidators, Pepsi doesn't follow Coke. Car ads don't follow car ads.

But now the sheer overwhelming number of car ads seems to make it impossible to go into a commercial break without over half the ads being for cars. The Law of Ad Distribution in that case breaks down, and Chevy follows Ford, Toyota follows Hyundai. It's not as if you could even claim that the ads targeted different segments of the market: it might even make a bit of sense if an ad for a Lexus were paired with an ad for the Kia CrumpleOnImpactia... different targets (so to speak). But nope, several ads in the same break advertising cars in the (say) $20-25k range. One ad right after another advertising the latest SUV capabilities: the ad for the Toyota LandMauler followed by an ad where the Volkswagon Kilimanjaro drags the
LandMauler around on its rims while pushing the Ford Behemoth into the path of an oncoming train.

Is this desperation, or are they so flush with cash that they just don't care whether their message is completely diluted and lost within the overload?
  Mastering email overload
There's something about this article overall that strikes me as wrong, and I can't figure out exactly what it is.

One of the recommendations is to "Answer briefly", and that one definitely is not what I would advise. The problem I see here, which may be specific to my company's environment, is that an email becomes a physical record of your response, and a short answer leaves too much up to the recipient's interpretation.

Part of the issue lies with the sender's original email: are the points made very clearly, are the deliverables stated correctly, does the sender actually understand what they are asking for and the resources that it takes to deliver? I find that I very frequently have to "debug the question", where I have to take the sender's email (which may be a very short, seemingly low-key request) and try and find out exactly what they want and whether what they are requesting will actually fulfill that need. I need to take that into account when composing a response, and make sure that I am answering the real question, not the one posed.

For example, I received an email recently with a request from someone asking whether adding elements to the AD schema was relatively simple to do, given that we were now migrated to Windows 2003. The short answer to that is "yes", with a focus on "relatively", and another spotlight on the fact that it is technically simple, but... As it turns out, this was someone who was trying to given the task to find out whether a particular unified messaging solution (fax, voicemail in your inbox) was going to be an easy install.

The short answer, unfortunately, leaves out the fact that for various reasons (standards, security, overall architecture) we would never implement the messaging solution the sender was looking at. Unless I probed a little further to find that out, I would have been on the record stating that this was not a solution of which we disapproved... dysfunctional, yes, but the nature of this particular company. The next thing I would have heard would have been from the support group for this business unit stating that we (as managers of AD) were the roadblocks in a half-million dollar project for a solution that had already been purchased, since we were refusing to perform the simple act of changing the AD schema, which we have already stated was easy to do. Effed up? Yes. But trust me, it happens all the time.

This is why my responses to emails tend to be longer. I want to make sure that our approach, our philosophy and our requirements are well-stated. If I could do that in a separate document that we could just attach as part of every response, I would do so, but a document like that would never see the light of day from all the input it would have to receive from business units, managers, legal, HR, the VP of Project Encumbrance, the Executive Director of Delay, etc.

I also get a lot of email queries for new systems, services or features that have to be denied for a variety of reasons: whether it's a standards issue, a security concern, a supportability and resource issue, it just cannot be done in the current environment. I could easily just type a message saying "no," but then the requestor would not understand why the request was denied and just label me as an obstacle to be worked around, rather than someone who's trying to do what's best for the company.

Not that I'm saying I'm perfect either, but I like to think I try my best.

I think that my main concern with the article is an assumption that others are already following the recommendations: they will have stated intentions and requirements clearly, and so a short answer is appropriate. I rarely find that is the case. Yes, I understand that the article asks readers to lead by example, but some of the recommendations will lead to bigger problems in the short term before they start producing significant results.

Look Ma! A Blogger template!

Location: Minneapolis, Minnesota, United States
06/01/2000 - 07/01/2000 / 07/01/2000 - 08/01/2000 / 02/01/2005 - 03/01/2005 / 03/01/2005 - 04/01/2005 / 04/01/2005 - 05/01/2005 / 06/01/2005 - 07/01/2005 / 10/01/2005 - 11/01/2005 / 11/01/2005 - 12/01/2005 /

Powered by Blogger