Well, not really. They did, however, overturn their longstanding style rule that says that "Marines" shouldn't be capitalized. The Marine Corps Times has the whole story, drawn from the Times' Philip Corbett's blog entry here. Semper fi, Old Gray Lady!
Recently in Smackdown! Category
I'm trying to sign my oldest son up for the Church of Jesus Christ of Latter-day Saints' summer youth program, Especially For Youth. Frankly, I'm jealous that he gets to go. It's sort of a combination summer camp and mini-seminary, and everyone I know who's attended it (or whose kids have been) has raved about it. However, the signup process is giving me a headache. Here's what's on my screen right now:

So let me count the ways that this reeks of FAIL.
First, it doesn't tell you what your queue position is. Having a queue length is meaningless; all it does is tell you the total number of people who may (or may not) be waiting for the service. Without some estimate of where you are, knowing the number of people in line or the wait time isn't helpful.
Second, what does "the average wait time for the entire line" mean? If it's for the entire line, is it really a total time, or is it the average time that someone has to wait in the queue? It can't be the latter, because it keeps bouncing up and down. I've seen it as high as 130 and as low as 85-- during the 240+ minutes that I've been waiting.
Third, how about an estimate for when it will be my turn? Is that too much to ask?
Here's the best part: the registration isn't first-come, first-served! There's no hurry to register, but that little detail is several clicks beneath the actual registration screen.
Managing signup queues for high-demand events like EFY is a well-understood problem. If you've ever used Disney's FastPass system, you know about one possible solution (and one that would certainly apply here). The LDS Church does such a good job with its use of technology in general that it's a real disappointment to see this kind of junk.
It's like a joke that never gets old. I've written about Oracle's terrible approach to product security before (here, here, here, and here are a few examples... bonus: this). Now security legend Jericho has written this outstanding timeline of exactly what Oracle has failed to do in the security arena. He should have subtitled it "Bring Me the Head of Mary Ann Davidson". Well worth a read.
I am so mad right now I could just spit. Key Bank has been slow-rolling me at every turn as I attempt to get them to pay off on one of Dad's insurance policies. The latest: I asked them to fax a piece of information to the insurance company. After multiple requests, they finally sent in the necessary form... and left most of it blank. Naturally, the insurance company was not amused, and now I'm essentially back to square 2.
My immediate urge is to write a paint-scorching letter to several of these folks. However, I'm going to give them another two business days to get all their socks in the same basket. If they haven't squared things away by then, it's hammer time.
Update 8/25: a supervisor at Key was able to get the documentation problems solved, although it took longer than it should have. I'm debating whether to drop a dime on the incompetent, slow, and generally unfriendly person I had to deal with. On one hand, everyone has periods where they're less effective than usual, so maybe she was just having a bad day. On the other hand, it's amazing how a crisp letter can help snap people out of those kind of bad days.
We recently stayed at the Hilton Garden Inn attached to Albany Medical Center. I felt it necessary to write a letter to Hilton Hospitality's CEO. See below.
I like to think that I can write a decent smackdown letter, but Michael Rakusin, director of Australia's Tower Books, puts me to shame with his response to a bookseller's demand that Tower pay extra fees to help the bookseller be profitable. Mr. Rakusin, my hat is off to you.
So, via this article from Computerworld, confirmation that McAfee's SiteAdvisor FAQ did say that it included anti-phishing features, as I said it did the day our phishing tool report was released. I am pleased to see them owning up to it, and I look forward to seeing how the new and improved SiteAdvisor Plus does in a head-to-head test.
Update: Sandi says it better than I could, since she's a disinterested third party.
David Litchfield delivers some very strong medicine to Oracle in his open letter, "Complete failure of Oracle security response and utter neglect of their responsibility to their customers". I wrote about Oracle's bad attitude a few months ago, and it doesn't seem to be getting better. His conclusion:
What is apparent is that Oracle has no decent bug discovery/fix/response process; no QA, no understanding of the threats; no proactive program of finding and fixing flaws. Is anyone in control over at Oracle HQ?
A good CSO needs to be more than just a mouthpiece. They need to be able to deliver and execute an effective security strategy that actually deals with problems rather than sweeping them under the carpet or wasting time by blaming others for their own failings. Oracle's CSO has had five years to make improvements to the security of their products and their security response, but in this time I have seen none. It is my belief that the CSO has categorically failed. Oracle security has stagnated under her leadership and it's time for change.
I urge Oracle customers to get on the phone, send an email, demand a better security response; demand to see an improvement in quality. It's important that Oracle get it right. Our national security depends on it; our companies depend on it; and we all, as individuals, depend on it.
In the thirty years since the last Moon flight, we have succeeded in creating a perfectly self-contained manned space program, in which the Shuttle goes up to save the Space Station (undermanned, incomplete, breaking down, filled with garbage, and dropping at a hundred meters per day), and the Space Station offers the Shuttle a mission and a destination. The Columbia accident has added a beautiful finishing symmetry - the Shuttle is now required to fly to the ISS, which will serve as an inspection station for the fragile thermal tiles, and a lifeboat in case something goes seriously wrong.
This closed cycle is so perfect that the last NASA administrator even cancelled the only mission in which there was a compelling need for a manned space flight - the Hubble telescope repair and upgrade - on the grounds that it would be too dangerous to fly the Shuttle away from the ISS, thereby detaching the program from its last connection to reason and leaving it free to float off into its current absurdist theater of backflips, gap fillers, Canadarms and heroic expeditions to the bottom of the spacecraft.
Boy, this is worth a read: Oracle's chief security officer, Mary Ann Davidson, has an op-ed piece on CNet in which she attempts to blast some security researchers (in particular, she links to this story on Alexander Kornbrust, so I assume he's target #1). I don't think I would have taken her approach, for two reasons. One is that it's going to inflame the BlackHat crowd, and will undoubtedly result in Oracle's vulns getting much more press than they would otherwise-- remember, the tech press loves controversy.
The other reason is that, given Oracle's recent security troubles, she would have been better off talking about how Oracle is addressing the legitimate concerns its customers have. She's right that fixes to even simple vulns still have to go through a full test and release cycle, but she's being disingenuous in claiming that Oracle has been responding in a timely manner to the notifications they've received. They haven't (and this is not new behavior).
Fearless prediction: Oracle will get publicly spanked by Kornbrust, Litchfield, and probably some others during BlackHat. Davidson will be unrepentant.
Update 4/30/08: the gentleman whose name appeared here as the CEO of Kärcher USA is no longer with the company. At his request, I removed his name from the post.
I own a Kärcher electric pressure washer. I bought it because it was reputed to be from a solid company. Over the five or so years that I've had it, it's worked well enough, but it failed, so I wanted to get it repaired. Here's the deal:
- If you have a gas pressure washer, you can take it to one of Karcher's service centers.
- If you have an electric pressure washer, and it's under warranty, Karcher will exchange it for a refurbished unit under their "rapid exchange" program.
- If you have an electric pressure washer, and it's out of warranty, too bad. Karcher won't fix it. I spoke to Shane, at their customer service [sic] center. He said, "Oh, if you want to fix it, you can order the parts from us."
So, I fired up Word and made ready to send them a letter asking how I could get the unit fixed. Surely what Shane told me can't be right. However, here's what I learned:
- The Karcher USA web site doesn't list an address or telephone number for their US office.
- The customer support number on their website goes to what's obviously an outsourced firm; they'll only give out the company address, not the phone number. That's because (drum roll) they don't have it.
- If you use an online directory to find their phone number, the listed telephone number for their Atlanta office rings incessantly; no one ever answers
- Their press releases don't include any contact information
- The press release site for the parent company requires a user name and password to log on
After a whole bunch more web searching, I found their correct address (2825 Breckinridge Blvd, Suite 120; Duluth, GA 30096) and phone number (678-935-4545). No one answers that number, either, but I plan to keep trying until I get a human. In the meantime, I'd certainly advise against buying anything from these folks, given their unusual mastery of customer-avoidance techniques.
Update: I found this page, which lists XXX as the CEO and 678-935-4550 as the fax number. Score!
Update: I faxed them a letter. It's in the "more" section.
Update: I got a call on Friday, July 29, from a customer service rep who offered me a discount on a remanufactured unit. He was supposed to send me some email explaining which units I could choose from-- but lo and behold, 10 days later, no email. Hmmm. (And yes, I checked the spam filter logs; no such email ever arrived here)
Ed Brill links to this CRN article that talks about a "bounty" being offered to partners who convert customers from Notes or Oracle. Two brief thoughts (I'd write more but have too many other more pressing things to do). Disclaimer: I don't have any specific knowledge of this program, or any other one for that matter.
First, if this is like other MS programs, the "bounty" is actually funny money and a non-story. Let's say the partner moves a 1,000-seat organization and (according to whatever criteria MS has) the bounty is $20/seat. That means that the partner gets up to $20,000 from Microsoft to either spend on MS consulting / design / deployment services (via MCS) or to use for application and data transition. IOW, Microsoft is paying the partner to do work that the customer would otherwise have to pay for themselves. This is hardly what Ed makes it out to be, with his sinister implication that MS is "plucking" "pieces of meat". Sheesh. It's the logical equivalent of the car dealer giving you a tank of free gas when you buy the car.
Second note: I'll bet a nickel that IBM has similar programs for selected competitors. Why? If you want sales people to do something, you have to give them incentives, and the #1 incentive in that world is cold hard cash.
I got a "press release" from a company called Mayo Communications. Here's an excerpt so that you can decide whether they're a good firm trying to rep their client, or a despicable bunch of ambulance chasers who are using a tragedy to drum up PR. I've redacted the client's name to avoid giving the publicity they so avidly sought.
"Be More Alert And Report Suspicious Acts Says Nation's Top Counterterrorism Expert XXX
"Suspicious people covertly photographing metro railway and trains have been observed and reported in major cities across the nation – from Los Angeles to New York," said XXX, CEO, YYYY.
Los Angeles, CA (July 7, 2005) — "The typical terrorist attack is planned months to years in advance," said XXX, CEO & Founder XXXXX, ZZZZ, reacting to four explosions that rocked the London subway and tore open a packed double-decker bus during the morning rush hour Thursday. The deadly explosive terrorists' attacks injured more than 700 people left more than four dozen people dead.
So, these folks used the occasion of a terrorist bombing to hype their client (the "nation's top counterterrorism expert"). Here's what I wrote back to them:
It is difficult for me to express my distaste for your use of the London bombings as a vehicle to pimp the "expertise" of your client, the alleged "Nation's Top Counterterrorism Expert". Your mail makes your firm out to be sleazy opportunists of the worst sort. (As a side note, you really should run your press releases through a proofreading pass; it contains a number of grammatical and typographical errors).
I would rather eat an old shoe than use any of my publication venues to give your client free publicity-- but you can bet that I will tell my readers and listeners that, within hours of the London bombings, I was contacted by a PR firm seeking commercial advantage for their client on the bodies of London's dead.
It's popular for people to claim that corporate bloggers like Microsoft's Robert Scoble threaten the conventional PR industry. I can only hope that there's some truth to that claim.
Update: I got an (unsigned) response from Mayo. It seems pretty clear that one of us doesn't get it, and I don't think it's me:
Everyone has an opinion, unfortunately not everyone agrees with you! but I will remove you from our list since your biggest challenge is deleting emails. FYI, Time Magazine along with other more important trades are running the story in Monday's issue. hope you sugar coated your shoes, too.
Nothing like compounding an initial error by being arrogant and antagonizing the people to whom you're evangelizing your customer. Is this representative of what other PR firms are doing for their customers? I sure hope not.
I've turned off trackbacks for all posts older than 5 days. I'm tired of having to clean up spam every single day.
Last night I got spam from a fellow named Steve W. Martin, author of a book called Heavy Hitter Selling. (I'm purposefully not linking to his web site or the book's page on Amazon, so as not to give him any juice). That's not that unusual; I get a dozen or so spams a day. What really irked me about this was his use of a service called Jigsaw.com, which pays its customers for uploading other people's contact data. Jigsaw is much worse than Plaxo; at least with Plaxo there's some utility to making your contact information available. Jigsaw bills itself as a sales lead database, and (to their credit) their TOS prohibits spamming-- but I'm still not thrilled with the idea that someone I know made a buck (literally; Jigsaw pays $1/contact) so that boneheads can send me spam. I'm sure a lot of more famous bloggers (cue: Scoble!) will probably be hearing from this guy soon.
You know Microsoft has to love it when the CEO of Intel publicly trashes Windows security:
Pressed about security by Mr. Mossberg, Mr. Otellini had a startling confession: He spends an hour a weekend removing spyware from his daughter's computer. And when further pressed about whether a mainstream computer user in search of immediate safety from security woes ought to buy Apple Computer Inc.'s Macintosh instead of a Wintel PC, he said, "If you want to fix it tomorrow, maybe you should buy something else."
You might remember that I ditched the Google Toolbar a couple of months ago. Steve Rubel is reporting on another good reason to do so: the newest version includes a feature called Autolink. Greg Linden explains it very simply: with this feature turned on, Google's modifying web page content to add its own links. For example, addresses are linked to Google Maps pages. Book ISBNs and package tracking numbers are linked too.
The folks at Google Blogoscoped toss this off with "talk about the Google OS taking over our lives", but you know what? Microsoft tried something similar with their IE support for smart tags. Smart tags are exceptionally useful in Office, because you can easily write your own smart tag code to recognize objects unique to your business (like chemical compound names for a pharmaceutical company). I wrote one that recognizes scripture verses (you know, like "John 3:16"). When MS proposed extending this feature to IE, the furor was incredible. Walt Mossberg, Dave Winer, Dan Gillmor, and a host of other influencers immediately started screaming that Microsoft was taking control over web content and generally acting like an 800-lb gorilla. The EFF even opined that the MS smart tag implementation might be illegal. In fact, here's what Chris Kaminski had to say:
Even if smart tags don’t violate copyright or deceptive trade laws, they still violate the integrity of the web. Part of the appeal of the web is that it allows anyone to publish anything, to take their thoughts, feelings and opinions and put them before the world with no censors or marketroids in the way. By adding smart tags to web pages, Microsoft is interposing itself between authors and their audience. Microsoft told Walter Mossberg “the feature will spare users from ‘under-linked’ sites.” Microsoft is in effect deciding how authors should write, and how developers should build, websites.
Worse, Microsoft’s decisions may be at odds with the intent of the site’s author or developer. If an Internet Explorer 6 user visits Travelocity and looks at a page with information on visiting Nice, France, the smart tag that aggravated Thurrott will link the word “Nice” to Microsoft’s Expedia site. With smart tags, Microsoft is able to insert their ads right into competitors’ sites.
Microsoft is crossing the Rubicon of journalistic and artistic integrity. Editors and authors no longer have final authority over what their sites say; Microsoft and its partners do. For a preview of what the web may look like for Internet Explorer 6 users who also have Office XP or Windows XP installed, take a look at InteractiveWeek’s Connie Guglielmo’s preview. With smart tags, Microsoft is effectively extending its role from being a supplier of tools people use to view content to being the executive editor and creative director of every site on the web.
So, check that out: Kaminski accuses Microsoft of "deciding how authors should write", "insert[ing] their ads right into competitors' sites", and becoming "the executive editor and creative director of every site on the web". He left out barratry and mopery and dopery in the spaceways, but that's still a pretty damning list.
Now Google's doing the same thing. Will we see the same reaction?
My guess is "no". Google's widely publicized mantra of "don't be evil" is increasingly often being used to excuse behavior for which Microsoft, Oracle, or IBM would be roundly condemned. This is just the latest such instance. Don't get me wrong: as a user, I think Autolink could potentially be a useful feature (but then I thought the same thing about smart tag support in IE). As a web content provider, I'm not comfortable with the idea that another entity (which may not have my best interests at heart) is modifying my content before someone else sees it. If Microsoft was wrong then, so Google is wrong now.
SearchEngineWatch says "the commercial possibilities are massive"-- I'd have to agree. My somewhat cynical guess, though, is that , and that raises the question of whether it's OK for Google to make money by modifying other people's web content. My guess would be "not so much"-- look back at the Kaminski quote and see the part about ad insertion again. On the other hand, I see that Dave Winer is labeling this as "a line they must not cross"-- an encouraging early sign.
Update: Adam Gaffin points to this article, pointing out that I have Google ads enabled. True. One prominent difference, of course, is that I get to choose whether ads appear on my page or not; I have some reasonable control over the ads' appearance, and I could filter out competitors if I wanted to. Autolink doesn't provide any of these features, except that it allows you to disable it. If I'm an Amazon affiliate, let's say, how do I stop Autolink from doing something nasty to Amazon links on my page? Sure, it might not do that now, but as any competitive strategist knows, you judge competitors by their capabilities, not by their intentions.
FedEx is up to no good. I got my corporate Amex bill and noticed that there were two shipments listed-- one for $25 and one for $55. I'd used FedEx to ship my SPOT watch (< 1lb) back for repair and to send a book to a friend in Long Beach. Sure enough, the shipment dates and tracking numbers matched. When I called FedEx to ask them WTF, the explanation was simple:
FedEx: We've been encouraging our customers to use our shipping materials. When you ship a package with nonstandard packaging, we automatically dim weight it.
Me: What does that mean?
FedEx: We take the package dimensions and calculate a standardized weight, then bill you for that.
Me: (incoherent spluttering) Why didn't anyone tell me this?
FedEx: You should have noticed the change in your latest Service Guide.
Me: (more spluttering) I didn't GET a service guide this year!
They were kind enough to remove the overcharge for those two packages, but there are two more en route right now that'll have to be re-rated once I get the bill. In the meantime, FedEx's perverse website has decided that two addresses which look the same to humans aren't really the same, so it won't let me log in to order some more of the Holy FedEx Boxes that I have to use in order to not be grossly overcharged. Grrrrr.
If you use FedEx for shipping, check your bills very, very carefully.
Amazon released their 2004 list of the best computer books, and once again Secure Messaging with Microsoft Exchange Server 2003 wasn't on it. Dang! I was all set to be depressed, but then I saw this great post from fellow author Ed Bott, with whom I agree totally:
Nothing on Windows XP or Windows Server 2003. Nothing on Linux or Mac OS X or cascading style sheets or PHP or Adobe Photoshop or computer security or digital music or photography. You know, topics that lots of people might actually be interested in.
Of course, if you want a really good computer book, I have just the thing :)
From all of us computer book authors, thanks for the support, Amazon. (Not.)
I've had a long series of email discussions with Troy Werelius, CEO of GOExchange's parent company. I'm now convinced that the sales rep didn't intend to be dishonest, but that he was trying to bolster his case that eseutil is complex (true), dangerous (true), and not for use by the unwary (true). He pointed out that it was unfair of me to criticize GOExchange as "little more than a scheduling engine that wraps around eseutil" without having used it. That's a fair criticism, although in my defense he has been reluctant to talk about what the product actually does do. To avoid confusion, I've removed my earlier post.
However, let me make something perfectly clear: I do not think that it is a good idea to run eseutil except in certain specific, well-defined circumstances. It is not a tool for routine or casual use. Reasons to use eseutil include fixing a damaged database or running an offline defrag, neither of which are routine maintenance operations. I think that's where the central point of disagreement between my viewpoint and Troy's lies.
Troy is working on arranging a technology demo for the Exchange MVPs that will help all of us understand better what the product actually does-- I'll post my impressions of its functionality after the demo.
Thanks to the brain surgeons at Six Apart and Pair Networks, my MovableType upgrade has quickly gone off into the weeds.
- Pair's resource limits are killing the mt-upgrade30 script before it can finish, so there are no comments.
- All my comments disappeared because the upgrade script can't put them in the new format
- MT-Blacklist doesn't work, in no small part because of its terrible documentation, but also because Pair doesn't give enough detail in their error logs for me to figure out what's broken
- Some part of the upgrade ate all my CSS, so my layouts have reverted to standard.
I'll get it fixed eventually. In the meantime, please be patient.
So, now it's getting personal. From Rob Novak via Ed Brill:
While standing there, I saw a title from Microsoft Press: "Secure Messaging for Exchange Server 2003". OK, that sounds reasonable. It belongs there. Then I realized something. Why in the WORLD would you need a 506-page book to tell you how to do secure messaging??? You just have to Sign and Encrypt! What is with these people?
Fair question, one deserving of a comprehensive answer. The short answer: there's a hell of a lot more to messaging security than "sign and encrypt"! What about anti-spam protection? What about hardening the base OS? What about risk assessment? What do you do if your boss comes to you and says he wants to read a coworker's mail?
The book's 506 pages because it:
- begins at the beginning with a detailed discussion of fundamental security principles, including the need for good physical security and the difference between various methods of authentication, encryption, and access control
- covers risk assessment and physical and operational security in some depth-- rare for a non-textbook security book
- completely describes a workable patch management process, something that every Windows or Linux admin had better be good at (particularly on the Linux side, where patch auditing, assessment, and deployment tools suck. Disclaimer: I don't talk about Linux patch management. Ha ha.)
- explains how to deploy and use S/MIME-- a topic that's poorly explained in most of the Exchange and Domino books I've evaluated to date. Can you cross-certify? Can you issue certificates to use the web client with smartcards? My readers can.
- explains how to use and secure a number of Exchange 2003 features that Domino doesn't even have, like wireless device access, attachment blocking and control for the web client, the anti-virus API, and so on
- tackles several issues that even Domino admins care about, like message archiving and retention requirements and legal issues about when you can, cannot, should, and should not open or scan user mail for legal or law enforcement reasons, the DMCA, and so on.
In fact, I'm so confident that even Domino administrators who run on Windows would find the OS hardening, archiving/retention, and legal chapters to be useful that I'll make a bet: I'll let the Domino community pick a representative to review the book, and I'll supply a review copy. If the reviewer doesn't honestly think that this is a terrific and useful book, and that it does a great job of explaining the wealth of security features provided in Exchange 2003, then I'll donate US$250 to a charity of Ed Brill's choice. On the other hand, if the reviewer finds-- as I'm confident he will-- that the book rocks, the reviewer will post reviews at Slashdot, ERCB, his own site, and Ed's site. Deal?
All right, I've had it. I am tired of waiting for "real" media to pick up on this story.
Oracle won't give its customers security patches unless they buy a support agreement. This is flat-out wrong. It holds customers hostage in a particularly nasty and egregious way: if you don't buy support, you can't get the patches you need to protect against vulnerabilities in products you've bought and paid for, even if they're still current.
If Microsoft did this, they'd be (rightly) pilloried. As it is, you can get any security patch for any supported product for free, either as part of a service pack or by directly calling Microsoft PSS. Microsoft has even extended the end-of-support date for Windows 98 and Windows NT so that customers can continue to get support (and patches) for them.
Of course, very few large Oracle customers run in production without support, as you would expect from such a large, complex group of products. Perhaps their customers don't care that they can't get patches without support because they all have it. I still think it's wrong.
(n.b. I don't know what IBM and Novell do in this scenario, but I aim to find out. Stay tuned.)
I keep seeing hysterical reports that Bill Gates wants to impose e-mail postage to stop spam. A quick Feedster search for "gates spam postage", for example, turned up 90 posts. Most of these are based on this CNN/AP story.
Unfortunately, virtually all of the articles and commentary miss the point: Microsoft's not calling for people to pay money for postage. Instead, they're floating the idea of using a hashcash-like system that requires the sender to perform a calculation (something like a hash of the message plus the sender's address, with some additional crypto thrown in) before sending the message. The MS Research system (described somewhat here) uses a similar idea: if you require a certain amount of computation to send messages, that raises the cost to people who send out millions of messages, i.e. spammers. (Interestingly, the BBC article says that Cynthia Dwork, who first floated the idea of computational-postage systems in 1992, is now working at Microsoft Research. Her original paper, here, makes for interesting reading).
Now, here's the part that most people are missing in all the "Bill Gates wants my postage" kerfuffle. If the message doesn't have a valid hashcash token, it can be passed through a normal spam filter. In other words, if it has "postage" (which is created by burning a few CPU-seconds on the sender's machine), it can be directly accepted (or not), but if it doesn't have "postage" it gets the full proctologist's treatment with SpamAssassin, the Exchange IMF, or whatever. (n.b. Ecto's spellchecker recognized "proctologist's"-- pretty cool, huh?) This is exactly analogous to what we all do with postal mail: if I get something that was mailed bulk rate (thus lacking "postage"), it's much more likely to get canned.
Microsoft is not suggesting that we pay actual cash for any of this (although these guys, and others, are). Calm down, everybody. Considering that there aren't any viable micropayments systems (and yes, I include Peppercoin in that dismissal), the idea of requiring actual micropayments for email is laughable, and no one knows that better than MS. However, a hashcash-like system is a useful adjunct to (not replacement for) other filtering systems. In fact, there's already at least one hashcash implementation, FirePay.
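As an added example (not code from this post, from Microsoft Research, or from any shipping hashcash implementation), here is a minimal hashcash-style "postage" scheme in Python: the sender searches for a counter until the SHA-1 of the stamp has a chosen number of leading zero bits, the receiver verifies it with a single hash and a few comparisons, and the two-lane policy described above (valid stamp: accept; no or bad stamp: full content filter) is applied. It follows the hashcash v1 stamp layout and binds the recipient address plus a digest of the message body, which is an assumption (the post describes hashing the message plus the sender's address); the recipient address and sample message are constructed.

```python
"""Hashcash-style computational postage: the sender burns CPU to mint a stamp, the
receiver checks it with a single hash, and mail without a stamp goes to the full filter."""
import hashlib
import os
from datetime import datetime, timedelta, timezone

STAMP_VERSION = "1"     # hashcash v1 layout: ver:bits:date:resource:ext:rand:counter
DATE_FORMAT = "%y%m%d"  # hashcash stamps carry a YYMMDD day, not a full timestamp


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; this is the amount of 'postage' on a stamp."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
        else:
            bits += 8 - byte.bit_length()
            break
    return bits


def body_digest(body: str) -> str:
    """Short digest tying the stamp to this message text (carried in the 'ext' field)."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def _parse_day(day: str) -> datetime:
    return datetime.strptime(day, DATE_FORMAT).replace(tzinfo=timezone.utc)


def mint_stamp(recipient, body, bits=20, date=None, rand=None) -> str:
    """Sender side: try counters until SHA-1(stamp) starts with at least `bits` zero bits.
    Expected work is about 2**bits hashes, so raising `bits` raises the per-message cost."""
    date = date or datetime.now(timezone.utc).strftime(DATE_FORMAT)
    rand = rand or os.urandom(8).hex()  # keeps two senders from minting the same stamp
    prefix = f"{STAMP_VERSION}:{bits}:{date}:{recipient}:{body_digest(body)}:{rand}:"
    counter = 0
    while True:
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp, recipient, body, min_bits=20, seen=None, today=None, max_age_days=2):
    """Receiver side: one SHA-1 plus a few comparisons, so checking stays cheap no matter
    how expensive minting was. Returns (accepted, reason)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != STAMP_VERSION:
        return False, "malformed stamp"
    _, bits, date, resource, ext, _rand, _counter = parts
    if not bits.isdigit() or int(bits) < min_bits:
        return False, "claimed bits below policy"
    # The sender wrote the bits field; confirm the hash really carries that much work.
    if leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest()) < int(bits):
        return False, "hash does not carry the claimed postage"
    # Stamps are only good for a short window, which bounds the size of the double-spend set.
    try:
        stamp_day = _parse_day(date)
        today_day = _parse_day(today) if today else datetime.now(timezone.utc)
    except ValueError:
        return False, "bad date field"
    if not (today_day - timedelta(days=max_age_days) <= stamp_day <= today_day + timedelta(days=1)):
        return False, "stamp expired or future-dated"
    # Postage minted for someone else, or for a different message, is worthless here.
    if resource != recipient:
        return False, "stamp minted for a different recipient"
    if ext != body_digest(body):
        return False, "stamp does not match message body"
    # Without this check a spammer could mint one stamp and reuse it on every message.
    if seen is not None:
        if stamp in seen:
            return False, "stamp already spent"
        seen.add(stamp)
    return True, "ok"


def route_message(headers: dict, body, recipient, seen, min_bits=20, today=None) -> str:
    """The two-lane policy from the post: valid postage is accepted outright, missing
    or bad postage sends the message through the full content filter instead."""
    stamp = headers.get("X-Hashcash")  # header name used by hashcash implementations
    if stamp is None:
        return "content-filter"
    accepted, _reason = verify_stamp(stamp, recipient, body, min_bits, seen, today)
    return "accept" if accepted else "content-filter"


if __name__ == "__main__":
    # Constructed sample: a note to a hypothetical recipient, stamped at 16 bits.
    recipient, body = "paul@example.com", "Exchange 2003 review copy is on its way."
    stamp = mint_stamp(recipient, body, bits=16)
    print(route_message({"X-Hashcash": stamp}, body, recipient, set(), min_bits=16))  # accept
    print(route_message({}, body, recipient, set(), min_bits=16))  # content-filter
```

Note that verification is a constant-cost check while minting costs roughly 2**bits hashes, which is the asymmetry that makes the scheme cheap for an individual sender and expensive for someone sending millions of messages.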
So, Ed Brill has been reading the Exchange team blog, probably for much the same reason that Microsoft PMs read his blog-- know your enemy, and all that. So, let me leave aside the fact that it's disingenuous (and, IMO, slimy) of Ed to say "I'm not spinning, but $spin..." and point out one key difference between IBM and Microsoft's support programs.
With Microsoft, any customer with a credit card can call Microsoft PSS and get support for any active product. If you want to buy a support contract, fine, but if you don't, you can still get support. The PSS org thus has to be sized for variable call volume from an unpredictable mix of 5.5, 2000, and 2003 customers, calling at unpredictable intervals. As far as I can tell, the only way to get any support from IBM (apart from their relatively useless support forums) is to buy a Passport Advantage contract, pricing information for which isn't publicly available. This gives IBM a pretty good way to predict required staffing levels, given that they know exactly how many customers they're obligated to support.
It's an interesting tension: limiting your support to contracted customers helps screen out a large percentage of customers, who are then hosed when they do need support, but that smaller support base means you need fewer support engineers, who will generally have lower utilization. Of course, MS would hire more PSS engineers if they could; in fact, they're aggressively hiring for the Exchange support team, but the skill bar is pretty high, so it takes time to fill the open positions.
Ed and I are in agreement on one thing, though: it is refreshing to see the blog-driven openness that is slowly permeating Microsoft, IBM, and other large companies. (Well, we agree on two things: AT&T's new upgrade program stinks.) That openness is all the more refreshing when it's factual and technical, not just more marketing spin and hype.
Update: Ed was kind enough to link here from the comments to his post, in which he points out that edbrill.com isn't an IBM web site. That's true, and I should have made it more clear that Ed is of course speaking only for himself, so I retitled this post slightly.
The Pentagon issued a secret report to Bush warning him that catastrophic climate changes in the next 15 years are a bigger threat than terrorism, and will lead to massive riots and nuclear war.
Actually, this is bogus, so I sent Mark Frauenfelder a note (which I've made HTML-friendly here):
Mark, I saw your item about the Office of Net Assessment report today. A few things become clear if you read the original Fortune article in which the report was mentioned. First, the Pentagon is a building, so it didn't issue the report itself. The report you cite was commissioned by Department of Defense's Office of Net Assessment (ONA). Andy Marshall is the director of ONA; see this article for background. Marshall's job, which he's had since about 1973, is to think of radical scenarios and assess which ones the Department of Defense should be preparing for. This has a long tradition, dating back at least to the Navy's "Plan Orange" for fighting Japan in the 30s. In the more immediate past, this forward thinking has led to a renewed focus on ballistic missile defense and a variety of interesting ARPA projects (including the recent "Metabolic Dominance" project, which personally I think is very cool). Radical scenarios, and potential consequences thereof, are exactly what they got with this report: ONA hired Peter Schwartz (who is famous for helping Royal Dutch Shell prepare for an oil market where prices *dropped* instead of monotonically increasing) and his Global Business Network firm (see here for more on GBN). GBN's mission was to prepare a menu of *possibilities*, which, if you read the Fortune story, is exactly what they did. I haven't read the report, but some of the scenarios that Forbes cites as possibilities from the report (water wars between Canada joining the US in an alliance, à la Fred Pohl's "Foodies" in JEM) are familiar to futurists and sci-fi readers. The more interesting question is whether Marshall's influence, coupled with the clear scientific evidence that there are tipping points at which dramatic climate changes happen *quickly*, will prompt any changes in US policy. (For one example, see this NOAA page.)
Unfortunately, the interesting aspects of this project have been buried under an avalanche of bogosity, like the Guardian article that breathlessly labeled the *speculative* "secret report" as an official Pentagon *prediction*. It's not.
Update: the report itself is available from Greenpeace. Interesting reading.
I'm trying to look at the Library page for the Domino Access for Microsoft Outlook product. Oddly, the feature comparison promised on the library page is 404. Hmmm. Not such a good selling tactic.
Because I have too much good sense to try fighting my way through 17 layers of IBM webmasters, I'll ping Ed Brill about this; I bet he can get it fixed.
Update: after a nice IM session with Ed, he's promised to look for the document, which indeed does seem to have disappeared from IBM's public site.
I tried to use BestBuy.com for some Christmas shopping, and the results were dismal. I needed a Sony Clie TJ-25, a Kodak DX4530, and a Kodak Printer Dock 4000. First, I ordered the Clié. I got back an email saying they were out of stock. I tried again later and got another email telling me it was ready for pickup, so I ordered the dock and camera on a separate transaction.
When I went to the store, they found the Clié but couldn't close the order in the computer. The sales rep's advice was simple: buy the Clié, camera, and dock together and ignore the orders; they'd automatically expire after seven days of not being picked up. But that's not what happened...
Obviously these guys have been using Notes.
Hello Paul, As you have witnessed first hand, Western Digital has changed the power requirements of their newer drives. To compensate for this, we have a device that plugs in-between the DOCK and the drive, called a Power Filter. Send me your WiebeTECH Invoice number and/or shipping information, and I will be happy to send one out to you.
Problem identified and solved, politely and at no cost to me. If only every company were so responsive! I've been recommending Wiebe's products for a while because they work well, but I'm really pleased by their attitude toward customer service.
It turns out that NASA engineers really were sounding the alarm about potential damage to Columbia; it's just that their managers were actively resisting, or passively ignoring, their claims. I saw a lot of boneheaded, turf-protecting, politically-motivated decisions when I worked at a NASA subcontractor, but nothing like this. My favorite part of the story is this:
Since the accident, Mr. Rocha said, engineers and other colleagues have thanked him enthusiastically for speaking up, saying things like, "I can't imagine what it was like to be in your shoes." His immediate supervisor has been supportive as well, he said. But from management, he said: "Silence. No talk. No reference to it. Nothing."
Except, that is, from the highest-up higher-up. One day Mr. Rocha read an interview with the NASA administrator, Sean O'Keefe, who wondered aloud why engineers had not raised the alarm through the agency's safety reporting system. This time, Mr. Rocha broke the rules: he wrote an e-mail message directly to Mr. O'Keefe, saying he would be happy to explain what really happened.
Within a day, he heard from Mr. O'Keefe, who then dispatched the NASA general counsel, Paul G. Pastorek, to interview him and report back. In a recent interview, Mr. O'Keefe said Mr. Rocha's experience underscored the need to seek the dissenting viewpoint and ask, "Are we talking ourselves into this answer?"
Indeed.
I am fuming after reading this article in the New York Times. Titled "For Citizen Soldiers, an Unexpected Burden", it's the story of some folks from an MP company in the California National Guard. They got deployed to Iraq, and their tour has now been extended. This is another in a long series of reports featuring people who signed up and took the king's shilling taxpayer's money and now claim they didn't know they might actually have to do their jobs!
I vividly remember sitting in a college English class in 1990, a week or so after Iraq invaded Kuwait. Thanks to my nifty haircut, my classmates knew I was in the military, and on this particular day they peppered me with questions. "Will you have to go?" "Are you worried that you might get deployed?" "Did you know this might happen when you enlisted?"
Of course I knew it might happen. Anyone who says "gee, I never thought I'd be activated" is either fooling themselves or you. For example, take this fellow:
Specialist Jory Preston, 30, of Pleasant Hill, Calif., signed on with the National Guard in January and was assigned to the 870th. He was working at a small telecommunications company and, having served in the Army in the 1990's, saw the National Guard as a way to earn extra money. He was married in February, and his wife was already pregnant by then. The next month, he was on his way to Iraq.
Here we have a 30-year-old with prior Army service. Undoubtedly he knew that, in the Army, people get sent overseas, away from their families. He enlisted in January, after it was already crystal clear that US forces were heading to Iraq. Then he acts surprised when he gets deployed.
I don't want to minimize the difficulty of being separated from loved ones, or the financial impact of going from a good civilian job to crappy military pay. But don't act surprised, people. It's not like you were drafted; you knew, or should have known, what you were getting into.
Tom Clancy has a new book, Teeth of the Tiger, out. It's not a very good book, IMO, although it's better than his last two pieces of crap, err, novels. However, I notice that Amazon doesn't have any user reviews! This, for a book whose current sales rank is now 4, and which has been shipping since 8/11 or so. I find that suspicious. Given how many readers (if, perhaps, no longer fans) Clancy has, one would expect a torrent of reviews on such a hot-selling book, but there are none. That makes me wonder why there aren't any reviews, and none of the possible answers (incompetence, systems failure, reviewer latency, desire to keep sales up by failing to post bad reviews) are good for Amazon.
Update: BN.com does have reviews listed on their page for the book. Of course, BN also has reviews for John Grisham's latest, as yet unreleased, book, so maybe they aren't the most reliable source. I just sent email to Amazon to ask where the reviews were for Clancy's book; we'll see what they say.
Update: I got a return email from Amazon's "community service" team. They claim that the review problem was a temporary technical glitch; indeed, there are now 219 reviews averaging 3 stars. (The number of reviews hasn't changed since late Thursday, which seems a little unusual.)
Among others, CNet is carrying this story. There's a great deal of additional material at their site, including this interesting architecture diagram. Is this a credible threat? Not yet. These guys have literally millions of man-hours of catchup to do before producing a product that does what Exchange and SharePoint Portal Server (their apparent targets) can do. I won't even attempt to list the hundreds of features that have to be implemented before they even reach parity with Exchange 5.5, much less Exchange 2000... much less Exchange 2003. Of course, since they're not trying to implement a mail engine they get off the hook for a lot of stuff. We'll see.
I got a response from Verizon after the letter I sent. This afternoon, I got a call from Josh, the assistant store manager here in Maumee. He apologized and promised to "take care" of the problem. I was (barely) able to refrain from asking whether that meant that Bob would be found in the Maumee River wearing a cement overcoat.
So, on one hand Verizon gets points for quick action; I faxed the letter the afternoon before a long holiday weekend started, and I got a call back on the next business day-- not too shabby. On the other hand, it remains to be seen whether the CEO's office handed out the kind of preemptive butt-chewing that prevents these kind of problems instead of just patching them. I guess the store manager was too busy with his other stores to handle this particular problem, so he delegated it to his assistant. C'est la guerre.
Update: I just got off the phone with Drew Moss, assistant to the Verizon Wireless CEO. He apologized profusely and promised that the director of retail services for this region will be looking into the matter. Since the store manager already knows what's up, I expect that to be a short conversation. Drew also offered me a month's credit on my bill, which was a nice gesture. VZW is now officially back in my good graces.
In which Paul suffers a broken phone and gets satisfaction from the warranty while simultaneously getting rudeness from a store employee; a missive to the CEO
Is there some reason why you can't just give me a context menu item to add a sender to the server's whitelist? Having to review messages in the console and then add them to the configurator is a pain in the butt-- just let me right-click an item in the console and say "add to Friendly Senders" or "Add to Friendly Listservers". Just a suggestion that your competitors have already implemented...
Remember our air conditioner problem? The fine folks at Ultra Heating and Cooling told us that our compressor had failed and that we'd need a new compressor-- say, $900 or so-- and that given the age of our unit, we'd be better off buying a new one (oh, $2800 or so).
The home warranty company required me to call a company that they have a contract with, so I did: Oasis Heating and Cooling. Their guy came out, puzzled over the unit for about 10 minutes, and brought in a dead fuse. After it was fixed, voila! 61° air from the air vents.
I don't know whether to ascribe Ultra's diagnosis as incompetence or malice on the part of their tech. Either way, a) I won't be calling them again; b) you shouldn't either; and c) their pres is going to get a letter from me in the near future.
So, after I registered at TechEd yesterday I wandered over to the grandiosely-named "TechEd Mall", a big plexiglas cube in the CommNet area. The book section was supposed to be substantially larger, and I was hoping to see Secure Messaging with Exchange 2000 substantially featured. After all, I reasoned, it's from Microsoft Press, it's about a Microsoft product, and this is the largest Microsoft-centric conference in the world-- a natural fit. I slowly cruised by the display wall outside the door, where there were lots of MS Press books visible. Not mine, unfortunately. "Oh well," I thought. "They must be inside."
Nope. There were MS Press books in abundance (and a nice selection of other titles from O'Reilly, Wrox, and others), but no copies of my book. I spoke to the (very pleasant) bookstore manager; it turns out that two books didn't make it here on time for the show-- mine and one other. I was pretty unhappy until I learned that the other author's book failed to arrive after they'd planned a big book signing because yesterday was the guy's birthday. Ooops. Hopefully some copies of the book will appear before I leave today.
If I had time, I'd write Sam Palmisano a nasty letter. I don't, so this will have to suffice. Why in the hell doesn't the battery for the T20 series ThinkPad fit in the T30? They're the same size, but there's a protrusion on the T30 battery that's not there on the T20. Identical capacity, nearly identical casing-- I'm tempted to use a Dremel tool to make it fit. Grrrr.
Jeremy points to a Bruce Perens article which more or less accuses Microsoft of being the puppetmaster behind the whole SCO-Linux mess. Josh Allen has a great rebuttal that correctly points out that a conspiracy in this case is, ahem, unlikely. That's all I have to say about that.
Well, OK, not really. I have to admit that I got a kick out of Eric Raymond's contention (see page 2 of the story) that the Linux gang is the "principal source of innovation in software". They're busy ripping off copying reinventing every feature they can grab from vendors as diverse as MS, Apple, and Opera (not to mention Sun and Palm). I have yet to see anything as innovative from Linux as any of the following: auto-discovery of WiFi networks (Win XP), Quartz compositing (Mac OS X), browser-based S/MIME email (Exchange 2003), complete support for FireWire 800 (Apple), support for IP over FireWire (Apple, Microsoft, and some other third-party ISVs)... I could probably think of some others, but I have real work to do.
WASHINGTON (AP): In a speech that surprised even such high-level Republican confidantes as Bill Frist, Tom Delay, and Brit Hume, US Secretary of Defense Donald Rumsfeld today called on Congress to allow President Bush to proceed with plans for military action against the state of Louisiana.
"We do not have the luxury of time to debate our strategy," Rumsfeld told a group that included members of the Senate and House Armed Services Committees, leaders of both houses of Congress, and selected members of the news media.
"Louisiana has demonstrated, time and time again, that it is not interested in peaceful coexistence with the United States," the Secretary claimed. "The leadership there says one thing and does another. They tell the world that they have no desire to be aggressive, yet we have proof beyond a doubt that they are producing weapons of mass destruction, and that they would use them against us, especially if they had too much to drink."
"Louisianians are like that," he added.
When asked what types of weapons of mass destruction Louisiana had, Rumsfeld turned the podium over to Secretary of State Colin Powell, who produced a series of line drawings of Tabasco Sauce bottles and containers of cayenne pepper.
"They have capsaicin," said Powell. "And frankly, we have never before seen chemical weapons of this intensity. Each small bottle of Tabasco sauce contains 720 drops. A teaspoon of the stuff has 60 drops. Two to three drops of capsaicin at these levels can disable someone, and five to six drops can cause choking, heart palpitations, respiratory decompensation, and even death. Four drops if the person is from Minnesota."
Powell went on to describe Scoville units, the units by which pepper heat is measured, and said that the deadly chemical was produced in a remote part of Louisiana known as Avery Island. According to the dossier from which Powell read, when all four production lines of the Avery Island factory are in operation, over 450,000 bottles of Tabasco can be produced in a single day.
"That is enough to kill every man, woman and child in the free world many times over," he said.
Secretary Rumsfeld then returned to the podium and fielded questions about his new military directive, which he called a necessary assault on what President Bush is referring to as the Axis of Carville.
"The President believes, and I agree with him, that no one in America is safe until Louisiana is disarmed," Rumsfeld announced. When asked about the possibility of sending UN weapons inspectors to Louisiana, Rumsfeld became impatient:
"There you go again, with the inspection song and dance. Don't you think that hasn't been tried? Every inspector that was ever sent there wound up in New Orleans, and came back drunk and weighing an extra ten pounds. If you knew anything at all about Louisiana, you wouldn't be asking such an inane question."
Asked about the possibility of allowing Louisiana time to disarm on its own, Rumsfeld said intelligence reports showed that if left to their own devices, the state's leaders would eventually distribute capsaicin throughout every major city in the United States. There are already more than a thousand Popeye's Fried Chicken franchises in the country, he said, and there are many other ways to introduce capsaicin to the population.
"But what about Governor Foster?" a reporter asked. "Isn't he a Republican?"
Rumsfeld smiled. "We're really not sure anymore, after the November election," he said, "and anyway, his term will be up soon. And if you don't think Mary Landrieu knows about the Tabasco plant, you are more naïve than even I could imagine."
Later, at a briefing on the latest addition to the growing list of places the United States will attack, Press Secretary Ari Fleischer was asked if President Bush had visited Louisiana. Fleischer replied, "He thinks he may have been there when he was governor of Texas, but he isn't sure when. I think right now it's somewhat murky."
"Louisiana has a lot of oil, Ari," Helen Thomas asserted. "My understanding is that it has 18 petroleum refineries, 27,250 producing wells, and is home to two of our four strategic oil reserves. Do you want us to believe that the proposed attack on Louisiana isn't part of the White House's plan to confiscate oil on a World-Wide basis?"
"Helen, it's certainly true that Louisiana has a crude oil reserve of 529 million barrels of oil, but the president has no interest in that. What he does have an interest in is the security of the American people, and that security cannot be maintained unless Louisiana is disarmed of its stash of chemical weapons."
With that remark, Fleischer ended the news conference. Later, however, reporters had a chance to talk with President Bush, who invited some of them to the golf course.
Asked if he thought an attack on Louisiana would be hard to sell to the American people, the president replied that American citizens were becoming more and more suspicious of the motives of foreign countries, and that they would not hesitate to do whatever was necessary to protect national security. When told that Louisiana was one of the fifty states, Bush nodded and said "God bless America."
Asked about allegations that the White House wanted to attack Louisiana for its oil, Bush turned and faced the group.
"I can assure you," he said, "I know all about the allegations. They are crawling around all the swamps in Louisiana. Some of them are ten feet long. Make no mistake: we will hunt them down, and we will bring them to justice."
The reporter reminded President Bush that Texas had even larger oil reserves than Louisiana. "Can we expect a future attack on Texas, too?"
The President turned toward the second hole. "Now watch this drive," he said, then, turning and winking, added, "Don't mess with Texas."
original source unknown; courtesy of my mom
Woo! If I was a drinker, I'd buy Tim Mullen a beer for this column.
MS Press has generally been quite competent and pleasant to work with, but I'm not very happy with them right now. My book is due to be on shelves in 9 days (2/5, baby!), but do you think it's mentioned on their web site? Noooo, of course not. There's no "Robichaux" in the author list, and searching for "secure" turns up three books, none of which are mine. My original editor is out on parental leave, but his replacement has promised to investigate.
Why should you care? Well, until they get the MS Press page for the book up, I have no sample chapters to post here. That means you have two choices: be a trusting soul and buy the book sight unseen, or wait for the samples. Personally, I prefer the first option, but I realize that not everyone likes to buy on faith alone. I'll have the samples up this week, even if I have to make them myself.
My wife likes to play bridge; so do all of my other female relatives (well, OK; most of them, anyway). She plays once a week against my mom, sister, and aunt, using Yahoo! Games' Java bridge applet. Their applet usually works fairly well, but that was before I installed ISA Server, which is much more capable than the appliance firewall I was using before.
To make a long story short, you must open some ports to make the Yahoo! Java games work right. They admit this, but they get the port numbers wrong! Ack! I eventually found the correct answer at Tom Shinder's ISA Server site, but I shouldn't have had to-- not to mention the 20 minutes or so I wasted trying various combinations of ports according to Yahoo!'s specs. Idiots.
So, word to all vendors: if you're going to publish security information, get it right. Otherwise, I will have to sic Russ Cooper on you.