December 2005 Archives

Collaboration is, in most cases, a good thing. But when it's done poorly, it can be an expensive proposition.

Let's look at the positives. Collaboration can save time and money. It can keep travel and telecommunications costs down. It allows an easy exchange of ideas. It makes it easier for people in different time zones to work together. Good examples of collaboration surround us: we have multiple authors of this blog; no two editors in this EarthWeb channel are in the same physical space; Lennon and McCartney.

As for the negatives: people weren't designed to collaborate and share information. Many enterprises make collaboration investments a departmental decision, which not only means there can be numerous collaboration platforms, but restricts who can collaborate. Many people collaborate via e-mail, which is a horrible collaboration tool. Bad examples of collaboration also surround us. Hall and Oates, to name just one.

There are more collaboration options than ever. There are collaborative workspaces, blogs, wikis, audio and video conferences, and whiteboards. But this doesn't even begin to touch on how many choices there are, as explained in this article on how to select collaboration tools from IT World Canada.

There are close to 1,000 vendors in the collaboration market, according to David Coleman, managing director of Collaborative Strategies LLC in San Francisco. "There are way too many vendors," he says. Coleman projects that sales of collaboration software, services and related hardware will reach $40 billion in 2008, with an average annual growth rate of 13 percent.

Thanks to Michael Sampson for the link.

Last week I wrote about a study that found compliance initiatives are distracting CFOs from growing their companies and expanding shareholder value.

This week, Tony Byrne of CMS Watch has a pair of links about electronic records management (ERM) and how all of this time and money spent on compliance projects isn't rubbing off on ERM.

Colman Murphy of Xerox writes in Line56:

Amidst all this spending, funding for electronic records management (ERM) initiatives has lagged. Even when funding is committed, there are still significant hurdles to overcome that can sometimes cause the entire project to grind to a halt.

Among the hurdles Murphy mentions are unforeseen costs, slow adoption, and the lack of a champion within the organization.

Writing in CMS Watch, Priscilla Emery tries to sort through the perplexity of ERM certifications and how they relate (or don't relate) to compliance. Enterprises that need to store their records according to a standard such as DoD 5015.2 have it pretty straight forward; not so when it comes to Sarbanes-Oxley.

Just about every vendor will tout its ability to support everything from Sarbanes-Oxley to HIPAA regulations. However, there are no certification specifications or procedures for any of these compliance activities at this point.

Sarbanes-Oxley isn't a records management issue. Or maybe more accurately, it isn't just a records management issue.

...although records management can play a significant role in Sarbanes-Oxley compliance most of this activity is associated with financial reporting and monitoring financial processes making workflow activities and process monitoring more important features to focus on than just records retention.

John Diebold, the man who pushed businesses to computerize as far back as the 1950s, died yesterday at the age of 79.

He died at his home in Bedford Hills, N.Y. from esophageal cancer, according to a report in the New York Times.

To say that Mr. Diebold was a man ahead of his time would be a gross understatement. Remember back when computers weighed not pounds, but tons? Well, even back then he tried to tell the world how programmable devices could change the way business was done. He authored the book Automation to evangelize about opportunities that computers would bring.

Mr. Diebold went on to create an international consulting firm and explained technological advances to the likes of Boeing, Xerox and AT&T. The New York Times raves that he ''persuaded major corporations to automate their assembly lines, store their records electronically and install interoffice computer networks''. That's high praise from a cynical industry.

Mr. Diebold saw how computers could change business and society. He saw the benefits that technology could bring to this world. And he worked for decade after decade to educate the rest of us about it.

For that kind of vision and passion, he will be missed.

There's an interesting discussion online about whether the new network-centric social software applications that have come to be known as Web 2.0 will eventually evolve into enterprise applications. Phil Wainewright calls this shift Web 3.0.

According to Wainewright's initial post:

I'd like to make one thing is absolutely clear right from the outset: Web 3.0 isn't just about shopping, entertainment and search. It's also going to deliver a new generation of business applications that will see business computing converge on the same fundamental on-demand architecture as consumer applications. So this is not something that's of merely passing interest to those who work in enterprise IT. It will radically change the organizations where they work and their own career paths.

I don't know if I'm sold on this, but I've heard stranger things. My biggest issue at this point is that most office workers are too comfortable in the world of Windows applications for this to happen right now, but no one is saying this will happen overnight.

John Hagel has his own opinions on how Web 2.0 will or will not morph into Web 3.0.

Phil is focusing on two related changes. First, the emergence of the traditional enterprise as a significant new customer set for the technologies that are shaping Web 2.0. Second, and related to the first, an urgent need to define and deploy more sustainable business models. In particular, he has been hammering appropriately on the need to define other revenue models beyond advertising for the enterprise market. But these are not profound technology shifts. These are marketing opportunities and business challenges created by Web 2.0 technology.

Whenever Web 2.0 fans talk about their favorite applications getting traction on the enterprise level, they point to Dresdner Kleinwort Wasserstein, which implemented wikis to replace its intranet. As a journalist, one thing I've noticed is that the Dresdner example has been kicked around for some time now. If Web 3.0 is coming, we'd better see some more examples soon.

Firefox fans are going to love this. Bruce Schneier wrote yesterday about a browser study from August that measured the number of days browsers were known to be unsafe.

The researchers tracked three browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were "known unsafe." Their definition of "known unsafe": a remotely exploitable security vulnerability had been publicly announced and no patch was yet available.

Microsoft's Internet Explorer was 98 percent unsafe; meaning there were only 7 days in 2004 that didn't have an unpatched publicly known security hole. And that's only publicly known holes.

Firefox was 15 percent (56 days); Opera was 17 percent (65 days).

I expect next week to be a slow week, but I'll be in the office for two days anyway. One of my projects will be updating Intranet Journal's Spyware Guide.

I'll have to find a place to add a link to this post by Suzi Turner on ZDNet's Spyware Confidential blog. Suzi enumerates the top 10 tricks causing the spyware epidemic; everything from adware, AIM worms, to Sony's rootkit (of course).

Not only is there a list of methods used to spread spyware over the past year, but there's citations and links so you can read more about the exploits. If spyware has been a problem in your organization this year, you may want to publicize these among your users.

That's all for me this week. Have a Merry Christmas, a Happy Chanukah, a splendid Kwanzaa, or just a nice weekend. Whatever floats your boat.

The FTC has told Congress that the CAN SPAM act is working. When I first saw this news on Thursday, I thought maybe there was something to it. I only had about 70 spams waiting for me in the morning. Today it was back up to about 130. That's pretty normal.

The FTC cited two studies in its report. One, by e-mail filtering company MX Logic, said spam accounted for 67 percent of the e-mail passing through its system in the first eight months of this year. That's down 9 percentage points from the same period a year earlier.

The second report by MessageLabs, another e-mail filtering company, said spam rates rose for much of last year but have since declined and hover near the levels they were at in December 2003 — when Congress passed the anti-spam legislation.

There are several problems with CAN SPAM, the most obvious being that it's a law for an online activity that only applies in the United States. Let's just say those Nigerians aren't shaking in their boots.

As with most pieces of superficial legislation, the law was more about politicians backing a bill that everyone supports in theory. But this morning I realized another reason spam rates may be dropping.

I have been deleting spam comments from this blog all morning. (Why do people even bother? We delete them before they see the light of day.) This makes me think that while e-mail spam may be down, it's likely spammers are just spamming blogs, because that's what superficial legislation does, it makes the bad guys change tactics.

It's not just comment and trackback spam that's threatening to do to blogs what spam did to e-mail. AdWeek quotes research saying one in five new blogs is pure spam.

A study commissioned by McAfee in Europe puts some numbers to the danger that systems and networks face from within. Here's some of the findings:

• 21% let family and friends use company laptops and PCs to access the Internet
  
• 60% admit to storing personal content on their work PC
  
• 10% admit downloading content at work they shouldn't
  
• 51% have no idea how to update the anti-virus protection on their company PC
  

You can read more of the results from The Register.

You can protect all you want against attacks from the outside, but those insiders, especially those laptops and devices that leave the office, can kill you. Of course, if you were part of the audience for our Enterprise Security Challenges for 2006 webcasts, you heard all of this. If you weren't, you can still catch them on demand.

Thanks to Bruce Schneier for the link.

There's a chance someone in your organization is using an IM screen name like CrazySexyKewl. Sure, they'd have to be missing a common sense chip or be totally deaf to social norms, but the IM screen names in your organization may need a review, according to Ferris Research.

If you're an IT manager and your users employ instant messaging as part of their jobs, you need to ensure their screen names present an appropriate image of your company.

There's a good idea in the comments to that post too. Not the one that tries to sell IBM software, but the one that suggests your employees use their company e-mail address as their IM screen name.

Thanks to the Computerworld IT Management Blog for the link.

I don't know why this took so long, but it appears election officials around the nation are awakening to the fact that electronic voting machines are easily susceptible to tampering.

Brian Livingston wrote in this week's Executive Tech column (Fixing Elections for Fun and Profit) that two counties in Florida scrapped their e-voting machines made by Diebold Elections Systems "after computer experts showed that vote totals could be changed by a single individual in a way that would be undetectable later."

Now I read in SiliconValley.com, via Techdirt , that the secretary of state in California has refused to certify Diebold voting machines in 17 counties. In a letter to Diebold, an aide to the secretary of state cited "unresolved significant security concerns" about the memory cards used to store votes in each machine.

According to SiliconValley.com:

The Secretary of State's office is asking Diebold to submit the machine's source code for review by the federal Independent Testing Authorities before resubmitting the company's application for certification in California.

Diebold, which has a history of refusing to share source code and then providing lame reasons for not doing so, says it will review the state's request. Why do I get the feeling the state's "request" will be rejected?

I clicked on the Wall Street Journal link in Mike Pastore's post below about telecommuting and stumbled upon a short article that job hunters may find very helpful.

It's about using discretion in the workplace when looking for another job. Among the tips offered:

Keep your big mouth shut. Even if one of your co-workers is your bestest friend in the whole world, if you tell just one person in your office that you're looking for a job, you may as well distribute a podcast announcing your employment plans.

Don't leave tracks. You have to assume your employer (or these days, your government) is monitoring what you do on the job. So avoid using the office fax, telephone, computer and email account.

Dress up more. If you normally dress as if you're headed to a techno-rave, and then show up looking like a Brooks Brothers mannequin, it may (rightfully) arouse suspicion that you have a job interview elsewhere.

Observe these basic rules and you should be able to fly safely under the radar. Happy job hunting. Not that I think you're looking or anything.

Working at home requires discipline. Anyone who has tried to do it, even from time to time when it snows, knows this.

Telecommuting has gotten a lot of press lately. When it works, it makes life easier for employers and employees. When it doesn't, you get a story in the Wall Street Journal. (A free story too; it must be Christmas.)

Conditions at home can be more dungeon than castle, and in contrast to turf wars at the office, you can't escape the enemy at night. Contract manager Bill Hall started working from home in mid-August, setting up shop in his basement, which has two small casement windows stingy with light. His son, a high-school senior, gets frustrated that he can't blast his music or the enemies in his videogames the way he used to. And while Mr. Hall squeezes in tasks like doing the laundry, loading the dishwasher and reorganizing the refrigerator, that 110% effort isn't always appreciated.

There's other tales too, of nosy neighbors and family members, annoying pets, and co-workers and supervisors who don't give people who work from home credit for the work they do.

Like a lot of things, telecommuting depends quite a bit on corporate culture. If it's going to lead to suspicions you aren't pulling your weight, then maybe you work for an organization that should keep people in cozy little cubes.

If you aren't pulling your weight because... I don't know... your cat slept on your laptop and hit a bunch of buttons while dreaming about the Manx next door (as did one cat in the article; Manx excluded) then perhaps you're not cut out for working from home.

That's all from this cozy little cube.

This isn't really a shock, but I thought I'd follow the lead of the folks at ABI Research and buck the trend by predicting things that won't happen when the calendar turns.

ABI's whitepaper, "What ISN'T Going to Happen in 2006," (free registration required) focuses mainly on RFID, wireless and cellular networks, and related non-predictions.

I like this approach, actually. We see enough predictions about the next great thing, it's about time someone temper the enthusiasm with a more realistic look. And as a PR move for ABI, well I wrote about it, didn't I?

Among the things you won't see in 2006, according to ABI: successful video products from the satellite radio companies; successful broadcast mobile video products; cellular communications on airplanes; 802.11n products on the market; and widespread adoption of e-passports.

Give it a read.

As Mike Pastore pointed out yesterday, we've made little headway in our battle to rid the Internet of spam.

And while some remain hopeful that we really can defeat the spam monster, others -- in this case David Clark of MIT -- fear for the very future of the Internet itself. Clark, quoted in a multipart article in MIT's Technology Review, argues that its lack of built-in security, along with its increasing inability to easily accommodate emerging technologies, could make the Internet not worth the hassle:

"We might just be at the point where the utility of the Internet stalls -- and perhaps turns downward."

I like this description of the contemporary 'Net experience by article author David Talbot:

[F]or the average user, the Internet these days all too often resembles New York's Times Square in the 1980s. It was exciting and vibrant, but you made sure to keep your head down, lest you be offered drugs, robbed, or harangued by the insane.

All of that happened to me when I visited Times Square in the '80s. And the same thing is happening on the Internet today, only now the insane are called bloggers.

According to the article, "Clark argues that it's time to rethink the Internet's basic architecture, to potentially start over with a fresh design," rather than trying to make do with the current flawed architecture cobbled together over many years.

It's pretty fascinating, high-level stuff. And while the notion of rebuilding the Internet from scratch to make it less vulnerable to spam, viruses and other cyber-scum seems daunting, the alternative is to let this Times Square get worse.

Put me down as in favor of a do-over.

IT professionals don't have to join the GTD cult to become more efficient, effective and productive.

I mean, if it works for you, go right ahead. Followers of productivity coach David Allen's Getting Things Done credit the time-management book with transforming their jobs and lives.

It's just that there's a good column over at CIO Update which also offers advice on managing your time, but takes a different tack than Allen's process- and detail-driven approach.

Rajesh Setty says CIOs should put aside their "to do" lists and begin thinking strategically:

What you really need to focus on is “leverage” — how to get the most out of your time rather than how many “things” you can get done within a specified time.

Accomplishing that, Setty says, requires thoughtful planning and utilizing the resources at your disposal, not getting all frenetic and list-happy.

He also offers this insight:

The genesis of time management problems is the commitments you make to others.

So the reason you never have time to get everything done is those damned other people! I knew it! Actually, what this really means is you have a hard time saying "no" and, like a sap, are prone to overcommitting.

All is not lost, though. You can learn to negotiate and re-prioritize in order to get the important things done. Now go do that.

There is no bigger waste of time for IT professionals than Sarbanes-Oxley compliance, and that's not just me saying that.

That was one of the findings of a survey this past summer of Share members; Share being the oldest independent IBM user group in the land.

One of the survey's questions asked respondents to imagine themselves being transported to 2015 and then looking back at 2005 and what they thought in retrospect would prove to be either an ineffective or wasteful use of their IT time. Twenty-eight percent of those polled cited Sarbanes-Oxley compliance, followed by deployment of unproven technologies (23 percent), purchase of unneeded technologies (19 percent), and continuing support for outdated technologies (17 percent). The fifth-rated bugbear cited by 10 percent of respondents was external consultants, with software upgrades only distressing one percent of those polled.

And there's this from Robert Rosen, president of Share:

"[Sarbanes-Oxley compliance] is occupying a lot of people's time and they can't figure out what the return on investment is there..."

There's avoiding fines and staying out of the pokey, just to name a couple off the top of my head.

Thanks to Paul Chin, a regular contributor to Intranet Journal, for bringing the survey to my attention.

You know what drives me nuts? When you make some ridiculous prediction and a couple of years later someone calls you on it.

So let's say you lead the top software company in the world — that you're one of Time magazine's people of the year even — and a couple years back you said we'd be done with spam in two years. And now you're down to just a couple of weeks.

Not only is spam still a problem, but it's one that Ray Everett-Church says is fixable. Unfortunately, it's become a way of life and most of us just try our best to ignore it.

If there has been any major difference for spam this year, it's been that in 2005 the anger toward spam has been replaced by a kind of grudging acceptance that it's just one of those annoyances that isn't going to change anytime soon.

And that leads to spam becoming a back-of-mind issue.

We didn't hear too much this year about spam. Aside from a few successful lawsuits against a handful of spammers, and a handful more being sent to jail under various federal and state anti-spam laws, there has been precious little groundbreaking news in the world of spam.

Maybe our software leader became obsessed with a certain search engine in the past two years and lost his spam focus. That's what drives me nuts; that, and the 169 spams I had waiting for me this morning.

Certain things are guaranteed to test one's holiday cheer: Mall gridlock, losing a bid for immortality, and hackers.

An article published today at Sys-con-Brasil offers some interesting info on cyber-extortion:

The newest ransom caper in real life involves hackers taking over an individual's or company's computer, scrambling or encrypting documents, videos, spreadsheets, databases, and other crucial files, and then demanding a ransom to unlock the files and make them usable again. Called "ransom-ware," this new malicious code combines the worst of spyware and Trojan horses.

Not exactly script kiddies testing their chops. The article cites a Carnegie Mellon study which "found that 17% of businesses had been the target of cyber-extortion." And the stakes could get higher:

Professional criminals can command legions of vulnerable computers to send denial of service attacks. Adding ransom-ware to their arsenal would pose a formidable threat that could have serious security and economic ramifications.

Just what IT security pros -- and the rest of us -- need.

Get used to reading about studies this week because no one's going to be releasing much in the way of news. That includes a study that found your next CIO might be wearing a suit.

"It's funny because there's been some talk about this happening for the last three or four years," says Phil Bloodworth, a partner in Advisory Services at PriceWaterhouseCoopers. "Now we're finding that it's being put into practice. It's actually happening. Companies put someone over technology who isn't necessarily a technologist. They're more of a strategist or a business person."

This is one way to align IT with business. I think in the future you'll see more people who are adept at both; technologists with MBAs, for example.

As for how the geeks are handling this change in CIO background:

"It's going over pretty well," he says. "Let me tell you why. If you get an IT organization that's not viewed as just driving the bus, but it's viewed as someone who's tactical and strategic, then technology is elevated. IT is becoming elevated. There will be the crusties who don't like that. But the enlightened IT professional, who wants a broader perspective, will like this move. It's elevating their status in the company and it's allowing them to help the company achieve its strategic goals."

I'm waiting for the remake of A Christmas Carol where Bob Cratchit is a CFO stuck in the office working on Sarbanes-Oxley paperwork for Christmas.

OK, I'm not. I actually like the original. But the more I read about compliance regulations and the impact they have on business, the more I think they were the government's gift to the professional services industry.

As someone who follows the enterprise content management market, I saw that sector jump on the compliance bandwagon early. Then it was the security sector. Funny thing is, the word "software" isn't mentioned anywhere in Sarbanes-Oxley.

We're probably going to keep hearing that software is the answer to compliance questions because word came down last week in a survey from IBM and The Economist that CFOs will likely be working through the coming holidays.

Chief financial officers are so swamped with earnings reports and compliance work that they are not able to focus on expanding their companies and driving shareholder value, according to a global study released Friday.

I wonder what the CEO is doing while the CFO is buried in compliance hell...

CFOs who are bogged down with operational and financial details may have trouble focusing on strategy, but a CFO who focuses only on strategy may not have enough operational information to make the best decisions

Better get him some IBM software.

Publicly accessible files on your Web site may be leaking sensitive information in the form of meta data, user names, and file locations, according to a study.

The study was conducted for Bitform, which is in the content security business — so the findings are, shall we say, anticlimactic. But the list of things that are hidden in the meta data of Microsoft Office files can be extensive, and they can be embarrassing if not dangerous.

Among the information left exposed in online documents, according to the study:

• Author histories
  
• File paths
  
• Printer information
  
• Outlook properties
  
• PowerPoint speaker notes
  

Biform CEO Joe Keslin explains the problem:

"You don't have to expose your trade secrets to open your organization to potential harm. For instance, what we call Outlook Properties is a great example of information that you probably don't want to expose to the world. This includes a user's email display name, the subject line of the email that contained the file attachment, and the sender's email address. As an executive, I don't want my employee's display names and email addresses made available to competitors, recruiters, social engineers, hackers or anyone else that we don't explicitly want to share this information with."

If buying software isn't your thing, Microsoft does have instructions for removing meta data if you know where to look. Not to pick on Microsoft, the meta data in Adobe's PDF files has been an issue too.

With media reports on the traffic the day before Thanksgiving and shopping on the day after Thanksgiving, the holidays can sometimes seem like an annual repeat. Lists of predictions, reviews, and resolutions are no different.

We're not ignoring the ubiquitous lists of predictions for the IT world here at the Datamation blog (I wrote about one for Microsoft last week), we're just waiting for a list of predictions that makes us think.

Let's take Bruce Perens' Forecasts for 2006 as an example. Among the predictions I found interesting:

• Java begins its decline as an enterprise platform
  
• Trouble ahead for PHP
  
• Cellular carriers are just carriers
  

Details on that last one:

...remember the first generation of internet providers? Compuserve, Prodigy, Genie, GNN, and AOL all worked hard to provide unique content and enhance the user experience. They lost out to a second generation of internet providers that were just high-speed data pipes, while content moved to carrier-independent entities like Google and the user experience was engineered by software application providers like Netsape, Microsoft, and eventually the Mozilla project.

PHP's problems, Perens says, have to do with multiprocessing and security.

Thanks to Stephen O'Grady for the link.

Those crazy Terrapins at the University of Maryland have been setting out the honeypots and gathering quantitative data on how hackers break into computers, and what they found could change the way you think about secuing your computers.

Assumption: port scans precede actual attempts to hack into computers.
Reality: More than 50 percent of attacks are not preceded by a scan of any kind.

This means that security administrators may be using flawed assumptions to prevent attacks. Many IT administrators try first to detect scans and then take preventive measures to secure their networks. The research shows they may be acting too late to prevent the bulk of hacking attempts.

The researchers also measured the time separating scans from attacks, conducted a longitudinal study of malicious activity recorded over one year, as well as a comparison between malicious activity from inside the university with malicious activity from outside.

There's a PDF of the findings available. Enjoy.

If you're reading this blog via an RSS feed, know that you're one of the elite. Most studies seem to put the number of people using RSS at about 5 percent of Internet users. This, of course, means that mainstream users have yet to catch on. RSS remains a toy of the tech world.

But all of that could change with the upcoming versions of Windows Vista and Internet Explorer 7.0, we can presume. Once Windows starts integrating things, the masses tend to catch on.

One problem, however, has been finding an icon to alert users an RSS feed is available in the upcoming version of IE. Those of us who do this for a living know the orange XML icon and blue RSS icon, as well as any number of icons (or chiclets as some like to call them) from Bloglines, FeedBurner, and My Yahoo, let us know we can subscribe to the content. Casual Internet users click on the links, see a page of XML code, and hit the Back button.

The people at Microsoft have put a lot of time into how they will communicate the availability of a feed. Microsoft's RSS blog has been publishing example icons and looking for comments for quite sometime.

And the winner is...

The same icon that Mozilla uses for RSS feeds in the Firefox browser. Microsoft will be using the icon, with the permission, agreement, and cooperation of Mozilla of course, in the IE 7.0 command bar whenever a page has a feed associated with it, and in other places in the browser when it needs a visual to represent RSS.

This kind of takes the Ho Ho out of the holidays.

It seems that a lot of IT professionals won't be home opening presents on Christmas morning or celebrating Hanukkah with their families. And plans for ringing in the New Year? Don't mark that down in your PDA just yet.

Nearly 50 percent of email administrators will be working this Christmas and New Year's because of email problems, according to a new Osterman Survey, which was sponsored by Zenprise. And 42 percent of IT managers and email administrators said they worked on Christmas at least once in the last two years because of an email problem. Forty-four percent said they worked on New Year's Day because of email problems.

Maybe letters to Santa should have included a request for the holiday at home... or trouble-free email.

When it comes to garnering admiration in the world of business, the captains of technology are second to none.

Well, technically, I guess only Bill Gates is second to none. The Microsoft founder has been named the world's most admired business leader in a survey by PR firm Burson-Marsteller and the Economist Intelligence Unit, based in London.

But three of the top four were technology titans. Finishing as runner-up, or second to one, was Apple founder Steve Jobs, while Dell Computer's Michael Dell was fourth. Which must make him "second to three" because "fourth to three" strikes me as redundant.

Survey respondents included CEOs, senior executives, financial analysts, business media and government officials in North America, Europe, Asia and Latin America.

A new study from Harvard Medical School concludes there is no link between excessive computer use and carpal tunnel syndrome.

Since I'm not about to plunk down $24 for the report (which you can do here, if you want), I have no details other than what I get from news stories and Harvard's press release. But here's a summary of what the study concludes:

Heavy computer use -- up to seven hours a day -- does not increase risk for carpal tunnel syndrome. However, improper computer use and other workplace conditions can contribute to a type of disorder known as repetitive stress injury.

OK, I'll buy that. Now here's my unscientific, anecdotal 2 cents: I've been sitting in front of computers, typing words for a living, for more than 20 years. The only time I've ever experienced pain in my wrists was in 1996, when one of my jobs was to help create links for my publication's new web page.

It involved an intensive amount of mousework -- I was clicking, dragging and dropping up a storm. Whatever the official affliction, it was killing my right wrist, and soon I felt sharp pains shooting from my little finger toward my elbow. I tried alternating hands as I moused away, with the predictable result that both wrists hurt.

Fortunately that gig lasted only about six months or so. Once I stopped the crazy mousework, the pain slowly went away. Ever since then I've been pretty convinced that excessive mouse use -- yes, along with poor posture, etc. -- is bad for you.

And while I can't dismiss the Harvard study merely based on my own experiences, it's drawing fire elsewhere on the Internet. I think this guy may be onto something, though.

Will actually come tomorrow during the last Webcast in our Enterprise Security Challenges for 2006 series.

This one has been a challenge to put together because the topic is continually evolving, and my inbox gets more potential information every day. It's online shopping season and people insist on reminding people about online fraud and identity theft.

Just yesterday I was preparing the part of my presentation that talked about two-factor authentication, and why some experts think it won't work for, say, online banking customers. The Federal Financial Institutions Examination Council expects banks to adopt some form of two-factor authentication by the end of 2006.

Some experts say two-factor authentication will just make the bad guys change their tactics, which really accomplishes nothing. They'd like to see banks and other financial institutions held liable for fraud and identity theft. That, they say, is what will really get people serious about the problem.

Word comes today, via Bruce Schneier's blog, that South Korea is going to do just that.

The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible.

We'll see how well it works. In the meantime, I've had my fill of online fraud and will put the topic to bed for the remainder of 2005 after tomorrow's Webcast.

If online content really wants to be free, it's slowly getting its chance.

The Toronto Star has removed the registration requirement from its Web site, the star.com. By my unofficial tally that's two major newspapers that have dropped the registration requirement in the past two months. The Houston Chronicle dropped registration in November.

Both the Star and the Chronicle had free registration for readers.

"We believe that in order to be competitive in the online news and information space, growth of both audience and page impressions will be the cornerstone of our success. Further, we believe that the key to that growth is through the removal of all barriers, including registration," said Michael Goldbloom, Publisher, Toronto Star. "Our online readers have told us that registration is an inconvenience. We listened to our readers, and we've removed mandatory registration from our site."

It seems the Star has realized that even if you are the largest daily newspaper in Canada, the way to make money in online publishing is to get eyeballs to your ads. Standard & Poor's latest look at the media industry panned pretty much every sub-sector (especially those God-awful movies they keep releasing and the disaster called radio) with the exception of online advertising.

Even assuming that growth decelerates somewhat, Internet advertising is likely to exceed magazine advertising in 2006. Spending on Internet ads could potentially surpass spending on radio in 2008, assuming 1% to 2% growth in radio ad spending and a minimal contribution from satellite radio.

Even with the Winter Olympics coming up in 2006 and what figures to be a pretty eventful midterm election next November, advertising is going to have problems because it seems slow to move where the consumers are.

The broad shift of viewers and advertising dollars to the Internet is deeply troubling to many media companies, TV networks are grappling with the implications of ad-skipping technologies, and key advertisers like automakers and retailers are rethinking their ad budgets.

There's a battle shaping up now in Washington between telecoms and online content providers that could determine how the Internet is used -- and what it will cost.

Under the proposal being pitched to lawmakers, telcos and cable companies could create a higher-speed Internet and charge both consumers and online content providers to use it. As explained in this Boston Globe article:

AT&T and other telecoms want to charge consumers a premium fee to connect to the higher-speed Internet. The companies could also charge websites a premium to offer their video to consumers on the higher-speed Internet. That could mean that a company like Yahoo might have to pay AT&T to send high-quality video to AT&T subscribers.

Needless to say, online content providers such as Yahoo, Google and Time Warner are adamently against the proposal. This story reports that Vint Cerf, Internet pioneer and now a vice president at Google, argued against the plan in a letter to a House Energy and Commerce subcommittee:

"This bill would do great damage to the Internet as we know it. Telephone companies cannot tell consumers who they can call; network operators should not dictate what people can do online."

Admittedly I'm biased as a consumer, but I favor the status quo, and thus hope the content providers' lobbyists are more effective than the telco lobbyists.

Or at least they will be if they take the advice of Jon Oltsik, a senior analyst at the Enterprise Strategy Group.

Oltsik says his early advice for 2006 is to outsource security because it's cheaper, better, and it makes good business sense. After all, we outsource just about everything else.

What's that you say? Security is rarely outsourced because it's like trusting someone else with the keys to the place? That has been the conventional wisdom in the past, but Oltsik says outsourced security is better.

Here's another controversial but true statement; most security folks aren't big picture guys. They may kick butt at managing a Check Point firewall but do they really have the technical or business skills to protect a critical business process? Nope. Security outsourcers certainly can match your folks on basic security skills and since they work with 100s of customers, they simply gain more worldly experience than you can. This is a big plus when you change the discussion from firewall settings to securing your e-commerce applications.

What Oltsik doesn't mention is that many large organizations are starting to outsource their security as part of their moves to outsource compliance. Security alone didn't seem to warrant outsourcing, but according to the IT Compliance Institute, combining it with compliance was apparently getting too far away from the core business for many enterprises.

Greg Gianforte, CEO of RightNow Technologies, accuses the major software vendors of selling platforms with no tangible value in BusinessWeek this week. He compares the way major vendors sell software these days to your mechanic giving you a set of tools instead of fixing your car.

According to Gianforte, whose piece is called "The Great Software Platform Hoax," platforms aren't platforms anyway; they're "marketectures" that exist to rationalize bad acquistions, and they exist as smokescreens to hide that the fact that the vendors haven't delivered good software.

Corporate customers, however, aren't out shopping for new computing platforms. They need business solutions that actually help them compete and succeed in the real world. They also want something that no platform-obsessed vendor seems able to provide: a technology partner that can actually be held accountable for promised business results — such as increased revenue, reduced expenses, faster time-to-market, or improved customer satisfaction.

As an alternative, Gianforte suggests an on-demand delivery model, which eliminates the need to create a proprietary technology platform as a competitive differentiator. He also suggests open source, which commoditizes the software stack.

So Microsoft is launching a contest in India to find new programmer talent, with the top prize being a yearlong internship with Bill Gates' technical team.

If Wag-Ed isn't packaging this as an "Apprentice"-style television show, Redmond should dump them and get a new PR firm. This concept is a winner.

After all, "The Apprentice" has done miracles for Donald Trump, thrusting him back into the spotlight just when it seemed he was fading from public view, if not the New York Post.

And, PR-wise, Gates is starting from a better position: He's much richer than The Donald and has (marginally) better hair. Now that I think of it, Steve Ballmer does too.

Most important of all, it would steal Google's "mindshare," at least for one hour of prime-time a week.

Sure, there would be challenges. Coding showdowns tend not to make for the most riveting viewing, no matter how many quick-cuts, zooms and other camera tricks are used. And, truthfully, it might take some doing to "tease out" the nascent star quality in your average dorky programmer.

But there's a solution to those problems that's as old as silent film: Eye candy. Teach some HTML to a couple of Bollywood babes and you can start booking advertisers.

As for the "catch-phrase" Gates utters when he "fires" an unfortunate programmer, how about:

-- "Fatal error!"
-- "I'd offshore you if we weren't already in India!"
-- "I hear Google's hiring."

Or simply have Ballmer hurl a chair. Now that would be good television.

Nearly anyone who has ever written anything remotely negative about Apple (or even quoted someone else saying anything remotely negative about Apple) knows the drill: Publish your piece and await the arrows of indignation let fly by outraged Apple blowdiehards. It's usually a short wait.

A journalist named Harris Collingwood knows well this phenomenon, and has authored an interesting piece here explaining how Apple has acquired such fanatical devotion:

The general perception of Apple as an exceptional entity rather than a profit-making enterprise is no accident. Apple's leaders have assiduously cultivated the image of a corporation that is hip, stylish, humane...

This, Collingwood argues, has led to a double-standard:

Despite some hooting and hollering on weblogs, the majority of the business press and the buying public don't seem to object when Apple, say, takes legal action against some of the biggest fans of its products. ... It's as if the entire company has ingested some magical elixir that immunises it against bad publicity.

So what's Apple's secret? According to Collingwood, it "can be boiled down to five simple rules that apply not just to Apple but to other companies as well." They are:

1. Excellence trumps everything
2. Decide on your story, then stick to it
3. Choose your friends well
4. Choose your enemies better
5. Let your allies play bad cop

I know some of the above items seem vague out of context, so I urge you to read Collingwood's entire article, which also includes this all-important caveat: "Of course, your products had better be as good as Apple's too."

Fire away.

I've been trying to keep tabs on the latest methods being used to commit fraud online for my upcoming Webcast on Thursday. This one seems almost far-fetched.

It comes from Fleet Owner, a publication for people in the trucking industry. Now, remember something: the trucking industry has been at the forefront of a lot of technology movements. Admit it, long before you knew what a Blackberry was, UPS drivers were using handheld computers. Electronic manifests cut down on the paperwork for truckers. Telematics are used to monitor truck performance and location.

But these electronic innovations put physical loads at risk the same way that software with holes can put electronic data at risk. And there usually comes a time when your sensitive is shipped via a truck.

At a trucking safety and security seminar in Washington, D.C., Stephen Spoonamore, CEO of data security consulting firm Cybrinth, talked about e-hijacking.

He pointed to the supposed loss of 3.9-million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. "These tapes were not lost — they were stolen," Spoonamore said. "Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves." He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.

This isn't an easy thing to do. Spoonamore said upwards of 15 to 20 people were needed to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest.

Thanks to Bruce Schneier for the link.

In an effort to milk one news item for two blog posts provide readers with more fascinating data, I want to return to the security survey I wrote about earlier today.

The (ISC)² survey of information security professionals confirms what often has been said about the IT jobs market: In the enterprise field, security is a pretty good place to be.

There are 1.4 million information security professionals in the world today, an increase of 9 percent over 2004. That's impressive growth, and IDC expects it to continue, predicting there will be 1.9 million IT security pros worldwide by 2009.

Most of the rest of the study is an advertisement for certification, but demographic charts on company size and revenue make it clear that a large number of IT pros still aren't tuned in to their organization's business.

Only 2.3 percent of respondents were unable to tell IDC how many employees were in their organizations. In other words, almost all of them knew how many people were hooked into the enterprise.

But when asked how much revenue their companies generate, 16.4 percent of respondents said they didn't know. I'd say the IT/Business alignment advocates still have some work to do.

IT professionals long have fought a frustrating, sometimes futile battle to persuade cost-conscious C-level executives to make security a higher priority.

That may be changing, based on a recent survey of more than 4,300 information security pros in more than 80 countries.

According to the second annual Global Information Security Workforce Study, conducted by global analyst firm IDC and sponsored by the International Information Systems Security Certification Consortium (ISC)²:

...ultimate responsibility for information security moved up the management hierarchy, with more respondents (than last year) identifying the board of directors and CEO, or a CISO/CSO, as being accountable for their company's information security.

Specifically, nearly 21 percent of survey respondents said their CEO ultimately is responsible for security, up from 12 percent last year. Those saying the board of directors bears ultimate responsibility for enterprise security neared 6 percent, more than double last year's 2.5 percent.

For IT pros, that's good news. It means more high-level executives are paying attention to security and taking it seriously. IDC says this trend is fueled by the need for effective risk management and IT governance strategies. Sounds about right.

Further, nearly three-quarters of respondents expect "their influence with executives and the board of directors to increase in the coming 12 months." It's a lovefest, I'm telling you.

What happens when a bunch of analysts who once worked for Microsoft make a list of things Microsoft needs to do in the New Year?

Well, most likely, nothing. But that doesn't mean Susan Kuchinskas' piece in InternetNews this week wasn't an interesting read.

The list comes from Directions on Microsoft, where many of the analysts are former Microsoft product managers. It reads like this:

1. Get Vista into the boardroom
   
2. Application security and reliability
   
3. More information about plans for its "managed solutions" hosted software initiative
   
4. Developer tools for Windows Vista
   
5. Extreme Makeover: Online Strategy Edition
   
6. Clarify the solutions line of business, which has been re-named Dymanics
   
7. Turn Microsoft's Dynamic Systems Initiative (DSI) for managing software from vision to reality
   
8. If not roadmaps, then clear policies
   
9. A killer game for XBox so it turns a profit
   
10. Resolve the disconnect between software assurance plans and the actual product release cycles
    

And once you're done with that, Microsoft, track down an XBox 360 for Ballmer's kids.

Given the legal issues that Blackberry developer RIM is fighting these days, Gartner is advising its clients to halt Blackberry deployments until the lawyers can figure it all out.

Here's the short of it: RIM is in a patent dispute with a Virginia firm called NTP.

According to a statement issued by NTP, the ruling allows the company to continue moving forward in the case, including re-confirmation of an injunction that "prohibits RIM from selling, using or importing into the United States infringing BlackBerry hardware and software until the last of the litigated patents expires in 2012."

You can see why Gartner recommends putting the brakes on. While Gartner thinks it's possible the legal issues will be settled within a month, the firm is advising clients to halt all Blackberry deployments until it's settled.

Gartner also wants clients to pressure RIM into making information about a workaround plan publicly available. Up to now, RIM says it has a plan, but hasn't shared.

Finally, Gartner thinks clients can look for alternatives to the Blackberry, with the warning that similar devices may also have legal issues with NTP. A laptop with a wireless card might be the best solution.

So says a GAO study that found that tracking down phishers, scammers, and online swindlers is next to impossible because the WHOIS database is apparently run by that Iraqi Information Minister.

There are roughly 2.31 million Web addresses where no one knows who the owner of the site is or how to contact them.

A November report by the U.S. Government Accountability Office (GAO), published Wednesday, shows 5 percent of all domain names ending in .com, .net and .org have "patently false" data in the fields where contact information is stored, such as e-mail addresses, phone numbers, names and mailing addresses.

You don't say? Last month in a post about marketing, I commended the people behind Lost for the Web site for the show's fictional airline. It's a nice guerilla marketing touch.

Clearly the people behind that idea knew the WHOIS database wasn't an issue, because the site isn't registered to ABC or the producers of the show. It's registered to Oceanic Airlines, an airline that exists solely to be used in fictional television shows and movies (Executive Decision is a movie that used the same airline), at a fictional address in Los Angeles, with telephone numbers that use the 555 exchange used for movies and TV.

Is there no better way to get a handle on this?

It figures that on the day I have a Webcast to do about spyware, which will touch on the different "zones" in Internet Explorer, Microsoft goes and re-defines its zones for version 7.0 of Internet Explorer.

The changes seem to be spurred on by the continuing problems that home Internet users seem to have with security. The Intranet zone on IE 6.0 was leaving home users open for attack, and Microsoft has decided they don't really need it anyway. So it's been done away with. Sort of. Intranet sites will be automatically detected in a corporate setting.

There were also problems with the so-called "Trusted Sites" in IE 6.0.

With the Trusted Sites zone in IE6, we find that many users don't understand how powerful a site becomes when they make it a Trusted Site. For example, a Trusted Site in IE6 can automatically install signed ActiveX controls on the user's machine. As a safety precaution in IE7, we have set the default for the Trusted Sites zone to Medium, the same level as the Internet zone in IE6. Customers who depend on the IE6 level of the Trusted Sites zone will be able lower settings back to IE6 levels with the slider on the "Security" tab of "Internet Options" or through policy settings.

It's been clear to me that IE 6.0 gave too much control to home Internet users who didn't understand how the zones worked. This time, Microsoft wants to err on the side of caution.

There will be a beta version of IE 7.0 that will run on XP available in the first quarter of 2006.

There's a decent article on Microsoft's site about buying a computer for your parents. Since it's that time of year, there's some good advice here for those buying PCs for the not-so-technically inclined. And it's not an outright ad for Microsoft either.

The six steps when buying your parents a computer are:

1. Ask your parent what they would like to do with the computer
   
2. Buy the right system that fits your parent
   
3. Set up their desktop with software that you are familiar with
   
4. Set up the computer system in a good location