A Lesson From the Underground

By | November 23, 2011

Security is as much about giving people information as it is about building security systems. That’s the message from the managing director of the London Underground, Tim O’Toole, but it could as easily apply to personal computer security. Don Phillips’ piece in today’s International Herald Tribune could offer useful lessons to software developers and anyone trying to keep trojans, viruses and spyware at bay:

Tim O’Toole, the managing director of the London Underground, who said a terrorist attack last summer was the greatest Underground crisis since the Nazi blitz of World War II, was telling U.S. transit and rail officials they should avoid the temptation to spend lavishly on new security systems just to reassure the riding public.

Instead, he said, spend first on human resources, including constant training and a system to lavish fresh information continually on every employee in the system during a crisis, even if there is a chance some information could fall into the wrong hands.

O’Toole’s message may not have gone down very well since, “outside the hall where he spoke were many exhibits of expensive new equipment to battle terrorism on transit and rail systems.” One could imagine the same thing happening at a computer security conference. But here, I think, a difference emerges. What I think firewall and antivirus vendors need to think about is this: giving timely, useful and intelligible information to users so they can make good decisions. It’s not about locking everything out, because that’s clearly impossible.

Neither is it about ‘educating the user’. Vendors usually complain that they try to do this but fail, so go the other way — software that does everything silently, behind the scenes, and automatically, with an interface that gives only the barest information or choice to the user. Neither option — education or invisibility — works. Instead, the secret is like the Underground lesson: let people know what’s happening in the context of the situation and threat.

Back to Don’s piece:

O’Toole said the greatest mistake the London Underground had made after the bomb attacks of July 7 was its “poor performance” in keeping employees fully informed of everything that was happening even if that information is sensitive and could not be released to the public right away. In an information vacuum, employees may grow suspicious of authorities just at the time they need to be full members of a crisis team, he said. Management did a “poor job” of information flow during last summer’s attacks, he said. In the future, “We will be pumping everything we know out internally. Some of it may get out, but that’s O.K.”

There’s a clear parallel, in my mind, to Internet threats. Don’t hide knowledge about newly discovered vulnerabilities — newly found holes in existing software that might let bad guys in, if they knew about them — until a fix is found. It’s clear that attacks happen too quickly for antivirus vendors and software developers to be able to cover all contingencies, so better to inform customers and let them assess the risk. The trick is, how to do this?

I would suggest the following guidelines:

  • Most people now have firewalls installed on their desktop computers. These programs — or anti-virus programs, or antispyware programs, or combinations thereof — could become a sort of signalling service giving timely information to the user. For example, the current Kama Sutra worm, Nyxem.E or Grew.A, could be flagged with a small pop-up message informing the user of the danger and offering suggestions.
  • Make the information relevant to the situation. How do I know whether the new updates to my firewall keep me safe from the WinAmp bug identified by Secunia? If something big is happening, letting people know quickly might be more worthwhile than feverishly working on an update which doesn’t reach the user in time. Worst case scenario, the user can just unplug their computer for the rest of the day. Let them make that decision, but give them the information first.
  • The text of such alerts or advisories has got to be useful and clear. ZoneAlarm and other vendors often leave their messages too vague to be meaningful for us ordinary folk, scaring us out of our wits the first few times and then, gradually, just like the wolf crying scenario, we get blasé.

Sadly we’ve become accustomed to ignoring messages we don’t understand. This needs to change. Just like in the ordinary world, we’ve become both numb and constantly terrorized at the same time because of poor or insufficient information. We need to learn lessons about security from other fields. I don’t recommend bombarding users with alerts, but if they are used sparingly, judiciously and with good solid guidance contained inside, I think they are the best way to keep the user in the loop.

Lame Pixel Ads

By | November 23, 2011

This whole pixel ad thing is getting lame pretty quickly. Pixel ads, for those who haven’t been following, are web pages where each pixel of the screen is sold as ad space. It worked well for UK student Alex Tew, who made $1 million from his aptly named MillionDollarHomepage.com. As with all things involving money, people quickly saw a quick buck. The only problem is: Tew didn’t make his money because he sold pixel space, he made money because of the buzz he created about his new idea.

This hasn’t stopped folks. Google Pixel ads and you get 8 sponsored ads and nearly 900,000 hits, including BuckAPixel.com, MillionPixelClick.com and ChistrianPixelAds.com. Here’s the latest “twist”: Mosaicpixelads.com, which claims to have an edge by creating a, er, work of art from all the pixels it sells. “We took the original pixel ads concept and made it in to a mosaic art form, in the process creating the first internet work of art,” co-site creator Martin Westwood says in a press release. The idea is that the resulting pixel picture will be a mosaic, according to the FAQ.

Lame, lame, lame. The original worked because it was, well, original. People wanted to go visit the page because it was a new idea. The rest will just die slowly, and, hopefully, quietly. BuckAPixel, for example, which tops the Google hits, has had 25 visitors today and has so far sold 11,300 out of 1 million pixels. You do the math. It’ll be interesting to see just how short a lifespan these kinds of ideas have. It’s because they’re novelties. Repeat after me: Novelty does not a good business model make.

My Favorite Email Program Is Now Free

By | November 23, 2011

The email program I have been using for the past seven years is now free (for the moment): Courier Email from Rose City Software.

Special Offer: For a limited time, Courier Email can be registered for FREE for unlimited use. Your free registration for Version 3.5 will never expire.

This registration won’t expire, but they’re working on version 4 (in fact they’re looking for a C++ programmer to help them finish it).

Courier used to be Calypso and I still think it’s the best email program around. Of course I’m biased, since I’ve been using it so long, but it has too many useful features for me to walk away from it. Check it out.

Directory Of Clipping Savers

By | November 23, 2011

Update Nov 7 2006: A new kid on the block for Firefox 2.0 users: Zotero. (Thanks, Charles)

I recently wrote in WSJ.com (subscription required) about how to save snippets of information while you’re browsing. I didn’t have space to mention all the options I — or readers — came across, so here’s the beginnings of a list. Please feel free to let me know about more: The basic criterion is that the service lets the user easily capture material they’ve found on the Internet (for stuff that’s more socially oriented, check out my Directory of Social Annotation Tools).

  • Zotero. It not only does a great job of storing globs of web pages or the whole thing but it has an academic bent too, allowing you to store bibliographic information too.
  • ContentSaver: is both a browser add-in and an Office-style application at the same time: With the additional toolbar and the extended shortcut menus in the browser, you can easily gather material during your Internet research. 35 EUR (Thanks, Ganesh)
  • eSnips: Save real web content not just links: relevant paragraphs and images you find on any web site….oh yes, and links too. 1GB free
  • wists.com: The idea is to bridge the gap between blogging and bookmarking. It aims to make simple list blogging as easy as bookmarking and make bookmarking take advantages of weblog publishing, with automatic thumbnail image creation etc. (David Galbraith)
  • Net Snippets: The friendly, intuitive way to maximize the effective use of information from the Internet and online research
  • Jeteye: enables users to create, send, view and share any type of online content, add notes and annotations and save it all in user organized Jetpaks™ through an easy drag and drop interface.
  • Google Notebook: makes web research of all kinds – from planning a vacation to researching a school paper to buying a car – easier and more efficient by enabling you to clip and gather information even while you’re browsing the web.
  • ClipMate: ClipMate saves time and makes you more productive by adding clipboard functions that the Windows clipboard leaves out – starting with the ability to hold thousands of “clips”, instead of just one. ($35)
  • Clipmarks: Clip and tag anything on the web
  • Onfolio: a PC application for collection, organizing and sharing information you find online. ($30 to $150)
  • EverNote: Quickly create, organize and find any type of notes on an endless, digital roll of paper. (from free to $35)
  • ScrapBook: a Firefox extension which helps you to save Web pages and easily manage collections. Key features are lightness, speed, accuracy and multi-language support.
  • Omea Reader: Free and easy to use RSS reader, NNTP news reader, and web bookmark manager. It’s fast, it aggregates, and it keeps you organized.

My personal favorites? I love ScrapBook because it lets me save stuff in folders on my own computer. Clipmarks is great for online stuff, and the tagging/folder mix is powerful. EverNote has its moments but for all its interface ingenuity, it’s not easy to organise stuff.

An Opera whinge:

Some readers have pointed to Opera’s ‘Notes’ (Flash Demo) function which is neat, but doesn’t do as much as ScrapBook (there’s also a Firefox extension called QuickNote which performs more or less the same tricks as the Opera Notes). And besides, I’m still mad at Opera for not supporting drag and drop. What is it with them? (Sad to say that, because I think Opera have been great in improving interface design. But I think they’ve dropped the ball.) Back in February 2003 I was wowed (WSJ.com link; subscription only, I’m afraid). I wrote:

Just when I thought software had become as innovative as a bacon sandwich, something came along to prove me wrong. There is software out there that is innovative and that actually makes things easier. It’s a Web browser made by a Norwegian company called Opera Software ASA and its latest incarnation, released last month, is a real gem.

Of course, that was before Firefox came along and stole my heart.

Podcast: The Joy of Monitors

By | November 23, 2011

The joy of having more than one screen, and controlling other computers from one keyboard. It’s less nerdy than it sounds. This is the podcast version of my BBC World Service column, which runs on the World Business Report. Download it and/or subscribe to the podcast feed here. For more on extra monitors, check out my resource page here.

(This link should work. Thanks Syd, for pointing out the error.)