Tuesday, January 22, 2008

Network security is a lot like tough love

For those of you that are parents, have you ever considered how keeping our networks secure is a lot like trying to provide tough love to our children? When we are raising our kids, knowing when to say no is one of the hardest things we have to do. We also have to let our kids make their own mistakes, and when they do, they have to face the consequences. Finally, blended families through remarriage have their own special issues. (My thanks to my friend Carol for the original idea.)

Now, let’s consider what this means for us as network and IT professionals. Learning how to say no is understanding how to block the wrong kinds of traffic entering our networks, such as malware and viruses. And today’s threats are also coming over Instant Messaging and peer-to-peer connections, so there is that to consider. It is always tough to say no to your kids, and your users, and even harder when your users always want to hear yes when we are saying no, too.

Learning from our users' mistakes is also particularly difficult. We have to review our firewall and access logs and make sure that network exploits haven’t happened on our watch. Part of this is also understanding when we don’t have sufficient resources for this kind of monitoring and being able to make a case to outsource this function so that we can spend our time elsewhere.

Part of tough love parenting is teaching our kids how to face the consequences of their actions, and part of our jobs as networking professionals is showing our management the consequences of their actions too. If our firewalls and other protective gear are outdated, that decision will have certain consequences. If our desktops are more than five years old and haven’t been patched with the latest protection, that will have consequences too. If we have deployed virtualization without careful analysis, that will ripple across the data center when there are problems.

Finally, there are the special issues that blended families and step-children bring to the table, and that has its analogs with how mergers and acquisitions play out in the corporate world. What if my newly acquired subsidiary is running Juniper and I am a Cisco shop? Or if they outsource all their Web servers and I still run them inside my data center? Or if I have been using a smaller vendor that is now bought by HP or Cisco or Oracle, just to name a few companies that have been on buying binges as of late?

How does this translate for our daily interactions with our users? Part of being a great parent is being able to listen to the subtext, and understand what your kids are really saying to you when they ask you questions. The same can be said for our users. I remember one of mine from the middle 1980s who didn't like any of my suggestions for how to use his PC. What he really was telling me is that he wanted to make his own mistakes, and learn from the experience. Of course, he formatted his disk and wiped out his data along the way to learning how not to do that, and I had to hold my tongue.

Another facet of IT-by-parenting is understanding that security-by-obscurity is not going to work. On the Internet, especially today's Facebook-Twitter-always-in-your-face Web 2.0 version, everyone knows your business, and even your personal life too. You need a plan, and you need to protect your networks accordingly.

Yes, being able to provide tough love is, well, tough. If you want to hear more about this, it coincidentally is the topic of a speech that I am giving on Thursday at the Sonicwall sales conference in San Francisco. If you can’t make it, I can bring this talk to your meeting and customize it for your audience, too.

Friday, January 18, 2008

Come see the spyware side at Sears

The news late last year about a community Web site from Sears hasn't been good, and should be a sobering lesson for any would-be eCommerce merchant. Security researchers uncovered issues with the site, MySHCcommunity.com (Sears Holdings Company is what the buried acronym stands for). Users can "optionally" install some very pernicious spyware on their computers that will track their browsing history and purchases.

Harvard B-school professor Ben Edelman's blog describes the installation process in copious detail here.

Sears' documentation for what exact information is being tracked by the software is buried inside a license agreement that few will read, and even fewer will understand if they do. It is also, according to Edelman and others, misleading and potentially illegal. Ever wondered why companies that produce this spyware use different names? It is so consumers can't easily figure out what is being delivered to their PC. The MySHC software goes under different names, such as VoiceFive and TMRG, Inc. yet seems to be similar to ComScore's RelevantKnowledge affiliate marketing software.

So what can we all learn from this debacle?

First, protect your customers' privacy or you won't have any customers to worry about. Australia is just one of many places around the world that is beefing up its privacy laws this year to protect against unintended data collections and breaches. IT managers need to be involved in the creation of new applications that touch customers and vet these things properly. They also need to understand the regulatory and compliance implications of collecting all this customer data, and where this information is stored inside the corporation and how it is shared with any partners or consultants, too.

Second, any corporation should by now have a clearly worded privacy policy that is brief, to the point, and not written in legalese.

Security researcher Benjamin Googins from CA talks about how users will see one of two different privacy policies, depending on whether or not the spyware is installed on their PC by MySHC.

Finally, call a spade a spade. If you are going to conduct research on consumer buying trends, then do so in a way that doesn't monitor their computers: Sony found this out the hard way a few years ago. Since the blogosphere pounced on MySHC, Sears execs have defended the practice, claiming that few users actually go through the process of installing the software. That is a lame excuse, and time for some straight talk and to retool the site and remove the software.

It shouldn't take a Harvard professor and an engineer with a packet analyzer to make Sears come clean about its privacy policies.

Wednesday, January 16, 2008

How to create a viral video

Ever wonder what it takes to create a viral video? As someone who started out in college as a physics major, it is gratifying to see people like Stephen Voltz, Fritz Grob and Walter Lewin become famous, at least on the Internet. These people might not be household names like the Spears clan, but at least they are doing things that I can be proud of.

Voltz and Grob are the guys behind Eepybird.com, the people that combine Mentos with Diet Coke to create geysers of exploding soda and some very entertaining videos. Their videos have been downloaded millions of times and enjoyed by people all over the globe.

Paul Gillin and I got the chance to chat with them this week on our TechPRWarStories.com podcast series. (For those of you that haven't yet subscribed, each week we talk about new media topics that would be of interest to public relations and marketing professionals, as well as interview leading luminaries and interesting people.)

What is fascinating is how quickly the duo became famous: within a week of uploading their first video, they were booked on all the major talk shows (and this is back when these shows had writers so the competition for guests was tough). Voltz and Grob talked about how having excellent video production values isn't quite right for their audience: like so many things on the Internet, Just Good Enough Production is really what counts, and getting across a Just Plain Folks sensibility is really the best path towards more click-throughs. Plus, seeing all that spraying soda helps, too.

You can download the podcast here and hear directly from them about why they do what they do.

Contrary to popular belief, the duo has had plenty of support from the marketing arms of both Mentos and Coca-Cola companies. As you might imagine, they consume a lot of product for their backyard experiments, and they told us that a lot of planning and testing goes into setting up the final shots that you see online – sometimes these three minute videos take months of preparation. They now devote themselves full-time to their experiments, and have gone on the speaking circuit and done them live at various cities, soaking volunteers with soda geysers.

Lewin is an MIT physics professor who is also a download king, but his videos are educational rather than pure entertainment. His videos are the actual lectures that he gives his undergraduates, and are part of the MIT Open Courseware project. MIT has put 1800 of its courses online over the past several years, and now has some of them available in ten different languages including Thai, Chinese and Spanish. If you need to brush up on your intro to physics, you can start with this link here.

It is nice to see all three guys become notorious, and I mean that in only good terms.

Monday, January 14, 2008

Vendors as tech publishers

I have known Sam Whitmore my entire journalism career -- we both were at PC Week (Sam actually was one of its founding editors) in the middle 1980s. Sam runs his own shop called Media Survey, where he interviews tech and business media and tracks trends for PR professionals and others. He asked me to write a series of articles about the evolution of vendors becoming their own tech publishers. They ran on his subscription-only mailing list late last month and are reprinted below with his permission.

As the major tech publishers go through additional layoffs, shut down publications and generally disinvest in their editorial product, the most experienced journalists are going to work as analysts and joining and creating vendor-driven editorial projects.

These projects are not always some custom-published vanity efforts but attempts at real editorial efforts to extend brand awareness and fill the void left by the tech pubs. Microsoft, Cisco, Salesforce.com, and Oracle all try to mimic the level of professionalism and technical authority of the trades. These vendors are all worth taking a closer look at -- but know that you may never see it all: in Cisco's case, at least one former trade editor has been hired to publish content behind a gate exclusively for customers, employees and partners.

"You have greater impact on the industry as a whole when you're writing reviews and working at a major trade publication," says Lori MacVittie, a former Network Computing labs analyst who now works out of her home as a technical marketing manager for F5 Networks. "Now we have a much narrower role working for F5," she says. "And you realize that you are going to have some bias, and try not to say nasty things about the company we work for."

More often than not, the journalists who succeed in vendor-land are the technically savvy ones. Peter Coffee, whom I hired back in the late 1980s at then-PC Week, has been with Salesforce.com for most of 2007 and does a brilliant job blogging and video-posting about Web applications development.

Former InfoWorld marquee columnist Jon Udell has been with Microsoft for about as long, and continues to write about data access and programming issues. Reading their blog posts shows their depth of understanding of arcane issues that aren't your average bedtime reading, even for many seasoned IT professionals.

While at Network Computing, MacVittie and her husband Don often played the role of analysts, because of the high quality of advice they gave to vendors. "When we were at CMP, we used to talk about how much we wanted vendors to open that kimono and show it to us," says Lori. Now that we are at F5, she says, she has a new appreciation for complexity and how difficult it can be to make sense of it all.

The tech pub world is evolving beyond just blogs and podcasts, and likewise, we'll have a hopefully rich mix of vendor-sponsored content from a wide variety of sources. Let's hope that tech PR pros, in concert with their clients, can play an important role in the overall discourse.

Part 2. Why journalists leave their tech publishers.

While some tech journalists have found a new home on the vendor side, others have become reportorial industry analysts. Maybe we should call them "journanalysts." Why do they leave?

Former eWeek lab analyst Henry Baltazar is now with The 451 Group in San Francisco as a storage analyst. He says that "although my audience as analyst is smaller -- since most of the content I produce only goes out to our subscriber base -- our readers (VCs, investment banks, vendors, end users) have influence over the markets I cover." He is also writing in more depth and has more time to cover the companies than he had at eWeek.

China Martens left the IDG News Service this summer to join The 451 Group in Boston. Martens says she has "more influence as an analyst, since the level of engagement is very different. There is a sense that as an analyst you get much greater insights into the 'why' of decision-making, and of course there is more time to engage with people, too. We also don't quote anyone in our reports so there is not the same pressure as in journalism to come up with the killer quote or two."

She also makes the point that The 451 Group keeps her objectivity intact: "I couldn't work anywhere where there were any restrictions in place on what I could say, and fortunately I've still never had to." Unlike some analyst firms like Gartner or Forrester, The 451 Group doesn't take vendor payments for specific research reports.

Deni Connor left Network World this fall. She remains there as a freelancer, writing a twice-weekly storage newsletter. But now Deni works for herself, as principal analyst for Austin, Tex.-based Storage Strategies NOW. "This is something that I wanted to do for a long time," she says. "And really, it is pretty much what I have been doing when I was a journalist, providing technical content to readers." Connor did PR for a networking vendor back in the day when Token Ring was still a viable technology, and ran an internal publication for Novell, too.

It is this background that has encouraged her to put out her own shingle. "I am fortunate that I have marketing experience and know-how, and am comfortable promoting and marketing my own business," says Connor. "Other journalists that don't have this background may find that a limiting factor."

Part 3. What does this all mean for PR professionals trying to get ink – or page views – for their clients?

Well, for one thing, it is going to be harder to keep track of where to pitch stories, and also harder to get these pitches across the transom. You should first hone your skills at tracking the blogging community: use a blog search tool, start posting comments on the more influential ones, and go meet them at the conferences that the bloggers who are working in your market niche attend. In China Martens' case, she has had to find a whole new set of AR contacts: "the analyst relations and public relations folks at the companies I cover are completely different, so it feels almost like I am starting over, establishing fresh relationships with companies that I've tracked for many years."

Second, it is too late now, but the most successful PR types are those that have developed good personal relationships with these editors before they depart CMP, Ziff et al. If you want to pitch the vendor-sponsored editors, make sure you fit into their niche and have something that can complement the overall message and product line that they represent. This means understanding your client's overall partner, channel, and distribution ecosystem and being able to find how your client's news nugget can apply to these third-party players.

For example, a new SharePoint add-in product can be pitched to people writing about collaboration (such as someone like Chris Miller who writes IdoNotes.com), to Microsoft-centric bloggers, and to major ISVs too. You need to cast a wide net, and spend some time tracking this stuff down. Which means now more than ever you need to understand the overall context for that news nugget, too.

Third, if you don't know how to use RSS feeds to keep up to date on what these folks are doing, now is the time to learn. We have put links to the RSS feeds of the journalists that we mentioned on purpose (rather than provide links to ordinary Web URLs), and if you haven't tried an RSS reader, I recommend starting with Bloglines or Google's Reader. To make things easier, you can check out the consolidated links on my Pageflakes page and see what you might find appealing.

About Me

David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.