Wednesday, August 20, 2008

Leave off the last s for (in)security

Those of us that grew up in the Big Apple remember those obnoxious ads for 1-800-Mattress where the announcer told us to "leave off the last s for savings." The company is still selling bedding and still preying on the general public for its lack of spelling prowess. (They actually purchased the 800 numbers with the misspelled names because so many customers dialed them, but that is a story for another time.)

My point today is about that ending 's' but in another place that might have you losing sleep. I was reminded of their little ditty by an email from a reader who asks if there are many eCommerce sites that still don't use secure Web pages (where they use https: instead of just plain http:) for their shopping carts.

Sadly, they do still exist. I ask you all, if you come across examples, to email them to me and I will add them to my blog post and publicly shun them. It is time we put a stop to this shoddy practice. Come on people, this is the new millennium, we have better things to worry about, and this is not new technology or hard to do. Why, just this week I purchased an SSL certificate – what you need to turn your Web server from http into https – and it took all of about 10 minutes and less than $50. GoDaddy makes it relatively easy to get one and get it set up, and if you don't want to use theirs, there are dozens of others who will take even more of your money for one.

Even Google's Gmail has gotten on board the https cluetrain: last week they turned on a very nice option that forces your browser to open a secure session when you are reading your Gmail account (go to Settings, scroll down to the "browser connection" choice, click the button to "always use https" and then click Save; it is that easy). If you use Gmail, go and do this now and you can thank me later.

Why is this important? Because someone can hijack your browser session and obtain personal information if you leave off the last 's'. This is especially the case when you are using a shared public computer, such as at an airport or library. But it can happen even if you are at work, if your work network has a wireless segment where anyone sitting outside your building can see your traffic, or if someone brought an infected laptop into the office that is recording your sessions.

My correspondent wrote to the eCommerce vendor (in this case, it was the photo printing and sharing site) and asked why they left off the last 's.' This is what he got in a reply:

Please don't worry about the missing padlock; we no longer use HTTPS on our payment page, because web browsers tend to send warning messages about web page security and some users get confused by that. All credit card transactions are going through the secure network and properly encrypted by means of Java Scripting.

Yeah, and some users are still misspelling "mattress" too and dialing the wrong numbers. Steer clear of these Web sites that are trying to make it easier for others to steal your personal information. And don't leave off that last 's' unless you plan on spending some sleepless nights when your identity is compromised.
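As an added example (not from the original post or from any vendor named in it), here is a small Python audit that, given a checkout page's URL and its markup, reports each place the last 's' is missing: the page itself, the form the card number is posted to, and any script the page relies on for its "encryption". The shop URL and HTML below are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _CheckoutParser(HTMLParser):
    """Collect form actions and external script sources from a page."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action posts back to the page's own URL.
            self.form_actions.append(a.get("action") or "")
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])


def audit_checkout_page(page_url, html):
    """Return one finding for every place the last 's' is missing."""
    p = _CheckoutParser()
    p.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(f"page served over HTTP: {page_url}")
    for action in p.form_actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts card data over HTTP: {target}")
    for src in p.script_srcs:
        target = urljoin(page_url, src)
        if urlsplit(target).scheme != "https":
            # Any "encryption" done by a script fetched over plain HTTP can be
            # altered by whoever can see the traffic, so it protects nothing.
            findings.append(f"script loaded over HTTP: {target}")
    return findings


# Constructed sample: a payment page like the one in the vendor's reply,
# relying on a script for "encryption" but served without the last 's'.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """<html><head><script src="/js/cardcrypt.js"></script></head>
<body><form action="/pay" method="post">
<input name="cc"><input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_URL, SAMPLE_HTML):
        print("WARN:", finding)
```

Serving the same markup from an https URL clears all three findings, because the relative form action and script path then resolve to https as well.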

Wednesday, August 13, 2008

Managing contacts

Last week's thoughts about the past ten years of email have got me thinking about how we collect, maintain, and use our digital contacts. And really, when you think about what and how you use email, it is all about staying in touch with people that we have met, and answering and asking their questions.

To do this right, you need a decent contact manager. And over the years I have used dozens of products, starting with a venerable rolodex card file back in the pre-computer days. There was a great and simple program called Dynodex that ran on Macs that I used for many years: it was fast, it didn't take up tons of screen or computer real estate, and it didn't have a lot of fields to mess with. Right now I use Gmail's contact manager, and while it is cumbersome to have all my contacts online, it isn't fatal, even when (as happened earlier this week) Gmail goes down.

I tell you up front that I am not a big fan of Microsoft Outlook. Outlook standalone, without Exchange, is overkill for me, and besides, it ties me too closely to Windows. But there are some people that swear by it (and sometimes swear at it). My sister's company uses Outlook in standalone mode, which is probably the worst choice for any enterprise contact system.

Some people love ACT for keeping track of contacts: I think it is also overkill, and the latest versions have suffered from feature bloat. Really, all I need besides a person's name and email address is a phone number and maybe a short description or job title. I can search through my Gmail archive and see all of my correspondence with that individual, so I don't need to replicate that in ACT. I realize that many people want a lot more out of their contact managers, and that is why ACT and Outlook are so popular.

There are several things that I look for in a contact manager. One is the ability to put a single contact in multiple groups: for example, I could have a client who is a CIO that also is someone that lives in Boston. This person would be in three different contact groups: clients, CIOs, and Bostonians. I have about 50 different groups in Gmail, and one of the reasons I like the service is because I can have this kind of structure – and also for my emails too. Outlook and other desktop emailers only allow messages to be placed in a single "folder." Gmail uses labels, and you can have an almost unlimited number of them, but more importantly, each message can have multiple labels attached. Why is this important? You want to be able to sort through similar collections of people, or find out who on your list meets particular criteria, just to name two actions. Once you start using labels and groups, you wonder how you ever got along without them.

Another test is what happens when the contacts aren't personal, and need to be shared around your enterprise. Then you might want to consider one of several hosted contact management services. I actually wrote something about this for the New York Times last year:

And then there is the issue of what happens when you want to migrate from one contact manager to another, and that is usually hard to do. While most products support some kind of import and export feature, the devil is in the details: for example, Gmail doesn't allow you to export your group memberships of each contact, so you have to re-create that even if you export from one account and import to another Gmail account. Others don't fare well with the free-form text fields: if you have commas or other punctuation inside them, they will mess up the particular contact record.
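As an added illustration of both problems in this paragraph (not code from Gmail or any other product mentioned), here is a Python round trip that exports contacts with their group memberships intact and survives commas and quotes inside free-form fields, next to the naive comma-joined export that loses track of its columns. The contacts and the ";" group separator are constructed for the example.

```python
import csv
import io

# Constructed sample contacts; each can sit in several groups, and the
# free-form title fields deliberately contain commas and quotes.
CONTACTS = [
    {"name": "Ada Example", "email": "ada@example.com", "phone": "555-0100",
     "title": "CIO, Example Corp", "groups": ["clients", "CIOs", "Bostonians"]},
    {"name": 'Bob "Bobby" Sample', "email": "bob@example.net", "phone": "",
     "title": "Editor; writes for us, occasionally", "groups": ["press"]},
]
FIELDS = ["name", "email", "phone", "title", "groups"]
GROUP_SEP = ";"  # assumption: no group name contains ';'


def naive_export(contacts):
    """Join fields with commas and no quoting, as a careless exporter does."""
    return "\n".join(
        ",".join(GROUP_SEP.join(c[f]) if f == "groups" else c[f] for f in FIELDS)
        for c in contacts)


def column_counts(text):
    """Columns a naive importer sees per record (should equal len(FIELDS))."""
    return [len(line.split(",")) for line in text.splitlines()]


def export_contacts(contacts):
    """Quoted CSV: embedded commas and quotes survive, and the group
    memberships travel along as one multi-valued column."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    w.writeheader()
    for c in contacts:
        w.writerow({**c, "groups": GROUP_SEP.join(c["groups"])})
    return buf.getvalue()


def import_contacts(text):
    """Inverse of export_contacts, restoring each contact's groups list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["groups"] = [g for g in row["groups"].split(GROUP_SEP) if g]
        rows.append(row)
    return rows
```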

There are other online services that are somewhat useful for managing contacts, such as Plaxo's Pulse and LinkedIn. Neither works well enough for me to use exclusively, but both are helpful for keeping track of when someone has moved to a new job (or, in the case of LinkedIn, is about to consider such a change). There are also other synchronizing services, such as Glide, but it didn't like to deal with 9,000 addresses and took a while to catch up.

Stepping into this space are the various social networks that try to enumerate all your "friends" but again they are flawed: not everyone you know is a member of one particular social network, and not everyone wants to use the social network as a means to keep up with their business contacts (seeing people's sexual or religious preferences for my business contacts comes under the heading of Too Much Information, for example).

Ideally, I would like one system to use for maintaining my contacts that could also be used as a publishing platform for this newsletter, so you could subscribe to various other editorial products of mine for example, or change the way you hear from me. Most of you like these weekly emails, but not everyone – some people want RSS feeds, for example, which is why I cross post the Web Informant on my Strominator blog too. (I know, brand confusion: I probably should fix this sometime soon.) The social network that understands that will get my immediate attention, for sure.

Thursday, August 7, 2008

Ten years of email

This week Google's Gmail crossed the 7 GB storage threshold – meaning
that anyone can get a mailbox with at least that much storage, and for
free, too. (The size continues to increase slightly each day, wonder
of wonders.) It made me stop and think about how much my email habits
have changed in the past ten years, when Marshall Rose and I sat down
to write a book about Internet emails. Back then, 7 GB was a lot of
room for your mailbox, and I don't think anyone imagined that we would
have it free of charge, either.

Of course, one thing that is very odd is that Gmail has been in beta
like, forever it seems. (We are coming up on close to 5 years.) I
wonder when Google will consider it good enough for a release
candidate? If this had been Microsoft, we would be on v 3.1 or
something by now, for sure. One wag suggested that the real product
name is "Gmail Beta." Har har.

Ten years ago, I was using desktop email software to store my
messages. If memory serves me, I used a succession of products,
including Eudora, Thunderbird, and Lotus Notes. When I had problems
with T-bird corrupting my messages about two and a half years ago, I
switched to Gmail, and have been a pretty happy camper for the most
part. What is interesting is that Google hosts the email for my
domain, again, completely free of charge and with a very capable user
interface as well. I don't need to store my emails on any desktop,
because it lives in the cloud.

So ten years ago, we had the following email programs popular enough
that we included them in our book: Lotus cc:Mail (extinct), Netscape
Messenger (extinct but replaced by Thunderbird you could say), Eudora
Pro (still very much alive, although no longer under the thumb of a
phone handset maker thankfully), Compuserve (not extinct but should
be), AOL (ditto and back then it was on v3), and Microsoft's Outlook
Express (v4 that came with IE v4, and replaced with the Mail app in

Curiously, CS and cc:Mail were proprietary software that didn't start
out using Internet protocols and standards, and had their basis in
local area networks (cc:Mail) and closed online systems (Compuserve).
The ones that are still among us are Internet-savvy. Indeed, you could
say that AOL had one of the first popular gateways to Internet emails
(although MCIMail beat it by several years, it wasn't very popular).
Compuserve was also very popular in its day, despite having email
addresses that only a geek could love, like 73234,5869. Try saying
that string often to your friends.

Back ten years ago, we didn't have Web-based emailers that were worth
much of anything. They had few features, couldn't really interoperate
with all that many browsers, and had lots of other quirks. Outlook's
Web interface was dog slow and required all sorts of tricks to work
across a public Internet connection. We wrote in our book: "Either the
market will enforce adult supervision … whereby IMAP technology is …
standardized or a huge opportunity will open up for Web-based email
readers." Gmail has tried to play both ends here, with its support of
the IMAP protocols as part of its service.

In our book, we introduced the concept of having 100% pure Internet
for your email – having products that faithfully implement Internet
standards natively if possible. And yes, Notes/Domino, Groupwise, and
Exchange are all far from 100% pure, which is why they are in decline.

Back ten years ago, email was still a relatively new concept for
corporate communications. You could still find pockets of people who
weren't accessible via a "dot com" email address, and not that many
people put their email address on their business card. It was rare to
find a corporation that would be diligent about answering their emails
from their customers in a timely fashion. Well, some things don't ever

Back then we didn't have the broadband penetration that we do now, and
certainly not the Wifi penetration that we have now. It is perhaps
harder to resist the urge to check your email because it is so
available. With Blackberries, iPhones, and Internet kiosks everywhere
you don't even need a laptop to stay connected. And the US is even far
behind other countries now, sad to say. Ten years ago we still had
dial up modems that we used to get connected. I haven't touched a
modem in so long that I can't remember when, but it was probably
around ten years ago when I started tossing them and not carrying them
on business trips anymore.

One thing that hasn't changed much in ten years is secure email usage:
almost no one does this, despite some major advances in encryption
ease of use. In our book, we called the state of secure email
standards "a sucking chest wound" saying that no one has a solution
that is multivendor, interoperable, and Internet standards based. That
is mostly true today, although there are some solutions that do a
better job at hiding the certificate management and automatically
decrypt and encrypt message traffic. And several multivendor attempts
in the past decade to standardize on approaches have mostly met with
failure. Still, despite the many well-publicized breaches, secure
email remains out of reach of ordinary humans.

I hope you enjoyed my trip down email memory lane. Certainly, email
has become the glue that binds together so much of our communications.

About Me

David Strom has looked at hundreds of computer products over a more than 20 year career in IT and computer journalism. He was the founding editor-in-chief of Network Computing magazine, and now writes for Baseline, Information Security, Tom's Hardware, and the New York Times.