Tom Dalton :: Doer of Good

Our church has a semi-annual General Conference, broadcast by satellite across the entire world. It's a great opportunity to keep all the various branches and wards of the church in synch with each other. We're all seeing the same talks, the same instruction. The logistics of the broadcast are handled by Bonneville Communications, the church-owned media company that manages many TV and radio stations along with newspapers and other media outlets.

Last night, I was watching part of the broadcast at our local church meeting when suddenly the image disappeared. A blue screen replaced the man who had been speaking and silence replaced the voice we'd been hearing.

"Reception of current program is not authorized."

The message lasted for maybe 30 seconds. Then the broadcast picked back up, and we'd only missed a little bit. But about five minutes later, it happened again.

"Reception of current program is not authorized."

Another 30 seconds of nervous laughter in the audience. And then a few minutes later, the message interrupted our meeting a third time.

"Reception of current program is not authorized."

We missed the conclusion of some important messages. We'll have to wait until the printed version of Conference is mailed out in a few months.

Just another example of false positives in Digital Rights Management.

For checking out which ports are open on a given system, Nmap is a slick, simple little tool. It runs from the command line, so you have to learn the parameters to put in, but the basic run is just:

nmap 38.119.178.86

or whatever target IP address you're looking at.

http://www.insecure.org/nmap/

The windows executable installer includes winpcap which is the magic driver piece that lets you do all sorts of network fun.

Pick a company. Say, Laddernet. They offer to pay Yahoo up to $1.00 for every click on an ad for their website.

Yahoo runs the ad when people search for "electronic ladder system," and sometimes people click on it. Yahoo tells Laddernet, who turns around and writes a check to Yahoo. Everybody's happy.

But now Laddernet wants more clicks at that $1.00 per-click rate. Yahoo doesn't have any more people searching for "electronic ladder system," but they know that some other websites do. So they offer to give the ad to those other websites and split the dollar for every click. Everyone's still happy.

As this system scales, however, we get problems. Slimy Site joins this partner arrangement. They contract with adware providers to drive clicks through Yahoo to Laddernet. The adware providers, of course, don't actually generate meaningful clicks -- they fake it. But Slimy Site has a legitimate-looking site! When Yahoo comes out to check out these clicks, everything looks fine.

What can Yahoo do to prevent these fake clicks from destroying everything they've created?

I don't know. :o)

But I think similar problems have been addressed with credit cards and ATMs. And in one sense, it seems like the solution to this problem will be related to the problem of micro-payments.

Thinking... Thinking...

I love a fun problem.

Appearing on Larry King Live, president of Iran Mahmoud Ahmadinejad protested what he called "horrible mistranslations" of recent comments he made.

The comments in question, from an Associated Press report: "We won't hold talks with anyone about the right of the Iranian nation (to enrich uranium), and no one has the right to retreat, even one iota," Ahmadinejad was quoted as saying by the official Islamic Republic News Agency.

"Our answer to those who are angry about Iran achieving the full nuclear fuel cycle is just one phrase. We say: 'Be angry at us and die of this anger,'" Ahmadinejad said.

According to Ahmadinejad, the blame lies squarely at the feet of junior translator Pakran Abbas. "Abbas is my nephew. I had to give him a job somewhere. His English is choppy, I'll grant that. But this is clearly not what I meant to say! Does that sound like something I'd say? I mean, really. My own wife -- ask her! 'Die of this anger.' Who talks like that?"

Anonymous sources within the Iranian president's cabinet have confirmed Abbas' incompetence, reporting that the nephew was hired under pressure from the president's family.

Ahmadinejad's wife, however, reported that he is given to exactly the kind of comments reported in the news. "Just last week, I asked him to fix the refrigerator. He refused. I insisted we needed it fixed. You know what he said? 'I will not retreat, even one iota. Be angry at me and die of this anger.' And blaming poor Pakran for it. Despicable."

Abbas has left the country and is taking refuge in an undisclosed location.

It's the Next Cool Thing, of course. Google used it for Google Maps and suddenly everybody wants to use it. Asynchronous Javascript and XML -- man, it's a cool name and it uses nested acronyms! You almost can't get any cooler than that.

And Google Maps is cool. The technology allows you to do some really neat stuff. But when I see people jumping wholesale into AJAX development for its own sake, I have to shake my head and wonder why we don't consider the tradeoffs more carefully first.

One of my friends just told me that he developed a login script in AJAX. "It doesn't even refresh the page!"

But where's the problem in a login script refreshing a page? We've created no advantage through this new technology. And we've introduced another technical requirement -- where anybody could login before, now users must have Javascript enabled.

I told him this and he readily agreed, of course. He was just testing the technology to play around. But it's that sort of mindset that seems to pervade all new technology -- let's use it because it's cool!

Google Maps was cool not because it uses AJAX, but because it uses technology to provide a really slick, intuitive interface in an application that requires a lot of interaction.

Flash, XML, AJAX, Javascript, Java... So much cool stuff that gets misused so badly. Developers create nonstandard user interfaces that are not as intuitive or slick as Google Maps. Users are left behind when they don't know how to install the latest plugins. Corporate firewalls disable otherwise useful sites. Net benefit = -5.

Let's never use technology because it's cool. Let's use it if it fills a specific need, or provides a benefit that outweighs the tradeoff.

ps > That said, AJAX is way cool! And remind me to post about reverse proxies and the astonishingly clever use of them I ran across last week... It's a secret, but I can talk about it in generalish terms. It's so cool it makes me feel all tingly inside. :o) (Which is a good measure of how geeky I am.)

UPDATED BELOW!

So, the grand question of the day: how can I track how many people actually view our entire Flash presentations?

We've just uploaded a handful of new movies. They're built in Flash, based on some Powerpoint presentations we wrote. We used a tool called Pointecast to convert them -- I haven't used the tool myself, but it looks pretty good.

And of course, we want to know if they're doing any good. The final page of each movie has links to three differents "actions" -- our email form, and two other pages. We can track each of those actions, but we want to know how many people get to the end of the presentation at all.

In a more general sense, integrating tracking with Flash is often an important issue.

I can think of three different ways to do this:

1. Automatically redirect the presentation to a separate HTML page for the "call to action" final slide, and put Omniture code on that final page (easiest, but I don't know if Pointecast will let us do it, but maybe we could find another way to make it work even if there's no built-in feature for it)

2. Integrate external Javascript calls into the Flash itself (elegant, if it works -- and then we could track movement through the whole movie -- but I think it's unlikely we'll get this to work with Pointecast)

3. Break the whole thing into separate HTML pages (this will definitely work, but it's clunky and I'd only do it as a last, last resort)

So we're going to try for #1. You'll probably be able to tell what worked by checking out the movies at 10xmarketing.com.

UPDATE

Here's the strategy we ended up implementing:

1. Each flash movie went on its own html page, which was coded with a Campaign variable that corresponded to the movie.

2. Each movie ended with an automatic redirect to the "thanks and take action" page, which was coded with a commerce event.

This allows us to use all the commerce reports, with fallout and campaign effectiveness and so forth. The Best Solution Ever.

We don't get all the internal detail that actionscript on every page might have given us, but there was no way to implement that through the flash generator we were using, and we really didn't need all that extra info. (Though I still hope to learn enough actionscript soon that I could do that if I ever have an especial need to in the future.)

This solution should be pretty generalizable to anyone else looking to do the same thing. Let me know if it works for you!

Writing up a final paper for my Media Management class, I found myself getting interested in the practical aspects of competitive intelligence (CI) for SEO.

I found a page that outlines some interesting "black hat" SEO tactics, with a smattering of other, underhanded ideas:

http://www.seobook.com/archives/000964.shtml

Mostly, I'm just writing this post to bookmark that page for my future reading-and-thinking. Right now, I must run to class and turn in my paper. :o)

My strength is to lift the burden of others,
My health to help the sick,
My mind to solve the problems of all,
My soul to serve my God.

- Book of the Inalen
Chapter Four, Verses 5-8

This year, I've been working part-time so I could pursue a master's degree at BYU. An expensive decision, in the short-term, but if I get nothing else out of it, I think the new perspective I have gained on management is worth it. And what is that new perspective, you ask?

Management may not be the unmitigated evil I had previously assumed it to be.

Old Attitude:

Management is, at best, a necessary evil -- keeping the forces of darkness and politics from disrupting all the actual work done by the non-management who keep the company running. Most often, however, it is a bunch of people who don't know what is going on making decisions that don't help anything and then taking the credit for things that go right despite their best efforts. Being in management, by definition, means not contributing anything meaningful to the company and turning almost immediately into bloat and overhead that could be cut from the company without hurting anything at all, and probably actually helping increase profitability tremendously because of the typically inflated salaries associated with Management.

New Attitude:

Management is still probably most often what I've outlined above. But there is a better best case than what I thought before. That better best case involves two things:

1. Managers can help prioritize and make good, long-term decisions as representatives of the other interests and activities of the company

A heads-down, productive worker can do a tremendous amount of good. They are the lifeblood of the company. But the very nature of heads-down-ness is that these workers can't see what everyone else is doing. It's hard to really see how their work fits into the overall plan and direction of the company. (If the company has one, that is, which is another issue altogether.)

In a good company -- that is, one that is more than just a collection of good people, though that collection is an essential part of it -- managers can help workers do more important work better. I have witnessed a transformation as the Research and Development team (which I was ineptly managing previously) has been held accountable for weekly goals and priorities. Without even understanding every activity, our President has helped the team do better work and make everyone else in the company much happier, just by holding a weekly meeting where everyone has to report on what they've done and what they'll have done by next week.

2. Managers can train and create

This is the issue I struggled with even more than the first. Because even if they are effective motivators, all that is doing is getting other people to do the work for you. Deep down inside me, I loathe the attitude of getting others to do the "heavy lifting." Maybe it stems from childhood, and always being the "smart kid" in the group, I dunno. (No time for psychoanalysis!)

But managers can contribute real, significant value on their own, when they have actual expertise in the area they are supposed to be managing. Training people how to do things is possibly the most valuable activity a manager can perform.

Look at it as a choice: I can spend all my time learning and doing things myself, making myself a better and more-productive employee until I'm so great I just glow everywhere I go and everything I touch turns into gold. (Yes, a bit of deliberate sarcasm there. I fully appreciate the enormity of my own arrogance.) Or I can balance my time learning and doing with time training and helping others to do more, better.

Maybe I could phrase it as "if you don't teach anyone to fish, you'll not be able to feed the whole village no matter how good a fisherman you are."

I guess it involves a shift of my own goals. I have always wanted to be the best worker I could. The best employee, the best affiliate program manager, SEO specialist, program developer, marketing analyst, CRE improver, whatever. I thought (and for a time was right to think) that the best thing for the company was for me to develop myself as much as possible. ("Be the best fisherman." It's really a selfish kind of way to look at things.)

But I see that a more important goal for me now is to have our company become the best affiliate program company. The best SEO company. The best CRE company. ("Feed the whole village.") And just making myself the best doer of any of those specific things isn't the best way to accomplish that.

The only way we can really excel at each of those areas is for our employees to become the best at it. That involves a combination of processes and understanding on the part of each employee. And the way to do that is for me to develop good processes, train people, and encourage everyone to see and work towards the real goal.

So What?

So, I need to get over my knee-jerk tendency to do everything myself. That's been my default response for so long, just recognizing that I need to change isn't enough. But being part-time this year forces me to acknowledge that I can't do everything myself. That helps.

I suppose ultimately, the best way to encourage me to do the right thing is to make me responsible for and accountable for the performance of whatever groups and tasks I want to help improve. That starts to sound a lot like management.

Hmm.

I probably shouldn't be so obsessive about searching for my own name on search engines. But, see? Sometimes I get great results, like this ad for me. "Buy tom, just $4!" And no minimum fees.

What a deal!

Security through obscurity is not Good Security. I know.

Anybody who knows anything about security knows that the worst possible kind of security is secrecy. "I'll hide my million dollars under the mattress!" Or in the Internet world, "I'll post these sensitive files without any links to them!"

You should have good access control and authentication. But obscurity can be an incredibly significant next step in securing a system.

Why?

Because obscurity buys you time and makes you less "low hanging fruit." Vulnerabilities are discovered every day. Popular systems, even the secure ones, have routine security updates. It's important to stay on top of them, but organizations make mistakes. Admins go on vacation. Updates aren't always applied as soon as they are available.

On the Internet, hackers can use Google to find every single instance of a system. When a new vulnerability is discovered, a hacker can find every site using the affected system and run an automated attack against all of them. The five percent that haven't gotten around to installing the latest update yet are all hit.

But if you've taken the step of obscuring your system, you won't show up when the hacker scans. If your site says "powered by phpBB version 1.02.3b" -- you've got a flag that will catch the attention of anyone looking. If you've removed that tag, you're invisible to the kind of scanning that would alert zero-day hackers.

Depending on the system you're using, there will be more flags like that. Description tags, certain styles in the CSS, javascript function names, whatever.

Take the time to look for those and make sure you're not going to be the first victim next time a system you're using is updated.

It's not "good security," but it's a good idea.

Due to more-intense-than-usual content in the following post, reader discretion is advised.

One night early in April, a man went to the Orem public library, signed on to their public computers, and went to a forum for ravers and other party-types. There he posted a two-part message:

"I cant do this anymore. I just wanted to let anyone out there know that it wasnt their fault. This was my choice and I hope you forgive me for what I'm about to do.

Im sorry."

And a bit later, "I dont care. I already took all my meds. Its just a matter of time. Im sorry..."

Aside from the supreme creepiness of the whole thing (which struck me especially hard when I found the archived post and read it for the first time in its original context), the interesting part is what followed:

Users on the board began discussing whether the message was real or not. (Real in the sense of conveying a real intent to commit suicide.) Since that particular message board software logs the IP address associated with all comments, someone was able to do a reverse-lookup on the IP address of the guy and find out that he was posting from the Orem, Utah Public Library.

Another user called the local police and told them what was going on and that the guy who'd posted the messages was also likely a heroin addict. The police went to the library and obtained the access log for the computer. They narrowed it down to four possible library users and a quick check of police records showed that one of those four had a prior arrest for heroin use.

Police went to the address in their records and found a man on the brink of death, overdosed and fading on his couch. His life was saved.

==================
Some thoughts.

1. It's great that the community around this guy was able to help him.

2. The Internet and the comunity where this guy chose to announce his suicide were not enough to help this guy not want to commit suicide in the first place.

3. You should forge an envelope or whatever other "authentication" the library wants you to use to get a library card and use anonymous relaying proxies when you use the Internet, if you don't want people to be able to track you down in a matter of hours.

I know, point #3 is horrible. But, c'mon. People need to understand that the Internet is not a magical fairy land -- it is part of the real world and what happens there is just as IRL as anything we do out here. Bad and good.

(This post was spurred by a report in the Deseret News. I don't frequent raver forums!)