Imaginary Landscape Buzz

A study in patience and rudeness: my wait in line at Kinko's

2008-11-06T16:20:00.000-08:00

I had to go to Kinko's yesterday to pick up a banner. As I walked in to the store, I saw a number of customers congealed at the service desk, forming a line. Now, Kinko's isn't exactly the counter at McDonald's, so I knew I was in for a wait. I was 6th in line and just needed to pick up my banner and pay for it - a two minute transaction at best.

This Kinko's is open 24 hours but when I got there at around 6pm it was poorly staffed. There were only two employees working the service desk, which is divided into three segments - Shipping, Banners and Customer Service. However, there was only one line.

I was momentarily tempted to blow right up to the areas marked "Banners" but that would have been pretty rude to the others in line. So I hunkered in.

Shortly after I began my 30-minute wait in line, a woman came in and walked right up to the empty Banners counter and waited. In solidarity with my other line standers, I glared at her, hoping to convey the inappropriateness of her actions without actually saying anything. Passive-aggressive seemed to be the right call, given the context.

She felt the eyes and, feigning surprise, meekly asked if we represented some sort of line. We all nodded in unison and she fell in behind me.

For the balance of the wait, I was subject to an unending series of forced sighs, under-breath comments about slow staff and somewhat dramatic proclamations about only needing a single copy made.

As I progressed slowly towards the front of the line, I noticed that she was getting closer and closer to me, ultimately ending up beside me as I achieved next-in-line status. However, I was too engrossed in a Solitaire game to give it much attention.

Then, finally, an assistant manager came out of no where and said, "Next." Instantaneously, before I could fully register the sequence of events, she said "Me" and walked up to the counter to transact.

I was somewhat taken aback at this brazen action. As I quickly sorted through my limited options, the idea of "Hey lady, I'm next" seemed unattractive. If she had stones enough to blow by me in line perhaps she would dig in, leaving the assistant manager as arbiter. So I took the high road and let it slip by.

Rude people suck.

A thought about awards

2008-10-28T12:32:00.000-07:00

It's award season again and, like many firms, we have some more hardware to add to our faux mantle. This time it is a WebAward for the National Cervical Cancer Public Awareness Campaign Web site.

In all honesty and with minimal bias, it is a very nice site with a great mission and deserving of recognition. We are happy for them (and us) for the award.

Our policy about fetching awards is minimalist. I believe it is important to have some accolades adorning a wall, but I don't much care for the buy-yourself-an-award cottage industry that will provide you a nice statuette, provided your check clears. So we enter competitions carefully.

Even for the credible award competitions, we face a difficult challenge. Much of the work we perform is behind the curtain, where the heavy lifting of Web technology occurs. Pretty much all Web awards competitions are skin-deep. For most, a site that isn't 100% Flash has little chance of an award, regardless of how well it performs transactionally.

When we do receive an award, it is a chance for celebration. We make an internal announcement, embarrass (in a fun way) those who were involved in the project and order some extra hardware for the client. It's always nice to be recognized.

And so, we add another accolade to our "Love Me" wall - the wall clients and prospective clients walk by on their way from the reception area to the conference room. It's fun to follow them and watch. Most times they can't help but sneak a peek as they pass.

Beer goggles? Gmail to the rescue

2008-10-09T14:27:00.000-07:00

Google Labs just released Mail Goggles, a special feature to give you pause before you drunkenly send a late night email you'll undoubtedly regret in the morning.

According to the Official Gmail Blog post:

When you enable Mail Goggles, it will check that you're really sure you want to send that late night Friday email. And what better way to check than by making you solve a few simple math problems after you click send to verify you're in the right state of mind?

The feature is only active during late nights and weekends.

Brilliant.

Who has the power?

2008-09-24T13:57:00.001-07:00

I attended a recent conference hosted by the Association of Professional Design Firms, the title of which was “Win Without Pitching.” Its base premise is this: if you control the relationship, your need to “pitch” or respond to RFPs will be greatly reduced. It was an intriguing two days that revealed much about our current approach to new business as well as existing clients.

Stop being a waiter and start being a surgeon

Everyone likes good waiters. They respond to every beck and call with a great deal of deference. There is no question who has the power in the waiter-customer relationship.

As a sales organization we tend to be waiters – wanting to please our prospects, do what they say, when they say. Fetch more water.

On the other end of the spectrum are surgeons. Most people don’t like surgeons. The stereotype tells us they are arrogant, self-absorbed, unfriendly with a terrible bed-side manner. But, and here is the catch, I don’t hire a surgeon for her bedside manner, I hire her because she is expert at what she does.

Can you imagine sending out an RFP for brain surgery? Can you imagine a waiting room full of surgeons with PowerPoint presentations patiently awaiting their chance to pitch their services to you? The image itself is funny.

We have our own form of expertise. Developing a Web site well is technically challenging. Knowing and understanding the quirky nature of Web site visitors is specialized knowledge. Balancing the Web experience against the growing number of devices used to access Web sites is difficult. Designing a relational database at the third normal form is critical. The list goes on and on, yet we often sit patiently in the waiting room, armed with our PPTs.

Taking control

The Win Without Pitching conference was all about taking and retaining control by exercising your status as an expert. I will again use the surgeon analogy. A surgeon doesn’t cold call you, you seek him out. He begins by performing diagnostics, both subjective (tell me where it hurts) and objective (ordering an MRI). He researches your case and prescribes an expert course of treatment. He’s very busy, but may be able to schedule your operation in three months. He is a consummate expert in complete control.

I have no doubt as to our expertise in our chosen field. We are the surgeons. But, that expertise has often taken a back seat to a prospect-is-always-right approach. We do whatever we can to win the business, without a critical eye towards whether we can do our best work. We jump at RFPs even though they are poorly conceived, happy to follow the maze for a chance at the cheese.

But, interestingly enough, it turns out that we are much better at being experts than we are at being waiters. Our best, happiest and most productive clients did not start with an RFP for a laundry list of pre-determined features and functions. They started with a simple request. This is our problem. Help us solve it.

To us, there is nothing more powerful.

It's new, it's shiny and it's Chrome

2008-09-02T12:30:00.000-07:00

Just when we thought upstart Firefox would (and has to a certain degree) knock Internet Explorer off it's throne, here comes Chrome.

Today is the launch of Google's shiny new browser. And it is a big deal.

Microsoft still holds 73 percent of the browser market, according to Net Applications, a research firm. The market share for Firefox has climbed to 19 percent, while Apple’s Safari has 6 percent, according to the NY Times.

Prompting the company to launch early was the leak of an online comic book. It seems that Google created a comic book to explain the new browser and its features. The comic approach is novel and interesting, however no amount of illustration will make captions like this intelligible to the mainstream:

"When you interpret once and compile machine code, than that code is your representation of the JavaScript source code and it doesn't need to be interpreted, it just runs."

Google geek speak at its best. But, the accompanying race car illustration helps bring it home for me.

Chrome is available for beta download from Google.

Conference presentations a bittersweet honor

2008-08-12T15:22:00.000-07:00

Every once in awhile, as part of our overall marketing plan, we try to present at select conferences. One upcoming conference - the Healthcare Internet Conference - aligns well with our hospital practice and is a good choice.

In its twelfth year, this conference has grown to be a large event for those interesting in building and maintaining hospital Web sites (and those interested in marketing to them).

One goal for presenting at this conference is to raise the awareness of Imaginary Landscape to those seeking Web development services. Presenting versus boothing imbues a higher sense of credibility and expertise. This leads to our main goal which is to sell more products and services to more hospitals.

The organizers want to fill the sessions will high ranking staff from prestigious hospitals, not vendors. But, in many instances, the hospital's vendor is the driving force behind the presentation for the reasons stated above. So vendors provide much of the sweat and the drive to create the presentations in exchange for co-presenter billing.

For this year's Call for Speakers, I had two good topics I wanted to float. One each in conjunction with our clients OSF HealthCare and Advocate Health Care, two large health systems. Each client was game to give it a try so I submitted two applications, figuring it would increase my chances of having at least one selected.

A couple weeks later, I get the call. The conference organizers really like the presentations and want them both. Great, I think to myself - both truthfully and ironically. Truthfully, because I'm honored that they want both presentations. Ironically because I now have a lot of work to do.

Then came the zinger.

To avoid the appearance of favoritism this conference has a rule - albeit unwritten - that vendors can only present once. And although I am free (and encouraged) to put together both presentations, I am only allowed to co-present one. The other one I can neither co-present nor receive any official credit.

Against my protestations, they stood firm. Regardless of how well conceived the sessions were, the appearance of vendor bias would result in cries of favoritism by other vendors, something the conference organizers were unwilling to field.

And so I had to pick.

I remain jaded by the experience, my sense of fair play bruised. But we are a small firm and presenting at this conference trumps any feelings of poor officiating. So I will do my part in preparing both presentations. One I'll present and the other I'll sit silent, quietly rooting my team.

In the end it is their conference and consequently, their rules. Nothing I can do about it, if I want to participate.

And at least they had the decency to not schedule them concurrently.

Form security, under the hood

2008-08-05T08:31:00.000-07:00

I recently wrote a feature article for eHealthcare Strategy & Trends magazine entitled, "How secure are your Web-based forms?" The article explored what happens after you press the submit button.

It turns out that lots of things can happen - many of them bad.

To clarify, "bad" is the wrong word. "Potential security weaknesses" is a better description. Once the information is whisked away it can be - and probably is - transmitted and stored in clear text.

To be fair, form security is not always needed. Take, for example, our Web site. Probably not a lot of sensitive or private information you'll be entering on a Web development firm contact form.

But what about health sites, or banking sites, or ecommerce sites? In the context of these three types of sites, form security becomes quite important. It is these three reasons why we've been providing a continuum of form security which includes submission, notification and storage.

Submission is easy. It is handled by the ubiquitous SSL certificate. This encrypts information between the submitter and the Web site server. Cheap and reliable.

Notification (by which I mean how you learn a submission has been received on your site) gets a little trickier. The easiest way is for the Web server to dump the entirety of the form information into an email and send it to a staff member. This causes the form information to be sent in plain text, possibly touching several mail serving computers along the way. Then it arrives in someone's inbox and is stored in the mailbox of that user for who knows how long. All the time in plain text and visible to a host of machines and individuals.

A better way would be to simply notify of a form submission and provide a link back to the Web server to view it. That requires a login and password to view and, because you're viewing through the Web, it can be secured with that cheap and reliable SSL certificate.

To provide that notification, you need to store the form information in a database on the Web server. By default, database information is stored in clear text. As the final aspect of form security, we encrypt sensitive fields. This prevents someone from viewing these fields in the unlikely event that the database itself is compromised.

On Web sites, content has long been king. With Web forms, context is the real king. Every form must be examined for the possibility of drawing out sensitive information. This is true for something as innocuous as a general contact form. If that contact form is on a hospital or bank Web site, it may draw sensitive information from users - even if they are cautioned against providing it.

The music industry, once again, goes crazy

2008-07-22T08:21:00.000-07:00

It's 30-seconds long. It's blurry. It's a toddler having a great time and dancing to music. The music is garbled, distorted and barely recognizable.

It's a YouTube video at the center of a huge fight. The background music is Prince's "Let's Go Crazy" and Universal Music sent out a letter requesting that the toddler's mom Stephanie Lenz remove the video because it violated copyright.

Lenz, with apparently has a ton of free time on her hands, has made this into a crusade with the help of the Electronic Frontier Foundation. She filed suit. Universal Music defended itself. The suit was dismissed. She amended the complaint. Again to the court. A second dismissal motion is currently under consideration.

But for now, the video remains available on YouTube. Take a look - while you can - and see how crazy this fight is.

Colbert Bump a scientific reality

2008-07-15T09:45:00.000-07:00

Stephen Colbert is pretty funny and I enjoy his show for what it is - comedy. So imagine my surprise when I read that - among his overarching claims of self-importance - there is scientific truth to the phenomenon, "The Colbert Bump."

In fact, there is more than one scientific-ish study to indicate the reality of the Bump. Each one has pretty graphs to prove their scientific-ness.

One is from Mozilla. On his show, Steven Colbert made mention of the download frenzy of Firefox 3. Within two minutes of the mention, there it was - in all its graphical glory - the Bump.

Just in case you remain skeptical (aka, liberal), then I shall point you to Political Science Professor James Fowler from the University of California San Diego. Professor Fowler just published the article, "The Colbert Bump in Campaign Donations: More Truthful than Truthy" in the journal PS: Political Science & Politics. It too has spiffy graphical evidence of the Bump.

So there it is, Nation. Scientific proof.

Loss of T1 allows vendors to shine

2008-07-08T07:27:00.000-07:00

Last week our office T1 stopped working. For a Web company, the loss of our connectivity is a body blow.

It turns out that a new tenant is moving into our building, replacing an auto body shop. This new tenant is a microbrewery, so its arrival is quite popular with staff. I know I'll be happy to replace the too-often smell of fiberglass resin and exhaust with whatever odors result from the beer making process. I mention this because within that space is the main phone "nest" that powers the building and our T1.

As part of the tenant transition process, the landlord had to clean up 8+ years of auto body crud, which involved power washing and sand blasting.

The landlord assured us that it would not be a problem - that they would build a box around the nest of exposed phone wires to keep it safe. Which worked, up until the point where our T1 crapped out.

Upon further inspection, the "box" was not well affixed to the wall surrounding the phone nest. In fact, there was a several inch gap just above our T1 line - which I'm sure resulted in a torrent of water, sand and detritus waterfalling through the gap.

Our disaster recovery plan dictates that we send everyone home when office connectivity goes down so they can work remotely, which is what we did after it appeared the outage might last awhile. A skeleton crew remained at the office to answer phones and coordinate repairs.

I was more than a little skeptical about the repair process. Savvis provides our T1 service, over an AT&T line. This requires a two-vendor dance. First the call into Savvis, then their coordination with AT&T. However, it was beautifully choreographed and nothing short of miraculous.

Savvis performed their remote checks, determined it was a problem with the line, ticketed AT&T, who performed their remote checks and determined it was a problem with the line between us and their local network center. AT&T dispatched a truck that checked the line all the way to our boxed nest.

The technician needed a different truck, went back to his facility and returned within an hour. Spent a couple hours working on the line (it turns out that water had seeped in between the wires and the sheath of our T1 line). Replaced the line, tested it and all the while remained helpful and committed to the repair.

We were back up and running within 5 hours. Thank you Savvis and AT&T for stepping up.

Comcast employee hits a home run with unofficial presentation

2008-06-24T10:33:00.000-07:00

I have Comcast at home for cable, connectivity and phone. For the most part, it works just fine. However, when it doesn't, I dread the call.

One time my toddler accidentally pressed a standby button on the front of the modem. Forty-five minutes of "off-shoring" later, they had to dispatch a truck. Luckily, I had a seasoned tech who took one look at the pattern of blinking lights and pressed the standby button again.

He took mercy on me by altering the paperwork so that I would not incur the hefty service charge related to "user error." I asked why the customer service representative couldn't diagnose such a straightforward issue over the phone.

He gave me one of those looks as if to say, "Does that really surprise you?"

I stumbled upon a completely unofficial, irreverent and starkly honest PowerPoint presentation created by a Comcast employee and distributed for internal amusement. If you have Comcast - really any large vendor - then this is worth the couple minute click through.

Enjoy.

New study compares short and long "contact us" forms

2008-06-10T11:59:00.000-07:00

I've been experimenting with the contact form on our Web site. It is an important - perhaps the most important - aspect of our Web presence. For all the blogging and news releasing and testimonials and marketing, our primary method of gathering online feedback is the contact form.

We have always had decent traffic to the site and decent visits to our contact form, but a poor submission rate at around 5%.

It's not like the links to the contact form are misleading - for the most part they read "contact us" or "contact center." So if the links are not misleading, why are only 5% submitting?

I took a hard look at the form itself and realized that I was falling into a traditional marketing trap - trying to get way too much information up front. It seems that as marketeers, we are so thrilled when someone decides to pause and fill out a form, that we cram as many questions as possible. If they are looking at the form, they must be interested, right? If they are interested, they certainly will be happy to tell us all sorts of information about themselves - up front, right?

It's like we think this is the only time we will ever have to interact and we must gather all the information possible - right now.

But the marketing and sales process is more of a continuum - and the contact form needs to respect this if it is to be successful. Ask the absolute minimum needed for this exchange and nothing more.

As I was reviewing the form with this new frame of mind, I was able to immediately remove fields that had no place in the context of an initial inquiry. They included the assorted physical address fields, fax, preferred method of contact and "how did you hear about us?"

The results were wonderful. 160% increase in forms, 120% increase in conversion rate. The best part? No reduction in the quality of the form information submitted.

I thought the information was important enough to share, so I wrote it up.

Download the complete study.

Online tax inching closer

2008-05-20T15:35:00.000-07:00

It's been a nice ride - the tax free ecommerce thing - but I fear it will come to an end all too soon. I'm surprised it's lasted this long.

Last month New York State passed a law requiring retailers to collect sales tax for any items shipped to New York. The wording of the law is a bit screwy, in that it only requires the tax from retailers that directly or indirectly solicit New York consumers - like placing affiliate links on a site owned by a New York company or resident. Amazon is suing New York claiming the law is unconstitutional. Actually they say it is, "invalid, illegal and unconstitutional." No doubt immoral and fattening as well.

Texas has now joined the me-too wagon and is investigating the possibility that Amazon owes it millions in sales tax dollars.

Today, the City of Chicago is suing eBay and its subsidiary StubHub for not collecting city amusement taxes on online ticket sales for Chicago venues.

Online retailers point to the 7,400 state and local tax codes throughout the US as far too onerous for them to track, collect and pay.

The great irony is that tax free online shopping hasn't saved the consumer that much money. Instead, it has shifted to shipping fees, which has resulted in a windfall for shipping companies.

Regardless, it is coming. I doubt even Amazon can stop salivating lawmakers from such a juicy new tax.

Taking the plunge into Gmail

2008-05-13T12:05:00.000-07:00

When it was first suggested, I was immediately against it. The thought of outsourcing our company email to anyone, even Google, was simply not acceptable.

However, when asked "Why?" I stumbled and stammered. "Because we are an Internet company and, well, we just have to do our own email?" I trailed off, ending in a weak question as I heard myself.

Then the ever-so patient folks that handle our systems quietly pointed out:

Gmail supports our domain
It offers 99.9% uptime guarantee
It is available through POP, IMAP and Web
It manages spam beautifully
It costs $50 per year per person
Each mailbox comes with 25 GB of storage
They even have a spiffy way to migrate our existing IMAP accounts

That's a lot of benefit for around $1,000 per year. Depreciation on our mailserver alone equals that, let alone the maintenance of it. I don't even have to go into spam productivity issues to know it is a fiscally sound idea.

Sometimes sacred cows really do make for good hamburgers.

Customs can now examine and seize laptops, PDAs with no probable cause

2008-05-06T07:17:00.000-07:00

In another chapter of our deteriorating privacy rights, a recent ruling by the 9th U.S. Circuit Court of Appeals allows border agents to examine the contents of any electronic device and seize the devices for a period of time.

According to the court documents, the issue started in July 2005 when Mike Arnold arrived at LAX from a three-week vacation in the Philippines. He was randomly selected by a Customs agent for secondary questioning. The agent asked him questions and examined the contents of his luggage, which contained a laptop, hard drive, CDs and a Flash drive. The agent asked Mr. Arnold to turn the laptop on to determine if it was functional.

As the laptop powered up, the agent noticed two folders on its desktop "Kodak Pictures" and "Kodak Memories." The agent clicked on the folders, examined the pictures - one of which was a picture of two nude women. Then, all hell broke loose.

Arnold was detained for several hours and the contents of his laptop and all electronic storage was examined. Agents found what they believed to be images of child pornography. The electronic devices were seized and Arnold was subsequently arrested.

The arrest was overturned by the local court because of lack of probable cause but reversed at the appellate level.

The court was silent on whether or not the owner of the device is compelled to assist in the search, which may result in a boost for hard drive encryption software. Since the ruling does not address this point, the owner can refuse to log into the device or decrypt its contents...for now. However, the idea of squaring off with Customs at the border is a daunting idea - yet another consequence of eroding privacy rights.

To their credit, it seems the Customs agents chose wisely when they selected Arnold. If his laptop did indeed contained child pornography, he should be well punished. However, judging by the complete lack of any probable cause, it could have been anyone.

Let's rap about search engine marketing

2008-04-29T08:42:00.000-07:00

Okay, I'll admit it right away - this is really geeky and really funny.

A coworker sent me a YouTube link this morning. It's from a rapper named Chuck (aka the SEO Rapper). His day job is Search Engine Optimization, Search Engine Marketing and Social Media Consulting. However, his passion is hip-hop.

So, what happens when you mix a rapper with an SEO specialist?

And there are more. Visit the SEO Rapper's page at YouTube for the complete list.

Using the Internet to cause seizures

2008-04-22T10:14:00.000-07:00

In what may be the first "physical" attack conducted through the Internet, hackers descended upon an epilepsy support group forum and uploaded strobing and complex images with the goal of causing seizures.

It worked.

The attack was conducted by a group of griefers, a special name given to someone whose sole mission is to go online and cause others grief.

According to the article in Wired Magazine, the Epilepsy Foundation closed down the forum briefly to remove the offending images, but not before several people seized up.

It's hard to imagine the reasons or motivations for such an effort. It took planning, design, research and execution. In some endeavors, those coordinated disciplines would be worthy of praise. Not here.

Like most of these cases, it's probably just a bunch of maladjusted people seeing if they can hurt others. Such a waste.

Email never arrived? Maybe it was lost in a black hole

2008-04-15T10:40:00.000-07:00

Ever wonder what happens when an email gets lost or a Web site is unavailable?

Sure, there are the worldly explanations:

Someone forgot to pay their hosting bill
A truck ran into a power substation and blew the grid
Someone fat-fingered the keyboard while logged in as root

If however, you eliminate all these reasons, one remains.

A black hole.

According to the University of Washington, there are a number of servers across the Internet - connected and accessible - that sometimes lose data for unexplainable reasons. These "black holes" are being mapped through a project called Hubble: Monitoring Internet Reachability in Real-Time at UW.

So, next time you forget to send an important email, just say, "It must have been eaten by a black hole."

"No, really."

PyCon sponsorship and a booth banner

2008-04-01T09:08:00.000-07:00

Recently, we sponsored a national conference organized by the Python Software Foundation called PyCon. Python is a programming language that we use extensively for Web-based applications.

In the past we have sent a staff programmer to present at the conference, however we have never sponsored it. This year it was held in Chicago and the cost for sponsorship was quite reasonable - we were a "silver" sponsor which was a modest level and cost us $1,000. What was particularly nice was that they offered a 50% discount for small firms.

Part of the sponsorship was a booth in their exibition hall. This was the first time we have boothed and it was a positive experience, albeit time consuming. As a result, I have great respect for those companies that do it on a regular basis (although I suspect there is an economy of scale and repetition).

It was a typical tradeshow booth - 8 x 8 with an 8 foot skirted table. The booth itself was defined by two side drapes about 3 feet tall, and one back drape about 10 feet tall. Two chairs, an outlet, a wastebasket and a non-descript sign that read "Imaginary Landscape" rounded out the includes.

The challenge was to outfit the booth economically, but retain a professional, if not slick, image. I spent some time on eBay looking at tradeshow set-ups - mostly the concave types with velcro that sit on the table in the back of the booth - but they were expensive and I didn't want to invest in something so permanent yet. I decided we would do a large banner, but then set it aside as more pressing matters arose.

As the time for the conference drew nearer (and nearer), I finally turned my attention to the banner. I ran out of time to send it out, so I settled on Kinko's.

I wanted a big banner to span the back drape. I also wanted some color but without the color prices. I went to my local Kinko's and asked some questions, but they didn't have much sign expertise on staff. They pointed me to their local "sign guy" at another Kinko's nearby. My advice is that you drive as far as you have to in order to find your closest "sign guy."

I settled on an indoor vinyl two-ply sign. Each ply is a color. I wanted black text on a white background so I selected the black-on-white two-ply. They come in large rolls, 29" wide. There are many other color combinations available as well. The process is pretty cool. They run the blank sign through some machine that cuts the letters into the top ply. Then they peel off the top, leaving the black letters on the white background. This produced a very nice banner with text on it.

The next step was to have them take our color logo and print it separately on special adhesive paper. They printed the logo, cut away the non-logo excess and applied in to the sign.

The end result is a color banner, 6 feet wide and 29" tall for $80 - reusable for next year.

The worst designed Web site on the Internet

2008-03-18T08:28:00.000-07:00

No further commentary is needed.

http://havenworks.com/

What type of client are you?

2008-03-07T08:31:00.000-08:00

Thanks to a co-worker, I stumbled upon a fabulously insightful and totally funny posting called 12 Breeds of Clients and How to Work With Them from the Freelance Switch blog.

We were able to instantly categorize each of our clients into one (or more) of the breeds - and had a good laugh along the way.

It's a funny Friday read.

Store reaction to bad incident amplified by blog; CEO to the rescue

2008-03-04T08:30:00.000-08:00

I stumbled upon a blog posting about someone who purchased some goods from a Home Depot in Washington, D.C. On the way out of the store, he was asked for a copy of the receipt which, for some reason, he declined to produce.

One thing leads to another and the police are involved and the entire sordid story is broadcast to the world on the Consumerist blog.

Included in the blog posting is a rambling email to the CEO of Home Depot as well as a scan of a police complaint filed by the "victim." I stopped counting after seeing over 100 comments on the blog posting.

Then I noticed an update that read, " Home Depot's CEO Has Responded To This Complaint."

In a brief and apologetic email, Home Depot CEO Frank Blake responds in a mostly formulaic fashion. The "victim" responds to Mr. Blake's email by describing how the store manager had contacted him, invited him back to the store for some "win back your business" VIP treatment. The entire exchange and description of the store visit are included in the blog entry.

As of this posting, there were more than 60 comments on the CEO response, inclulding an editorial comment from the Consumerist: "We are genuinely impressed with this response. Way to go, Home Depot."

This is an good example of how a localized story can get national (international?) traction via blogging. But it is an exceptional example of Home Depot controlling the story within the blogging community and turning it into a positive piece.

I too am genuinely impressed. And if you're not sucbscribed to Google Alerts for any mention of your company name, something like this can take hold and you'll never know until it's too late.

The science of increasing the speed of your site

2008-02-19T08:03:00.000-08:00

We have been working to assist some of our larger clients decrease the amount of time it takes for their Web pages to download. Many of these sites are visually rich and complex and require a significant amount of information to be downloaded before the site appears properly.

While it is true that the modem is all but dead and that broadband has taken over, that does not reduce the importance of lean development and "fast-as-possible" downloading. In fact, broadband opens the door for bad code because it makes it less obvious.

And no, this isn't another "optimize your graphics" post. We'll assume that you already know that a 3MB thumbnail image is bad technique. It's also not a "preload images with JavaScript/CSS" post either.

This post provides some of the more technical resources to really get your Web pages cooking.

Each Web page is a conglomeration of many individual files. Every image is its own file (even tiny spacer images sometimes used for fine-tuning layouts). Every "include" is its own file. If you mouseover a graphical menu item and it changes colors, that's two images per menu item. Web pages can have dozens and dozens (and dozens) of individual files that need to be downloaded to the browser.

It turns out that many browsers limit the number of concurrent downloads per domain name - some as low as 2. In essence, this means that only two files can be downloading at once and the rest of the files must wait their turn in a double-file line. Having just one additional domain name to serve files from can decrease page download times in half. The Yahoo! User Interface Blog has a great article about it.

If you're hardcore technical and want a thorough resource for all the techniques to really get your pages through the pipes quickly (including keepalives, sprites, gzip compression and obfuscators) , visit Optimizing Page Load Time at die.net.

Who controls your domain name?

2008-02-12T13:51:00.000-08:00

Every domain name must be registered. Network Solutions, GoDaddy and examples of domain name registrars. The owner of a domain name is referred to as the Registrant.

To check your domain name registration, go to the WHOIS page at Network Solutions. Network Solutions will report on all domains regardless of the registrar, but most registrars have a WHOIS feature linked off their home page.

Frequently, the person who originally registered the domain name for an organization made themselves the Registrant. This could be a current or former staff member, your Web hosting company or your Web development company.

However, the Registrant is the person or company that owns and controls the domain. If someone or some company other than yours is the Registrant, you open yourself up to some potential problems, including:

Expiration - Domain names need to be renewed periodically. Sometimes annually, sometimes every ten years. When the time comes to renew, you may not be receiving these notices. If you allow your domain name to expire, someone else can buy it.

Update - Sometimes when you make a Web or hosting vendor change, you'll need to make changes to your domain record (like changing domain servers). You can't do this unless you have access to the domain.

Maliciousness - If your domain is registered to an ex-employee and that employee is unhappy...

So, here are two things you should do:

1. Go to the WHOIS page right now and check all the registration information for all your domains.

2. Make sure you have the current user name and password for your account at the registration company. If you have access to the online registration account, you have the ability to make changes immediately.

Here is the report for this domain, imagescape.com. Notice the Registrant is the company:

Registrant:
Imaginary Landscape, LLC
5121 N Ravenswood
Chicago, IL 60640
US

Domain Name: IMAGESCAPE.COM

Administrative Contact , Technical Contact :
DNS, Imaginary Landscape
domains@imagescape.com
5121 N Ravenswood Ave
Chicago, IL 60640
US
Phone: 773-275-9144
Fax: 773-275-8928

Record expires on 20-Jul-2011
Record created on 21-Jul-1995
Database last updated on 17-Jul-2006

Domain servers in listed order:
NS3.IMAGESCAPE.COM 72.32.63.137
NS4.IMAGESCAPE.COM 66.216.127.31

Are Web forms really secure?

2008-02-05T13:29:00.000-08:00

Filling out forms on Web sites is commonplace. Whether it is an online job application, an online purchase, information request - they all require Web site visitors to enter information into a form and press the submit button. Some of these - perhaps many - offer the opportunity to share sensitive information. Certainly in the case of an online job application or an online purchase, the form is likely to require some sensitive information.

So, how secure is that sensitive information?

Most people are familiar with the front-line form security - the secure Web page. This is the Web page that contains the form and is characterized by a lock icon appearing on the browser (also indicated in the address bar with https preceding the Web page address). A Web page is secured using a Secure Sockets Layer (SSL) Certificate.

The SSL Certificate has two main functions. First, it verifies that the visitor is on the expected Web page. Second, it scrambles the form information when the visitor submits it to the Web server computer. An SSL certificate costs less than $200 per year and is one of the easiest and least expensive forms of security on the Web.

Unfortunately, securing a Web page with an SSL Certificate is often where the security ends, but it shouldn't. Security is most likely to break down after the form information is securely transmitted to the server, where it is completely invisible to the user.

One of the most common actions taken by the server after form information is received is to send it in an email message to a site administrator. This is insecure.

In essence, it is taking the same information that was scrambled by the SSL Certificate when initially submitted and re-transmitting it unscrambled in an open text email message. This undermines the entire purpose of the SSL Certificate.

A better alternative would be to store the form information on the server. Then the server sends the administrator an email that just says, "Someone just submitted a form, click here to view it." This email does not contain any form information. Instead, it simply links back to an administrative Web page on the server. The administrator clicks on the link and is required to log in with a username and password. Once successfully logged in, the administrator can view the form information on the administrative Web page, secured using the same SSL certificate.

The final stage of security is to protect the form information while it is stored on the server. As described above, the submitted form information is stored on the server, in a database. Form after form is accumulated in this server database. The problem is that database information is stored in clear text.

Now, the server itself is probably secured (requiring usernames and passwords to gain access), but there may be a number of people with access to that server - staff at the company that hosts your site, staff at your Web development firm, other individuals with Web sites on the same server. Anyone with access to the server (or someone who is able to hack their logins) might be able to gain access to the database. This makes storing the accumulated form information in a clear text database a long-term and growing security risk.

To counteract this risk, the sensitive data can be scrambled within the database. For example, certain fields can be designated as sensitive (social security number, driver's license number, credit card number, etc.) and scrambled. Now, if someone gains access to the database, all of the sensitive information will be scrambled.

When the administrator logs in to view the form information, an additional password is required to unscramble the secure information.

The process outlined above is a belt-and-suspenders approach to form security and may be overkill in certain instances. However, each Web-based form should be scrutinized to see if sensitive information could be entered. Even a simple "Contact Us" form can contain sensitive information (for example, people can sometimes describe specific health conditions in the comments field of a hospital "Contact Us" form).

Make it a point to understand what happens to form information once it is received by the server. If you are receiving form information in email, be especially aware.