Legitimate businesses selling out to spammers

Like most tech geeks, I own multiple domain names and dozens of email addresses. I have configured many of my email servers with "catch-all" or wild-card forwards that allow mail sent to any address at a particular domain to be delivered to a particular inbox. One of my uses for this setup is to allow me to use unique email addresses when I give out my email address to online businesses. Doing so allows me to filter incoming email, immediately gauge the priority of email, and track whether an email address leaks beyond the online company with which I originally shared it.

With two notable exceptions, email addresses I have given out to companies end up being used by them only for legitimate business communications. The two recent exceptions: Addison-Wesley and Lands' End. Spam is making email less and less useful each passing month as hundreds or even thousands of spam messages flood my inboxes daily. I always thought the people who sell or trade email addresses for spam use were faceless individuals operating from their living rooms, not major companies like Addison-Wesley and Lands' End or their affiliates.

With Addison-Wesley, I signed up for an email list several years ago for announcements of new technology titles. For a while, I received emails from Addison-Wesley every month or so announcing its latest technology books. The mailing list was low-volume and useful.

I no longer receive announcements of new books from Addison-Wesley. But the email address I gave them is now used by spammers several times a day to send me unsolicited commercial email messages. Here are some headers from a spam email I received tonight advertising "Cheap Vl x AG x RA":

    Return-Path: <olmedaa@iskiv.net>
    Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146])
        by [my email server] with SMTP id k9T7mmeJ029902
        for <awbookalert@[my domain]>; Sun, 29 Oct 2006 07:48:54 GMT
    Reply-To: "Romano Wischmeier"
    From: "Romano Wischmeier"
    To: awbookalert@[my domain]
    Subject: Re: 693

Now, with an email address like "awbookalert," you figure no spammer stumbled onto this address by guessing. More likely, the spammer purchased the address from someone who stole it from Addison-Wesley's computers, or Addison-Wesley gave it away or sold my email address for use by spammers. I consider it unlikely this email address was stolen from my computers because I use several "alias" email addresses and have had a problem only with this one I gave to Addison-Wesley.
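
The per-vendor alias check described above can be automated. The following is an added example, not code from the original post: it reads the delivered-to alias from the receiving server's Received header and flags mail whose envelope sender falls outside the domains registered for that alias. The registry, the `.example` domains, the `mx.example.org` host name and the second and third sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: alias local part -> domains that vendor legitimately
# mails from. Both entries are placeholders, not the real companies' domains.
ALIAS_OWNERS = {
    "awbookalert": {"publisher.example"},
    "clothing-order": {"retailer.example"},
}

# "for <addr>" clause that the receiving MTA writes into its Received header.
_FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def envelope_recipient(msg):
    """Address the message was delivered to.

    The topmost Received header is stamped by our own server, so its "for"
    clause is preferred over To:, which the sender fills in freely.
    """
    for received in msg.get_all("Received", []):
        match = _FOR_CLAUSE.search(received)
        if match:
            return match.group(1).lower()
    return parseaddr(msg.get("To", ""))[1].lower()


def sender_domain(msg):
    """Domain of the envelope sender, falling back to From: if it is empty."""
    addr = parseaddr(msg.get("Return-Path", ""))[1]
    if "@" not in addr:
        addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(raw, registry=ALIAS_OWNERS):
    """Return the alias, sender domain and a verdict for one raw message."""
    msg = message_from_string(raw)
    alias = envelope_recipient(msg).partition("@")[0]
    sender = sender_domain(msg)
    if alias not in registry:
        verdict = "unregistered-alias"
    elif any(sender == d or sender.endswith("." + d) for d in registry[alias]):
        verdict = "expected"
    else:
        verdict = "leaked"
    return {"alias": alias, "sender": sender, "verdict": verdict}


def leak_report(raw_messages, registry=ALIAS_OWNERS):
    """Map each leaked alias to the set of unexpected sender domains seen."""
    report = defaultdict(set)
    for raw in raw_messages:
        result = classify(raw, registry)
        if result["verdict"] == "leaked":
            report[result["alias"]].add(result["sender"])
    return dict(report)


# Headers from the post, with the redacted server and domain replaced by
# example.org placeholders.
SPAM = """\
Return-Path: <olmedaa@iskiv.net>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146])
    by mx.example.org with SMTP id k9T7mmeJ029902
    for <awbookalert@example.org>; Sun, 29 Oct 2006 07:48:54 GMT
To: awbookalert@example.org
Subject: Re: 693

(body omitted)
"""

# Constructed: what a legitimate announcement to the same alias might carry.
LEGIT = """\
Return-Path: <bounce@mail.publisher.example>
Received: from mail.publisher.example by mx.example.org
    for <awbookalert@example.org>; Mon, 02 Oct 2006 14:00:00 GMT
To: awbookalert@example.org
Subject: New technology titles

(body omitted)
"""

# Constructed: no Received header, and an alias that was never handed out.
UNKNOWN = """\
Return-Path: <promo@bulk.example>
To: random@example.org
Subject: hello

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("LEGIT", LEGIT), ("UNKNOWN", UNKNOWN)):
        print(name, classify(raw))
    print(leak_report([SPAM, LEGIT, UNKNOWN]))
```

Return-Path is chosen by the sender, so an "expected" verdict only means this check found no evidence of a leak; a "leaked" verdict is the useful signal.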

I checked Addison-Wesley's privacy policy to see if they protect email addresses as private information. You know what? They don't. Addison-Wesley treats as private "your name, address, phone number, date of birth, job, personal interests, and credit card information," but your email address is not covered by Addison-Wesley's privacy policy. Addison-Wesley, and parent company Pearson Education, should be ashamed to have a privacy policy like this where email addresses are not held in confidence.

Another company contributing to spam is Lands' End. My wife ordered clothing a few weeks ago online from Lands' End, again using an email address unique to this one transaction. Lands' End sent two emails to this address: an order confirmation and a shipping notice.

Last week, though, she received an email sent to this unique address from a company advertising self-confidence books. Her thought was Lands' End either suffered a computer security breach, and the thieves sold her email address to spammers, or this publishing company is affiliated with Lands' End. Lands' End's privacy policy acknowledges the company shares private information with business partners. My wife called Lands' End to find out how this publishing company obtained her email address.

The Lands' End customer-service representative my wife spoke with assured her the publishing company is not affiliated with Lands' End, and that Lands' End experienced no data security breach. The spam must have originated, she said, by someone breaking into her ISP's email server and stealing that address.

Yeah. Uh huh. Someone broke into an email server and stole a solitary email address. These thieves overlooked the dozens of other email aliases on her server and focused solely on this one email address she shared with Lands' End. (Her email server is different from mine, by the way, eliminating the possibility that a single server was the source for both these email addresses picked up by the spammers.)

If Lands' End's computers were not broken into, it seems likely one of its business partners is using email addresses in ways not sanctioned (or at least acknowledged) by Lands' End. A possible partner could be Coremetrics, a company that provides website analytics for Lands' End. Lands' End says they share website information with Coremetrics, but the "data that they collect for us [cannot be used] for any other purpose." Interestingly, the self-help publisher who sent my wife the spam also is a Coremetrics customer.

I don't want to cast aspersions on Coremetrics. They have many online retail customers. What I want to ask Lands' End is which is more likely:
  • Hackers broke into two of our ISP's email servers and stole one email address from each?
  • One of your business partners is violating the confidentiality of your customer information?
  • A hacker broke into your computer system and stole information?
I would think the likelihood of the latter two scenarios to be much higher, and a much higher concern to Lands' End.

If companies don't want to suffer black eyes when the public discovers how casually or carelessly they treat their customers' information, they need to start treating data privacy more seriously. The alternative, they will find, is that Congress will receive enough pressure from Americans so fed up with spam and identity theft that they will tighten data-privacy laws to make it a criminal offense when what should be private data leaks from their computer systems. When the first CEO goes to jail for contributing to spam or identity theft because the company treated customer data carelessly, perhaps that's when we'll see companies treat customer data with more seriousness and care.

U.S. Air Force Memorial Weekend

[Photo: U.S. Air Force Memorial. Photo by Michel Du Cille/The Washington Post]
The United States Air Force finally has a memorial in the nation's capital. The memorial was dedicated Saturday in a ceremony attended by President Bush and other dignitaries. The memorial honors those who have served and those serving in the Air Force. Its triple stainless steel spires soar to varying heights up to 270 feet in a "bomb burst" flaring-out pattern, "truly representative of flight and the flying spirit of the Air Force."

The memorial sits on a small hill between Arlington Cemetery and the Pentagon, and is visible from I-395 on the left as you approach Washington from Virginia. An approximate location is marked by this Google map. (If you view the map, the memorial is actually where Columbia Pike bends north toward Southgate Road.)

The weekend ceremonies were by invitation only, although the public was invited to view Saturday's ceremony remotely from big-screen TVs set up in the Pentagon South parking lot. The Washington Post has a video of the event.

Rather than watch from the parking lot, my wife and I viewed the airplane flyovers accompanying the event from the Mount Vernon Trail next to National Airport. Yes, they had to temporarily shut down commercial air traffic for the event, as vintage and modern war planes flew overhead, capped off by a flyby from the Air Force's Thunderbirds. (Photos below.)
F-16s in 'missing man' formation


Ceremonies continued this morning with a memorial service. The service included a wreath-laying ceremony and a flyover (right) from four Air Force F-16s in a missing-man formation.

The memorial opens to the public on either Monday or Tuesday. (The Washington Post says Tuesday. The A.F. Memorial Foundation says Monday.)

Here are some of the other photos we took of the events.


Bicyclists on the Mount Vernon Trail look toward the memorial in the distance.


A Consolidated B-24 Liberator makes a flyby. Apparently, this is the only restored Liberator still flying.


A B-2 Spirit bomber made an approach from the east. My wife caught this picture just as it flew into the sun.


The B-2 banked right as it flew over the memorial. This is the first time I've seen a stealth bomber in flight. You can really see how the plane's thin profile helps foil radar echoes.


This photo from this morning shows the F-16 'missing man' formation as it flew over our apartment.

Updated at 10:50 p.m.: I earlier labeled the B-2 bomber as an F-117A. I'm pretty sure it's a B-2, thanks to Chris Nokleberg's comment.

Grady Booch: SOA sold as snake oil

If you have sat through the many sales pitches from companies selling SOA products, which you learn is defined as whatever their products used to be but now with a new, improved web services interface and UDDI registry, you'll probably enjoy reading Grady Booch's blog entry on Thursday.
Grady Booch
In it, Grady laments how service-oriented architecture is being sold like snake oil: the miracle elixir to cure all your enterprise ills. That part isn't breaking news. But it is nice to hear this message repeated from such an architectural luminary, and one whose employer is big on SOA.

The best part of his snake-oil blog is a list of questions those who hype SOA fail to explore. These are the questions to put in front of your CTO when he or she is being wooed, wined and taken out to golf by the SOA salespeople. Here's a selection:
  • What distinguishes a good service from a bad one?
  • What should the granularity of a service be?
  • When should I offer up a stateless service versus a stateful one?
  • How do I express stateful service semantics, and how do I ensure their misuse doesn't corrupt my system?
  • How do I express the semantics of a society of services when only the most trivial services work in isolation?
  • How do I expose some services to some clients and hide them from others?
Grady points out he's a strong supporter of SOA. "However," he writes, "I tremble at the realization that the fundamental technical benefits as well as the costs and trade-offs of SOA are sometimes lost in the guise of Snake Oil-oriented Architecture."

What Google Did Right: Browser Sync

On Wednesday, I ragged on Google for four of its good-to-terrible services that all could be better. Today I want to play fair and congratulate Google on one service that is so handy and useful, it has saved me time nearly every day: Google Browser Sync.

Browser Sync's Firefox toolbar button
This handy Firefox plugin stores my browser bookmarks on a Google server, and then synchronizes the bookmarks to all of the four-to-six computers I use each week. If I save a bookmark while surfing at home, it's there on my work computer the next morning. I don't have to visit any special website or store my bookmarks on a "social networking" site like with the del.icio.us Firefox extension. I let Firefox manage my bookmarks, and let Google Browser Sync synchronize them between all my computers.

I have to say, I really like this service from Google. I don't have to do anything but occasionally re-confirm my Google password when Firefox launches. It just works.

Browser Sync also can synchronize Firefox's browser history, persistent cookies, and saved passwords. I don't use these services out of my general caution for leaking passwords and other sensitive information if Google's servers are ever hacked, but I can see perhaps one day using the cookie sync out of convenience.

Thank you, Google. With Browser Sync, you did good.

Why isn’t Google better?

After using Google search for many years and being impressed with its lightning speed, using Google Maps and being impressed with its spiffy Ajax features, and using Google Earth and being amazed at how easy it was to zoom around neighborhoods and find features like subway stations, I find myself more and more disappointed by Google's more recent services. Is googleplacency setting in at the Googleplex?

Here is why Google is more and more failing to impress me. First, as a shopping search engine, Froogle is next to useless. Second, as a calendar service, Google Calendar lacks a critical and obvious feature. Third, as an email reader, Gmail is no longer impressive (and it's still in beta after how many years?). Fourth, as a news/blog reader, Google Reader is pretty ho-hum compared with at least one competitor. With these service shortcomings I have to ask, why isn't Google -- with its billions of dollars of cash, its 8,000 top-notch employees cherry-picked from competitors, and with its cachet as one of the coolest places on the planet to work -- why isn't Google better at what it does?

My first, albeit minor disappointment with Google came years ago with the launch of Froogle. When I first saw Froogle, I thought, "Cool, with Google's search technology and the way they vacuum up and index most of the web, this will surely outperform all other shopping sites." I was wrong then, and every time I've used Froogle since, I continue to be wrong. And disappointed.

Why? Froogle, by default, sorts search returns by relevance. The result is the product I'm looking for tends to be at the top of the list. That's good. The problem is the cheapest relevant product isn't at the top of the list. That's what I'm using Froogle for in the first place. Here's part of a screen shot showing a search for M.S. OneNote 2003, with prices in an apparent random order.

Froogle search for Microsoft OneNote 2003 sorted by relevance


With Froogle, I have to manually find the lowest price among pages of "relevant" results. Why can't Froogle automatically sort the "relevant" product results by price? If I want to sort by price, Froogle offers that as an option: select "Sort by price: low to high" from the drop-down box.

Froogle search sorted by price low-to-high


Ah, and as you can see in the above screen shot, that's when all the irrelevant items show up at the top of the list, usually pages and pages and pages of related products, such as books and accessories. The problem frequently arises with software. The sort-by-relevance search won't easily find me the lowest price, and the sort-by-price search finds me the books written about the software, the various "OEM disk-only" solutions that seem a bit dodgy, and various other product near-misses. I was amazed when Search Engine Watch awarded Froogle Best US Shopping Search Engine in 2005.

Disappointed by Froogle, I've turned to BizRate, NexTag, and PriceGrabber as providing more useful price comparisons. I don't tend to like Yahoo! Shopping or MSN Shopping because of the limited number of online stores they apparently track. DealTime and Shopping.com seem more hit-and-miss when searching for products. For instance, when searching for the best price for an Olympus voice recorder, model VN-2100PC, DealTime and Shopping.com were convinced I was shopping for RAM for my computer, or plumbing supplies. The other sites (including Froogle, to its credit) had no problem homing right in on the Olympus product.

But one disappointment wouldn't take the shiny gleam off of Google. No. They've done so many things right with other cool applications. But just in the past few months, I've found Froogle isn't the only place Google falls down. Google Calendar, which I began using a few months ago, Gmail, which I've been using off and on for more than a year, and Google Reader, which I started using this month, all lack in usability or expected features, especially when compared to competing web services.

Google Calendar probably is the biggest letdown of these three productivity applications. Google developers seem to have spent enormous effort building Calendar and the way-cool Calendar Data API to allow developers to access Google calendars remotely from other applications. But sorely missing is the simple, expected feature of being able to set how you are reminded of each approaching calendar event. Google Calendar does provide three notification options: a pop-up dialog box, an email message, or a pager/SMS message. However, the notification method you choose for your event reminder type is global for all events.

For instance, say I want to be notified of important events (flight departs in 2 hrs) by receiving a text message on my phone. Google can do. But once I configure Google Calendar to send one reminder to my phone, all reminders now go to the phone (dry cleaning ready for pick up). By allowing only one notification type for all events, I'm either frequently interrupted by my phone with low-priority reminders, or I have to accept high-priority reminders getting emailed or appearing only when I'm online.

How could the developers at Google leave out this ability to change notification type based on the event's importance? Come on, Google! Yahoo Calendar has this ability! You thought creating a Data API was more important than creating a usable calendar service in the first place? You're not going to win me over to your calendar as a developer unless you win me over to your calendar as a user! Or at least a calendar service I can recommend.

After being pushed into the arms of Yahoo for its online calendar, that's when I discovered Yahoo's updated Mail service. I remember trying Yahoo mail many years ago and abandoning it as the usual clunky web mail. But the Ajax-enabled beta email service is nice. It uses separate tabs to open messages. You can have several messages open at once in different tabs, rather than opening each message into the current window, as Google does. From the Yahoo Inbox, you can hit Enter to open the current email in a new tab, read the email, hit Esc to close the tab and return to the Inbox, then hit Del to delete it. Or, if you want to save the message, you can actually move it to a folder and drag messages into the folder for organization. Gmail instead insists on enforcing the Web 2.0 world view of tagging to organize email. I actually like being able to tag emails with several labels, but tagging is different than all other email programs I've used. For me, 99% of my mail only needs one tag, so Yahoo's more-familiar folder system works fine, and its user interface is superior. Just like Gmail, Yahoo mail supports other keyboard shortcuts, like hitting r to reply to the selected message. (However, Yahoo went with keyboard shortcuts Ctrl-. and Ctrl-, for up-down navigation rather than the more usual k and j that have been used in the Unix world for decades and that Google adopted.)

Yahoo Mail also integrates with Yahoo Calendar. When viewing email, the bottom of the window displays upcoming events from your Yahoo Calendar along a horizontal scroll pane. That's a nice feature I don't see in Gmail.

With Yahoo Mail besting Google's Gmail in functionality and usability, I'll turn my attention to one of Google's newer web services, its recently updated news reader, Google Reader. Google Reader was the first web-based news reader I tried. Previously, I had used Thunderbird's built-in news reader, but I wanted a web-based reader so I could read the same blogs and news sites from any of the half-dozen computers I use during a given week.

I have no real complaints about Google Reader's functionality. The problem is, it's just not impressive.

Google Reader screen shot after selecting Cedric Beust's feed


Google Reader does a good job of letting you see what's new in your subscribed feeds, and lets you click feeds in order to scroll through its entries to read. I like the fact that it has a full ("Expanded") view and a "List" view to read just the titles of the entries. My chief dissatisfaction with Google Reader is it just isn't cool and full of extra features that make using it a nice experience. As compared to? Well, after I started using Reader, I noticed almost as many visitors to my blog were coming from Netvibes as were coming from Google Reader. So I checked it out and started playing with it. What I discovered was a news reader with cool, even fun, features that make reading news and blogs faster and more efficient for me.

Netvibes organizes feeds/blogs into portlets, which can be re-arranged on screen, resized and minimized. (See the screen shots, below.) Here are some of the cool things Netvibes can do:
  • Organize your feeds into tabs. (Google Reader has folders you can open/close. Very similar)

  • Mouse over a feed's entry to read the beginning. (Google can't do this.)

    Netvibes mouse-over behavior showing popup quick-read of an entry


  • Drag and drop feeds to rearrange them in the window (Google doesn't let you change order)

    Netvibes lets you drag a feed's box to re-order them


  • Read a feed's full entry, with an index of all entries in a left-hand column.

    Clicking on an entry opens the item for reading


    The above-pictured reader window acts like an Ajaxian widget. You can see an X in the upper right corner to close the window and return to the main feed window.

  • Open/close the items list for each feed.
    You can select how many item headlines for each feed you want to see in its portlet window when the feed's portlet folder is opened. (You see the title for all entries when you open a single entry, as mentioned and pictured above.)

  • Refresh an individual feed to see if it has been updated (Google doesn't allow this).

  • Drag and drop feeds onto different tabs as well as to re-order them on the page. (Google has no drag-drop of feeds.)

  • Quickly mark all items in a feed as already read by clicking on the item count. (Google Reader provides a "Mark all as read" link that operates slowly because it seems to reload the page.)
Until I saw the Netvibes referrers in my logs, I had never heard of it. Then, two days after first starting to use it, I picked up September's Business 2.0 magazine and saw Netvibes being mentioned as a "disrupter" of leading portal websites like Yahoo.

So, these are four of Google's web applications that leave me wanting, and leave competitor services more impressive. My initial wow-I-didn't-know-you-could-do-that-in-a-web-page feeling I got years ago with Google Maps has been replaced by me wondering what's Google up to that it would allow its applications to become second-rate. I have two theories.

My first theory is that Google's complacency is a symptom of corporate maturity. Google doesn't have to be cool any more. It needs to answer to shareholders. Perhaps Google is directing its focus and energy to today's moneymakers: AdWords and AdSense.

My second theory is that Google is leaving services like Froogle, Calendar, Gmail and Reader to languish for now because it has bigger fish to fry, new services that Google will roll out that will allow it to suck even more of the profit from its chief competitors -- Yahoo and Microsoft -- and place it into the hands of Google and its shareholders.

I don't follow the business intricacies at Google to pretend to know the details. But Google's recent YouTube purchase makes it clear Google wants to be a we-have-it-all portal service to make Yahoo less relevant, with Google reigning supreme in the search and web advertising business. And we all know Google has been working on its web-based version of office productivity applications to replace (or at least augment) Microsoft's Word and Excel (with Docs & Spreadsheets), Outlook (Gmail, Calendar), and the remaining Microsoft Office applications. Google's Apps for Your Domain is the first step in that direction until it adds the remaining Office applications to that suite.

So, instead of focusing on gee-whiz applications, I'm guessing most of Google's development and marketing resources are working on the web versions of Word, Excel, and probably an improved version of Gmail to replace Outlook for some users.

In the meantime, Google has failed at one of its 10 corporate philosophies: "Always deliver more than expected." Google, I expect more from you with Calendar, Gmail and Reader. Your competitors are doing more. But perhaps Google, when its web-based Office-killer applications take hold among businesses in the next year or two, will reprise a line from Pirates of Silicon Valley. I can see the day when Bill Gates or Yahoo's Jerry Yang confront Google CEO Eric Schmidt and tell him, "We're better than you are! We have better stuff." Schmidt will turn away and say over his shoulder, "You don't get it. That doesn't matter."

Anonymous fire in D.C. wafts smoke over Capitol

Here's something you don't see every day: A black cloud of smoke wafting toward the U.S. Capitol.

Fire in Washington, D.C. Sunday about 1:50 p.m.

It was unusual enough for my wife to snap a couple of pictures of the fire from our apartment across the Potomac River in Arlington. We checked the Washington Post, Washington Times, and the websites for the local TV stations later Sunday and today. Not a peep.

Granted, the fire was a couple of miles north of the Capitol building, and no one apparently was hurt from the fire (because that would have made the news, right?) but the fire must have affected some residents of northwest D.C., even for the annoyance of the smoke. That's why we were a little surprised not to read anything about it in the news today. Hmmm. And to think, Sunday began this year's National Fire Prevention Week.

Replacing Tomcat’s ROOT index.jsp page

Apache Tomcat comes with a simple ROOT webapp that is nothing more than a precompiled index JSP page. The text of this JSP page warns users not to bother trying to edit this index.jsp page in the $CATALINA_HOME/webapps/ROOT directory. If you try, then reload the http://localhost:8080/ page, your changes won't be reflected because the index page was precompiled into a JAR file. Nowhere in the Tomcat HowTo page did I see a quick pointer to changing the contents of the index.jsp page so Tomcat beginners can experiment quickly with Tomcat and JSPs. The closest I could find was a How To that tells users they can write an index.html page and have that override the index.jsp page.

So here's my quick pointer instructions. For those of you familiar with Tomcat and servlets, you will see nothing new here. But for Tomcat and J2EE beginners, I hope I'll save you a few minutes digging through the ROOT webapp's configuration files if you want to start playing with JSPs soon after installing Tomcat 5.5.

How do I edit the default JSP home page loaded by Tomcat?

The contents of the default Tomcat home page come from the ROOT webapp servlet called org.apache.jsp.index_jsp. The page that you see in $CATALINA_HOME/webapps/ROOT/index.jsp has been precompiled into a class file (org.apache.jsp.index_jsp.class) stored in a JAR file (catalina-root.jar) in the ROOT webapp's WEB-INF/lib directory. Because of this servlet, Tomcat will not look at the contents of the ROOT web application's index.jsp file if you change it.

The easiest way to change the contents of the index.jsp page is to remove this index_jsp servlet from the ROOT webapp. Once you remove the index_jsp servlet and restart Tomcat, Tomcat will see the index.jsp file in the ROOT directory and compile it on the fly into a class file. You now will be able to edit the ROOT/index.jsp file and have those changes take effect immediately by reloading the http://localhost:8080/ page.

To remove the index_jsp servlet, edit the ROOT web application's configuration file, $CATALINA_HOME/webapps/ROOT/WEB-INF/web.xml. Comment out the definition of the servlet and the servlet mapping, so that section of the file will look like this (the changes are the added "<!-- Disabling the index_jsp servlet" line and the closing "-->" line):

    <!-- JSPC servlet mappings start -->
    <!-- Disabling the index_jsp servlet
    <servlet>
        <servlet-name>org.apache.jsp.index_jsp</servlet-name>
        <servlet-class>org.apache.jsp.index_jsp</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>org.apache.jsp.index_jsp</servlet-name>
        <url-pattern>/index.jsp</url-pattern>
    </servlet-mapping>
    -->
    <!-- JSPC servlet mappings end -->

Once you disable the index_jsp servlet and restart Tomcat, how does Tomcat know to compile the index.jsp page in the ROOT web app's directory? Easy. First, when you request the default page of a web application, Tomcat (like every servlet container) will look for a welcome file. The default welcome files are defined at the bottom of $CATALINA_HOME/conf/web.xml. This web.xml file acts as a global web.xml file used for all web applications installed in Tomcat. The default welcome file list includes index.jsp, which means Tomcat will try to load that file (if found) in order to display it. Second, the $CATALINA_HOME/conf/web.xml configuration file also defines a servlet called simply jsp. This section of the web.xml file:

    <!-- The mapping for the JSP servlet -->
    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.jsp</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>jsp</servlet-name>
        <url-pattern>*.jspx</url-pattern>
    </servlet-mapping>

maps all *.jsp and *.jspx pages to the jsp servlet. The jsp servlet performs the work of compiling the source JSP file into a servlet and then executing the servlet. The JSP servlet, by default, will check the JSP source page every time it is requested to see if it was modified since the last time it was compiled. If the page changed within 4 seconds of the last time it was compiled, the servlet will recompile the source JSP page before running it. The behavior of the jsp servlet is quite configurable. You can see all its options defined in the $CATALINA_HOME/conf/web.xml configuration file.

I've added the above instructions to the Tomcat HowTo wiki in the hope it helps Tomcat newcomers find their way around the server.

Updated 2007-7-11:
  • Fixed typo in XML comment tag. Thank you Peter Fischer for pointing this out.
  • Note: Tomcat 6 simplified its ROOT webapp index page, so these instructions don't apply.