I’ve been going through a fascinating exercise this week, as I streamline the information going to my myriad e-mail addresses. That entails changing the addresses used to receive some information, like newsletters from companies that I buy from or cover as an analyst. In many cases, this process is prompting me to cancel subscriptions to things I don’t read any more.

This isn’t about fighting spam. This is about controlling e-mail messages that I’ve opted to receive, or which are legitimately coming from businesses that I’ve worked with before. Here are some of my experiences:

• In the best cases, unsubscribing is easy: Just click the unsubscribe link in the e-mail newsletter. The unsubscribe link is coded with my e-mail address or other unique identifier, and a personalized e-mail response or Web page positively confirms that I have unsubscribed. That’s nirvana.

• Some messages prompt me to click on a link which takes me to a blank Web form, where I enter the e-mail address that I wish to unsubscribe. In some cases, there’s real-time validation: If I enter an e-mail address that’s in their database, it confirms the unsubscription. If I enter an invalid address (like email hidden; JavaScript is required), it tells me “not found.” In some cases (like at Intel), the form claims that I have successfully unsubscribed, even if I enter nonsense characters, like “hi, mom.” And in some cases – Apple eNews stands out – it insists that my address is not in their database. I’ve been fighting with this one all week, while more Apple newsletters keep coming.

• Some messages tell me to hit reply with the word “unsubscribe” in the subject line. The problem is, some of the e-mail addresses that I’m trying to unsubscribe from are forwarding addresses, which I can’t reply from. Now what?

• Some messages insist that I provide extra information. Newsletters from Palm fall into that group. A link takes me to a Web form which lets me subscribe/unsubscribe from various newsletters. However, the form contains mandatory fields — such as first name, last name, and “most recent handhand/smartphone,” which must be filled in before you can hit “submit,” even if you’re unsubscribing. Lame!

• And then there’s Microsoft, in a class by itself. In order to unsubscribe, I must register for a Windows Live ID. Their privacy page says, “You can stop the delivery of future promotional e-mail from Microsoft sites and services by following the specific instructions in the e-mail you receive.” One newsletter from them refers me to https://login.live.com/ppsecure/secure.srf in order to cancel my subscription. However, the e-mail address that the newsletter came to is not affiliated with any Windows Live ID.

So, what can I do? At the bottom of the privacy page there’s a section called “Contacting Us,” which refers people to a Web form. So, I filled it out, with the subject line “Trying to get off your mailing list,” and with the message, “Please remove email hidden; JavaScript is required from ALL MICROSOFT COMMUNICATIONS. I can’t see how to do that w/o signing up for a “Live ID”. I don’t want that. I want Microsoft to stop sending email there.“

In response, I received a form e-mail response, which read:

Thank you for your message to MSN and Windows Live Privacy.

We offer you choices for the collection, use, and sharing of your personal information. You may go to the MSN and Windows Live Communications Preferences Web page to make choices about the use of your personal information. You may choose not to receive marketing material from MSN and Windows Live or on behalf of external third party business partners. You may also stop the delivery of future promotional e-mail from MSN and Windows Live by following the specific instructions in the e-mail you receive.

You may subscribe and unsubscribe to MSN Newsletters by going to http://newsletters.msn.com . In addition, each MSN newsletter you receive, will have instructions about how to unsubscribe.

These communications choices do not apply to mandatory service communications that are considered part of certain MSN and Windows Live services, which you may receive periodically, unless you cancel the service.

You may also have the ability to view or edit your personal information. If you wish to update your MSN and Windows Live profile information, change your password, view the unique ID associated with your credentials, or close certain MSN and Windows Live accounts, please visit MSN Account Services at http://accountservices.msn.com

If you have a billing account you can add to or update the information through the Account Update area located at https://billing.microsoft.com

If you have created a public profile on MSN or Windows Live, you may also edit or delete information in your public profile by going to http://members.msn.com/edit.msnw

If you buy MSN Keyword advertising, you can review and edit your personal information at http://adcenter.msn.com/

Some services offered on MSN and Windows Live may collect personal information that is not accessible via the links above. However, in such cases, you may be able to access that information through alternative means of access described by the service. Or you can write us by using our Web form and we will contact you within 30 days regarding your request.

If your sign-in credentials remain inactive for an extended period of time they will be deleted. Inactivity is defined as not signing in to any site or service on the Passport Network using your credentials. If your credentials are associated with a free MSN or Hotmail e-mail account, your account will be made inaccessible if it remains inactive for 30 days and your inbox will be deleted. If you have Passport Network credentials that are not associated with a free MSN or Hotmail e-mail account, your account will be made inaccessible if it remains inactive for 365 days, and any information you have provided will be deleted. These restrictions do not apply to accounts associated with paid subscriptions for MSN or Hotmail.

For further information on the MSN and Windows Live Privacy Statement please visit: http://privacy.msn.com

Sincerely,

Pramod
MSN and Windows Live Privacy

And the links bring me back to where I have to enter my Windows Live ID. Brilliant, eh?

Today, we hit the triple jackpot on three big storage advances.

First: Hitachi has shipped the first terabyte 3.5-inch hard drive — only five months after my colleague Andrew Binstock predicted that one would go onto the market. The Deskstar 7K1000 is a 7200rpm drive with 4.17ms latency and 8.5ms seek time, according to Hitachi. The price at Computer Discount Warehouse is US$444.99. I want one.

Second: Dell has offered what I believe to be the first mainstream notebook PC using a solid-state drive as its main storage. You can order the Latitude D420 (a 3.0 pound machine) with a 60GB rotating drive, an 80GB rotating drive, or a 32GB SSD. The SSD option costs $450 more than the default 60GB rotating drive. According to Dell, choosing the SSD option may delay shipment by five days.

Third: Samsung is now offering a 120GB hard drive in the 1.8″ form factor used by devices like the Apple iPod. Seagate also offers an 1.8″ drive in that capacity, but still, it’s exciting.

For those who read my earlier posting about the complete collection of April Fools’ Day RFCs, the book is finally available for ordering from Amazon.com. (I already pre-ordered it from Barnes & Noble.)

Day One of the Software Security Summit kicked off with a keynote from Herbert “Hugh” Thompson, chief security strategist at People Security, and one of the most innovative (and funny) people in our industry. He told a great story which I think illustrates the nature of security vulnerabilities — and the people who find them.

Back when he was a student in his native Bermuda, Hugh said, his high school got a shipment of used U.S. Coke machines. They were set up to give you a nice cold soda in exchange for four U.S. quarters. That wasn’t a problem, because U.S. coins are pretty common in Bermuda, due to the tourist trade, and because the Bermuda dollar is kept at parity with the U.S. dollar.

Hugh reported that one day, he and his high-school buddies discovered that the odd-shaped Bermudan ten-cent coin would trick the Coke machine, whose weight-and-diameter test thought that it was a U.S. quarter. After getting lots of sodas at a discount, one of the students learned that if you put in four Bermudan ten-cent pieces and pressed the “coin return” button, the poor machine would give you back four U.S. quarters. Not bad!

What to do about it? Hugh described three of his friends, who represented the three ways that attackers or security researchers can respond to the discovery of a vulnerability:

• Responsible disclosure: “Let’s go tell the school administrators, so they can fix the problem before anyone else finds out.”

• Full disclosure: “Let’s tell everyone, although some folks might exploit this bug before it’s fixed.

• No disclosure: “Let’s get some Bermudan coins and go make some easy money!”

It’s that third type, of course, who are really scary.

It’s important to remember, Hugh said, that most sane, rational hackers want something – and hacking is just their way to get it.

Hugh also talked about the nature of the vulnerability. Was the Coke machine broken or defective? No it took coins and give you cold sodas. However, the algorithms used to authenticate user credentials was flawed, because the system used to validate U.S. coins didn’t do a good job.

Hugh gave a solid and entertaining keynote – thanks for launching the conference!

Lest you think that I only pick on Microsoft, Oracle just released a whopper of a patch list. This Critical Patch Update Pre-Release Notice is a head’s up for security patches coming to dozens of Oracle products on April 17.

Oracle rolls up its security patches into quarterly updates. Here’s where you can get a list and subscribe to e-mail alerts for these critical patches.

The irony is ironic: On the same day that I learned about a new Microsoft marketing initiative to sell its customers client, server and network security software, the company released yet another slew of patches to plug up flaws in its products, including Windows Vista.

The new marketing initiative is called “Fast, Faster,” and is designed to push Microsoft’s Forefront security products — products, that is, the customers need to protect themselves against flaws in Microsoft’s operating systems and applications. According to Microsoft’s press release,

“The campaign uses humorous metaphors to illustrate how defending against security threats with Forefront is easier than defending against virtually anything else — including far-fetched threats from aliens, ninjas and zombies.

“The goal of this campaign, created by McCann Worldgroup San Francisco, is to emphasize Microsoft’s competitive differentiation in making security products easier to deploy, implement and manage.

“The Easy, Easier campaign will be appearing in IT print and online media in the U.S. and 28 markets worldwide as well as throughout Microsoft’s digital properties. More information on Microsoft Forefront, the Easy, Easier campaign and related customer stories can be found at http://www.easyeasier.com/.”

The Forefront products officially launch on May 2, at an event in Los Angeles.

What would be truly easy, easier for Microsoft’s customers would be to have more secure operating systems and applications.

• Yesterday was also Patch Tuesday, the monthly event that systems administrators dread. Just think about that: Every month, Microsoft’s customers know to expect a whole bunch of bug fixes. (Every Microsoft customer should sign up to receive advance notification of these patches.) The April 10 patches included five new fixes, four of which Microsoft itself said were critical.

• Microsoft did depart from that monthly schedule to ship an emergency update on April 3. Patch MS07-017 works to resolve a vulnerability in animated cursor handling in .ani files. For those who didn’t catch it early, Microsoft rolled this one into the April 10 patch group.

• Also according to eWeek, Microsoft is investigating public reports of new security flaws in Office. “Reports of several new security holes in Microsoft Office have been made public on known exploit sites. The company did not release specific information about the vulnerabilities, citing potential risk to users,” eWeek reporter Brian Prince writes.

That’s not to say that all the flawed software comes out of Microsoft. Even companies like IBM, Rad Hat and Apple issue regular security bulletins and patches, and have security advisory mailing lists. However, there is the hypocrisy that Microsoft charges customers for Forefront, which is software that exists mainly to help customers overcome flaws in Microsoft’s other products. If Microsoft truly wanted to make security easy, easier, it would create less buggy and less flawed products.

Today, Apple announced that it had sold 100 million iPods. That’s a lot of computers… and yes, that’s what the iPod is. It’s a specialized computer, but it’s a computer nonetheless. So, too, are high-end cell phones and devices like BlackBerries and Palm Treos.

Seeing Apple’s news made me realize that I have no idea how many iPods I’ve purchased. My own family has four, all of which I purchased: an initial 20GB “iPod with click wheel” for me, then a second one for my wife. Then an upgrade to a 30GB “iPod photo,” for me, with the 20GB becoming a hand-me-down. Then, a final upgrade to a black 80GB “iPod with video” for me.

Amazingly, I still haven’t watched a video on it. I got it because my music library wouldn’t fit onto the 30GB model.

But that leaves out the dozens, dozens, dozens of iPods that I’ve purchased as premiums for sales promotions, survey respondents, door prizes, and so-on. Last December, we gave away nearly two dozen iPod shuffles for one particular give-away to business partners. At $79, a shuffle’s the perfect prize.

By far, offering an iPod as a premium or incentive is the most popular thing that I’ve done (even outpulling an equivalent-value Amazon gift certificate in one test that I did). Seemingly, everyone wants one, either for himself/herself, or to give away to a family member.

The number of different iPod models, past and present, is astonishing. See Apple’s site for pictures of ’em all. (Did you know that there was even an iPod Special Edition Harry Potter, with the Hogwarts Crest engraved on the back?)

On the heels of International Data Group’s decision to discontinue the print edition of InfoWorld, Crain’s BtoB reports that the publishing company will be reducing the paper size of its two tabloid-sized newsweeklies to standard magazine trim.

According to Crain’s BtoB (which covers the business-to-business media industry),

“Given the financial pressure we’re under in mailing these things out, we thought it was time to save the money and take advantage of the new format,” said Matt Sweeney, CEO of Computerworld, in a statement.

Being on the outside, it’s hard to say if these three big decisions are related. But given that InfoWorld, NetworkWorld and Computerworld are managed independently at IDG, my guess is that this cost-cutting is a broad or top-down directive. Otherwise, this would be a heck of a coincidence.

As far as I know, this leaves IDG without any tabloid-sized publications (that is, around 10×13 inches) in the U.S. market. Standard magazines are trimmed to around 8×10 inches. No word yet how this affects the international editions of Computerworld and NetworkWorld.

While IDG moves away from the tabloid format, please be assured that BZ Media still believes in that trim size.

The 10×13 format that we use for SD Times is popular with readers and advertisers, and also provides our art/production staff with lots of room for creativity. We have no plans to downsize SD Times.

It’s amazing how clever those spammers are.

On Oct. 30, 2006, I set up a new mailbox on one of the domains that I manage. It’s a hosted domain held by a major ISP. I just set up the mailbox, but didn’t do anything with it. It’s never sent a message, not even a test message. The address has never been given out. The address was an obscure one; it wasn’t something like info@ or service@.

Today, for the first time, I logged in to the Web-based interface, and found 58 pieces of spam in the inbox.

How do they do it? Brute force? Have spammers hacked into the ISP’s back-end systems? Is there someone on the inside? Absolutely incredible.

We should all celebrate: Today, the U.S. Federal Communications Commission has terminated its proceedings regardng the use of cellular phones onboard aircraft during flight.

That’s not to say that they won’t bring the issue up in the future, or that the FCC agreed that cell phone usage within the inescapable confines of a commercial aircraft is simply too obnoxious a practice to be allowed. (See my earlier post, “Please, no cell phones on airplanes.”) Instead, the FCC said that it didn’t know enough about the technical ramifications to make an informed decision.

To quote from order FCC 07-47 (I’ve added bolding for emphasis):

“On December 15, 2004, the Commission adopted a Notice of Proposed Rulemaking (Notice) in the above-captioned docket proposing to replace or relax its ban under Section 22.925 of its rules on the use of 800 MHz cellular handsets on airborne aircraft. The Notice explored several different options for allowing airborne use of wireless devices, including a proposal to allow the airborne use of cell phones. The Commission also noted that the Federal Aviation Administration (FAA) prohibits the use of portable electronic devices (PEDs) on airborne aircraft. Given the lack of technical information in the record upon which we may base a decision, we have determined at this time that this proceeding should be terminated.

“In the Notice, the Commission specifically requested technical comment, emphasizing that the ban on the airborne use of cell phones would not be removed without sufficient information regarding possible technical solutions. The Notice also noted that RTCA, Inc. (RTCA), a Federal Advisory Committee, at the request of the FAA, is currently studying the effect of PEDs on aircraft navigation and safety. Phase I of the study – a short-term technology assessment – was completed in late 2004, and focused on existing PED technologies. Phase 2 – an ongoing, long-term technology assessment – is focused on emerging PED technologies, e.g., ultra-wideband devices or pico cells for telephone use onboard aircraft. RTCA published findings in December 2006, and is expected to issue recommendations regarding airplane design and certification requirements later this year.

“It is apparent that it is premature to decide the issues raised in the Notice. The comments filed in this proceeding provide insufficient technical information that would allow the Commission to assess whether the airborne use of cellular phones may occur without causing harmful interference to terrestrial networks. Similarly, although the report issued by RTCA recommends, inter alia, a process by which aircraft operators and/or manufacturers may assess the risk of interference due to a specific PED technology within an aircraft, it does not provide data that would allow us to evaluate the potential for interference between PED operations onboard airplanes and terrestrial-based wireless systems. Further, because it appears that airlines, manufacturers, and wireless providers are still researching the use of cell phones and other PEDs onboard aircraft, we do not believe that seeking further comment at this juncture will provide us with the necessary technical information in the near term. Accordingly, we conclude that this proceeding should be terminated. We may, however, reconsider this issue in the future if appropriate technical data is available for our review.

“Accordingly, IT IS ORDERED that, pursuant to sections 1, 4(i), 11, 303(r) and (y), 308, 309, and 332 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 154(i), 161, 303(r), (y), 308, 309, and 332, that this proceeding is TERMINATED, effective upon issuance of this Order.“

To which, we can all say, “hallelujah!” and hope that this never ever comes up again.