lwhays

Selling online

2012-02-08T10:12:00.000-08:00

I was trying to buy something online the other day and it was instructive.

The Good stuff:
The Website was visually interesting and distinctive, and they'd found a product niche where they had little competition. The tone was casual and genuine, and the personality of the business and its people came through very clearly. They'd made good use of graphical elements and telling their story to mark out a very distinct little plot of the Internet. They even had good word of mouth, since that's how I found them in the first place. Their prices were good and they had a good array of payment options - I love to see options like Discover, Amex, and Paypal. All awesome.

The not good stuff:
The form to enter my "Identity theft" data wasn't secure (no https, lots of browser warnings about insecure transport and eavesdropping)

The credit card validation kept failing with a generic error. I kept re-typing the number, address and verification code and it just kept saying "enter a valid credit card". By the third time I'd very carefully entered all my data and it failed again, I became convinced that all I was doing was sending my CC and Identity theft info off to hackers in Malaysia, or somewhere. I became certain that it the bank had already blocked it because the hackers had hit my credit limit. I became convinced it had already been used to purchase nuclear materials in the middle East. I was already resigning myself to a two-year stint of trying to track down and correct all the damage done by my identity theft. This is not the emotional experience you want me to have at your online store. It turns out it failed unless I checked the "save my card in my profile" box. Which just added to my uneasiness. This guy can't even validate a credit card correctly and now he wants my permission to save all this data?

I'm sitting here typing this now and I'm kind of wondering why I persisted.

I got the expected "Thanks for your order - we'll email you a confirmation" page, but a confirmatory email didn't arrive. For days. Yes, I checked my spam folder (though I have yet to see Gmail blow it like that). Eventually, I went back to check on my order (because I'd had to save my Credit Card data, I now had a profile), and my order was just sitting there with a status of "Pending". Pending what? Pending you running my credit card up to the limit? Pending a delivery from the wholesaler? Pending whenever we get around to it? Is there a way to inquire about the order? No contact information on the order status page. No email form, to either the business or the webmaster. No way to cancel the order either, which is kind of a leech tactic.

There's a "customer service" link which has a FAQ behind it that claims they ship all orders received before 12PM on the same day. Well, I know that's a lie. At least there's a snail mail address at the bottom of the FAQ. No phone number though. Here's the very best part: On the customer service FAQ, there's a big block of reassuring text, but it's "loren ipsum" Literally. I'm Sooooooo happy I let you keep my credit card information.

Finally I googled them based on the business name and their snail mail address and got a phone number. It turned out to be one of the other businesses this guy was running. These days we understand about multiple streams of income, so that wasn't that disconcerting, once the receptionist and I worked through it. But it was definitely a shame that he didn't cross-refer between the websites of all his (fairly closely related) businesses. Anyway, I left a message. Let's see what happens.

A Smooth Drive

2011-12-22T01:10:00.000-08:00

They've repaved Lomas.

I drive it twice a day, to and from work. Alone, now.
It's nice and smooth, now.

I remember trying to avoid all the bumps it used to have.
Trying to swerve around them and avoid the discomfort.

Driving right into the rising sun
On the way home. I'm tired.

Don't hit the bumps.
Ignore the lanes. Too early for traffic. Or Cops.

But smoothly! Don't jerk the wheel!
Just one more thing he doesn't need.

Damn, I hit that one. Didn't even see it.
Manhole cover. Edge right.
No way to miss that one. Unfair. Rotten.

How little I can do. How little

Hearing those little sounds.
The grunt, the sharp breath of pain.

Chemotherapy

Programmers and firewalls

2011-07-13T15:05:00.000-07:00

OK, this one's going to be nerdy. If you're not a programmer, you'll want to surf elsewhere. If you're a programmer, please read and learn. If you're a network engineer or firewall admin, read and sympathise.

Executive summary:

Don't put your programs on weird TCP (or UDP) ports. Just don't. It doesn't help your security at all, and it blocks you from a bunch of legitimate users.

End Executive Summary

So I'm currently implementing a multi-site firewall and VPN installation, and it's pushing one of my pet peeve buttons hard.

First, Background:
One of the things I strongly support is egress filtering. Many or most firewall admins don't do this, and allow anybody inside out on any port at any time for any reason. That's fine until one of the "protected" machines gets compromised (and they will), at which point it has nothing preventing it from phoning home to the cracker that owned it and joining his botnet, to be used for future evil. Egress filtering at reduces this a little (he has to use an open port, not his "special" one), and if you combine it with some pattern matching, you might catch compromised boxes sooner (hey, the server at tweek.example.net just started generating a bunch of outbound traffic we've never seen before, what's up with that????")

So I do egress filtering. It's no silver bullet, but I think it helps.

The week after you bring up a new firewall, you always have to spend a few days punching additional holes in it for things you either didn't think of or didn't know about.

(Punching holes in the firewall is bad, MMMMkay?)

Stuff you didn't think of is on you. Bad Network Engineer! No Tee Shirt! Unpaid overtime instead!

Stuff you didn't know about is often (6 cases so far, and counting....) the fault of some programmer that got lazy or was ignorant and decided to put their application on a nonstandard TCP port. Case in point, I've discovered a webserver outside my firewall that goes along fine (on 80/443) until you do a search, and then the URL jumps to "http://lame.server.example:3442/rest/of/url"

Whoever wrote the search took it off 80/443 and put it on a nonstandard port. Just because.

There are two reasons I can think of why this turns out this way:

Laziness: Progammer doesn't want to take the time to learn and implement this in a way that integrates it with apache or IIS or whatever. No excuse for this. You don't want to be this programmer, you'll be re-inventing the wheel. Insecurely.

Ignorance / false sense of security: The programmer thinks "webservers get compromised all the time (True), I'll stick my listener on a weird port where no one will find me" (False). You don't want to be this programmer either.

I used "False sense of security" pretty deliberately. Twice now. Here's the deal: Any attacker with any chops at all, which is to say any attacker you should be worried about, is going to scan your box for open ports. Even if he weren't going to scan you (and he will) don't forget that "http://lame.server.example:3442/rest/of/url" is publicly available in the hyperlinks throughout the rest of your website, and that big fat :3442 hanging out there looks like a "hack me here" sign. So your hidden port is anything but, and of course your code is less likely to be both examined and updated for security fixes than Apache's. Or Microsoft's. Or anybody's. You might lose a few anklebiters, but only the ones too lame to download nmap. All the ones you should be worried about will be right there, Hackin ur box on ur nonstandard portz.

Worse, you're making your life (and the lives of a bunch of well, not innocent, but.... otherwise uninvolved... firewall and network admins) a hell, forever. You'll have to answer endless questions about why it doesn't work and what the app does and why it's off on a weird port. Not the sort of thing you want to do with your day. The network/firewall guy at your office will have to poke a hole for your app inbound, and that'll probably expose machines next to yours, because network people hate doing things for single hosts (that's an easy way to slow the firewall to a crawl). Are you sure you didn't pick a random port that's being used for some crummy code that's full of exploits and being hammered on constantly? Are you willing to BE sure? Every day??? Even if your code is perfect (hah!), you don't need all this exploit traffic hammering on you all day every day. Plus you just talked your firewall admin into exposing the machine next to yours, which may be vulnerable.

Worst of all, at the other end of the Internet are.... Your customers. Lots of them (more every day) have firewalls and egress filters and can't reach you because their firewall doesn't let them out on 3442. You're essentially limiting your customer base to people who are willing to poke holes in their firewalls for little or no reason. If the remote firewall admin accommodates programmers like you, he'll end up with a long, complex, slow rule base that's full of holes. If he doesn't, then his users just don't get to use your app. There ought to be a joke here about limiting your customer base to newbs and lame-os but I'm too tired and pissed to think it up.

So it's the worst of both worlds. You don't lose any of the evil intruders, and you do end up losing a lot of legitimate users. Plus you're pissing off your firewall admin. He can cut off your Internet, don't you know? Or even replace your internet with kittenwar

Take a lesson from the crackers. Put everything on 80 and 443(*). You'll fly through all the firewalls in the world, and no one will ever know, and your application will just WORK and you won't have to spend your time answering questions and writing up how-tos on getting around the corporate firewall.

Plus, though there'll be no money, on your deathbed you'll receive total consciousness. So you'll have that going for you. Which is nice...

(*)No, it doesn't actually have to be web traffic. It'll look like web traffic to yobs like me, and fly through. Which is what you want.

Bitcoin and Internet security

2011-06-21T13:04:00.000-07:00

For those of you who don't know (I didn't until recently), there are a bunch of nerds who are trying to create a cryptographically secure, anonymous, distributed Internet-based currency called BitCoin. For more information about Bitcoin, here are a couple of podcasts (one long and one longer).

For an amusing and informative fiction piece on digital currencies, please read and enjoy Neal Stephenson's "The Great Simoleon Caper"

Within the last few days, Bitcoin has suffered a major setback - someone hacked an exchange (where bitcoins can be exchanged for other currencies), and used large volume buy and sell orders to steal a bunch of money (presumably Dollars or Euro or Yen) and then drive the exchange rate for bitcoins to almost zero.

The first thought I had was that apparently Bitcoins are now officially at least worth stealing. And even if this sinks BitCoin beneath the waves, the open source code can go on to inspire and inform other efforts, so there's no way to put that genie back in the bottle.

Here are other some details I found interesting.

Bitcoin itself was allegedly not compromised. People's Wallet accounts at a popular (Mt.Gox, the most popular) bitcoin exchange were compromised. Apparently not all accounts at Mt.Gox were compromised.

Even the exchange was not hacked directly - apparently a copy of the encrypted password database held by the auditors got loose into the world and was used to launch the attack. It's not clear how the auditor's copy got outside *their* office network, but the lesson is that your security perimeter is almost certainly bigger than you think, and there are edges that are very difficult to watch. There is no setting on your corporate firewall that will protect a file that's at your auditors' offices.

The attack seems to have been a password discovery attack -- the attacker has a copy of everyone's passwords, but they are encrypted. The attacker runs the (known) encryption algorithm against either a dictionary of likely passwords (a semi brute force attack) or against a file of all possible passwords (a massively brute force attack) and see if any matches pop out of the encryption algorithm. If so, any account where a match is found is compromised. The variables are the quality of the encryption algorithm, the strength of the password, and the amount of time and compute resources that the forces of evil can devote to the attack.

Of these three variables, the one most directly under the exchange's control (besides not giving their auditors a copy of the password file) is the password algorithm. They had recently upgraded the algorithm, but some accounts that hadn't been logged into recently still had the old algorithm and were more vulnerable. In this case they did the right thing, but it took too long.

The factor most under the users' control was the strength (and freshness) of the password. If your password is "password", that'll be cracked in no time flat, as "password", "Password". "PassWord". "PASSWORD", and "P4ssw0rd" are probably the first five entries in the crackers' dictionary of possible passwords. In fact, if your password is this poor, a cracker doesn't even need an offline copy of the encrypted passwords. He can log directly into your live account with only 3 or 4 failures, which nobody is going to notice.

The big mistakes I saw reported were, first, letting the auditors have a copy of the encrypted password table (financial auditors don't need this at all, and data security auditors ought to work with it on site only if at all possible, and destroy any copies after the audit), and, second, the fact that that copy got out of the auditors' control and into the world.

The luxury of having a copy of the encrypted passwords, and being able to attack it in secret in the volcano lair of the bad guys allows them to bring vastly more resources to bear on the problem and prevents any notification that a password compromise is being attempted. If they'd been bouncing their millions of incorrect password attempts against the live authentication server, the resulting large number of login failures might have been noticed before any compromise was achieved, and they almost certainly would have activated any account lock-out mechanisms in place to foil just such an attack.

Lessons for the ordinary user are:

1. Only use strong passwords. This is so critically important that I'll devote a post to it ASAP, but in the mean time google "strong passwords" and review and learn...

2. Change your passwords periodically. Your bank may have mistakenly given a copy of your encrypted password to their auditors, just as bitcoin did. Assume it takes three months for that to get out and for your password to be compromised by the forces of evil. If you have changed your password in the interim, your bitcoins (or dollars) will be safe while others are compromised.

3. Don't use the same password for multiple sites, particularly where the risk factor is high. If someone breaks the password you used to use for the local dialup bbs account you haven't touched in three years, you don't care.... Unless you're using the same password for your bank.

This is all hard. Good security always is. There's no way you can implement this and still have a hope of remembering all these different, current, unique, difficult passwords, so all I'm going to say is: Password safe. Encrypted. With a darn strong password. That you absolutely will NOT forget.

My personal fave is KeyPass, but there are others, and I haven't seen a code audit of KeyPass anyway (not that you should trust my opinion even if I had).

Be safe.

Gerswin and Dvorak

2011-01-16T00:25:00.000-08:00

Tonight I attended the NMSO's Dvorak and Gershwin concert.
Dvořák, Symphony No. 8
Gershwin, Concerto in F
Gershwin, Rhapsody in Blue

I like both composers, and had a very good time. My feeling about music, particularly symphonic music, is that the composer's job to start with a theme, and use that theme to transport you to different environments and emotions. Both of these guys can do that just fine, thank you.

However, it was interesting how differently the two composers made me feel. Dvorak took his theme and at different points, I was watching a butterfly in a pastoral park, with beautiful, flawless landscaping. I felt I was riding through a park, on an immaculately groomed horse. I was transported to a Victorian era party, with waltzes and bowing and hoop skirts. Dvorak built a structure of grandeur and heroism that ultimately started feeling martial to me. It's not so much individual heroism as it was the Russian army on the march. Dvorak took me there very smoothly and with gentility, at every step of the way it was like being in the hands of a great concierge that just takes care of everything.

Gershwin is so much more rustic and raw, and ultimately to my ear, American. I realize that there are those who think this is unfortunate, but I have to tell you that I enjoy it immensely. With Gershwin you sort of wake up in a jazz club in Harlem with no recollection of how you got there. Then suddenly you're at a rodeo or a hoedown (It's fun to watch all those violinists strumming away). Gershwin does the horse ride too, but it's out in the wilds or the countryside, not in a manicured park. When Gershwin goes for grandeur, it's more like the Grand Canyon, raw and elemental and rugged. When Gershwin brings in a march, it's not the Russian infantry, it's a high school band in a Thanksgiving parade. He makes a lot of sharp turns with no warning, one second you're in downtown Manhattan and then you're suddenly on an elephant in a circus parade. The music will be bright and celebratory, then suddenly stop and a musical tornado suddenly rolls over the plains and there is thunder and flood and looming clouds.

And of course, when Gershwin finally brings the different threads of this whirlwind tour together, and puts the whole orchestra behind it, and the beautiful, passionate, longing flower of the piece finally blooms, briefly, and twice, it's more than just a musical orgasm, it's like falling in love. Gershwin. American. brilliant. heartbreaking.

The NMSO is savvy, and does this every year. Go.

Straw or no straw

2009-04-13T09:43:00.000-07:00

OK, so I frequently drink soda, tea and water, all with ice.

When I drink soda, I MUST have a straw.

When I drink water, I SOMETIMES use a straw.

When I drink tea, I NEVER use a straw.

Clearly it's not about ice cube management...

Double opt-in: what is it, and why do I care?

2009-04-09T15:41:00.000-07:00

OK, so in my last post I mentioned I was happy to run into a case of double opt-in. I wanted to be clear that this was basically the ONLY thing this Internet marketing effort did RIGHT, and explain why.

The point of all marketing is to get someone's attention, create a positive impression, and to attempt to leverage that into at least one sale (preferably a lifetime of sales). That's your mission, that's your ONLY mission, anything that interferes with that is to be avoided. Double opt-in is your best tool for that.

First, let's review opt-out. Opt-out is when you're included in something (in this case, an emailed marketing list) without any action on your part. This is your (landline) phone company's strategy: They sell (yes, they make money from it) your phone number to marketing companies and then these same marketers call you at dinnertime and try to get you to use a new phone company (who will then do the same...). The beauty of the phone company's model is they get paid by both ends: By the marketer that wants to annoy you, and by you so you can have a phone which marketers will use to annoy you. If you get an unlisted number, they won't sell it, but that costs you more every month. The Phone Company is frequently evil and this is lucrative for them, but that's not the point.

The point is you have to take action to get OFF the list (you opt "out" of the list), such as getting an unlisted number or requesting the marketer to take you off the list, or pressing "3" (or whatever) when the recording offers the opt-out option, or by contacting the national do-not-call registry. It's very annoying in telephone-land, on the Internet this means 95% of all email was spam at one point (maybe worse now). Compared to telephone operator time (or even telephone operator robot time), email is stupidly cheap, so the problem is much worse, as anyone who's had an email address for a couple of years can tell you (especially if your ISP sucks at Spam Filtering).

So, for the person trying to do Internet marketing successfully, this is just an expensive way to get ignored: You're either spam-filtered or at best you become one of thousands of messages that your potential customer has to sweep out of her inbox before she can get to email she cares about. If you're noticed at all, it'll be negative attention, generating a rotten first impression and if she remembers you at all, it'll be as that dude that sent her all those spam messages that she discarded along with the ads for porn and cheap viagra. You don't want to keep that kind of company in the customer's head, so don't use opt-out, ever. By the way, if the shopping cart page on your Internet store has a prechecked "contact me about stuff" option on the page that the customer must uncheck, then you're doing opt-out, it's just a "fine print notification" type of opt-out, and should be ashamed of yourself (and your marketing efforts will ultimately be expensive and ineffective, which serves you right).

Opt-in is better, but it's far from good enough. You have to take some action to get on the list, but on the anonymous Internet, this bar is pretty low. The classic example is "enter your email address to get our newsletter". The problem is that on the Internet, no one can assume you're you. There's no way to prevent a trickster from entering anybody's email address into the page and hitting submit. Some miscreants (not me, I swear) think this is a funny trick. It's the Internet equivalent of signing your mean neighbor up for lots of magazines and catalogs. Again, the costs are lower on the Internet, which means the volumes are higher, and you're back in amongst the pornagra ads, getting no or negative attention, and therefore wasting all your Internet marketing budget. So don't use opt-in, ever.

Confirmed opt-in is even better: The customer must enter their email address into a subscription page, and you immediately send him a confirmatory email that says "Somebody (hopefully you) entered your email into our subscription page, and you're now receiving our newsletter. If this was a mistake, or you've changed your mind, click *HERE* to unsubscribe". Again, you'd think that this is enough, but it's not. The Anonymous factor on the Internet strikes again. Just as you didn't know whether the customer was really booyah@whateveremail.net, he doesn't know if this confirmation is really from Widgets, inc. Maybe you're just an evil spammer who is using a fake unsubscribe link to confirm that booyah@whateveremail.net is a real email address with a real, actual, person who can read behind it. Evil spammers turn around and sell lists of confirmed email addresses for MORE, and the result is more Pornagra ads. So we've all learned the hard way not to click on links that may be untrustworthy, just like we've learned not to eat candy off the sidewalk. It's much safer for your potential customer to just avoid you, either by abandoning their email address entirely, or by training their spam filter to automatically ignore you. Result: 100% of what it costs to do this is wasted.

Double opt-in is another step up, and is the only way to go. Here's how it works: your subscription web page says up front in big print "we use double opt-in for your comfort and convenience", and offers a place for the customer to enter their email address, along with whatever explanatory text you need to explain and reassure the customer that you're taking their trust in you seriously. When they hit "submit", the ONLY thing they will ever get is an email sent to that address that says "we want to be sure you REALLY want our newsletter. We use double opt-in to prevent pranksters from signing people up who don't want our newsletter. If you *don't* want to be on our newsletter mailing list, do NOTHING, and you *won't* be added to our list. If you are really you, and if you really do want our newsletter (which will come about 2-3 times/month), then click this link to start your subscription." The newsletter will only go to the customer if they request it TWICE. That's how it works. Before we talk about why it's the ONLY way that REALLY works, let's address a common objection:

"It's too many hoops for the customer to jump through". No, it's not. Anybody who can't follow this set of instructions won't be able to order from your e-commerce site anyway. Anybody who WON'T follow this set of instructions doesn't really want your newsletter that badly at all, and would just ignore it if they got it. You want everyone on your mailing list to eagerly devour your insightful, amusing, and informative newsletter, and order everything on it. The person who got half way through the double opt-in and gave up isn't this person, and will never be. You're wasting a 100th of a cent every time you send them an email, and this adds up.

Why it works:

This is one way you can show the customer that their trust is important to you. There's no way for you to smile and offer positive body language over the Internet (yet, they're working on it), so humans have come up with other signalling mechanisms. One of these is double opt-in. It says Your email address is valuable to me, and I will be trustworthy, and I want you to SEE me making an effort to be trustworthy, because I want there to be no doubt in your mind.

This is also a way you can reinforce the fact that your newsletter isn't just a bunch of lame ads (OH, BTW, your newsletter has to be more than just a bunch of lame ads. More about that later). Reinforce the fact that your newsletter is itself a valuable interaction for your customer, full of insight, humor, and valuable information.

Finally, this is the ONLY way to make sure (double sure) that your newsletter mailing list has ONLY addresses on it which represent real people who are really interested in what you have to offer. Emailing THESE people will be effective, will lead to sales, will prevent wasted marketing expenses. Emailing anybody else is a waste of your advertising budget. Don't waste your resources. Don't end up with a reputation as a Pornagra spam artist. Don't make a bad first impression. Don't use anything less than double opt-in.

I ought to talk more about how to make SURE anybody doing Internet marketing is REALLY doing double opt-in, but I've rambled on long enough.

Internet Marketing - UR DOING IT RONG, Part 1

2009-04-07T14:41:00.000-07:00

OK, so I occasionally buy self-help books, attend classes, seminars, etc. Those of you who know me well will testify that I haven't improved much, but that's not the point.

I recently bought another self-help book, and that experience was instructive. The book's author clearly knows how to market well, since I bought his book at amazon the day I got the newsletter announcement. The book sold out, and the amazon ranking went from basically infinity to like, #20 in all books for the day. Clearly good marketing. One of the things that made his marketing so effective was the fact that he'd put together a co-marketing effort with a bunch of other people in the self-help business. If you entered your Amazon order code, they sent you to a web page with "thousands of dollars" of free offers. Now of course, the "value" of the offers is nominal only, the point is to make everyone feel like they're getting a deal, and everybody knows this, and it ticks some people off, but that's not the point.

Anyway, most/all of these free offers were actually subscription offers; they'd send you something in return for your email address. Of course, your email address is valuable, so this isn't remotely "free", and that's well understood, and some people hate it, so be careful. But even this is not the point.

One of the offers was for something to help with procrastination. I have a problem with procrastination, so it seemed like it was worth the minimal risk of maybe having to train my spam filter in the future if they got obnoxious. So I gave them an email address (a one-off, custom one of course)...

Once they had my email address, I was sent to a page that said

"we just sent you something, you need to confirm. "

So I look, and sure enough, there's a message there. It says, essentially, "You need to double opt-in". Cool. Love to see that, and I was feeling all warm and fuzzy about these guys as I clicked through to confirm and double opt-in. That's when this otherwise successful Internet Marketing attempt went seriously off the rails.

After the double opt-in, I get another mail. So far, so good. I look at it, and this one says, more or less:

Thanks! We'll be sending your free stuff over the next few days. Be sure and look for it. Make sure we're in your address book so your spam filter doesn't delete the forthcoming valuable stuff.

No other content. Epic fail.

I jumped through hoops, I trusted you with my email, and you essentially said "wait here" and ran off to the back room to do I-don't-know-what with it. For I-don't-know-how-long a period of time. I'm left standing there with.... nothing.

Beautiful.

Even better, you added nonfirmation that reminds me that I can spam-can all your responses, and mentions one way to do it.

Stunning.

Hopefully, I'm communicating this clearly enough that the reader is feeling me right now. I hope you're feeling the let-down, the frustration, the annoyance I did, the same annoyance that builds up over time to ultimately result in hundreds of nightclubs and bars where, right this instant, there are women screaming at men "I gave you my number, you said you'd call and YOU NEVER DID!" Now he's got an EXCELLENT chance with any other woman in earshot after THAT.

Let's examine where and why this promising interaction went so horribly wrong.

Firstly, on the Internet, Instant gratification is just barely fast enough. They could have included SOME kind of hints or tips or any kind of content valuable TO ME. It was basically all overhead, no payload. Hell, I can come up with something right now (attached below). The fact that they didn't even spend the 10 minutes it takes (I timed myself) trying to throw me some kind of value-bone in return for my precious, precious email address basically teed me right off. I immediately knew where I rated on the value scale, and I felt my value to them drop as I read the "wait for it" message. And by "felt it" I mean to say my ears popped. I showed them mine, and they showed me... Nothing.

The fact that they were promising to help me with my PROCRASTINATION was just the final, laughing nail in their coffin. Yep, their stuff is ALL getting round-filed. I'm not even going to wait "a few days" to see if they're really that lame. Glad I rolled up a custom email for them, and I wish them the best of luck with THEIR procrastination.

People, email addresses are valuable commodities, and you should encourage your customers and potential customers to trust you with them. But if you don't offer value in return, and right frakking now, you're being very foolish. When they give you their email address, one of two things will happen immediately, depending on how you respond. Either you start a dialog with someone who may be a return customer for many years, or you immediately make a very bad first impression. You know how wary you are when someone asks you for your email address for marketing purposes. Everybody feels that way. Some of us feel that way so strongly it's a little bit silly. You have to visibly and immediately honor that trust in the full view of the customer. Otherwise, all you're doing is ending up in the spam can a little (or a lot) faster. If you're unlucky (and given the numbers, you soon will be), you'll frustrate one of those very special people (there's a bunch of us out here) who will TELL THEIR FRIENDS what a dork you are. And they just might make it their mission to tell all their friends ON THE INTERNET. This is NOT the way you want to learn the power of Internet marketing....

Here's an example of the minimum they should have sent me:

Procrastination feeds on interruptions. If you can minimize interruptions you minimize the temptation to procrastinate. Here are the 3 most important ways to minimize interruptions at the office:

1. Schedule "office hours" and "productive hours". If you possibly can, set aside a portion of your day (even an hour or an hour and a half) and close your office door, turn off the IM and email client, put your phone on "do not disturb" and focus on being productive. It'll take a while to train your co-workers not to interrupt until after the "productive hours", but eventually you'll have part of your day where you can just focus and produce without interruption. Remember, an interruption slows you down 3 times: First, while you try to understand the interruption, second, while you address the interruption, and third while you try to remember where you were before the interruption.

2. Schedule periodic "email patrols", and stay out of your inbox otherwise. People who "camp out" in their email tend to try to address everything *right* *now*, which means they are constantly interrupting themselves. This will kill your productivity quicker than any other behavior.

3. Don't ignore your meat-sack. Human bodies aren't built to sit behind a desk, motionless and think and type. If you do this continuously, you'll end up fat, myopic and crippled by carpal tunnel. Make sure to take frequent and short breaks, and do something physical for just 1-5 minutes. Walk down the hall. Walk up and down the stairs and wake your heart back up. Look out the window. Do some stretches or isometrics. There's a lot of things you can do. Of course, don't interrupt yourself if you're "in the zone", but whenever you finish a task, or whenever you are doing nothing but thinking is a good time to move around a little. I find it particularly helpful to pace the halls while I'm trying to wrap my head around a problem. Of course, ALSO go to the gym or participate in active hobbies if possible but don't let yourself become a pure "weekend warrior" who only moves (and generally pulls a muscle) on weekends. Frequent, short activity will make you more alert, productive and healthy.

Watch for more more hints in our newsletters (about once every two weeks), or visit www.xyzzy.com for more helpful free information.

(See, told you I was a self-help consumer... That's different from being a self-help PRACTITIONER, but that's not the point...)

Econlib broadcast on Signalling

2008-09-18T17:19:00.000-07:00

Today I've been listening to an Econlib broadcast on Signalling

This is a very interesting discussion that explores the possibility that a great deal of our behavior arises out of mixed motives: partly, for direct economic reasons and partly for reasons of signalling to the rest of our community. The basis of the theory (as I understand it) is that a significant factor in our evolutionary history is our society and factions and our interactions with our group (tribe, or other small group). Factors such as predators, weather, etc were of less significance (or at least that signalling needs are of comparable significance in our evolutionary history). This leads to behaviors like dinner parties, ostentatious purchases of jewelry and BMW automobiles, etc, as well as much subtler behaviors.

Robin Hanson maintains that when we do things that don't seem to make total objective sense in straight economic terms, yet are common, we're seeing a proportionately greater influence of the signalling motives (which we often do unconsciously). Examples include things such as we seem to treat doctors very differently than we treat, for example, plumbers, because signalling becomes much more important during times of illness, and therefore our societies get set up in quirky ways that don't make strict economic sense. The example they give that comes to mind is that there's a common expectation that your mechanic will giving you back your old broken alternator (which he does in order to signal his trustworthiness), whereas we don't have a convention that the doctor is expected to wash his hands in front of the patient, even though we all know that handwashing among doctors has huge significance in the quality of our care. In fact, we don't even ask doctors if they've washed their hands. Other curiosities include that data are available on the track records of hospitals or doctors, but these data don't seem to be popular even though everyone professes that they want "the best".

Hanson says that this is because, in primitive societies, when a person was sick, signalling was very important, because it really told you who meant you well no matter your circumstances, and who was displaying lower "loyalty". Less loyal individuals would "dump you" because when you're sick is a good time to do that. So medicine in general is rife with signalling issues and expectations, and these bleed over into your relationship with your doctor (in a way that doesn't affect your relationship with your plumber).

The discussion ranges to things like the convention of bringing wine to a dinner party, choosing candies for valentine's day, parenting ("how cynical do you want your kids to be?"), schooling, skipping a funeral, wearing jeans to a ball, etc. It's very interesting and worth an hour and 10 minutes of your time. My favorite question is "why don't we treat our politicians like the waterproofer?" (the guy that wants to sell you a complex and expensive basement waterproofing system).

At one point, Russ Roberts, the host, says something along the lines of "I don't want that kind of a relationship with my wife". I found this to be kind of frustrating. I realize that, from an economic standpoint, when his wife invests in signalling to show she means well, it could be interpreted as less than totally honest, and wasteful, etc, and Russ Roberts obviously is reading these kinds of depressing meanings into this act. But my reaction was along the lines of "But, dude, she cares enough to work on signalling to you, even (especially) if she may not feel particularly romantic, etc at that moment." That's not dishonest, that's using an established tool to do an important job. I'm particularly surprised to hear this kind of objection from a married man, even I (a single man with demonstrably poor relationship skills) realize that there are things you just do in a relationship whether they "make sense" or not, just because she's a woman, and a human. Partly because that is less trouble than fighting the whole society we've ended up with. But it's also something very human. Both Roberts and Hanson don't seem to think it dishonest that we all, for instance, try to present ourselves as favorably as possible in a job interview or first date. And, as our relationships with people deepen and we understand each other, we do develop private conventions that wouldn't work with a stranger.

Perhaps I'm just a crappy economist because I value the human element more than I should. Or perhaps I'm just decieving myself because my subconsious wants to be able to do its signalling without my concious interference.