As I thought about replacing the tablet, I thought to myself, “Hey, what about a Mac?”Macs, after all, are celebrated for their multimedia management, and I thought I might be able to shift my a/v editing tasks from the desktop to a new MacBook, thus extending the life of the desktop for another year or two.

I was concerned, of course, about compatibility with Windows systems. After all, my primary use for a notebook is to run my IT consulting business while I’m out of the office, and that’s a Windows world. Not only are all my clients using Windows, but some of the cloud services I use require Internet Explorer for full functionality. Some quick research convinced me that this would not be a problem. Not only does the Mac OS have a bunch of features designed to facilitate networking with Windows – including BootCamp, which allows the Mac hardware to boot into Windows — but by using Parallels, an inexpensive software program, I could easily switch back and forth between Mac and Windows environments.

With my compatibility concerns assuaged, I started looking at pricing. My wife is a college professor, so we’d be eligible for an educational discount from Apple. I spec’d out the following system:

• 15-inch MacBook Pro (Hi-Res Antiglare screen)
• 2.66 GHz Intel Core i7
• 4 GB RAM (2 DIMMS)
• 500 GB SATA drive, 7200 RPM
• DVD +/- RW
• Aperture and Final Cut Express (photo and video editing)
• AppleCare Protection Plan
• One year One-to-One membership at the Apple store (figuring I might need some help with the OS transition)

Total price: $2,875.00

That’s a good chunk of change, so I started wondering what it would cost to solve my performance problems while staying on a Windows platform. First, the laptop, a Dell Studio 14 running Windows 7 Home Premium:

• 14” Hi-Def screen (including facial recognition for logging on – cool!)
• 1.6 GHz Intel Core i7 (2.8 GHz Turbo Mode)
• 4 GB RAM
• 500 GB SATA drive, 7200 RPM
• DVD +/- RW
• Adobe Photoshop Elements and Adobe Premiere Elements
• 1 GB ATI Mobility Radeon HD video card
• 3-year warranty with on-site support

Total price: $1,328.00 … and that’s street price. As a Dell reseller, I should be able to get a better deal.

Having halved the cost of the laptop, it occurred to me that I might be able to replace the desktop as well. I priced out a Dell Vostro 430 running Window 7 Home Basic (as a Microsoft partner, I can upgrade the OS at no charge):

• 2.8 GHz Intel Core i7
• 4 GB RAM (2 DIMMS)
• 160 GB SATA drive, 7200 RPM (I already have two 250 GB 7200 RPM drives that I can re-use)
• DVD +/- RW
• 1 year warranty

Total price: $890.00

So if I got a new Windows laptop AND and a new Windows desktop – both of which should be crazy fast compared to what I have now – I’d spend $657 LESS than if I bought a comparably spec’d MacBook Pro.

Can anyone make a compelling case for why I should go Mac?

How to Help a Small Business Comply with the 2010 Massachusetts Privacy Law

Background

In 2007, Chapter 93H was added to the General Laws of the Commonwealth of Massachusetts. The law establishes rules for preventing and reporting data security breaches, and it applies to "any person that owns or licenses personal information about a resident" of Massachusetts. (By regulation, the rules also apply to any person that “receives, stores, maintains, processes, or otherwise has access to such personal information.”) That means it applies to virtually all businesses and nonprofit corporations in the Commonwealth.

The law directs the Office of Consumer Affairs and Business Regulation to promulgate specific regulations relative to Chapter 93H. These regulations are contained in 201 CMR 17.00, which go into effect on January 1, 2010. Once effective, the regulations will be enforced by the Attorney General.

The law and regulations cover both written and electronic information. From a small business’s perspective, the key passages of 201 CMR 17.00 are as follows:

Personal information [is defined as] a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

1. Social Security number;
2. driver’s license number or state-issued identification card number; or
3. financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

[All businesses] shall develop, implement, and maintain a comprehensive [written] information security program (CWISP, or WISP) that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:

1. the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
2. the amount of resources available to such person;
3. the amount of stored data; and
4. the need for security and confidentiality of both consumer and employee information.

The safeguards … must be consistent with the safeguards [required by similar state or federal regulations that may be applicable].

[E]very WISP shall include, but shall not be limited to:

1. Designating one or more employees to maintain the WISP;
2. Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
   1. ongoing employee (including temporary and contract employee) training;
   2. employee compliance with policies and procedures; and
   3. means for detecting and preventing security system failures.
3. Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
4. Imposing disciplinary measures for violations of the WISP rules.
5. Preventing terminated employees from accessing records containing personal information.
6. Oversee[ing] service providers by
   1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information …;
   2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider [before March 1, 2010] … satisfies the provisions … even if the contract does not include a [specific requirement regarding information safeguards].
7. Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.
8. Regular monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.
9. Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
10. Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

Every [business] shall include in its written WISP the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:

1. Secure user authentication protocols including:
   1. control of user IDs and other identifiers;
   2. a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   3. control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   4. restricting access to active users and active user accounts only; and
   5. blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
   1. restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   2. assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.
4. Reasonable monitoring of systems, for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The IT Consultant’s Responsibility

An IT consultant cannot be solely responsible for determining whether or not a small business is in compliance with the regulations. Ultimately, that decision is up to the Attorney General and the judicial process. Therefore, all businesses should seek legal counsel when evaluating whether or not they are compliant. Nevertheless, because of the regulations’ focus on specific technical requirements and procedures, IT consultants can (and should) offer advice on how their clients can best prepare for and follow the new rules.

The Compliance Review Process

IT consultants should provide the following services to their clients:

1. Education. Ensure that the chief executive is aware of the regulations and obtain his or her approval to implement a compliance plan. It is probably a good idea to identify who will act as the business’s Information Security Manager at this point and to involve the ISM in every subsequent step of the process. It is NOT recommended that the IT consultant serve as the ISM.
2. Inventory. Identify all instances of personal information that are being used by the business in paper or electronic form. (At this stage, do not worry about whether the personal information is “received, stored, maintained, processed, or otherwise accessed” by the business.) This process should involve discussions with people responsible for multiple aspects of the business, including but not necessarily limited to:
   • Human resources / benefits
   • Payroll
   • Sales (for nonprofit organizations, this may translate to Membership)
   • Accounting
   • Operations (to see if employees’ driver’s licenses are kept on file)
   • Client or Customer Service

   The consultant may find it worthwhile to conduct a survey of all employees, providing the definition of personal information and asking whether they have come in contact with such information. It is especially critical to identify any personal information that may be stored outside the business’s office, such as on laptop computers, as there are special encryption requirements for this information. It is also critical to identify any business processes that cause personal information to be sent across wireless networks or the Internet.
   At this point, generate a list of all contractors that may use personal information on your behalf. The contracts you have with them will need to be reviewed for compliance as well.

3. Scope Assessment. After identifying the extent to which personal information is used at the business, discuss with the chief executive whether personal information is a relatively small and contained piece of the business’s information or whether personal information permeates the entire business. For example, an automobile insurance agency, a certified public accountant, or a temporary employment services agency might decide that personal information is so pervasive in the organization that all information should be handled as if it is subject to the regulations, whether or not each bit of information actually is covered.
4. WISP drafting. A draft can be prepared by either the business’s ISM or the IT consultant. Although it is possible to start the draft from scratch, most businesses will probably want to start with a template that they can adapt for their specific needs. A free template is available from the Office of Consumer Affairs and Business Regulation. It is also possible to buy plan-creation tools. For example, a Boston-area consultant is offering workshops and templates at www.201cmr17.com. Businesses would be well advised to seek reviews of these products before investing significant amounts in them. To find other commercial templates, do an Internet search for terms such as 201 CMR 17 sample policy. During the drafting of the WISP, it may become evident that some existing procedures are not compliant with the regulations. These areas should be clearly flagged in the WISP with notes such as “IS THIS OK?” or “NEED TO FIX THIS”
5. WISP review and revision. The first draft of the WISP should be reviewed by whoever did not write it (i.e., either the ISM or the IT consultant). The reviewer should seek clarification of any section of the WISP that seems confusing, incorrect, or incomplete. As in the previous step, any potential non-compliance should be flagged.
6. Checklist review. Go through the 201 CMR 17 compliance checklist to identify additional potential areas of non-compliance.
7. System changes. Using comments from the draft WISP and the 201 CMR 17 compliance checklist, identify and implement the necessary organizational changes. This will be likely be the most technically challenging stage in the process.
8. WISP completion. Once the WISP is final, obtain a sign-off from the chief executive.
9. Implement and train. Because employee training is a necessary component of the WISP, implementing the WISP will not be complete after step 7 above. The training should be led by the ISM, with assistance from the IT consultant as necessary.
10. Schedule review. The WISP should be reviewed annually. Ensure that this review is placed on the company calendar for the following year.

The most common problem people encounter, from what I can tell reading various blogs and forums, is that the special boot CD does not contain the correct drivers for the PC’s network card. Without the drivers, the network card won’t work, and without a working network card, the PC can’t talk to the Windows Home Server.  If that happens, you’re supposed to put the drivers on a USB hard drive and scan the hard drive for the drivers during the restore process. The drivers you need are supposed to be found in the “Windows Home Server Drivers for Restore” folder that is part of each computer’s backup on the Windows Home Server. Yeah, right.

I recently had occasion to restore a Dell Optiplex 755 running Windows XP (32-bit). The network card was an Intel 825xx-series Gigabit ethernet card. The boot CD did not include the necessary drivers. I retrieved the “Windows Home Server Drivers for Restore” folder, copied it to a USB drive, and scanned the drive for the drivers at the appropriate point in the process. No network drivers were found. I solved the problem by downloading the correct driver package from support.dell.com, extracting the files from the downloaded .exe file to a folder called “drivers” on the USB drive, and then scanning the drive again. Fortunately, the restore program is smart enough to look through the entire USB drive, and not just the “Windows Home Server Drivers for Restore” folder. This time the correct drivers were located and loaded, the Windows Home Server was detected on the network, and the restore process proceeded successfully.

(Note: I mentioned above that I was running a 32-bit operating system because many people seem to get stuck when trying to restore a 64-bit operating system. The restore CD runs in a 32-bit environment and will not use 64-bit drivers if that’s what’s contained in the “Windows Home Server Drivers for Restore” folder. I just wanted to point out that it’s not only 64-bit drivers that can cause a problem in the restore process. Sometimes plain old 32-bit drivers turn out to be a pain, too.)

Tethering Moto Q 9H with AT&T – Windows Mobile Forums

The key bits of information, for those of you who know what you’re doing and just need the codes:

• Extra initialization commands (in modem properties): at+cgdcont=1,”IP”,”isp.cingular”
• Dial up number: *99***3#

I am a “fan” of Microsoft’s Office Live page on Facebook. Today they posted an update that appeared on my wall:

We all could use a little guidance from a consultant about now. But, for most of us, the cost of hiring a business consultant is far beyond our reach. However, help may be available for small-business owners from an under-utilized resource: college students.

What’s that, Microsoft? You’re saying I can be replaced by college students!?!?!?!

In fairness, the blog that the Facebook entry links to is not terribly inflammatory. It doesn’t suggest that a college student can do what I do. It merely suggests that students can be brought in for short-term, closely defined projects. Businesses of all sizes have been doing this sort of thing for years. I do wish, though, that the lead-in paragraph had been worded a little more carefully.

Today, though, I got a comment that went right to the point:

Post comments on websites automatically using automated comments posting software. Get thousands of backlinks per day, increase your sales and earnings. Automated comments poster is the best way to build backlinks and promote websites automatically!

Hey, at least they’re being honest.

Please forgive the extremely boring graphics at StopBuyingServers. One of these day’s I’ll spruce it up.

I just checked all of my suit / sport coat jacket pockets and none of them are wider than 4.75”. Add the thickness of the machine, and there’s no way they could fit anything wider than 4”. Some overcoats might have outer pockets wide enough to accommodate the VAIO, but a computer stuffed into a pocket like that would probably fall out or be stolen. Just look at the picture. Can you imagine any article of clothing that would have a pocket big enough for that thing?

The easiest way to change the expiration date for your server’s SSL certificate is to re-run the CEICW. When you get to the page asking about the web certificate, create a new one:

Obviously what you put in the “Web server name” box should match what you had there before – the external hostname of your server. SBS will generate a new certificate, whose expiration date will be five years in the future.

Because third-party SSL certificates from GoDaddy and others are so inexpensive these days, there is little reason to continue using self-signed certificates in SBS. However, if you want to stick with a self-signed cert for more than five years, now you know how.