Archive for August 2008

Yes. This is clearly what you should report to the authorities.   3 comments

Found on Flicker via Digg:

Yes, this is certainly the sort of thing you should report as potential terrorist activity.  No threat of false positives there.

Posted August 31, 2008 by padraic2112 in security

This Makes No Sense?   1 comment

From the Associated Press, via ABC news and my wife: “Court: US can block meat packer from testing its cattle for mad cow disease

A federal appeals court says the government can prohibit meat packers from testing their animals for mad cow disease.

Because the Agriculture Department tests only a small percentage of cows for the deadly disease, Kansas meatpacker Creekstone Farms Premium Beef wants to test all of its cows. The government says it can’t.

Here’s the wikipedia entry with some background.  A undoubtedly partisan writeup is here.  Consumer Reports writeup is here.  Slashdot commentary is here.  Now, it appears that there are legitimate reasons why blanket testing is unnecessary.

There is a two- to eight-year incubation period for mad cow disease. Because most cattle slaughtered in the United States are less than 24 months old, the most common mad cow disease test is unlikely to catch the disease, the appeals court noted. If the government does not control the tests, the USDA is worried about beef exporters unilaterally giving consumers false assurance.

This is probably why Japan only allows us to export beef cattle 20 months or younger, because we don’t test every head.  So, from a purely scientific-economic standpoint, given that in the U.S. we slaughter beef before 24 months, what Creekstone is doing isn’t necessary – they’re increasing cost without providing much in the way of additional security.  However, from a strictly macroeconomic standpoint, some countries don’t like U.S. beef because we don’t test each cow, so we can’t export our beef there.

This doesn’t make sense on about 1,000 different levels.  Why would an administration that claims to be anti-big government interpret the body of regulatory law this way?  Especially when they argue that other government agencies don’t have the authority to enforce testing in other industries?  While the USDA certainly has an interest in maintaining good testing practices, it appears that Creekstone has a damn fine testing facility; they have the means to perform good testing.  It’s not economically infeasible; Japan tests every head of beef for Mad Cow.

Ah, but large beef producers in the U.S. generally produce beef for domestic consumption, and keeping the price of beef low means that they can sell… more red meat to the average U.S. citizen… than they ought to be eating in a week anyway?  And large beef producers don’t want to test every cow, because it’s expensive.  But “we’re afraid that people might want it” seems to be a pretty crappy reason to apply political pressure to your smaller competitor, isn’t it?

I doubt this is over, rulings have gone both ways in this case.  I expect Creekstone will keep at it.  If the Democrats take the White House, I expect a massive overhaul of both the USDA and the EPA.  While (again) there may not be legitimate science behind “testing every cow” as the optimal meat safety practice, this is the sort of change that could be made into a public relations victory.  If I’m running Big Meat, USA, I’m making plans to do what Creekstone is doing now before it becomes The Law.

Posted August 31, 2008 by padraic2112 in politics, science

Sarah… Palin?   2 comments

So McCain (in a move undoubtedly planned to take steal some thunder from Obama) announced his Vice Presidental pick today – Sarah Palin, governor of Alaska.

I don’t get it.

To tell you the truth, the last few weeks seems to have been filled with oddball moments in politics.  First, Obama flubs the expected high heat from Rev Warren (“That’s beyond my pay grade” – really?  You know this question is coming and this is the best you come up with?)  Then Obama picks Biden as his VP – a senator who hasn’t quite been around as long as dirt.  Not that I don’t like Joe (even when I disagree with his politics, the guy is inclined to be rather blunt, which is refreshing in politics) but he hardly seems to be a natural for the “Change” candidate.  Then last night Obama delivers quite an excellent speech, and does what he should have done when Warren served up the “when does life begin” question -> he reframes it.  This is, after all, what his campaign message has been all along… “let’s not focus on what divides us, but what unites us”.

I think Mr. Obama needs a bit more rest; the campaign seems to be wearing a bit on his ability to talk outside oration.  Whether or not you think that Obama is just chock full o’ it or an honestly genuine guy, you have to admit that last night he gave a Presidental speech.  The man certainly knows how to talk without sounding like an idiot (or acting like his audience is a collection of idiots, something the current office holder does with depressing regularity).  If it comes down to looking Presidential, Obama blows McCain away.  Heck, even Pat Buchanan, hardly a fan of liberalism, liked the speech:

But I digress.

So today McCain busts out with an entirely unexpected VP pick.  This is actually something I expected (that the pick would be unexpected), simply because picking the unexpected pick would dish up media talk, and media talk is what McCain needs.  He’s got little in the way of monetary resources in comparison to Obama, so all the free press he can net is good press.  Picking a woman is something a cynic would say is a good call – woo those disillusioned feminist Clinton supporters!  Uh, except Palin’s not exactly a feminist candidate.  This isn’t like picking Susan Collins, who at least has been in the Senate for 12 years.  Collins was actually my secret pick – heading up the FEMA investigation after Katrina answers that Democratic charge, she’s a moderate and would appeal to independents, she’s worked in health care reform – also answering that Democratic talking point, and she’s got a 100% rating from the Small Business folks.  Palin’s a relative political newbie.  If you’re going to be saying that Obama is too young and inexperienced to run the country, Palin’s just a weird pick.  Unless…

Palin’s a diehard pro-life supporter.  McCain may be trying to buck up his pro-life credentials, and a pro-life woman running mate is an intriguing combo.  But you’re not going to get pro-choice independents with Palin as your running mate (whereas Collins has gone pro-choice in the past).  I don’t think McCain *needed* a diehard pro-life supporter.  Contrary to the radio pundit I heard this morning, diehard pro-lifers weren’t going to cross over to Obama under any circumstances, so McCain’s perceived lack of antiabortion votes isn’t really a loser for him, is it?  Is Palin really going to get the anti-abortionist crowd out?

If anything is going to get the anti-abortion crowd out to the polls this election cycle, it’s going to be the Democrats talking about Supreme Court justices and how this next President is going to set the court’s personae for the next decade.  When Gore brought it up last night, it flashed on me that this is a line of attack that can only cost the Democrats an advantage this campaign.  Anti-abortion voters will vote for McCain if there’s a remote possibility that it can net an overturn of Roe v Wade.  Pro-choice voters, on the other hand, are probably less concerned about Obama losing.

Anyway, Palin is definitely an ethics reformer candidate.  Maybe that will be the talking point during the elephant circus next week, we’ll see.  If it comes down to a VP debate, my gut call is that Biden will eat her alive, but I don’t know much about her public speaking skills, so that’s more based upon Joe ripping into someone on Meet the Press than it is a fair and balanced political analysis.

Now it’s almost time for the coin flip.  Teams have been picked.  The crowd is tired of the pregame show.  Captain Obama, this is Captian McCain.  Captain McCain, this is Captain Obama.  You’ve got the toss there, Captain Obama… Captain Obama calls “Heads”… it’s…

Posted August 29, 2008 by padraic2112 in politics

Funny Story, Serious Implications   Leave a comment

From Arstechnica, by Joel Hruska

Lloyds TSB is the fifth-largest banking group in the UK … [snip]… the banking giant enjoys rooting through customer records and changing passwords it finds offensive, then refusing to change them back.

Steve Jetley of Shrewsbury discovered this firsthand, after he changed his telephone banking password to “Lloyds is pants” (“rubbish” to us American sods on the wrong side of the pond). Upon calling in, Jetley discovered that his “pants” password didn’t match what was in the system. Instead, his password had been changed to “no it’s not.” Initially, this was no big deal.

Actually, this is a really big deal.

What this means is that the password database for Lloyd’s is unencrypted.  This is a very-very bad no-no.

If you’re using passwords as your authentication method, decent security demands that only the user knows what the password is.  That is to say, it is impossible for anyone at the bank to find out what the user’s password actually is.  In cryptography, this is accomplished using one-way hash functions.

Mathematically, the concept is actually pretty simple.  A hash function takes a string (in this case, the user’s password “Lloyds is pants” and computes a result that cannot be reverse-engineered.  For example, an MD5 hash of “Lloyds is pants” might look like this: “08cbdb76f55034939fb530dbf367725b”.  The cool thing about well-designed hash functions is that if I know the hash, I *can’t* tell you what the original password is (note, this isn’t exactly the case for MD5, which is broken, but that’s not germane to this post).

Anyway, this means that if someone manages to get unauthorized access to the password database, they can’t see the actual password, they can only see the resulting hash.  This means that they can’t turn around and *use* the password.

Lloyd’s obviously doesn’t do this.  Which means that any employee who has access to the password database can not only act like a corporate gentility cop (like this story), but they could also sell, trade, or use the password themselves.  Ick.

[edited to add] – Bruce and I are picking up on the same stories lately.  The comment thread over at his blog indicates that this isn’t actually a password (to be used with online banking, for example), but a code phrase, to be used when dealing with human banking representatives.  Which explains the unencrypted nature.

Posted August 29, 2008 by padraic2112 in security

This is relatively cool   1 comment

Mr. Voss sent me this one… someone has too much time on their hands.  I applaud the results.

My favorite so far:

But this runs a very close second:

Posted August 27, 2008 by padraic2112 in noise, web sites

IS Research in Real World Organizations   1 comment

Lisa Kleinman, a doctoral student in IS at University of Texas-Austin, recently asked the AISWORLD Information Systems World Network mailing list for advice on getting research projects running in real-world organizations.

Lisa compiled all of the responses and created an information page. If you do IS research, or any sort of real world research where you want to get your nose into an existing corporation or organization, there’s some good advice here.

With permission, I’m replicating the page here, in case Lisa’s personal web page disappears from the Internet some day:

Obtaining (Academic) Research Access from Organizations
This web page is intended to help doctoral students with the process of obtaining access to conduct data collection with a real world organization. I am a doctoral student who is currently trying to access four Fortune 500 companies to conduct a survey with their employees and make observations while job shadowing.

The information summarized here is mainly drawn from the wisdom of readers on the ISWorld mailing list who were generous enough to share their insight into this process with me. If you would like to be given credit for your response, please let me know and I will add a citation. Also, feel free to contact me if you have additional resources or advice to add to this page.

1. Published Resources on Research Access
Rymer, J. & Rogers, P. (1993). How researchers gain access to organizations. Business Communication Quarterly, 56, 42-48.

  • This paper has four vignettes where researchers describe in detail their experience with gaining research access. In one case the individual already works for the organization but wants to collect data for his dissertation simultaneously, in another case a doctoral student finds his own research site by cold-calling, the third case discusses access using family connections and the fourth describes how she focused on discussing her research with new people whenever possible in order to generate leads.

Brewerton, P. & Millward, L. (2001). Organizational Research Methods (Chapter 4: Obtaining and Using Access to an Organization), 44-51.

  • This chapter briefly summarizes the process of research access by talking about finding leads, putting together a proposal, getting a buy-in and manging the overall process.

Witman, P. (2005). The art and science of non-disclosure agreements. Communications of the Association for Information Systems, 16, 260-269. Available online here.

  • Helps researchers negotiate the process of NDAs when trying to conduct research in organizations.

Interview with Prof Kevin C Desouza on AOM-OCIS Student Site

  • Professor Desouza discusses how he achieves buy-in from organizations to carry out research.
2. Finding Leads
  • Ask your adviser and/or committee members for introductions to people they know in industry
  • Attend conferences where executives and managers are likely to be in attendance and introduce yourself
  • Utilize the connections of alumni groups from colleges you have attended
  • Utilize the connections of graduated Masters students from your college who may be in industry now (or former students you may have taught)
  • Check your Facebook, LinkedIn, etc. connections for any leads
  • Contact local community service groups/clubs (e.g. Rotary, Toastmasters) and offer to give a presentation
  • Connect with a professional organization/institution who may be able to grant you access to their member list
  • Try and get to the highest person possible in the organizational hierarchy (but not so high up that they don’t have time to consider your project and/or are concerned about the reputation of the company)
3. The One Page Proposal
  • Emphasize the direct benefits to the company in terms that they will value and understand
  • Explain that they are getting a consultant’s evaluation in exchange for their time
  • Eliminate any scientific lingo in the proposal
  • Emphasize confidentiality of the organization/employee participants
  • Discuss the “lessons learned” that your research will provide
  • Explain how risks will be mitigated (time involved, potential political problems)
  • Don’t bring up any questions that will put the company in an awkward or defensive position
  • Be sure what you can offer (e.g. a written report) will be given to them soon after data collection, not when the dissertation is complete
4. General Advice
  • Rejection by one person from the company does not necessarily mean someone else in the company can’t be of more help
  • Don’t send an attachment in your initial e-mail to a lead, people are unlikely to want to open an attachment from a stranger
  • Use every opportunity to demonstrate that you are an excellent person to work with
5. The Verbatim Responses (Uncredited)
Pardon my bluntness, Lisa, but in my experience no manager is going to read an 8 page proposal from a doctoral student whom they barely know, if at all. I suggest you write a one page proposal and include in the proposal the direct benefits to the company in terms of something that they will value. When I send my MBA students out to do case studies, I tell them to sell themselves to the company as if the company was getting a consultant’s evaluation for the price of their time. That same strategy got me entry and a grant with NASA, also. Create some ROI to the company and they will respond; well at least you will increase your chances.
In general it is just a tough proposition and takes time and likely multiple rejections. Given the school that you attend, it might be possible to get some introductions from Professors who already have consulting or prior research relationships.

But generically, these folks are all busy and have too much to do and too little time to do it. So your approach needs to be fairly concise. If you are working with executive levels of management, you probably need to outline your proposal in one page rather than eight.

Additionally, I always try to ensure that there is a value proposition for the company. That is, they can expect to receive some appreciable benefit for the investment in time that they do make.

But even with those suggestions, I have found it difficult although not impossible to gain access.

First thing that strikes me is your eight-page description of research. I’d bet the managers didn’t even read it, since they are chronically short in time and attention. Can you put your description in one page?

This improvement would also help you to compress your research intent into a digestible and communicable format.

Cut out all the details and focus on the essentials (e.g., drop the literature, methodology, hypotheses/expectations…). Speak in more general terms, eliminating scientific lingo. Be clear on how
your research would benefit a client organization; thus, focus on practical contributions and drop the research implications and considerations in general.

In a word, frame yourself as a consultant rather than researcher (you still are a student-researcher, formally speaking, but you act at a more mature and self-confident level that managers can more easily relate to). Your pitch: you will be providing a free piece of potentially a valuable advise.

Make sure you don’t save words in guaranteeing confidentiality of info you’ll collect (disguising persons, organization’s name; promising to sign a non-disclosure agreement; citing that you are bound by the ethical norms of academic research).

My guess is that the 8-page proposal probably scared them, or maybe had them running for legal advice. Naturally, we don’t want to deceive our participants, but it may not be necessary to disclose a lot of information that may not be relevant (I can’t say for sure not having
seen your proposal).

I was able to gain access to two different types of organizations, two electric power companies, and a submarine research and development lab. I have to confess. I had major connections with the
submarine research lab and wouldn’t have gotten within a hundred miles of the place without them.

With the power companies, it only took a casual acquaintance to get me in the door and high up in the chain of command. My situation was a bit different than yours. I was looking to conduct interviews, so I only needed about 10 people from each environment.

In any case, I think the best way in is to have/develop a relationship with someone on the inside. Schmoozing the right people can be the biggest help. I hope this helps. Best of luck with the research.

1) Go to a conference or meeting where likely prospects might be, and introduce yourself. Industry conferences, discipline-specific conferences, SIM chapters, Executive Women International, UT Alumni groups, academic departmental advisor boards, etc. Be able to explain who you are and what you are trying to do in about 30 seconds. Ask them first if you can setup 15 minutes with them to explain your project, and get on their calendar. If they won’t, ask them if there’s someone else at their organization who can help. Take along your advisor or a committee member if s/he is available. Don’t give them the 8 pages unless they ask for it. But DO explain what insights they can get from your work.

2) Send your email to someone you know at a prospective company to forward along. (UT Alumni groups might be able to help here as well. Also, ask your committee members who they know. And what about their former undergrad and master’s students, where are they working now? What about your former students? What about your Facebook lists?) Internal emails will receive more attention than external emails. Include a one-paragraph summary in the email. Make sure the attachment is small in size, or just don’t include it in the initial email. Few people will be interested in opening a document from someone that they don’t know.

Also, keep in mind that a Fortune 500 company will have many different people who could potentially help you. So a rejection by a specific individual does not mean a rejection by the company. And not hearing from a given person is more likely to reflect that they never read your email than they read it and rejected your proposal.

Finally, ask for funds if you need it, or make it optional. The higher up the corporate ladder you go, the more the issue is not their money, but how much of their time you will need.

I have worked with many companies in the past 5 years and my experience is that the shorter the description of the project the better. I personally never write a proposal longer than 1 page or that is longer that what can be shown on one screen. A proposal should explain to the business what is the question you are investigating, what data will you need from them, and what
they can learn from it. Your model(s) will probably be very different than the model (data analysis) that you will provide to the company. I wouldn’t try to explain to them exactly what models I’m running. The focus for the company is on the lessons learned. Hope this helps. Let me know if you have further questions.
8 pages is a problem Lisa – try one page with emphasis on the value proposition to them. You’re a risk with no clear reward. Show them how you will mitigate the risk (e.g., employee time is a cost, you could cause political problems for them, … ) and maximize the reward (i.e., tell them what’s in it for them). There’s other considerations but I’d need to know more about what you’re trying to do to be helpful.
My experience shows that the following are key to getting the cooperation of senior management, who are the only gate to get access to their organization:

  1. Use personal contacts to get to the highest hierarchy. It only works top down, no chance for bottom-up. Personal assistants are excellent contacts.
  2. Send VERY short research descriptions, 1-1.5 pages. they don’t have time to read 8 pages.
  3. In the executive summary you send focus on the following:
  • how they will benefit from cooperation
  • why it is not risky for their organization to cooperate
  • what they are required to invest in the process.

When (a) is high and (b) and (c) are low, plus the assistance of a trusted or close person, you might succeed. The most difficult thing, however, is to
get the attention of a (very) senior manager.

See OCIS PhD students website, there is a very interesting interview with Dr Kevin Desouza – he has some great advice to share about gaining access to those companies. And — do join the discussion if you find it interesting…
Hi: This is one of the greatest challenges we have as researchers. Here are some suggestions/questions for you to consider:

  1. Why does this have to be Fortune 500? Sometimes local orgs with ties to your institution are more amenable and just as suitable. Why do you need four sites? Can you change your research appproach to perhaps mine or or two in deeper ways?
  2. What’s in it for them? Managers of firms need to justify why they would have staff spend time on YOUR project. What possible benefit – in immediate terms – will accure to them? In other words, what relevance (in real not fake academic terms) does your proposed research have for them?
  3. How much time do you think they have? An 8 page proposal scares them off! Managers are NOT readers the way academics are. An initial one pager covering key issues from their perspective should suffice to gauge interest.

I sincerely hope this is helpful. Good luck with your research.

The most important thing to remember is that managers don’t have the time or desire to read 8 page research proposals. At the most they will read a 1 page summary and it should be written in business language (avoid all academic jargon).Personal connections are quite important to gaining access to organizations. Some other ideas that might be helpful to consider:

Ask you PhD supervisor/committee members to help you gain access – they are likely to have better contacts than you.

  1. Offer something back to the company. Be sure that what you offer doesn’t impact the independence of your research. You might offer to write up a short report at the end of the field work that would provide them with insights about all the companies where you conducted field
    work (anonymized).
  2. Be willing to open up your research design and reconsider the factors that are limiting you. For example must you study F500 companies? Do you have contacts in other companies/sectors that would make just as interesting a study? Of course you want to make your decision about
    fieldwork on more than just convenience and willingness of the company to participate, but we can often find the rationale for our choices once we have a viable company to work with.
  3. Use the prestige of the School to gain access and talk about the value to the company of partnering with the university (they can put this sort of information on their PR material). Some folks buy into the idea of helping to shape knowledge but others want to know how your study will
    help them.
  4. Find the right level of contact person – someone too high up will likely ignore it and worry about how the findings might effect the company’s reputation whereas someone too low (line level manager) will not have the authority to authorize the study and will be very busy…so
    your proposal will stay at the bottom of the pile.

Hope these ideas are helpful. Best of luck.

Three thoughts:

  1. Make your connection with someone relatively senior in the organization. You want to be in touch with someone who can approve your project and commit the resources to it. If your contact is too low, then s/he can only say “no”, never “yes.”
  2. Use your alumni relations office to identify graduates of your school. They may be more receptive to your proposals due to institutional affinity.
  3. When you make contact, do an excellent job. E.g., prepare thoroughly for meetings, follow up promptly, prepare excellent deliverables (be they memos, proposals, etc.) In other words, use every means you can to illustrate that you are going to be a good person for the organization to work with.
I’m a PhD candidate in a very similar situation. What is working for me is to offer organizations I want to work with something that’s of interest to them in the short term (i.e., not the results of the thesis in x years). It can take the form of a report or recommendations from what I have learned in their organization. I’m presenting this as a way for the organizations to better understand their own practices and thus to be able to improve them. This approach is also useful as a form of validation of the initial data analysis.
One thing that struck me in your message was the 8-page proposal. The companies that I’ve worked with have wanted significantly shorter requests – 3 pages at most (with lots of white space) but oftentimes, only 1 page. Once I’ve received the OK, the person designated as my contact has sometimes wanted more detail, but usually, nothing more than the original proposal.I suggest creating a 1-page executive summary of the proposed project that outlines what you want to do, what type of involvement is required by the company, and how the company will benefit. For example, you might organize the page into the following sections:

Introduction – 1 paragraph that describes the problem you want to address and the goal/objectives of the research.

Organizational benefits of participation – 1 paragraph about how the company will benefit. A sentence or two followed by 3-4 bullet points followed by a concluding sentence or two is all that’s needed.

Study participation requirements – here, you have 2 subsections, job shadowing and employee survey. Include shadowing requirements (How many people, how long will you follow people? Will you observe or ask questions?) and for the survey, how many people, how long to complete (I suggest aiming for 20 minutes since that usually doesn’t scare people off). You may find it helpful to include a third element – a timeline (e.g., 1 quarter for the shadowing, 1 quarter for the survey, 1 quarter for data analysis and feedback, and 1 quarter, assess benefits of ongoing research).

Conclusion – statement about absolute confidentiality for individuals and organization, along with contact info. I suggest including your advisor’s info along with yours.

Gaining access can be challenging, but field research is the most rewarding for me. Best of luck.

One of the things that I learned from doing my own dissertation research was that these managers need more than just a liking (or real interest in) your research topic. I did interviews across all employment levels of a multi-national company to study the implementation of an ERP system. What (I am pretty sure) gained me access was to point out to the General Manager (who became my ‘sponsor’ of sorts) the value to him of what I was doing. In the end, we agreed that I could do my research freely but I was to provide the GM with a short paper/report answering some of his concerns: what did the employees feel was done ‘right’, what was done ‘badly’, what should be done again/not done again in a similar initiative.Try ‘selling’ your project on its merits to the company: it may just give you that edge.
First, did you include an executive summary in your proposal? I know, from my own research experiences, that executives are too busy to read an 8-page proposal. Secondly, be persistent, but considerate. We must remember that accommodating academic researchers is not a high priority in their exceedingly busy lives. And third, do you have any contacts who might intercede on your behalf? Are there senior researchers (an advisor?) who could pave the way, so to speak? Could you make use of the school’s (or university’s) advisory council/board? Those individuals are already involved with academia, and it is more likely that they would have a personal interest in seeing you succeed.

Other creative avenues would be building rapport through local organizations: Toastmaster’s, Rotary Clubs, Country Clubs, etc. For example, you could volunteer to give a program for a Rotary meeting. Then at the end of your presentation, make a verbal request for participation. Have business cards and a 1-page outline ready to distribute. You are very fortunate — there are 14 Rotary Clubs in the Austin area. You can make contact with the clubs, explain what you need, and see if they’d be interested. This link shows meeting locations, date/times, and contract numbers for your area.

My biggest problem was the high turnover of executives in the companies in which I had already gained access. Essentially, I had to start from scratch twice, re-building relationships with those organizations after my dissertation.

In a nutshell, be concise in your explanation of the project, be specific in requesting what you need from them, and communicate what they can hope to gain from helping you. It doesn’t hurt to offer to make presentations on your results, perhaps finding a solution to an issue relevant to the executive.

Hope that helps a little. Gaining access to corporations is often difficult. Best of luck,

I saw your message on IS World and sympathize with the difficulties you’re having. I’ve been doing this for 20 years and have visited hundreds of companies, but it’s always a challenge. It mostly takes a lot of persistence and using any network that you can access. One good place to meet managers is at conferences where they are attending or giving talks. You can just walk up and introduce yourself, instead of going through all the e-mailing and phone calls just to meet them (you still have to do that to set up an appointment).
One suggestion. You said that “Using my personal network and some creative emailing, I’ve managed to get some initial nods of interest from two managers at different companies. However, I am having trouble “closing the deal.” After I’ve sent them both 8-page proposals outlining my research plans and questions, I’m not receiving any replies back.” I would send people a one page outline of your research, with another page at most of questions. A long proposal or very extensive questionnaire can scare people off. Also, leave out any questions that are likely to put them on the defensive. Save those for then end of the interview after you’ve gotten the rest of the information you need. Finally, let them know you won’t use their name or company name without their permission, and that you’ll show them what you write before publishing it in case there’s any sensitive or proprietary information they don’t want published.
The good news is that this can be the most fun part of research, talking to real people and learning from their experience. Good luck.
I don’t know if this is any help in your situation but the best thing I found was to work initially with a professional organisation (in my case the Insolvency Practitioners Institute ) and sell them on my ideas, then I was able to contact their members with their permission and support. The other important thing is to make sure the organisations you contact can see a benefit for them. In my case I targeted early career practitioners and was doing research into DSS design for a particular task, so I was able to frame it and sell it as free training. I ran my data collection sessions strictly in accordance with my research needs, then did a subsequent de-brief and interactive discussion which was all about the learning for the participants, and nothing to do with the research. I probably would suggest you cut back the proposal material also – a short zippy single page overview with an offer of more detail later if required is more likely to be read than a longer detailed story.
I’ve just been through that process (finished my dissertation one year ago), and routinely work through that issue with various clients, and various research methods (quant, case study, etc.).Several thoughts:
– In my most successful instance (my dissertation research) I was working through people I’d known in industry for some time. Even though all I was seeking was access to documents (which I would return, and which would be anonymized before publication of research) and access to people (for interviews, with no human subjects risk), there was still considerable friction, esp. due to the large company (a large bank).
– To overcome that friction, it was critical to give them a “what’s in it for them”. Even though these were people I’d known for a while, if there’s any up-chain reviews, they need to be able to explain it. So while an 8-pager is good, a 1-pager may actually serve you better, as execs won’t read 8 pages.
– What do you need from them?
– What are the risks?
– What are you doing to protect them? (confidentiality, encryption, anonymization in writing, …)
– What benefit do they get? (These could be meaningful to them as a company, as well as the altruistic “benefit to the educational system, to others, …”)

– One resource you might look at is The Art and Science of Non-Disclosure Agreements. It was intended to look at the legal aspects of these relationships, but there’s a lot of good material there about relationships as well.

Posted August 27, 2008 by padraic2112 in information science, msis, research, science, tech

6 shy of 600   4 comments

Ramblin’ thoughts today:

Did a little cleaning in the office; Kitty took Jack and Hannah to Kidspace for a birthday party, and I did a couple of minor things that have fallen off my task list for… well, several months now. Finally got around to mounting the wireless access point on the wall so that it didn’t take up desk space – things like that.

I also decided to get around to ripping and filing the 20-odd CDs I have purchased since I did my “great CD rip project”. During this project I got rid of a very large piece of furniture and over 500 crystal cases.  Now all my CDs are nestled in giant binders, and the album art and liner notes are currently locked away in a bin, awaiting… something. The total number in the binders now hits 594, if you count the Star Trek sound effects disk.

Of course, adding a bunch of CDs to a filed collection involves moving almost all of the disks; not too time consuming, but annoying enough that it took some inertial buildup to get it off the bottom of the to-do list.

Since I was touching most of them anyway, I decided to quality check a random selection while I was at it. In spite of the fact that I starting buying CDs in 1989, my collection is in remarkably good shape. They’re all playable without skips, and very few scratches overall… Ann or Megan will attest that this is largely due to rampant disc paranoia on my part. I’ve forbidden access to my CD collection to people who have left discs lying around instead of putting them back into their crystal case and filing them in the appropriate spot in the CD rack.

Oddly enough, although Kitty and I have a pretty large overlap on the things we like to listen to, we don’t actually have that many overlapped discs, so if you count Kitty’s 180-200 CDs, we come close to the 800 mark combined (my music player reports 776 albums in the repo). The rip collection is a little out of sorts, about a dozen discs didn’t rip when I made the repository, and I’ve never gotten around to fixing that up. Maybe I’ll start that project next weekend.

In the last 15 years, I’ve had to replace only three albums. The first is Pearl Jam’s Ten, which disappeared out of my apartment after a party. Why “Ten” and nothing else, I have no idea. The second is Rush’s Moving Pictures, which I’ve lost twice. The first time was the gold master copy, I’m still irritated about that one. I have to take the blame on that one myself, since I simply have no idea when or how it disappeared – I slipped the crystal case out of the rack one day and it was empty. The second copy was accidentally discarded with old computer equipment, also all on me (that’s what I get for using my own audio CDs to test work equipment). The final lost soul is the Beastie Boys’ License To Ill, which unfortunately was left in a rental car and lost forever.

Posted August 23, 2008 by padraic2112 in noise

To Infinity… And Beyond!   3 comments

I found this, and showed the video to Kitty, and she said, “Oh, yeah, this was months ago. You didn’t see this?”

No… how did I miss this!?!? Justin, this is supposed to be your job, finding stuff like this and forwarding it to me.  You’re on double-secret probation.  This is the coolest hobby ever (albeit totally bonkers insane).

Posted August 22, 2008 by padraic2112 in tech

The Ring… OF FIRE!   2 comments

Very cool (found via the Bad Astronomer).

Posted August 22, 2008 by padraic2112 in noise

Oopsy Daisy.   Leave a comment

From RedHat:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages, and have published a list of the tampered packages and how to detect them at

Man, would I love to see how package signing occurs at Red Hat.  I’m going to guess that they’re doing it wrong.

Basically, someone’s managed to get a trojaned SSH package signed by the RH signing authority.  Since they were (apparently) unable to get the compromised package into the Red Hat Network, all RHEL customers that use RHN for their updates should be okay.

However, if you use… say… CentOS in your enterprise, it’s probably a good idea for you to take a long hard look at your package repository.  You can’t rely on “hey, signature checks out!” to verify trustworthiness.

This is one of those security announcements that is of small immediate practical impact, but worrisome in implications.  How does RH sign their packages?  How did this occur?  How do we know it won’t occur again?  I expect the answers to those questions are (a) we’re not going to tell you (b) we’re not going to tell you and (c) trust us, nothing really bad happened this time, right?  Slashdot thread.

Full disclosure time, boys.  Who screwed up?

Here’s an interesting blog post detailing… well, not much.

The risks mean we’ve had to be really careful who has signing privileges with the legacy key and how the key signing is handled.

The new key, in contrast, was created in a hardware cryptographic device which does not allow the unprotected key material to be exported. This means we can give authorised signers the ability to sign with the key, but no one can ever can get access to the key material itself. This is an important distinction. If for example a current authorised signer switches roles and is no longer responsible for package signing we can instantly revoke their rights and know that they no longer have the ability to sign any more packages with that key.

Two immediate possibilities spring to mind: someone was able to socially engineer a signer into signing a package, or the process has some level of automation in it, and the attacker was able to inject the bad package somewhere in the automation.  Either way, it illustrates the point that cryptography isn’t generally the hardest part of security, it’s process that’s the sticky widget.

Posted August 22, 2008 by padraic2112 in linux, news, OS, security, software, tech