English – blog.soldierer.com
https://blog.soldierer.com
Walter's Tidbits
Tue, 18 Feb 2025 12:02:25 +0000

GDPR Craziness / DSGVO Irrsinn
https://blog.soldierer.com/2018/06/04/gdpr-craziness-dsgvo-irrsinn/
Mon, 04 Jun 2018 07:59:41 +0000

Today I decided to make this website "GDPR compliant". No more cookies, Google Analytics, personal data processing, and log files. Not sure if that will protect me from potential legal consequences of not being GDPR compliant, but this is a simple personal home page after all and I'm afraid it is all I can currently do to protect myself. I would otherwise need to do all sorts of things, like publishing a long waterproof privacy policy, explaining the purpose of all cookies, and providing an opt-out technology for them. I already registered and installed an SSL certificate to protect your personal data contained in comments and contact requests.

If you want to comment on one of the blog posts, you can use the site’s contact form. If you tell me that you want your comment to be public, I will consider adding it to the post in question.


Today I decided to adapt this website to the General Data Protection Regulation. No cookies, no Google Analytics, no processing of personal data, and no log files. This is a simple personal home page and I don't really need any of that.
I hope that the website thereby meets the requirements of the GDPR, but I cannot be sure whether, in our nicely regulated world, this will actually protect me from all legal pitfalls and waves of cease-and-desist letters.
I'm afraid this is all I can currently do to protect myself. I would otherwise have to invest a lot of time, for example in writing a long, watertight privacy policy. I would also have to explain the purpose of all cookies and provide an opt-out technology for them. An SSL certificate is already installed to protect personal data in comments and contact requests.

Anyone who wants to comment on one of the blog posts should therefore use the website's contact form. The comment can then be added to the relevant post where appropriate.

New Blog Design
https://blog.soldierer.com/2014/11/09/new-blog-design/
Sun, 09 Nov 2014 19:57:59 +0000

Today I had to upgrade PHP on my hosting server. My terribly outdated and insecure WordPress version was incompatible with the new PHP and thus had to be upgraded, too. Lots of new features… maybe this is going to make me post more often 🙂

I also changed the blog’s design, giving it a nice contemporary template. Hope you like it.

Close button in iOS app?
https://blog.soldierer.com/2012/04/29/close-button-in-ios-app/
Sun, 29 Apr 2012 13:09:17 +0000

Apple is quite strict about their Human Interface Guidelines for iOS devices. Complying with these guidelines is not always easy though. Much of what Apple states in the guidelines is open to interpretation. It's a guideline, after all. Lots of statements such as "in general…", "if possible…", "in most cases".

Apple's developer support avoids clear answers on questions about the guidelines. If your question is a tricky one, they will much rather refer back to the guideline or recommend you simply submit your app and give it a try.

When an app is rejected there is often only a very general statement about why this happened. Usually it’s just a boilerplate message referring to a section in the guideline, including a brain dead recommendation to rectify the issue, like taking out a feature altogether.
The most annoying experience I had with Apple recently was a discussion on the phone with an employee who suggested that closing an app programmatically may be acceptable if we were to change it from a free app to a paid one. The app concerned is a free program to promote a pharmaceutical product with a cool Google Maps based reporting tool. Being a pharma app, the tool must have a one-time disclaimer message which the user needs to agree to before using the tool. But what if the user does not want to accept the terms? We thought it would only be logical to close the app, even though this may not be in compliance with Apple’s interface guidelines. The app was nevertheless accepted on first time submission. The rejection occurred however when we uploaded another release about one year later:

Don’t Quit Programmatically!

We decided not to accept this decision and started a debate, telling Apple that pharma market conditions require promotional tools like apps to be very clear about the legal framework they operate under. There must be Legal Terms, and if the user rejects them, the app must dutifully close. That's what our users expect. If we let them end up in a you-must-accept-these-terms loop, they might feel like being tricked into accepting something they don't like. Also, there are multiple apps out there which terminate when you reject the one-time disclaimer.

After having read our justification, Apple decided to escalate the issue. I received a phone call from an employee who did not seem to be very interested in discussing the Guidelines and our initial response. Instead, he suggested that closing this app would make more sense if we were to charge for it, "like 99 cents".
What? Why would a charge justify this? I tried not to express my annoyance and I explained in much detail that this is a free promotional tool, and that under no circumstances we would ever charge for it. The Apple person patiently listened, but his response was no more than a suggestion to resubmit the app and await a decision. I thought "That's it". The app will never get approved again. All that money was wasted. So I once again tried to convince this guy, no less dedicated, and no less detailed. He again listened patiently, he again did not comment, and he again just recommended to resubmit.

Guess what happened? When I resubmitted the app, it was approved in no time. I of course cannot tell whether it was Apple’s sole intention to change the app into a paid one, but what I was told during this phone call made no sense to me at all.

Computer and network security
https://blog.soldierer.com/2008/11/19/computer-and-network-security/
Wed, 19 Nov 2008 22:11:05 +0000

[Image: Paypal football token]

Whenever I take a look at our web server log files, I am amazed how many robots are trying to hack their way into our machines every day. And whenever I help a friend or neighbor to fix a computer problem, I need to explain even the most essential safety measures as most PCs are infected with some trojan or virus already.

Computer and network security is a big issue; don't underestimate the risks. I first noticed this years ago when I installed a free personal firewall on my PC. Only seconds after the program started to do its job, it alerted me of suspicious activity on ports and protocols that I didn't even know existed. Steve Gibson calls this activity Internet Background Radiation. Much of this is not merely junk but malicious traffic. To protect my personal computers, data, and privacy, I have taken a number of simple security measures which I want to share with you.

Hardware

Use a router
No matter whether you have a cable, DSL, or ISDN connection, buy a router and let it block all unwanted traffic. Modern routers include a hardware firewall which will close or „stealth“ all machine ports that do not need to listen for incoming network traffic. Make sure that all network ports are stealth (invisible), or at least closed (unresponsive). You can use the Shields Up online tool to challenge your computer’s ports.

Security tokens
Paypal/Ebay implements two-factor authentication. For very little money you can purchase a small device (see image above) which generates a unique key each time you log in. So even if somebody knows your password, they cannot log into your account because they don’t know the extra number which changes each time. Verisign offers a similar system which you can use to secure your OpenID account. Many online banks have similar tokens or devices that generate one-time keys using the bank’s card.

Encryption

Use encrypted connections to the Internet whenever possible. If a web shop or service offers a secure (SSL, https) connection, use it. Try to set up your email client with a secure connection (TLS, SSL) to the mail server. Encrypt sensitive emails or email attachments.

If you run a WLAN, encrypt your traffic. Do not use WEP to do this as this protocol can be cracked within minutes! All modern routers have WPA which is much more secure. If your access point and connecting machines support WPA2, often also referred to as AES or CCMP, use this. For regular WPA encryption (a.k.a. WPA1 or TKIP) a vulnerability was recently reported which could allow a hacker to decrypt very small data packets under certain circumstances. With both WPA1 and WPA2 your WLAN is definitely protected from eavesdropping as long as you use a secure password. Generate a strong password here.

My laptop's hard disk is encrypted with TrueCrypt [comment Nov 10, 2014: Truecrypt is no longer supported by its developers, see truecrypt.sourceforge.net]. Should it ever get stolen, nobody will be able to see the data.

I never connect my private laptop to a wireless access point in an Internet café or hotel. On my company laptop I can use a secure VPN connection. If you don't have company VPN, use a service like OpenVPN to get your data encrypted before it is aired on an insecure WLAN.

Software

Operating system updates

Always install all security patches immediately.

Firewall

Since Service Pack 2 of Windows XP, every Windows machine fortunately runs Microsoft's software firewall. It only blocks incoming traffic though, which is why I run the Sygate free software firewall. Sygate alerts me when a program on my computer wants to connect to the Internet. I would therefore be able to quickly identify and block any trojans that try to phone home. Once malicious software finds its way into your computer it can disable the software firewall. A hardware router therefore provides better protection.

Antivirus programs

I run Avast free Home Edition on my PC. Needless to say that every computer should have antivirus software installed. Computer viruses are no longer distributed via floppy discs or email attachments. Most infections happen on websites these days, so you had better have a virus tool scan the incoming traffic.

Anti Malware tools

Next to Avast I run Spybot Search & Destroy. There is much more junk out there than just viruses.

Virtual machines

A virtual machine will protect you from any damage caused by viruses and malware because it is a self-contained operating system environment which can be easily reset to a previous state if it was compromised. If you like to surf the darker corners of the Internet, get yourself a copy of VMware.

Web browser

Use the most recent version of your web browser of choice. Don’t stick to older versions as they have known security vulnerabilities that got fixed in more recent releases. Configure the browser to block 3rd party cookies. Delete permanent cookies from time to time. Do not allow unknown or even dubious websites to run Javascript in your browser. Use Internet Explorer’s trusted zones or the Firefox NoScript add-on.

Secunia PSI

This useful tool helps you to always run the most recent and secure versions of software. It scans your PC and reports programs that should be updated.

Good security practice

A number of additional simple measures will significantly increase your security and privacy.

Do not work and surf with your computer’s Admin account, create a less privileged user account.

Make your hosts file read-only to prevent malware from tampering with it.

To prevent keystroke logging, copy-paste user names and passwords, don’t type them.

To prevent cross-site request forgery, log out of a password-protected website before you surf to another one.
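
A check for the hosts file measure in the list above, as an added example that is not part of the original post. A read-only flag can be cleared again by any process with sufficient rights, so this sketch reports both whether the file is writable and which entries differ from a known-good copy; `audit_hosts`, `BASELINE` and the sample entries are constructed for illustration.

```python
import os
import stat
import tempfile

# Known-good content recorded while the machine was clean (constructed sample).
BASELINE = """\
127.0.0.1   localhost
::1         localhost
"""

# Constructed sample of a tampered file: one extra mapping was appended.
TAMPERED = BASELINE + "203.0.113.10  update.example.com  # added entry\n"


def parse_hosts(text):
    """Return the set of (host name, address) pairs, ignoring comments."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        entries.update((name.lower(), address) for name in names)
    return entries


def audit_hosts(path, baseline_text):
    """Report write permission bits and entries that differ from the baseline."""
    mode = os.stat(path).st_mode
    writable = bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    with open(path, encoding="utf-8", errors="replace") as fh:
        current = parse_hosts(fh.read())
    baseline = parse_hosts(baseline_text)
    return {
        "writable": writable,
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


def demo():
    """Audit a temporary copy before and after it is made read-only."""
    fd, path = tempfile.mkstemp(suffix=".hosts")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(TAMPERED)
        before = audit_hosts(path, BASELINE)
        os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        after = audit_hosts(path, BASELINE)
        return before, after
    finally:
        # Restore write permission so the temporary file can be deleted.
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        os.remove(path)


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

The second report shows that making the file read-only does not remove an entry that was already added, which is why the comparison against a baseline is part of the check.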

Ironkey
https://blog.soldierer.com/2008/09/02/ironkey/
Tue, 02 Sep 2008 12:05:06 +0000

When I heard Steve Gibson talk about the Ironkey I wanted to have one. It's basically a USB storage device with strong hardware encryption built in. In an earlier post about encryption I said:

Some USB drives (SanDisk, Lexar, Kingston, IronKey) have hardware encryption built in, but when it comes to encryption, I prefer to stay away from proprietary implementations.

Well, the Ironkey is proprietary of course. However, after Steve’s interview with Ironkey’s CEO I was very curious how the thing would actually work. For my daily needs Ironkey’s level of security is more than I need anyway. And I’m not a big fan of conspiracy theories. Ironkey is very likely not a subsidiary of the NSA. And should I ever be concerned about some government agency breaking into it, I can still encrypt the data on my Ironkey with PGP. Call me paranoid but actually I run a copy on the Ironkey and use it to encrypt the hundreds of entries in my master passwords file.

Free encryption software (4) – Gnu Privacy Guard
https://blog.soldierer.com/2008/08/25/free-encryption-software-4-gnu-privacy-guard/
Mon, 25 Aug 2008 16:36:27 +0000

Gnu Privacy Guard (GPG) is an open source PGP clone. It uses strong encryption to protect emails as well as files and folders. For encrypting drives, folders, and files I use a different piece of software (Truecrypt). GPG is my encryption tool for email. The majority of email traffic on the Internet still goes unencrypted, which still amazes me. Many email users don't know that their email can be easily intercepted and read. PGP's documentation compares sending email to sending paper postcards, and rightly so. There is no envelope. Any person having access to a mail server or a router could read or automatically filter the many emails that are processed every day. Wireless connections are even more of a problem. There is software which can make email data visible if it is sent over an unencrypted WLAN connection.

So do I encrypt all my email? No. I wish I could, but none of my friends and colleagues uses email encryption. There are only two things I can do: download my mail with a secure protocol to at least encrypt the last hop, and never forget that emails are like paper postcards that not only the postman can read.

Free encryption software (1): Introduction
Free encryption software (2): File encryption on USB flash drives
Free encryption software (3): Hard disc encryption

Color blindness and accessibility
https://blog.soldierer.com/2008/08/21/color-blindness-and-accessibility/
Thu, 21 Aug 2008 15:23:57 +0000

[Image: Color Pencils. Image by Monfocus on Pixabay]

In an effort to meet accessibility requirements, I was looking for tools to check whether users with a variety of color blindness conditions can actually use our websites. Posters and brochures can already be difficult to read for color blind people. On web sites another dimension is added to this problem because certain features may be rendered useless by choosing a bad color palette. Colored links for example, if not underlined, may not be seen as links because they appear to be of the same color as all other text.
When website accessibility is discussed, the focus is usually on screen reader compatibility and blind people. Accessibility issues caused by a bad color palette are actually much more common. In the USA alone there are 3.5 million people with some form of color blindness. Most have difficulty discriminating red and green hues ("red-green blindness"). A website visitor who cannot see the difference between a red word and a green word will not be happy if these colors are used to mark up navigation elements or highlight important content. Checking your website palette for such issues therefore is a good idea.

There are online services that accept a URL and return the corresponding web page with color modifications that match a particular color vision deficiency. The modified page is either returned as a web page or screen shot. A standards compliant page may not be returned in a useful format, as some of these services have only limited CSS support.

Examples:

The Colorblind Web Page Filter
Vischeck Webpages

Other services accept an image file and return its modified version. While this method requires a bit more work to create, save, and upload a screen dump, it produces much more reliable results.

Examples:

Color Blindness Simulator
Vischeck Images

If you prefer to install your own tool, try Colorfield Insight, a Photoshop plugin. There is also free software available to convert web pages into what will be seen by a color blind person. ColorDoctor from Fujitsu works great!

Testing your sites for color related accessibility issues (contrast, brightness, color blindness) is not a low priority thing. It should be part of your regular review and sign-off procedures.

eMarketing Summit 2008
https://blog.soldierer.com/2008/05/19/emarketing-summit-2008/
Mon, 19 May 2008 12:13:51 +0000

This year's eyeforpharma eMarketing conference took place in Zürich. Apart from Zürich being a wonderful place to be, the conference was well worth attending. It was particularly interesting to see how all of big pharma is getting prepared to cope with the challenges ahead, and what role eMarketing plays in the process.

A new model

Most presentations were oriented around the same general theme. The traditional pharma sales model is changing quickly and dramatically. Some US presenters even stated that it is about to collapse because many physicians don’t (want to) see reps anymore.

Fewer blockbuster drugs, shrinking product differentiation, and ageing product portfolios force companies to adjust their marketing approach, in particular:

  • closing the loop,
  • moving from push marketing to dialogue marketing,
  • recognizing the value of the “long tail”.

Many of the marketing terms used during the conference reflected these trends. Here are some of them:

  • Closed Loop Marketing (CLM)
  • Relationship Marketing
  • 360° view
  • Micromarketing
  • Multichannel marketing

The underlying concept for all these terms is the same. Doctors spend less time on listening to elaborate product detailing presented by sales reps. Instead, they prefer on-demand information tailored to their specific needs and presented to them at the time and place of their choosing. Online media in particular have enabled them to be in control of all important aspects of communication, the what, the how, the when, and the where. A recent Manhattan Research study shows that in the EU 85% of physicians want online product information. They prefer a mix of channels, including email, web, and traditional offline communication.

New marketing skills

All big pharma companies are in the process of adapting their marketing communication to their customer’s preferences. The online medium offers great tools to customize marketing communication for both doctors and marketers. eMarketing concepts and tools therefore are an integral part of pharma’s new marketing communication strategy. This also affects the brand marketer’s daily work. Offline-online marketing integration is essential. Understanding the Internet and how eMarketing can be added to the mix was identified as being a key skill for advanced pharma marketers. More and more job titles on the delegate lists of marketing conferences express this trend. Taken from this event’s list:

  • Multi Channel Marketing Manager
  • Director Integrated Business
  • Marketing Excellence Manager
  • CRM and eBusiness Manager

The delegate list also contained a large number of marketing roles without an “e”, so brand managers want to keep up.

Role of the sales force

Several presentations addressed the role of the sales force in this process. Reps are still considered a very important part of the relationship building process. They are needed for closing the loop, so they must support CRM. A successful sales force uses all available customer information to deliver the right messages, and they feed new insights back into the system. eMarketing tactics like email marketing or online meetings can be made more effective if sales reps participate.

Sales force focus                       | eMarketing focus
Quality information                     | Simple interactions
Innovations                             | Mature products
Key customers                           | The long tail
Second line of support                  | First line of support
Use information                         | Collect information
Potential customers: closing the deal   | Potential customers: initial contact
Customer acquisition and retention      | Customer retention

Conference take-home message

The pharma marketing model continues to transform from product-oriented “spray and pray” push marketing to integrated relationship marketing involving time and place shifting. Online communication tools have some unique features to support the new model, and therefore play an ever increasing role in this process.

Website standards
https://blog.soldierer.com/2008/05/10/website-standards/
Sat, 10 May 2008 07:17:39 +0000

In April 2008, the British Standards Institute published PAS 124, a best practice approach to implementing, maintaining, and managing standards compliant websites. PAS 124 helps organizations deploy web site standards. So if you are involved with the planning or building of web sites, this document is a must read. Being one of my focus areas, website standards are part of my daily work. As a member of the review panel for PAS 124 I got my hands on the document very early, and I have been using it ever since.

Internal policies and procedures need to be established to make sure that relevant website standards are defined, implemented and maintained. For new websites some level of standards compliance is usually applied today. Finding a budget for making existing sites compliant can be challenging though. The site may not look much different afterwards.

“So what did you need all that money for?”

Don’t answer this question by just listing insider terms such as brand consistency, usability, browser compatibility, accessibility, W3C compliance, or search engine optimization. If you have read PAS 124, your answer around these terms will be much more elaborate and meaningful. The document explains what web standards are, why they are important, how they save money in the long term, and why they improve the quality of your sites to provide a better user experience.

PAS 124 is not a comprehensive technical reference for the standards themselves. Please refer to other resources if you want to learn more about website accessibility or semantic HTML.

A free summary of PAS 124 can be downloaded from the sponsor’s website. You can purchase the full document at BSi’s web shop.

Web standards are crucial, make sure that your web agency and internal staff are familiar with them.

Free encryption software (2): File encryption on USB flash drives
https://blog.soldierer.com/2008/03/12/free-encryption-software-2file-encryption-on-usb-flash-drives/
Wed, 12 Mar 2008 20:21:14 +0000

I have been a PGP user since 1996 and I still use Ståle Schumacher's international DOS version 2.63i to encrypt files on my USB flash drives. All I need is PGP's small executable file (pgp.exe, 237.737 kb). On first use, PGP will create a second small file that contains some random seed data for the encryption. With this minimal setup, PGP will warn you about a missing configuration file, but this does not affect the strength of encryption. The USB drive on my key ring contains an encrypted passwords file and pgp.exe, providing easy access to the many cryptic passwords I use. All I need is one strong master pass phrase to decrypt the file and get instant access to more passwords than I could ever remember.

I insert the USB drive and open a command prompt window (Start > Run > cmd).

PGP file encryption:

pgp -c filename

PGP file decryption:

pgp filename.pgp

PGP 2.63i in action

In conventional -c encryption mode PGP uses a symmetric block encryption algorithm (IDEA) with a key size of 128 bits. Together with a good pass phrase this is really strong encryption.

Don’t forget to securely delete the plaintext file afterwards:

pgp -w filename

Since this version of PGP was developed for DOS, it only supports 8 character file names (8.3).

PGP 2.63i is still available from Ståle's pgpi.org site.

Back in 1996 I contributed the “self-sign FAQ” to the PGP community.

Other Flash drive encryption options for Windows, Mac and Linux

Many different free and commercial PGP versions and clones are available. See pgp.com, pgpi.org, and gnupg.org. I still use PGP 2.63i because it is an easy-to-use lightweight program that provides strong encryption and can be put on any device by simply copying one small file.

Truecrypt in “Traveller Mode” can be used to create an encrypted file container on Flash memory. Truecrypt is free and provides super strong encryption, too. However, you need to have administrator privileges on all machines that you decrypt the container on. I’m not an admin on my machine at work but need access to the passwords on my keyring there, too.

Some USB drives (SanDisk, Kingston, IronKey) have hardware encryption built in, but when it comes to encryption, I prefer to stay away from proprietary implementations.

Free encryption software (1): Introduction

Free encryption software (3): Hard disc encryption

Free encryption software (4): GNU Privacy Guard
