Archive for 2008

The Economy from a Small Business Perspective

Monday, December 8th, 2008

While the press gives us the view of the bailout of the Big Three and the Wall Street banks at the 20,000 foot level, let me tell you how the economy looks from the ten foot level.

This year started out like most other years, but it was pretty clear to us a year ago that the 4th quarter was going to tank.  In fact, as we recently prepared our 2009 budget and revenue projections, I pulled out the budget guidance from December 2007, and found that we said we should expect a major downturn in Q4 of 2008.  I don’t completely remember now why I thought that at the time, but I guess it was obvious to me that we were entering a recession and the economy was about to turn down, and would turn way down by October.  So what’s the forecast for 2009?  I’ll save that for another blog post.  This one is about how it looks at the moment.

What we noticed late last year was that a couple of clients that depend heavily on donations from financial firms and major computer firms were having problems raising money.  This was a strong indication of things to come.  Some of those clients essentially went out of business by June 2008.  Based on our experience in 2000/2001, we knew that the association and not-for-profit market would lag by about 9 months for seeing impacts of the business downturn, so I think we must have guessed that the early warning signs in late 2007 were going to hit us hard in late 2008.

What we didn’t really anticipate is the severity of the downturn in all sectors, particularly with banks.  Each year is a learning experience, and this one is a rare chance to watch and experience what happens in the severe recessions, which may be a once in a lifetime opportunity to learn.  (I remember the recession in 1974, the one in the late 80’s, and the more recent one in 2000, but don’t remember much about the others in my lifetime.)  This one is definitely different.

Our banking clients are helping us understand the impact of the recession on their business.  The crisis at the top end of the banking world is a very different scale than at the community bank level, and the bailout packages are not yet trickling down.  In simple terms, the recession is being seen in things like dramatically fewer transactions at the teller line, just like there are fewer sales in the retail stores.  People are getting laid off because there is simply less work to do, just like in a factory.

What compounds the problem for the community banks is the lending situation and real estate valuation situation.  Since banks have to “mark to market”, the value of loans in their portfolios drops with the decline of the real estate market, which creates a trickle-down effect.  For those banks with widespread loan problems, the story gets worse.  For those community banks that invested funds in the stock of Fannie Mae, that money is gone.  People are getting cut because you have to do it to slash costs, so that the institution can survive.  Nobody would have ever thought that this combination of circumstances would happen.

For the services firms we work with, the impact is mixed.  We have one client whose business is exactly dealing with complex and major problems with banks - this environment must be a golden opportunity for them.  Other services firms, like the average small law firm or the mid-sized consulting firm, are all wondering how bad things will get and watching their pennies.  Fortunately - and we are all watching closely - the services firms in this area seem to be doing better than OK so far.

For the retail firms we work with, business seemed pretty solid until about September.  Then October looked pretty scary for them, and then November was at first dreadful, but by the end, not so bad.  December is actually turning out to be better than last year, but not by a lot.  So, for the retail firms, it looks like the worst is actually over.  Let’s hope that is in fact the case.

For the construction businesses and developers we deal with, the smart ones saw this coming and hunkered down.  Those firms are doing pretty well right now.  For the not-so-prescient ones, time will tell.

For our own company, we are fortunate that we have a focus on different vertical markets so that the economic swings are smoothed out.  Yes, when all markets are swinging up, we do very well, but there has not been a time, in the last recession or in the current severe one, where all markets were swinging down on the same cycle.

What is also interesting to watch is the whip-saw effect of commodity prices and currency prices.  This is a new phenomenon for me to see, too.  The last thing I expected was a sharp rise in oil prices, followed by a rapid rise of the dollar versus the Euro, followed by a sharp drop in oil prices.  This is so crazy.  Now I’m thinking, “so what is the most ridiculous thing that could happen next?”  That’s how we’re approaching the 2009 budget.

Hacked bank web sites

Sunday, December 7th, 2008

In the course of marketing our services, occasionally I come across banks that host their web site with a hosting company that is a general hosting provider.  I have to shake my head when I find this out.  A couple of weeks ago, we were doing some business development with a community bank, and I noticed their web site was down.  When I asked about the problem, I learned that the hosting company they use had been hacked and therefore the bank’s web site was down.  This went on for more than a day.  How can a bank afford to let this happen?  If you are in charge of a web site for a financial institution, what possible reason can you have for hosting at a company that doesn’t host other bank or credit union web sites and doesn’t have the necessary security controls in place?

eWebEditPro does not support FireFox 3

Tuesday, July 22nd, 2008

According to this Ektron knowledgebase entry, eWebEditPro is incompatible with FireFox 3.

eWebEditPro does not appear in Firefox 3.0. Do not upgrade to Firefox 3.0. We will continue to monitor the development of Firefox and work with the maker of the Esker ActiveX plugin.

According to this post on the Ektron DevCenter forum, this problem has been known since early June.  For now, Ektron recommends delaying the use of FireFox 3 until further notice.  Subscribe to the RSS feed to be notified once this issue has been resolved.

Xobni = Outlook + Steroids

Wednesday, May 7th, 2008

According to the Xobni web site, Xobni is “the Outlook plug-in that helps you organize your flooded inbox.” I’ve been using Xobni for the past few days, and it’s much more than that. With apologies to Jose Canseco, it’s Outlook on steroids :-)

Installing Xobni is a breeze. The first time you run Xobni, it will index the e-mails that are currently in Outlook. For me, this process took around 15 minutes. Once your e-mails are indexed, you don’t really notice the indexing of new e-mails that goes on in the background.

Once Xobni has indexed your e-mails, the main Xobni sidebar shows several things about the person that sent you the current e-mail selected in Outlook. The top panel contains the Person Profile. Xobni shows a histogram of e-mails received from that person across different times of the day. While the display is well done, the information itself wasn’t all that helpful to me. Most of the histograms followed a normal, bell-shaped distribution curve. In that same section, Xobni shows the number of incoming and outgoing e-mails to that user, as well as how popular that contact is (in terms of e-mails sent and received) vis-a-vis other contacts in Outlook. The last bit of information that Xobni shows about the contact is her phone number, which is pulled from Outlook contacts or e-mail from that contact. In most cases, the phone number is correct. In some cases, Xobni selects the wrong information. The nice thing is that it shows you the source of the phone number, whether it’s an Outlook contact item or an e-mail. You can change the information if it’s incorrect.

The next panel is the Network. This section lists the people who are included in e-mail conversations between you and the contact shown in the Person Profile. People listed at the top of the Network are those that are included most often in e-mail conversations between you and the contact. A nice touch is the color coding of people in the Network. An orange icon represents people you’ve contacted directly, while a gray icon represents people you’ve never e-mailed directly. In addition, distribution lists have a different icon.

The third panel lists Conversations. E-mails are displayed in a threaded style, very similar to Google’s Gmail. Xobni groups individual e-mails into conversations based on the subject of the e-mail and the people in the To and CC fields. Conversations are listed in descending chronological order, with the most recent conversations listed at the top.

The last panel, and the one I find most useful, is the Files Exchanged. How many times have you wanted to find the document that you sent someone six weeks ago? Xobni pulls out all attachments that you’ve sent to, or received from, the contact and lists them in descending chronological order in the Files Exchanged panel.

That’s a quick overview of the Xobni Sidebar. Xobni also provides analytics for your Outlook e-mails. The analytics show things like mail traffic by hour, response times (most helpful), and unique contacts. It’s nice eye-candy that can show some interesting trends and patterns visually.

The most impressive feature of Xobni is its search capability. It’s lightning fast and well-integrated in the Xobni sidebar. Xobni will search on e-mail addresses, names, e-mail content and attachment names. Unfortunately, it doesn’t search on contents of files (yet).

All in all, Xobni is a fabulous productivity tool that every heavy-duty Outlook user should own. Yes, there are a few things that Xobni doesn’t do yet, but the public beta shows tremendous promise and is worth the (small) investment of time and energy required to install and learn the product.

SQL Injections

Monday, April 28th, 2008

With the rise of SQL injection attacks recently we’ve started taking a look at ways to prevent them on the server level.  We host a lot of sites that we did not create or maintain.  A lot of our customers look to us when issues like this arise.

These attacks mask their payloads in HEX using the CAST() function in SQL.  In the IIS logs you see something like this.

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300...%20AS%20NVARCHAR(4000));EXEC(@S);

After thinking about the problem we found a pretty simple solution that, so far, has worked well.  We needed a way to intercept the URLs that pass in the hex code so we could deny access to the page.  IIS lacks a simple URL rewrite engine like Apache’s mod_rewrite, so we had to look for a 3rd party tool.

We found a solution in Helicon Tech’s ISAPI_Rewrite.  This is a commercial product that comes with a free Lite version.  The Lite version doesn’t allow for per-site rules, but in this case you probably want to protect all the sites with one global rule.  There are some other very useful things ISAPI_Rewrite can do (SSL redirects for one) and the paid version is well worth the $99.

Once ISAPI_Rewrite is installed you can simply add this rule to the configuration.  This rule blocks any request whose query string contains a CAST( or EXEC( function call.  These should never show up in an HTTP GET.

RewriteCond %{QUERY_STRING} (exec.*\()|(cast.*\() [NC]
RewriteRule .? - [F,L]

When a request matches this rule IIS returns a 403 Forbidden error back to the user/client.  Note this rule will not protect against SQL injections that use the HTTP POST method (Forms).  These require proper validation in the code.
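
For triage of requests that already reached the server, the same pattern can be run over the IIS logs and the hex literal decoded to see what the injected SQL was. The following Python is an added example, not part of the original post or of ISAPI_Rewrite. It assumes W3C-format logs with a #Fields header; the function names and the sample log lines are constructed for illustration. The last sample line shows that the rule also matches a legitimate query containing "cast" followed by a parenthesis.

```python
import re
from urllib.parse import unquote

# Same test the rewrite rule applies to the query string ([NC] = ignore case).
RULE = re.compile(r"(exec.*\()|(cast.*\()", re.IGNORECASE)
# CAST(0x<hex> AS [N]VARCHAR...); tolerates a truncated literal such as "0x44...".
HEX_CAST = re.compile(r"cast\(\s*0x([0-9a-f]+)[^)]*?\s+as\s+(n?)varchar", re.IGNORECASE)

# Constructed sample log (documentation IPs; the hex is the harmless "SELECT 1").
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-04-28 10:00:01 GET /news.asp id=7 192.0.2.10 200
2008-04-28 10:00:02 GET /news.asp id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S); 198.51.100.7 200
2008-04-28 10:00:03 GET /search.asp q=broadcast+schedule 192.0.2.11 200
2008-04-28 10:00:04 GET /search.asp q=podcast%20(weekly) 192.0.2.12 200
"""

def decode_cast_payload(query):
    """Return the SQL text hidden in a CAST(0x.. AS [N]VARCHAR) literal, or None."""
    m = HEX_CAST.search(query)
    if not m:
        return None
    wide = bool(m.group(2))            # NVARCHAR is UTF-16LE, VARCHAR one byte per char
    unit = 4 if wide else 2            # hex digits per character
    digits = m.group(1)
    digits = digits[: len(digits) - len(digits) % unit]   # drop a cut-off tail
    return bytes.fromhex(digits).decode("utf-16-le" if wide else "latin-1", "replace")

def scan(log_lines):
    """Return (client_ip, uri_stem, decoded_sql) for requests the rule would block."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # W3C header names the columns
            continue
        if line.startswith("#") or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        query = unquote(row.get("cs-uri-query", ""))   # normalise %xx before matching
        if RULE.search(query):
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"), decode_cast_payload(query)))
    return hits

if __name__ == "__main__":
    for ip, stem, sql in scan(SAMPLE_LOG.splitlines()):
        print(ip, stem, repr(sql))
```

Running the decoder on the truncated literal quoted in the post recovers only the characters that are present there.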

The opinions expressed in this blog represent those of the authors and not those of American Technology Services, Inc.
