Heckman Consulting Newsletters
Why Document Manage-ment: A White Paper
No.34 Spring 2008: AMD Alive and Well at Lexis Nexis.
Blog from Heckman Computer Consulting
DMS Issues from Heckman Computer Consulting
Cheatsheets from Heckman Computer Consulting
Seminars from Heckman Computer Consulting
Law Office Computing Articles
Business Automation Checklist
Services Provided: Technology Consulting, Software Support, Planning Support
Supported Software Products: Amicus Attorney, CaseMap and TimeMap, ContactEase, WordPerfect, GroupWise, HotDocs, PC Law, Summation, Time Matters, Worldox
Email Policies
Backup Issues
Virus Issues & Alerts
Useful Links from Heckman Consulting
About Us - Heckmanco.com
Clients of Heckman Computer Consulting


No. 14, Summer 2000 Click for PDF Version

ASPs May Carry Lethal Sting

    One of the hottest topics in the computer industry today is the subject of "Application Service Providers" or ASPs. Instead of buying a copy of Word, WordPerfect or database software for several hundred dollars or more, you would lease it from an ASP over some form of Internet connection for a few dollars a month. The ASP would take care of upgrades, bug fixes, virus checking, maintenance, backup, and similar functions. Since the vast majority of the cost of owning software today lies in maintenance, tech support and service, this would take a tremendous burden off the shoulders of the companies involved, in addition to (perhaps) saving money. In essence, this amounts to "outsourcing" the computer programs you use.

    While everybody is rushing head over heels to get into the act, in my view the problems with an ASP solution for a law firm are insurmountable, at least within the next five years or so. Bob Butler of Time Matters has also addressed a number of these issues in his recent article in Law Technology News (May 2000). The main problems at issue can be summarized under three headings: Access, Security, and Functionality.

Access to Your Data

    The first issue is bandwidth. A network connection typically runs at 10 Mbps, with newer networks running at 100 Mbps. This is 200 to 2000 times as fast as a 56Kb dialup line and 40 to 400 times faster than a 512K DSL connection. The fastest Internet connection available, a T3 line, is likely to cost in the neighborhood of $3,000 per month for a fifth the speed of a network (prices vary sharply depending on specific local areas and phone companies). And this is on a good day. When the provider's server goes down or the connection is clogged and slow, you may not be able to access your applications and data. Think of your reaction when the server in your office is "running slow." Then consider your current access to the Internet: would you trust mission critical data even to an improved version of it?

    The main law firm applications - word processing, e-mail, calendaring, case management programs - are typically programs that users open at 9 am when they arrive and close at 5 pm (if they are so lucky as to leave that early). This dooms any Citrix-type approach from wide-scale implementation, since users will dial in when they arrive in the morning and occupy the phone line continually until they leave. A company trying to use Citrix could need as many phone lines as they have users, which is not feasible. Most ASPs are targeting implementations for programs that require only occasional use, i.e., once a day, a couple times a week. The bandwidth needs for basic law firm applications are far beyond anything anyone even has on the drawing boards today.

    Some real-life examples may serve to drive this point home. A major New York law firm had a T3 line between an outlying building and their main office over which they were running their e-mail application. They had to abandon it because of vociferous complaints about slowness. Or consider the PointCast craze of a couple of years ago. People loved the instant access to news, stocks, etc. However, many corporations had to shut off access to it because their networks could not handle the traffic. 

Security of Your Data

    The security issue that has received the most attention is securing your data from hackers or thieves. Will your data be on a dedicated server (probably not); how will you know who has access to your most confidential data (you won't); will the data physically be housed at your ASP's site or at the site of some server farm run by major ISP subcontractors or phone companies? In addition to the risk of compromising data, hacker attacks could take the form of Denial Of Service attacks such as those that brought giants AOL and Yahoo to their knees for hours or days at a time. If hackers can crash AOL's servers, they can certainly do it to an ASP's server. What, if any, provisions will there be for accessing your data if the ASP goes down? None of these issues have been addressed in ways likely to satisfy law firms.

    Anyone who proposed building a network for a law firm that might randomly have outages of several hours to several days would rapidly be shown the door. Why should law firms trust their data to a system where such outages have and will continue to occur, just to "save" few bucks?

    Then there is the question of the availability of your data in the event of a dispute with the provider. Suppose the ASP cuts off service over a dispute, the way Time Warner did briefly with ABC/Disney. With the passage of the UCITA act in a number of states this is a serious possibility. Whether the dispute is resolved in your favor or not, you could still be without your data for an unacceptable amount of time. 

    Finally, what about professional liability in the event client confidentiality is breached? Law firm e-mail messages are increasingly carrying the same sort of disclaimers traditionally associated with faxes. Will every single wordprocessing document have to carry a similar warning?

Program Functionality

    Will full-featured programs be available? To date, efforts at "Internet suites" such as those from Corel and Star Office have been largely unsuccessful due to slow response time and limited features. In a culture where users complain about having to make an extra mouse click or two, what will be the reaction when it takes two minutes to save a document or footnotes are not available?

What Will Work?

    There are currently intermediate options that combine some of the advantages of outsourcing with maintaining your data securely. These typically take the form of web-enabled applications that can be accessed using a simple web browser from anywhere with an Internet connection, but with the data still residing on your system. Novell's GroupWise has had this capability for several years (a very long time in "Internet years") and has gotten to a point where the web version has almost identical capabilities as the normal office version.

    Document management programs such as Worldox, PCDocs or iManage are releasing Internet-enabled products that allow a firm to access its documents via a simple web browser. These programs allow you to search for your documents, view them and "check them out" to your local hard drive to work on. When you have finished, you can then upload them via the Internet again. These are "half-way houses" but work well for limited use, e.g., you are at home and want to work on a document.

    It is unclear how effective this approach will be in terms of database-intensive programs such as case management programs. The closest analogy today is probably On-Line shopping services. Ask yourself the question: when you purchase something on line, how long does it take between the time you click OK and your purchase is actually registered (i.e., written to the database). Would you accept this kind of delay for your calendar or case management program?


    In order for an ASP model to work, vendors will have to offer full featured programs at near current network speeds. To date, that does not seem to be even close to happening.

Love/Hate Viruses

    The recent "I Love You" worm virus and the subsequent, even more lethal, versions once again demonstrate the need for extreme care concerning e-mail and other viruses. Major corporations were forced to shut down their e-mail systems for a full day or more to eradicate the virus and smaller companies with fewer resources may have been even worse off. Users of Microsoft products (Word and Outlook) have to exercise special care, since these products are designed to be wide open, including to the effects of the current strains of viruses. For the first time, a number of analysts in the computer trade press have suggested that companies who really want to provide security against viruses should consider getting rid of Outlook. Microsoft has taken a very hard line that the security holes in their products are beneficial to their customers because of other uses to which they can be put, such as seamlessly downloading information from the Internet or extracting information from your PC for the benefit of Microsoft. Especially in light of the half-hearted "patches" Microsoft has issued in the wake of this incident, it is unlikely that it will take security issues any more seriously in the future.
The most immediate line of defense is never to open an e-mail attachment directly. Always view it or delete the e-mail directly. If you are using Internet Explorer, disable Active X controls. In addition, be sure to turn on the file extensions so that you can spot any attachment with a ".vbs" or ".vba" extension and delete it immediately. Unless you really need it, uninstall the Windows scripting host. The best source for information concerning this and other Microsoft issues is Woody's Office Watch (at www.wopr.com).
Users of "always on" internet connections (cable modems, DSL connections) must get a home user-type firewall. Two of the best software-based firewalls are Zone Alarm (free from at www.zonealarm.com) and Black Ice ($39 from www.networkice.com).
Hardware firewalls for the small or home office are also available for a few hundred dollars.
If you have any doubts, check out Steve Gibson's monitoring software, Shields Up, at www.grc.com. You will probably be unpleasantly surprised about the security of your Internet connection.

Viruses and Finger Pointing

    Although it may be emotionally satisfactory to indulge in knee-jerk finger pointing when it comes to the responsibility for the spread of various viruses, we need to set a more analytical foundation before offering an opinion (from which I certainly will not shirk).
Analogous to medical viruses, there are three elements necessary for a virus to live and spread:

1. What is the structure of the virus take (VB, mapi, activeX controls, etc.)?
2. What host does the virus require to live and spread?
3. What mechanisms (anti-bodies) does the host have available to stop the virus and what sort of inoculation through anti-virus programs work?

    Viruses are written in various languages. These can include: Visual Basic, ActiveX, Windows Scripting Host, various macro languages, CGI and Perl scripts, Java scripts, C++ and others (for the MAC, for example). 
Various viruses are capable of existing only in specific programs. Thus VB viruses at home in Word or Outlook, but could not run in a WordPerfect/GroupWise environment. Similarly, ActiveX scripts can run with IE 5.0, but could run under Netscape only if ActiveX has been installed. CGI and Perl scripts could run with almost any browser. A WordPerfect macro virus could only be launched as a standalone file (which must have a *.wcm extension to execute) or from a template (which must have a *.wpt extension). The cannot be launched just from a document, contrary to the structure of Word. One of the main issues in other platforms is the extent to which viruses/worms can propagate. Thus for example, GroupWise is open to mapi-driven viruses but would not let them propagate. 
Word/Outlook (i.e., VB) viruses have been most prevalent because (a) they are very easy to write, (b) they can self-propagate (which hypothetical WordPerfect macros could not) and (c) the dominance of those programs gives the critical mass necessary for the propagation of the viruses. Thus Microsoft's insistence that viruses can exist for any platform is technically true, but totally irrelevant. 
Perhaps the key issue when assessing responsibility is what various vendors do to make it harder for macros to run/propagate. Microsoft has aggressively taken the position that the consumers have requested the ability to run VB scripts and that this capability far outweighs any "theoretical" downsides to viruses. Therefore its "security" is essentially non-existent. The three-level "warnings" in Word are generally turned off by users because they are so annoying, and some programs (such as Amicus Attorney document assembly) will not even function with the level set to "high" in Word. 
The after-the-fact patch being issued to Outlook is very limited and does not address the more general issue of openness to macros. In addition, not only does the patch not work with Outlook Express, it seems that you cannot pick and choose which part of the patch you apply, and that applying the patch is likely to disable most third party integration with Outlook, including some PalmPilot synchronization programs. If you change your mind and want to go backwards, the only solution is to completely uninstall and then re-install Outlook.
Woody's Office Watch (a must subscribe for all users of Word and Outlook) summarizes the patch as follows:

"if Microsoft persists and releases this awful, terrible, dysfunctional, dreadful, appalling, atrocious, horrendous, inexcusable patch, you should not use it yourself and you should tell all your friends not to consider the patch."

    There is also a security breach in the Office Assistant that could allow virus intrusion. WOW summarizes:
"Unlike some other security breaches, this is a result of a deliberate design decision that would have been made at a relatively high level. It demonstrates clearly that Microsoft doesn't consider the security implications of their work."
The Microsoft architecture (Word, Outlook, Excel) is designed to provide functionality that offers easy pickings for virus writers. Because this is a fundamental design option for Microsoft, future versions of MS products can be expected to have similar security holes. Microsoft will no doubt propose partial remedies only after the fact and only after massive outcry. Microsoft users are thus forced into minute reconfiguration of their systems, registry hacks to turn off settings, etc. And all this in the name of "ease of use" and "the customers want..."
So it seems fair to conclude that Microsoft continues to exhibit a negative interest in security: it wants to configure access to systems to provide the greatest openness with no consideration of security. This is clearly a conscious option: security does not HAVE to be an either/or. It would be possible to put in place security provisions that would (a) allow the user to make reasonable choices concerning them and (b) would not be so intrusive as to be unusable. However, at present, as several industry analysts have suggested in the wake of the I Love You virus, the only real "protection" against viruses/worms in Microsoft products is to stop using them and switch to other options.  

Blog: Does It Compute? | Contact UsUseful Links | About Heckman Consulting
Partial Client List | What's New ? | Software Supported | Service | Home

2001- Heckman Consulting, Old Lyme, Connecticut.  Law Firm Consulting & Support
Web Site by Consultwebs.com, Specializing in Legal Webs


No.21 April 2002
Future of Case Management Programs
No.20 October 2001
Disaster Recovery Small and Medium Firms
Previous Issues