WordPress to be (currently) considered unsafe?
In the past couple of days I’ve been involved with the cleaning up of a number of successful SQL Injection attacks on WordPress blogs, including one that was running the most recent version 2.9.1.
Then last night I read that TechCrunch was also hacked (their post on it seems to re-direct to an interstitial ad – which I’ve never seen on TC before and makes me wonder whether they are trying to put up ‘interference’ here).
From what I can see it looks as though the vector that I have seen could also have been used to do this to TechCrunch. I don’t know what version of WordPress TechCrunch runs.
I’ve decided not to give the details of who was affected or too much info about the attacks, although the two common occurrences I’m seeing with all of the sites exploited are:
- They are using WP-Cache or WP-SuperCache
- They are running on the RackSpace Cloud Sites serving platform
I should state for the record that at this point I do not have any evidence that RackSpace Cloud Sites is vulnerable, I’m just noting that all of the examples I’ve seen have occurred on RackSpace Cloud Sites, and I believe TechCrunch runs on Rackspace Sites too. Conversely I’ve not heard of any non-RackSpace Cloud Sites blog having any problems, and I’ve not had any issues with my blogs either (other than a botched upgrade to 2.9.1 just now due to human error, doh!).
Although I don’t want to give out specific information, some interesting discussion is occurring on a thread of HackerNews, especially this sub-thread.
Advice
While we wait to see if/how the WordPress developer community responds to this, my only advice is to make sure all of your directories and files are locked down (chmod 700 works fine on RS Sites), and that you are running the latest version of WP & all of your plugins. You might want to keep an extra eye out if you are using RackSpace Cloud Sites (or your hosting reseller does) and make use of WP-Cache/WP-SuperCache.
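A way to check the “locked down” advice above rather than assume it: the script below is an added example (not code from the original post or from WordPress), and it walks a directory tree reporting every file or directory that grants any permission to group or others, i.e. anything looser than chmod 700. The WordPress-like layout it scans is constructed in a temporary directory with hypothetical paths; point loose_permissions() at a real install root instead.

```python
import os
import shutil
import stat
import tempfile

# Added example, not from the original post: report every entry under a
# root whose mode grants read/write/execute to group or others.


def loose_permissions(root):
    """Return sorted (relative path, octal mode) pairs for entries under root
    whose mode grants any permission bits to group or others."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat: check a symlink's own mode and do not follow it
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def scan_sample_tree():
    """Build a constructed, miniature WordPress-like layout in a temp
    directory, scan it, clean up and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    try:
        layout = {
            # hypothetical paths; modes chosen to show one loose dir and one loose file
            "wp-config.php": 0o600,
            "wp-content": 0o700,
            "wp-content/plugins": 0o700,
            "wp-content/cache": 0o755,            # loose: world-readable/executable
            "wp-content/cache/page.html": 0o644,  # loose: world-readable
        }
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            if rel.endswith((".php", ".html")):
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write("placeholder\n")
            else:
                os.makedirs(path, exist_ok=True)
            os.chmod(path, mode)
        return loose_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode in scan_sample_tree():
        print(f"{mode}  {rel}")
```

Cache plugins are a common source of loose modes because they need to write generated pages, which is why the sample puts the loose entries under wp-content/cache; the point of the scan is to find what is actually reachable by other accounts on a shared host, not to assume the defaults are fine.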
I remain a massive fan and supporter of WordPress.
Something fishy going on with Kindle free bestseller ebooks?
Today’s NYTimes article “With Kindle, the Best Sellers Don’t Need to Sell” waxes lyrical about the opportunities independent writers smaller publishing houses have found by publishing their works free of charge for Kindle. By doing so, many have made it into the Amazon Kindle Bestseller List.
Indeed, at the time of writing this, the top two books in the Kindle Bestseller List (Cape Refuge and Southern Storm both by Terri Blackstock) are free. In total, 15 of the current top 25 Kindle Bestseller books are available free of charge.
(UPDATE: Terri Blackstock left useful comments below)
But what doesn’t add up is that Amazon forces authors publishing works into the Kindle Marketplace to set a minimum price of $0.99c (see notes in red near bottom of the page).
I’ve just checked and confirmed this important fact, missed by Motoko Rich who wrote the NY Times piece, with my partner Violet Blue. Violet is an Amazon Bestselling author herself who has published 24 of her books into Kindle format.
Using her account in Amazon’s Digital Text Platform (DTP) I confirmed she is unable to set any of her books below 99c. In fact, she told me she would like to offer some of them for free if she could. (Violet has screen-grabs of her DTP interface on Flickr)
Back to the New York Times article, it paints a now familiar “free culture kicks it to the old guard” story of how independent writers smaller publishers are publishing their works to Kindle for free and then getting signed/distribution deals with publishing houses to sell hard-copy versions commercially.
Something fishy going on
But this doesn’t stack up, as it is impossible for an independent author like Violet to publish free for Kindle. From what I can see there is one of two possibilities here, both of which make a much deeper and more interesting story:
Possibility #1: Amazon is entering into special agreements with certain independent writers smaller publishers – and thus not playing a square game with the rest of their authors. Perhaps this is to drive traction to their e-reader, but to the detriment of maintaining a level playing field and equal publishing ecosystem. Or…
Possibility #2: Mainstream publishers (who apparently use different platforms to publish ebooks into Kindle marketplace) are able to set a zero price on their books. I note this option because those two free books written by Ms Blackstock are also available as ‘hard-copy’ paperbacks for $10.19 published by publishing house Zondervan.
I’ll leave the fact that Zondervan is an overtly Evangelical-style Christian publisher, and thus the burning question as to whether they are gaming the Kindle ‘free gets you to the top of Kindle Bestseller” hack to spread covert pro-Christianity rhetoric in the forms of works of fiction, to the conspiracy theorists out there.
I write the above with the disclosure that I find the DRM-laden nature of the Amazon Kindle almost as abhorrent as the spreading of pro-religious rhetoric via means that appear secular on initial inspection (see Alpha Course, books by C. S. Lewis, etc.)
UPDATE: Upon a second read of the NY Times piece in follow up to a comment left below, I noticed that the piece was centered around smaller publishers rather than independent authors per se, so I have struck out those references where made. However, there remains a big story here which is why publishers are able to offer books for free when the independent authors seemingly can’t.
A cautionary tale on Yahoo!’s potential API legacies
Yahoo!’s announcement that it is shutting down its Yahoo! Shopping Web Services API should send a cautionary note to anyone relying on the one-time darling of the open API landscape to continue to provide them all the API services they currently enjoy.
Now, I’m not trying to paint a dark and bleak picture of the current situation. But it is fair to say that the future of Yahoo!’s API landscape going forward is confused and unclear.
And I say that not as a nay-sayer or doom-merchant – I’ve been a champion of open APIs for a long time now and even supported Yahoo! by actively participating in their Hack Days around the world, building hacks on top of the platform and even famously slapping a stupid sticker on my forehead to promote the cause (which I hear was a favorite slide in the decks of certain Yahoo! executives for a while).
However the bottom line is this: Yahoo! has successfully dug deep roots in the API platform space over the years, probably more so than any other company I can think of. And if some of these roots are dug up and removed it’s going to leave massive holes in the ecosystem.
The Yahoo! Shopping API is one example that has already occurred. Practically speaking the impact of this particular API is not massive as it was hardly a core API proposition. However, I still remain very concerned about the future feasibility of core services such as Yahoo! BOSS given that Yahoo! is retiring its search activities and handing the baton over to Bing. It’s not clear to what extent the platform will be serviced and maintained once search is powered by Microsoft.
I know many startups that are utilizing BOSS openly and many more that utilize it covertly behind the scenes – the loss, should it be removed, would be great.
Another example where developers have demonstrated caution has been Yahoo!’s implementation of OpenSocial across its many properties. Not only has the implementation been unclear (there isn’t even an official “OpenSocial on Yahoo” homepage) but developers have found it difficult to justify building apps for platforms that could be deadpooled or sold off with little notice.
So where does this leave us?
Well, Yahoo! in its current position is probably doing the right thing to trim back the fat by closing under-serving properties (and the APIs that go along with them). But it leaves a cautionary tale for both API vendors and API consumers.
API vendors need to consider the long-term strategy of what they are propositioning. That big “we’re so open it hurts” fanfare is going to cost you down the road if you can’t maintain it. In many ways, removing an API is worse than not offering it at all.
API consumers need to consider carefully the viability of the services they are using, especially if they are leveraging them for commercial use or as an intrinsic part of their value proposition. Look for freemium models that indicate viability, or build agile adapters that can be quickly swapped out to a different vendor at short notice (assuming there is one).
My prediction for 2010 is that we will see a lot of APIs and platforms go dark during the year, especially in the ‘free’ space. It will be interesting to see the fall out from these and the way that startups pivot around the sudden departure of a key provider in their value chain.
Announcing my new startup: Plato’s Forms (+ funding, yay!)
This morning’s TechCrunch post and last Friday’s Startup Crawl heralds the public announcement of my new startup – Plato’s Forms.
I’ve been working with Darryl Siry (former CMO Tesla Motors) on this project since Spring, with us producing a demo for investors in September/early-October. That seemed to be successful because we managed to raise a $545k angel round, led by a group of private investors, Darryl and ZelkovaVC (although the note remains open to $750k if anyone wants to get in at this early stage!).
So what are we building?
Well, the problem space we are addressing is the perpetuation of misinformation and inaccurate information within the online news environment. A piece is written up about your product/service/company that contains some incorrect facts or draws a conclusion that didn’t include a pertinent piece of information. Maybe you are frustrated the journalist didn’t reach out to you during the creation of their article and you want to reach out. Or perhaps a piece on a competitor misses an opportunity to present an alternative perspective around your product/service/company.
The solution is a professional communication platform that allows PR/corporate communication professionals to engage journalists and pro-bloggers in a ‘velvet rope’ vetted environment. There are a number of products we’re building on top of this platform, but we’re not talking about implementation points right now — we have some very interesting ways to solve these problems.
Some of these problems (and solutions) are new. Some are just reducing the friction of the existing communication mechanisms these folk already have in place.
What’s under the hood?
Everything is Ruby on Rails… very agile, very rapid development. It’s my first time working with RoR and I’m really enjoying the experience. Pivotal Tracker continues to be an amazing productivity tool for development, and I’m beginning to wonder how I ever worked before DropBox, EtherPad and BaseCamp.
BTW if this all sounds like fun (which it is) we’re looking for top Ruby on Rails talent right now, working out of our digs in South Park, SF!
Busy bee
Plato’s Forms is obviously going to be my main project and focus moving forward, although for now I will continue to work with Seesmic on a small scale (my BlackBerry app shipped last week) and maintain my advisory board responsibilities with my portfolio.
Oh and I’m going to be in Europe for most of December – MC’ing at Le Web in Paris again, and then Christmas at home in London.
Yahoo! Taiwan 2009 Hack Day Stripper-gate: an addendum
Yahoo! have been mopping up the PR fallout from the stripper show that occurred during the Yahoo! Taiwan 2009 Hack Day (if you missed the story, check out Violet Blue’s or Simon Willison’s posts).
Well, the plot thickens as the most damning photos of the event have mysteriously been removed from public viewing. Flickr user CocoChou had taken probably the most damning photos of the stripping event and uploaded them to his Flickr set of the Hack Day under a Creative Commons license.
However, the 4 photos – which many blogs were embedding and linking to – have been made private in the past few hours, although curiously all of the other 72 photos from the event are still public.
It’s not clear whether Yahoo!, which of course owns Flickr, has put pressure on CocoChou to remove them or whether he removed them independently of any interference. However, it’s difficult to think of reasonable motivations why someone would remove these 4 particular photos from their original 80 and keep the rest up. I have, of course, emailed CocoChou to find out – and I’ll update this post if/when I hear back.
Fortunately I downloaded copies of these photos before they were removed, and in the public-spirited nature you’ve all come to know and love, I’ve re-uploaded them to my Flickr account. Of course I am able to do so legally as they were originally released under a Creative Commons license, which I have perpetuated:
User acquisition: easy-come should be easy-go
Metric-orientated user acquisition is definitely the hot topic of the moment here in the Valley (along with “frictionless customer conversion” as my rad friend Ethan Bloch of Flowtown would say).
But as we optimize funneling and conversion for user acquisition within our startups, how many of us have a solid user relinquish process for those users who might want to leave?
As a technologist and generally curious geek, I like to check out most new start-ups that are launched. In fact it’s kinda my job to, and to that end I probably create at least two or three new accounts somewhere a day.
I visit, I sign up, I create an account (“just username, password and email address!”). But that’s the beginning of a probably well-oiled slippery slope. My interest is piqued, I upload my photo, fill out the profile data, connect my Facebook, etc, etc…
But what if I’m now done? “Nah, not interested in what you are doing”. Or even more importantly “Er, um!.. I’m put off by this weird thing you’re doing on your site. I don’t like it so I’m outta here”.
How many sites actually let me delete my account and leave?
Or conversely, how many sites have stubs of my personal data sitting on their servers because there is no easy way for me to remove it – despite being clear I no longer wish to use their service?
Now, I don’t consider myself some crazy privacy whack. I just think it’s pretty reasonable to suggest that if I really have absolutely no interest in using your service at all then I would like to know that you will completely remove my data and forget about me. Data Portability ‘Removability’, if you will.
Two examples from the real-world…
Earlier today I decided to delete my Tangler account (nothing personal to Tangler, I just don’t use it and it sends me a digest email every week that is just spam to me). I logged in but found no “delete this account”, so I twittered my frustration. Later on Rai from Tangler @replied to me to say that this could only be done via email.
That seems like a FAIL to me.
On the other hand I had a similar-but-positive-outcomed experience with Dropbox last week. Having unshared all of my computers from my account I still had 2gig of orphaned personal files in my storage account that were proving difficult to remove. Bug or user-error I wasn’t sure, but I decided I just wanted to nix my account and start again.
To DropBox’s credit they had a “delete this account” option, accompanied by very clear warnings that it was an irreversible decision. They even had a data-capture form to give me the option of explaining my reasons for leaving/deleting my account – which someone personally followed up with me on when I mentioned I was having file deletion issues.
Top marks on responsibility, implementation best practice and most optimized reason-for-leaving collection mechanism (alluded to in #5 in this great blog post on customer feedback)
And that’s all this really has to be: a “delete my account” button at the bottom of your settings/account profile page, a confirmation box and perhaps some way for the user to explain why they want out. On the back-end, a quick purge of that user’s record and perhaps a separate archived audit log so that if a backup is restored, deleted accounts can be consolidated.
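The back-end half of that design in working form, as an added example that is not part of the original post and not any particular site’s code: an explicit confirmation, a purge of the user’s row, a separate tombstone log that carries no profile data, and a reconciliation step that re-applies logged deletions to a table restored from backup. The user table, log and field names are constructed for the example; the returning_share() function also shows the point made further down, that ghost accounts drag down your returning-user percentage.

```python
import hashlib
import time

# Added example, not from the original post. A constructed in-memory user
# table and a separate append-only deletion log stand in for the real store.
USERS = {
    1: {"email": "alice@example.com", "name": "Alice", "last_login_days_ago": 2},
    2: {"email": "bob@example.com", "name": "Bob", "last_login_days_ago": 12},
    3: {"email": "carol@example.com", "name": "Carol", "last_login_days_ago": 400},
}
DELETION_LOG = []


def delete_account(users, log, user_id, confirmed, reason=None, now=None):
    """Purge the user's row and append a tombstone to the audit log.

    The tombstone holds only what is needed to re-apply the deletion after a
    backup restore: the id, an unsalted (hence merely pseudonymous) hash of
    the email address, a timestamp and the optional free-text reason. The
    profile itself is not copied anywhere.
    """
    if not confirmed:
        raise ValueError("account deletion needs an explicit confirmation")
    record = users.pop(user_id)          # KeyError if the id is unknown
    log.append({
        "user_id": user_id,
        "email_sha256": hashlib.sha256(record["email"].lower().encode()).hexdigest(),
        "deleted_at": time.time() if now is None else now,
        "reason": reason,
    })
    return record                        # for a final goodbye message, then discard


def reconcile_after_restore(restored_users, log):
    """Remove from a table restored from backup every user whose deletion is
    logged, so a restore never resurrects a purged account.
    Returns the ids removed again."""
    removed = []
    for entry in log:
        uid = entry["user_id"]
        if uid in restored_users:
            del restored_users[uid]
            removed.append(uid)
    return removed


def returning_share(users, window_days=30):
    """Fraction of accounts that logged in within the window (0.0 if none)."""
    if not users:
        return 0.0
    recent = sum(1 for u in users.values() if u["last_login_days_ago"] <= window_days)
    return recent / len(users)


if __name__ == "__main__":
    print("returning share before:", returning_share(USERS))
    delete_account(USERS, DELETION_LOG, 3, confirmed=True, reason="weekly digest is spam")
    print("returning share after:", returning_share(USERS))
    restored = {1: {"email": "alice@example.com"}, 3: {"email": "carol@example.com"}}
    print("removed again after restore:", reconcile_after_restore(restored, DELETION_LOG))
```

The log is kept separate from the user table on purpose: a restore of the user table from last week’s backup brings Carol back, and the reconciliation pass is what removes her again. Keeping the log small and free of profile data is what makes holding it indefinitely defensible.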
A user relinquish strategy is good for your business
Good user relinquish practice is not only the fair thing to do for your users but it makes sense for business.
What value is there in holding all of this information about users that no longer wish to use your service? Depending on the nature of the service you may even be provisioning resource for these ghost users – resource that you will never see a return on. And VC’s/boards don’t want to see exaggerated raw account numbers, they (should) want to know monthly uniques, return visitors, etc.
And if we get into a %age game, removing users from the database who have totally left the service will actually increase the %age of your userbase that returned in the last month!
There may also be boring data-storage compliance issues, especially if you trade physically in Europe.
So, that leaves the question: what is your user relinquish strategy?
[photo CC Image Zen]
My GMail password scares me with its power!
Google’s GMail blog has some “handy” advice on how to pick a good password to protect your email account.
Don’t use dictionary words, use mixed case, your eldest kid’s name is a bad choice, etc etc. Yeah that’s great.
But the much bigger security issue I fear is that my GMail username & password is also the same username & password for:
- My calendar (Google Calendar)
- My confidential documents (Google Docs)
- My credit card (Google Checkout)
- My website’s analytics (Google Analytics)
- My RSS feed admin (Feedburner)
- My phone number, voicemail, IM’s (Google Voice + GTalk)
- Some experimental projects (App Engine)
- My photos and videos (Picassa and YouTube)
- + more (see your list of Google services you use)
Given the legitimate places you need to put your username and password in order to access your email (ie your email client, which might be sending it in the clear each time it fetches mail), is it too much to rely on its security and integrity for all these other ancillary Google Services?
I am a strong believer that you shouldn’t give your Google username and password to ANYONE for this reason. It pains me to have to give it to RIM but it’s the only way they can push email to my Blackberry.
Security through segregation
It’s really about time Google separated GMail, and perhaps GTalk, authentication from the rest of their properties. At the very least I’d like to see the ability to create a separate password for IMAP/POP access that I can enter into my email client and give to RIM that doesn’t give access to the rest of my Google Account.
However, as Google becomes an ever more vital and relied-upon part of our online workflow (see how many services I use, above), I wonder whether there would be value in offering an optional RSA-style keyfob to help protect access – perhaps for a $20-$50/year fee. I know I would pay, and that PayPal have been offering a product like this for some time at $5 a fob.
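What the “separate password for IMAP/POP access” idea looks like in code, as an added example that is not Google’s design or code: one master password that unlocks every scope, plus per-application passwords that are generated randomly, stored only as salted hashes, bound to an explicit set of scopes and revocable one at a time. The scope names and the Account class are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not Google's design or code: one account, one master password
# that unlocks everything, plus separately issued per-application passwords
# that are each bound to an explicit set of scopes.

ALL_SCOPES = frozenset({"mail", "calendar", "docs", "checkout", "analytics"})
PBKDF2_ROUNDS = 50_000   # kept low for the demo; use a much higher count in production


def _derive(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username, master_password):
        self.username = username
        self._master_salt = os.urandom(16)
        self._master_hash = _derive(master_password, self._master_salt)
        self._app_passwords = {}   # label -> (salt, hash, scopes)

    def issue_app_password(self, label, scopes):
        """Create a random per-app password limited to the given scopes.
        The plaintext is returned exactly once; only its hash is stored."""
        scopes = frozenset(scopes)
        if not scopes <= ALL_SCOPES:
            raise ValueError(f"unknown scopes: {sorted(scopes - ALL_SCOPES)}")
        token = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._app_passwords[label] = (salt, _derive(token, salt), scopes)
        return token

    def revoke_app_password(self, label):
        """Invalidate one app password without touching the others or the master."""
        return self._app_passwords.pop(label, None) is not None

    def authenticate(self, secret, scope):
        """True if `secret` is valid for this account AND is allowed `scope`."""
        if scope not in ALL_SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        if hmac.compare_digest(_derive(secret, self._master_salt), self._master_hash):
            return True                     # master password: full access
        for salt, digest, scopes in self._app_passwords.values():
            if hmac.compare_digest(_derive(secret, salt), digest):
                return scope in scopes      # app password: only its scopes
        return False


if __name__ == "__main__":
    acct = Account("ben", "correct horse battery staple")
    imap_secret = acct.issue_app_password("blackberry-imap", ["mail"])
    print("mail with app password:    ", acct.authenticate(imap_secret, "mail"))
    print("checkout with app password:", acct.authenticate(imap_secret, "checkout"))
    acct.revoke_app_password("blackberry-imap")
    print("mail after revocation:     ", acct.authenticate(imap_secret, "mail"))
```

The credential the mail client (or RIM) holds can then only fetch mail; if it leaks in transit, Checkout and Docs are not exposed, and you revoke that one label rather than changing the master password everywhere. A production system would index app passwords by a visible identifier so that authentication does not have to try every stored hash.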
WOW it’s expensive to use Freshbooks and Harvest at scale
I don’t subscribe to the “everything must be free” meme that basically ignores the intrinsic value a product or service gives you. If a product or service provides me with real value then I am happy to pay for it – either through purchase/subscription or from being monetized via ads/usage data etc.
But I’m surprised at just how expensive some of the darlings of the Web2.0 SaaS era work out to be when used at scale.
Like a crack dealer, giving you the first hit free, most of them offer a “free” plan that is clearly designed to be severely limited the moment things begin to work out for you and your business takes off. There’s nothing new with this way of doing business, but have you seen just how much your hits cost once you get addicted?
Two examples that are particularly of mind are Freshbooks and Harvest. Both are great products; built by great people I have had the honor of meeting over the years.
Time tracking service Harvest starts out at $12/month ($144/year) for a single user but at Swordfish Corp there are now three of us, requiring the 5 user plan @ $40/month ($480/year). Not much change short of $500 seems pretty expensive for a year of time tracking.
Invoicing service Freshbooks has a free and slightly limited option for individuals, but a company of three would need to use the 3-staff plan @ $39/month ($468/year), and I notice that once we take on a fourth person we would need to skip to the 10-staff plan @ a jaw-dropping $89/month ($1068/year).
When researching these plans, I’m also considering what my future business needs are. With services like these, I want to pick providers who can scale with me as my business (hopefully) grows.
I should point out that one way of getting around this is to share accounts, but for time tracking this doesn’t work and for invoicing, everyone at Swordfish does their own invoicing on their client accounts.
Now, I’m not against paying for these kinds of services in general. Between myself (personally) and Swordfish, I have paid subscriptions to NolaPro (Hosted accounts package), Shoeboxed (receipt and business card data entry) and Flickr.
And I’m not saying that it’s not worth $480 a year to the company for good time tracking. I’m just saying I’m not sure a service like Harvest is offering me $480 of value a year over and above using a simple Google Spreadsheet created in 20 minutes, for free, and shared within the company.
I’m a fan of the Freemium model, but if it’s going to work the numbers can’t exponentially increase as your usage increases – it’s not fair (a form of bait-&-switch from the free accounts) and it’s also not reflective of the true cost of SaaS, where the cost should flatten out at scale.
Changes to BBC News Website reduces choice for users outside UK
Like many of its counterparts, the BBC News Website maintains two distinct versions of its front page – a ‘domestic’ orientated front page and an ‘international’ front page. The domestic front page contains a mixture of British and world-news orientated stories, whereas the international front page only includes British news if it’s of world-wide interest.
Any visitor to the site could select which version they wanted to receive.
Until last week, that is, when the BBC decided to start forcing its visitors to take the version intended for the territory from which they are visiting.
As an ex-pat living in San Francisco, California that means I am now forced to take the international front page despite being very interested in British news (I’m a British citizen, tax payer, voter and still have interests in the UK).

Those of you who know my background will also know that I spent six years working at the BBC, predominantly on the BBC News Website – in a technical and product development capacity. I’m therefore doubly interested in this change, as I still feel very proud of the work that I contributed to at what is (in my opinion) the most upstanding source of news around.
Disgusted of Tunbridge Wells, New Mexico (?)
The changes have angered a lot of people, as you can well imagine. Check out the comments on the BBC Editors blog post – which Steve Herrmann (Editor, BBC News Website) tries to address on another post.
The heart of the matter is that the BBC News Website is serving three distinct user stories:
- I am a UK user wanting to view British and International news
- I am an International user wanting to view world news
- I am an International user wanting to view British and International news
Sadly, the changes made no longer allow for the last use case – which is a pretty vocal set of people.
Technical challenges that have caused this change
The BBC says it’s doing this for a number of reasons. Serving video has become complicated – pages designed for a UK audience don’t play the video intended to accompany the page when viewed internationally, as the BBC rarely has rights to show such video. The BBC is also now serving display and text-link ads to international users – it needs to maximize the efficiency of those ads and design page layouts that accommodate them, while at the same time running a domestic version of the site that contains no advertising whatsoever. The BBC also points out that a section listing UK News is included on the international front page – although I would counter that it is included ‘below the fold’ and doesn’t reflect the same editorial list as the Domestic Front Page.
While I understand and sympathize with the issues raised by the BBC I believe both are solvable very easily and am disappointed that this course of action has been taken.
5uP3r W1z4rd H4XoR
The great news is that due to the way the BBC News Website is built, you can still access the “UK Front Page” via a special hacked-up URL, which I have bundled into a convenient bit.ly url:
http://bit.ly/ukbbcnews
I would suggest adding that to your bookmarks or updating your default start page with this url.
UPDATE: Following on from demand, I’ve also created http://bit.ly/intbbcnews as a dedicated url to the international front page.
Below I have pasted an email I sent to Steve Herrmann, along with Nic Newman (Technology Controller, BBC Future Media: Journalism), Pete Clifton (Head of Editorial Development, Multi-Media Journalism and former Head of BBC News Website) and Richard Sambrook (Head of BBC World News):
Hi Steve,
Just wanted to drop you a line to say that I’m really disappointed with the change to the site today. As you may know I’ve been living in San Francisco since leaving the BBC, so I’m an international-based user these days
Understanding the way the site is published I completely comprehend the point on your blog post that “all the same content will be available as now so you’ll still be able to get both UK and international news wherever you are” but that’s only true in so far as the stories themselves.
The specific editors decision as to what is most current and prominent across the domestic and international newscape for a British-focused audience – ie the UKFS Front Page – is no longer available to me (well it is at http://news.bbc.co.uk/nol/ukfs_news/hi/default.stm – but that’s only because I know the hidden urls of the system).
Today is a pretty international news-orientated day because of the Iranian elections, North Korea issues and Guantanamo Bay. However, I notice that a number of UK stories that appear high up in the UK homepage right now have no placing in the top 9 slots of the International Front Page at all. The “News from UK” is way down below the fold, and requires scrolling to get to – it’s nothing more than an after-thought.
I guess I’m not communicating anything new that hasn’t already been voiced by others, other than to say that I’m really really disappointed – both as a user and as a former employee. I understand the technical issues you are dealing with around serving templates built for advertising to the international audience while maintaining non-advertising templates for UK users. And I understand the video issues as well, where rights are not available.
From a product development perspective there are three user stories the BBC News Website has always served:
- I am a UK user wanting to view British and International news
- I am an International user wanting to view world news
- I am an International user wanting to view British and International news
By implementing the changes you have made today, you have effectively trashed that third use case. Or incorrectly assumed the last two are the same, which they are not. It’s very sad and disappointing.
Let me know if I can brainstorm with you guys solutions that you could implement to help you get back to offering all three use-cases. I’m guessing that no one that works on the product development for the site actually uses it outside of the country, so let me know if I can be an advocate to that.
Best wishes,
Ben
Steve wrote to thank me for the email and promised to pass it on to the product development team. I will update this page if/when I get any further replies.
Update: Or, you could just check out the amazingly hilarious yet familiar looking NewsArse instead.
Disclosures: I am a former BBC News Website employee and companies I have a financial interest in supply technology to BBC
Get early access to Wolfram|Alpha now
Much hyped Wolfram|Alpha is due to launch later tonight (or later) but I managed to ’sneak in via the back-door’… essentially query the site directly by circumventing the holding page.
Here’s a test query to start you off and get you in there: http://www.wolframalpha.com/input/?i=who+invented+the+telephone
So far I’m impressed with the Natural Language Processing of plain-text queries and the amount of factual data it has – but I’m not clear where it really adds a lot of value of my life (so far, at least).
Let me know what you think.
Ben Metcalfe explores the intersections of social media, Web2.0 projects in the enterprise, grassroots media/blogging, online media, platforms & API's, disruptive technologies and whatever else captures his imagination.