Ben Metcalfe Blog

Archive
January, 2010 Monthly archive

In the past couple of days I’ve been involved with the cleaning up of a number of successful SQL Injection attacks on WordPress blogs, including one that was running the most recent version 2.9.1.

Then last night I read that TechCrunch was also hacked (their post on it seems to re-direct to an interstitial ad – which I’ve never seen on TC before and makes me wonder whether they are trying to put up ‘interference’ here).

From what I can see it looks as though the vector that I have seen could also have been used to do this to TechCrunch. I don’t know what version of WordPress TechCrunch runs.

I’ve decided not to give the details of who was affected or too much info about the attacks, although the two common occurrences I’m seeing with all of the sites exploited are:

  1. They are using WP-Cache or WP-SuperCache
  2. They are running on the RackSpace Cloud Sites serving platform

I should state for the record that at this point I do not have any evidence that RackSpace Cloud Sites is vulnerable, I’m just noting that all of the examples I’ve seen have occurred on RackSpace Cloud Sites, and I believe TechCrunch runs on Rackspace Sites too. Conversely I’ve not heard of any non-RackSpace Cloud Sites blog having any problems, and I’ve not had any issues with my blogs either (other than a botched upgrade to 2.9.1 just now due to human error, doh!).

Although I don’t want to give out specific information, some interesting discussion is occurring on a thread of HackerNews, especially this sub-thread.

Advice

While we wait to see if/how the WordPress developer community responds to this, my only advice is to make sure all of your directories and files are locked down (chmod 700 works fine on RS Sites), and that you are running the latest version of WP & all of your plugins. You might want to keep an extra eye out if you are using RackSpace Cloud Sites (or your hosting reseller does) and make use of WP-Cache/WP-SuperCache.
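Here is an added example (not code from the original post, and not WordPress’s own tooling) that turns the advice above into a repeatable check: it lists every directory or file that is looser than 700/600, tightens them on request, and prints the installed core and plugin versions so they can be compared against the current releases. The function names are mine; it assumes the standard WordPress layout (`wp-includes/version.php`, `wp-content/plugins/<plugin>/`) and a host where PHP runs as the file owner, which is the situation the post describes on RackSpace Cloud Sites.

```shell
#!/bin/sh
# Added example, not from the original post or from WordPress: a small POSIX sh audit
# for the lockdown advice. Assumes a standard WordPress tree and a host where PHP runs
# as the file owner (the post says chmod 700 works on RackSpace Cloud Sites for that
# reason). Function names are this example's own.

# Print every directory not at mode 700 and every file not at mode 600 under $1.
# Empty output means the tree already matches the recommended lockdown.
wp_list_loose() {
    [ -d "$1" ] || { printf 'not a directory: %s\n' "$1" >&2; return 1; }
    find "$1" \( -type d ! -perm 700 -o -type f ! -perm 600 \) -print
}

# Tighten the tree: directories to 700, files to 600. Run wp_list_loose first so you
# know exactly what will change.
wp_lockdown() {
    [ -d "$1" ] || { printf 'not a directory: %s\n' "$1" >&2; return 1; }
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Print the installed core version. wp-includes/version.php carries a line of the form
#   $wp_version = '2.9.1';
# so strip the assignment and the quoting and keep the version string.
wp_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || { printf 'no %s\n' "$f" >&2; return 1; }
    sed -n 's/^\$wp_version *= *//p' "$f" | tr -d "'\";"
}

# Print "<plugin-dir> <version>" for each installed plugin, taken from the "Version:"
# line of the plugin's header comment (e.g. " * Version: 0.9.9"), so the list can be
# compared with the versions currently published for each plugin.
wp_plugin_versions() {
    for d in "$1"/wp-content/plugins/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        ver=$(cat "$d"*.php 2>/dev/null \
              | sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' \
              | head -n 1 | tr -d '\r')
        printf '%s %s\n' "$name" "${ver:-unknown}"
    done
}

# Usage: sh wp-lockdown.sh audit|lockdown|versions /path/to/wordpress
if [ $# -eq 2 ]; then
    case "$1" in
        audit)    wp_list_loose "$2" ;;
        lockdown) wp_lockdown "$2" ;;
        versions) wp_version "$2"; wp_plugin_versions "$2" ;;
        *)        printf 'unknown command: %s\n' "$1" >&2; exit 2 ;;
    esac
fi
```

The 700/600 lockdown only makes sense where the web server executes PHP as the same user that owns the files; on a host where the server runs as a separate account (the common www-data arrangement), those modes would stop it reading the site at all, so use the permissions your host documents instead. Under the file-owner model, WP-SuperCache can still write its cache under wp-content because the writing process is the owner.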

I remain a massive fan and supporter of WordPress.


Today’s NYTimes article “With Kindle, the Best Sellers Don’t Need to Sell” waxes lyrical about the opportunities independent writers smaller publishing houses have found by publishing their works free of charge for Kindle. By doing so, many have made it into the Amazon Kindle Bestseller List.

Indeed, at the time of writing this, the top two books in the Kindle Bestseller List (Cape Refuge and Southern Storm both by Terri Blackstock) are free. In total, 15 of the current top 25 Kindle Bestseller books are available free of charge.

(UPDATE: Terri Blackstock left useful comments below)

But what doesn’t add up is that Amazon forces authors publishing works into the Kindle Marketplace to set a minimum price of $0.99c (see notes in red near bottom of the page).

I’ve just checked and confirmed this important fact, missed by Motoko Rich who wrote the NY Times piece, with my partner Violet Blue. Violet is an Amazon Bestselling author herself who has published 24 of her books into Kindle format.

Using her account in Amazon’s Digital Text Platform (DTP) I confirmed she is unable to set any of her books below 99c. In fact, she told me she would like to offer some of them for free if she could. (Violet has screen-grabs of her DTP interface on Flickr)

Back to the New York Times article, it paints a now familiar “free culture kicks it to the old guard” story of how independent writers smaller publishers are publishing their works to Kindle for free and then getting signed/distribution deals with publishing houses to sell hard-copy versions commercially.

Something fishy going on

But this doesn’t stack up, as it is impossible for an independent author like Violet to publish free for Kindle. From what I can see there is one of two possibilities here, both of which make a much deeper and more interesting story:

Possibility #1: Amazon is entering into special agreements with certain independent writers smaller publishers – and thus not playing a square game with the rest of their authors. Perhaps this is to drive traction to their e-reader, but to the detriment of maintaining a level playing field and equal publishing ecosystem. Or…

Possibility #2: Mainstream publishers (who apparently use different platforms to publish ebooks into Kindle marketplace) are able to set a zero price on their books. I note this option because those two free books written by Ms Blackstock are also available as ‘hard-copy’ paperbacks for $10.19 published by publishing house Zondervan.

I’ll leave the fact that Zondervan is an overtly Evangelical-style Christian publisher, and thus the burning question as to whether they are gaming the Kindle ‘free gets you to the top of Kindle Bestseller’ hack to spread covert pro-Christianity rhetoric in the form of works of fiction, to the conspiracy theorists out there.

I write the above with the disclosure that I find the DRM-laden nature of the Amazon Kindle almost as abhorrent as the spreading of pro-religious rhetoric via means that appear secular on initial inspection (see Alpha Course, books by C. S. Lewis, etc.)

UPDATE: Upon a second read of the NY Times piece in follow up to a comment left below, I noticed that the piece was centered around smaller publishers rather than independent authors per se, so I have struck out those references where made. However, there remains a big story here which is why publishers are able to offer books for free when the independent authors seemingly can’t.


Yahoo!’s announcement that it is shutting down its Yahoo! Shopping Web Services API should send a cautionary note to anyone relying on the one-time darling of the open API landscape to continue to provide them all the API services they currently enjoy.

Now, I’m not trying to paint a dark and bleak picture of the current situation. But it is fair to say that the future of Yahoo!’s API landscape going forward is confused and unclear.

And I say that not as a nay-sayer or doom-merchant – I’ve been a champion of open APIs for a long time now and even supported Yahoo! by actively participating in their Hack Days around the world, building hacks on top of the platform and even famously slapping a stupid sticker on my forehead to promote the cause (which I hear was a favorite slide in the decks of certain Yahoo! executives for a while).

Mash up or Shut up

However the bottom line is this: Yahoo! has successfully dug deep roots in the API platform space over the years, probably more so than any other company I can think of. And if some of these roots are dug up and removed it’s going to leave massive holes in the ecosystem.

The Yahoo! Shopping API is one example that has already occurred. Practically speaking the impact of this particular API is not massive as it was hardly a core API proposition. However, I still remain very concerned about the future feasibility of core services such as Yahoo! BOSS given that Yahoo! is retiring its search activities and handing the baton over to Bing. It’s not clear to what extent the platform will be serviced and maintained once search is powered by Microsoft.

I know many startups that are utilizing BOSS openly and many more that utilize it covertly behind the scenes – the loss, should it be removed, would be great.

Another example where developers have demonstrated caution has been Yahoo!’s implementation of OpenSocial across its many properties. Not only has the implementation been unclear (there isn’t even an official “OpenSocial on Yahoo” homepage) but developers have found it difficult to justify building apps for platforms that could be deadpooled or sold off with little notice.

So where does this leave us?

Well, Yahoo! in its current position is probably doing the right thing to trim back the fat by closing under-serving properties (and the APIs that go along with them). But it leaves a cautionary tale for both API vendors and API consumers.

API vendors need to consider their long-term strategy of what they are propositioning. That big “we’re so open it hurts” fanfare is going to cost you down the road if you can’t maintain it. In many ways, removing an API is worse than not offering it at all.

API consumers need to consider carefully the viability of the services they are using, especially if they are leveraging them for commercial use or as an intrinsic part of their value proposition. Look for freemium models that indicate viability, or build agile adapters that can be quickly swapped out to a different vendor at short notice (assuming there is one).

My prediction for 2010 is that we will see a lot of APIs and platforms go dark during the year, especially in the ‘free’ space. It will be interesting to see the fallout from these and the way that startups pivot around the sudden departure of a key provider in their value chain.
