Ben Metcalfe Blog

Yahoo! have been mopping up the PR fallout from the stripper show that occurred during the Yahoo! Taiwan 2009 Hack Day (if you missed the story, check out Violet Blue’s or Simon Willison’s posts).

Well, the plot thickens, as the most damning photos of the event have mysteriously been removed from public viewing. Flickr user CocoChou had taken probably the most damning photos of the stripping event and uploaded them to his Flickr set of the Hack Day under a Creative Commons license.

However, the 4 photos – which many blogs were embedding and linking to – have been made private in the past few hours, although curiously all of the other 72 photos from the event are still public.

It’s not clear whether Yahoo!, which of course owns Flickr, has put pressure on CocoChou to remove them or whether he removed them independently of any interference. However, it’s difficult to think of reasonable motivations why someone would remove these 4 particular photos from their original 80 and keep the rest up. I have, of course, emailed CocoChou to find out – and I’ll update this post if/when I hear back.

Fortunately I downloaded copies of these photos before they were removed, and in the public-spirited nature you’ve all come to know and love, I’ve re-uploaded them to my Flickr account. Of course I am able to do so legally as they were originally released under a Creative Commons license, which I have perpetuated:

[Four photos: Lap dance from Yahoo! Taiwan Hack Day 2009]

Read More

Metric-orientated user acquisition is definitely the hot topic of the moment here in the Valley (along with “frictionless customer conversion”, as my rad friend Ethan Bloch of Flowtown would say).

[photo: Exit door]

But as we optimize funnelling and conversion for user acquisition within our startups, how many of us have a solid user relinquish process for those users who might want to leave?

As a technologist and generally curious geek, I like to check out most new start-ups that are launched. In fact it’s kinda my job to, and to that end I probably create at least two or three new accounts somewhere a day.

I visit, I sign up, I create an account (“just username, password and email address!”). But that’s the beginning of a probably well-oiled slippery slope. My interest is piqued, I upload my photo, fill out the profile data, connect my Facebook, etc, etc…

But what if I’m now done? “Nah, not interested in what you are doing”. Or, even more importantly, “Er, um!.. I’m put off by this weird thing you’re doing on your site. I don’t like it, so I’m outta here”.

How many sites actually let me delete my account and leave?

Or conversely, how many sites have stubs of my personal data sitting on their servers because there is no easy way for me to remove it – despite being clear I no longer wish to use their service?

Now, I don’t consider myself some crazy privacy whack. I just think it’s pretty reasonable to suggest that if I really have absolutely no interest in using your service at all then I would like to know that you will completely remove my data and forget about me. Data Portability ‘Removability’, if you will :P

Two examples from the real-world…

Earlier today I decided to delete my Tangler account (nothing personal to Tangler, I just don’t use it and it sends me a digest email every week that is just spam to me). I logged in but found no “delete this account”, so I twittered my frustration. Later on Rai from Tangler @replied to me to say that this could only be done via email.

That seems like a FAIL to me.

On the other hand I had a similar-but-positive-outcomed experience with Dropbox last week. Having unshared all of my computers from my account I still had 2gig of orphaned personal files in my storage account that were proving difficult to remove. Bug or user-error I wasn’t sure, but I decided I just wanted to nix my account and start again.

To Dropbox’s credit, it had a “delete this account” option, accompanied by very clear warnings that it was an irreversible decision. They even had a data-capture form to give me the option of explaining my reasons for leaving/deleting my account – which someone personally followed up on with me when I mentioned I was having file deletion issues.

Top marks on responsibility, implementation best practice and most optimized reason-for-leaving collection mechanism (alluded to in #5 in this great blog post on customer feedback).

And that’s all this really has to be: a “delete my account” button at the bottom of your settings/account profile page, a confirmation box and perhaps some way for the user to explain why they want out. On the back-end, a quick purge of that user’s record and perhaps a separate archived audit log so that, if a backup is restored, the deleted accounts can be identified and purged again.
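The back-end half of that recipe, as an added example that is not code from the original post or from any of the services it names: a purge function behind the “delete my account” button, a deletion log kept apart from the main database, and a reconcile step that re-applies logged deletions to a restored backup. The in-memory `UserDB`, `DeletionLog` and the sample user records are assumptions constructed for the example.

```python
"""Account deletion with a separate deletion log, as sketched above.

Added example (not code from the original post or from any of the
services it names). Assumed: a simple in-memory user "database" keyed
by user id, and a deletion log kept outside that database and its
backups, so that a restored backup can be reconciled against it.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class UserDB:
    users: Dict[str, dict] = field(default_factory=dict)  # user_id -> record


@dataclass
class DeletionLog:
    """Stored separately from the main DB, so a restore cannot overwrite it."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user_id: str, reason: Optional[str]) -> None:
        # Only the id, a timestamp and the optional "why I'm leaving" note
        # are kept; none of the purged personal data goes into the log.
        self.entries.append({
            "user_id": user_id,
            "deleted_at": datetime.now(timezone.utc).isoformat(),
            "reason": reason,
        })

    def deleted_ids(self) -> Set[str]:
        return {e["user_id"] for e in self.entries}


def delete_account(db: UserDB, log: DeletionLog, user_id: str,
                   confirmed: bool, reason: Optional[str] = None) -> bool:
    """The 'delete my account' button: purge the record once the user has
    confirmed the irreversible choice. Returns True if a record was removed."""
    if not confirmed or user_id not in db.users:
        return False
    del db.users[user_id]
    log.record(user_id, reason)
    return True


def reconcile_after_restore(db: UserDB, log: DeletionLog) -> List[str]:
    """Re-apply logged deletions to a database restored from an older backup,
    so accounts deleted after the backup was taken do not come back.
    Returns the ids that had to be purged again."""
    resurrected = sorted(uid for uid in db.users if uid in log.deleted_ids())
    for uid in resurrected:
        del db.users[uid]
    return resurrected


def walkthrough() -> dict:
    """Constructed scenario: backup, deletion, restore, reconcile."""
    db = UserDB({
        "u1": {"email": "u1@example.invalid", "photo": "avatar.jpg"},
        "u2": {"email": "u2@example.invalid"},
    })
    log = DeletionLog()
    backup = copy.deepcopy(db)               # nightly backup taken before the delete
    delete_account(db, log, "u1", confirmed=True, reason="weekly digest is spam")
    restored = copy.deepcopy(backup)         # later, ops restore from that backup
    purged_again = reconcile_after_restore(restored, log)
    return {"live": sorted(db.users), "restored": sorted(restored.users),
            "purged_again": purged_again}


if __name__ == "__main__":
    print(walkthrough())
```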

A user relinquish strategy is good for your business

Good user relinquish practice is not only the fair thing to do for your users but it makes sense for business.

What value is there in holding all of this information about users that no longer wish to use your service? Depending on the nature of the service you may even be provisioning resource for these ghost users – resource that you will never see a return on. And VCs/boards don’t want to see exaggerated raw account numbers; they (should) want to know monthly uniques, return visitors, etc.

And if we get into a %age game, removing users from the database who have totally left the service will actually increase the %age of your userbase that returned in the last month! :P

There may also be boring data-storage compliance issues, especially if you trade physically in Europe.

So, that leaves the question: what is your user relinquish strategy?

[photo CC Image Zen]

Read More

Google’s GMail blog has some “handy” advice on how to pick a good password to protect your email account.

Don’t use dictionary words, use mixed case, your eldest kid’s name is a bad choice, etc etc. Yeah that’s great.

But the much bigger security issue I fear is that my GMail username & password is also the same username & password for:

  • My calendar (Google Calendar)
  • My confidential documents (Google Docs)
  • My credit card (Google Checkout)
  • My website’s analytics (Google Analytics)
  • My RSS feed admin (Feedburner)
  • My phone number, voicemail, IMs (Google Voice + GTalk)
  • Some experimental projects (App Engine)
  • My photos and videos (Picasa and YouTube)
  • + more (see your list of Google services you use)

Given the legitimate places you need to put your username and password in order to access your email (ie your email client, which might be sending it in the clear each time it fetches mail), is it too much to rely on its security and integrity for all these other ancillary Google Services?

I am a strong believer that you shouldn’t give your Google username and password to ANYONE for this reason. It pains me to have to give it to RIM but it’s the only way they can push email to my Blackberry.

Security through segregation

It’s really about time Google separated GMail, and perhaps GTalk, authentication from the rest of their properties. At the very least I’d like to see the ability to create a separate password for IMAP/POP access that I can enter into my email client and give to RIM that doesn’t give access to the rest of my Google Account.

However, as Google becomes an ever more vital and relied-upon part of our online workflow (see how many services I use, above), I wonder whether there would be value in offering an optional RSA-style keyfob to help protect access – perhaps for a $20-$50/year fee. I know I would pay, and that PayPal have been offering a product like this for some time at $5 a fob.

Read More

I don’t subscribe to the “everything must be free” meme that basically ignores the intrinsic value a product or service gives you. If a product or service provides me with real value then I am happy to pay for it – either through purchase/subscription or by being monetized via ads/usage data etc.

But I’m surprised at just how expensive some of the darlings of the Web2.0 SaaS era work out to be when used at scale.

Like a crack dealer giving you the first hit free, most of them offer a “free” plan that is clearly designed to be severely limited the moment things begin to work out for you and your business takes off. There’s nothing new with this way of doing business, but have you seen just how much your hits cost once you get addicted?

Two examples that are particularly of mind are Freshbooks and Harvest. Both are great products; built by great people I have had the honor of meeting over the years.

Time tracking service Harvest starts out at $12/month ($144/year) for a single user but at Swordfish Corp there are now three of us, requiring the 5 user plan @ $40/month ($480/year). Not much change short of $500 seems pretty expensive for a year of time tracking.

Invoicing service Freshbooks has a free and slightly limited option for individuals but a company of three would need to use the 3-staff plan @ $39/month ($468/year) but I notice that once we take on a fourth person we would need to skip to the 10-staff plan @ a jaw-dropping $89/month ($1068/year).

When researching these plans, I’m also considering what my future business needs are. With services like these, I want to pick providers who can scale with me as my business (hopefully) grows.

I should point out that one way of getting around this is to share accounts, but for time tracking this doesn’t work and for invoicing, everyone at Swordfish does their own invoicing on their client accounts.

Now, I’m not against paying for these kinds of services in general. Between myself (personally) and Swordfish, I have paid subscriptions to NolaPro (Hosted accounts package), Shoeboxed (receipt and business card data entry) and Flickr.

And I’m not saying that it’s not worth $480 a year to the company for good time tracking. I’m just saying I’m not sure a service like Harvest is offering me $480 of value a year over and above using a simple Google Spreadsheet created in 20 minutes, for free, and shared within the company.

I’m a fan of the Freemium model, but if it’s going to work the numbers can’t exponentially increase as your usage increases – it’s not fair (a form of bait-&-switch from the free accounts) and it’s also not reflective of the true cost of SaaS, where the cost should flatten out at scale.

Read More

Like many of its counterparts, the BBC News Website maintains two distinct versions of its front page – a ‘domestic’ orientated front page and an ‘international’ front page. The domestic front page contains a mixture of British and world-news orientated stories, whereas the international front page only includes British news if it’s of world-wide interest.

Any visitor to the site could select which version they wanted to receive.

Until last week, that is, when the BBC decided to start forcing its visitors to take the version intended for the territory from which they are visiting.

As an ex-pat living in San Francisco, California that means I am now forced to take the international front page despite being very interested in British news (I’m a British citizen, tax payer, voter and still have interests in the UK).

[screenshot: BBC News Website]

Those of you who know my background will also know that I spent six years working at the BBC, predominantly on the BBC News Website – in a technical and product development capacity. I’m therefore doubly interested in this change, as I still feel very proud of the work that I contributed to at what is (in my opinion) the most upstanding source of news around.

Disgusted of Tunbridge Wells, New Mexico (?)

The changes have angered a lot of people, as you can well imagine. Check out the comments on the BBC Editors blog post – which Steve Herrmann (Editor, BBC News Website) tries to address on another post.

The heart of the matter is that the BBC News Website is serving three distinct user stories:

  • I am a UK user wanting to view British and International news
  • I am an International user wanting to view world news
  • I am an International user wanting to view British and International news

Sadly, the changes made no longer allow for the last use case – which is a pretty vocal set of people.

Technical challenges that have caused this change

The BBC says it’s doing this for a number of reasons. Serving video has become complicated – pages designed for a UK audience don’t play the video intended to accompany the page when viewed internationally, as the BBC rarely has rights to show such video. The BBC is also now serving display and text-link ads to international users – it needs to maximize the efficiency of those ads and design page layouts that accommodate them, while at the same time running a domestic version of the site that contains no advertising whatsoever. The BBC also points out that a section listing UK News is included on the international front page – although I would counter that it is included ‘below the fold’ and doesn’t reflect the same editorial list as the Domestic Front Page.

While I understand and sympathize with the issues raised by the BBC I believe both are solvable very easily and am disappointed that this course of action has been taken.

5uP3r W1z4rd H4XoR

The great news is that due to the way the BBC News Website is built, you can still access the “UK Front Page” via a special hacked-up URL, which I have bundled into a convenient bit.ly url:

http://bit.ly/ukbbcnews

I would suggest adding that to your bookmarks or updating your default start page with this url.

UPDATE: Following on from demand, I’ve also created http://bit.ly/intbbcnews as a dedicated url to the international front page.

Below I have pasted an email I sent to Steve Herrmann, along with Nic Newman (Technology Controller, BBC Future Media: Journalism), Pete Clifton (Head of Editorial Development, Multi-Media Journalism and former Head of BBC News Website) and Richard Sambrook (Head of BBC World News):

Hi Steve,

Just wanted to drop you a line to say that I’m really disappointed with the change to the site today. As you may know I’ve been living in San Francisco since leaving the BBC, so I’m an international-based user these days.

Understanding the way the site is published I completely comprehend the point on your blog post that “all the same content will be available as now so you’ll still be able to get both UK and international news wherever you are” but that’s only true in so far as the stories themselves.

The specific editor’s decision as to what is most current and prominent across the domestic and international newscape for a British-focused audience – ie the UKFS Front Page – is no longer available to me (well it is at http://news.bbc.co.uk/nol/ukfs_news/hi/default.stm – but that’s only because I know the hidden urls of the system).

Today is a pretty international news-orientated day because of the Iranian elections, North Korea issues and Guantanamo Bay. However, I notice that a number of UK stories that appear high up in the UK homepage right now have no placing in the top 9 slots of the International Front Page at all. The “News from UK” is way down below the fold, and requires scrolling to get to – it’s nothing more than an after-thought.

I guess I’m not communicating anything new that hasn’t already been voiced by others, other than to say that I’m really really disappointed – both as a user and as a former employee. I understand the technical issues you are dealing with around serving templates built for advertising to the international audience while maintaining non-advertising templates for UK users. And I understand the video issues as well, where rights are not available.

From a product development perspective there are three user stories the BBC News Website has always served:

  • I am a UK user wanting to view British and International news
  • I am an International user wanting to view world news
  • I am an International user wanting to view British and International news

By implementing the changes you have made today, you have effectively trashed that third use case. Or incorrectly assumed the last two are the same, which they are not. It’s very sad and disappointing.

Let me know if I can brainstorm with you guys solutions that you could implement to help you get back to offering all three use-cases. I’m guessing that no one that works on the product development for the site actually uses it outside of the country, so let me know if I can be an advocate to that.

Best wishes,
Ben

Steve wrote to thank me for the email and promised to pass it on to the product development team. I will update this page if/when I get any further replies.

Update: Or, you could just check out the amazingly hilarious yet familiar looking NewsArse instead.

Disclosures: I am a former BBC News Website employee, and companies I have a financial interest in supply technology to the BBC.

Read More

Much hyped Wolfram|Alpha is due to launch later tonight (or later) but I managed to ‘sneak in via the back-door’… essentially query the site directly by circumventing the holding page.

Here’s a test query to start you off and get you in there: http://www.wolframalpha.com/input/?i=who+invented+the+telephone

So far I’m impressed with the Natural Language Processing of plain-text queries and the amount of factual data it has – but I’m not clear where it really adds a lot of value to my life (so far, at least).

Let me know what you think.

Read More

Here at SxSW we’ve just launched a glimpse into some future product direction we’re working on at Seesmic. During the Facebook panel, we announced Seesmic for Facebook.

[screenshot: Seesmic for Facebook]

Seesmic for Facebook lets you keep track of your friends’ Facebook status and easily update your own. It is based on the technology behind Twhirl, our popular desktop client for Twitter, Seesmic and identi.ca.

This is very much a beta release from us (for those who remember the old skool definition of beta). We wanted to get something out soon, to gauge people’s reactions and product requirements. We’re not sure (/not saying!) where this is all heading but rest assured we’ll be bolting on a lot more functionality onto the Facebook client as we further develop it and the Facebook API matures further.

You can try out Seesmic for Facebook by checking out the application on Facebook. It’s based on Adobe AIR, so you will need to have that installed already (don’t worry, it’s free and painless).

Read More

Can’t believe this hasn’t been picked up by the major blogs yet, but I’m seeing a lot of friends having their twitter account compromised with this unauthorized tweet:

hey! 23/Female. Come chat with me on my webcam thingy here www.chatweb*********.com

(redacted by me).

A quick search on Twitter Search shows this is happening to a very large number of people. (If you do visit the site, be aware it’s NSFW).

How is this happening?

The most likely vector of this attack is probably via one of the numerous 3rd party Twitter services that ask for your username and password in order to provide additional functionality (statistics, alerts, etc).

It’s unlikely that any reputable service would have done this intentionally, but very likely someone was able to maliciously gain access to their database and steal all of the twitter username/passwords. Because these services must authenticate with Twitter directly it’s not possible for them to store the passwords hashed.

The answer to this is OAuth, which Twitter is in the process of launching.

A most recent check of Twitter search shows that the last message was posted 2 hours ago as of the time of writing, which probably means Twitter has put a stop to this – presumably by blocking any posting of that specific string of text. That doesn’t mean the attackers won’t try again with a different message.
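This is the same fix the GMail post above asks for (a separate IMAP/POP password that can’t reach the rest of the Google Account) and the one OAuth gives Twitter’s third-party services: the provider issues scoped, revocable per-application credentials, stores only their hashes, and never lets the master password leave the user’s hands. The following is an added example, not Google’s, Twitter’s or any third-party service’s code; `Account`, `issue_app_credential`, the scope strings and the direct issuance (standing in for a real OAuth redirect flow) are all assumptions.

```python
"""Scoped, revocable per-application credentials in place of the master
password. Added example (not the code of any service named on the page).
Simplified: credentials are handed out directly rather than through an
OAuth redirect flow, and everything lives in memory."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


def _digest(secret: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the provider stores only these digests, so a dump
    # of its own table yields neither app secrets nor the master password.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class AppCredential:
    label: str          # e.g. "Blackberry mail client", "tweet stats site"
    scopes: Set[str]    # the only operations this credential may perform
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    username: str
    master_salt: bytes
    master_digest: bytes
    app_creds: Dict[str, AppCredential] = field(default_factory=dict)

    @classmethod
    def create(cls, username: str, master_password: str) -> "Account":
        salt = secrets.token_bytes(16)
        return cls(username, salt, _digest(master_password, salt))

    def check_master_password(self, password: str) -> bool:
        """Used only by the user at the provider's own login page."""
        return hmac.compare_digest(self.master_digest,
                                   _digest(password, self.master_salt))

    def issue_app_credential(self, label: str, scopes: Set[str]) -> Tuple[str, str]:
        """Return (credential id, secret). The secret is shown once; it is
        the only thing the email client or third-party site ever holds."""
        cred_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.app_creds[cred_id] = AppCredential(label, set(scopes), salt,
                                                _digest(secret, salt))
        return cred_id, secret

    def revoke(self, cred_id: str) -> None:
        """The user's answer to a leaked third-party database: one click,
        and the stolen credential is dead without a password change."""
        self.app_creds[cred_id].revoked = True

    def authorize(self, cred_id: str, secret: str, needed_scope: str) -> bool:
        """True only if the credential exists, is not revoked, matches its
        digest, and carries the scope the request needs."""
        cred = self.app_creds.get(cred_id)
        if cred is None or cred.revoked:
            return False
        if not hmac.compare_digest(cred.digest, _digest(secret, cred.salt)):
            return False
        return needed_scope in cred.scopes


if __name__ == "__main__":
    acct = Account.create("ben", "master-password-example")
    cid, secret = acct.issue_app_credential("Blackberry mail client", {"mail:imap"})
    print("IMAP allowed:", acct.authorize(cid, secret, "mail:imap"))   # True
    print("Docs allowed:", acct.authorize(cid, secret, "docs:read"))   # False
    acct.revoke(cid)
    print("After revoke:", acct.authorize(cid, secret, "mail:imap"))   # False
```

A credential issued to a stats site with `{"tweet:read"}` can read but not post, and revoking it ends the exposure without touching the master password.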

My advice is:

  • Change your password, especially if you have been attacked by this.
  • Never use the same password you keep for Twitter anywhere else
  • Limit the number of sites you put your Twitter username/password into.
  • Change your password often, so that old sites you no longer use don’t still have access to your account.

Read More

A couple of thoughts on today’s news that Jason Calacanis employed John Schiefer, at Mahalo (or more accurately, that he didn’t fire him when he found out about his past). For those who don’t know, before he worked at Mahalo Schiefer got caught up in creating a botnet that was later used to raid people’s financial accounts.

I usually give Jason Calacanis a rough ride – the guy wants to be a “jock of the internet”, comes across as such, and so the nerds are going to throw shit from the peanut gallery. I don’t get why that’s really a big surprise – I just get frustrated that I become part of the spin as I feed into it.

But on this one I actually congratulate Jason for having the courage and the integrity to make a decision based on the actual situation rather than bowing to ‘keeping a front’ that would be more media and investor friendly.

As Jason points out in his blog post, many of us with powerful technical skills and understanding have at least experimented with putting those skills to less-savory uses. We all have a past, even people like me who don’t work directly in any IT-security related areas of the industry. But from what I can tell John was employed to work in a security-orientated position, and those are the very people you want to have a past in this area – so they know their field of expertise inside and out.

I’m not sure I’d hire any engineer or ops person to work in a security-related position who I knew didn’t have a history on the other side of the line. Of course, I would want to know they are done with that part of their lives.

This is true for other areas in technology: if you’re building an online music store you’d hope that your product people download a lot of music illegally using BitTorrent and Kazaa (so that they are totally across the other options out there). If you’re developing the Windows OS for Microsoft, it would be a good idea to regularly use Apple and *nix operating systems to understand what’s out there. This is a design pattern I don’t see anywhere near enough in business, and it’s the root of a lot of failures.

Back to the Schiefer story: some folks in the media, such as Rafe Needleman on Webware, have spun up a load of FUD around whether Schiefer had access to personal information and the level of ‘supervision’ he was given once Calacanis found out about his past.

What Rafe and others need to consider is that all technical employees at a company have full and complete access to their customers’ data. In fact they have the root and master accounts, so they don’t even need any cracking skills to gain access. The fact Schiefer could crack doesn’t give him any greater access to this data.

Now, the argument could be raised that Schiefer’s history meant he shouldn’t be trusted. But I ask you to consider what %age of Google, Facebook or any other tech company’s engineering team is made up by people who have dabbled in illegal technical activity? The fact they may or may not have been caught shouldn’t reflect on whether you trust them more or less. The bottom line is most people are not caught. One of the biggest employers of engineers who have been caught committing cyber-related crimes are governments.

Further still, what about people with the same level of ‘master’ access at companies you patronize who have committed other crimes of moral turpitude? This even follows through not only to engineers but non-tech staff too, even as far down as call center staff.

The bottom line is that all companies need to have measures in place to protect their customers’ data inside the firewall, as well as outside. And it varies as to how good a job they do.

But to take issue like this specifically because someone had a history of cracking shows a vast naivety of the business. You want people who have this kind of history in your security team.

Read More

It’s been interesting to read many people describe the recent Facebook announcements (including today’s) as “Facebook opening up”. While it is true, they are – and should be congratulated for it – there are greater reasons for them doing so than just ‘pure altruism’, as some people have suggested.

It seems pretty clear to me that Facebook’s business model is shifting towards one of data mining and analytics – where they are able to leverage the collective thinking of everyone contributing their ‘stuff’ into the Facebook bucket.

Let’s take a quick look at the theme of Facebook’s recent announcements:

  • early Feb: Terms of Service changed to give FB perpetual right to keep all data you give them (later repealed due to public outcry)
  • Feb 19: Commenting on public pages with FB Connect
  • Mar 4: New Publisher (twitter like) and Highlighter (ranking content) functionality,

Let’s take a quick look at what those announcements gave us:

First off was the ToS changes – which for me was a clear indicator Facebook wanted to do more with the data it holds than just display it to your friends and use it to make recommendations on other content you might be interested in. If Facebook is going to move into a data play then it needs to make sure it can retain all of that data despite what the user might want to do with their view of it. It becomes tricky to have to remove arbitrary data from the cube because a user requests it, plus it devalues your model – and why would you want your model devalued?

OK, so they backed off with those sweeping changes, but only because of the fallout it created for the company. At that point, they had still partially shown their hand.

In addition to the data Facebook keeps inside its database there is also the metadata that Facebook can gather about what’s going on outside its domain – and that’s where functionality like commenting on external pages, released at the Facebook garage, comes into play. Putting Javascript calls on foreign pages also allows Facebook to match up visitors with a Facebook cookie and track their usage of that site even if they never interact with any Facebook-powered functionality.

Today’s announcement of the Publisher functionality built on top of rudimentary twitter-like functionality with status requests that we’d begun to see with the Facebook comment boxes used during the Presidential Inauguration and more recently the live streaming of Demo 09. Highlighter also further aids the recommendation and collaborative filtering of content by peers in order to work out what is currently most interesting and most engaged with. Facebook call the subset that you can see of your friend’s output as your “social lens”. This is true, but at the macro level of the system, Facebook ends up with a complete lens of what everyone is filtering and sorting and ranking.

So where is this all going?

Facebook is moving into a new gear, encouraging constant flow of status updates and conscious thought (publisher, status messages), creating deeper indicators of intent and interest (highlighter, like functionality, etc) and behavioral indicators (integration with location based services such as brightkite, events, etc).

What this gives Facebook is the ability to gauge what is hot, popular and current in real time. It also gives Facebook historical data to track changing interest and attention over time. There are many uses for this data – including in the financial and trading sector, brand management, competitor analysis, real time consumer attention tracking.

Twitter is also doing this, but they have one dimension of data (text). Facebook has many dimensions of data that can go into their cube, and their sample size is much higher given their 175 million users vs Twitter’s 4-6 million.

I spent a lot of time working with MySpace last year, and one of the things that impressed me the most was their ability to monetize their pages with advertisements – ones that used a combination of technology (for user targeting) and business development (for high-yielding ‘take over pages’, sponsorships, promo tie ins, etc). They’re probably the best in the business at it.

However, advertising on its own is a Web2.0 business model, and while I don’t want to go so far as to say data mining is going to be the Web3.0 business model, I do think we’re going to see a greater use of it moving forward – with industries who can benefit from it becoming a lot more receptive and engaged with the process, in the same way that the digital agencies became popular as advertising wanted to move into the online space.

Risks for the ecosystem

The benefit of being ‘open’ and part of the ecosystem is that everyone gets to play and share, and new 3rd party innovation and business can be created with it. While this is true, those 3rd party participants in that ecosystem need to be careful not to lose sight of their own ability for commercial success. All of these announcements have included new ways to leverage the Facebook APIs to help users shovel more stuff into the Facebook Bucket. Those ‘spades’ must be clear how they will make money, given that they will not have access to the data or the ability to monetize it like Facebook will.

I’m not trying to be bearish on the Facebook API or platform – far from it. I merely wish to offer a sense of perspective and to urge developers to consider carefully the business models of everyone within the stack they are participating in. There is opportunity and success in here for everyone, but we must all be cognizant of where it lies and to what extent each level in the stack is able to capitalize upon it.

Read More