Tom Dalton :: Doer of Good

Have you ever searched for yourself online? Or for other people? I do all the time. (Both.)

And it turns out -- there are a lot of Tom Daltons out there!

I can't give company names on this one, but I dealt with two lawsuits in one week, once. One turned out to be an idle threat, and the other was filed in the District Court and served in triplicate.

Intrigued? Here's how it went down:

It really bugs me when I see a result in a Search Engine Result Page (SERP) that looks exactly perfect -- then I click it and get redirected to a page telling me to "subscribe and see the full article!"

So I figured out a way to get around it, at least in certain conditions.

Hey, everybody! Ambient Light is pleased to introduce to you the next great revolution in Internet Gambling.

InstaWin

Win money faster than ever before! Win more money than ever before! 98% payout guaranteed! Experience the purse-gripping thrill of InstaWin by clicking on the link below:

The greatest thing about InstaWin? You're guaranteed to win! Every time!

That's right; every single time you play InstaWin, you're a winner!

How much can you win? That's up to you! For every dollar you send us, you'll win $.98 -- instantly!

Send us $100, and you'll get $98! A play of $1000 nets you a cool $980 cash!

All the fun of gambling, without the smoky environment, depressed and malnourished addicts, and soulless employees. With InstaWin, gambling is truly a great pasttime once again!

Q: There are a number of sites I've seen that have more META tags than just
description and keywords. Are any of the others (such as revisit-after)
valuable?

http://www.html-reference.com/META_name_revisitafter.htm

A. Good question. I'll answer it, and give you the helpful Parable of the Retarded Newspaper Boy to help answer many of the other questions that you might come up with.

(And no, you're not the retarded one for asking.) (And I use this analogy with a keen awareness of the political incorrectness of so doing -- please forgive me; I mean no harm.)

I searched for "Paul Allen."

Yahoo suggested, "Did you mean 'PAUL ALLEN OCTOPUS?'"

I figured that must be what I meant, really, so I clicked on that.

The first result was this fine example of Internet Spam:

http://www.yachtinglovers.info/yacht-rental-chicago/paul-allen-yacht-octopus.html

Check out this compelling marketing copy:

==================
If you're looking for a high standard paul allen yacht octopus site you know you can count on, we suggest the above web site. We have taken the tiresome task out of your paul allen yacht octopus shopping and reduced our list of paul allen yacht octopus web sites down to only finest around.
==================

It boggles the mind, hey? But at least it will speed up my paul allen yacht octopus shopping.

Thank goodness for the awesome power of the Internet.

Want to sell stuff on eBay? The picture makes all the difference in your final price.

Here are a collection of articles with enormously practical tips for taking professional-looking product photos.

http://pcworld.about.com/news/Oct142003id112658.htm >> General overview of taking the picture and applying perspective

http://www.graphic-design.com/Photoshop/extracting/index.html >> Talks about the "extract" filter -- a quicker, often better tool than the simple lasso tools

http://www.graphic-design.com/Photoshop/Tips/rotating.html >> An overview of Photoshop "actions" -- a system to automate removing backgrounds, applying the "auto-levels", or whatever else

http://www.betterphoto.com/forms/qnaAll.asp?catID=198 >> A Q&A-style forum with relevant questions and some very practical, simple advice (scroll down!)

http://www.connectedphotographer.com/issues/issue200407/00001331001.html >> Another detailed article with good suggestions for taking the picture right to begin with

Remember, when taking pictures for the web: high resolution is not that important. Good lighting is the most important thing!

(And, yes, I did post this just as a reference for me, someday.)

This amazing story was emailed to Google and posted on their site. Briefly, a couple's baby was diagnosed as needing an immediate blood transfer. The couple Googled the condition on their cell phone and found a medical journal that suggested the symptoms the doctors saw were actually quite normal for twins (of which their baby in question was one). They showed the phone and results to their doctor, who went quickly and met with several others. Couple hours later, they came back and and agreed that they didn't need to perform the transfusion.

Search literacy is literally saving lives. The Internet gives us access to more information than anyone could ever hold in their brain. "Access to is better than ownership of..." A financial principle that applies to knowledge as well.

Original story at the "read more" link...

According to a recent study by Stanford researchers, overall graphic design is three times more important than the actual accuracy of the information on a website, in helping people determine credibility.

Why isn't every web design company in the world posting this data to their homepage?

The following elements come from a study conducted by BJ Fogg and the Standford Credibility Project. (That's probably not it's real name, but I'm in a hurry.) They had 2500 people take an online survey, where each person assessed two sites from each of ten different categories (sites chosen from a pool of 10 for each category). Participants reported their opinions of the credibility of each site, and researchers coded the responses into the following groups:

This justifies a pretty expensive designer, if you ask me. Amazing.

Stopdesign.com -- a beautiful site. I knew I'd enjoy reading as soon as I stumbled across it, and then I ran into this collection of sites:

http://www.stopdesign.com/examples/css/vault/

It's 144 astonishing sites, a great resource for budding designers or anyone looking for some ideas.

I'd also highly recommend poking around Stopdesign. The portfolio section is probably my favorite portfolio I've ever seen, and he offers a free set of templates for a photo gallery. (You might even see those templates here, one of these days!)

Omniture is one of the leading web analytics vendors in the world. Their program, SiteCatalyst, uses cookies to track visitors for websites such as eBay, Novell, and Ameritrade. For these websites, the data SiteCatalyst provides is incredibly useful and important.

Wonder if you've visited a site tracked by Omniture? Of course, you can "view source" on whatever page you question, and look for a set of tags that say "Omniture" in a commented header. You should see something like the following:

var s_server=""
var s_channel=""
var s_pageType=""
var s_prop1=""

(I won't put more, because the code is copyrighted...)

More sneakily, though, you can check to see if you have a cookie from 2o7.net. That's the domain Omniture uses for their tracking cookies. If you've got one, congratulations! You're helping some smart web-marketer make more money.

Layers of sarcasm aside, there is no actual danger presented by the 2o7 cookies. I actually rely on the information we get from Omniture to help our clients, and I've tested to make sure it's not leaking information.

If you are concerned, you can set your browser to allow cookies "for originating site only." Your personal information won't be any more secure, but you will have thwarted (or at least hindered slightly) the efforts of those who would cater the Internet to your tastes.

I've tried to stay out of the fray, so far, telling clients that they can pick whatever tracking system they want -- that SiteCatalyst and WebTrends both offer a good tracking system and we can work with whatever. Trying to do some conversion enhancement for a client who uses WebTrends today, though, has been so frustrating that I am forced to throw my lot in with Omniture.

SiteCatalyst, in my humble (professional, but still humble) opinion, beats the pants off of WebTrends. The default reports in SC are so much more intuitive and helpful. Every single thing I wonder about my current client's site requires me to jump through hoops to answer in WebTrends.

For instance: from the home page, which page is the most popular next page?

The default report that WebTrends gives me shows the most popular second page -- regardless of what people's first page was. How is that useful? And even from that default report, I can't figure out how to get the report that I really want. Clicking on the individual pages doesn't bring up the reports starting from those pages; it brings up those pages in new browser windows.

It's almost painful.

Another interesting (frustrating) example: when I look at the "referring domains" report, WT gives me five bars. One is "direct traffic," which drives the most by far, and then there's one for each of the major search engines. And nothing else. Nothing to indicate what percentage of the total traffic I'm looking at. When I clicked the button that I thought might expand the report and give me all the information, it "minimized" it for me, instead.

Improving conversion rates should be based on data. When that data is reduced to a few, colorful bars, my recommendations are similarly reduced.

I'll spare you the rest of the examples. If you want to switch to Omniture, give me a call! We can hook you up for a good price, install it for you, and help you make good decisions with the information.

One of the problems I've been pondering for a while is how to automatically arrange a set of words into the logical order.

"New Restaurant York," for instance -- should probably be written as "new york restaurant."

How do we get computers to know that? One idea is to just run each possible arrangement of words through Google (in quotes), and see which comes up with the most results. But that uses so much bandwidth that Google will shut down any IP address pretty quickly, if you need to test more than a handful of words.

However, Google Suggest provides the data we need, much more quickly and without formatting it into a messy html page.

http://www.google.com/complete/search?hl=en&js=true&qu=tom+dalton

I wonder how closely they're watching this link for traffic surges. They've got to allow more queries on that address than the main Google pages. It's an interesting option, anyway.

I still think the best approach, though, is to spider the net and make my own database to work from. And there are so many other cool things that I could do with that data.

Hey! Tom LeBaron and I won first place in an Omniture-sponsored web analytics contest. I've always, always wanted an oversized novelty check. That's even better than a trophy! We just appeared again on the front page of the Marriot School eBusiness Center newsletter:

Web site analysis technology became the buzzword across campus this past semester through the first Web Analytics Competition. Students who participated in the competition had the opportunity to expand their knowledge of web site analysis and develop skills that put them ahead of their peers.

Seventy students composed the thirty-two teams that participated in the competition which was sponsored by the Kevin and Debra Rollins Center for eBusiness and Omniture Inc., a web analytics company.

“A lot of them did it just for the experience,” said Derrick Davis, the eBusiness Center student lead in charge of curriculum and competition. “Students wanted to learn more.”

Students used Omniture’s SiteCatalyst, a product that tracks statistics from other companies’ web sites. Omniture sent one of their own trainers to explain how to use SiteCatalyst and to introduce the company hobbytron.com, which served as the students’ client during this hands-on experience.

“‘Omniture University,’ is the training Omniture gives its professionals, which usually is a two-day class,” Davis said. “This was condensed into two hours for students.”

Students had two weeks to work on the project by themselves until they presented their finding to the judges, which consisted of Omniture CEO Josh James, NextPage Marketing Vice-President Cydni Tetro, and other Omniture executives.

Four finalist teams were called back to the final competition on 11 November. Davis said that the judges commented that half of the groups did better than their employees.

Cameron Barnes, Omniture group manager, said they were not disappointed with students’ performance and were very pleased with the quality of their work.

“Students displayed high caliber of work and professionalism,” Barnes said. “The site they were working with had some hard-to-find traps, and yet some of the students did.”

The final presentations had the flavor of real world events, with surprises such as the fire alarm going off in the middle of a presentation.

“That’s something I didn’t expect,” said Davis, who was in charge of coordinating the competition from its concept to the final day of events. “I told everybody to get out and come back as soon as possible when the alarm was cleared.”

Tom LeBaron and Tom Dalton received the first prize of $2,500. Brent Dance and Patrick Hillery’s team placed second and was awarded $1,000. The third place prize of $500 went to Jarom Adair. These team’s members received a job interview with the company. “We are grateful for the Omniture Team’s financial and logistical support of this event,” said Dr. Stephen Liddle, director of the eBusiness Center. “Omniture is a great partner and they help us deliver a high-value experience for our students.”

Davis said Omniture executives showed interest in participating again and making it an annual competition.

I'll try and hunt down our Powerpoint presentation -- it has more headlines than content, because we wanted to be able to adjust our presentation to the types of questions and feedback we got from the judges, but it's still interesting.

The tactic that won the day (in my opinion): we presented an executive-level overview. Enough specifics to show that we knew what we were talking about (and some very, very specifics to show that we knew better than anyone else) and then a strategic discussion of how to move forward in cooperation with their IT and marketing teams. Nobody wants to hire an arrogant, hard-to-work-with consultant, and nobody wants to be dependant on that consultant forever. You're going to hire the guy who will work well with your existing (and permanent) teams. We stressed that we didn't want a lifelong dependance, either -- one of our chief goals is to train your team to be able to do this on their own.

It was a great, great day.

Businessweek reports that the first wave of Google Print advertisers were disappointed -- 9 to 1. Only one of ten advertisers saw returns sufficient to justify their investment. Businessweek was quick to declare the death of this program.

I'd like to consider a few points not mentioned in their article (nor in any other coverage I've seen of the matter):

1. How many traditional advertisers can track activity back to a single print ad well enough to justify it on its face? Probably not many. Any single ad is just a blip in an ocean of marketing activity surrounding a brand or product. If (as it appears was the case in this survey) direct marketers are trying to gauge the performance of their print ads with the same level of detail that they judge their Adwords campaigns, of course they were disappointed. What metric were advertisers using to measure conversions from their print ads?

   Consider a kid who read the ad and thought, "That's just the thing for me!" What could that kid then do, that would alert the advertiser to the fact that it was that magazine ad that brought them to the site to buy? Tracking URLs get stripped. People use Google to find URLs even if they have the whole thing there in front of them. The kid could have even come through an Adword ad to get to the site, if the advertiser was bidding #1 on his own brand name or whatever the kid happened to type.

2. The companies participating in this trial probably had no experience in print advertising. Copywriters trained to compose 30-character lines of text to fit in an Adwords slot would have a hard time competing with the Madison Avenue folks also advertising in the magazine. People reading a magazine are in an entirely different mindset than those using Google to search for products. How many of the first wave of advertisers considered the implications and produced creatives as well-tuned for this target market as they are for their online market? (Do any of them remember how successful their first online campaigns were?)
3. Google needs to recognize it is 'leveraging' a different strength here. The Adwords program provides two benefits -- one is the contextual targeting model, which ads in magazines will largely lack. The other, however, is the low-friction marketplace for advertising. As a middleman, Google can provide a much less painful way for advertisers to deal with publishers. If they focus on that, this program will succeed.

The concerns of advertising tainting editorial content are mitigated by Google Print. The constant negotiating and mind-games are removed.

As a vehicle to allow tiny companies to advertise in the great publications of the world, this initiative is probably doomed. But as a step forward in the development of the advertiser/publisher relationship, this is fantastic.

Here's a first-and-last sort of thing: a podcast! I won't be doing this on a regular basis, even though it's almost no work at all. I don't really like the sound of my voice.

But I wanted to show anyone who's interested how very easy it is to make a "professional" podcast. So here's my attempt.

Download MP3: 10x Marketing and Cheap Microphones

The PodCast:

dalton podcast

Here's some nuggets of humor from Yahoo's FAQ about their PPC program:

1. How do I know the Click Protection System is working?

First of all, to verify the effectiveness of the Click Protection System, you must have a tracking URL in place on all of your listings.

With the tracking URL, you are able to review your Web logs for the phrase "source=yahoo." You will be able to see that Yahoo is delivering you lots of targeted traffic, including lots of traffic from sites like Yahoo!, MSN and AltaVista. Read more about tracking URLs.

Um... That doesn't address the question at all. It's a nice, long answer, and most people will probably never read it to realize that it has nothing to do with what was asked, but I did.

2. Does Yahoo! Search Marketing monitor the effectiveness of its Click Protection Software?

When situations arise in which our specialists discover click patterns that do not seem to be valid clicks, Yahoo! Search Marketing immediately refunds affected advertisers.

We had some fun with this one recently. We got charged $14,000 for clicks on an account where we had budgeted $30. We were told it will be four weeks for them to investigate. That's a pretty drawn-out "immediately."

3. How close to my budgeted amount will I actually spend?

...your monthly spend comes very close to 30 times your daily budget.

Great. I'll tell accounting right away. We'll be very close to our budget, folks. Yahoo assures me. How close? Which way? Will be slightly overdrawn? Do I need to deposit an extra 5% to cover the potential overage? An extra 20%? I dunno. Maybe I'll go check their FAQ.

4. Can I modify my budget amount after I've set it?

Yes, you can change your budgeted amount at any time on the Budgeting page under the Money Manager tab by logging into your account. Please note that any changes you make to your budget will take effect within a few hours, and only affect your spend going forward (your target monthly budget will be recalculated and a new 30-day period will begin).

This is fantastic. Not only will my changes be implemented within a precise "few hours" (is it 3? or 8?) but Yahoo will helpfully start managing my budget on 30-day cycles from that point. So if I see my spend is a bit too high on the 15th and I nudge it down, Yahoo will begin sending me traffic spikes on the 16th of each month. Unless one of the months is February, or one of the other non-30-day months. (Count your knuckles.)

I won't mention the references to their monthly minimum fee, which was discontinued months ago.

How can Yahoo do this? They're an Internet company. They're supposed to be good... aren't they?

I thought Google's PPC program was clunky and hard to work with, but Yahoo has changed my perspective rather dramatically.

I probably shouldn't be so obsessive about searching for my own name on search engines. But, see? Sometimes I get great results, like this ad for me. "Buy tom, just $4!" And no minimum fees.

What a deal!

Security through obscurity is not Good Security. I know.

Anybody who knows anything about security knows that the worst possible kind of security is secrecy. "I'll hide my million dollars under the mattress!" Or in the Internet world, "I'll post these sensitive files without any links to them!"

You should have good access control and authentication. But obscurity can be an incredibly significant next step in securing a system.

Why?

Because obscurity buys you time and makes you less "low hanging fruit." Vulnerabilities are discovered every day. Popular systems, even the secure ones, have routine security updates. It's important to stay on top of them, but organizations make mistakes. Admins go on vacation. Updates aren't always applied as soon as they are available.

On the Internet, hackers can use Google to find every single instance of a system. When a new vulnerability is discovered, a hacker can find every site using the affected system and run an automated attack against all of them. The five percent that haven't gotten around to installing the latest update yet are all hit.

But if you've taken the step of obscuring your system, you won't show up when the hacker scans. If your site says "powered by phpBB version 1.02.3b" -- you've got a flag that will catch the attention of anyone looking. If you've removed that tag, you're invisible to the kind of scanning that would alert zero-day hackers.

Depending on the system you're using, there will be more flags like that. Description tags, certain styles in the CSS, javascript function names, whatever.

Take the time to look for those and make sure you're not going to be the first victim next time a system you're using is updated.

It's not "good security," but it's a good idea.

Click fraud is all over the news these days. You know the little ads that show up on the right side of search results in Yahoo and Google? Companies pay Yahoo for clicks on those ads. It's called Pay-Per-Click. (See?)

The old story was that people hired companies in India to have armies of people click on competitors' keywords and drive them out of business or at least make them waste tons of money. Yahoo claims to have fixed this with a series of security improvements, such as tracking the IP addresses and click patterns on the ads.

But sometimes companies want to bid on words that people don't search for all that often. Yahoo can't show the ads often enough to get the company as many clicks as it wants. So Yahoo contracts with other websites to host ads there and share revenue with the partner site.

Yahoo -- $.40 per click from Company
Official Partner Site -- $.15 per click from Yahoo

As long as Yahoo is careful about which companies it partners with, all is well. But it turns out, Yahoo has not been careful enough in choosing partners. Some of their partners are setting up unauthorized, third-tier ad serving relationships. People who Yahoo would never approve contract with Official Partners and set up an arrangement where they get the ads from the Official Partner and send clicks back to that Official Partner. The Official Partner sets up unique tracking code on those ads, so it can credit the Unauthorized Site. Then the Official Partner reencodes the link and simulates clicking on its own ad.

Yahoo -- $.40 from Company
Official Partner -- $.15 from Yahoo
Unauthorized Partner -- $.05 from Official Partner

And the coup de grace: the unofficial partner could be using adware, generating popups or even entirely artificial clicks. The Official Partner has no incentive to monitor the validity of the clicks. And Yahoo can't trace the clicks back all the way through to the Unauthorized Partner.

This is what I call "click laundering."

Some researchers have stumbled across instances of adware that used Yahoo-generated ads. This highlights the problem, but it does not suggest a wholesale way to fix it, or even detect all of it.

A properly managed PPC program will be profitable, no matter the extent of invalid clicks, because it is an auction-based system and people can just lower their bids. Unlike the old, targetted attack rumored to be conducted by Indian (or other countries) firms, this type of fraud is broad and affects all the companies bidding in a given keyword space.

So it that the answer? Until Yahoo starts a much more thorough vetting of their programs, or develops a novel use of reverse-proxies, or finds a way to actually enforce serious penalties for violators... Yes.

This is just one more reason you should have professionals (in-house or outsourced, whatever) running your PPC program.

A lone voice, crying in the wilderness:

"What is the definition of click fraud?"

Google just released a new feature that shows advertisers the percent of invalid clicks they've received. What's the criteria for that?

A few ideas: bots, India-based competition-smashing companies, high-school kids researching topics for school papers, Firefox extensions that pre-download pages for you, greasemonkey scripts, people whose browsers or connections timeout after they've clicked, curious competitors who click on your ads to see what the landing pages look like...

Without a clear definition, I have to view Google's 'feature' as nothing more than a flimsy PR stunt. And I don't think the problem will be solved until we come up with a definition that ties into conversion rates -- which just shifts the problem to a different issue.

Arbitrage: buying low and selling high. Impossible in a market with perfect information and perfectly efficient transactions. Possible where there are information gaps or barriers to transactions. Lucrative where those gaps and barriers are larger.

Keyword: the phrases people enter into search engines. The basis for Google's highly profitable AdSense and AdWords programs and the dozens of copycat keyword-based advertising programs.

Keyword Arbitrage: buying low-cost keyword ads (cost-per-click) in search engines and other places, then placing more valuable ads on the landing pages.

For instance: I agree to pay Google $.15 for every person who clicks on my ad which will show up when someone types "lung damage ailment." Not many people will type that phrase and it's fairly broad, so it's cheap. When they click, they are taken to my site, LungDamageAilments.com, where I have an article about mesothelioma, a lung disease. I've also signed up with Google AdSense, so my site shows ads. Since the article is about mesothelioma, Google shows ads related to that keyword. Fortunately, ads for that keyword are paying out $10 to $40. I get a cut of that, say $5. But only when people click on one of those ads! Most people who hit my site will bail immediately. But if 1 out of 10 does, I'll net $3.50 per 10 people who click on my "lung damage ailment" ad.

The Risks: Sounds great, huh? There are a number of serious drawbacks to this idea.

1. Low Traffic - to get the cheapest words, I'll be looking at words that may only be entered into a search engine 100 times per month. Maybe, maybe 30% of those people will click on my ad. That's 30 clicks -- from the example above, that would net me $10.50 revenue for the month.

2. Poor Relevance - again, for cheap words, I'll be targeting general or otherwise irrelevant words and trying to drive people into much more specific ads on my site. The 1 out 10 I conjectured above would typically be pretty high for such a campaign -- many campaigns run at closer to 1 out of 50 or 100. Or less.

3. Automated Traffic - this is functionally equivalent to poor relevance, but the approaches to correct it are entirely different. Robots that simulate browser sessions, poorly configured robots, popunders, and other automated approaches to inflate click traffic are, depending on who you believe, rampant in all of the popular pay-per-click networks. I've seen first-hand how easy it is to fake some of this stuff, so I tend to believe the worst.

4. Low Price Differences - the $.15 and $5 in the example above are still realistic, in some areas, but competition is increasingly pushing those numbers closer together. The marketplace fluctuates a great deal and within a single day it's possible to see those prices change so much the one is higher than the other -- you're losing money on each click, even if every single one clicks through to another ad. Reporting in all of these systems is delayed enough that these fluctuations can have a dramatic effect before you ever know it.

5. Low Value to End Customer - to my mind, the most significant risk of this all is that it will drive useless traffic to the poor saps paying the high click prices I'm using to make money off this system. Long-term, that will force those prices down or force people out of the market altogether.

The search engines lock up much of the information that would eliminate this arbitrage. Perfect information is hard to come by and transactions are difficult. (The search engines point to their APIs, but if you haven't used them, you have no idea how sloppy and inefficient an API can truly be.)

So if you're willing to wade through the difficulties that make this tactic possible at all, there's still a lot of 'lucrative' left in it.

And if you're a search engine, please release a standardized, stable API that people can comfortably build into applications. You don't make any money off arbitrage and it hurts the industry overall. Perfect information and efficient transactions will be better for everyone who ought to matter to you.

Ha ha ha. AOL released two gigs of searches from the last three months with all sorts of personally identifiable information included in it. You can find out what people were searching for and learn all kinds of horrible things about them. In a discussion thread about this on one website that I visit (far too often), someone made the following insightful comment:

My initial reaction was holy [cow]. I’m now rethinking this incident. I’m not an AOL member, but I looked at their privacy policy on www.aol.com. I don’t see an area which was violated.

For that person, and anyone else who feels the same way, I hereby offer my very own...

TomDalton.com Privacy Policy!

By using this site, you agree to grant me, Tom Dalton, unconditional permission to break into your house at night, rob you blind, and install Windows 98 on your home computer. Further, you warrant that I may use your credit card for anything I want to buy and that I may take your car and back it out of your garage without first opening the garage door (something which, you must agree, everyone has wanted to do at some point during their lives).

I will not, however, release your personal information, unless someone offers to pay me a lot of money, or I happen to feel like it.

This story won't get much publicity, so I'll echo it here:

Minneapolis - A College Park, Maryland, computer hacker was sentenced today in federal court in Minneapolis for defrauding two companies out of nearly $500,000. Larry Edward McPhillips, age 39, who pled guilty to computer fraud in December of 2005, was sentenced by U.S. District Court Judge Joan Ericksen to thirty months in federal prison. He also was ordered to pay the two companies victimized by his crime, Innuity, Inc., and Digital River, Inc., $497,793 in restitution.

According to court documents, McPhillips founded CCNow Incorporated (“CCNow”), a company that collected credit card payments on behalf of Internet vendors. In 2000, he sold CCNow to Innuity, Inc. (“Innuity”), a Minnesota-based company. After the sale, McPhillips continued to work in the CCNow division of Innuity. Beginning in July of 2001, he used his intimate knowledge of the CCNow business and its computer system to hack into Innuity’s computer server. After accessing the server, McPhillips created false credit card transactions. Those transactions caused Innuity to make payments to bank accounts controlled by McPhillips. He repeated his illegal hacking twice a month, every month. Over the next year, those fraudulent payments to McPhillips totaled $388,397.

In March of 2002, Digital River, Inc. (“Digital River”), another Minnesota computer company, acquired the CCNow business from Innuity. Following that acquisition, McPhillips began to hack into the Digital River computer server. Using the same scheme, McPhillips caused Digital River to make fraudulent payments to bank accounts controlled by him until his illegal hacking was uncovered in July, 2002. Losses to Digital River amounted to$109,395.

After sentencing, the prosecutor in this case, Assistant United States Attorney Joseph T. Dixon, said, “The public needs to know that computer hacking is illegal and will be prosecuted. Individuals who access institutional computer systems without authority are on notice. They are breaking federal law and will face serious consequences. In this case specifically, I want to thank Digital River for bringing this criminal offense to the attention of federal authorities, so Mr. McPhillips could be brought to justice. Without the support of corporations, such as Digital River, many of these crimes would go unnoticed and undeterred.”

Originally at: http://www.usdoj.gov/usao/mn/press/econ/econ0091.htm

Woah. I *play* with hacking stuff all the time -- my own stuff. In a legitimate sense, I have to get onto computers at work that have had all their user accounts screwed up, or open files that were encrypted with passwords that the author then forgot. Recovering data, reconfiguring things.

As a proof-of-concept only, and with full consent from all relevant parties, I have hacked into a couple interesting systems at work. The real question, of course, is what one astute coworker asked me once after I told him about one of the jobs: "So how can you make it so nobody can do that again?"

Developers have a great deal of access and power in corporate networks. Sensitive systems really do need to be designed to protect against abuse from internal agents and should be audited thoroughly by outside agents. One of the scary aspects of the McPhilips story is that his fraud was apparently never detected at Innuity -- the company that sustained the greater damage. If he hadn't continued his illegal activity at Digital River, if CCNow had been purchased by a different company where that attack wouldn't have worked, he might never have been caught. Innuity might never have realized what happened.

This is all particularly relevant because I work at the entity that is now Innuity. (A descendant of the Innuity mentioned in the article, though much changed from 2001.) We have a CC processing division and I wonder how different the security is today. (I'm sure it's much better.) Wild.

How can I make the best forms for my site? What should I ask? How many questions can I ask?

I dunno. It depends. Here is how you can figure out, though!

1. Require as little information as possible -- requiring info people don't think you need will lead to high rates of false info
2. Clearly mark what information is required and what is not
3. Fewer pages is not necessarily better -- use logical page divisions and be willing to experiment with them
4. Provide a prominent link to your privacy policy and explain in simple English what you will and will not do with the information
5. Validate early and validate often! Rather than letting users fill out a long form and then telling them all the mistakes they've made, use Javascript to validate on-the-fly. Here's a great tutorial on that:

Form Validation Tutorial

This may not be as specific as some people would like to get, but anything more specific will really depend on your exact situation. Most variables will have different 'ideal' values for different sites. The most important single idea is that you must be willing to test changes to your forms. Try different things and watch what happens.

Without too much effort you can have great conversion rates!

Why do people host with IIS? And why is ASP still around?

At any rate, it is. So if you need to migrate a site from one domain to another and it's hosted on IIS, here's a way to do it:

Replace every page on the old site with the following code:

<%
OriginalURL = Request.ServerVariables("URL")
RedirectURL = "http://www.NEWDOMAIN.com" & OriginalURL
Response.Status="301 Moved Permanently"
Response.AddHeader "Location", RedirectURL
%>

The typical examples you'll see on most web sites redirect all pages to a single, new URL -- this is not what you want to do, if you care about search engine rankings. Fancy games with the 404 error page don't really work so well for a page-wise redirect, either, because IIS strips the referer and the URL is the 404 error page by the time any script runs there, so you'd have to be playing games with each individual page anyway. And as long as you're doing that, you might as well plug in the above code instead of settings cookies or session variables and then reading them from the special 404 page.

Anyway, I don't care if this all makes sense to you because I wrote it so I'd remember next time I need to do it. Yay!

This is how secret you are:

This nifty tool grabs the IP address your computer is using and connects it to Google Maps to show right where you are.

How close is it? It zeroed in on me at work really well.

If you want to appear to be somewhere else, check out TOR. (Google it.)

Okay, I can't think of many serious applications for this, but I'm storing it for posterity anyway. Here's a URL you can use to go to a site and make it look like you found it from Google:

http://www.google.com/url?sa=D&q=http://www.wherever-you-want.com

Have fun!

I took a funny 'SEO Quiz' today. It asked ten questions and told me that with my score of 6/10, I'm an SEO Technician. While I could go into great detail on why I differ with the answers they felt were correct, the funnier thing that made me want to jump over here and post was the following quote:

"john[at]site.com is the accepted spam-free way of writing e-mails."

Ring problematic to anyone else? How dumb do they think spammers are? The instant an approach to hiding email addresses from spammers becomes "accepted," it becomes part of the next update patch to all the spam harvester programs. I'm almost tempted to write one myself, just to look for anything[at]anything.com.

This is another small area in which security through obscurity is actually the best approach. Come up with your own, unique way to hide your email address. Put something like myemail*at* sitedotcom. It doesn't have to be brilliant or beautiful, just different enough from what everyone else is doing that it doesn't match the patterns plugged into the harvester programs.

Security through genetic diversity has worked well for the human race. There's no reason it shouldn't help software. Small differences, variety ensures that no one attack will take down everything. A key part of defense in depth should be obscurity!

You're running X-Cart for your site and you've got Omniture tracking code plugged in all over the place in a global footer. You've got some 70% of all the reports SiteCatalyst can offer, according to something I think I read in one of their manuals once. But you want to integrate the commerce tracking stuff.

So you ask your friendly, neighborhood Internet marketing company to "take care of that" for you.

And suddenly I'm handed a few X-Cart logins.

It looks like the SC code is plugged into a global footer. So it's already there, sans important page-specific variables that I want to insert on the "thank you" page. (Which took some finding all by itself, actually -- the "thank you" page is in the 'Edit Templates' menu under /customer/main/order_message.tpl. Intuitive!)

And then I call you back and say we can't do this for free. An Omniture Implementation Engineer would do it, but I'm a 'third party.'

Suddenly, you're interested in doing it yourself.

It's the circle of life!

Analyzing an online dating site, I ran across the following piece of advice (on their 'Online Dating Safety Tips' page):

5.Don't believe anything you read online

I find the source hilarious, but agree that this is probably the best piece of advice I've ever seen a website give. And it applies to so many areas!

A friend of mine asked me to talk about the links Google sometimes drops on its homepage. Just after the Superbowl, for instance, Google.com hosted a prominent link to a YouTube video channel with all the ads. My friend asked, given the enormous PageRank of Google.com, why didn't that Youtube channel page show up in the rankings of a search for "superbowl?"

A good question, because one of the key factors in ranking is the quality of links coming in to your site. But quality is measured along several dimensions, and that is the first part of the answer to the question. Google doesn't like links that are ads or otherwise not 'natural' links. They must be keenly aware that their own homepage is a screaming example of purely artifical links. They're temporary, promotional links probably placed by an internal advertising team. (In this case, advertising another Google product, even!) So while the link is on a high PageRank page, Google discounts it because of its commercial, artificial nature.

Some other thoughts about Google: They doesn't index their own homepage daily. A quick look at the Google cache from my IP shows the Feb 3rd page, right now -- almost a week later. So they're only crawling their own site once a week or so, and different datacenters store different cache dates. (As shown by my friend's cache query -- run before mine, and showing a more recent cache date...) And they seem to be running host detection on their site, as evidenced by the various ads and popups that will appear depending on which browser you visit them with, where you visit them from, etc. So Googlebot might not trigger the ads consistently anyway. All just more reasons for Google to ignore its own promotional links.

However, even if that link did count for quite a bit, it's still only one link. If I were ever asked what my ideal link would be, I'd say that it would be one that was so compelling, lots and lots of people would want to put it on their own sites, too. Any single link -- even The Perfect Link with great anchor text and on a 10 PageRank page -- is just one link. Google tries to be a democracy, and so while they do have to weight links, they don't want that weighting overriding the importance of multiple links as a better indicator. So the ideal link would be part of a contest or something, formatted just as you described, but then with a chance for payoff in the end. Tied to something that's not directly the link -- maybe create a "Fans of MySite" club, and say that one lucky fan will win a new car at the end of the month. To be a fan, of course, all you have to do is host this link... :o)

So, there's my thoughts about the matter. For whatever they're worth. (Not even the paper they're printed on!) (Ha ha...)

"Theoretically, a hacker could set up a proxy server, and then use it to capture information about the Web sites you visit. And if you type in user names and passwords, he could steal those as well."
-- ComputerWorld

Theoretically? Why else would somebody set up a proxy server?

1. Somebody could set one up out of the goodness of their heart. That seems a stretch, but it's the core belief of the CW article and lots of other 'helpful hints' about how to browse safely.

2. Somebody who wants to anonymize his own traffic would need to wash it in with a bunch of other traffic.

3. Or maybe they want to run some click fraud through Google or another PPC network.

4. Or maybe it's the government setting up honeypots and sting operations to watch for terrorist or other serious illegal activity

5. How about for marketing research? It provides deep insight into a weird audience.

6. Maybe even just for legitimate marketing? Running a proxy allows you to insert ads wherever you like on the pages you serve.

7. Or less legitimate marketing -- overwriting ads from competitors with your own. Insert your own affiliate ID in place of others.

Hmmmmmm... I think I should deploy my own anonymizing proxy server. What an interesting experiment.

Okay. Lots of big companies use Omniture's SiteCatalyst to track their websites. Omniture charges the companies a certain price for page views, companies rely on accurate reporting of page views to understand what's happening on their sites. And right now, Omniture's tracking system is quite unsecure. If you were the wrong sort of person, you might want to exploit this to totally mess with Omniture and their customers.

This tracking works by Javascript code that's plugged into every page they want to track. So every time that code is run, Omniture records a page view for the client identified in the code. But there's nothing to really validate where that code is being run from. (And even if there were, it would be by HTTP referrer codes, which are easily altered.)

So let's say I wanted to make Ford think that two hundred million people clicked on one of their recent campaign pages. I would copy the code off one of Ford's pages, stick it on my own site, and run it like mad.

Now, people have been actually doing this with Google's PPC program. But there was lots of money involved, so Google got active (or vocal, at least) about fighting click fraud.

With SiteCatalyst, it's not nearly so visible. Clients would end up paying Omniture a little more. Not much -- tracking individual clicks is vastly cheaper than Google's PPC. So a handful of people actively playing this game could get away with a great deal of manipulation without ever being noticed.

And the resulting skew in data could send competitors off in really weird tangents, or undermine their faith in their entire reporting system. What if Ford started seeing large surges of traffic to all of its Vietnamese pages? If it were handled subtly enough, I bet somebody could trick Ford into launching all kinds of Vietnamese advertising content. Even more significant would be the impact this type of activity could have on media companies -- CBS, CNN, Times...

In fact, this could lead to a whole new type of PPC manipulation. Playing with the PPC market from the backend -- manipulating advertisers directly, rather than just messing with clicks and all the Google controls that are already in place. Wow.

A force so powerful, it can only be used for good or evil.

But I'd a lot rather just edit my highscores in Flash games. Breaking actual laws has never held much appeal to me.

(Except as intellectual exercise, of which I suppose I get rather too much.)

Yeah-hoooooo!

The actual implementation of Firedoodle stinks. The idea, though, rocks my world. You can draw on any web page. When you come back later, your drawing is still there. I deleted it moments after installing it because the drawing tools are lousy and slow and bleah.

Then there's MyStickies. Same deal, but with text-based sticky notes instead of drawing. Lower technical requirements result in better implementation. The verdict: MyStickies is good enough for now, I've installed it and I'm keeping it.

The future: a hybrid of both that actually works. With easy sharing. And a social ranking system for other people's notes and comments. And customization of the social ranking so I can say "always show me comments by the following people." Organized into layers, maybe. Like Google Earth. Let me see public commentary. Let me see my friend's comments. Let me see editorial comments. Whatever.

And why only have comments on pages where the comments are enabled by the administrator? That also means that the admin can modify and delete comments at will. A third-party comment manager will be more fair and ubiquitous. Why should I only see Amazon reviews that Amazon allowed to remain on the site? Why not have a comment thread on every single web page in the world?

Whee! I dunno. This is one of those things that just totally fires my cool engines.

And then the future future: marked up reality.

We can't markup reality, yet. Physical reality. But the web is a great playground for technology that might migrate to physical reality someday. That will be soooo cool when it does.

Cell phones with GPS -- one big step in that direction. Man, I want a phone with real GPS access. Not like Sprint's lousy restricted system. I want to have GPS-triggered alerts, with a web-based backend for management.

The dilemma: I needed to log in to Omniture's SiteCatalyst as somebody else. For just a moment, just to verify something. I've got an admin account so I could lookup the username. But I couldn't look up the password.

The easy answer: In real life, I just called the client and asked him to send me his password. But while I was walking around waiting for my computer to reboot, I wondered what I could have done if for some reason I couldn't have just asked the client to send me his password. Like if I were... a hacker!

The fun answer: I could have reset the password, which would have gotten me in, but then the client would know the next time he tried to log in and his old password didn't work. I needed to actually find out what the current password was.

1. Find the original email -- back when the account was setup, somebody in my company must have created the login and sent the information to the client. They may have just done it over the phone, but more likely it was emailed. I figured out how to hack everybody's email accounts on the Exchange server long ago. Simple enough to go search everybody's old 'sent' mail for anything with the user name in it.

2. Call the client -- without directly asking for the password, tell him we're rebuilding all the accounts and he needs to tell me his old password if he wants to keep it the same.

3. Call the client (sneakier) -- I suppose if I needed to, I could reset the password and login, then call and tell him the password database was corrupted so they've all been reset to "password01." Insisting, of course, that he not tell me his old password for security reasons, I tell him he should go in and change it back to his old password. That doesn't get me the old password, but it covers my access to it.

4. Monitor the client's network -- visit their building and inject myself into his upstream so I can monitor all the traffic. Hm. Major drawback: the login page is SSL encrypted. Probably renders this approach infeasible.

5. Monitor the client's machine -- as long as I'm visiting their building, I could install a physical or software keylogger. I could pretend to be a janitor, except the janitors themselves would probably not be cool with that. But if I dressed in a shirt and tie and showed up just as they did, I could probably get in the building and pretend to work for that company. While the office door is open (if they're like most janitors, they open all the doors first then start working) install the thing. If there's no tight security on the computer, a software keylogger would be better so I didn't have to come back and get it. Otherwise, a physical plug would work and I'd just have to come back a few days later.

6. Check the client's machine -- Of course, let's not forget the easy things. If I'm in there with the client's machine and I've got a minute, I should check his email archive. It's probably still stored in there from when it was setup. And he may have written it on a piece of paper or something that would also have lots of other interesting passwords.

7. Monitor Omniture's network -- Again, the SSL on the login form probably precludes me from doing this. But I could hook into Omniture's side of the network by renting office space in the same building they use. Request my computer be co-located in the central area where their servers are also. Then just plug in one time while I'm down there working on it.

8. Spoof the client's network -- This would address the SSL problem. If I can get access to the client's computer, I can set his browser to use a proxy server. A proxy server that I have specially set up to pass everything through normally, unless he goes to the secure Omniture sign-in page. When he does that, my proxy server actually sends an insecure version of the page that looks the same. When he logs in, I grab the clear password, then transmit it along and continue the session normally. He would never notice. When was the last time you checked your proxy settings to make sure nothing had been changed? And I could change it in the browser, in the hosts file, or at the DNS, depending on what kind of security his computer has.

I think those are the most realistic options. Number seven is the biggest stretch. I really like number eight! And there's a lot more you could do with that.

I want a big, white van with no windows. I'll paint BLISP on the side, "Binary Logistics ISP: portable business and personal networking solutions." There's a truck that would look okay anywhere you go with it. No matter how many antennas and weird stuff it had. Fill it with a couple computers and my boxes of spare, magical parts.

I'm gonna' write a book about that. An Internet marketer turned network penetration tester who accidentally uncovers a terrorist plot and has to singlehandedly save the President. Woot!

Today's essay question:

What are the infinitely huge ramifications of a Google/Yahoo/MSN disallowing anyone who tries to bid on a trademarked term other than the registered owner? Obviously bid prices would drop substantially, but what are some of the other consequences that may not be readily apparent? Do you support the free market system in the online advertising arena?

The entire Internet is based on the free market. That's what allows Internet businesses to succeed or fail so quickly. "Ready, shoot, aim." Our legal system has developed a process for dealing with trademark violations that includes recourse to the courts. Slow and expensive. And even there, the use of a competitor's trademark for comparison is okay.

So why would we introduce all that slowness and expensiveness into a great system?

The idea comes from selfishness and shortsightedness. Large companies see small companies showing up on searches for their trademarks. Consider the viewpoint of a trademark-owning behemoth:

• They've paid millions in offline branding to build that trademark
• When people search for that trademark, small competitors show up
• To beat them, the owner has to outbid them
• Even then, that only bumps the little guy down a slot

So a policy change prohibiting those little guys from bidding at all not only saves the behemoth money but totally removes the little guy from the listings. Perfect ending!

...or is it?

A consumer searching for a trademark is obviously already 'aware' of the product (in the classic AIDA model). The fact that they are searching also means they are at least at the 'interest' phase -- searching for more information about the product. It's natural for the manufacturer to want to be the only source of information. But consumers have come to expect seeing both sides of the situation. And they're going to, one way or another. Even if there were no PPC ads, there would still be natural search results!

The other case is a consumer searching for a trademark because he's actually at the 'action' phase. He's looking to buy your specific product. A competing ad, of the sort that some people want to remove, would either be for a competing product or simply another reseller of the same product (slightly discounted, with a commission due to the reseller).

If the problem is resellers competing, the company needs to reevaluate how it compensates resellers and whether its strategy makes sense. The answer is internal, though, and shouldn't be addressed by forcing external changes to the search engines.

If the problem is competing products that are so compelling they can peel buyers away when they're in the very act of purchasing your products, you need to reevaluate your competitive position. Again, the answer is internal. Trying to force external changes on the search engines is a crude, ham fisted approach to solving business problems.

So, that's the 'principled' approach to an answer.

Practically speaking, the policy would be as tough to implement as Google's only partially successful 'no attack ads' rule. Proctor and Gamble owns "Tide" as a trademark. A strict implementation of the no-competition policy would preclude other soap manufacturers from bidding on 'tide' and talking about how they are better. But it would also prevent me from bidding on the word 'tide' to promote my new movie, "Tide of the Titans." And what about the radio manufacturer who sells maritime radios with live tide and surf condition reports?

How would Google decide where to draw the line? Manual review of each account that would require arbiters to actually visit each site? That's what Google hates. ("That's what Bilbo Baggins hates.")

So, the suggestion that trademark owners be allowed to prevent anyone else from bidding on 'their' keywords is unprincipled and impractical.

That's what I think, anyway. Once I'm a major trademark holder, I'll probably feel differently about it. But that's only because I'll be fat and lazy, reclining on my hammock in the Caribbean.

Mmm... hammock...

I have been grossly deceived. For all the hype and buzz and glamor surrounding it, I figured the iPod and its accompanying iTunes software must be the bees' knees. (All of their knees collectively, I suppose.)

Well, imagine my surprise upon discovering that iTunes actually doesn't do what I wanted it to do, and it's slow, and it's crummy! Imagine it. Seriously. Picture me, sitting there looking at my iPod as nothing happens. My movie playlist is empty. Quite the striking mental image, hey?

That image is copyrighted to me, so you owe me $2.00 for imagining it.

But that's not the point of this entry. I really, legitimately just wanted to share with the world my shock at discovering that iTunes is no better than any other music or media management program I've used. Windows Media Player, even!

I spent a long time bringing all my files into my library in iTunes. Once I finally got them all imported, I synchronized iTunes with my iPod. Twenty minutes or so. The songs went over, the movies did not.

The helpful messages telling me why the movies didn't move over? Nonexistent.

The intelligent, automatic reformatting of my movies to move them over? Nonexistent.

Apple's support for avi and quicktime and mpg? Nonexistent.

My jaw-dropped delight at having an iPod? Meh. Not nonexistent, but also not nearly as strong as I realize now I had subconsciously expected it to be.

So that's Word One on the new iPod. Words two and beyond as events and blocks of free time warrant.

Social networking, at its best, harvests our combined intelligence to create things better than most of us would create on our own. Digg is a pretty good example -- technology news and other nerd news, compiled and gatekept far more effectively than centralized sites like CNN can do. It's the whole war between socialism and capitalism, waged in Media.

And like capitalism, social networking can sometimes be applied to wide ranges of things. Like celebrity. Capitalism promotes Lindsay Lohan and Paris Hilton to self-destructive heights of stupor and celebrity. Social networking now has an answer: CelebrityGossip.com.

Since CG is the sponsor of this post, and celebrity pictures is the phrase they want me to hyperlink, I've taken the liberty of hyperlinking it. I'm friendly that way. The site is like Digg, in that it features lots of stories with votes and comments. So if you're really in to celeb gossip, I can only assume that it's WAY better than reading People or watching that horrible TV show that used to have that guy who writes all the new age music now. And he has that radio show. John Tesh.

The great advantage a site like Digg has is that 100% of its target audience is online and rating things and posting comments and being geeky. I think for a site like CG to succeed, it needs to make rating and posting easier. Let people rate and post by texting. No need to log in or register -- every post comes with a unique phone number.

And pink?

Not for me.