My how things change in just a few years. Today, AP reporters proudly proclaim their “investigation” of a security loophole on Facebook, describing how they used the hack to peruse materials that clearly were posted to Facebook with an expectation of privacy:

“A security lapse made it possible for unwelcome strangers to peruse personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the Web site’s privacy controls. The Associated Press verified the loophole Monday after receiving a tip…Using Ng’s template, an AP reporter was able to look up random people on Facebook and see the most recent pictures posted on their personal profiles even if the photos were supposed to be invisible to strangers. The revealed snapshots showed Italian vacations, office gatherings, holiday parties and college students on spring break. The AP also was able to click through a personal photo album that Facebook co-founder Mark Zuckerberg posted in November 2005. — http://ap.google.com/article/ALeqM5ijANq3fmx9AZNNrf7Q1PwCN1cKUAD8VK51UG1“

Just a few years ago, Adrian Lamo was hunted as a fugitive for justice for similar URL playfulness:

“Lamo has become famous for publicly exposing gaping security holes at large corporations, then voluntarily helping the companies fix the vulnerabilities he exploited — sometimes visiting their offices or signing non-disclosure agreements in the process. Until now, his cooperation and transparency have kept him from being prosecuted. Lamo’s hacked Excite@Home, Yahoo, Blogger, and other companies, usually using nothing more than an ordinary Web browser. Some companies have even professed gratitude for his efforts: In December, 2001, Lamo was praised by communications giant WorldCom after he discovered, then helped close, security holes in their intranet that threatened to expose the private networks of Bank of America, CitiCorp, JP Morgan, and others. http://www.securityfocus.com/news/6888“

They ordered Lamo to pay $65,000 for so-called “use” of Lexus Nexus (even though the usage was on an unlimited plan) and 6 months home confinement, plus probation. Truth is, when he hacked the NY Times and exposed their sloppy-at-best online security, he demonstrated how unworthy the Times was of trust, and thus how foolish some very high profile people were for trusting the New York Times:

“…he penetrated the New York Times, after a two-minute scan turned up seven misconfigured proxy servers acting as doorways between the public Internet and the Times private intranet, making the latter accessible to anyone capable of properly configuring their Web browser. Once inside, Lamo exploited weaknesses in the Times password policies to broaden his access, eventually browsing such disparate information as the names and Social Security numbers of the paper’s employees, … a database of 3,000 contributors to the Times op-ed page, containing such information as the social security numbers for former U.N. weapons inspector Richard Butler, Democratic operative James Carville, ex-NSA chief Bobby Inman, Nannygate veteran Zoe Baird, former secretary of state James Baker, Internet policy thinker Larry Lessig, and thespian activist Robert Redford. http://www.securityfocus.com/news/6888“

Today it’s not only OK for the AP reporter to browse around inside, but to write about it as if it were good investigative reporting. We only know what they tell us they looked at… they could probably have looked at anything on Facebook, which I believe, is why legislators made that sort of activity illegal years ago:

“Lamo has been charged in New York under Title 18 U.S.C. 1030 and 1029…The federal laws prohibit unauthorized access to a protected computer, and illegal possession of stolen “access devices” — a term that encompasses passwords, credit card numbers, and the like. — http://www.securityfocus.com/news/6888″

I followed a link to RescueTime.com, a Web 2 ot Doh! application that keeps track of your time. You install a piece of spyware toolbar widget timer app, and RescueTime keeps an accounting of how long you are using a particular desktop application (like Word or Excel or Outlook) or web site (like Sphinn). I’m not sure I want to know how much time I spend on some web sites, but I do like the idea of capturing time (that is why I used Timeslips before I started to hate it).

This is what I clipped from the Privacy Policy assurance statement, which directs you to read the privacy policy:

“…the only thing we track is the names of the apps and sites you use and the times that you use them”

Um… is there anything else they could track? I mean, shy of taking screen shots of what I do or logging every keystroke I type (which reminds me, eBlaster  has been upgraded), they are recording a lot of personal activity data. What is that worth to you? A free time usage data logger?

It would take a lot more than a free time accounting widget for me to hand over tracking of every website I visit and when and for how long, every desktop application I use and when I use them, and perhaps most importantly how often, when, and how I use my computer and Internet connection. Using Skype? Vonage wants to know! Visiting Vonage.com via https? Skype wants you to know it’s cheaper! An active eBayer? Never use eBay?  Good to know! Downloading IRS forms? Spending time of PlentyOfFish? All good to know.

Someone emailed me today and called me curmudgeon-y. So I looked it up. Grumpy old man. Hah. I am not that old, and I am not grumpy. And I dislike that SearchEngineLand has labeled it’s hard-core SEO blog roll as “Old Fart SEOs”. I like appearing there, but I don’t like the label. Yeah yeah, all in fun. I also go this email today after my last post:

Looks like you’re doing everything possible not to get invited to the “select” PubCon parties

I suppose my blog is not as “SEOMozy” as many search industry blogs. I read this comment on SEOMoz today :

Showering love on a community is one of the best ways to generate a reaction - it’s a win-win proposition for the author and the readers!

followed by this:

linking out and praising the community is a great way to generate buzz! Some quality links there too - everyone should check out the whole list.

and this:

As to this being one of the best communities - I’m totally in agreement. Particularly as far as the signal to noise ratio goes - this community has the highest signal and the least noise in the industry. Both in the blogposts and commentaries.

Really? Let’s all just praise each other and everything will be win-win for all of us, eh?

Well I come from a background in real research and hard core Engineering (Big E, not little “e” like all those Google “engineers” and “software engineers”). Accountability is built-in, not optional. And when everyone just says “everything’s positive”, it sets that stage for complacency, laziness, and other tools of deception. If in fact SEOMoz is the highest signal to noise ratio search industry community alive today (a claim I do not make), it is surely not because of a stellar signal to noise ratio. It might be because the politics of the search industry prevent a truly high signal to noise ratio community from thriving. Is that win-win?

What happens when everyone is rosy and everything is great and we all pat each other on the back and say “good job!” and nobody is curmudgeon-y? Well, in the news this week we see :

Last week, the UK government announced the biggest loss of personal information in the UK’s history. Two unencrypted computer disks containing the personal records of all families in the UK with a child under the age of 16 went missing en route from the Revenue and Customs department to the National Audit Office. UK’s Information Commissioner, Richard Thomas, stated that, “[t]his is an extremely serious and disturbing security breach.”

The disks comprised Revenue and Customs’ entire collection child benefit payment data. The disks were being sent to the National Audit Office using an internal courier system, but documentation of the transmission was not recorded or registered. The child benefit data listed on the disks includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. Revenue and Customs chairman Paul Gray resigned after the announcement of the breach.

That’s financial and personal data on every family in the UK with a child under 16, lost to accountability. Over 25 million people were legally required to hand over personal information and bank account information to their government, and that government shipped the data around unencrypted, unscheduled, untracked, and lost it. Based on the comments made by the government officials, including the one that resigned immediately, that same government assumes it is the hands of criminals. And the follow up is they plan to limit what they collect next time, but include your biometrics. Let me ask you this — can you revoke your biometric? Is it physically possible for you to get a re-issue of your biometric if it is stolen? And this will be better?

What’s going on? We can assume that if criminals wanted that data, it is valuable. The system keeps going, and you lose.

Complacency. Things are ok. It’s win-win. Everything’s good. That curmudgeon-y guy who was complaining  last year about having to hand over personal data for central archiving, with no legal assurances for protection? Just an old fart, probably.

A few years ago every complaint about Google was labeled a conspiracy theory. Posters who cautioned of trusting Google were labeled “contrarians” and said to wear “tin foil hats”. AdSense was buying webmaster loyalty for pennies on the dollar. Now, in 2007, things have changed. I won’t point to some of the available information sources I have now, because they are ridiculously irresponsible. Want to know every domain ever registered by PUT-YOUR-FAVORITE-SEO-HERE? It comes cheap today. Want to find out the affiliate tiering of PUT-YOUR-FAVORITE-AFF-MARKETER-HERE, with her upline and downline? It can be had for pennies on the dollar compared to its value. The public tools for competitive intelligence are a joke compared to what can be had through “channels”, and what Google has because you all give it to Google for pennies on the dollar.

But this is the competitive SEO/Search marketing industry. What about us?

Is it possible to knock someone’s web site down in the SERPs without their involvement? No, of course not, right? Everything’s good, everything’s ok. Good job all around. And when a business is knocked out and loses 65% of the traffic it had, what then? That loser should have diversified, right? Big mistake keeping all the eggs in one basket, right? And of course no accountability for why Google dropped the site. If your search marketing contract is worth $100k per year, and generates $1million in client revenue, is it worth $25k to knock you out?  That’s $100k in Chinese money, and much more in other currencies in locations where very talented people operate computers attached to the Internet. Services can be procured.

The majority of my professional work involves working with corporations that hired advertising and marketing and SEO agencies but soon found themselves stuck with unexpected dependencies, large bills, ill-defined contracts, and Internet performance below expectations. My work is very positive — identify the fluff, trim the fat, help the corporation find the loopholes and hold the providers accountable for the initial goals and objectives. It is interesting and challenging work, to say the least. If you are a search marketer or SEO chances are good that I am on the other side of one of your contracts, helping your client to help you do your best work, while they adapt to help provide you with what you need to do your best work. The goal is success, as it was supposed to be when you were hired.

So keep doing good work and working hard. In the mean time keep asking the hard questions, and reconsider how quickly you might be “rewarding” those in our community who “showering love on the community”. Word on the street is, there’s an agenda being played. Did you know?

A few weeks back I was Matt Cutts Watching when I noticed he was participating in a Law Bloggers meeting. Mental note made; move on. Now I see Matt report from his blog about the Bay Area Blawgers meeting. Best bit: Matt notes how the US Copyright Office houses a database of domain names associated with registrations for Online Service provider status. In order to technically qualify for the Safe Harbor provisions of the DMCA, a company or web site must register with the copyright office. That registration costs $80, and includes a place to name the business and list alternative names for the business. In other words, it’s a self-registered list of domain names owned/operated by a legal entity, identified in the public records.

Now Matt didn’t identify it as such… that’s what you need me for :-) Matt simply commented on how Kurt Opsahl of the Electronic Frontier Foundation polled the table about DMCA takedown notices, and pointed out how easy it was to register as an Online Service Provider. But if I were Matt, and that was news to me, I would take a look at that US Copyright web site and when I saw page after page of webmasters listing all of their “other domains” I would say aaaahhhhh…. and fire off an email to a junior Googler to “organize this information”.

If you look around the US Copyright filings for Online Service Provider you will see many, many webmasters listing dozens or more domains under one registration. Some of the big boys also list domains together, while others seem to register single domains. Warner Bros Entertainment for example listed entertaindom.com and conspiracytheory.com, which have WHois records assigned to Warner Entertainment, but they also included orgymusic.com on the same registration form, which has a Whois registrant of Astro America, LLC in San Francisco. Nice find for Google, as this allows Google to associate orgymusic.com with Warner Brothers when, based on Whois alone, that was not obvious public knowledge. That’s just one example for you.

I am sure it would be fun to dig around the site further, but I don’t have time. Besides, Google can make it searchable and cross-reference-able, which would be MUCH easier the scanned PDFs. I am sure Google could ask for this information direct from the copyright office in electronic form,or perhaps make a trade of indexing for access. In many cases this makes a nice addendum to Google’s efforts to associate web sites to each other and webmasters to web sites (via email address at the very least, names and legal representatives, etc). Right now it looks like mostly big corps and adult web sites, but it seems clear that this is a likely addition to the legal requirements for web publishers and so … another tool for Matt’s Top Secret Spam Fighting VPN-connected laptop computer!

I just hope that when Google organizes this part of the world’s information, it makes it accessible to all of us and not just the competitive teams inside Google. Maybe that’s a good idea for the Copyright office… if you give away our data, require that the indexed form also be freely available to the public? Maybe a Taxpayers Content License or something?

There is a draft post in my Wordpress system called “Hand over your Lupins”. I never published it. I haven’t finished it yet. I don’t want anyone to read it in the current form, because it contains notes and suggestions for further development, including references to some key figures in SEO Celebrity Land. If that was published as it is, I’d get some heat for sure. But isn’t that the case for most “draft” posts? Certainly you would not expose your draft posts to the public, right?

But the only thing between those draft posts and the public is a Wordpress front controller that checks a “publish” bit and passes over the drafts. On every page load. Those draft posts exist in your Wordpress database, the same as your public posts do. That database is readable by the public-facing Wordpress, and it is very reasonable to think that they might be “exposed” by a clever hack. Ever hear of a vulnerability in a Wordpress plug in? Sure you have. It’s only a matter of time before somebody builds a popular plug-in which enables access to draft posts. It’s not terribly difficult… virtually any access hack could enable it.

So what would that reveal about you and your business? What do you have lurking in your drafts folder? What does your competitor potentially already know about your desire for Lupins, which until now you have been so careful to conceal?

I just read about HP’s board hiring investigators to find the source of a boardroom leak, and admitting that pre-texting was used by the investigators to obtain the cell phone records of reporters and board members. Pre-texting is the name given to a social engineering technique - you call the phone company and pretend to be the cell phone owner, and ask for the records. In this case, someone used Yahoo! email addresses to claim the online accounts of the cell phone owners, knowing as little as their names and last 4 digits of their social security numbers.

HP’s board found their leak, and 2 people so far are not expected to be on the board anymore. The attorney general people of course are now involved, and I assume the investigators are in for some hot water. Small price to pay to find two board members and an information leak? If it seems so, that might just fuel a handful of million dollar lawsuits (I hope).

Everyone should claim their own online account, even if they don’t use it. And also tell (don’t ask… tell) the cell phone company to put a password on your account that only you know. I did this with Verizon a year ago after reading about some Colorado Senator who had a company that re-sold cell phone records obtained through pre-texting (yes, it really is true). Verizon locked my account with a password, and it has been a hassle ever since because I picked a hard-to-pronounce password (what was I thinking… duh!). Anyway, at least it is safer than normal.

Is claiming your account secure enough without the extra password, which some cell companies might not be prepared to handle? No. The cell phone device is used as a token, so that if you process a “lost password” sequence and have the device in your hand, you can reset the password. All you need is two minutes with the device, which is easily done by “making a call”. Maybe not easy for some overseas hacker to get your cell records, but a piece of cake for a fellow board member (ahem) who just needs to make a quick call.

Oddly, the CNet article actually published the IP address used to execute the pre-texting. It was 68.99.17.80, which appears to be a Cox cable IP address in Nebraska. The IP is assigned geocoordinates 41.2603, -96.0463. If that is correct, not too smart, guys. There goes the neighborhood, at least. Unless it was a zombie proxy, which I suppose we’ll find out in the next few weeks as the privacy concerns are addressed in the media. oh, and isn’t it coincidental that the FBI has offices in that same neighborhood?

One of the more interesting aspects of my work is competitive intelligence. Who is competing in the market, using what tactics, and with what success? When limited to online activities, CI shows you what they *have been* doing, not what they may be doing now. However, as I learned quite well during my 10 years working with neuropsychologists, past behavior is indicative of future performance when it comes to humans. People will do what they’ve done before.

So when I see an SEO in his late forties with a new yacht, I am desperate to examine his web properties and PR image. Where did he find his success, yes, but more importantly is his success built upon a foundation of outdated websites and a circa 2001 online business model? or even better, *one* outdated website in one vertical?

What are the odds that a comfortable #1 spot holder with a family of teenagers and a world-capable yacht will rise to a modern day SEO challenge to his top spots?

One argument is he has the funds to kick into gear and hire the best staff to retain that top spot in the face of a threat. True. But that human behavior thing suggests that he did not hire the best and brightest on the way up. In fact, it appears he kept things very close to his chest (including profits). Odds are very strng that he would do as he has done before, having been reinforced for the behavior with a yacht.

Another argument is that he will sell his holdings rather than fight, even if he doesn’t act until he is #3 and #4 in the SERPs having lost the top placement to my challenge. I accept that possibility, but it has nothing to do with me as competing SEO. All that does is further distract him from meeting the competitive challenge, or further underline this as an opportunity for me. A perfectly ripe pear hanging from a tree branch must be picked or it will rot. Someone has to eat it.

Modern day SEO can overcome many current top placeholders in the SERPs. I have had clients approach me after they watched their business lose the top spots to a newcomer over more than a year’s time. What were they doing for that year? You got it: watching their properties drop from the #1 spots, and watching the new guy get energized with his success as he rose to the top. What they see now is a new guy at the top, but they don’t see what he is doing now. What he did before is indicative of what he will continue to do - challenge the incumbants, compete, and dominate. What will they do now, after watching themselves get overrun for a year?

It’s not a pretty picture. I encourage them to hire some quality SEO talent and get out of the way as much as possible.

I wrote this post because I have always viewed SEO as a form of competitive webmastering, while many webmasters consider SEO as a set of tricks to rank in search engines. Webmasters don’t need to hire SEOs. Business owners should hire SEOs to out perform other webmasters.

Yes, it’s “Hack a Mac in 60 seconds” and “Macbook easily hacked” and all about the Mac being susceptible to a remote wireless hack that gives the hacker complete access to the local machine.

Is it true? Well, not really. The hack attacks a device driver that is used by some companies wireless cards, and some Mac’s use those cards. Thus, some Macs are vulnerable. As are any PCs using vulnerable drivers. I guess it’s more fashionable to mention “Mac” than “device driver”.

This PR nightmare for Apple comes from it’s smugness - or rather the smugness of the “switch” commercials. The security researcher who deliberately tied the Mac to this security exploit stated that he did so because he was annoyed by the people in the Mac commercials. They seemed too smug about security. Hah. Smugness leads to PR nightmare. Lesson learned?

I didn’t go to Black Hat or DEFCon this year. It’s too damn hot in Vegas, and too darn nice here on the coast.

The video is here. The smugness is evident here. The most factual technical article I found in today’s coverage is here.

Update: I find blogging interesting because it encourages authors to publish before analyzing their thoughts, and sometimes that can be very revealing.  If these IT professionals are afraid of Black Hat Briefings, they should take a look at DEFCon. Oh, and shall we say “Mission Accomplished” for raising awareness of security issues?

A friend just asked about getting up to speed with RSS and I sighed. What to suggest… Bloglines is so slow, I’m enjoying Earthlink’s new Feedreader but it’s…well, it’s Earthlink. So why not just put him onto Flock so he can enjoy what a modern browser feels like, and use it for feeds as well? Good idea.

I’ve been with Flock since the beginning, and was awed by the marketing behind it, and wondered about the business model. That was a year ago, and lately it gets a lot more play time on my computer than Google’s browser FireFox. I still need FF for some of the extensions, but Flock is killer for it’s blog management tools, speed, and trouble-free js/java handling. I don’t know too much about what goes on behind the scenes with Java and complicated javascript screen maniuplation stuff (like fading menus and such) but I do know that my FireFox crashes way too often, and can’t do Hushmail. The current Flock has been a dream to use.

For feeds in Flock just click an RSS icon and bingo.. Flock parses the feed into an HTML page *and* provides a left side column for subscribing. A feed reader in the browser. NICE. Firefox (current release) doesn’t know the feed: protocol. I’ve been redirecting to feedburner to give webified feeds to visitors and to facilitate the transition to syndicated reading, but if more people would adopt modern browsers like Flock (heh heh) I wouldn’t need to hand my traffic over to that third party commercial entity.

Yes, I know the next Firefox has all the greatest features and more, and Flock is better at getting them out to the world, etc etc. whatever. I leave that stuff to the ubergeeks that download the nightlies and such. I just need a browser that works and Flock works for me right now.

Feedburner bought BogBeat for analytics, and got a new analytics exec. Everybody is busy watching Google.