Over here in John Andrews Land we fight the status quo. Wordpress is great, and the plug-in architecture is great, but we don’t build businesses on free, open source code unless we trust it. And we don’t trust free, open source code unless we have checked it. And we don’t rely upon free, open source Wordpress plugins unless we know we have taken appropriate risk-management steps, addressing what we consider to be typical concerns when dealing with software, but which the modern world seems to think are optional:

• does the code conform to programming best practices? At least a little?
• does the code include obvious or less-than-obvious security flaws?
• does the plugin abide by the rules to help support the idea of upgrade? Will Wordpress break when next upgraded?
• does the plug in warrant a plug-in? Maybe it doesn’t do enough to be worth the risk?
• is the Wordpress plugin “phoning home”, sending business intelligence to the plugin owner, or otherwise exposing us to unexpected consequences of use, such as hidden links or cloaking?

It sure costs more to do things right, but it sure costs a lot to fix problems in real time, too. Which is your preference?

We can’t check all of Wordpress. We rely on that large community of eyeballs looking at it for months prior to release, and the even larger community of eyeballs looking at it during the months after release, to help make sure it is worthy. That’s how Open Source works. But that is NOT the case for plugins. A plugin author may never share his code until publication time. Many plug-ins see very few installs compared to large open source projects. Even 1,000 users will not lead to good code if that is 1,000 non-programmer users (common with Wordpress plugins). We look at plugin code very carefully.

This morning I reviewed another plugin from a well-respected SEO plugin author, and there in the code are all sorts of “potential problems“. All around the web you read “you should have this plugin for SEO” and yet, a quick review by my far-less-than-professional PHP coding eyes shows divide by zero gotchas, opportunity for injections by hackers, and risky reliance on system variables that are not as genuine as the PHP manual might suggest. This isn’t rocket science, but it is web programming, and we’re talking about the basics of web application programming in PHP here. i don’t need to send this one to a php security expert. I know it’s dead just by looking at the code myself.

What is the cost of a bad plugin? Well, you may not care if one day your visitors see a PHP error on the screen. You may even have error reporting turned off completely. You can get problems fixed in a day or so anyway, so no harm done, eh? Well, when was the last time you looked at what is in your Wordpress database? I mean looked at the content in the database… using some database tool. Time and again I find volumes of bad data filling Wordpress databases, which are hidden from the blogger because Wordpress is smart enough to skip over them at display time. But they are still there… and with every upgrade, they carry forward. And one day the database tables break. Or some injected code gets run. What. A. Mess. Or WAM v2.0

A good SEO consultant charges in excess of $200 per hour for routine technical work, as does a good PHP security consultant. That reflects the cost of maintaining the ability to perform as a knowledgable consultant. It takes time to audit code, but not a lot of time, especially when compared to what it takes to rebuild a database that has been corrupted with invalid characters or mussed-up attempted code injections. Unless your risk management plan includes “just start over”, it seems wise to spend a little money and get your site checked out before there are problems.

Not every “SEO plug in for Wordpress” is a must-have, and some are not even worthy of the time it takes to download them. How do you know?

Everyone is talking about Google’s PPC click thru rate being lower than expected… flat growth for January according to Comscore. I think there’s astory in there about reliance on Comscore-like reports, but that will be addressed soon enough. Perhaps a more interesting story is suggested by this comment from a pro-Google investment entity, as cited by AlleyInsider:

In our view, efforts by GOOG to improve search quality and make online retail a more efficient experience for consumers will deflate paid clicks and inflate price-per-click. As long as lower volume continues to come with higher pricing (as it did in Q4), we are not concerned with GOOG’s ability to grow revenue.

Sort through SEO leads these days and you find site after site that is not able to convert incoming paid traffic. For these business owners, PPC is over. Money flying out the window to Google for PPC ads that bring traffic that does not convert into revenue. These owners moved into Google’s ad program to get traffic, but that “just signup and get traffic” do-it-your approach is just a small piece of the pie. If the site isn’t prepared to convert that traffic into sales, Google gets rich and the ad buyer fails (and scrambles to get some SEO to “get me free traffic from search optimization”). And if the owner isn’t savvy enough to manage the PPC spend in light of competitive pressures, it can be a fast budget drain.

The above comment suggests that Google is going after the revenues on the high end, and shouldn’t care about that low-end where the ad buyers fail to monetize. As click prices increase, presumably because of “quality scores” reflecting that traffic is converting when delivered to the right place, those poor quality sites are filtered out via market economics. Overall clicks go down, as revenues ramin strong or perhaps grow. Sounds great for Google.

But I don’t agree that SERP quality tracks that shake-out, because there are so many good sites that are unable to convert. Those sites represent quality “answers” to Google queries, even if they have not been designed to sell anything or designed to enable conversion tracking. Let’s not forget Google bases it’s judgement of quality on factors it has access to, not magic or divine knowledge of the truth.

Google needs to maintain SERP quality, yes, but that equates to making sure the organic results are high quality as well (or perhaps even especially). Which means reward relevance with rankings. Yes… improve search quality, but more free organic traffic. That’s Google giving away traffic it was passing through (low quality?) PPC ads. if the publishers are disappointed in Google’s ad payouts (due to low quality scores etc), but now they are getting free organic traffic, how does that help Google’s revenues?

Google chose to play both sides of the buy/sell ad game, so Google has to manage customer expectations on three fronts: searcher, ad buyer, and ad publisher. At best Google helps everyone find their way to a piece of the pie. At worst, everyone hates Google. Which one is better for revenues?

When a former Google customer (someone who has quit AdWords out of disgust) asks an SEO to help “get free search traffic from Google” it represents a person who is no longer willing or able to play by the established rules.  It’s not a sign of criminal intent, mind you, so don’t go hyperbolic on me with the BlackHat WhiteHat stuff. But from a demeanor persepctive, that former customer is willing to try things outside of the “let’s do business together” avenue, without telling Google, and recognizing that he is now in competition with Google, his former business partner.

Again, how is that good for Google’s revenues?

This post will be a live blog, updated every few minutes with additional content as we go… just for fun. AffiliateSummit 2008 in Las Vegas.

Monte has done his homework, and is prodding the audience with insider knowledge of the affiliate game as he can. PlayOffGames.com had little interest, and Monte started chiding the “ticket affiliates” for not considering the potential for that domain. He was right, but it didn’t sell.

Real Estate name BrooklyAppraisals.com at $1,750 .. SOLD for $2,250. Again, not a bad sale for the seller.

SeniorFares.com is now at $85k having been bid to $75 but that wasn’t enough to cover the reserve. Now OnlineDiscounts.com… $15,000 in the room..didn’t sell.

GamingLessons.com.. auctioneer says it’s a GREAT name, but I don’t see it. $1750 SOLD on the Internet.

DiscountShipping.com thrid and final call for $3000 not sold.

CashDiscounts.com is up. Again, I don’t see the value but I am not in that market (whatever market that is)… someone likes it for $3500 didn’t sell.

CreditApproved.org… starts at $500 in the room, sold for $1,750. Again, a nice return for the registrant if obtained at reg fee. RetirementPolicies.com went for $1000 - another one I don’t get. LosingPounds.com is at $1,250 already…now $1,500 via Internet. SOLD. Someone wanted it.

ChemoTherapyCenters.com is an obvious paid inclusion directory domain. Bid up $600 and SOLD.

AdultSuperstore.com is interesting.. gets 95,000 uniques per year and earns $21,000 per year in affiliate income. I’m guessing that is as a parked page, because that is WAY low for affiliate incom ein the adult market. Closed bidding at $150,000 because the reserve was up around $175,000.

Offer.com is a pretty domain.. now at $165,000… $180,000 comes in from Internet…SOLD for $180,000. I look forwards to seeing what goes up there or if it was to hold as an asset. AromatherapyCandles.com is up.. that’s a generic and probably pretty good. What’s it worth at an affiliate auction? At $1,750 already, now $2750. Up to $4k already. Very fast bidding… thi smust be a CJ match (haha). At $5,250 and $5,500… not sur eI’d go that high. Someone wants it at $6,250 and “the Internet” like sit at $6500…. wow.. at $8,000 (that’s a lot of candles). Would you believe $9,250? hpw about SOLD for $22,000. Wow.

BagelShops.com is another good directory name, SOLD for $5,500. I think that’s a pretty high price for an affiliate name, so I’d gues sit’s a generic plural being bought as a domain asset.

NebraskaInsurance.com didn’t sell with a $6,000 bid and neither did LowPricedFlights.com at $15,000. It’s 4:30 and the crowd in the back has thinned considerably. I count 54 people in the room at this point.

Live ta th auction, finally got a WiFi connection. The energy levels are high, partly due to the energy of the Moniker guys. These guys are UP BEAT and doing a good job. The room has plenty of empty seats in the front 10 rows, but the back is full of “lurkers”. I suspect the affiliate participants are more curious than active in the auction, although I have no knowledge of actual paddle distribution.

Bombers.com is at $4000…. a bid in the room. $5k from the Internet,  topped at $5250 in the room. Now 57 1/2…. and I have no place to plug in my laptop. Looking for $6k but no interest, SOLD for $5750. Not a bad sale.

For many of us “regular people” working in technology, the Supreme Court Justice appointment system is an obscure political process into which we have little input. However, as recent events demonstrate, the individuals assigned life long Supreme Court powers can have a tremendous impact on how our technology and our entrepreneurial activities play in the legal and civil world in which we live. Quite simply, as the following shows, the individuals appointed to the Supreme Court can personally decide whether your pioneering entrepreneurial activities are legal or illegal.

All you domainers, Internet marketers and web publishers should think about that. As you forge new rules as entrepreneurs, taking action first and expecting to sort it all out later, select individuals are making judgements that can make or break your financial status as well as your social status after the fact. Should you pay more careful attention to who gets elected, and who they want on the Supreme Court?

According to a recent release from E.P.I.C., the Supreme court ruled that police trusting their database/technology can arrest someone and pursue additional criminal evidence against them, even if the initial arrest was misguided because of something like a database error. Despite the initial mistake, new evidence found is admissible as evidence for new charges. Think about that. The “mistake” that got you interrogated is forgivable, and if they found anything using the capture/seize/interrogation powers they were granted by that error (powers they otherwise do not have, since you have Constitutional rights), you lose.

We all know how common errors are in the systems we build and use everyday, but did we know that something as serious as law enforcement is trusting those systems with our freedom at this very local level? Now enter the Supreme Court Justice once again, a few years later. When considering very similar situation more recently, the same Supreme Court Justice decided completely differently, citing a new (personal?) perspective on technology and its application. This time, the statement is (as reported by E.P.I.C.):

“In recent years, we have witnessed the advent of powerful, computer-based record keeping systems that facilitate arrests in ways that have never before been possible. The police, of course, are entitled to enjoy the substantial advantages this technology confers. They may not, however, rely on it blindly. With the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities.”

So before, based on an individual’s perspective, the ruling was

…a man was searched, evidence was gathered against him, and he was arrested based on incorrect information in a government database..the police relied on an arrest warrant that had been rescinded five months before…Justice O’Connor “notes that the invocation of the good-faith exception…should depend on the reasonableness of the police officers’ reliance on the record keeping system itself…

and the evidence found was allowed. Now, that same case is being reconsidered because that opinion doesn’t seem to be in place today:

…Justice O’Connor also wrote, “In recent years, we have witnessed the advent of powerful, computer-based record keeping systems that facilitate arrests in ways that have never before been possible. The police, of course, are entitled to enjoy the substantial advantages this technology confers. They may not, however, rely on it blindly. With the benefits of more efficient law enforcement mechanisms comes the burden of corresponding constitutional responsibilities.”

Now I am not a lawyer, and I had to cut up alot of that to help it make sense here, including the legally-important fact that the first error was made by a court clerk and not a police officer, but it seems to me that the individuals on the Supreme Court have a tremendous amount of power interpreting the impact of complex technologies we build, and which our non-tech neighbors are deciding to deploy in our society every day. These are older people, by the way, not raised on technology and not likely to “get” much of what we type into our keyboards every day.

Something to think about?

Just in case anyone was looking for Wikileaks.com, since their domain name was confiscated.

The Search Engine Strategies Conference and Expo is scheduled for March 17-20 in New York City, just 4 weeks away. I attended SES San Jose last year, my first time ever at an SES (Last year I attended SMX Advanced, Adtech, SES, Domain Roundtable, T.R.A.F.F.I.C. East, and Pubcon in order to get a fresh personal look at each of them). I have been to several Pubcons before, but those were my first times at the rest. Since I have posted about SMX and Pubcon, it’s only fair I post about SES.

Looking back at my personal experiences last summer/fall, SES San Jose produced more active business activity than SMX and Pubcon combined.

Looking back at my personal experiences last summer/fall, SES San Jose produced more active business activity than SMX and Pubcon combined. On the face of it, that seems reasonable because SES is such a large show, and has a heavy corporate participation level. Pubcon draws a large number of small business owners and operators, while SMX seems to me to attract the search society people more than corporations. Maybe since I am mostly interested in search marketing as business strategy, the SES audience was a better fit for me?

I did notice that of the new people I met at SES in August, few were also at any of the other events I attended. This was especially true of domainers. I did meet a few domainers at pubcon and SMX, but I met far more active domaining companies at SES San Jose. This may have been because SES is traditionally the search show, and because San Jose is the Silicon Valley show? I’m not sure. Of the people I met at T.R.A.F.F.I.C. East (the serious domaining meeting), those who knew of search knew of SES and not the other shows.

So for some reason I met more business contacts at SES. I did not speak or sit on any panels at SES, as I did at others, so my own participation level wasn’t an obvious factor. Several people told me they planned to always attend SES as their search marketing show, which might explain it. I did have two side meetings scheduled at SES because the business execs were attending the show and asked if I would be there (and so, at the last minute, I planned to be there). Again, suggesting that SES is a productive environment for business?

There are a few people out there in Internet land who rate these shows for quality as we attend them, half jokingly but also half seriously. By whisper when we sit together, or via twitter clues or texting, we question the value of each session or event, comparing SES to SMX to pubcon, sometimes calculating the dollar cost per minute for the lesser presentations, and sometimes noting the dollar value of rare gems of zero-day information. That is fun, but also real: we independents pay our own way to these things, and waste is not a good thing for any business.

If you’re going, Search Engine Strategies offers a $150 discount for registering before February 29th, which prompted my post today. I saw there is another 10% off for members of SEMpdx members, which only costs $125 a year, so that’s a good deal for coupon cutters out there. If you have any personal experience with SES New York vs. SES San Jose, I’d love to hear about it.

When Microsoft announced Microsoft Health Vault, for storing and retrieiving sensitive personal health records over the public Internet, I commented with “Microsoft is first out of the gate announcing Health Vault, an online personal health information database of Google proportions.” Now that Google has regained its composure in the health database area, it is testing a Google version of Health Vault in collaboration with the Cleveland Clinic.

Reportedly, this new sensitive medical data will be yet another aspect of the standard Google account. The same Google account that they use for tracking analytics, advertising spend (for those who advertise), ad consumption (for those who click ads), online video watching (for those who use YouTube), email (for those on GMail), saving whatever you search for on the Internet for practically forever, and so much more (”so much more” referring to DoubleClick data, library data being archived by Google, news wires, government records, etc).

Yes, the very same Google accounts which have been compromised by security holes in the very recent past (remember when we learned that others could read our GMail accounts?) will now be used to store and access your sensitive medical records. Hey, it works for YouTube, so why not your genetic screening test results?

This is under test with the Cleveland Clinic. Tests, of course, of how well it can make money for Google and the Cleveland Clinic. Oh sure the testing involves some safety issues, but the kind like “did any patients get hurt by errors?” (because that would create liability), and “did anything get seriously, obviously mucked up?” (ecause that would be ambrasssing). I doubt very much it is a test of real security or feasibility of exposing the records to International hackers via the Internet… youknow the people who sit back in their repaired Aeron chairs over in the-regions-recently-bombed-to-hell and try just about anything possible to access social security numbers, bank account data, or sensitive information that can be sold for currency.

Our commercial deployers of technology still insist on trying to promise security, while ignoring the obvious, known problems (storing encryption keys on local hardware(PDF)) and trying to convince us they are more innovative than everyone else (not).

If Google wants to test the feasibility of this Google Health Vault, they should put up billboards around the world saying “Solve this puzzle and get a job at Google”, and then challenge the worlds “brightest minds” to find a way in to that sensitive health data. Go ahead, Google. I triple dog dare ya!

I will be speaking at the SearchFest in Portland on March 10, which is hosted by SEMpdx.com. Todd Mintz asked to interview me and then crafted some very interesting “a-typical” questions that were actually fun to answer. I’m not as confident as Todd that people want to know my views on Internet Privacy and How to Raise Kids to be Online Entrepreneurs, but the search marketing and SEO questions were very good. I appreciate the interest and the opportunity to appear on the SEMpdx.com blog, especially in advance of SearchFest.

You can read the interview here, and check out the SearchFest 2008 Agenda.

Like most approaches to automated anything, as “Web 2.0″ advances, it gets lazy. And as users adopt Web 2.0 “styles” of publishing, they assume the risk associated with that “laziness“. All growth markets suffer periodic “corrections”, but in the case of web publishing and security, a correction can be more like a Kick In The Teeth than a helpful reminder because it comes from security breeches and hacks and attacks. Is Web 2.0 about to get kicked? Take a look at this talk on the agenda for the current Black Hat security conference:

DAjax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.

This presentation will focus on core Web 2.0 security issues along with assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture with security standpoint. We will evaluate real life vulnerabilities with Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is very critical step to determine application security posture. 3.) Crawling Ajax driven application is biggest challenge and we will cover approaches to address this critical issue by dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 application for security holes is an emerging issue. It needs lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses for SOAP, REST and XML-RPC based Web Services along with innovative fuzzing.