WordPress Site Hacked: NoIndex and NoFollow All Links

Yes… You Know Who You Are

This morning I made the startling discovery that an important WordPress site belonging to one of our clients had been hacked.

A Little History

If you’ve heard me speak in the last 5 years, you know that I’m a huge believer in the power of content marketing. We regularly recommend and teach business blogging basics to our clients. We have no desire to turn them into bloggers per se, but we’ve trained them that producing fresh, high quality content is a fantastic way to achieve visibility online and even provide fodder for social media outlets like Facebook & Twitter.

So… one of our clients who hired us to build out their WordPress site and for whom we’ve provided a fair amount of training and coaching for some time now began to experience a decline in search engine rankings. In their case, WordPress is installed on a separate domain from their main website. Their main website was historically not performing well from a search engine point of view (although it was great from virtually every other perspective when it was built), so WordPress was being used as a way to help prop up the main site. And it worked. Really, really well.

Imagine my surprise, then, when this particular site began to drop in the rankings for no apparent reason. Nothing had changed that we could tell. We did a little research and paid attention to what the competitors were doing and could see nothing significant enough to account for the change. It was very much an anomaly, because all of our other clients who were doing what we trained them to do were doing just fine.

So today, quite by accident, we found the culprit.

The WPRef Plugin

We were reviewing a piece of content before it got published when we discovered that a couple of the links had a rel=”nofollow” attribute. The content writer who was working on it had no knowledge of how to manually create that type of link (we certainly don’t train people to do that… especially for links that are created intentionally for search engine purposes!), so we knew something was up.

I inquired a little further to find out where the link had come from, and the answer was, “I copied it from another post.”

Hmmmm…. well… I assumed at first that something had crept its way into an earlier post and perhaps it had been duplicated a couple of times. I wasn’t looking forward to hunting down the original link. As I heard someone say recently, it’s like looking for a needle in a needlestack! But then I noticed that there was more than one link acting that way. So… I used the WordPress “preview” function to take a look at how the new post would look, and decided to “view source code” to see if the changes I’d made were taking effect.

That’s when I noticed this:

Every link within the content had been modified with a and a rel=”nofollow” sitewide.

That would be a problem. The site had been running for a while and there was a significant amount of content.

Digging a little deeper, I found that a plugin had been installed and given the name “WPRef.”

We had backed up and upgraded the site to the latest version of WordPress on February 3rd. So… we checked our backup and found that the plugin was not contained in it. On the server, we found (via FTP) that a file called “wpref.php” had been copied to the /wp-content/plugins folder on February 10th.

Not only had the plugin been placed in that folder, it had been activated.

Checking a little deeper, we discovered that the plugin’s only function was to add a tag and a “nofollow” attribute to every outbound link in the site’s content.

This amounts to a very specific, malicious attack. The only purpose of it can be to cause Google (and other search engines too) to ignore the site’s links.
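The two checks described above (viewing the rendered source for unexpected `rel="nofollow"` on outbound links, and comparing the live plugins folder against the backup) can be made repeatable. The following is an added Python example, not code from the original post or from the plugin; the HTML snippet, the file listings and the host `blog.example.com` are constructed placeholders.

```python
"""Spot the two symptoms of the WPRef-style tampering described above:
outbound links in rendered post HTML that carry rel="nofollow", and files
in /wp-content/plugins that the known-good backup does not contain.
Added example; the sample HTML, listings and host below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect the attribute dicts of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # attrs is a list of (name, value); value may be None
            self.links.append(dict(attrs))


def find_nofollowed_outbound(html, site_host):
    """Return hrefs of links to other hosts whose rel contains 'nofollow'.

    Relative links and links back to site_host are skipped, because a
    nofollow on an internal link is a different (and less common) symptom.
    Host comparison is exact; add www/apex handling for your own site.
    """
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.links:
        href = attrs.get("href") or ""
        host = urlparse(href).netloc.lower()
        if not host or host == site_host.lower():
            continue
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if "nofollow" in rel_tokens:
            flagged.append(href)
    return flagged


def unexpected_plugin_files(live_listing, backup_listing):
    """Files present in the live plugins tree but absent from the backup.

    Feed it two directory listings (e.g. from FTP and from the archive) and
    anything it returns deserves a look before it is trusted or activated.
    """
    return sorted(set(live_listing) - set(backup_listing))


# Constructed sample: one internal link, one outbound link that has been
# rewritten with nofollow, and one outbound link left untouched.
SAMPLE_HTML = """
<p>See our <a href="/about">about page</a> and
<a href="https://partner.example.net/page" rel="nofollow">partner</a>,
plus <a href="http://www.example.org/" rel="noopener">reference</a>.</p>
"""

# Constructed listings of /wp-content/plugins: backup vs. what FTP shows now.
BACKUP_PLUGINS = ["akismet/", "hello.php", "index.php"]
LIVE_PLUGINS = ["akismet/", "hello.php", "index.php", "wpref.php"]


def run_checks(html=SAMPLE_HTML, site_host="blog.example.com",
               live=LIVE_PLUGINS, backup=BACKUP_PLUGINS):
    """Bundle both checks into one report dict for scripting or cron use."""
    return {
        "nofollowed_outbound": find_nofollowed_outbound(html, site_host),
        "unexpected_plugin_files": unexpected_plugin_files(live, backup),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits if hits else 'none'}")
```

Running the same two functions over every published post and over a fresh plugins listing after each upgrade turns this one-off discovery into a routine check.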

Needless to say, I was infuriated. We’ve taken steps to harden that particular site. All my searching and other efforts to find evidence that others have encountered a hack like this have turned up nothing. It appears that (at least for now) this is a one-off, one-shot hack job. It’s hard not to believe that this site was specifically targeted on purpose.

The amusing thing was that the plugin added an options panel into the “Settings” menu. Within that, it output a bunch of gibberish, including some Russian domain names. In the “Active Plugins” area, it purported to have “code.google.com” as its “plugin site” and its author was listed as, “Sergei Brin.” I was so distracted by the infuriation and frustration of the whole thing that I failed to recognize that it wasn’t just a Russian-sounding name to match the other Russian references… it’s the (botched) name of the famous Google co-founder.

Humorous.

So… we’ve saved a copy of this little piece of php code. Obviously, we’ve removed it from the site in question and have tested the site out. Our links are back to normal now. Presumably, this client’s search engine rankings will return back to their prior positioning. Actually, since the rankings were declining, we’ve stepped up the game for this client with some additional efforts and so the rankings should actually move higher than ever. So… if this was, in fact, a malicious attack which singled out this particular business… the plan has backfired.

Thanks. Whoever you are.

BarCamp Sarasota 2011

**Update** The BarCamp Sarasota Fall 2011 event takes place October 15-16 at GWIZ. Epiphany Marketing is making presentations there as well. We hope to see you!

I’m writing this from inside an Entrepreneurial Roundtable session being facilitated by locally-based technologist Stan Schultes. The ideas being generated within this “open source” group of people are absolutely stellar. There are folks in the room who have been there, done it, and are looking for an opportunity to share back and forth.

This is just one example of the benefits of having an event like BarCamp Sarasota. This year’s event is being held this weekend at GWIZ, which turns out to be a perfect venue because of their various small rooms that seem ideally suited for sessions like those you’ll find at a BarCamp event. The sessions are on a wide variety of topics — both technology-focused and otherwise. Skimming through upcoming session for today, here are some of the topics on the menu:

  • “Leadership and Community Building, Why Now More than Ever?” with Sara Hand
  • “The Zen of Building Sustainable Technology” with Lorrie Vervoordt
  • “Programming Humans” with Tracy Ingram
  • “Facebook Marketing & SEO” with Thao Tran

At 11am, we’ll be presenting…

Making It All Pay: Growing Your Business with 21st Century Tools

Yes… technology is great! We love it… but without a comprehensive, written, measurable strategy in place, most every business will find themselves floundering in a sea of unfinished initiatives — nearly all of which have failed to produce any significant result from a business standpoint.

For example… how many businesses have websites, blogs, Facebook pages, Twitter accounts, etc. but can’t point to any new business that they have produced? Or (perhaps worse) know that some business has been produced, but the metrics aren’t in place to identify how much and from which initiatives.

So… we’ll be talking about the strategy piece of the equation… and lining up all the elements in a way that gets you the result you desire. For most businesses, this means new customers, bigger market share and long-term profitability.

Hope you join us for our session… More reports from this year’s BarCamp event later!

RIP: PayPal Plug-In – No More Single Use Debit Cards

PayPal Plug-In: Single Use Debit Cards

Recently, I received word from PayPal that they’ve decided to discontinue the incredibly useful PayPal Plug-in.

As the final day approaches, PayPal doesn’t seem to be backing down from its impending termination. September 22, 2010 is officially the last day to use the tool.

It’s a sad day. This has been, by far, one of PayPal’s most valuable features.

What Are Single Use Debit Cards?

To anyone who makes online purchases, having the ability to generate a valid, disposable card number is a dream come true. If you’ve ever had a debit card number compromised — either because of bank error, security breaches, or just jerks who get lucky with their random card number software — you know how painful it is to clean up the process. You get to contact the issuing bank, cancel the card, go without usage of it for days or even weeks while they replace it, and deal with the whole issue of getting your money back from whomever may have successfully nabbed some.

What a mess!

It’s like “Identity Theft Lite.”

A couple of years ago, we went through a nasty streak of these problems at my house. On multiple issuing banks, we had several business and personal debit cards compromised. In some cases, there were fraudulent charges (or in some cases, just authorizations). In other cases, we were informed by the bank that there was a breach of security and they recommended immediate replacement.

It’s not a fun situation. Especially when you have meticulous habits (as we do in my house) around using card numbers at reputable sites only, always verifying SSL status before punching a card number in, using firewalls when surfing at public hotspots, etc…

It seems that you can’t be too careful. And even when you’re doing your best, you can get stung through no fault of your own.

So, imagine my delight when I discovered that PayPal was offering a free piece of software that permitted me to generate a brand new card number on demand. There was no physical card attached at all. It was merely a valid card number, complete with its own expiration date (usually about 2 months from the date it was generated), valid CVV digits, and billed to the billing address on my PayPal account. And the best thing? It could only be used once.

So… about to make a purchase from an online retailer that wants to store your credit card information (for your convenience, of course!)? Just open the plug-in, login to PayPal with your password, and in a click or two and about as many seconds on the clock, you’d have a card number that would be approved right away for your purchase… but would forever be declined thereafter.

They even gave me an option of creating multiple use card numbers for recurring billing purposes. Need to be able to track charges from a certain retailer, vendor, or supplier? No problem. Just generate a multiple-use card number for that vendor, and you’re in full control. You can cancel the number at any time to stop them from charging you… without having to go through the hassle of replacing your physical card and getting stuck without the ability to use it in the meantime.

Don’t have your wallet close by while you’re trying to check out of a website with a purchase? No problem. Just open up another browser window and crank out a valid card number on the spot.

I could go on and on. The usefulness of this fantastic service seemed to grow by the day.

In All Fairness…

The software itself left something to be desired. Originally, I installed the plug-in on my Firefox browser. Over time, as Firefox was updated, the plug-in didn’t get along with it so well. So… I ended up having to install it on the dreaded Internet Explorer. That was a pain… especially since I trust Internet Explorer as far as I can throw it. (Ever tried to throw a piece of software?)

But… despite the rather clunky user interface, and the annoying and odd fact that there was no way to get to your previously generated cards, receipts inbox or the other nifty features of this tool from the main PayPal website (the only way to open that part of their site was to use the plug-in… which took you to that magical part of the site), the tool was still nothing short of invaluable.

What To Do?

Honestly, I don’t know. I’m searching for “Virtual Debit Cards,” or “Secure Debit Card Generator,” or “Single Use Debit Cards,” or “Disposable Debit Card” online. Nothing so far seems to be a good match. I’ve found a number of complaints in the PayPal community forums where users like me are publicly lamenting the loss of this tool. There are some complaints from international users that they never had access to the tool to begin with (apparently it was only for US customers).

But nothing that looks like it could serve as a replacement for this valuable tool.

I can’t help but suspect that I’ll be using PayPal less and less. And I’ll probably be more inclined to move any balance in my PayPal account much more quickly into my main business checking account. I’m sure I’ll still use the PayPal debit card that I carry for my business… but probably less often.

Will that hurt PayPal? Probably not much. I’m certainly only one business owner… and I’m guessing that adoption of this tool wasn’t very widespread (otherwise they’d be more aggressively announcing alternative features). So… I’m sure they calculated the risk associated with cancelling the tool and decided it was worthwhile for whatever reason.

But I’ll be moving at least some of my PayPal business once I find a replacement solution.

How to Get a Faster Sprint Hero

Update: On September 18th, a stable release of CyanogenMod 6.0 became available. Details are here. (The post below refers to my experience with the “release candidate,” which is the predecessor to the new stable release.) I updated my phone on October 23rd to the stable release and can attest it’s faster and better than ever! I was happy with the release candidate, but I’m even happier now!

HTC Hero for Sprint: Is There Any Hope?

I absolutely love my HTC Hero. I have since day 1, which for me was November, 2009.

But I’ve hesitated to recommend it to people… primarily because of the frustrations I’ve experienced with the device. It is plagued with significant lag (delays between when you expect something to happen and when it actually happens), some of the Android functions weren’t quite ready for prime time, and its battery life left something to be desired.

Nevertheless, I’ve been so thrilled with the Android operating system as a whole that I’ve personally just looked beyond those frustrations and made the best of it.

But a couple of months ago Sprint royally ticked me off. I’ll explain in a moment.

Cupcakes, Donuts & Eclairs

It may help here to provide a little background. My Hero originally shipped with Android “Donut,” which was version 1.6 of the Android Operating System.

For clarification, “Android” is the name of the open source operating system that is developed by Google (or has been since they acquired Android, Inc. about 5 years ago). There remains some confusion over terminology since Verizon licensed the term Droid™ from Lucasfilm, LTD. Verizon produces and sells several different devices under the name Droid™ as a way to brand their family of phones that run the Android operating system.

But any manufacturer is free to develop devices using the Android operating system. And many do. The devices began to take off when Android 1.5 (AKA “Cupcake”) released in early 2009. Google’s “Market” (their version of Apple’s “App Store”) began to explode with fantastic apps and the devices became more or less ready for daily use.

HTC Sense UI

So back to my Sprint HTC Hero. The Hero shipped with “Donut” (the successor to “Cupcake”), and as I said before, I loved it from day one. An important reason it got so much love (from me and from others) was because HTC (the device’s manufacturer) developed an array of apps, widgets and modifications to the Android operating system that they labeled the “Sense UI” (UI is geek-speak for “User Interface”). Anyone who has used the Sense UI is spoiled.

I didn’t realize how spoiled I was until I picked up a friend’s Verizon Motorola Droid™ thinking I could use it. It was substantially clunkier and actually quite unfamiliar. I was surprised by the learning curve I had (considering I had owned and used my Android device regularly for months). But most surprising to me was how blazingly fast the Droid™ was in comparison to my Hero.

It was then that I began to realize just how unhappy I was with all the lag and the other frustrations I was experiencing.

This wasn’t just a case of device envy. I was syncing my Hero to an Exchange server and a Gmail account. I was regularly unable to answer calls because the lag was so long that they would go to voicemail before my phone was ready. Text messages were difficult at times. The browser was clearly powerful (especially when compared to my previous Blackberry and Windows Mobile browsers) but so painfully slow that it was rendered almost unusable.

So… imagine my delight when Sprint and HTC announced the availability of a significant upgrade from “Donut” (Android 1.6) to “Eclair” (Android 2.1) in May. Eclair boasted faster speeds — even on the same hardware (a rare occurrence in the world of hardware/software relations), and HTC had made substantial improvements to the Sense UI.

I backed up all my data (using an app that was readily available from the Android Market) and performed the upgrade. It was painful to watch the process run so slowly, but when it was over, my phone was noticeably more responsive.

But not responsive enough.

And even more painful was knowing that Eclair’s release date was October of 2009, fully 7 months before Sprint & HTC bothered to roll out the update. And also that “Froyo” (Android 2.2) was released by Google right about the time that I was downloading the Eclair update from HTC’s servers.

The Froyo Frustration

So… I said earlier that Sprint had ticked me off. Several things happened all about the same time in the world of Sprint. In June, they announced the HTC EVO… which they widely proclaimed the nation’s first 4G phone. It boasted a bigger screen, faster processor, and a big fat price tag. And even though I’m a Sprint “Premier” customer, I was still nearly 6 months away from qualifying for their “upgrade pricing.”

Another Sprint event: a leak. Word leaked out that although the EVO would be getting an upgrade to Froyo, the Hero (and a couple of other lesser phones) would not.

Whatever the reasons for their decision, here’s how it came across to the community of HTC Hero owners: a slap in the face. Some of them had just purchased the Hero, and in fact Sprint still sells it brand new today.

My wife is eligible for a Sprint upgrade and has been for probably 18 months or so since her last contract expired. No matter how easy to use, there was no way I was going to have her purchase the HTC Hero… because I knew that to a non-techie the problems I was experiencing would be absolute showstoppers.

But given Sprint’s attitude (“We’re not going to provide the software update, just buy our new $500 phone if you want something better…”), I seriously began contemplating a switch to another carrier.

I know, I know… they all screw their customers. And frankly, I’ve had almost no trouble at all with Sprint over the years… nor with Nextel prior to Sprint’s acquisition of it. Signal is good. Billing is accurate. Customer service (on the rare occasion when I’ve required it) has exceeded my (admittedly low) expectations.

So… why would I want to switch? It just felt like the decision was made purely to dangle a real expensive carrot in front of customers like me who pay significant fees every month for service.

It also happened that around July I began to face the fact that my dependence upon Microsoft was coming to an end. I’ve owned, managed or leased space on Exchange Servers for nearly 10 years. I’ve synced with a variety of mobile devices (as I mentioned before) and I am an enormous believer in “the cloud.” In fact, when I switched from my last smartphone (a Windows mobile device) to the Hero, my 1000+ contacts and an untold number of emails (even in the 3-day sync window) were synced before I left the Sprint store.

Realizing how good the sync is on the Android platform (including Facebook and Twitter integration), and that Google isn’t going anywhere, I decided to take the plunge and test out Google Apps For Your Domain (“GAFYD”). Holy cow. I wish I’d done it sooner. The Gmail platform (private-labeled for my team) is unbelievably powerful and easy to use. The extremely low cost ($50 per user per year) is an enormous cost savings over using (and supporting) the Exchange platform, and no software (Microsoft Outlook, you know who you are) is required.

So… a number of pieces were coming into place for me. I’m seeing a long term commitment to Google’s platform — including Android.

But man… the Hero was frustratingly slow.

So… last week, I bit the bullet and “rooted” my phone.

To Root or Not to Root

No… I’m not digging around in the soil. And no… I didn’t let it get acquainted with nature in an attempt to get an insurance upgrade (ever known anyone who’s tried that trick?)…

I did, however, void my warranty. At least temporarily.

The Android platform is closely related to Unix. On a Unix system, the “Administrator” (to use Microsoft’s terminology) is called the “Root” user. This user has “root” (the highest level of) access to the operating system.

For reasons that I’m sure are relatively obvious, Sprint (and every other carrier) does not provide “root” access to the operating systems on its devices. Instead, it locks down most configuration options and system areas so that the end user can’t screw things up too badly (and so that rogue apps don’t have the ability to behave too badly). Apple does the same thing with its devices.

Of course, there’s a vibrant community of hackers who will teach you how to gain root access to your Android device… and even provide software tools to avoid the most complicated, error-prone steps.

Why would you want root access? Well… for a long list of reasons, most of which involve gaining a higher level of control over the device. Want to overclock your processor? You need root access. Want to reconfigure your LED? You need root access. Want to do just about anything aside from installing the sanitized apps from the market? You need root access.

Want to install Froyo (Android 2.2)? You need root access.

Wait a minute… you can install Froyo? The same Froyo that boasts 3x-10x speed improvements (yes… on the same hardware) over Eclair? The same Froyo that allows for tethering (providing internet access via a USB cable from your phone to your laptop when not in range of wifi service… a feature blocked by Sprint in Eclair) and hotspot (turning your phone into a wifi hotspot so your laptop and other devices can utilize its internet connection… something Sprint charges an extra monthly fee for on the EVO even though it’s a built-in feature) and significantly-improved multiple Google account support?

Well… officially, no. You can’t have Froyo. You’re stuck with a slow Hero.

But unofficially… once you make the decision to take a few liberties with your device… you can do all of the above.

And let me tell you… the difference is nothing short of amazing.

On Saturday, I decided to take the plunge: root the phone and install Froyo. Of course, there’s no chance of just going to Google’s Android site and finding a download for Android 2.2 that’s going to actually work on your phone. But thanks to the community of developers/hackers I mentioned earlier, there are ready-made distributions available that are tailored to your carrier, device and desired configuration.

Let me be clear: this process is not for the faint of heart. There are portions that are highly technical in nature, and it’s best if you don’t expect someone to hold your hand. The community has produced a dizzying array of blogs, wikis and most importantly: forums, where answers can be found for all manner of technical questions.

I’m personally writing this post to inform some of the non-techies in the world that there are ways to get yourself a much better experience with your HTC Hero on Sprint (or just about any other Android device, for that matter). But I’m unable to provide technical expertise or guidance on this aside from sharing a few details that worked for me and pointing you toward the true masters of this game… the ones who have devoted untold hours to writing code, testing and supporting their work.

To these individuals — the ones who dared to say to Sprint, “Take that!” — I am truly grateful. I have today what amounts to a brand new phone. Yes, the hardware is no different. But how it performs… there’s absolutely no comparison.

So… let me provide a brief summary of the steps I took to get this amazing result.

The Process… Summarized

First and foremost, as with any operation that has the potential to affect valuable data, perform a backup. I highly recommend a phenomenal paid app from the Android Market called MyBackup Pro. Open the Market from your device, fork over a mere $4.99, and you can backup everything from your emails, contacts and calendar all the way to applications and even the layout of your homescreen. It will save to your device’s SD card and, if you choose, upload a backup to the developers’ servers where it can be retrieved later from the same device or from a replacement (if you’re switching hardware).

For me, my emails, contacts and calendar were all synced to Google accounts, so there was no need to actually store that data. But my call log, SMS (texts) and MMS (multimedia messages) and apps were valuable to me. I guess some people don’t see a need to hang on to those, but I like being able to refer back to things in the future. So I backed ’em up.

After you’re satisfied that you have a backup and can restore your phone to its current state if necessary (either because things go badly or because you need warranty service from Sprint because of hardware issues), then you can get under the hood and really start tinkering.

The short version is this:

  1. Gain root access to your device
  2. Download and install a recovery image (provides a boot platform as well as backup and other valuable tools)
  3. Perform another backup using Nandroid (part of the recovery image)
  4. Download and install a ROM that contains the distribution of Android and the configuration you’re looking for
  5. Install the ROM
  6. Install the Google Apps (Market, Gmail, Maps, etc…) so that you can use the basic functions you’re expecting from Android
  7. Install/configure Launcher software (if you choose — as I did — to go with something different than what came with the ROM you installed)
  8. Selectively restore data from your backup (the one you performed prior to step 1). For me, this meant: call logs, SMS/MMS messages, and apps.
  9. Locate some new apps (as desired) to replace the stuff from HTC’s Sense UI that you might miss.
  10. Experience blazing speeds, better battery life, and overall… a fantastic phone!

I’ll provide a little more detail for you below. But here’s my caveat: this stuff changes… sometimes daily. Whatever I post here will be outdated by the time I hit publish, not to mention by the time you read it.

So… I’m going to point you in the direction of the valuable resources I have found. There are a few major players worth highlighting, but there are countless other players who may not be as visible or noticeable who have also played an enormous role in making this level of customization to your device possible. These are the real heroes, in my opinion. Obviously, Google and the original Android team deserve some major props as well.

The developers who have gone the “last mile” to us end users can be found in the forums at XDA-developers.com. This is where you’ll find heroes like Darchstar — who created the final actual ROM I’m currently using and would highly recommend — and theimpaler747, who is one of many who deserve recognition for their tireless support answering questions from people like me who are trying to wrap our heads around what it takes to get the job done.

So, by topic, here are some important links you’ll need in order to undertake the process. (Note: these links apply — in most cases exclusively — to the HTC Hero on Sprint and may be out of date — see my red ink above. If you need stuff for a different device or a different carrier, then search the forums for your specific situation. Chances are, you’ll find great results.)

  1. Learn about (and download tools to gain) root access to your device here.
  2. Download the ROM Manager from the Android Market (using the Market app on your phone). It will only work after you have root access. Give it “Superuser” permissions and it will install the appropriate recovery image and the other tools (such as Nandroid for backups) to your device.
  3. Reboot to the recovery image and run a Nandroid backup to your SD card. This is a much more comprehensive, system-level backup of your entire device.
  4. Wipe your device. In hacker parlance, this means perform a “factory reset.” This is required in order to effectively install the ROM you’ll need. Alternatively, you can download the desired ROM and install it via the ROM Manager, which will prompt you for the wipe (which you should have it perform in this case).
  5. Here’s where to find Darchstar’s Froyo ROM RC1 for the Sprint Hero. (“Release Candidate 1” means it’s stable enough for you to use, but isn’t officially considered a full release yet as they’re still tinkering). Darchstar built upon the fantastic work of the CyanogenMod community in bringing us Froyo. This particular distribution bears the date of August 15, 2010. I’m sure I’ll be flashing (installing) a newer ROM when it becomes available — either RC2 or a formal release. There are also “nightlies” (nightly builds) available that may have newer features but may also be less stable. I’m not using the nightlies because my phone is something I absolutely depend upon on a daily basis and I can’t afford the luxury of testing at the bleeding edge for now.
  6. Darchstar also maintains a link to the latest version of the Google Apps distribution you’ll need. It’s posted on the same forum topic as his distribution. Grab it. You’ll want it. You “flash” this ZIP file right on top of the ROM (don’t perform a wipe this time) that you just installed. I used ROM Manager to do it, which Darchstar was kind enough to include in his Froyo distribution.
  7. Test, tinker and tweak.

I dug through the forums and decided to purchase the Launcher Pro App from the Android Market (after I synced my Google account, naturally). This brought some of the features of the Homescreen back that I would’ve missed from HTC’s Sense. I also gained some fantastic new features in the process (e.g. more rows for icons, a nifty all-new App Drawer, and some more fun stuff.)

I also decided to download the Dialer One app to regain some of the experience inside the actual phone functions that I liked from HTC Sense. It looks different, but performs very well. You can also turn it off and switch back to the standard Android dialer if it isn’t what you like.

For text messaging, I went with chompSMS. This was something I’d already switched to prior to rooting and upgrading to Froyo. It has a fantastic UI… including popups that appear when you receive an incoming text so you can answer (or not) without interrupting what you were doing. The threaded conversations are fantastic and visually appealing as well.

One of the most noticeable elements of HTC’s Sense UI is the big digital clock with the animated weather icons that typically adorned the Homescreen of most users. While Launcher Pro comes with some options, I ultimately decided to get the Beautiful Widgets app (and pay for the upgrade) from the Market. It has some obvious visual differences, but there are replacement widgets that look as good as (and are frankly more configurable than) the ones that come with Sense.

There are lots more tweaks available. And a few lingering issues are minor annoyances as well. The whole experience has opened my eyes to just how powerful the Android platform really is. At this point, I’m not sure I could ever be talked into buying an iPhone. Apple’s reputation for closing itself off to proprietary platforms is legendary… and ultimately not in the best interests of users. There are certainly those who think Google could be evil… and I’m mindful of the possibility that they could turn that direction somewhere along the line. But their commitment to open source development is clear. And there’s a clear path for getting your data off of their platforms at any point in time if you decide you want to switch.

As for the annoyances, there’s a lag that remains when you bring the phone back from sleep. Some users have overclocked their phone’s processors using “uncapped kernels” (another piece of software you can optionally flash on top of Darchstar’s Froyo ROM if you’re extra brave) and claim to have gotten rid of this. Frankly, I’m aware of it (it’s longer than the lag I had previously with Eclair/Sense), but it’s not a big deal. The blinding speed I get with every other function on the phone far outweighs any complaint I might raise about this lag. But the forums are filled with questions about it (typically the same question over and over), so some people are more annoyed by it than I am.

Occasionally, I uncover some other “missing feature” that I realize was part of Sense. But there are replacements for almost all of these. There’s a bug that occurs when you try to open the camera from inside the gallery (something I did regularly before) that causes the phone to hang. The fix is nifty: you get to pull the battery from your phone in order to reboot it. Not cool, but as with the other issue: it’s something I’m aware of and in this case, I can avoid it!

All in all, I’m so thrilled with my experience that I wish I’d done it a lot sooner. Of course, every day that goes by produces better and better code from the crew that’s working on it. So… perhaps the timing of my switch was good.

Either way, if you own a Sprint HTC Hero, I highly recommend that you root your phone and upgrade it to Froyo. You won’t regret it… and if for some reason you do, you can go back to the configuration you have today (if you really want to) by using the ROM that Sprint/HTC made available when they rolled out Eclair back in May.

This may be the longest post I’ve ever written here. But… what can I say… I’m thrilled with my Hero! And I’m running Froyo on it.

Incidentally, there’s a fantastic thread now running on XDA-developers.com that was started by the aforementioned theimpaler747 for users of any of the CyanogenMod ROMs for the Hero (this includes the one I’m using from Darchstar). In addition to the thread containing Darchstar’s ROM download, this one is highly useful.

I hope this post helps you make the decision to move forward with upgrading your Hero. It’s worth every minute of effort you spend learning your way around and going down the road, as complex as it may be!

The Machine That Goes “Bing!”

And now for something completely different: In a bizarre move, Microsoft does something brilliant.

At first I thought,

“Well… they grabbed a 4-letter domain name that’s easy to remember… they couldn’t possibly have intended to connect it to the Monty Python sketch…”

That was when I first started seeing the bing.com commercials about the tangential search results. The commercials are humorous, although for me they purport to solve a problem I don’t have.

But now… they started using the funny little high-pitched male voice saying, “Bing!”

And really… what Python fan in the world could forget this moment from The Meaning of Life?

Until Apple managed to emerge from the 1990s somehow still in business, I had always thought of Microsoft as a corporation that was brilliant in its marketing. In retrospect, my admiration was actually aimed at what I would now classify as business strategy. Apple is without question a brilliant marketing machine, and to say they’ve successfully trumped Microsoft in that department is like saying that Alexander the Great had some military victories.

But I must admit… the “Bing!” thing is a brilliant marketing move on many levels.

Whether the “new” search engine actually offers any unique value remains to be seen.

Long Awaited: BarCamp Sarasota!

Though it’s still in the early stages of getting organized, I’m thrilled to announce the recent discovery of BarCamp Sarasota! Some old friends along with some friends I’ve not yet been introduced to are responsible for making this happen.

Things have gotten underway with a new home on the web and a Ning group which is all accessible at the BarCamp Sarasota website. Already there’s been an organizational meeting and another one is on the calendar.

So… calling all techies, bloggers, social media types, programmers, eggheads, geeks, propellerheads, etc.

Get over there and check out what’s going on… then get involved!

Then perhaps if there are enough WordPress users around the Sarasota area, we can manage to put together a WordCamp too!

(With apologies to all of my Geek friends for the photo… I’d hate to be accused of trafficking in stereotypes! Especially when we’re planning the takeover of the world! Oh… and… for the record, that is NOT a picture of me… from any point in my life!)

WordPress 2.7 – I’m Officially a Fan

Typically, when a new version of WordPress is announced — and particularly when there’s a lot of fanfare around it — I’m prone to delay upgrading. WordPress is, for the uninitiated reader, the software that runs this site as well as countless others that I own and/or manage (I’m serious… I’ve truly lost count).

Since I’m a classic “early adopter,” this behavior might seem a bit odd. I assure you it’s entirely pragmatic. The upgrade process, though not complex, can take time — especially if the number of sites you’re working with is measured in the dozens (at least). Then there are the compatibility issues (or potential compatibility issues) with themes (not usually critical) and plug-ins (sometimes these are dealbreakers).

For example, my favorite statistical tracking plug-in had problems with WordPress 2.5 for months. I found some workarounds, but it’s hard to complain or apply too much pressure to a hardworking developer who writes these plug-ins and gives them away. (Ain’t it great?!)

2.7: A Big Fat Exception

Like many, I’ve been paying attention to the previews and the news about the 2.7 release candidates. Like I said, typically this pre-release “hype” doesn’t move me.

I have, however, been seriously looking forward to the re-write of the user interface for the backend of the system. What that means in plain English is that the WordPress developers have given you — as the owner or author of the site — a completely new system to look at and work with. The whole experience of writing on and managing your site is new. Most notably, they did extensive usability testing that incorporated laser eye-tracking and other sophisticated ways of measuring whether or not we’re all going to like it and find it easier to use.

By the way, you can find a nifty preview video posted here to take a look at the new management console.

So… after noticing that the final release had been posted yesterday, I decided to go out on a limb and upgrade one of my newest sites. It’s a personal blog for me (David Johnson) and it’s brand new and doesn’t have many plug-ins installed — nor complex customization — so it seemed likely to be a good place to test. Very little stuff to break.

The upgrade process was quick and painless. I always back everything up first (good habit), which was what took the longest. And aside from an annoying message about my favorite tagging plug-in which told me I’d have to switch (and which thankfully turned out to be false), there were zero complaints. Initially, I had problems with all the nifty new Ajax features, none of which seemed to work in my browser. After rebooting and otherwise trying to make the problems go away, it occurred to me to empty my browser’s cache. Since I’m a Firefox user and have the nifty “web developer toolbar” installed, this was a mere mouse-click and a few seconds of waiting — not nearly as painful as doing the same thing in Internet Explorer. Voila! Everything worked as pictured in the video.

The result? Let me tell you… it’s gorgeous. It’s delicious. It’s easy to use. It’s very well done.

I’ve not yet tested every single plug-in I use and recommend for compatibility, but I’ve now upgraded 3 of my sites. I’ll be shooting a training video on the upgrade process for members of our marketing training program, so let me know if you’re interested in getting your hands on that video (we’ll have a new enrollment opportunity coming up shortly). The members of that program that are currently in training will have the luxury of finishing their training using this delightful new version of WordPress. It’ll be good!

How ‘Bout You?

What?! You don’t have a WordPress-based website yet? Hmmmm… that probably explains why you’re not ranking well in the search engines for your real prospects’ actual searches. Stay tuned for help on that! Or better yet… subscribe to updates over at the Epiphany Marketing site!

Is Ad Surf Daily a Scam?

I’ve gotten a lot of questions from friends and business associates about the Ad Surf Daily Cash Generator program. Now that the US Attorney’s office has seized assets and filed suit, with Florida Attorney General Bill McCollum right behind, it seems likely that the program will not continue.

A Few Facts

Initially, I was approached by people who wanted me to look at the program to see if it seemed legit. My friends know that I do not join multi-level marketing programs, nor anything that seems like it might be a network marketing venture. Nonetheless, I took a peek at this program to find out if there was anything suspect about it on behalf of those friends.

The first clue that there might be something “up” was that people were wondering if it might be a scam. Why? Well… the good old adage, “If it sounds too good to be true…” comes to mind.

Here’s the premise: you sign up for the program (even with a free account, if you prefer) under a sponsor. You then begin to “auto surf” ads every day. There are rewards for doing this, including the right to place a website of your own into the ad rotating system so that other people will be forced to view your site.

At this point, it sounds a little bit like a modified version of Pay-Per-Click advertising (PPC). With PPC, which most people are familiar with because of the right-hand side of your Google search results, advertisers bid to have their ad show up on certain sites and then only pay when someone “clicks” on their ad.

Ad Surf Daily seems to provide a cost-effective way to do this… at first glance.

But what you quickly learn is that the vast majority of people who join (and later “purchase ad packages”) don’t actually have anything to advertise. So… the question becomes, “Why are they signing up?”

It turns out that if you “purchase ad packages,” (which the US Attorney’s Office has now labeled “investing”) you have the opportunity to “earn rebates” by faithfully viewing advertisements every day. I won’t get into the mathematics of it, but let’s just say that this appears to be highly profitable because you can earn more in rebates than you “purchased.”

There are numerous incentives and rewards built into the program that are designed to get you to purchase more ad packages. Also, as a member of the program, you are incentivized to leave your earnings in the program because the higher your “cash balance,” the more rebates you’ll be able to earn. You can even increase your rate of earnings by paying for a monthly membership at several different levels. There are even big rallies where you can obtain much larger bonuses by “purchasing” ad packages on the spot…

And… of course, there are commissions. This is where some of the biggest incentives are. This is the part where you convince your friends and family (or even random acquaintances, like some of the people who have spammed my inbox about this) to sign up under you.

I Smell A Rat…

If you’re around the participants for very long, you hear amazing stories of large cash payouts. You hear about credit card debt being wiped out, even millionaires being created. All of this occurs in short periods of time. You hear about the explosive growth. You hear about the founder, Andy Bowdoin, and his impressive award that was given to him by the President of the United States. You hear about his many successful businesses over the years. You also watch videos online which focus repeatedly on “we’re good guys” without providing any substantive information about why you should expect this program to continue.

But I have a fundamental question:

If the bulk of the customers have no need for the item they are purchasing, where is the value that this company is actually bringing to the marketplace?

In other words, they claim their goal is to be the biggest seller of online advertising in the world. They even claim to be threatening Google’s position as market leader. But one thing I’ve noticed… the people/companies buying ads from Google (and other PPC establishments) have one thing in common: they all have something to advertise.

One friend of mine has a local contracting business. My question for him was, “What are you advertising in the ASD system that people might be interested in purchasing?” The answer: his local contracting business. My next thought is, “What the heck does someone in Bolivia do when they see an ad for a contracting business in Florida?”

As a marketer, my next thought after that is… that’s a little bit like buying a billboard on a California freeway for your McDonald’s in Memphis.

Poor use of advertising dollars.

Not so poor, perhaps, for those who have a digital product with universal appeal, or perhaps those selling something that can be purchased and then shipped anywhere in the world. Again, however, the key would be that it has universal appeal.

Like… toothbrushes.  We all need those, right?

Anyway…

Is It Sustainable?

Back to my fundamental question. How long can this program carry on — even if they’re careful not to promise to pay out too much money in “rebates” — when their basic product is not needed by the people who are purchasing it today?

Can it be that the only reason they are buying advertising is so that they can earn a rebate?

The answer is: absolutely, 100%, unequivocally, “yes!”

And that, my friends, creates a problem: as soon as the market figures out that:

a. there are better ways to buy advertising, and

b. this is only sustainable as long as there are more people willing to buy something they don’t need,

the whole thing comes tumbling down…

…not unlike a Ponzi scheme.

Precisely, by the way, what the US Attorney in Washington D.C., otherwise known as the Attorney General, concluded.

Is anyone guilty of a crime here? Well… that remains to be seen. In the meantime, no one is surfing the “ads.” No one is “purchasing ads,” and nobody is spending the $53M in cash that was seized while the investigation and the lawsuits proceed.

Bad news for those who used their life savings to buy something they didn’t need.

Snoop Dog Hack – SQL Injection

If you’ve been following my blog for a little while, you know about the recent “Snoop Dog Hack.” I’ve spent countless hours recovering from this nasty attack on my content, which replaced real content with ghetto slang, but only when viewed in certain Microsoft browsers.

Hopefully, it will never happen to your website. If it has, however, allow me to save you the trouble of doing all of the research to resolve this.

-John

First, a little background…

SQL Injection

SQL Injection involves entering SQL code into web forms (e.g., login fields) or into the browser address field, to access and manipulate the database behind the site, system or application.

When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you’ve entered against the relevant table in the database. If your input matches a row in that table, you’re granted access (in the case of a login screen). If not, you’re knocked back out.

One of the most popular SQL Injection scripts of the past decade is known as the “Snoop Dog SQL Injection Hack.” Because it was often written so that the injected content shows up only in Internet Explorer 7, this hack is especially tricky for web development teams to spot and fix.

The Snoop Dog SQL Injection Hack

In its simplest form, this is how the Injection works. It’s impossible to explain this without reverting to code for just a moment. Don’t worry, it will all be over soon.

Suppose we enter the following string in a Username field:

' OR 1=1 --

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:

SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'

…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.

So entering ' OR 1=1 -- as your username could result in the following actually being run:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:

The single quote (') closes the string literal that was supposed to hold the username, so everything after it is treated as SQL rather than as data.

-- is the SQL convention for commenting code, and everything after the comment marker (including the whole password check) is ignored. So the routine that actually runs becomes:

SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.
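To make the walk-through above concrete, here is an added example (my code, not code from the original post) that runs the same login query two ways against a constructed in-memory SQLite table: once built by pasting the user’s text into the SQL string, as the post describes, and once with bound parameters, which is the fix. The users table, its contents, the function names and the choice of SQLite are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original post). Passwords are kept in
# plaintext here only to keep the focus on the query; a real application
# stores password hashes, never the passwords themselves.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern from the post: user text is concatenated straight
    into the SQL, so a quote in the input changes the query's structure.
    Returns (access_granted, sql_text_that_was_executed)."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    rows = conn.execute(query).fetchall()
    return len(rows) > 0, query


def login_parameterized(conn, username, password):
    """The fix: placeholders send the values separately from the SQL text, so
    a quote or a -- in the input stays data and never becomes syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows) > 0, query


def demo():
    """Run the post's username payload through both versions of the check."""
    conn = make_db()
    payload = "' OR 1=1 -- "  # the username string from the post
    vuln_ok, vuln_sql = login_vulnerable(conn, payload, "")
    safe_ok, _ = login_parameterized(conn, payload, "")
    legit_ok, _ = login_parameterized(conn, "alice", "s3cret")
    return {
        "vulnerable": vuln_ok,        # True: 1=1 matches every row
        "parameterized": safe_ok,     # False: no user is literally named ' OR 1=1 --
        "legit": legit_ok,            # True: real credentials still work
        "vulnerable_sql": vuln_sql,   # the exact string the post shows
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The returned `vulnerable_sql` string is exactly the query the post walks through (`... username = '' OR 1=1 -- ' AND password = ''`), and the `vulnerable` result shows that it matches rows without any valid password. The parameterized version rejects the same input because the driver binds it as a value, so a quote in the data can never close the string literal. If your application builds SQL from request data anywhere, that is the line to look for.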

Already Been Hacked? Here’s How to Fix It and Avoid Future Attacks…

  • If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
  • Copy and paste the following code into every page with forms on your website…

<?php echo "HAPPY APRIL FOOL'S DAY PAUL AND KEVIN"; ?>

<?php echo "FROM JEREMY"; ?>