Blog

  • Does your Representative oppose Job Creation and Support a Warrantless Gag Order? Ask them.

    SOPA is a bill (HR 3261) sponsored by Lamar Smith (R-VA), John Conyers (D-MI), Bob Goodlatte (R-VA), Howard Berman (D-CA) and several co-sponsors. The first hearings on this bill will begin in Congress tomorrow, November 16th.

    If SOPA is passed, it will give the US Government control of the Domain Name System in order to allow them to “cut off” blacklisted websites. This is tantamount to giving the US government control of major newspapers at the printing press. If an edition is deemed unsuitable, it never leaves the press.

    The bill has been branded as a device to protect “our” intellectual property and something that is targeted at software pirates, thieves and criminals.

    The reality is that SOPA will give the government control over who has the right to speak.

    Print, radio and television are being replaced by Internet delivery systems from streaming music to video on demand, online newspapers and blogs. Every one of these relies on DNS to stay online. If our government has control over our DNS system, it has the ability to issue an instant warrantless gag order to any individual, corporation or organization if it doesn’t approve your message or content.

    The World has moved online. If this bill passes and is signed into law, it will go far beyond ending the Free Internet. It will remove the press freedoms we had before the Internet existed.

    SOPA’s effects are far reaching and go beyond government control of DNS. The effects will include harming businesses that rely on user generated content and preventing the creation of new businesses like Facebook, WordPress, Twitter, Google’s YouTube and many others. The bill will effectively kill a powerful job creation machine at a time when we need it most.

    Use this link to contact your congressman and express your view on SOPA.

    You can learn more about SOPA and the destruction it will wreak at:

  • Can you build a Big Business on Apple's App Store?

    A good friend refers to the Apple App Store as the California Lottery. So I thought I’d do some rough numbers on how feasible it is to build a big software business creating apps for iPad and iPhone and selling them in Apple’s App Store.

    The Apple App Store will still own three quarters of mobile app revenue by the end of 2011. It’s the place to be if you want to develop paid mobile applications.

    According to Apple, they had paid out $2.5 billion to developers from the creation of the App Store until July this year. I’m including this as a sanity check on my numbers below.

    According to this article, the combined revenue of all app stores will be $3.8B in 2011, with Apple owning 75% market share. That’s $2.85B total revenue for the App Store in 2011; with Apple keeping its 30% cut, the total payout to devs will be approximately $1.995B for 2011 (which roughly gels with the all-time payout number above).

    The app store just passed 500,000 approved apps in May 2011. (Edit: fixed a typo. Apps, not developers)

    In May of this year:

    • $3.64 was the average price for paid apps.
    • There were 244,720 paid apps.
    • There were 85,569 unique developers.
    If those paid apps split Apple’s projected 2011 revenue to developers of $1.995B between them, they each earn $8152.17 per year. There will be more paid apps by the end of 2011 than there were in May, so the same calculation for 2010 revenue to developers gives us: $2.1B total sector revenue X 75% Apple’s market share X 70% developer share = $1.1025B / 244,720 paid apps = $4505 per app in 2010.

    I’ve calculated both 2010 and 2011 revenue per app because the only data I have on total paid apps is from May.

    So total revenue per app now is roughly between $4K and $8K per year based on my back-of-the-envelope calculations.

    While App Store revenue is increasing, so is the number of developers in the App Store, exponentially:

    Let’s say you create a startup producing Apple App Store apps. You manage to completely dominate the App Store in 2011 and capture 1% of the total 2011 App Store revenue of around $2 billion that Apple will pay out to developers. That’s $20 million in annual revenue. Remember, you’ve just owned 85,560 other unique developers and a quarter million other paid apps, which is not impossible.

    To put this in perspective, here is the 2010 annual revenue from a collection of well known software companies, leaving out the eye-watering revenue from companies like Oracle, Microsoft, Apple, Google and the like.
    Sources:

    Food for thought.

  • WordPress Security: Have you been hacked?

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your WordPress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the foreseeable future.

    Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.

  • Your Vision May be Clouded

    I took a lot of crap when I decided to vertically integrate our business four years ago and I invested around $40,000 with Dell to buy our own server cluster. Right then THE CLOUD was the hot new thing, and still is and I was not getting on board. I leased a rack at a respectable Seattle based hosting facility and my wife added the ability to unbox and rack Dell 2950 servers to her long list of talents. The hosting facility team would have done it for us, but we like to get our hands dirty.

    That was the most work we did to set up our own server cluster. Four years later we have a 99.9% uptime record and we run a profitable company with an ad network, real-time analytics product and a free virally distributed service off our cluster of 20 machines. When we mail our customers we send over half a million emails in less than 24 hours off our own email server. We serve between 400 and 800 application requests per second all day long.

    During the last four years I’ve watched friends and acquaintances get burned by the cloud either due to down time or cost. We pay $3400 per month to host our 20 dedicated machines in a single rack. We have a gigabit connection to the Net and our average bandwidth throughput is around 125 megabits per second constantly.

    I’m tired of the Wired Magazine crowd giving me crap for not “being in the cloud” or “getting with the cloud” or whatever. So I’m throwing this down: During the last 4 years I’ve had 99.9% uptime and I’ve spent a total of $190,000 during those 4 years on hosting, which includes the capital investment in the servers. We’ve had a constant throughput of 80 to 120 megabits per second (increasing over time) and roughly 40% avg CPU usage on 20 dual-CPU machines (with dedicated Intel E5410 CPUs, each with 4 cores). As I mentioned we do 400 to 800 app requests per second and we also have an average of 25,000 concurrent connections on our front-end server. I’ll bet anyone who reads this a beer that you won’t find a cloud provider who can do this for you for less than 3X what I’ve paid. [That works out to $3,958 per month.]

    If you think having your own dedicated servers in a colocation facility ties you geographically to one place, it doesn’t. I work wherever I want. For 3 out of the last 4 years I was in Seattle. The last year I’ve been in Colorado. I spent 3 weeks in France this month and while I was there I diagnosed a failing drive in one of our servers, ordered the replacement from Dell which will arrive today and be racked by the support team at our hosting facility. We’ve done hardware replacements or upgrades like this many times, including ordering new servers, upgrading memory, upgrading Ubuntu versions, and it’s no big deal. A local support person with an anti-static strap and a basic knowledge of Linux shell commands can resolve 99% of issues that come up.

    I encourage everyone reading this to challenge the marketing hype around THE CLOUD. Go to Dell’s site, get a feel for price/performance, call your local colo provider and get prices on a full rack with a gigabit connection. You will almost certainly be surprised at the bang you’ll get for your buck and how easy it is to manage your own physical machines.

    Understand that THE CLOUD exists as a buzzword to help software companies sell more software as a service. It’s sad when software startups who should be using the buzzword to sell more service get taken in by the marketing and outsource their core infrastructure.

  • Be Right Back – with a solution to your problems

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’m driving through Europe for the next week so am not very available online. Currently in awesome Andorra. So if I’m not very responsive to your WordPress security needs I apologize. However, I have been working on a permanent fix to help with the recent spate of WP hacks and will be making it available as soon as I’m back at work. So apologies for the delay and thanks for your patience.

  • Blogspot security hole lets others view unpublished blog entries

    If you use the “new” Blogspot interface, try saving a draft post and then previewing it. You’ll see you’re previewing it using a link that looks something like:

    http://example.blogspot.com/b/post-preview?token=<long-encoded-string>&postId=532662776851272&type=POST

    One would assume that Blogspot knows you are “you” because you are signed in to Blogspot and it identifies you using a cookie. So it shouldn’t be possible for anyone else on the Net to view your unpublished blog post right? Wrong.

    If anyone else sees that link with the token, they simply paste it into their browser and they can view your unpublished blog entry.

    I thought that this would present a problem if you’re previewing a blog entry and you click an external link you included in your blog post. This would send your “preview” URL to that external site as a referrer, which means that external site can access your unpublished blog entry. Google seem to have anticipated this and they prevent you from clicking anything on the page by putting a DOM overlay on the preview page.

    However, all widgets on the page load. That means if you’re using a Facebook Like button, a stats widget, popular pages widget or any other external JavaScript widget that logs the current URL (pretty much all of them) then those external sites can access your unpublished blog entry. More importantly, anyone who those external sites share the URL with can access your unpublished blog entry.

    I thought perhaps if I logged out of Blogspot, that security token would expire and no one would be able to access my unpublished blog entry. Nope. It’s still accessible.

    Providing security through the hope that no one will discover a hidden URL in a world where URL sharing has become a deep part of everything we do is not a good design. Blogspot team please fix this. Thanks.


  • A peek into our Space Intelligence Community

    I spent the day in a secure area on Buckley Air Force Base called ADF-C or Air Force Data Facility, Colorado. A relative of mine works there and I got an invite to a family day, which I thought was impressive so I thought I’d share some of what I saw.

    Walking into ADF-C we had to leave all cellphones, cameras and electronic devices behind and produce two forms of ID to get in. Once inside, there were a wide variety of military personnel mixing with civilian contractors. What has surprised me about Buckley on previous visits and again today is the international presence, including Canadian and Australian military personnel.

    The base colonel did an impressive speech on opsec and the importance of the work done on Buckley including the sacrifice families in secure jobs make. “Hi Honey, what did you do at work today?”. “Oh nothing.”. Most families I know, including my own immediate family, talk passionately about our jobs among each other, debate decisions we made, discuss colleagues and work events and so on. Families in secure jobs, including many of my extended family, can never discuss things they work on now or worked on many decades ago. This includes military contractors. Maintaining that discipline is an impressive sacrifice that I don’t think many people appreciate.

    Walking into the base, there were many areas we could not access. But they had put together an impressive display for us. The first desk absolutely blew me away. The National Geospatial-Intelligence Agency is based at Buckley. I’ve been using their data for years and recommending it to others, and I walked up to the young sergeant behind the desk and literally shook the guy’s hand and thanked him for the awesome data they make available to the public. Any online business, world-wide, that provides a city or point-of-interest radius search uses the NGA’s data and probably doesn’t even realize it.

    Next up was AGI, which makes software to track objects in orbit. The demo they had up was impressive, tracking items in low and medium earth orbits in real time. The guy was telling me they provide APIs in .NET and Java for developers and as I was listening I looked over my shoulder and totally lost interest because….


    The National Security Agency had a booth there. My wife and I immediately headed over and the three people behind the desk were incredibly friendly and forthcoming about their work. But the real treat was that they had a working original Enigma encryption machine from WWII. The Enigma created the strong awareness of the importance of cryptography we have today and it’s one of the main reasons the NSA exists today. Most of the folks behind the desk were mathematicians or worked with, or are married to, mathematicians. They have a presence on Buckley and they told us that post 9/11 they diversified beyond Fort Meade (Maryland).

    Next up was the National Reconnaissance Office or NRO. These are the guys who actually launch and operate the spy satellites that the NSA and other agencies use. I picked up these cool postcards of a few of the 2010 and 2011 launches they’ve done:

    I also chatted to folks from a software division in Lockheed that have designed a 3D walkthrough app that uses real-world photography taken from a reconnaissance aircraft to create a model of an environment. Imagine a Quake walkthrough game of Vegas with actual footage taken at an instant in time of the city. That’s what they had on a demo system. It’s designed to take battlefield intel and provide a walkthrough for folks planning an operation.

    We went back to the NSA booth later to play with that Enigma some more. It has 3 sets of numbers that are synchronized when two machines are together. Then before a transmission is sent, the sending station will broadcast how much the receiver needs to increment their machine’s numbers by in order to receive the code. The NSA person I spoke to told me that was one of the weaknesses that helped the Polish cryptanalysts (and then Bletchley Park) crack the code. That transmission containing the increments always contained no data.

    Next up, we took a tour of one of the base radomes, but on the way I spotted an interesting plaque on a wall in the hallway. It said “Echelon” with a coat of arms and the slogan “Acta Non Verba”. I went back and did a double-take. On the way back I did a triple take. Some amazing history there if you know anything about signals intelligence.

    I always thought those radomes contained radar systems for local aircraft, considering it’s an Air Force base. But they contain 85 ft diameter satellite dishes that weigh almost 200 tons and rotate at 2 degrees per second when they’re moving. The domes are constructed out of a material that seems similar to mylar (mainsail material) and are kept at a positive pressure to strengthen them. They can handle winds up to 125mph. If you live in Colorado you’ll know they dot the landscape for hundreds of miles in the Denver and Colorado Springs areas.

    I chatted to a bomb tech for way too long about a display they had. Did you know you can fire a rifle into C4 and it won’t detonate? Or the most time consuming explosive to dispose of is sweaty dynamite? My wife chatted to a hostage negotiator. They had a glider and pilot from the civil aviation patrol and we chatted to him for ages about local gliding conditions and riding thermals into Wyoming and back.

    They had a cool karate demo at the end of the day – a full contact style I did briefly some time ago called Ken Po. The acrobatics were matrix-like and the base commander broke a pile of 8 bricks and didn’t even flinch when I shook his hand as we were leaving. Cool guy and he seems to be an inspirational leader.

    Thanks to all the volunteers at Buckley for spending your Saturday morning letting us civilians peek behind the curtain.


  • Has your WordPress Blog been Hacked? Email me now!

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    If your WordPress blog has been hacked, please email me. I’m collecting data on intrusion methods and backdoors. If you’ve been hacked, I’ll examine your server free of charge, share what I find with you and will make recommendations on how to repair your site, all at no cost. Please note that I will need “Shell” access to your machine. In other words I’ll need a username and password and will log in via SSH to examine the server that hosts your WordPress blog.

    If you’re in dev or ops and have an attack vector you’d like to share, please zip it up and email it to me with as much technical detail as you can.

    Email me at mmaunder at gmail.

    Thanks!!

  • Rescued kitten Stix, 9 months after being found in the gutter with a broken pelvis

    My wife, Kerry, went down to California last Thanksgiving for a brief trip with her sister Sandy. They were driving along in Fountain Valley with my niece and spotted a kitten lying in the gutter. As they approached her she hauled herself out of the gutter, clearly badly injured.

    They immediately stopped and tried to get the kitten out from the bush she’d crawled into. The neighbors said she’d been hiding in that bush for at least 2 days. Animal control had been out and couldn’t catch her.

    It took the three of them 45 minutes to get her out with my wife crawling under the bush coaxing her the whole time. She eventually caught the little thing and they took her to the Vet ER.

    Turns out Stix, as she came to be called, had a broken pelvis. She was 9 weeks old. Three breaks, with the largest one highlighted on the x-ray below. This x-ray links to the hi-res full body x-ray if you’re interested.

    Kerry and Sandy had to leave immediately to drive back to Colorado from California and they took Stix with them in a cat carrier.

    Stix was paralyzed from the base of her tail down and Kerry was told the kitten may not be able to use the bathroom properly. On the drive back to Colorado, in a Vegas hotel room the first time Stix peed in the catbox there were cheers. Later that night she pooped, and more cheers. In that hotel room when Kerry cleaned her cat carrier the blanket was covered in dead fleas that had fallen off from the anti-flea medication the vet gave her. She also wolfed down her first meal like she was starving.

    Kerry started by saying she’s just going to foster her and find her a good home once she’s recovered. The road to recovery was long. Kerry kept her in a cat carrier initially. As she healed she bought a large pet playpen and kept her in there to limit her movement. She recovered further and eventually got to roam around the house supervised.

    Of course attachments grew and she became our cat.

    The first time she lifted her paralyzed tail slightly was a big day. A few months later we were watching TV with her and she actually twitched the end of her tail and we were shocked. More cheers.

    It’s now 9 months later and she’s the new favorite child of our three pets. We have an Australian cattle dog and Stix doesn’t realize she’s a cat. She imitates our cattle dog so much we’ve called her a cattle-cat. When Joey chases the ball, she goes after him. And she follows us around when we take Joey for a walk. That’s in between wrestling with our oversized orange tabby.

    This is a video of her at the end of a 20 minute walk in 90 degree heat out here in Colorado. She’s very camera shy so it’s taken me a while just to get this footage. I’ve never known a cat that comes when you call her. She’s awesome and for starting life with a broken pelvis she’s turned into a great hiker and runner which is highly unusual for a cat.

    Our cattle dog has always been partial to me – they tend to be one-person animals. When Kerry is sitting reading, Stix will jump on her chest and snuggle right under her chin. So she jokes she finally has a pet of her own.

    Not all rescues have a happy ending like this and the prognosis for Stix was very bad when Kerry and Sandy rescued her. But I see similar stories online and I think animals are tougher than humans because they don’t know that they’re injured or disabled and so they lack self-pity. As far as Stix is concerned, everyone else’s tail is just a little too active and for some reason in the last few months her back legs got all grasshoppery and now she just wants to run everywhere.


  • WordPress Security: Hardening and Malware list removal

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I spent some time yesterday reaching out to folks I know to try and get some input on WordPress security, avoiding getting listed as malware and how to get removed from the malware list. Rand Fishkin, the founder of SEOMoz and all-round SEO God, was kind enough to introduce me to Justin Briggs, who is an SEO consultant and guru. Justin quickly came back with the following advice:

    WordPress is certainly more susceptible to malicious attacks due to its popularity and the large number of sites that can be compromised with an exploit.
    The best preemptive solution is to keep up on updates and increase security associated with WordPress.
    Here are two good articles on ways to improve WordPress security.
    WordPress offers an article on hardening WordPress:
    If a site is compromised, Google will make an effort to get in touch with you. They outlined these details of how they attempt this here:
    http://www.google.com/support/webmasters/bin/answer.py?answer=163633#3
    They also offer some additional tips:
    Once a site has been cleaned up, you can send a request to Google:
    I’ve had a friend’s site who was exploited several months ago. It was a bit of work to get it cleaned up, but the warning was removed relatively quickly after submitting the request to Google.
    I contacted friends who are current and former Google employees but no luck getting in touch with the Malware team. In general it’s hard to connect with folks inside the big G with questions that are usually handled by support teams. [As I’ve been politely told in the past]. 🙂