Blog

  • Can you build a Big Business on Apple's App Store?

    A good friend refers to the Apple App Store as the California Lottery. So I thought I’d do some rough numbers on how feasible it is to build a big software business creating apps for iPad and iPhone and selling them in Apple’s App Store.

    The Apple App Store will still own three quarters of mobile app revenue by the end of 2011. It’s the place to be if you want to develop paid mobile applications.

    According to Apple, they had paid out $2.5 billion to developers between the creation of the App Store and July this year. I’m including this as a sanity check on my numbers below.

    According to this article, the combined revenue of all app stores will be $3.8B in 2011, with Apple owning 75% market share. That’s $2.85B total revenue for the app store in 2011 with 30% going to developers so total payout to devs will be approximately $1.995B for 2011 (which roughly gels with the total all time payout number above).

    The app store just passed 500,000 approved apps in May 2011. (Edit: fixed a typo. Apps, not developers)

    In May of this year:

    • $3.64 was the average price for paid apps.
    • There were 244,720 paid apps.
    • There were 85,569 unique developers.

    If those paid apps split Apple’s projected 2011 revenue to developers of $1.995B between them, they each earn $8152.17 per year. There will be more paid apps by the end of 2011 than there were in May, so the same calculation for 2010 revenue to developers gives us: $2.1B total sector revenue x 75% Apple’s market share x 70% developer share gives us $1.1025B / 244,720 paid apps = $4505 per app in 2010.

    I’ve calculated both 2010 and 2011 revenue per app because the only data I have on total paid apps is from May.

    So total revenue per app now is roughly between $4K and $8K per year based on my back-of-the-envelope calculations.

    While app store revenue is increasing, so is the number of developers in the app store, exponentially:

    Let’s say you create a startup producing Apple App Store apps. You manage to completely dominate the app store in 2011 and capture 1% of the total 2011 app store revenue of around $2 billion that Apple will pay out to developers. That’s $20 million in annual revenue. Remember, you’ve just owned 85,560 other unique developers and a quarter million other paid apps, which is not impossible.

    To put this in perspective, here is the 2010 annual revenue from a collection of well known software companies, leaving out the eye-watering revenue from companies like Oracle, Microsoft, Apple, Google and the like.
    Sources:

    Food for thought.

  • WordPress Security: Have you been hacked?

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your WordPress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the foreseeable future.

    Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.

  • Your Vision May be Clouded

    I took a lot of crap when I decided to vertically integrate our business four years ago and invested around $40,000 with Dell to buy our own server cluster. Right then THE CLOUD was the hot new thing (and still is), and I was not getting on board. I leased a rack at a respectable Seattle-based hosting facility and my wife added the ability to unbox and rack Dell 2950 servers to her long list of talents. The hosting facility team would have done it for us, but we like to get our hands dirty.

    That was the most work we did to set up our own server cluster. Four years later we have a 99.9% uptime record and we run a profitable company with an ad network, real-time analytics product and a free virally distributed service off our cluster of 20 machines. When we mail our customers we send over half a million emails in less than 24 hours off our own email server. We serve between 400 and 800 application requests per second all day long.

    During the last four years I’ve watched friends and acquaintances get burned by the cloud either due to down time or cost. We pay $3400 per month to host our 20 dedicated machines in a single rack. We have a gigabit connection to the Net and our average bandwidth throughput is around 125 megabits per second constantly.

    I’m tired of the Wired Magazine crowd giving me crap for not “being in the cloud” or “getting with the cloud” or whatever. So I’m throwing this down: During the last 4 years I’ve had 99.9% uptime and I’ve spent a total of $190,000 during those 4 years on hosting, which includes the capital investment in the servers. We’ve had a constant throughput of 80 to 120 megabits per second (increasing over time) and roughly 40% average CPU usage on 20 dual-CPU machines (with dedicated Intel E5410 CPUs, each with 4 cores). As I mentioned, we do 400 to 800 app requests per second and we also have an average of 25,000 concurrent connections on our front-end server. I’ll bet anyone who reads this a beer that you won’t find a cloud provider who can do this for you for less than 3X what I’ve paid. [That works out to $3,958 per month.]

    If you think having your own dedicated servers in a colocation facility ties you geographically to one place, it doesn’t. I work wherever I want. For 3 out of the last 4 years I was in Seattle. The last year I’ve been in Colorado. I spent 3 weeks in France this month and while I was there I diagnosed a failing drive in one of our servers and ordered the replacement from Dell, which will arrive today and be racked by the support team at our hosting facility. We’ve done hardware replacements or upgrades like this many times, including ordering new servers, upgrading memory and upgrading Ubuntu versions, and it’s no big deal. A local support person with an anti-static strap and a basic knowledge of Linux shell commands can resolve 99% of issues that come up.

    I encourage everyone reading this to challenge the marketing hype around THE CLOUD. Go to Dell’s site, get a feel for price/performance, call your local colo provider and get prices on a full rack with a gigabit connection. You will almost certainly be surprised at the bang you’ll get for your buck and how easy it is to manage your own physical machines.

    Understand that THE CLOUD exists as a buzzword to help software companies sell more software as a service. It’s sad when software startups who should be using the buzzword to sell more service get taken in by the marketing and outsource their core infrastructure.

  • Be Right Back – with a solution to your problems

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’m driving through Europe for the next week so am not very available online. Currently in awesome Andorra. So if I’m not very responsive to your WordPress security needs I apologize. However, I have been working on a permanent fix to help with the recent spate of WP hacks and will be making it available as soon as I’m back at work. So apologies for the delay and thanks for your patience.

  • Blogspot security hole lets others view unpublished blog entries

    If you use the “new” Blogspot interface, try saving a draft post and then previewing it. You’ll see you’re previewing it using a link that looks something like:

    http://example.blogspot.com/b/post-preview?token=<long-encoded-string>&postId=532662776851272&type=POST

    One would assume that Blogspot knows you are “you” because you are signed in to Blogspot and it identifies you using a cookie. So it shouldn’t be possible for anyone else on the Net to view your unpublished blog post right? Wrong.

    If anyone else sees that link with the token, they simply paste it into their browser and they can view your unpublished blog entry.

    I thought that this would present a problem if you’re previewing a blog entry and you click an external link you included in your blog post. This would send your “preview” URL to that external site as a referrer, which means that external site can access your unpublished blog entry. Google seems to have anticipated this and prevents you from clicking anything on the page by putting a DOM overlay on the preview page.

    However, all widgets on the page load. That means if you’re using a Facebook Like button, a stats widget, a popular pages widget or any other external JavaScript widget that logs the current URL (pretty much all of them), then those external sites can access your unpublished blog entry. More importantly, anyone those external sites share the URL with can access your unpublished blog entry.

    I thought perhaps if I logged out of Blogspot, that security token would expire and no one would be able to access my unpublished blog entry. Nope. It’s still accessible.

    Providing security through the hope that no one will discover a hidden URL in a world where URL sharing has become a deep part of everything we do is not a good design. Blogspot team please fix this. Thanks.
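    The weakness described above is a capability URL: the token in the query string is the only credential, so anyone who sees the URL (a widget host reading the Referer header, or whoever that host shares logs with) can open the draft, logged in or not. The following is an added example, not Blogspot’s code, contrasting that design with a preview token that is HMAC-signed, expires, and is bound to a hash of the owner’s session cookie, so a leaked URL fails without the cookie that minted it. The server key, session ids and timestamps are constructed for the demo; the post id is the one from the sample URL above.

```python
"""Capability URLs vs. session-bound preview tokens.

Added example (not Blogspot's code). verify_bare_token() models the design
the post describes: a genuine token for the post is enough, whoever presents
it. verify_preview() is the hardened form: the token is accepted only with
the session that minted it and only before it expires. Key and session ids
below are constructed; a real key would come from a secret store.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: loaded from a secret store


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sid_hash(session_id: str) -> str:
    # Only a hash of the session id goes into the token, never the id itself.
    return hashlib.sha256(session_id.encode()).hexdigest()


def mint_preview_token(post_id: str, session_id: str, now: int, ttl: int = 600) -> str:
    """Sign {post, owner-session hash, expiry}. Without the session the token is inert."""
    payload = {"post": post_id, "sid": _sid_hash(session_id), "exp": now + ttl}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def _open_token(token: str):
    """Return the payload if the HMAC tag verifies, else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag)):
            return None
        return json.loads(_b64d(body))
    except (ValueError, TypeError):
        return None


def verify_bare_token(token: str, post_id: str) -> bool:
    """The design the post describes: a valid token for this post is enough,
    regardless of who presents it or whether the author is still logged in."""
    payload = _open_token(token)
    return payload is not None and payload.get("post") == post_id


def verify_preview(token: str, post_id: str, session_id, now: int) -> bool:
    """Hardened check: valid tag, right post, unexpired, and presented together
    with the same session cookie that minted it. A leaked URL alone fails."""
    payload = _open_token(token)
    if payload is None or payload.get("post") != post_id:
        return False
    if now >= int(payload.get("exp", 0)):
        return False
    if not session_id:
        return False  # no cookie: a third party replaying the URL
    return hmac.compare_digest(_sid_hash(session_id), str(payload.get("sid", "")))


def token_from_referer(referer_url: str):
    """What a widget host learns from the preview page's Referer header:
    the full URL, token included."""
    query = parse_qs(urlparse(referer_url).query)
    return query.get("token", [None])[0]


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed timestamp
    tok = mint_preview_token("532662776851272", "owner-session-cookie", NOW)
    url = f"http://example.blogspot.com/b/post-preview?token={tok}&postId=532662776851272&type=POST"
    leaked = token_from_referer(url)
    print("bare token design, leaked URL opens draft:", verify_bare_token(leaked, "532662776851272"))
    print("bound token design, leaked URL without cookie:", verify_preview(leaked, "532662776851272", None, NOW))
    print("bound token design, owner with cookie:", verify_preview(tok, "532662776851272", "owner-session-cookie", NOW))
```

    Binding the token to the session also gives the logout behaviour the post expected: once the session is gone, the URL stops working. Serving the preview page with a `Referrer-Policy: no-referrer` header (supported by current browsers) reduces how often the URL leaks in the first place, but it is a second line of defence, not a substitute for a token that is worthless on its own.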


  • A peek into our Space Intelligence Community

    I spent the day in a secure area on Buckley Air Force Base called ADF-C or Air Force Data Facility, Colorado. A relative of mine works there and I got an invite to a family day, which I thought was impressive so I thought I’d share some of what I saw.

    Walking into ADF-C we had to leave all cellphones, cameras and electronic devices behind and produce two forms of ID to get in. Once inside, there were a wide variety of military personnel mixing with civilian contractors. What has surprised me about Buckley on previous visits and again today is the international presence, including Canadian and Australian military personnel.

    The base colonel gave an impressive speech on opsec and the importance of the work done on Buckley, including the sacrifice families in secure jobs make. “Hi Honey, what did you do at work today?” “Oh, nothing.” Most families I know, including my own immediate family, talk passionately about our jobs among each other, debate decisions we made, discuss colleagues and work events and so on. Families in secure jobs, including many of my extended family, can never discuss things they work on now or worked on many decades ago. This includes military contractors. Maintaining that discipline is an impressive sacrifice that I don’t think many people appreciate.

    Walking into the base, there were many areas we could not access. But they had put together an impressive display for us. The first desk absolutely blew me away. The National Geospatial-Intelligence Agency is based at Buckley. I’ve been using their data for years and recommending it to others, and I walked up to the young sergeant behind the desk, literally shook the guy’s hand and thanked him for the awesome data they make available to the public. Any online business, world-wide, that provides a city or point of interest radius search uses the NGA’s data and probably doesn’t even realize it.

    Next up was AGI, which makes software to track objects in orbit. The demo they had up was impressive, tracking items in low and medium earth orbits in real-time. The guy was telling me they provide APIs in .NET and Java for developers and as I was listening I looked over my shoulder and totally lost interest because….

    The National Security Agency had a booth there. My wife and I immediately headed over and the three people behind the desk were incredibly friendly and forthcoming about their work. But the real treat was that they had a working original Enigma encryption machine from WWII. The Enigma created the strong awareness of the importance of cryptography we have today and it’s one of the main reasons the NSA exists today. Most of the folks behind the desk were mathematicians or worked with, or are married to, mathematicians. They have a presence on Buckley and they told us that post 9/11 they diversified beyond Fort Meade (Maryland).

    Next up was the National Reconnaissance Office or NRO. These are the guys who actually launch and operate the spy satellites that the NSA and other agencies use. I picked up these cool postcards of a few of the 2010 and 2011 launches they’ve done:

    I also chatted to folks from a software division in Lockheed that have designed a 3D walkthrough app that uses real-world photography taken from a reconnaissance aircraft to create a model of an environment. Imagine a Quake walkthrough game of Vegas with actual footage taken at an instant in time of the city. That’s what they had on a demo system. It’s designed to take battlefield intel and provide a walkthrough for folks planning an operation.

    We went back to the NSA booth later to play with that Enigma some more. It has 3 sets of numbers that are synchronized when two machines are together. Then before a transmission is sent, the sending station will broadcast how much the receiver needs to increment their machine’s numbers by in order to receive the code. The NSA person I spoke to told me that was one of the weaknesses that helped the Polish cryptanalysts (and then Bletchley Park) crack the code. That transmission containing the increments always contained no data.

    Next up, we took a tour of one of the base radomes, but on the way I spotted an interesting plaque on a wall in the hallway. It said “Echelon” with a coat of arms and the slogan “Acta Non Verba”. I went back and did a double-take. On the way back I did a triple-take. Some amazing history there if you know anything about signals intelligence.

    I always thought those radomes contained radar systems for local aircraft, considering it’s an Air Force base. But they contain 85 ft diameter satellite dishes that weigh almost 200 tons and rotate at 2 degrees per second when they’re moving. The domes are constructed out of a material that seems similar to mylar (mainsail material) and are kept at a positive pressure to strengthen them. They can handle winds up to 125 mph. If you live in Colorado you’ll know they dot the landscape for hundreds of miles in the Denver and Colorado Springs areas.

    I chatted to a bomb tech for way too long about a display they had. Did you know you can fire a rifle into C4 and it won’t detonate? Or the most time consuming explosive to dispose of is sweaty dynamite? My wife chatted to a hostage negotiator. They had a glider and pilot from the civil aviation patrol and we chatted to him for ages about local gliding conditions and riding thermals into Wyoming and back.

    They had a cool karate demo at the end of the day – a full contact style I did briefly some time ago called Ken Po. The acrobatics were matrix-like and the base commander broke a pile of 8 bricks and didn’t even flinch when I shook his hand as we were leaving. Cool guy and he seems to be an inspirational leader.

    Thanks to all the volunteers at Buckley for spending your Saturday morning letting us civilians peek behind the curtain.


  • Has your WordPress Blog been Hacked? Email me now!

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    If your WordPress blog has been hacked, please email me. I’m collecting data on intrusion methods and backdoors. If you’ve been hacked, I’ll examine your server free of charge, share what I find with you and will make recommendations on how to repair your site, all at no cost. Please note that I will need “Shell” access to your machine. In other words I’ll need a username and password and will log in via SSH to examine the server that hosts your WordPress blog.

    If you’re in dev or ops and have an attack vector you’d like to share, please zip it up and email it to me with as much technical detail as you can.

    Email me at mmaunder at gmail.

    Thanks!!

  • Rescued kitten Stix, 9 months after being found in the gutter with a broken pelvis

    My wife, Kerry, went down to California last Thanksgiving for a brief trip with her sister Sandy. They were driving along in Fountain Valley with my niece and spotted a kitten lying in the gutter. As they approached her she hauled herself out of the gutter, clearly badly injured.

    They immediately stopped and tried to get the kitten out from the bush she’d crawled into. The neighbors said she’d been hiding in that bush for at least 2 days. Animal control had been out and couldn’t catch her.

    It took the three of them 45 minutes to get her out with my wife crawling under the bush coaxing her the whole time. She eventually caught the little thing and they took her to the Vet ER.

    Turns out Stix, as she came to be called, had a broken pelvis. She was 9 weeks old. Three breaks, with the largest one highlighted on the X-ray below. This X-ray links to the hi-res full body X-ray if you’re interested.

    Kerry and Sandy had to leave immediately to drive back to Colorado from California and they took Stix with them in a cat carrier.

    Stix was paralyzed from the base of her tail down and Kerry was told the kitten may not be able to use the bathroom properly. On the drive back to Colorado, in a Vegas hotel room the first time Stix peed in the catbox there were cheers. Later that night she pooped, and more cheers. In that hotel room when Kerry cleaned her cat carrier the blanket was covered in dead fleas that had fallen off from the anti-flea medication the vet gave her. She also wolfed down her first meal like she was starving.

    Kerry started by saying she’s just going to foster her and find her a good home once she’s recovered. The road to recovery was long. Kerry kept her in a cat carrier initially. As she healed she bought a large pet playpen and kept her in there to limit her movement. She recovered further and eventually got to roam around the house supervised.

    Of course attachments grew and she became our cat.

    The first time she lifted her paralyzed tail slightly was a big day. A few months later we were watching TV with her and she actually twitched the end of her tail and we were shocked. More cheers.

    It’s now 9 months later and she’s the new favorite child of our three pets. We have an Australian cattle dog and Stix doesn’t realize she’s a cat. She imitates our cattle dog so much we’ve called her a cattle-cat. When Joey chases the ball, she goes after him. And she follows us around when we take Joey for a walk. That’s in between wrestling with our oversized orange tabby.

    This is a video of her at the end of a 20 minute walk in 90-degree heat out here in Colorado. She’s very camera shy so it’s taken me a while just to get this footage. I’ve never known a cat that comes when you call her. She’s awesome, and for starting life with a broken pelvis she’s turned into a great hiker and runner, which is highly unusual for a cat.

    Our cattle dog has always been partial to me; they tend to be a one-person animal. When Kerry is sitting reading, Stix will jump on her chest and snuggle right under her chin. So she jokes she finally has a pet of her own.

    Not all rescues have a happy ending like this and the prognosis for Stix was very bad when Kerry and Sandy rescued her. But I see similar stories online and I think animals are tougher than humans because they don’t know that they’re injured or disabled and so they lack self-pity. As far as Stix is concerned, everyone else’s tail is just a little too active and for some reason in the last few months her back legs got all grasshoppery and now she just wants to run everywhere.


  • WordPress Security: Hardening and Malware list removal

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I spent some time yesterday reaching out to folks I know to try and get some input on WordPress security, avoiding getting listed as malware and how to get removed from the malware list. Rand Fishkin, the founder of SEOMoz and all-round SEO God, was kind enough to introduce me to Justin Briggs, who is an SEO consultant and guru. Justin quickly came back with the following advice:

    WordPress is certainly more susceptible to malicious attacks due to its popularity and the large number of sites that can be compromised with an exploit.
    The best preemptive solution is to keep up on updates and increase security associated with WordPress.
    Here are two good articles on ways to improve WordPress security.
    WordPress offers an article on hardening WordPress:
    If a site is compromised, Google will make an effort to get in touch with you. They outlined these details of how they attempt this here:
    http://www.google.com/support/webmasters/bin/answer.py?answer=163633#3
    They also offer some additional tips:
    Once a site has been cleaned up, you can send a request to Google:
    I’ve had a friend’s site that was exploited several months ago. It was a bit of work to get it cleaned up, but the warning was removed relatively quickly after submitting the request to Google.
    I contacted friends who are current and former Google employees but no luck getting in touch with the Malware team. In general it’s hard to connect with folks inside the big G with questions that are usually handled by support teams. [As I’ve been politely told in the past]. 🙂

  • Breaking: Google starts to block hacked WordPress blogs as attack widens

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’ve had two reports in the last 12 hours of WordPress blogs that were compromised via the Timthumb hack being listed as malware by Google. If you try to visit either site, you are confronted with the following:


    These sites are listed with the warning that “This site may harm your computer” in Google’s search results and Google blocks access to the site with a warning forcing you to manually type the URL into your location bar if you really do want to visit the site:

    One of the site owners sent me the detailed info that Google Webmaster Tools was giving her:

    This malicious code is appearing intermittently on this author’s WordPress site. I’ve seen this same pattern recently in blogs I’ve repaired, and the way it works is that the site is periodically downloading new PHP code from a remote site run by the attacker and re-injecting it into the WordPress code. That allows the attacker to add, remove and update whatever code he/she is executing on your blog. So they could, for example, update any spam links every few hours.

    To prevent your site being listed as malware clean it as fast as possible

    The fastest way to do this, although it doesn’t guarantee a complete clean, is the following:

    1. Remove all old plugins and themes you aren’t using.
    2. Upgrade all your plugins and themes to the latest versions and make sure none of them use an old version of Timthumb.
    3. Clean any Timthumb cache directories.
    4. Upgrade your entire WordPress installation, even if it’s at the latest version. This overwrites all WordPress files.
    5. Search your directory tree for any remaining suspicious files that contain base64_decode wrapped in an eval() statement or URL encoded data. More info on how to do this search here. Delete any files you find. NOTE: If you don’t find any additional infected files in this step, it’s highly likely that your site is not clean. Every attack that I’ve seen so far using Timthumb gets in by uploading a file into the cache directory and then uploads an additional file into a writeable directory on the blog to ensure continued access once the cache is cleaned. Make sure you find that additional file.
    6. Make sure the only directory that is writeable in your wordpress installation is wp-content/. Directories like wp-admin and wp-includes should be read only by the web server.
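    Steps 5 and 6 are the ones people get wrong by hand, so here is an added example (not code from the original post) of a small Python sweep that does both over a WordPress directory tree: it reads every file regardless of extension (the Timthumb cache holds files that are not named *.php), flags the obfuscation idioms named above (eval() wrapped around base64_decode and similar decoders, long URL-encoded runs), and lists directories outside wp-content/ whose permissions allow group or world writes. The sample tree it scans is constructed inside the script, with one benign file that legitimately calls base64_decode and three planted files; the web server’s own uid is not known to the script, so the permission check is an approximation of step 6, and any hit is a lead to inspect, not proof of compromise.

```python
"""Heuristic sweep for the artefacts steps 5 and 6 above describe.

Added example, not the post's own code. Walks a WordPress tree, flags files
carrying obfuscation idioms (eval around a decoder, encoded-blob runs) and
lists directories outside wp-content/ that are group- or world-writable.
The tree it scans here is constructed: one benign file, three planted ones.
"""
import os
import re
import stat
import tempfile

# Idioms from the post (eval around a decoder) plus long encoded-blob runs.
OBFUSCATION_PATTERNS = [
    ("eval-decoder", re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode|rawurldecode)\s*\(",
        re.I)),
    ("url-encoded-run", re.compile(rb"(?:%[0-9a-f]{2}){20,}", re.I)),
    ("hex-escaped-run", re.compile(rb"(?:\\x[0-9a-f]{2}){16,}", re.I)),
]


def scan_obfuscated_files(root):
    """Sorted (relative path, idiom) pairs for every file matching an idiom.
    All files are read, whatever the extension, because the cache directory
    the post mentions does not hold *.php names."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for label, pattern in OBFUSCATION_PATTERNS:
                if pattern.search(data):
                    hits.append((os.path.relpath(path, root), label))
                    break
    return sorted(hits)


def writable_dirs_outside_wp_content(root):
    """Directories not under wp-content/ whose mode grants group or world write.
    Approximates step 6: the uid the web server runs as is not known here."""
    flagged = []
    for dirpath, _dirs, _files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel == "wp-content" or rel.startswith("wp-content" + os.sep):
            continue
        if os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            flagged.append(rel)
    return sorted(flagged)


def build_sample_tree():
    """Constructed WordPress-like tree with one benign file, three planted
    files and a world-writable wp-includes/ (the misconfiguration of step 6)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    samples = {
        # benign: base64_decode on its own is common in legitimate code
        "wp-includes/functions.php": b"<?php function demo() { return base64_decode('YQ=='); }",
        # planted in a theme cache directory, the entry point the post describes
        "wp-content/themes/demo/cache/ab12.php": b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
        # planted hidden file in a writable directory, the second file the post says to look for
        "wp-content/uploads/.cfg.php": b"<?php eval(gzinflate(base64_decode('eJwL'))); ?>",
        # long URL-encoded blob (24 escapes) with no eval at all
        "wp-content/uploads/x.php": b"<?php $s='" + b"%65%76%61%6c" * 6 + b"'; ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "wp-includes"), 0o777)
    return root


def report(root):
    """Both checks in one dict, suitable for printing or asserting on."""
    return {
        "obfuscated": scan_obfuscated_files(root),
        "writable_outside_wp_content": writable_dirs_outside_wp_content(root),
    }


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, items in report(demo_root).items():
        print(key)
        for item in items:
            print("   ", item)
```

    Run it against a real installation by passing the blog’s document root to `report()` instead of `build_sample_tree()`. Matches are only leads: legitimate plugins occasionally ship encoded strings, so open each flagged file and read it before deleting, and remember the post’s note that finding nothing in this step most likely means the second file has not been found yet.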

    If you are already listed as malware by Google, here is what to do

    Clean your site using the above steps. You can find more suggestions on how to clean your site on this page.
    The fastest way to get your site removed from Google’s malware list is to request a review through Google Webmaster Tools. You can find the help file on requesting a malware review on this page.
    The process takes about 24 hours to get your site removed. You can find out more about Google’s Malware list and safe browsing report on this page.


    Potential long term impact of this vulnerability

    The fact that I’ve seen the same domain being used by attackers on multiple blogs suggests this attack may be partially or fully automated. The worst case scenario is that we end up with a WordPress botnet of thousands or tens of thousands of compromised servers on high-bandwidth links, able to send spam emails or launch a huge DDoS attack.

    Keep in mind that most botnets are compromised Windows machines on relatively slow home broadband connections. Their uplink speeds are around 512 kbps. These WordPress servers are on links that are a minimum of 10 megabits per second each, so they have plenty of firepower for a coordinated attack. One WordPress server is equal to at least 20 infected PCs in terms of pure bandwidth firepower.