Archive for August, 2007
Changing the World, One Blog at a Time…Unite!
August 19, 2007 | Comments (6) | Filed under: General
I missed announcing this by a couple of days, but I thought it was still worthwhile to do so in case some of you out there still haven’t heard. The folks behind the “Blog Action Day” weblog are organizing the first annual, well, Blog Action Day! On October 15th, 2007, bloggers from all over the blogosphere will unite in a single cause by discussing the same topic on the same day, worldwide. This year, that cause is the environment. The idea behind the site is that if everyone is talking about the same topic on the same day, you help bring awareness to the issue in a way that reaches the masses far and wide all at once. I wish they had done a blog action week, but a day is a good start.
I signed up Bookmark Bliss today, and I’ll most likely discuss something that deals with ways to improve your business without stepping on the environment. You can write about something in your niche dealing with the environment, or go completely off topic and talk about something else. The choice is yours! I encourage all of you out there to sign up as well. The official launch was only 3 days ago, but already they’ve rallied more than 1,000 blogs to the cause. By the time October 15th rolls around, I think that number will be pushing into the tens of thousands, if not hundreds of thousands or more. If you don’t have a blog, they also list several other methods you can use to participate.
It’s a great cause and you can head over to their site to read more about it and ultimately sign yourself up should you feel so inclined.
I did a quick scan of the list of already participating members, and I thought I would do a little “call to action” for a few of my favorite blogs who I didn’t notice on the list (if you are on there, I apologize, the list is pretty long!).
Here are some blogs I’m hoping to see sign up:
- Blogging Tips
- Randa Clay Design
- David Airey
- John Chow
- Half Pixel
- SEOCracy
- Tech Traction
- Shoemoney
- Frucomerci
- Esplanade
- Dosh Dosh
- Earners Blog
- PVP Online
- Wil Weaton
- Blue Hat SEO
- Read Write Web
- Michael Kwan
- Net Business Blog
- Bittbox
- Cash Quests
I hope everyone will take the time to sign up, and encourage others to do so as well. Here’s looking forward to October 15th, 2007!
How to Prevent your own Facebook-Style PHP Leak
August 13, 2007 | Comments (1) | Filed under: Programming
I don’t know if any of you have kept up on the recent problem Facebook is facing, but it’s actually a fairly interesting topic. For those of you who haven’t followed, basically what happened was that some of the PHP code used to power their website was accidentally leaked to the public, and someone decided to post it on their blog for everyone to see. I actually managed to have this happen to me directly when using Facebook on Thursday, and I made a copy in Notepad with the hope of checking it out down the line, for curiosity’s sake. Since then, however, the whole issue has ballooned into something big, pretty much overnight, with people challenging Facebook’s ability to keep user data private and questioning whether anyone’s details are actually safe.
For the most part, I think most web developers are somewhat lazy when it comes to security for their sites, especially bloggers. This is especially true whenever someone is using a free open source content management system (CMS) like Wordpress, because they figure there is nothing worth protecting anyway. This is a dangerous viewpoint to take, because even with a system like Wordpress there is a lot of data you wouldn’t want the public gaining access to: the config file containing your database username and password, for example, or your customized theme directory, which contains everything a person needs to copy your site layout.
While Facebook has officially described the problem as an Apache/mod_php bug, there are only a few things that could have caused it. Either it was an accident and someone left some debugging output switched on, it was malicious, or mod_php failed to process the file and Apache sent it out as plain text. Facebook says:
“Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.” It seems that the cause was Apache and mod_php sending back uninterpreted source code instead of the script’s output, due to either a server misconfiguration or high load (this is a known issue). It is also apparent that other pages have been revealed, and that this problem has occurred before, but only now has somebody actually posted the code online.
Here are some general tips you can apply to your own site and web server to prevent the same thing from happening to you:
Always, ALWAYS, test your code first before uploading it to your web server. I know I’m guilty of this, and so are a lot of us. When you’re in a rush and you just need to make a few quick tweaks to your site, it’s easy to connect with Dreamweaver (or another code editing package) and make the changes directly on your live site. You should always maintain a locally installed version of your sites where all modifications are made. This way you can test them out in a closed environment and update your public site once you’re sure the changes work correctly. Installing a local copy of PHP, Apache, and MySQL is getting easier all the time, and with tools like WAMP available there is almost no excuse not to have one. If you absolutely can’t run a local version, you can always set up a “test” copy on your web server at an unknown URL, but make sure it is password protected: an unguessable path only slows people down, while the password is what actually keeps them out.
Enhance the security of your site using .htaccess. There are simple additions you can make to your .htaccess file that will make it more difficult for people to “accidentally” gain access to your code. In the event that mod_php is unavailable, or fails to load, you can take steps to ensure your .php files won’t be displayed as plain text. Add something like the following to your .htaccess file (change mod_php4.c to mod_php5.c if you run PHP 5; on Apache 2.4 the Order/Deny pair becomes a single Require all denied line):
<IfModule !mod_php4.c>
    # PHP module not loaded: refuse every .php file outright instead of
    # letting Apache fall back to serving the source as text/plain.
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
What this block does is deny access to any file ending in .php whenever mod_php is not loaded. Be aware of its limit: <IfModule> is evaluated when Apache reads its configuration, so the whole block is skipped if the module is loaded but a misconfiguration stops it from handling a particular file. It is a safety net for the module-missing case, not a fix for a broken handler mapping. If your application keeps PHP source in files with other extensions, .inc being the common one, widen the pattern to cover them too, because those are served as plain text whether or not mod_php is working.
Modify your default file type for unknown files. This is one of the simplest changes you can make to your configuration; it takes almost no effort and really shouldn’t affect the way most of you currently run your site. In your .htaccess file, you can simply add the line:
DefaultType application/octet-stream
Any application/* type will do, but application/octet-stream is the conventional choice. All this does is tell your web server to label any file whose extension it doesn’t recognize as something other than text. By default, Apache assumes everything it doesn’t recognize is text/plain, so a file it cannot type (a config.inc, or a config.php.bak left behind by an editor) would be displayed in the browser as plain text; with a binary type the browser offers a download instead. Be clear about what this does and does not buy you. The bytes still leave the server, so it stops accidental display rather than retrieval, and it never applies to .php files at all when their extension is mapped by an AddType line in the server configuration. It is also an Apache 2.2 directive; Apache 2.4 disabled it and accepts only DefaultType None. Treat it as a backstop behind the deny rule and behind keeping private files out of the web root.
Try and keep as many of your files as possible outside of web accessible directories. This is not always an option for packages like Wordpress, but for any of us writing our own sites from scratch, this is a simple measure that can help protect your private data. In PHP, other files are pulled into a script with include (or require) statements. For example, if I want to get at a configuration file containing database access information like usernames and passwords, I might do something like:
<?php include( 'config.php' ); ?>
If config.php is located inside the root of my web folder (i.e. anywhere under the www or public_html folder on most Apache installs) then technically it is accessible via the web. The only thing that prevents people from seeing its contents is that mod_php is installed and tells the server to interpret all .php files as code to process rather than plain text. You can easily protect yourself further by moving config.php outside of the web root, since include() reads from the filesystem and does not care whether Apache would ever serve the file:
<?php include( '<path to inaccessible directory>/config.php' ); ?>
The less you have stored in your web root, the fewer opportunities there are for public visitors to access your private data files. For a site like Facebook, where you have full control over the placement of all files (because you designed it yourself), you can set up almost any structure you want, moving most private data files outside of the root folder.
Limit your code access list to trustworthy partners. This seems like a DUH point, but I think it bears mentioning anyway. The best way to prevent malicious code leaks, or even accidental code leaks, is to limit the number of people with access to your code. On several projects I’ve worked on, we’ve had large teams that included business managers, CEOs, software engineers, graphic designers, database guys, marketing teams, etc. On one project in particular, it was considered “bad form” to prevent any of those people from accessing the source code. At the time I was just software engineer 1 of 20, but I bet you can guess what happened next. One of the business guys decided to “get his feet wet” with the programming aspects of the site and ended up showing off a ton of features that were not ready for release, giving our competitors a leg up. At the end of the day, transparency is key to good synergy within a team, but very few people need access to the live builds of sites and software, and the fewer people who do, the better.
These are just a few suggestions you can readily implement to help protect your site from a similar PHP leak. It’s always a good habit to get into a security-based mindset when it comes to working with the web. This is much more crucial when it comes to designing your own systems for your projects, where the onus of protection is on you entirely. Keep in mind that if you are using a decent web host, many of these changes may have already been made for you on a server-wide level. Nonetheless, it is better to be safe than sorry, so always check first and make sure things are locked up tight. Anyone else have any suggestions for ways to improve your security against file leakage?
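Since “check first” is the advice, here is a small probe script, written for this page as an added example and not part of the original post, that fetches a handful of paths from your own site and reports whether any of them came back as PHP source rather than as PHP output. The base URL and the list of paths are assumptions to replace with your own, and it needs curl. Editor and backup leftovers (config.php~, config.php.bak) are on the list because Apache has no handler for those names and sends them out as its default type even when mod_php is working perfectly.

```shell
#!/bin/sh
# Added example for this page, not code from the original post.
# Probes a site for PHP source being served as text. Assumes curl is
# installed; BASE_URL and PATHS are hypothetical and must be replaced
# with your own site's files.

BASE_URL="${BASE_URL:-http://localhost}"

# Paths to probe (assumed list). The last three are editor/backup leftovers:
# Apache has no handler for those names, so without a deny rule they go
# out as the default type (text/plain on 2.2) even when mod_php works.
PATHS="index.php config.php wp-config.php config.inc config.php.bak config.php~ .htaccess"

# classify_response STATUS CONTENT_TYPE BODY
# Prints one word:
#   LEAK        - the body still holds a PHP open tag, so PHP never ran it
#   SUSPICIOUS  - 200 with a content type PHP output would not normally carry
#                 (text/plain, application/x-httpd-php, ...): raw bytes went out
#   OK          - denied (403), absent (404) or rendered as HTML/JSON/XML
#   UNREACHABLE - curl got no HTTP status at all
classify_response() {
    status=$1
    ctype=$2
    body=$3
    if [ "$status" = "000" ]; then
        echo UNREACHABLE
        return 0
    fi
    case "$body" in
        *'<?php'*|*'<?='*) echo LEAK; return 0 ;;
    esac
    if [ "$status" != "200" ]; then
        echo OK
        return 0
    fi
    case "$ctype" in
        text/html*|application/xhtml*|application/json*|text/xml*|application/xml*)
            echo OK ;;
        *)
            echo SUSPICIOUS ;;
    esac
}

# probe PATH: fetch BASE_URL/PATH, then classify status, type and body.
probe() {
    url="$BASE_URL/$1"
    tmp=$(mktemp)
    meta=$(curl -s -o "$tmp" -w '%{http_code} %{content_type}' "$url")
    status=${meta%% *}
    ctype=${meta#* }
    body=$(cat "$tmp")
    rm -f "$tmp"
    printf '%-11s %s (HTTP %s, %s)\n' \
        "$(classify_response "$status" "$ctype" "$body")" "$url" "$status" "$ctype"
}

# Run the probes only when invoked with --run, so the file can be sourced
# (for example to reuse classify_response) without touching the network.
if [ "${1:-}" = "--run" ]; then
    for p in $PATHS; do
        probe "$p"
    done
fi
```

Run it as BASE_URL=http://www.example.com sh leakcheck.sh --run after every change to .htaccess. Every line should read OK; a LEAK on index.php is the Facebook failure reproduced on your own server, and a SUSPICIOUS on one of the backup names means the deny rule for editor leftovers is missing.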
Update: Nik Cubrilovic, the original reporter on Tech Crunch, has posted his own set of tips on how to ensure your site is leak proof. His article was posted after I finished my first draft of this article, but it contains a few additional tips, and some interesting comments as well, on how to keep your site as secure as possible. Nik Cubrilovic recommends using application/x-httpd-php as the type for the default file type solution. I thought this was a pretty good idea, as it will force your web server to treat anything it doesn’t recognize as if it were a PHP document needing to be processed by the PHP interpreter. One caveat applies whichever type you pick: that routing only happens while mod_php is loaded, because it is the module that registers the handler for application/x-httpd-php. When mod_php is missing, the file goes out carrying that label with no processing, and the browser simply offers it as a download instead of displaying it, which is the same result every other application type gives without ever invoking PHP. So the default type changes how a leaked file is presented, not whether its contents leave the server; the deny rule and keeping private files outside the web root are what actually protect them.
Balls and Brains: The Lethal Combo of Online Business Success
August 6, 2007 | Comments (5) | Filed under: General
If you run down the list of successful bloggers, I guarantee every one of them has at least two traits in common: balls (the mafia kind) and brains. With a new blog born every two seconds and more than a million blog posts published every day, you have to be better than your competition in order to stand out in the crowd. This holds true for every online business, including blogging. To be successful you have to constantly think like a businessman, and stay one step ahead of your competition at all times.
Do some self analysis and see where you stand when it comes to Balls and Brains.
If you have Balls, you’re likely to…
- …push the envelope and try things others aren’t even thinking about. When everyone is going right, you go left. When everyone else is playing it safe, you try something daring. If you truly want to stand atop a mountain of your fallen competitors, you have to think of things they aren’t thinking of and really push the limits of what you can do with your site.
- …not back down from a good fight. Think of the number one person in every niche as the UFC champion. They might be tough, but no one is untouchable. If you have an idea that you think has potential, never let competition stand in your way. In many cases, you’ll find their roar is much mightier than their bite. If you need a little inspiration, try learning a few lessons from 300.
- …exist in the Gray. Don’t be afraid to test the limitations of rules and find the right balance between good techniques and evil techniques. Rules exist for the masses and those who are unwilling to test how far they can bend. If you don’t push the boundaries of what content you can publish or the ads you can display, you’ll never tap the full potential of your site. Never be afraid to try something out.
- …not be afraid of experimentation. That’s how innovation works and if you want to get ahead you have to constantly think of new ways of doing things. It’s cliche, but thinking outside the box really does apply. If for every 10 ideas you experiment with one idea converts into something long term, like increasing your subscribers or doubling your revenue, shouldn’t you hurry up and get the 9 that don’t work out of the way?
- …try new technologies. Every day someone is publishing a new plugin for Wordpress or a new programming language library for powering your website. Some of these technologies can save you time, money, and effort. Keeping on top of new technology and testing out new methods for achieving your goals can potentially give you an advantage long before your competitors catch on.
If you have Brains, you’re likely to…
- …diversify yourself. Never put all your eggs in one basket, and this goes for all aspects of online business. Don’t trust all your revenue to one or two ad services. Don’t trust all your site backups to one web host. Don’t trust all your money to be invested in one thing. If you diversify, your business will withstand the test of time. As the old saying goes, the one legged man has only one leg to stand on. The smart entrepreneur has many legs, like a tripod!
- …network and communicate, expand your reach. If you want to be successful, then you have to extend beyond your own site. Forming partnerships with advertisers and competitors helps push your brand out as a worthwhile resource. At the end of the day, you could have the best site in the world, but if no one knows you exist, what good is it?
- …not reinvent the wheel. By using other people’s hard work to your advantage, you can quickly climb the ladder toward your competitors without necessarily having to do everything they did. You can literally find hundreds of posts on the web detailing ways to increase your traffic, tools to use, plugins to install, revenue options to make money, or even ways to gain readers to your site. If you’ve got brains, you can take this hard work done by others and apply it to your own methods, putting you that much farther along toward your goals. Knowledge is power…
- …generate a brand that improves your image. When it comes to branding, a smart well designed logo and a catchy domain name can make the difference between being a star or being forgotten. Your brand should be an extension of what your site has to offer to your visitors. Something that grabs their attention, and is memorable enough to stick with them even when they leave your site.
- …play to your strengths. Not all of us are web designers, and not all of us are web developers. Unfortunately, we can’t all be super heroes and single handedly take care of every single aspect of our online business. Knowing your strengths and weaknesses is the first step to improving your productivity and ensuring your competition doesn’t pass you by while you agonize over a frustrating piece of PHP code.
Some bloggers are intelligent. They are always thinking outside the box and analyzing all the angles. Without Balls though, they never get anywhere, because they’re too afraid to act on their game plans and shake up the status quo. Some bloggers have balls. In a heartbeat they’re willing to try new things and test the marketplace with ideas that may or may not end up successful. Without Brains though, they never focus on the intelligent things you need to do to survive, and all the balls in the world won’t save you from the fate you lay out for yourself if you push things too far and end up punished as a result.
It’s the combo of these two traits that’s truly lethal when it comes to online business. Keep your wits about you while never shying away from something new, and I guarantee you’ll have a long and successful blogging career.



