Seven Blunders of the Internet World

I’ve been involved with web hosting since the early 1990s, and every week some hopeful bright spark comes to me with a great idea about making a fortune as an Internet entrepreneur. Whilst I hate to rain on anyone’s parade, a quick reality check is in order. Just because Amazon can make a fortune selling books on-line doesn’t mean they can. Amazon got there first and they’ve got a slick, well-organised operation. In short, they can buy the books cheap, store them efficiently and, most importantly, stuff them into envelopes and post them quickly and cheaply. This doesn’t mean it’s impossible to compete with Amazon, but they were there first and have a massive advantage. If you decided to buy a Cessna and try to compete with American Airlines on the London to New York run everyone would (rightly) say you were nuts, so why should it be a surprise to learn the same applies on-line?

Whatever you do, remember the ease of starting up on the Internet works for you and the competition. You need a unique selling point; a barrier to entry that only you can cross. If you don’t have one you’re competing with the rest of the world.

Here are seven popular but doomed ideas I’ve seen time after time…

  1. Auction Sites. eBay’s doing well, but they’re a bunch of *****s so you want a slice of the action. Unless you’re selling something very specialised (i.e. that eBay can’t handle) then you’re wasting your time. Why should anyone list items with you when you can’t match eBay’s user base? Whatever you think of eBay’s business methods, items auctioned to millions of potential buyers are going to fetch a better price and sellers know that.
  2. Social Networking Sites. So you want to be the next Facebook? Ask yourself why anyone would network their social life through you when there are bigger networks on Facebook (for home users) and LinkedIn (for professionals). Google is, I believe, planning to muscle in. They’re going to find it tough, but they’ve got almost limitless funds they can afford to speculate with, and their developers know exactly what they’re doing (well their top ones do). They’ll still need one hell of a good unique selling point.
  3. Blogging sites. Get someone to provide the content while you rake in the advertising revenue. How many mugs do you think you’ll find? People can either run their own site (and keep the advertising revenue) or use Blogspot.
  4. Directories. If your bright idea is to create a directory of businesses and get them to pay for a listing, I have to tell you it’s been done. If every business paid to be in every such directory they’d go bust in no time – they’re wise to it. They know that people will find them through Google, not you. There are ways this can sort-of work with advertising support, but you’ll be lucky if they cover hosting costs this way.
  5. On-line shops. These do work if there’s a real shop behind them. If your plan is to buy a copy of Actinic or download a free copy of Zencart or one of the dozens of on-line shops, put something up and see who bites, forget it.

    Selling on-line you’re competing on price, order fulfilment and uniqueness of stock – if people can get it cheaper and quicker somewhere else, they probably will. If you’re selling “unique” artefacts such as antiques or objets d’art you’re competing with eBay or the artisans producing them, who would need a good reason not to set up their own web site and sell direct. If you’re thinking producers will pay for you to list them, ask yourself why they’d pay you rather than eBay or Amazon, where they’ll get far more exposure.

  6. Web Design Company. Great idea! Download some web template generator for Joomla and make a fortune creating web sites for… well your friends, family and then what? The problem is that there is very little barrier to entry and the market is flooded with the unemployed (and possibly unemployable) looking for a work-from-home job without getting their hands dirty. The real web design companies have real programmers and cater for customers with specialist needs. If you’re thinking of using Joomla you’re not in that league. Sorry.
  7. Internet multi-level marketing seller. Anyone can be a web hosting company, telephone company, ringtone provider or what-have-you – it’s easy! Just sign up to an affiliate programme, choose your branding and sell, sell, sell – along with thousands of others selling exactly the same thing. If it was easy to sell the provider would be selling direct, wouldn’t they?

All of the above are tried and failed businesses. If you’ve got a plan that doesn’t fall foul of any of the above it’s either completely crazy or it might just work – in which case give me a call. There are some ideas that might just work, but I’m hardly going to reveal them here.

Sally Bercow

I’m riding home on the tube with my complimentary copy of the Evening Standard, looking at a photo of Sally Bercow (New Labour activist wife of the Speaker) wearing “nothing but a sheet”, accompanied by an interview concentrating on how “sexy” the office of Speaker and politics in general can be.

This is either part of a plot to deliberately discredit her nominally Tory husband, or perhaps she really is that naive. If it’s the latter, you’d have thought he’d know better, at least.

Actually, I don’t think John Bercow needs any more discrediting – it’s time for him to go.

Incidentally, it’s not the choice of sheet that bothers me personally, it’s the nature of the interview.

Egypt – be careful what you wish for

Obama (and the British government, to an extent) seem to have the knives out for President Mubarak at the moment. It’s called populism, and they’re trying to make themselves popular with certain sections of the Middle East. Mubarak seems to have been a pretty good ruler given the standards in the region, but he’s got the skids under him already so they’re toadying up to his opponents.

Of course, when meddling in the internal affairs of another country they need an excuse. In Iraq it wasn’t regime change, it was weapons of mass destruction. In Egypt the best they can come up with is democracy. The Egyptians deserve democracy and Mubarak isn’t letting them have it. He’s given them peace and stability, but apparently democracy is more important.

I’m not so convinced. Failing third world countries are seldom helped by it. Where they have it, it’s left over from colonial days and tends to be used to get a new dictator in place, often with disastrous results. Look at the examples – Rhodesia, India, Pakistan, Ivory Coast – pick a third world country and try to find ways democracy has helped. I’ve been trying hard and I can’t think of any examples. How about Russia? They threw off the corruption that developed under communism and replaced it with…? Okay, there’s East Germany – they’re probably better off in all respects.

Mubarak and his clan are hardly squeaky clean, but it’s a matter for the people of Egypt and the West is never thanked for interfering, but we never learn. Our leaders might find themselves stuck with embarrassing “friends”, and the people of Egypt may end up blaming them.

Scrapping fuel duty is the right thing – a greenie writes

George Osborne is listening to those who want to scrap the fuel duty increase that New Labour said was a good idea. Any tax that can be called green was fashionable to the New Labour Islington set and therefore considered a good idea.

It’s hardly a secret that I’m somewhat anti-car. There are far too many of them, most used for frivolous purposes and government policy has always pandered to the motoring lobby rather than good sense. However, motoring taxes are not the way forward. Why? Because the only people they affect are the poor, people in rural areas and those for whom motorised transport is a necessity. Blair and Brown thought it a good wheeze to tax the poor back on to bicycles.

Taxing cars based on fuel consumption or engine size is also anti-poor. The rich can and do buy new cars frequently, and therefore avoid the effect of the taxes. It also encourages car production, wasting natural resources (although promoting jobs/votes in the motor industry). Those using second-hand cars are the ones that suffer. If you can’t afford a new lower-energy car you’re hit with the taxes; if you can, you’re not. If you make do with an old car, helping the environment by not scrapping it but repairing and reusing it, you get taxed for your trouble.

Perhaps the poor don’t deserve to use a car. That appears to be Blair/Brown/Miliband’s idea. I wonder how they’d like it if their cleaner couldn’t get to work, or the nurses at the hospital or the teaching assistants at the schools in the affluent areas in which politicians live, but to which the low-paid workers have to commute. It’s good to see a Conservative chancellor forgoing a good chance to make a quick buck in the name of being green and looking after the people.

Christmas Hackers 2010

The 2010/2011 cybercrime season has been one of the most prolific I remember. There have been the usual script-kiddie attacks, wasting bandwidth. These largely consist of morons trying to guess passwords using an automated script, and they’re doomed to failure because no serious UNIX administrator would have left guessable passwords on proper accounts. And besides which, they’re guessing system account names you only find on Windows or Linux.

What seems to be a bigger feature this year is compromised “web developer” software written in PHP. This is set up by designers, not systems people, and they really don’t understand security – hence they’re a soft target.

This year it appears that phpMyAdmin has been hit hard. This seems to be a vulnerability caused by poor installation (leaving the configuration pages up after use) and using a weak version of the code that was actually fixed a year ago. When I looked I found several copies of the old version, still active, and dating from the time when the web designer had initially commissioned the site.

The criminals appear to be using a mechanism that’s slightly different from the original exploit documentation, but is fairly obvious to any programmer looking at the setup.php script. It allows arbitrary uploads to any directory that Apache has write access to.

The nature of the attacks has also been interesting. I’ve seen scripts dropping .htaccess files into all likely directories, redirecting accesses elsewhere using the mod_rewrite mechanism. This appears to be intended as a simple DoS attack by overloading target servers (homelandsecurity.gov and fbi.gov being favourite targets).

That this is the work of script kiddies there is no doubt. They’ve left botnet scripts written in Perl and Python all over the place on honeypot machines. Needless to say this makes them really easy to decode and trace, and you can probably guess which part of the world they seem to be controlled from.

My advice to users of phpMyAdmin (a web-based front end for administering MySQL) is to learn how to use SQL properly from the command line. If you can’t do that (or your hosting company won’t let you, which is a problem with low-cost web hosts), at least secure it properly. Upgrade to the latest version, keep it upgraded and remove it from the server when not in use. If you don’t want to remove it, at least drop a .htaccess file in the directory to disable it, or make it password protected.
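One way to act on that last piece of advice, as an added example that is not from the post or from the phpMyAdmin project: walk a web root looking for leftover phpMyAdmin setup scripts and drop a deny-all .htaccess beside each one. It assumes the setup script lives at scripts/setup.php (2.x) or setup/index.php (3.x), and that Apache honours .htaccess (AllowOverride) under that web root.

```shell
#!/bin/sh
# Added example (not from the post or from phpMyAdmin): find phpMyAdmin
# setup scripts left under a web root and block access to their directory
# with a deny-all .htaccess. Assumes AllowOverride permits .htaccess there.

# Relative paths of the setup script in phpMyAdmin releases of the period
# (assumed: scripts/setup.php for 2.x, setup/index.php for 3.x).
SETUP_FILES="scripts/setup.php setup/index.php"

# find_pma_setup WEBROOT: print each directory holding a setup script.
find_pma_setup() {
    for f in $SETUP_FILES; do
        find "$1" -type f -path "*/$f" 2>/dev/null
    done | while read -r path; do
        dirname "$path"
    done | sort -u
}

# lockdown_dir DIR: write an .htaccess that refuses every request to DIR,
# in both Apache 2.4 (mod_authz_core) and Apache 2.2 syntax.
lockdown_dir() {
    cat > "$1/.htaccess" <<'EOF'
# Access disabled: remove this file (or restrict by IP / auth) to re-enable
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# is_locked DIR: exit 0 if DIR already carries a deny-all .htaccess.
is_locked() {
    [ -f "$1/.htaccess" ] && grep -Eq 'Require all denied|Deny from all' "$1/.htaccess"
}

# lock_all_pma_setup WEBROOT: lock every setup directory found, report each.
lock_all_pma_setup() {
    find_pma_setup "$1" | while read -r d; do
        if is_locked "$d"; then
            echo "already locked: $d"
        else
            lockdown_dir "$d" && echo "locked: $d"
        fi
    done
}
```

Run it as `lock_all_pma_setup /var/www` (or whatever your web root is); a second run reports the directories as already locked rather than overwriting the file.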

chkrootkit finds bindshell infected on port 465

The current version of chkrootkit will throw up a warning that bindshell is INFECTED on port 465 in some circumstances when this is nothing to worry about. What it’s actually doing (in case you can’t read shell scripts, and why should you when there’s a perfectly good ‘C’ compiler available) is running netstat and filtering the output looking for ports that shouldn’t be in use. Port 465 is SMTP over SSL, and in my opinion should very definitely be used, but it is normally disabled by default.

As to whether this should worry you depends on whether you’re using secure SMTP, probably with sendmail. If you set up the server you should know this. If someone else set it up and you’re not too familiar with sendmail, the tell-tale line in the .mc file is DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl. Note the ‘s’ on the end of smtp.

Assuming you are using SMTPS, you can easily stop chkrootkit from printing an error (or returning an error code) simply by modifying the bindshell() subroutine to remove 465 from the list of ports to check. It’s at line 269 of the current version (0.49) of the script.
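An alternative to editing chkrootkit’s port list, as an added example that is not part of the post or of chkrootkit: do the same netstat filtering yourself against an explicit allowlist of ports this host is supposed to serve, and confirm from the sendmail .mc file that SMTPS really is configured before adding 465 to that list. The netstat output and .mc fragment below are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from chkrootkit: report LISTEN sockets whose port is not
# on an allowlist, and check a sendmail .mc for the SMTPS daemon line, so 465
# is allowed only when it is genuinely meant to be open.

# Constructed sample in `netstat -ant` (Linux) format. Not a real capture.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED'

# Constructed sendmail .mc fragment carrying the tell-tale SMTPS line.
SAMPLE_MC=$(cat <<'EOF'
divert(0)dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
EOF
)

# listening_ports: read netstat output on stdin, print each LISTEN port once.
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# unexpected_listeners "ALLOWED" < netstat-output
# ALLOWED is a space-separated list of ports expected on this host
# (e.g. "22 25 465" when sendmail serves SMTPS on 465). Prints the rest.
unexpected_listeners() {
    allowed=" $1 "
    listening_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;            # expected, say nothing
            *) echo "$port" ;;         # not on the allowlist: investigate
        esac
    done
}

# smtps_enabled_in_mc < sendmail.mc: exit 0 if an SMTPS daemon is declared.
smtps_enabled_in_mc() {
    grep -q 'DAEMON_OPTIONS(.*Port=smtps' "${1:--}"
}
```

On a live host, `netstat -ant | unexpected_listeners "22 25 465"` lists only the ports that need explaining, and `smtps_enabled_in_mc /etc/mail/sendmail.mc` tells you whether 465 belongs on that list.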

I’m not so convinced that chkrootkit is any substitute for an experienced operator, but it’s out there, people use it and it’s better than nothing.

FBI hacks every VPN on the planet

Can VPNs be trusted?

I got wind of an interesting rumour yesterday, passed to me by a fairly trustworthy source. I don’t normally comment on rumours until I’ve had a chance to check the facts for myself, but this looks like it’s going to spread.

Basically, the FBI paid certain developers working on the OpenBSD IPsec stack and asked for back-doors or key-leaking mechanisms to be added. This occurred in 2000/2001. Allegedly.

The code in question is open source and is likely to have been incorporated in various forms in a lot of systems, including VPN and secure networking infrastructure.

Whilst I have names of the developers in question and the development company concerned, it wouldn’t be fair to mention them publicly, at least until such code is found. If you’re using the IPsec stack in anything, you might want to take a good look at the code, just in case.

However, if the code has been there for nearly ten years in open source software, how come no one has noticed it before?

Prince Charles’ attackers lucky to be alive

At about quarter past eight this morning, on Radio 4’s Today programme, the head of the Metropolitan Police (Sir Paul Stephenson) remarked that the protection officers in Prince Charles’ car had “shown restraint” last night when the Prince and his wife were attacked by anarchists. The presenter (Sarah Montague, I think) picked up on this, and asked what he meant by “restraint”, sensing he might be implying that the armed officers might have shot some of the rioters. He declined to spell it out. So, in spite of it being obvious, I will.

The bodyguards to the heir to the throne (and, come to that, the Prime Minister and various other establishment VIPs) are there for one purpose – to protect him from those that would do him harm. They’re carrying guns, not pea-shooters. So, faced with a situation where a bunch of enthusiastic republicans are smashing through the window of his car and shouting that they wished to kill the occupants, what are SO14 officers going to do? Well, if the rioters were a credible threat, get out of the car, or get off their bikes, and shoot them before they get a chance to kill or injure their intended victim. They’d already broken a window – if they’d got any further into the car I’d have said they were a credible threat.

Sarah Montague, and the rioters, need to grow up.

WikiYawn

So, Wikileaks has dumped a whole load of US diplomatic dispatches on the web. What fun. What interesting tit-bits can be gleaned?

Well, it seems like some US diplomats think Robert Mugabe, Kim Jong-il and Mahmoud Ahmadinejad are all bad news. Fancy that. Who’d have thought it? Another diplomat thinks Prince Andrew was rather forthright on a trade mission – calling the abortive fraud investigation a waste of time. What did this diplomat expect? Kissing babies and collecting flowers?

Apparently a lot of people in the Middle East don’t trust the Iranians’ nuclear programme and want something done about it. No kidding!

This isn’t news. There’s no conspiracy theory being confirmed. This is all an exercise in the art of the obvious. It might have been interesting to learn that South Korea and China weren’t preparing for a change of regime in the North, but no, they’re on the case.

With no juicy conspiracy being reported, one might wonder what all the fuss has been about. So here’s a conspiracy theory about the conspiracy theory: the news media are reporting all this non-news to distract attention from some really interesting stuff buried in the 250,000 documents released. Perhaps, but given that (apparently) two and a half million American government employees have access to this stuff anyway, if there was anything really new to be found it’d be out in the open anyway.

Error 0x8002007 installing Security Essentials

Good one this! If you’re trying to install Microsoft Security Essentials and it crashes out with Error 0x8002007, clicking on the Help link doesn’t really help.

If you read the TechNet blurb it relates to the Windows Update service not working, and if you believe this you’re going to waste a lot of time trying to repair it. I did. But the solution was really simple.

If you’re using Windows XP the Microsoft site will give you the Vista/Windows 7 version by default! Hunt around for the Windows XP 32-bit version, download that and it’ll probably work. Just don’t click the “Download Now” button because it doesn’t check which one you need – or give you the choice.

Some genius programmers at Microsoft didn’t bother to check the version number as soon as you start to run the installer. I wonder why not.

The one you get by default is:

mssefullinstall-x86fre-en-us-vista-win7

The one you probably want is:

mssefullinstall-x86fre-en-us-xp