The rise of the online ticketing bots

A new report describes the depth of criminality across online ticketing websites. I guess I was somewhat naive before I read the report, “How Bots affect ticketing,” from Distil Networks. (Registration is required.) The vendor sells anti-bot security tools, so some of what they describe is self-serving to promote their own solutions. But the picture they present is chilling and somewhat depressing.

The ticketing sites are being hit from all sides: from dishonest ticket brokers and hospitality agents who scrape details and scalp or spin the tickets, to criminals who focus on fan account takeovers to conduct credit card fraud with their ticket purchases. These scams are happening 24/7, because the bots never sleep. And there are multiple sources of ready-made bad bots that can be set loose on any ticketing platform.

You probably know what scalping is, but spinning was new to me. Basically, it involves a mechanism that appears to be an indecisive human who is selecting tickets but holding them in their cart and not paying for them. This puts the tickets in limbo, and takes them off the active marketplace just long enough that the criminals can manipulate their supply and prevent the actual people from buying them. That is what lies at the heart of the criminal ticketing bot problem: the real folks are denied their purchases, and sometimes all seats are snapped up within a few milliseconds of when they are put on sale. In many cases, fans quickly abandon the legit ticketing site and find a secondary market for their seats, which may be where the criminals want them to go. This is because the seat prices are marked up, with more profit going to the criminals. It also messes with the ticketing site’s pricing algorithms, because they don’t have an accurate picture of ticket supply.

This is a new report from Distil that focuses just on the ticketing vendors. In the past year, they have seen a rise in the sophistication of the bot owners’ methods. That is because, as with much of cybercrime, there is an arms race between defenders and the criminals, with each upping their game to get around the other. The report studied 180 different ticketing sites for a period of 105 days last fall, analyzing more than 26 billion requests.

Distil found that, on average, close to 40% of the traffic across all 180 sites was consumed by bad bots. That’s the average: many sites had far higher percentages of bad bot traffic. (See the graphic above for more details.)

Botnets aren’t only a problem with ticketing websites, of course. In an article that I wrote recently for CSOonline, I discuss how criminals have manipulated online surveys and polls. (Registration also required.) Botnets are just one of many methods to fudge the results, infect survey participants with malware, and manipulate public opinion.

So what can a ticketing site operator do to fight back? The report has several suggestions, including blocking outdated browser versions, using better Captchas, blocking known hosting providers popular with criminals, and looking carefully at sources of traffic for three tells that indicate botnets: high bounce rates, a series of failed logins and lower conversion rates.
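The three tells above can be computed per traffic source from ordinary session records. The following is an added example, not code from the Distil report: the session tuples are constructed sample data, and the thresholds and source names are assumptions to be tuned against your own site's baseline.

```python
from collections import defaultdict

# Constructed sample data, not real traffic.
# Each tuple: (traffic_source, pages_viewed, failed_logins, purchased)
SESSIONS = (
    [("isp-a", 5, 0, True)] * 3
    + [("isp-a", 4, 1, False)] * 5
    + [("isp-a", 1, 0, False)] * 2
    + [("hosting-x", 1, 4, False)] * 9
    + [("hosting-x", 3, 6, False)] * 1
    + [("search", 1, 0, False)] * 8
    + [("search", 6, 0, True)] * 2
    + [("tiny-src", 1, 5, False)] * 2
)

# Assumed starting thresholds (not from the report).
BOUNCE_RATE_MAX = 0.7                # share of single-page sessions
FAILED_LOGINS_PER_SESSION_MAX = 2.0  # average failed logins per session
CONVERSION_FLOOR_RATIO = 0.5         # fraction of the site-wide conversion rate
MIN_SESSIONS = 5                     # skip sources too small to judge


def tells_by_source(sessions):
    """Return {source: [tells tripped]} for every source with enough sessions."""
    stats = defaultdict(lambda: {"n": 0, "bounces": 0, "failed": 0, "buys": 0})
    for source, pages, failed, purchased in sessions:
        s = stats[source]
        s["n"] += 1
        s["bounces"] += pages <= 1   # a bounce is a session that saw one page
        s["failed"] += failed
        s["buys"] += bool(purchased)

    # Site-wide conversion rate is the yardstick for "lower conversion".
    # Heavy bot traffic drags this baseline down, so on a badly hit site
    # compute it from a known-clean period instead.
    total_n = sum(s["n"] for s in stats.values())
    total_buys = sum(s["buys"] for s in stats.values())
    baseline = total_buys / total_n if total_n else 0.0

    result = {}
    for source, s in stats.items():
        if s["n"] < MIN_SESSIONS:
            continue
        tells = []
        if s["bounces"] / s["n"] > BOUNCE_RATE_MAX:
            tells.append("high_bounce")
        if s["failed"] / s["n"] > FAILED_LOGINS_PER_SESSION_MAX:
            tells.append("failed_logins")
        if s["buys"] / s["n"] < CONVERSION_FLOOR_RATIO * baseline:
            tells.append("low_conversion")
        result[source] = tells
    return result


def flagged_sources(sessions, min_tells=2):
    """Sources that trip at least min_tells of the three tells."""
    scored = tells_by_source(sessions)
    return sorted(src for src, tells in scored.items() if len(tells) >= min_tells)


if __name__ == "__main__":
    for src, tells in sorted(tells_by_source(SESSIONS).items()):
        print(f"{src:10s} {tells}")
    print("flagged:", flagged_sources(SESSIONS))
```

Requiring two of the three tells keeps a source with a high bounce rate but normal logins and purchases, such as search referrals landing on a sold-out event page, from being flagged on its own.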

The dangers of DreamHost and Go Daddy hosting

If you host your website on GoDaddy, DreamHost, Bluehost, HostGator, OVH or iPage, this blog post is for you. Chances are your site could be vulnerable to a potential bug or has been purposely infected with something that you probably didn’t know about. Given that millions of websites are involved, this is a moderately big deal.

It used to be that finding a hosting provider was a matter of price and reliability. Now you have to check to see if the vendor actually knows what they are doing. In the past couple of days, I have seen stories such as this one about GoDaddy’s web hosting:

 

And then there is this post, which talks about the other hosting vendors:

Let’s take them one at a time. The GoDaddy issue has to do with their Real User Metrics module. This is used to track traffic to your site. In theory it is a good idea: who doesn’t like more metrics? However, the researcher Igor Kromin, who wrote the post, found the JavaScript module that is used by GoDaddy is so poorly written that it slowed down his site’s performance measurably. Before he published his findings, all GoDaddy hosting customers had these metrics enabled by default. Now they have turned it off by default and are looking at future improvements. Score one for progress.

Why is this a big deal? Supply-chain attacks happen all the time by inserting small snippets of JavaScript code on your pages. It is hard enough to find their origins as it is, without having your hosting provider add any additional burdens as part of their services. I wrote about this issue here.

If you use GoDaddy hosting, you should go to your cPanel hosting portal, click on the small three dots at the top of the page (as shown above), click “help us” and ensure you have opted out.

Okay, moving on to the second article, about other hosting provider scripting vulnerabilities. Paulos Yibelo looked at several providers and found multiple issues that differed among them. The issues involved cross-site scripting, cross-site request forgery, man-in-the-middle problems, potential account takeovers and bypass attack vulnerabilities. The list is depressingly long, and Yibelo’s descriptions show each provider’s problems. “All of them are easily hacked,” he wrote. But what was more instructive was the responses he got from each hosting vendor. He also mentions that Bluehost terminated his account, presumably because they saw he was up to no good. “Good job, but a little too late,” he wrote.

Most of the providers were very responsive when reporters contacted them and said these issues have now been fixed. OVH hasn’t yet responded.

So the moral of the story? Don’t assume your provider knows everything, or even anything, about hosting your site, and be on the lookout for similar research. Find a smaller provider that can give you better customer service (I have been using EMWD.com for years and can’t recommend them enough). If you don’t know what some of these scripting attacks are or how they work, go on over to OWASP.org and educate yourself about their basics.

How great collaborations occur

What do the Beatles, Monty Python, the teams behind building the Ford Mustang and the British Colossus computer, and the Unabomber manhunt have in common? All are examples of impressive and successful collaborative teams. I seem to return to the topic of collaboration often in my writing, and wrote this post several years ago about my own personal history of collaboration. For those of you that have short memories, I will refresh them with some other links to those thoughts. But first, let’s look at what these groups all have in common:

Driven and imaginative leadership. The Netflix series on the Unabomber creates a somewhat fictional/composite character but nevertheless shows how the FBI developed the linguistic analysis needed to catch this criminal, and how a team of agents and a massive investigation found him. Some of those linguistic techniques were used to figure out the pipe bombing suspect from last week, by the way.  

A combination of complementary skills. The Beatles is a good example here, and we all have imprinted in our early memories the lyrics and music by John and Paul. On the British code-breaking effort Colossus, that team worked together without actually knowing what they each did, as I mentioned in my blog post. Another great example is the team that originally created the Ford Mustang car, as I wrote about a few years ago.

Superior writing and ideation. An interview that Eric Idle recently gave on the Maron WTF podcast is instructive. Idle spoke about how the entire Python team wrote their skits before they cast them, so that no one would be personally invested to a particular idea before the entire group could improve and fine-tune it. Many collaborative efforts depend on solid writing backed by even more solid idea-creation. There are a number of real-time online writing and editing tools (including Google Docs) that are used nowadays to facilitate these efforts. 

Active learning and group training. A new effort by the Army is noteworthy here, and is what prompted my post today. They recognize that soldiers have to find innovative ways to protect their digital networks and repel cyber invasions. They announced the creation of a new cyber workspace at the Fort Gordon (near Augusta, Ga.) base called Tatooine, which refers to the Star Wars planet where Luke spent some time in the early movies. The initial missions of this effort will focus on three areas:

  • drone detection,
  • active hunting of cyber threats on DoD networks, and
  • designing better training systems for cyber soldiers.

Great communicators.  Many of these teams worked together using primitive communication tools, before the digital age. Now we are blessed with email, CRMs, real-time messaging apps, video chats, etc. But these blessings are also a curse, particularly if these tools are abused. In this post for the Quickbase blog, I talk about signs that you aren’t using these tools to their best advantage, particularly for handling meeting schedules and agendas. In this post from September, I also provide some other tips on how to collaborate better. 

Unique partnerships. All of my examples show how bringing together the right kinds of talent can result in the sum being bigger than the individuals involved. At the Army base, both military and civilian resources will be working together, and draw on the successful Hack the Army bug bounty program. On Colossus, they recruited people who were good at solving crossword puzzles, among other things. The Python group included Terry Gilliam, who was a gifted animator and brought the necessary visual organization to their early BBC TV shows. 

Certainly, the history of collaboration has been one of fits and starts. As a former publication editor, I can recall the teams that I put together had some great collaborative efforts to write, edit, illustrate and publish the stories in our magazines. And while we continue making some of the same mistakes over again and not really considering the historical context, there are a few signs of hope too as the more modern tools help folks over some of these hurdles. That brought me a solid appreciation for how these best kinds of collaborations happen. Feel free to share your own examples if you’d like. 

iBoss blog: What is HTTP Strict Transport Security

 

 

Earlier this summer, I wrote about how the world of SSL certificates is changing as they become easier to obtain and more frequently used. They are back in the news more recently with Google’s decision to add 45 top-level domains to a special online document called the HTTP Strict Transport Security (HSTS) preload list. The action by Google adds all of its top-level domains, including .Google and .Eat, so that all hosts using that domain suffix will be secure by default. Google has led by example in this arena, and today Facebook, Twitter, PayPal and many other web properties have supported the HSTS effort.

The HSTS preload list consists of hosts for which every visiting browser automatically enforces secure HTTPS connections. If a user types in a URL with just HTTP, this is first changed to HTTPS before the request is sent. The idea is to prevent man-in-the-middle, cookie hijacking and scripting attacks that will intercept web content, as well as prevent malformed certificates from gaining access to the web traffic.

The preload list mitigates against a very narrowly defined attack that could happen if someone were to intercept your traffic at the very first connection to your website and decode your HTTP header metadata. It isn’t a likely scenario, but that is why there is this list.  “Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. There’s still a way to get in, you just have to be a little more sophisticated to find it,” says Patrick Nohe of the SSL Store in a recent blog post.

This means if you thought you were good with setting a permanent 301 redirect from HTTP to HTTPS, you aren’t completely protected.

The preload site maintains a chart showing you which browser versions support HSTS, as shown above. As you might imagine, some of the older browsers, such as Safari 5.1 and earlier IE versions, don’t support it at all.

So, what should you do to protect your own websites? First, if you understand SSL certificates, all you might need is a quick lesson in how HSTS is implemented, and OWASP has this nice short “cheat sheet” here. If you haven’t gotten started with any SSL certs, now is the time to dive into that process, and obtain a valid EV SSL cert. If you haven’t catalogued all your subdomains, this is also a good time to go off and do that.

Next, start the configuration process on your webservers: locate the specific files (like the .htaccess file for Apache’s web servers) that you will need to update with the HSTS information. If you need more complete instructions, GlobalSign has a nice blog entry with a detailed checklist of items, and specific instructions for popular web servers.

After you have reviewed these documents, add your sites to the preload site. Finally, if you need more in-depth discussion, Troy Hunt has this post that goes into plenty of specifics. He also warns you when to implement the preload feature: when you are absolutely, positively sure that you have rooted out all of your plain HTTP requests across your website and never plan to go back to those innocent days.
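Before submitting a site to the preload list, it helps to check what the server actually sends. The following is an added example, not code from the post or from any of the linked guides: it parses a `Strict-Transport-Security` value following RFC 6797 and checks it against the preload list's published submission requirements (a `max-age` of at least one year, `includeSubDomains`, and `preload`). The response dictionaries and host names are constructed samples.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the preload list's minimum max-age


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a policy dict or None.

    Follows RFC 6797: directive names are case-insensitive, max-age is
    required, and a directive that appears twice invalidates the header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]              # max-age may be a quoted-string
        if name in directives:
            return None                  # duplicate directive
        directives[name] = val if sep else None
    max_age = directives.get("max-age")
    if not max_age or not (max_age.isascii() and max_age.isdigit()):
        return None                      # missing or non-numeric max-age
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def preload_gaps(value):
    """List the preload requirements a header value fails to meet."""
    policy = parse_hsts(value) if value is not None else None
    if policy is None:
        return ["invalid_or_missing"]
    gaps = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        gaps.append("max_age_short")
    if not policy["include_subdomains"]:
        gaps.append("no_include_subdomains")
    if not policy["preload"]:
        gaps.append("no_preload")
    return gaps


def _header(resp, name):
    """Case-insensitive header lookup in a response dict."""
    for key, val in resp["headers"].items():
        if key.lower() == name.lower():
            return val
    return None


def audit_site(http_resp, https_resp):
    """Audit the plain-HTTP and HTTPS responses of one host."""
    findings = []
    location = _header(http_resp, "Location") or ""
    if http_resp["status"] not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("no_permanent_https_redirect")
    # Browsers ignore an HSTS header that arrives over plain HTTP (RFC 6797, 8.1).
    if _header(http_resp, "Strict-Transport-Security") is not None:
        findings.append("hsts_on_http_is_ignored")
    findings += preload_gaps(_header(https_resp, "Strict-Transport-Security"))
    return findings


# Constructed sample responses for a hypothetical host, example.test.
REDIRECT = {"status": 301, "headers": {"Location": "https://example.test/"}}
# A 301 redirect alone: the site still sends no HSTS policy at all.
REDIRECT_ONLY = (REDIRECT, {"status": 200, "headers": {}})
# Header set on the wrong response and too weak on the right one.
MISPLACED = (
    {"status": 301, "headers": {"Location": "https://example.test/",
                                "strict-transport-security": "max-age=31536000"}},
    {"status": 200, "headers": {"Strict-Transport-Security": "max-age=31536000"}},
)
# What an Apache line such as
#   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# (mod_headers) produces on the HTTPS response.
HARDENED = (REDIRECT, {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}})

if __name__ == "__main__":
    for label, pair in (("redirect only", REDIRECT_ONLY),
                        ("misplaced", MISPLACED), ("hardened", HARDENED)):
        print(f"{label:14s} {audit_site(*pair) or 'ready for preload submission'}")
```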

Software shouldn’t waste my time

One of my favorite tech execs here in St. Louis is Bryan Doerr, who runs a company called Observable Networks that recently was acquired by Cisco. (Here is his presentation of how the company got started.) One of the things he is frequently saying is that if a piece of software asks for your attention to understand a security alert, we don’t want to waste your time. (He phrases it a bit differently.) I think that is a fine maxim to remember, both for user interface designers and for most of us that use computers in our daily lives.

As a product reviewer, I often find time-wasting moments. Certainly with security products, they seem to be designed this way on purpose: the more alerts the better! That way a vendor can justify its higher price tag. That way is doomed.

Instead, only put something on the screen that you really need to know. At that moment in time. For your particular role. For the particular device. Let’s break this apart.

The precise moment of time is critical. If I am bringing up your software in the morning, there are things that I have to know at the start of my day. For example, when I bring up my calendar, am I about to miss an important meeting? Or even an unimportant meeting? Get that info to me first and fast. Is there something that happened during the night that I should jump on? Very few pieces of software care about this sort of timing of its own usage, which is too bad.

Part of this timing element is also how you deal with bugs and what happens when they occur. Yes, all software has bugs. But do you tell your user what a particular bug means? Sometimes you do, sometimes you put up some random error message that just annoys your users.

Roles are also critical. A database administrator has a much different focus from a “normal” user. Screens should be designed differently for these different roles. And the level of granularity is also important: if you have just two or three roles, that is usually not enough. If you have 17, that is probably too many. Access roles are usually the last thing to be baked into software, and it shows: by then the engineers are already tired of their code and don’t want to mess around with things. Like anything else with software engineering, do this from writing your first line of code if you want success.

Finally, there is understanding the type of device that is looking at your data. As more of us use mobile devices, we want less info on the screen so we can read it without squinting at tiny type. In the past, this was usually called responsive design, meaning that a web interface designer would build an app to respond to the size of the screen, and automatically rearrange stuff so that it would make sense, whether it was viewed on a big desktop monitor or a tiny phone. If your website or app isn’t responsive, you need to fix this post-haste. It is 2017, people.

Joey Skaggs and the art of the media hoax

I have had the pleasure of knowing Joey Skaggs for several decades, and observing his media hoaxing antics first-hand during the development and deployment of his many pranks. Skaggs is a professional hoaxer, meaning that he deliberately crafts elaborate stunts to fool reporters, get himself covered on TV and in newspapers, only to reveal afterwards that the reporters have been had. He sometimes spends years constructing these set pieces, fine-tuning them and involving a cast of supporting characters to bring his hoax to life.

His latest stunt is a documentary movie about filming another documentary movie that is being shown at various film festivals around the world. I caught up with him this past weekend here in St. Louis, when our local film festival screened the movie called The Art of the Prank. Ostensibly, this is a movie about Skaggs and one of his pranks. More about the movie in a moment.

I have covered Skaggs’ exploits a few times. In 1994, he created a story about a fake bust of a sex-based virtual reality venture called Sexonix. I wrote a piece for Wired (scroll to nearly the bottom of the page) where he was able to whip up passions. In the winter of 1998, I wrote about one of his hoaxes, which was about some issues with a rogue project from an environmental organization based in Queensland, Australia. The project created and spread a genetically altered virus. When humans come into contact with the virus, they begin to crave junk food. To add credibility to the story, the virus was found to have infected Hong Kong chickens, among other animals. Skaggs created a phony website here, which contains documentation and copies of emails and photos. Now remember, this was 1998: back then newspapers were still thriving, and the Web was just getting going as a source for journalists.

As part of this hoax, Skaggs also staged a fake demonstration outside the United Nations headquarters campus in New York City. The AP and the NY Post, along with European and Australian newspapers, duly covered the protest, and thus laid the groundwork for the hoax.

Since then he has done dozens of other hoaxes. He set up a computerized jurisprudence system called the Solomon Project that found OJ guilty, a bordello for dogs, a portable confessional booth that was attached to a bicycle that he rode around one of the Democratic conventions, a miracle drug made from roaches, a company buying unwanted dogs to use them as food, and more. Every one of his setups is seemingly genuine, which is how the media falls for them and reports them as real. Only after his clips come in does he reveal that he is the wizard behind the curtain and comes clean that it all was phony.

Skaggs is a genius at mixing just the right amount of believable and yet unverifiable information with specific details and actual events, such as the UN demonstration, to get reporters to drop their guard and run the story. Once one reporter falls for his hoax, Skaggs can build on that and get others to follow along. Skaggs’ hoaxes illustrate how little reporters actually investigate and in most cases ignore the clues that he liberally sprinkles around. This is why they work, and why even the same media outlets (he has been on CNN a number of times) fall for them.

In the movie, you see Skaggs preparing one of his hoaxes. I won’t give you more details in the hopes that you will eventually get to see the film and don’t want to spoil it for you. He carefully gathers his actors to play specific roles, appoints his scientific “expert” and gets the media – and his documentary filmmaker – to follow him along. It is one of his more brilliant set pieces.

Skaggs shows us that it pays to be skeptical, and to spend some time proving authenticity. Given today’s online climate and how hard the public has to work to verify basic facts, this has gotten a lot more difficult, ironically. Most of us take things we read on faith, especially if we have seen it somewhere online such as Wikipedia or when we Google something. As I wrote about the “peeps” hoax in 1998, “a website can change from moment to moment, and pinning down the truth may be a very difficult proposition. An unauthorized employee could post a page by mistake. One man’s truth is another’s falsehood, depending on your point of view. Also, how can you be sure that someone’s website is truly authentic? Maybe during the night a group of imposters has diverted all traffic from the real site to their own, or put up their own pages on the authentic site, unbeknown to the site’s webmaster?”

Today we have Snopes.com and fact checking efforts by the major news organizations, but they still aren’t enough. All it takes is one gullible person with a huge Twitter following (I am sure you can think of a few examples), and a hoax is born.

In the movie, trusted information is scarce and hard to find, and you see how Skaggs builds his house of cards. It is well worth watching this master of media manipulation at work, and a lesson for us all to be more careful, especially when we see something online. Or read about it in the newspapers or see something on TV.

The current state of online ad blockers (plus podcast)

The online advertising world is undergoing a massive transition right now, trying to cope with an increasing technology war between the advertisers and us, the people that view their advertising. It is messy, it is contentious, and no one really knows what is going to happen in the coming months and years.

Recently, Facebook made changes to the way it works with displaying online ads. They say in that linked post, “We’ve all experienced a lot of bad ads: ads that obscure the content we’re trying to read, ads that slow down load times or ads that try to sell us things we have no interest in buying. Bad ads are disruptive and a waste of our time.”

Here is the problem: one person’s “bad” ad is another person’s opportunity to sell you something that maybe you might want. So they have attempted to clarify the issue, and give users more control over their ad experience. So far, it hasn’t been good.

How many of you Facebook users know about this page to control your ad preferences? I don’t see many hands being electronically raised. Take a moment, click on the above link, and spend a few minutes browsing around to see what they have done. You will be surprised.

The page is full of confusing controls and has a really poor user experience. For example, as you can see from the screen shot, I have given my personal information to three different advertisers, two of whom I didn’t recognize. When I deleted these two – because I don’t want to hear from them ever again – they first fade, and only disappear from view when I return to this page.

Andrew Bosworth, a VP at Facebook, says, “Some ad blocking companies accept money in exchange for showing ads that they previously blocked — a practice that is at best confusing to people and that reduces the funding needed to support the journalism and other free services that we enjoy on the web.” (my emphasis added)  That is a lofty thought.

But let’s not just blame Facebook. At least they are trying to take control over the situation and make improvements, so that users will click on more relevant ads and they will be able to charge more for them. How about the traditional news generators, like newspapers and other media companies? What are they doing about online ads?

The short answer is that they are selling every square pixel they can and finding new ways to pop-up, pre-roll, roll over, mix sponsored and editorial content, and in general pollute the overall browsing experience of their online properties. Just about every publication that I want to read places some obstacle (and that is what I think about them) in my way when I try to click on an article that I want to read. Their home pages automatically start playing noisy videos that have me using the mute button on my PC as a default setting, just so I can have some peace and quiet when I am reading in the mornings.

I know, they have to make money. Print advertisers are leaving in droves, subscribers are few and far between, and newsrooms are ghost towns.

So a few years ago, technology came to the rescue and created browser plug-ins called ad blockers. These sense pop-ups and other devious methods, and prevent them from displaying ads. It is a great idea, and most modern browsers have incorporated some of their features too.

However, the problem is the blockers worked too well. So Facebook and other major sites who benefit from advertising revenue have decided to block the blockers. Now we have a cat-and-mouse game, where as one side adds new features, the other side figures out a way around them. Malware authors have been doing this for decades.

“More publishers will have to look to more innovative ways to incorporate their commerce with their content.” So says TechCrunch, who ran this story not too long ago. They proposed a sensible argument for how ad blockers can improve the overall experience and at least eliminate the cheesy online ads. But what is happening is that innovation has turned into just using as many ways as possible to put up online ads.

The pre-eminent ad blocking company is called Ad Block Plus. On their blog, they announced a new version of their software that is used by hundreds of millions of users. It is called “Acceptable Ads Platform.” Basically, they get to choose which ads are “good” and which aren’t. They will continue to block the bad ads, but allow good ads by default. You can change this setting and not allow any ads whatsoever.

The New York Times has said, “instead of blocking bad ads, AdBlock allowed ads it deemed acceptable to be seen, often for a price.” This strikes me as something we used to call “bait and switch.” The Ad Block Plus company now wants to be known as a “web customizing” company. This seems a bit naïve, or misleading, or both. It also puts this company in the hot seat to decide what is acceptable and what is not. They claim to be putting together a panel of judges. We’ll see how well that will work.

As I said, this is all early days for what will come. While the web has been with us for decades, and online advertising too, it seems we need to work together to figure out how to best serve up ads that won’t block the editorial content that we were trying to view and still allow the publishers and media companies to make money from our interests. So far, it is sub-optimal for nearly everyone involved.

To hear more about this matter, listen to the latest podcast from Paul Gillin and me, where we discuss this issue. Or leave your comments here.

When searching for yourself isn’t just for vanity

How often do you search for yourself or your own business? This isn’t an idle curiosity, and it isn’t just because we have huge egos. There are legitimate business purposes. And I can thank my wife for the idea for this column.

My wife owns her own business, an interior design firm. She has gotten some great help (not all from me, I should point out) about how to get to the top of the search rankings on Google, along with other sites where her potential customers would look for her services, such as Yelp, Houzz, and others. And as part of her SEO assurance program, she regularly searches for her company.

Usually in her searches she finds her company at the top of the results page. The last time though there was an interesting twist: her company’s name had a link that led to another interior design firm in town. They had purchased her company name as a keyword for a paid ad. What? Little did I realize, there are folks in this world who would do this. Is it legal? Apparently, if you don’t own your name or don’t have it trademarked. (She doesn’t have a mark.) Is it ethical? I don’t think so.

She was able to call the other firm and speak to their “web guy” and get this eventually corrected. At least, we think so. Searching now brings up her website with the appropriate link, just as it is supposed to be. But I started thinking about all the things that a small business owner has to deal with when they start a business. And before we get to talk about the online stuff, trademarks should be one of the first things to consider.

When I started my business in 1992, I thought long and hard about a clever name but eventually just incorporated my own name. Then in 1995 I started writing a weekly newsletter and posting the columns to a website. This was the beginning of Web Informant.

A few years later, I got a call from Informant Communications Group in California. They had print publications such as Oracle Informant and some other tech pubs, and wanted to start one called Web Informant. Before I did anything, I hired a lawyer and submitted a trademark application. This was fortunate, because a week later so did they. On their application, under first use, they stated some bogus date (in 1990, way before the Web was even invented), but luckily because my application was first I got the mark.

It taught me a lesson: just because you came up with a name doesn’t mean that someone else doesn’t want to appropriate it. Today those guys in Calif. are still around, and they own the domain informant.com. Good for them, I guess. Just stay away from my domain!

But the trademark is just one aspect about your branding and identity. There is the matter of your online presence. For most of us, we think about buying a domain name. It used to be so simple: back in the day when I registered my domain, you didn’t even have to pay hard cash money for your domain name. You just sent an email to InterNic, the only registrar at the time, and within a minute or two you got a confirmation note that the domain was yours.

Back in those days, few folks knew about the Internet or domains or whatnot, and there is this amusing article by Josh Quittner in Wired magazine about how he got McDonalds.com and then tried to get someone from Hamburger HQ to understand what happened. He wasn’t altogether successful, and it took some effort on his part to get their attention. But once he did, he was able to engineer the transfer of the domain name back to McDonalds, with the proviso that they wire up a magnet school in Brooklyn.

Quittner had written a piece about the school and how one of the teachers was using the Internet in her classroom. By then, Quittner had moved to Time magazine, and they also agreed to “kick in some shekels for a high-speed Internet connection for the school,” as he told me in a recent email. Before the upgrade, the school had been using a 2400 baud dial-up modem: they got the whopping speed of a 56kbps switched line. “I am pretty sure my current iPhone hits the Internet at three times that speed.” It was about the same time, in the mid 1990s, that I got my own upgrade in my office to a 128 kbps ISDN line: that seemed fast at the time.

But enough about speeds and feeds. Let’s get back to branding. Today things have gotten much more complicated. When I got strom.com, for example, I didn’t even think about davidstrom.com, let alone strom.org or strom.whatever. Too bad for me. Then there are a lot more top-level domains besides the classic ones of .com, .net, and .org. You have ones that don’t even seem like domains, such as .travel, .biz, .rocks and .xyz, just to name a few. Do you just buy the dot com or do you blanket all or most of the other ones? Then you have to grab onto likely other cyberspace locations: a WordPress blog address, a Twitter handle, a Pinterest user name, setting up your Facebook page, and more.

My favorite time-saver for this part of a search is Knowem.com, which will look through more than 500 different places across the Internet. If you want a consistent brand identity and you are too busy to deal with it, they will do it for you for the first 25 sites for $85, and more sites for more dough.

So if you are starting a new company, heed these examples. Get the domain names that you need up front, as many as you care and dare. Use KnowEm and sign up for the other stuff too. Get your trademark application in quickly; you never know if someone is riding on your heels. And don’t forget to do a search every now and then, just in case someone has squatted on your brand.

The goodness that Yahoo has brought us is mostly gone

Back in November 2011, Yahoo’s then-CEO, Carol Bartz, was fired. I wrote about this event for ReadWrite.com (then called ReadWriteWeb). I thought it was worth recalling today, on the news that many of Yahoo’s core products have been sold to Verizon.

Firing Carol Bartz made us go into the Wayback Machine to recall the many good things that Yahoo has created over its life. While there are many who are lining up to take shots at the Yahoos, certainly justified, there are still some things worth noting. (Below is an early home page; others can be found at ITworld here.)

Some of Yahoo’s developer services were way ahead of their time, and many of them are no longer with us (updated with 2016 information):

  • FireEagle (location services), one of the early geo-location services, before there was Foursquare and so many others. Still around, barely. Update: Closed in 2013.
  • Hadoop (Big Data): Yahoo initiated and put up some heavy investment in this project. It is the go-to framework for big data and an integral part of Yahoo’s cloud businesses. Very much living and breathing, especially since it has been taken over by Apache.
  • Delicious (tagging/shared bookmarks), one of the pioneers in tagging and early crowdsourced bookmarked recommendations of content, sold earlier this year to the founders of YouTube. Still here, but not top of mind. Update: Seems to be gone for good, despite a series of corporate maneuvers.
  • Yahoo Pipes (mashup tool), probably still one of the most useful development tools that anyone has ever invented. Pipes can manipulate RSS feeds and extract content from a variety of Web programming languages. Sadly, it was killed off in 2015.
  • Yahoo Query Language (programming language), a programming language that works across Web services, somewhat akin to what SQL does with databases. Still supported in 2016.
  • BOSS (build your own search service), open search and data services platform that can use Yahoo’s search technology. Wait, you didn’t know that Yahoo has its own search technology? Just kidding. Still supported in 2016.
  • Blueprint (mobile site creation), it was an early effort in building mobile Web sites. Closed in 2011.

Yes, Yahoo was always a day late and a dollar short when it came to its webmailer, its IM client, and eventually its search service. But still, it has traffic. One Internet commenter said, “they should use their front page as a fire hose, projecting mainstream users onto these platforms” such as the ones mentioned above. Fair enough. And once upon a time, I thought their Yahoo Groups email list service was terrific: the last few years haven’t been kind to this service. And while my Yahoo email inbox seems perennially spam-filled, their financial and movie pages are top-drawer.

Many comments around the ‘Net seem to label Yahoo as an engineering company that can’t get its products marketed or gain any adoption. One said “Yahoo lost its motivation, its excitement.” Now it has lost its CEO. Maybe Bartz’ successor can see their way towards a better future. Sadly, that last prediction wasn’t to be.

Best practices for corporate bloggers

In my various retrospective pieces leading up to my 20th anniversary party of Web Informant, ironically one topic that I didn’t dive into was the evolution of the art form of the blog itself. I guess I take it for granted that blogs are here to stay.

But then a reader reminded me of an article that I wrote nine years ago for Computerworld about the best practices for corporate blogging. And as I reread the piece, I realized that not much has changed in those nine years, at least when it comes to blogging. “Everything you recommended in that piece is still applicable today,” said my former podcasting partner and B2B social media strategist Paul Gillin. “This means you’re either psychic or common sense really is the best guidance.”

Maybe you could chalk it up to my being so prescient, but I don’t want to take all the credit. Doing a great blog really comes down to doing just a few things well: telling a series of great stories, being true to your corporate voices, and delivering great and compelling content that will keep your audience coming back for more.

I spoke to Lionel Menchaca last week when I was in Austin. He was the original blogger for Dell, now no longer with the company, but still writing about business blogging. “Focus on making [your blog post] content useful to anyone who reads it,” he says in a current post. He and I bemoaned how some business bloggers don’t understand these basic tenets, still.

What a great corporate blog is NOT about is “controlling the message” or putting onerous workflow conditions in the way of the publishing process. I have written for many of these types of blogs over the years, and many of them have died because they tried too hard to toe the corporate line and forgot these basics. But rather than being a reason for depression, these failures show that there is still lots of life left in blogging, even in 2015.

Sure, a lot has happened in the past decade: social media, Instagram, and Twitter, just to name a few. But blogging is still the heart and center of any business communication strategy, and can help amplify these other tools.

One final piece of advice from Jeremiah Owyang that didn’t make it into my original story: “Don’t accept blog advice from people that are not bloggers.”

So take a moment to review my nine-year-old article in Computerworld. It isn’t often that something that I wrote so long ago is still very much in force today. It is ironic, though, that a technology that has been around for so long is still so relevant.