August, 2010

Privacy is valuable. Spend it wisely.

Privacy is valuable. Value it, consciously, and spend it, wisely.

Found, @Newseum, Washington DC

Privacy is a conversational black hole. “Drop the subject into the middle of a room and it sucks everybody into a useless place from which no light can escape.” (link)

We all love to talk about privacy. The reality, however, is that:

Most users care about privacy but don’t think about it in day-to-day life.

Few people truly value privacy.
Seriously. We all value privacy in the big, philosophical, fundamental “human right to privacy”, in the sense that we agree that it’s important, and we hold the idea near and dear to our heart, and we’ll get upset, justifiably, if our right to privacy is violated.

But few people value the marginal costs and benefits to privacy at the granular level that would allow us to make reasoned decisions about what we choose to share and not share. What’s the price of privacy? What’s the value of publicity?

Example: do you consciously think about the pros and cons, the marginal value and benefit, the full impact of what you share on the web, or a Tweet, a Facebook post, a Flickr picture or a blog post? Do you consider what could happen in the short and long-term?

No. Why? In many ways, we can’t.

We haven’t developed these heuristics yet. Our guts are still figuring out the equations that compress a lot of information and thought into a “gut call” about the impact of what we do online.

It’s hard. And as Alan Patrick has pointed out many times over the past two years, widespread adoption of web services has contributed to privacy erosion. Fundamentally, individual users don’t have the power, incentive or ability to reliably influence how companies use our data, thus our data is free but everywhere in chains. Companies haven’t given us enough information or guidance about how our data is (and will be) used, we evaluate each decision on the margin without considering how all our decisions add up, and we undervalue our privacy, making poor decisions about how we use web services.

But of course, not only do we get something for using those services, but we also get something for spending our privacy.

My comment to my friend Jim Goldstein on his post Privacy: You’ve Just Given It Away What Next?

What about the value of making something public?

There are valuable, tangible, even measurable benefits to making information public. As long as it’s within our control, and we can value the benefits and costs of our decisions, that’s all that matters. Private, public, whatever.

The issue isn’t about privacy per se, but control over data, where it goes, who sees it, putting it into (and taking it out of) the stream of information that people see, interact with, and act upon.

But this is a conversation we’ve had before :)

I share what I choose to share because it creates the friction that brings people and passions together. It’s not the only way, and I don’t share everything: but I share what I share because I think the benefits are worth the costs. Maybe I’m wrong. But I’ll learn by doing and testing. I’ll learn by spending my privacy.

Wisely, of course.

How? Consider the misplaced debate about privacy; the real debate is over control, not privacy.

Noah Brier, Stalked? Not Really: Noah Brier Responds:

At the end of the day a breach of privacy requires some reasonable expectation that something would be kept private. Not only did I not have that expectation, but for much of the information I put on the web I hope for exactly the opposite.

Exactly.

We don’t just “give away privacy.”
We use services and exchange our time, money and attention to get something back from using that service. There’s a value exchange there. We’re explicitly opting in to use the service under those terms, good and bad. Don’t like it? Quit.

Why did “quit Facebook day” flop? Because even if we don’t like how Facebook handles their product decisions, privacy settings, etc., we get enough value out of using it that it’s worth it to put up with the pain.

Remember that Facebook is a business. Their choice on how to manage privacy is a business decision. As my buddy Ethan put it:

“The business model they appear to be pursuing makes Facebook’s interest to erode/obfuscate privacy *just* to the marginal point before which there would be a mass exodus. No more “privacy”, no less.”

And to be honest, we shouldn’t expect Facebook to look at it in any other way. It’s up to us, the market, the aggregate of all of us, to tell Facebook what we want. Not just tell, but to *do*. What we do indicates what we agree on; markets are aggregations of actions. That’s how a market works, whether it’s a market based on money, attention or any other measure of value. And if enough people don’t like it, or use it, or pay for it (depending on the business model), then it won’t be successful, and it won’t exist.

And the fact that we didn’t quit en masse says something pretty powerful.

Yes, Facebook “should” make it easy for people to manage how their data flows. But I argue it’s not because of morals or ethics, but just good business.

Granted, increasingly, in many ways today opting out of technology is opting out of society. We’re drawn into using some services because we simply have to. But we can still choose how we use them.

Underlying this is a powerful investment opportunity. More personal data, services, networks and connections create the opportunity for better curators, filters, blockers, and routers of data. The value in content isn’t in content but in how it flows, how it gets added to, remixed, rerouted, represented.

But that’s a thought for another day.

How I recovered from a Malware attack on my WordPress site

Not this site, luckily. This one. Fit as a fiddle now, but here’s how I fixed my WordPress blog to recover from a malware attack.

The other day I got an odd email from Google Webmaster Tools telling me NOLAlicious was infected with malware. Given the sample of infected pages the email reported, I knew the old, neglected WordPress install had been compromised. Since the current site isn’t run from the neglected WordPress, it was an easy fix: delete the WordPress. Done. Submitted a request through Google Webmaster Tools to review the site. Hour or so later, all fixed.

Later that night at 1:30 AM I got a second email reporting a malware infection, but this time for my blog on Unstructured Ventures.

Email from Google reporting malware

Hmm. Deleting isn’t an option here. At one time, that blog was my main voice for analysis and commentary about business, entrepreneurship and venture capital, and was ranked in the top 30 VC blogs (and still in the top 50, according to one site). Although I don’t blog on this site anymore, it still garners a significant amount of traffic.

Thus, this wasn’t going to do:

Reported Attack Site

So I dug into Google on two fronts: exploring Google Webmaster Tools, and searching for terms to figure out how to fix my WordPress blog from a malware attack.

Google Dashboard

Google Webmaster Tools

Google Webmaster Tools had a range of articles, links and advice about assessing the damage, cleaning a website, and resubmitting it to Google once it’s cleaned.

I ended up depending on two articles to understand and find the sources of malware on my website: Mediatemple’s Recovering from a site compromise and StopBadware’s Tips for Cleaning and Securing your site proved tremendously valuable for me.

Google’s Webmaster Tools also helped me understand the source of the infection and test my revisions. The Malware diagnostics page (under “Diagnostics” on the Google Webmaster Tools Dashboard) allows one to understand which pages are infected; the Fetch as Googlebot tool (under “Labs” on the same dashboard) is a great way to “see the page that Google sees” for an infested site. Unable to safely view the page in my browser, I was able to use the Fetch as Googlebot option to look at infected pages and find the offending code.

Safe Browsing

I originally searched for a hidden iframe in my WordPress PHP code, but didn’t find anything. My second route, searching for the unescape() and eval() JavaScript functions, quickly led me to the JavaScript function creating a huge block of obfuscated code right after the <body> tag and right before the </body> tag.

FTP’ed in, fixed the code in the WordPress PHP scripts, re-uploaded and tested the site with the Fetch as Googlebot tool: clean. Submitted a request for Google to review the site, and a couple hours later, the malware attack notices disappeared.

Clean. Done. Right? We’ll see.

Addendum

Well, that lasted a week.

Another “Malware attack” email from Google Webmaster tools pointed out that I only cleaned up my site half-way.

So I started digging again to find out what was wrong.

In response to a question about security, Mediatemple actually sent me a useful email that detailed out some helpful links, captured below:

To begin moving forward, we strongly recommend that you utilize this article to work on recovering from a site compromise:
http://mdtm.pl/9wZwhZ

If you happen to be running WordPress, and you have noticed the appearance of an unexpected WordPress user in your database, for example “johnnyA”, “johnnyB”, or “amin”, you will want to remove those users as soon as possible. Also, here is a third-party article that you may find helpful in removing any injected code:
http://mdtm.pl/a9B5YF

If you are experiencing a “redirect hack”, in which your domain is unexpectedly redirected to an external site, please go here:
http://mdtm.pl/97iaeu

Here are instructions on how to “harden” a WordPress blog:
http://mdtm.pl/92GwYG

Additional WordPress hardening suggestions:
http://mdtm.pl/9py2Mj

For a helpful list of security best-practice articles and additional security information related to (mt), visit our newly created security resource in the (mt) wiki:
http://mediatemple.net/security

To get a wide view of more of our most recent security-related efforts, please take a look at this comprehensive blog post regarding security at (mt):
http://mdtm.pl/9gx2GB

Lastly, if you do not feel comfortable resolving compromise-related issues yourself, Sucuri.net has extended a substantial discount on their scan/cleanup services for (mt) customers:
http://sucuri.net/mediatemple

And once I started digging in, I realized I had fallen prey to the JohnnyA attack.

Using the info about JohnnyA WordPress malware on MediaTemple, I ran a search for “eval(” and found three infected files tucked away in various parts of my WordPress installation.

Re-cleaned the HTML, cleaned the PHP, re-uploaded, and everything worked again.
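The search for “eval(” and unescape() described in both rounds of cleanup above, written out as an added example in Python (not code from the original post or from Mediatemple). It walks an offline copy of the site, reports each hit by file and line, and flags hits sitting next to a body tag, where the first injection was found; the sample tree, its paths and its contents are constructed for illustration.

```python
import os
import re
import tempfile

SUSPECT = re.compile(r"\b(eval|unescape)\s*\(", re.IGNORECASE)  # calls the post searched for
BODY_TAG = re.compile(r"</?body\b", re.IGNORECASE)
EXTENSIONS = (".php", ".js", ".html", ".htm")

def scan_tree(root):
    """Return sorted (relative_path, line_no, call, near_body) tuples to review by hand."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
            for idx, line in enumerate(lines):
                # Flag hits within one line of <body> or </body>, where the post found them.
                window = " ".join(lines[max(0, idx - 1):idx + 2])
                near_body = bool(BODY_TAG.search(window))
                for match in SUSPECT.finditer(line):
                    findings.append((rel, idx + 1, match.group(1).lower(), near_body))
    return sorted(findings)

def build_sample(root):
    """Write a constructed, inert WordPress-like tree (hypothetical paths and content)."""
    files = {
        "wp-content/themes/demo/footer.php":
            "<div id='footer'></div>\n<script>eval(unescape('%64%65%6d%6f'))</script>\n"
            "</body>\n</html>\n",
        "wp-includes/helper.php": "<?php\n$x = 1;\nEVAL ($payload);\n",
        "wp-includes/clean.php": "<?php echo 'hello'; ?>\n",
        "wp-content/uploads/notes.txt": "eval( in a .txt file is skipped\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)

if __name__ == "__main__":
    print("\n".join(f"{r}:{n}: {c}( near_body={b}" for r, n, c, b in demo()))
```

A hit is a lead to inspect rather than proof of infection, since legitimate code can also call eval(; pointing scan_tree() at a downloaded copy of the whole install covers files outside the theme, which is where the second round of infected files turned up.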

I then looked further into hardening WordPress, listened to Brad Williams on WordPressTV, from WordCamp Boston 2010, and took a serious look at Sucuri, making more changes and modifications to lock some things down further.

Done. For now.

When did we all have to learn to be webmasters? Sheesh.

 
