Research before buying web software – script security is important

We spend a good deal of time researching software before we buy it, and even then we are at times disappointed with purchases we had hoped would make web sites function better. Whether it’s server side software for web site addons, or complete web site scripts, take the time to research the piece of software and the company behind it before you try it.

Over the years we have considered hundreds of scripts and programs. A few of those have proven to be excellent choices, but many are half baked, don’t do everything you want them to, or even worse, leave huge security vulnerabilities for you, and perhaps for the other web sites hosted on your web server. Our most recent consideration is one of those. If the price and features combination seems too good to be true, maybe it is.

We have been looking for new chat programs to launch as server addons for various client web sites, and integration with a forum or membership system is a key piece of functionality that has been requested. After an hour of research we determined that there were 4 programs that seemed to be a good fit for our client, so we decided to dig deeper and see if we could narrow it down.

It would have been easy to just choose the most expensive and well-known solutions, but we try to find options that will save our clients money, and oftentimes a site does not need all the full blown features that the most expensive and well-known companies make available. Looking for more affordable options, we came across a piece of chat software that seemed to have a ton of features and a very fair price. Wondering if it was perfect for our client, or too good to be true, we decided to do further research and see what other people were saying at other web sites.

Searching for their program and company name in Google brought up tons of results, and most of them were from other places that were offering the program, places like hotscripts and the tons of clones out there. None of these were very helpful as far as finding critiques of the company. After digging a few hundred search results into Google, we started finding security vulnerabilities posted at about a dozen sites. That’s red flag number one – but these could all be fixed in a current release – so we had to spend more time to find out.

More research revealed some posts on a forum where a particular user was complaining that it did not work in his current server / software environment and that he had received no support whatsoever from the program’s author. Red flag number two, but I looked further, and it appears that the post in question was on a forum for a similar or competing product, so it is not as trustworthy a review as we would like.

I will be contacting the author of this script to see if they are aware of, and have fixed, the security issues that have been posted online. I will also be asking for a demo of the product to make sure that it works with the membership system that our client is using. Sure, it says that it works with that particular program, but which version? Do ALL features work? Better to find out before purchasing if possible.

Before purchasing scripts, or even using free scripts online, it’s best to look around the web and see if you can find any security or support issues with the company. Some web sites to definitely check include:

http://www.us-cert.gov

http://insecure.org/

http://secunia.com/

http://www.securityfocus.com/

http://www.f-secure.com/vulnerabilities/SA32603#

http://www.securitytracker.com/search/search.html

This method of research has saved tons of trouble in previous new business development. We were working with clients on a new business plan, and they were setting everything up based upon a company’s affordable piece of social networking software. It looked good, the demo was decent, the pre-sales support was fast. They put their entire business plan around the use of this product. I can’t remember what it was that led us to a bad forum thread about it, but that thread led us to links that turned up many more horror stories about the company, and then we realized that particular script would not work, and that the too-good-to-be-true price and feature combination was indeed too good to be true.

Lessons learned: even when a demo works and pre-sales support is fast, it does not mean that everything will work as you planned, that you will get the support you have expected, or that the program will work as it was advertised.

New chat and community portals coming to the web

We have been consulting with a client about opening a new chat portal and community web site. There are many premium options for establishing an online presence in the chat and social software arenas, and we suggest several. For clients on a tight launch budget, we recommend free and open source software to get started.

Many of our clients are in the early launch and beta test phases of new web projects, and the early steps of new online business models require at least some web presence to get started. We know that everyone wants to have a super slick, tricked out, full featured web site, but when funding is tight, getting things started is more important than getting things full blown and polished.

It doesn’t take a lot to show concepts and get options from colleagues, teammates and investors. We have found that installing basic software and apps, giving people a demo of how things will flow, and showing some rough examples of color schemes is the best way to launch a new project. Many times we have seen clients spend time and money developing the web site’s look and feel with fancy graphics, only to have them completely reworked later in the public announcement phase. This is why we suggest getting the core functionality first, and then developing the look and feel later.

With all that in mind, we have a pre-launch of the new online chat forums up and running. It’s a start, and a great skeleton for future development.

New sites – welcome to the web

There are a few new web sites that we’d like to welcome to the web. We have been impressed with the new web sites being created with the open source blogging software from WordPress. With the various theme options and settings now available, such as a static front page, there are some great web sites being created that look nothing like the standard default WordPress blog.

New sites like the TBS blog and Danny writes are coming together quickly, from people that just got their web sites started this year. With the themes and customization options available along with a plethora of plugins, people are making great fully functioning web sites with a simple server side script.

We have also been consulting with some web sites using the WordPress backend for multiple blog hosting and are really excited about the social network plugins that are being released for WordPress MU. Upcoming social network sites massage groups and others will be pioneering a new generation of easy-to-use, self hosted social networks. We are looking forward to the data portability possibilities and hope that these sites are hugely successful.

We will begin consulting with new clients who want to launch their own hosted social networks as soon as testing and upgrades are complete with our current projects. Look for custom profile and other buddypress themes to be made available from us in the near future as well. Looks like 2009 will be a great new year!

WordPress as social network backbone suggestions


From the RSS feeds, we found a post from Matt linking to an article about one person’s suggestions for making wordpress.com more of a social network.

My comment on this post about wordpress fixes to make it more of a social network, from Rashmi.

There have been several wordpress MU sites that incorporate similar features, as dr mike pointed out in an earlier comment. There have even been a couple sets of plugins specifically made to turn a wordpress installation into a more myspace-like look.

I think there are a few single instance wordpresses running with multiple authors and contributors registered, that share similar pages to the ones you described aren’t there?

I do look forward to more unique blends of wordpress to shine across the internet for a while to come, it is constantly improving and there are many people using it in many different ways. I can’t wait to see what the community creates over the next couple of years, and I am sure you will see many more social networks using wordpress as a core. We are currently testing an MU based social network (or two 😉

I appreciate your points and suggestions for ways to make it function more like a facebook-like social network, I believe your ideas are valid.

The comments there have made me think what it would be like to create a custom page theme template (for the about page) that would add the author information into the top of the about page. This would be a simple easy way to get the author info shown, now to just get everyone to fill it all in.

As OpenID and data portability continue to grow as well, I hope that it becomes easier for internet authors to fill in their info quickly, accurately, and with choice of which information to propagate and share.

Social networks and the software that runs them will continue to grow and evolve, and people like you sharing your comments about ways to improve will constantly make it better.

As Louis James points out in another of the comments there, flickr is already very social. I in fact recommended it in an email to an old friend just the other day, and sent her my flickr address. Flickr is an easy sell to people with its free photo sharing and the ability to mark some pictures just for friends and some pictures just for family. Of course you can also have some set for public, and you do have somewhat of a profile with flickr. Hadn’t quite looked at the profile that way, but it does have a lot of info there. Neat observation, Louis.

Social network software rising

We’ve been consulting for several clients about social networks and keeping a close eye on the developments of various social network software and the niche sites that are springing up and using them. There have been some new developments in both areas, here’s a few we’d like to highlight.

Automattic (WordPress parent company, creators of BBpress and the Akismet spam eliminator) has recently gotten 29 million dollars in funding. Automattic has decided to hold off on being bought out entirely and is looking to further its anti-spam, identity, wikis, forums, and more – small, open source pieces, loosely joined with the same approach and philosophy that has brought them this far. Today I stumbled upon a new theme for WordPress that makes it easy to use WordPress as a twitter-like, many-to-many messaging system for groups, private or public. Can’t wait to see how people hack it up and what kind of CMS social network mashups will be created using this functionality.

In other recent finds, we stumbled upon a list of 350 social networks listed at Mashable. We also found a social networking watch site with info about new social networking sites. We found several linked to articles at mahalo about a new adult social network type of site called zivity.

We also found a USA Today article describing how it is very difficult to verify ages for those who sign up for social networks. An excerpt:

MySpace has recently implemented policies designed to better separate kids from adults. Among the changes, adult MySpace users must already know a 14- or 15-year-old user’s e-mail address or full name to initiate contact or view a profile containing personal information.

However, because age is self-reported, as it is at similar sites, adults could simply sign up as minors.

There are tools to verify age, but they work best for porn, wine-sales and other sites meant for adults only.

A credit card, for instance, could demonstrate that a user is of age, notwithstanding a teen’s ability to “borrow” a card from Dad’s wallet.

More robust techniques like those from IDology Inc. and Sentinel Tech Holding Corp.’s Sentry check addresses, birth dates and other information users provide against public databases, such as voting and property records.

But many social-networking sites cater to both adults and teens – and teens can be difficult to verify.

Minors “do not possess as many unique identifiers as adults do,” said Adam Thierer, a senior fellow with the Progress and Freedom Foundation, a technology think tank that shuns government regulation. “They are not voters yet. They don’t have home mortgages or car loans. Most don’t have drivers licenses until they are 16.”

Many states restrict the disclosure of drivers license data on minors, and school administrators guard their registration records fiercely.

“Do parents really want … that kind of information available on their children?” Collier asked.

Connecticut Attorney General Richard Blumenthal said raising the minimum age to 16 from 14 would help because many teens have drivers licenses by then. He has called for federal incentives for sites like MySpace to perform age verification.

Attorneys General Jim Petro of Ohio and Greg Abbott of Texas, meanwhile, support verification via credit card, while Massachusetts’ Tom Reilly has called for unspecified “age and identity verification.”

“Don’t tell me it can’t be done,” Blumenthal said. “It’s a question of whether the company in good faith really wants to know those ages and sacrifice some of the excitement and coolness that comes with anonymity.”

Getting a reliable system developed could require expenditures and perhaps result in a smaller base of users, he said, “but if we can invent the Internet, … surely there are means to verify the ages of those individuals, or such means can be developed.”

Facebook takes a stab at verification by restricting access only to those with a valid e-mail address from a high school, college or participating company. It is happy to have 8 million registered users, less than 10% of MySpace’s.

Industrious Kid Inc.’s imbee, for kids 8 to 14, requires parents to submit credit cards to vouch for their children.

Of course, an adult may “vouch” for an alter ego and use that to chat with kids. Thus, all imbee profiles are initially private, and adults can’t do much without tricking a parent into letting them join a child’s network, said Tim Donovan, imbee’s vice president of marketing.

Zoey’s Room, a site for girls 10-14, has verified each of its 300 members with a school or youth group. It charges $15 a year.

“It does cost to create safe communities,” said Erin Reilly, co-founder of the organization that runs Zoey’s Room. “I would rather have a manageable population and keep them all safe … instead of looking for a million unique visitors.”

IDology believes its technology could help keep children safe. A verified adult could be given greater access and the ability to share profiles openly. Anyone not willing or able to be verified, including teens, would be left with limited access and private profiles.

But any technical solution tough enough to work would penalize legitimate users who cannot be verified, said John Cardillo, Sentry’s chief executive. Even 18- and 19-year-olds aren’t fully in public databases yet, he said.

MySpace, instead, has been trying to catch minors after the fact.

It has technology to scan for inconsistencies and teams of employees to investigate further. For example, a user who claims to be 18 might mention a sixth-grade class elsewhere in the profile, or feature a photo of a birthday cake with only 13 candles.

Safety experts warn that creating too many barriers could drive kids to another social-networking site with fewer controls, or perhaps free-for-all chat rooms.

And ineffective solutions, they say, could give parents and children a false sense of security, increasing the dangers.

Ron Teixeira, executive director for the National Cyber Security Alliance, said parents should teach children an online equivalent of “Don’t take candy from strangers.” That way, he said, kids will know what to do should social networking be replaced by the next big fad.

It seems that social networks are increasingly in demand for communicating today, and there will continue to be new ways for users to share information. We had even seen a short video somewhere that talked about ways to use LinkedIn as a business networking social app. Certainly there will be much learning for everyone on the best ways to use these powerful communication tools, and there will undoubtedly be more technology coming to help keep everyone happier, more productive and in touch.

It is our hope that the OpenID standard will continue to flourish, and that it will be easier for people to take a certain amount of profile information from one network to another, so we don’t have to keep typing in tons of information for every social circle we want to participate in. Of course safeguarding data, privacy, ease of use, and data portability should be at the forefront of these emerging technologies.

We are getting there. There are many great ways for people to communicate and share today, there are certainly going to be some growing pains, but the numbers show that there is great need for millions of people to do more online together, and the companies that do it right stand to make millions happy.

Pluck hooking up media outlets with social networks

from yahoo news / reuters

Pluck hooking up media outlets with social networks

By Robert MacMillan 30 minutes ago

NEW YORK (Reuters) – Online media syndication company Pluck Corp said on Wednesday it would give traditional media companies the ability to link their Web sites to online social networks like MySpace and Facebook.

The move would allow people to leave comments on news Web sites that then show up on their social network profiles, allowing the traditional media outlets to reach people where they are spending increasing amounts of time on the Internet, said Pluck Chief Executive Dave Panos.

This is important to media companies that are trying to build up their online audiences as they lose readers and advertising revenue for their print editions.

“If I comment on a story about the presidential primary, the story itself is going to be noted on my Facebook profile, and so is the comment I made,” he said.

Companies using Pluck’s technology include USA Today publisher Gannett Co Inc (GCI.N), Discovery Communications, the Canadian Broadcasting Corp, Runner’s World publisher Rodale and Better Homes & Gardens publisher Meredith Corp (MDP.N).

“People are interested in sharing experiences around news,” said Jim Brady, executive editor of The Washington Post Co’s (WPO.N) Web site, washingtonpost.com, which also is participating.

Brady said that could build up more loyal readers for the Web site while exposing the Post’s news to many of Facebook’s 55 million users worldwide. MySpace, owned by News Corp (NWSa.N), has about 110 million users worldwide.

“We’re not trying to be Facebook or MySpace,” he said. “By giving ourselves a hook into the bigger social networks, it allows us to get more pollination.”

The move allows traditional media companies to associate themselves with popular social networks whose members — typically younger than the average newspaper reader — are considered the most valuable to advertisers on- and offline.

“If you’re a media company, you’re now attracting more users to your site,” Panos said. “For them, I think it’s about reaching a broader audience, and maybe a younger demographic.”

Reuters Group (RTR.L) (RTRSY.O) which made a $7 million investment in Pluck last year and has an undisclosed ownership stake, also is a participant.

Media companies will be able to link up with Facebook starting in the first quarter of 2008, Pluck said. Networks that are part of Google Inc’s (GOOG.O) OpenSocial technology for independent software developers — which includes MySpace as a member — will be able to use Pluck’s technology by mid-2008.

(Editing by Carol Bishopric)

I am glad to see so many social network deployments these days. Competition keeps things healthy. Hopefully we will all benefit from multiple companies pushing various software for social networks and they will all keep getting better and better. We are currently testing a few social network platforms for various clients of different sizes with different needs. There is also much talk around the shop about sharing information among the social networks. You can see a similar goal being developed with Google’s OpenSocial and the OpenID platform. Of course avoiding end user privacy issues is always a concern, but making it easier for end users to log into and use the various social sites, and to choose which information to share or keep private and semi-private, is going to be of paramount importance.

Movable Type adds social network features

Maybe it’s a beta. I have not yet had time to look through all the information about the new features that Movable Type is adding, but I like where they are going with it, and I love the language skills of the people interviewed and quoted on Tech Crunch from the MT team. I’d love to have a version of this to play with, and I should have figured it’s only a matter of time; there are several similar features and a few social network type sites that have been rolled out with the WordPress MU platform already. Hopefully both will learn from each other, the flexibility of these great apps will be improved, and internet discussions will become better and better.

An excerpt from the article at tech crunch:

 Dash emphasized that MTCS is a “serious commercial product.”

It’ll likely cost a few thousand dollars to start, and the target audience is serious, large-scale communities like media companies, major brands, educational institutions, and intranet/enterprise deployments. I suspect that smaller independent sites will mostly grab a small number of free plugins that reproduce some of this functionality on a smaller scale and use that with the free version of MT if they are price-sensitive.

Read the whole article at tech crunch and see what I mean about the excellent language used to describe the move by the MT team.

Link to demo of the features from MT.

The blog here at Global Advanced Media was originally started with the Movable Type platform. We have since moved to the WordPress software, but we have always had an affinity for the MT features, ever since Leo Laporte mentioned it on Tech TV years ago. We’re glad to see that MT is moving forward.