Wolfpack of Lies – Hack Baiting Web 2.0 Startups For Diggs

MyBlogLog

This seems to be a growing trend, and so many bloggers are falling for the linkbait, poorly researched content, and unethical marketing practices.

Reactionary development of computer products and services can prove to be a disaster both for development cycles and the feature set of a product. An extremely careful balance has to be achieved between supporting the wishes of hardcore supporters of a product, and achieving core goals and maintaining a development schedule.

I have experienced this first hand in the computer games industry being the middleman both between publisher <> development team, and consumer <> development team. I know that I have significantly disrupted development of products in the past, and at times I even ignored or delayed passing information from a publisher or customer on to a development team simply because of the disruption it could cause. Sometimes I used a middleman, passing information onto my only superior, the company MD, and allowing him to decide whether the feedback should be passed on to the development manager or development team members.
I was also in charge of sales and marketing internationally, and even though we had a relatively small organisation, channels of communication existed to prevent disruption to the development schedules. Here is a good article on the subject.

If someone is attempting to hack your website, steal your content, or damage your business, the expected reaction shouldn’t be to pat them on the back, thank them for their help and offer them all kinds of bonuses and credibility.

In a web environment, the logical first step to people abusing your site is to block their IP – this is what various spam control systems do. How many bloggers have a terms of service stating that if you spam them with comments they will block your IP address?

It shouldn’t matter how influential a blogger thinks they are, the tail shouldn’t wag the dog.

The first sign Shoemoney received that he had been banned from MyBlogLog was a 403 Error. From the w3.org site:-

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

If someone was spamming me, scraping me, or hacking me, and I could pinpoint it down to a single IP address, that is exactly what message I would give them. It doesn’t matter who the hell it is.

I doubt Shoemoney was sending signals such as:-

Hey this is Shoemoney, I am hacking your site for hackbait to get links and subscribers, but it is all harmless and not really intended to damage your business

Now on one point yesterday I was wrong, it seems that whilst an email was claimed to have been sent a month ago regarding the cookies problem with MyBlogLog (but from the French site), it might have got lost in various technical and logistics problems.

Another insight, Shoemoney had been asked specifically by the MyBlogLog team to give them a heads up before posting any more hacking MBL information.
Here is what Eric posted in a comment on Li Evans post:-

Li —

Here’s the thing. We *did* have reach out to Shoe. Every time he posted a hack we thanked him in his comments for pointing out a vulnerability.

Then a couple days before this was posted, Scott Rafer emailed him and said, basically, “dude, I understand you’re pissed at Jeremey Zawodny and so be it. But keep in mind that he’s not part of the team and it still just us five guys bangin away. We’ve had a good relationship with you and we would just appreciate a heads up before you post your next exploit.”

And then he posted this.

(I had previously omitted the previous info because I was unable to get in touch with Rafer last night to request permission to discuss his email exchange.)

OMG A Tracking Service is Tracking Clicks

Today I have read yet another piece of Hackbait on Shoemoney’s site, though admittedly by his partner in crime DDN.

He has come up with the absolute revelation that tracking programs track clicks on adverts.

He thinks it is a scandal that a Yahoo owned company can track clicks on Google adverts.

Something Stinks & It is Not MyBlogLog

Google Analytics can be used to track Yahoo clicks in exactly the same way as MyBlogLog can be used to track Adsense clicks, and people have been doing it for a long time.
Aaron Wall posted code to do this in November 2005, and it was also discussed on Digital Inspiration in December 2005.

I keep a reasonable eye on discussions regarding analytics. I have never seen anyone claim that Google shouldn’t be allowed to have tracking information on Yahoo clicks or for that matter any other monetization links.

In many ways MyBlogLog having this tracking information as part of Yahoo is a good thing.

  1. Defending on Clickfraud – A Yahoo owned tracking service would be looked on as a more credible source of data than a self hosted script.
  2. Personal Data – MyBlogLog probably have enough data not just to isolate the IP address, but possibly who clicked the advert – for defence of your Adsense account, surely that is an ideal scenario

You should always have some form of tracking for advertising – both Google Analytics and MyBlogLog (Yahoo) fall short in this capacity, and I hope they improve in the future making this more accessible for average users to improve their advertising returns. Microsoft are also entering this field, and I doubt very much they will prevent tracking of clicks on Yahoo or Google adverts. That would actually make their tracking system useless.

Tracking systems should track advertising… period

In many ways anyone looking to earn revenue from their blog should demand more tracking and interoperability and not less.

MyBlogLog could easily become a universal tracker for the masses, it is so easy to switch between different sites to check stats, and Google Analytics for an average user is a little confusing.

I am not in a position to prove whether Yahoo ads can be tracked with Google Analytics.

With Adsense the code can be placed on any site, so I could just stick some Adsense on this site for people to test, either with my own publisher ID or… someone elses.
I am not sure whether that works with Yahoo, they might lock advertising code to a particular domain in their beta testing, but I am not going to use someone elses Yahoo code just to prove a point.

The Danger Of Controversy

Now if your content is deliberately controversial, and especially regarding hacking, you are not just placing your MyBlogLog account in danger.

Yahoo YPN Terms

Here is a small excerpt from the YPN FAQ

We will not show results on pages that contain problematic content, including but not limited to:
[snip] # Propaganda, potentially offensive or controversial content
# Defamatory, libelous, threatening or other material that advocates against any individual or group
[snip] # Political, religious or charitable organizations, issues or causes
[snip] # Hacking, surveillance, interception or de-scrambling equipment

Google Adsense Terms

Taken from the Google Adsense Policy:-

Sites displaying Google ads may not include:

* Violent content, racial intolerance, or advocacy against any individual, group, or organization
[snip] * Hacking/cracking content
* Deceptive or manipulative content or construction to improve your site’s search engine ranking, e.g., your site’s PageRank
[snip] * Any other content that is illegal, promotes illegal activity, or infringes on the legal rights of others

The wrong kind of linkbaiting is seriously playing with fire, though some people it seems are meant to have asbestos suits.
Whlist I don’t have YPN or Adsense on this site, I have been very careful not to link to anything that has hacking related content, and as far as I am concerned, Shoemoney is now effectively “grey boxed”, a bad neighbourhood to link to containing hacking information.

If someone wants a link condom plugin so they can make all links to Shoemoney nofollow just let me know, it would be easy to modify the Wikipedia nofollow plugin. Hmm I think Matt Cutts might even have linked to Shoemoney in the past, it wouldn’t be good to link to a hacking site.

Today for the first time I am actually ashamed of Techcrunch, Michael Gray, Lisa Barone, and Duncan Riley.

For some true reflections on MyBlogLog, which I actually feel are unbiased despite being a sister company, try a co-founder from Flickr.
I can even claim a gripe against Flickr having a 2 month old support case on commercial usage that I really should “bump” again, but that is in all honestly my own fault. If I haven’t had a response, and I still have a problem after a few weeks, I should chase it up.
Sometimes honest communication does get lost – I have at least 2 issues with Google that haven’t been responded to, one regarding use of Google CSE with Toolbar Buttons, and for some reason no response to submission of toolbar buttons I have created.

MyblogLog have responded to the adverts tracking feature.

Unfortunately Eric has succumbed to the Wolfpack of lies, and just made Shoemoney, the guy who started his MyBlogLog recruitment campaign by carefully selecting and inviting 8000 contacts as “featured user” in the MyBlogLog panel. I am sickened. Shoemoney hasn’t removed any of the previous posts. Was he threatening to expose more?

Update:

Pamela Heywood puts some nice perspective on the tracking situation after examining the Google terms of service.
I would like to point out to Tony Hung that he doesn’t have a comments policy on the Blog Herald or on Deep Jive Interests. You really shouldn’t block people from comment spamming you without some kind of ToS or policy. I wonder if he realises that it is almost impossible to use any tracking service without some conflict of interest or insecurity, and he will need something if he is going to monetize his blog. In fact I don’t personally know of any tracking service or script that doesn’t represent some risk or conflict.
Mathew Ingram has made a fairly balanced post, but I think he like others might not be aware that Shoemoney was specifically asked not to post another exploit without giving a heads up.
I would love to know what Thomas Hawk would do if someone was attacking his servers with a denial of service attack… maybe block their IP? What happens if someone was trying to hack into private data? Block their IP?
Would he send them an email first asking them to kindly notify him before revealing whatever exploit the hackers discovered.
I wonder how much it would cost to pay an East European programmer to come up with some Zooomer hacks and exploits, or maybe Indian would be slightly cheaper. It seems that as long as you are not looking to change the data on Zooomr, then any hacking is allowed, and providing information on how to change data or tools would also be within the ToS.

Unauthorized attempts to infiltrate the Web Site electronically for the purposes of changing some part of the service are actively monitored and are prohibited. This includes, but is not limited to, ‘cross-site scripting,’ ‘worms,’ ‘viruses,’ and ‘trojan horses.’

Then again maybe you don’t really need a ToS (though MBL do have one now) to prevent someone hacking you or causing disruption for your clients.

Actually, if you read the ToS from Yahoo, it looks like it is a blanket ToS that covers all Yahoo services. Obviously as most people at one time or another have established a Yahoo account, everyone has read the Yahoo ToS at least once, and would know that it covers all Yahoo services, including any new services introduced.
Thus the Yahoo ToS has been in effect since the day MBL was acquired by Yahoo. Yes I am sure they forgot to link to it, and maybe they should get you to agree to it again when you next log into MyBlogLog, just to avoid any confusion. I am sure everyone would have read the ToS if it had been linked to from the MBL page.

Realistically, no one reads terms of service completely, but most people are aware of what is looked upon as good conduct. Hacking isn’t looked on as being socially acceptable unless you are a 14 year old script kiddie.

Update 2

There seems to be some confusion regarding how visible the advertising tracking might be, and the confusion is predominately among high traffic blogs who have so many external clicks that any Adsense clicks would be right at the bottom of the list.
You have to remember that the majority of MyBlog users that everyone seems to be so worried about, and encouraging to abandon MyBlogLog are lucky to have 100 unique visitors per day, and don’t get as many external clicks. They are much more likely to see the advert clicks and rather than be worried about it, they are going to be happy, and rush off to discover they made $0.20 in their Adsense account – yes, if you are only receving one click per day you can get fairly granular about how much it was worth.

Here is a screenshot I have taken from an account that is not upgraded, and clearly displays some Adsense clicks. Just a thumbnail you can click for the full size as I wanted it to be very clear that this was a basic free account.

MyBlogLog Adsense Clicks
I did modify the image to remove data that could be used to determine CTR for the short period of time these stats were for this morning.

Update 3

Here is a write up on MyBlogLog I missed over the weekend by Rex Dixon, and he doesn’t mince his words.

Technically Speaking, Shoe screwed Shoe. If he was really concerned about security, he could have reported it to the MBL crew asap via proper channels. What is that? He could have messaged Rafer, Eric or anyone else at the MBL staff. He chose to make more money for Shoe, and for that Shoe, you got booted. Please don’t come off as the innocent and hurt entrepreneur to the world. When I worked in the IT realm, YOUR type was the most scary to deal with.

Conclusion

This is my last update on this post, but nothing is really concluded. The hacking information is still being displayed along with Digg buttons. The poorly researched tracking story is still there as well.

Lots of bloggers jumped on this hackbaiting train, with poorly researched material, and even possible conflicts of interest or lack of disclosure.

I have seen people suggest that MyBlogLog banned Shoemoney for the exposure – what a badly thought out statement. They don’t need to rush promotion or increase support or PR time. They are still working on migration to new servers, hiring a community manager, probably looking for other staff to help with the problems of a growing demanding user base.

Then there are the “unknowns” like Measuremap that Google recently purchased. I have no idea what data that service tracked regarding advertising, possibly not just Google Adsense. Measuremap has been in private beta for as long as I can remember, though Michael Arrington still uses it on Techcrunch for more than a year.

I am sure there is going to be more on Techmeme all weekend.

Liked this post? Follow this blog to get more. Follow

Comments

  1. says

    Andy, your side of the argument is insightful no doubt. And having read it twice to get a better understanding of it, I do agree with you. But you have to also understand why people are unhappy with MBL and not ShoeMoney.

    For one, MBL was created to track external clicks. The ad clicks feature was added later on, therefore making the number of people knowing MBL was tracking ad clicks far from many, not to mention when they had implemented that feature. In fact, nobody had ever written on that. To have it exposed or reported so suddenly esp. since a fiasco with MBL and Shoe is going on, and from the latter’s mouth would surely put MBL in bad light.

    While I do not think this is a scandal, I also do not think of MBL as an “real” analytic software (at least not yet) so the fact that it is tracking my ad clicks makes me feel uncomfortable and probably others feel so too.

    As per your latest insight, ShoeMoney was indeed wrong to have posted the IDs without first contacting MBL, and with that, probably deserved the ban. Yet, the ban has solved nothing but added fuel instead. Was it a wise move? Not necessrily by looking at the repercussions.

  2. says

    Leonard many are blogging about this either based on existing friendships or the chance at linkbait, and for them it has worked.

    I have had the ad clicks reported for as long as I have been using MyBlogLog, though the only site where I have Adsense and MyBlogLog together is my WordPress plugins site, which isn’t a pro account.

    There are lots of 3rd party services – I don’t think Yahoo’s involvement makes any difference.

    When you start looking in-depth at the ownership of every advertising tracking company, Yahoo seems like the best option. If you run scripts, your hosting company has access to the databases, and with the way sites have been hacked recently, that is just as much liability.

    As just one example, and I don’t want to infer any negativity, as I love the idea of the service, Crazyegg which everyone loves can track clicks on adverts. Crazyegg is owned by reputable people in the industry. The same people also now have financial ties with Text Link Ads.
    Have you read any scandal stories about tracking or their connections? No – there is no personal vendetta.

    Some people have managed to have their Adsense account switched back on after they have been banned, simply by providing accurate tracking data. That is data which Google Analytics by default cannot provide.

    Effectively you have to use a 3rd party solution of one kind or another and I am fairly sure 90% of people using Adsense don’t currently use any.

    Whilst the interface isn’t very advanced for ad tracking, I am sure that can be fixed. If you had a problem with an Adsense ban for fraudulent clicks, and you were finding it difficult to extract data from MyBlogLog, I am sure some kind of solution would be possible, because the data has been collected, is secure, and can’t have been manipulated in any way.

  3. says

    I’m a total z-lister, but I’ve been mulling over talking about this for the past few days. The insanity about this dust-up is that the “wronged” party in this case is someone who games search engines and social media for a living.

    I hold no ill-will towards SEO or SMO experts, and I love me some Digg and some widgets (in fact, in my day-to-day job at a shared web hosting company, we’re trying to implement such tools to reach out to our customers). But the gall of someone who makes his living exploiting the very systems that he then moaned about being banned from takes a whole-nother level of nerve.

    I used to read folks like Andy Beal and considered him alongside Danny Sullivan as a much read in the SEO industry, as it was about how the engines work and how to optimize your site to rank well. He’s lost a lot of shine in this mess, as well (for what it’s worth, I agreed with Jeremey Zawodny in their little beef).

    What I’m slowly learning, from both the web hosting industry and this field of SEO/SMO is that there’s a distinct and defined line between the dorks and the marketers. It used to be that the two groups had a bit more of a give-take relationship, but lately I feel like the SEO and SMO marketing folks have moved away from optimizing within the scope of the tools (search engines, digg, widgets, or in my industry — overselling) and instead do it at the expense of the users. It’s distasteful. This is just the latest in that linkbaiting trend. Pissing and moaning about being banned from a free tool that you’d spent weeks demeaning is just about the last straw for me.

    That was a bit long-winded and probably should have been on my blog, as opposed to your comments, but I appreciate the outlet.

  4. says

    Ryan glad to have provided somewhere as an outlet, and it wouldn’t have mattered to me if you had posted the opposite to my own opinion. Everyone is entitled to their views.

    I read Shoemoney’s blog – sometimes he posts some great worthwhile content, but I totally agree there is a line, and he among others is crossing it more and more frequently in my opinion.

    I am worried about the knock on effect – I know how many good hackers there are out there who would look on this as fun, and any pocket money just a bonus. I am not talking typical script kiddies

  5. says

    I’ve been following this saga. The ‘startling revelation’ Shoemoney posted about the ad-click tracking was totally calculated. What half-way serious Adsense’r could fail to notice the ad tracking the very first time they checked their MBL stats? Duh.

Trackbacks