A Federated Media For Podcasting

John Battelle’s Federated Media is a medium sized company which aggregates the eyeballs of several of the worlds most popular blogs (including the highly influential and chaotic Boing Boing), and sells them to advertisers.

Result – blog authors can finance their writing and the growth of their sites, while advertisers get a single point of content to help them target and run campaigns. There’s an instant firewall around editorial decisions – as advertisers have no direct input into blog content; and sites can choose to accept only advertising that accords with their perspective (and *puke* branding). Advertisers get an instant audience (Boing Boing alone gets 3 million uniques a month), cheap.

Why does this not yet exist for podcasting?

While individual podcasts garner listeners at most in the hundreds of thousands (although there are perhaps a few that crest a million uniques) together they represent an growing, economically solvent and highly educated audience. An audience, in the US alone, of over 18 million listeners!

There are organisations like Adam Curry’s ‘Mevio‘ (formerly Podshow Network). These guys throw automated adds into hundreds of small – medium casts, and provide a revenue stream; claiming exclusive rights to content for contract duration in return.

What I’m suggesting here by contrast, is a limited service that would work with top 20 or 100 (independent) podcasts only- dealing with advertisers directly in geographically specific markets (this is how itunes distinguishes its podcast rankings, which largely dictate downloads); and allowing podcast hosts to craft their own discursive in-show adverts, in their own voice – as Leo Laporte does in his enormously popular This Week in Tech podcast. This way, advertisers get known quantity shows with large, established audiences and (internally) consistent content and presentation. While at the same time growing indies can fund production costs and the development of their creative enterprise- via a personal relationship with a single company, who are ‘on their side’. The reality of ‘new media’ is that (especially in audio production, but increasingly in video) a small group working with a tiny budget can create compelling, high production quality content. What they cannot do, is replicate the services of a sales force. Nor should they try, as direct advertiser / editor contact, almost inevitably results in watered down, less appealing creative work (or ‘content’, for you marketdoids).

Marketing on Demand for Authors

Small publishers and independently published authors are increasingly switching to Print On Demand (POD) services for short run (in the low thousands), academic and older titles (slow but steady sellers). Companies like Lightening Source provide a dirt-cheap ‘just in time’ printing facility, with constant improvements in the quality of the finished book. Additionally such POD services facilitate ISBN numbers (which allow bookstores to order and stock a title) and work closely with Amazon to ensure books are available to purchase (and more importantly deliver quickly) online.

These companies also remove the distribution headache, delivering directly to the public and retail, without the necessity of publishers direct involvement. Such services are not perfect. The finished product may not always rival a traditionally printed book (and of course the design is still reliant on the talent of the publisher / author side artist). More importantly POD cannot replace the direct relationships between publisher and retail chain / indie bookshop, which dictate placement of the book at retail, how long a title is stocked, and whether it is for sale at brick and mortar stores at all. Accepting that, they can be an important tool for small publishers who wish to take a risk on a book they could not otherwise have published, or authors who have a pre-existing audience they can sell to directly. I’m thinking of the Wil Wheatons and Amanda Palmers of this world- actors, musicians, and fine artists who maintain a direct relationship with their fan communities, either through blogging, podcasting, convention appearances or what have you. Personalities who may obtain much greater targeted sales dealing with their audiences directly. Here’s an interesting quote from the Wheaton interview linked in the last sentence, on his experiences with his book ‘Dancing Barefoot’..

The publisher insisted on marketing it in a way that did nothing to expand the audience I was already able to reach on my own, and basically blew me off when I repeatedly begged them to change course. I hired a PR firm at great expense, and they did pretty much the same thing. I vowed that I would never again go the “traditional” route with my future books.

So POD is great, but what’s this business that’s missing?

What’s missing is a marketing firm specially tailored to the needs of micropublishers. A company that knows the net, understands how to build an audience, AND can work with traditional media outlets to arrange interviews, reading tours, store promotions and television, radio and new media advertising. This is the one facet of traditional publishing that has not been replicated as a paid service.

With the suicide of the music industry, musicians are abandoning record labels to deal directly with, and sell directly to, their audiences. Probably the two best known examples are Radiohead’s In Rainbows release, and the Nine Inch Nails record Ghosts, which were both released directly online using donation, and fremium models respectively. Both records sold extremely well (in Radiohead’s case, better than their previous three albums).

What’s less well known outside the industry, is that artists are turning to next generation promotion companies like Live Nation, to handle the other important aspects of getting music out there- promotion and touring. These are services that an artist (beyond a certain popularity) cannot themselves handle without a label or label replacement. More importantly, as the perceived value of music recordings drops to zero (as will inevitably happen with books, Kindle or no Kindle), such tours provide the revenue stream that musicians need to keep creating.

Where is the equivalent in publishing? Where are the television and radio adverts for books? Where is the radio talk channel devoted to the enormously popular audio book genre? Who is organising paid and highly publicised public readings? Who is organising and promoting book tours for a set fee or a percentage of profits? Answer- no one. This is a service that could work at a variety of levels, from festival main stage readings by Chuck Palahniuk, to book promotions of unknown but compelling new fiction and non-fiction authors.

Two businesses that should exist, but don’t. Yet.

Synopsis:

I detail my experiences with a WordPress hack across multiple shared hosting sites, the steps taken to recover WordPress and secure against future attacks.

Introduction:

On the December 15th I discovered a number of my WordPress installations had been compromised. Rather than a concerted attack, this was likely the result of widely available scripting tools that allow ‘crackers’ to exploit known vulnerabilities in out of date WordPress installs. Due to the large number of WordPress installs on my server, and a reluctance to run bleeding edge software, I’d been a little remiss in updating WordPress. While none of my installs were more than a couple of months out of date, 5 of my 8 WordPress installs were infected.

Viewing the source code of my sites in Firefox confirmed that advertising links had been inserted directly into the wordpress PHP code – behind a DIV visibility tag – presumably to increase the Google ranking of trojan or spam sites. Additionally, the SQL databases in which WordPress stores it’s data had, in several cases, had additional users added. These fictitious users were most often called simply “WordPress”.

I’m going to outline in this post the steps I took to deal with this infection and to reduce the chance of future attacks. I’m not a security professional, or even a programmer, so my advice is provided ‘as is’. Implementing these measures won’t protect you from a dedicated hacker – if someone wants to crack your website in particular, especially on shared hosting, no amount of effort will stop them. However, these techniques should recover your site, and make WordPress a little less vulnerable to automated scripting attacks.

Option 1 – The Nuclear Option

After you’ve been hacked, the best way to ensure that WordPress is completely free of nefarious links (which can be hidden in obscure lines of code in your theme, WordPress itself, or even plugins), is to use WordPress’s export feature (Tools -> Export) to download an XML file of all of your posts. You can then set up a new directory on your server, install WordPress from scratch – using a new database, new passwords etc, and import all of your previous posts. Finally you can delete your original WordPress install and database.

This method however, has an enormous number of drawbacks. Not least is that you’ll have to manually copy your uploaded media files to your new wordpress folder – either by downloading them and reuploading them via FTP or SFTP, or by copying them using a shell command like scp. [Aside: If you have shell access to your server, you can login using terminal on OSX, or a programme like Putty on Windows]. You’ll also need to confirm that your .htaccess file rules and permalinks structure are replicated in the new install. Likely too, you’ll have to manually update the location of images in each of your old posts, or run an SQL command from phpMyAdmin to do this. Any customisations you’ve made – and failed to back up – to your WordPress theme, will have to be manually redone. Finally, you’ll need to manually rebuild all of your blogroll and other sidebar links, as these are not included in WordPress’s export.

I was forced to do the above for one of my WordPress installs (actually this site) which refused to work after an update to the latest version (at the time of writing 2.7). This method should be reserved for situations when (the user front end of) WordPress has broken down after a hack and attempted repair, or when you have reason to believe that changes have been made to the SQL database underlying WordPress: specifically, changes you may not be able to find or safely remove.

Don’t forget, you’ll still need to check the content of individual posts, as it’s possible – though unlikely – an attack may have pasted spam links into posts themselves – see ‘Checking for Damage’, below.

Option 2 – The Conservative Option

When it came to most of my WordPress installs, cleaning the infection was less arduous. First of all I upgraded (via SFTP, FTP’s encrypted brother) to the latest version of WordPress. SFTP is available in most FTP clients (E.G.: Filezilla, Fetch), although your host may not support it.

Next I deleted any unusual WordPress users, and changed the passwords of my existing users. You can do this pretty safely in phpMyAdmin, which you should be able to access from your hosts admin panel. Instructions on changing the passwords are available here – wordpress allows quite strong passwords, including symbols. You can generate new passwords using a variety of online services, like this one.

It’s also advisable to change the wordpress ‘admin’ user name to something else, you can do this in phpMyAdmin when you are changing the password – just remember to keep a (secure) copy of your new login names and passwords!

To delete dodgy users simply delete their fields in the ‘browse’ view of the wp-users section of your WordPress database (again in phpMyAdmin). Hint: If you can’t remember your database login and password information, you can find it stored (unwisely) in plain text, in your wp-config.php file, which you can get to via SFTP or Shell.

Next I changed the user passwords of my SQL databases to the strongest allowed by my host. In Dreamhost this is done in the admin panel, by going to Goodies -> Manage my SQL -> Users with Access, and clicking on the user name listed in your wp-config.php file.

Just to be clear, these are not the WordPress passwords stored in my databases (the ones I use to login to wordpress), but rather the passwords of the databases themselves (the ones I recovered from the wp-config.php files). After I’d changed my SQL user passwords, I also need to update my wp-config.php files with the new passwords (so my WordPress installs could login to their respective databases).

So to recap. So far – for each of my wordpress installs – I had 1) reinstalled WordPress, 2) deleted strange users, 3) changed my database user login name and password, both in my host’s database management panel and in WordPress’s wp-config.php.

Checking for Damage

Now I needed to check that there were no remaining stolen advertisements or malware scripts hanging around WordPress. I did this in two ways. First I checked my sites themselves, as the world see them, by surfing to each site in turn, and checking the outgoing links on a variety of pages. Firefox used to have a feature which did this automatically, but this has been deprecated in recent releases. Fortunately you can reinstall it via this plugin. After you’ve installed the plugin and restarted Firefox, just go to Tools -> Page Info -> Links, in Firefox, to see the links present on any page. It’s an excellent way to quickly scan for links that shouldn’t be there.

Second, I checked (as best I could) that there weren’t any strange scripts or backdoors left in any of the WordPress themes or files left over from my update. As this can include an enormous number of files when plugins are taken into account, I completely removed all plugins from my WordPresses, and reinstalled each of them.

Getting plugins set up is now much easier – as the latest version of WordPress allows you to install them directly from the dashboard, without having to download, unpack and upload manually.

Once I’d done this, I checked the remaining files (i.e.: all the contents of my wp-content folder, except my new plugins) in a text editor via SFTP. This can take a while, and it can be difficult to know exactly what your looking for, especially if like me your knowledge of PHP comes from playing around with WordPress. As of right now, I’m not aware of any automatic way to confirm the integrity of these files.

Ok – so at this point I’d updated my WordPresses and cleared out any dross left over from the attack. What could I do to protect from this happening again?

Protecting WordPress From Future Attacks

Backups

Database backups won’t protect WordPress, but they could make it a great deal easier to restore my databases after any future attacks.

A variety of plugins have been designed to optimise this process. I use WP-DB-Backup, however backups created via WP-DBManager might be easier to ultimately restore (however this plugin has not been updated for the latest version of WordPress, so use at your own discretion).

With DB Backup, I scheduling an automated emailed backup once a week. I set up a new Gmail account created for this purpose, with a strong password – as these backups include all of my WordPress passwords and content (although passwords are MD5 hashed).

I also created a Gmail filter which lets through all emails containing “WordPress Backup” (the subject in emails created by WP-DB-Backup), as some hosts (including my host Dreamhost) have made Google’s greylist, and emails can get automatically discarded to the spam folder.

Next, I manually backed up my customised themes, something I’d neglected to do as often as I should have.

NB: It wasn’t enough to secure just WordPress. I needed to update and secure other CMS installs on my server, as it only takes one compromised service to infect your server with hideous nasties. For me, these included Gallery 2, MediaWiki, and Moveable Type installs. I also used this opportunity to delete older unused CMS’s and databases which were creating a risk on my server.

NB2: I learnt not to rely on Google to tell me if my sites have been compromised. While, Google do automatically scan pages, advising surfers and webmasters if pages have begun to carry a payload, it’s worth noting that despite 5 of my installs becoming infected Google only notified me of 2 of these penetrations.

In other words, if you haven’t updated WordPress for a couple of months, and or if you’ve discovered an infection on one of your sites / installs, it’s highly advisable to manually check all of your sites.

Securing Access To My Host

The ability to recover after a hack is reliant on access to your host’s (in my case Dreamhost) admin panel. I strengthened my password, and confirmed that my account details – phone number, security questions, associated email accounts etc, were up to date.

I chose to turn FTP off altogether, in favour of SFTP (FTP with SSH encryption). On Dreamhost, I did this in manage users -> edit -> tick ‘disallow FTP’.

Your host may also provide specific security functionality to help you lock down access to administrative functions. For the rest of this section I’m going to list Dreamhost specific security options.

Dreamhost Specific Security

I enabled Dreamhosts enhanced user security, by going to manage users -> edit -> and ticking ‘Enhanced Security’.

I also manually backed up my entire account.

I checked that no one else had access to my account, in account privileges.

Dreamhost allow you to link your login to their admin panel to a specific IP. As I’ve got a static IP address and only need to access my admin functions from a limited set of locations, I did this in Edit Profile section of the Dreamhost admin panel. In Preferences -> tick ‘ Require email confirmation…’.

NB: If you’re planning this, make sure that your correct email address is saved here, and that it is working. Once you enable this option, you’ll be logged out of your web panel till you confirm access to your IP address by email.

WordPress Security Plugins

A variety of plugins are available to improve the (pretty awful) default level of security in WordPress. I’ll list the ones I found useful, and briefly outline some of their functionality.

1 – WP Security Scan – Scans WordPress directories for appropriate permissions, automates production of strong WordPress passwords. The makers promise new features, including WordPress admin protection and one click folder permissions change, in future releases.

2 – WP DB Backup – See backups section above.

3 – Login Lockdown – protects WordPress against brute force / dictionary attacks. It’s something that you might assume WordPress does by default. It doesn’t.

4 – Bluetrait Event Veiwer (BTEV) – This fantastic plugin provides a widget (which I dragged to the top of the dashboard for instant visibility), letting you know who has tried to login to WordPress (and whether or not they’ve been successful), what emails have been sent from your install, what plugins have been activated or deactived, and lots of other useful stuff.

5 – AsakApache Password Protect – I actually haven’t been successful in enabling this plugin in a dreamhost shared hosting environment, but it may be useful for you. The plugin protects a variety of WordPress folders from third party access. If the PHP environment ever crashes or is horribly misconfigured on your server, as happened to Facebook, this could prevent the outputting of raw code, passwords etc, to anyone who loads the right address.

NB: Be careful with this plugin – if it locks you out of wordpress folders incorrectly, you may find your wordpress install inoperative until you manually remove (via SFTP) both the plugin and all of the .htaccess files it has created.

6 – UTF8 Sanitise – After I updated wordpress across my sites I found a huge number of older posts containing odd characters where accents, umlouts and punctuation should be. What happened is that more recent WordPress versions display characters using UTF8 rather than latin characters. So anywhere I’d cut and pasted from word, the web or acrobat into WordPress, I found that extra characters had been added. UTF8 Sanitise lets you manually resave older posts, repairing their encoding in the process.

You can also do this for all your posts at once using UTF8 Database Converter, but again this hasn’t been updated to work with WordPress 2.7, so I’d be cautious using it (considering the database modifications).

Conclusion:

With such an enormous number of blogs being attacked, and such a short time between vulnerabilities being discovered and exploited, it seems the perfect time for the equivalent of anti-virus to emerge – software to actively scan for vulnerabilities and nefarious changes to WordPress, and indeed such scripts are becoming available. One such tool is WP Scanner, which uses a combination of wordpress plugin and website to check for vulnerabilities.

NB: Once again, be careful uploading .htaccess files to wordpress subfolders. On my server, using .htaccess to block outside access of wp-content or wp-admin folders severely impairs wordpress’s functioning.

For more information on securing wordpress, check out BlogSecurity’s whitepaper on the topic.

The most important thing I’ve learned is to update WordPress, as soon as possible after a new update – ideally within days. This is fortunately now a lot easier with WordPress’s automatic update functionality.

I’ve wiki’d some notes on event. Ina O’ Murchu of DERI should be posting videos of the talks in due course.

Particularly interesting was the response of designated Bebo’s spokesperson, Mark Tarbatt of webvertising firm Generator, to my questions about potential Bebo censorship. The impression Mark (whose firm seem solely responsible for selling branding on Bebo, at least in Ireland) gave was that, in the event of a conflict between a user video or community (the example I provided was a hypothetical ‘killer coke’ video on Votetube’s bebo profile) and a Bebo advertiser, such a user or community could be removed. This seems credible given that Mark stated Bebo’s recent adoption of comment moderation occurred not in response to problems of user abuse or sexually explicit spam, but to satisfy the desire of Coca Cola (a bebo advertiser) to prevent ‘harassment’ on it’s branded bebo site.

A quick search of Bebo indicates the existence of just such a conflict.

Update: Jackdawfool.com it is.

As in..

The lions sing and the hills take flight.
The moon by day, and the sun by night.
Blind woman, deaf man, jackdaw fool.
Let the Lord of Chaos rule!

To access the feature, log into your Gmail, click ‘Settings’, and open the ‘Accounts’ tab. This feature is not yet available on my account, so don’t be too surprised if you don’t currently have it enabled.

Via: Techcrunch.

Addendum: Normally I wouldn’t repost a story from such a widely read source, but I actually received news of this in an email and had the post written before I did a citation search, so what the hey!

TCD email users may still forward their email, ridding themselves of the horrible kludge of Trinity email altogether.

If many young students are not yet using modern technology to express themselves, three have done so successfully. Technolotics.com is billed as an irreverent look at technology, politics and the media by three Irish students and for a year it stood as one of the few Irish videoblogs.

Technolotics is cheap and cheerful and it proves an important point. Viewers don’t need RTE-grade production values to engage with new personalities. Technolotics found an audience.

Makes me happy and sad at the same time. At last a media mention from someone we hadn’t met personally, but unfortunately a little after the ship has sailed. Sadly it doesn’t look like a Trinity Digicast society is going to become a reality this year, but who knows, perhaps after this whole final year project ship has sailed, I’ll have the energy for another podcast or vidcast project. There are definitely more avenues to explore in this space than are currently getting attention, particularly in the sketch comedy area.

C:\>ping uk.mail.yahoo.com

Pinging rc1.vip.ukl.yahoo.com [217.12.6.29] with 32 bytes of data:

Reply from **.***.***.***: Destination host unreachable.
Reply from **.***.***.***: Destination host unreachable.
Request timed out.
Request timed out.

Ping statistics for 217.12.6.29:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Not getting anything from google news, technorati, or google blog search on this – but I’ve tried accessing through a few proxies, so it’s certainly not a local problem (although it could certainly be limited to a small subset of Yahoo’s tens of millions of users). This brings up two issues, our current overdependence for our communications infrastructure on large, centralised, commercial providers who aren’t necessarily capable or willing to ensure quality of service; and the difficulty of getting accurate timely information about recent events on the web.

Update: Mark Stephen’s latest Cringely column happens to focus on the latter issue.

Update 2 (01:09, 24/7/06): Problem’s now been going on for at least 12 hours! The only thing close to an explanation I’ve found is (a completely unreliable) post on yahoo answers.

I’d suggest four broad possibilities..

1) Difficulties with the MSN / yahoo messenger integration
2) A technical failure / power outage / viral infection in yahoos systems
3) A continuing denial of service attack
4) DNS misconfiguration

In any case, its monstrously unprofessional of yahoo not to have made an announcement by this point, and a sorry confirmation of the Cringley column’s criticism of news reportage in the blogosphere.

Update 3 (09:30, 24/7/06): Sites backup..Outage wasn’t quite 24 hours then..Pfft.

Firefox 3, or its equivalent, won’t function primarily as a traditional link / url -> page display browser, rather, users will navigate through outline directory trees to reach their ultimate content destination – which may be any of a whole variety of open document types, inclusive of audio, video, and traditional text / graphic / interaction models.
Nodes will be linked dynamically, and updated at numerous trusted hubs (the del.icio.us’s of tomorrow). Such links will create sub webs, navigable and discoverable through reputation systems, tagging and recommendations.
Further, users will not merely navigate such OPML trees laterally, but through any of a whole variety of interface paradigms.

Where today each link on a site sits in relative isolation, the browser of tomorrow will aggregate all links on a given page in real time, construct and meaningfully ‘geographically’ categorise link feeds, which will provide both an additional outliner navigation layer, and a new means of scanning the content laid out within a document. This will be the hardest element to get right, as it departs most radically from out the web works today. My guess is that the ultimate solution will be something like newsvine, dynamically constructed, parsed through link, feed, and generator templates (e.g.: blogging engine, CMS) from any given page site or outliner – both in real time by the browser, and by next generation sitemaps (in reality linkmaps). Think google news, for every site on the web (and its linked sub pages and sites).
Todays feed grazers could be the templates for tomorrows browsers. Such browsing paradigms may finally provide an advantage for three dimentional interfaces – though my guess is two dimensions will remain more comprehensible and intuitive.

A few more interface ideas before I lay down the crystal ball. Pre-cached feed branches displayed as graphical document previews in a mouse over ‘mind map’. A home feed bucket which rises from the browser bottom to catch feeds, pages and documents dragged and dropped (think OS X’s dock, with icons representing not programmes, but outlines in your home OPML). Or how about a dynamically generated zooming interface like Jeff Raskins Archy project.

The best part is, such novel methods of navigation could be implemented today in AJAX as proof of concept, sitting on top of the web as a hotkeyed interface, which is arguable what the Flock guys are positioning themselves to do; but ultimately such technologies are unlikely to be fast enough to produce a robust solution.

As we all gradually transition from getting our news and information from a series of site visits, to subscribing to tailored feeds of postings, postcasts, vidcasts and media streams, methods of rapidly, accurately, and inclusively navigating the morass of information will become increasingly important.
Already I’m finding it difficult to track my feeds through a unified single window web service. There are lots of alternatives: Netvibes, and Page Flakes will allow you to keep a live front page of headlines – but pageflakes cant yet browse deeper into the feed, and netvibes takes up too much space displaying headlines to allow more than a dozen feeds to be easily tracked.
Bloglines allows you to create a publically accessible page listing all your feeds (check), and lets you easily keep track of numerous feeds (check) – but won’t display storys linked by enclosure clips within the ‘frame’ of its interface. No (online) service yet seems to be everything I’m looking for; essentially a less ugly version of Feed Show, which lets me offer a public front end, eats its feed live from my own ompl XML, and can display audio and video content (ideally with live conversion to flash) – why should I have to log in just to read my feeds, and shouldn’t I also be able to easily present a link to them on my website?

None the less, aggregating feeds has gotten easier. With a service like OPML Manager, you can (for the moment painstakingly) create an opml feed containing all your RSS and URL links, ready to be thrown into the feedgrazers which are almost ready for prime time.

Thanks to OPML Manager, and the insanely cool OPOD javascript OPML viewer widget, you can now view my opml feeds live on this site (see sidebar – below Digicasts) [Link via Eirepreneur!].