Monday, June 29, 2009

Free or Fee: Gladwell vs Anderson

In a previous post, I explained why WASP isn't free, and recently, I promoted my consulting services with the headline "Web Analytics brain available - for a fee" and I've done my share of inflammatory posts about the utopia of "Free".

Malcolm Gladwell, author of three books I loved reading (The Tipping Point, Blink! and Outliers), replies to Chris Anderson, Wired editor and adulated author of "Free: The Future of a Radical Price" (honestly, I read the article and had enough).

I go with Daniel Tunkelang, blogger at SmartDataCollective, who wrote "Malcolm Gladwell to Chris Anderson: No “Free” Lunch", which led me to the New Yorker article "Priced to sell: is free the future?". Tunkelang says:
Ultimately, Gladwell dismisses Anderson as a “technological utopian.” That’s harsh, but I think it’s on target.
I agree.

In his usual style, Gladwell brings very good arguments to go against Anderson's views:
Free is just another price, and prices are set by individual actors, in accordance with the aggregated particulars of marketplace power.
Why are the self-interested motives of powerful companies being elevated to a philosophical principle?
Apple may soon make more money selling iPhone downloads (ideas) than it does from the iPhone itself (stuff). The company could one day give away the iPhone to boost downloads; it could give away the downloads to boost iPhone sales; or it could continue to do what it does now, and charge for both.
    Hmmm... Enough said :)

    Wednesday, June 24, 2009

    Google Analytics targeted by hackers

    The Twittersphere is on fire over a Google Analytics support forum thread. I was chatting with Eran Ben Sabat, a London-based fellow web analytics consultant who said "have you seen the latest with the GA code? The regex thingy sending traffic to another domain". I relayed the info on Twitter, which was picked up by several people and started to spread like crazy.

    This post is a summary of several threads and resources about this exploit.

    Is my GA being hacked?

    The thread shows several accounts of websites using GA where the default implementation script was replaced with a gibberish string of JavaScript code. It's fascinating to see the thread evolve with the help of people contributing various hypotheses: FTP security, software hole, etc.

    Have you been infected?
    1. Visit your site home page
    2. Do a view source
    3. If the typical Google Analytics script code block contains a string of weird characters, your site has been infected
      (another similar exploit uses an IFRAME, so check your source code for something like "document.write("<"+"i"+"f"+"ram"+"e"..., which creates an IFRAME referencing a site named "trughtsa.com")
    Tip: To help identify if Google Analytics isn't behaving as expected, you can install the Web Analytics Solution Profiler. If it doesn't show Google Analytics while you expect it, check your source code.

    The exploit is as follows:
    1. http://www.google-analytics.com/ga.js is being changed by the regex to
    2. http://91.212.65.148/ga.js
    3. which runs http://91.212.65.148/image/pfgt.php
    4. this executes an Adobe Reader exploit, BID 27641 and BID 34169 (Symantec calls this Bloodhound.Exploit.196)
    5. files with typical names such as login, index, default, home with PHP, ASP or HTML extensions are targeted
    Bloodhound.Exploit.196 is a heuristic detection for files attempting to exploit the Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641) or the Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169).
    http://www.symantec.com/security_response/writeup.jsp?docid=2008-080702-2357-99
    We now have an explanation of the exploit, but we still don't know how the code is being altered.

    The injection

    Some accounts report as much as 25% of Joomla (a popular platform running on Apache servers with PHP) forum posts being about this, and several other threads discuss similar issues. The reality: the injection exploits weak security settings on Apache HTTP servers and unencrypted FTP passwords saved by popular tools used for editing websites. Once a client machine is infected, all commonly used tools are harvested to collect more unencrypted FTP passwords and contribute to the dissemination of the attack.

    Is it a Google Analytics security issue: No
    Is it a Google Analytics exploit: Yes

    This hack is not a Google Analytics security issue, it is not an Apache or PHP issue either. It is a server security & maintenance issue. Some fellow tweeters have pointed this out, however, the onsite malicious javascript code is disguised as Google Analytics code.
    ...as the onsite malicious javascript code is disguised as Google Analytics code, then and it may have implications for the trust in the Google Analytics brand. Thus it might be worthwhile for Google investing resources trying to help web developers fix and also prevent from happening in the future.
    The 1st message in the forum thread was on June 16th, and the 1st Google employee reply came a week later, on the 23rd, merely saying it is NOT a Google Analytics security issue and pointing to some general best practices on good website management. But none of them really address the specifics of this exploit.

    The fact Google Analytics is so widely used, and the script code block is always identical, certainly made it a target of choice for this exploit.

    Closing the door

    Google suggests to look at those resources:
    Interesting, but certainly not to the point, instead, do this:
    1. Start with your own computer. Scan it with anti-virus and anti-spyware tools.
    2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
    3. Make sure you have the latest Adobe Acrobat reader
    4. Now keep the new passwords secure. Don’t use auto-upload features of your web site editors. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible.
    5. Now remove the malicious code (the iframes/regex) from your files on the server. The easiest way to do it is to upload clean content from a backup.
    6. Scan your server directories for any new/suspicious files (don’t forget to check hidden files). Remove anything that should not be there.
    7. If your site was flagged by Google, request a malware review via Webmaster Tools.
    8. Regularly check your site with diagnostics tools of your choice
    Hope that helps!
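
An added example, not part of the original post: a small scanner for steps 5 and 6 that walks a local copy of the site, picks the file names and extensions listed as targeted, and flags a ga.js reference on a non-Google host or an IFRAME tag built from string fragments. The sample snippets and the 203.0.113.7 address are constructed, and a payload that is fully obfuscated ("a string of weird characters") will not match these patterns, so comparing against a clean backup is still needed.

```python
import re
import sys
from pathlib import Path

# File names and extensions the post lists as targeted by the injection.
TARGET_NAMES = {"login", "index", "default", "home"}
TARGET_EXTS = {".php", ".asp", ".html"}
GA_DOMAIN = "google-analytics.com"

# Matches the "+" between adjacent string literals, e.g. "i"+"f"+"ram"+"e".
FRAGMENT_JOIN = re.compile(r"""["']\s*\+\s*["']""")
# Any dotted host name or IP address directly followed by /ga.js.
GA_JS_REF = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)/ga\.js", re.I)
IFRAME_TAG = re.compile(r"<\s*iframe", re.I)

# Constructed samples (not taken from any real site).
CLEAN_SNIPPET = (
    'var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");\n'
    "document.write(unescape(\"%3Cscript src='\" + gaJsHost + \"google-analytics.com/ga.js'%3E%3C/script%3E\"));"
)
TAMPERED_SNIPPET = '<script src="http://203.0.113.7/ga.js" type="text/javascript"></script>'
IFRAME_SNIPPET = """document.write("<"+"i"+"f"+"ram"+"e src='http://example.invalid/'>");"""

def scan_text(text):
    """Return a list of findings for the content of one file."""
    findings = []
    joined = FRAGMENT_JOIN.sub("", text)  # glue split string literals back together
    for host in GA_JS_REF.findall(joined):
        h = host.lower()
        if h != GA_DOMAIN and not h.endswith("." + GA_DOMAIN):
            findings.append(f"ga.js loaded from unexpected host {host}")
    # An iframe that only appears after gluing was hidden by concatenation.
    if len(IFRAME_TAG.findall(joined)) > len(IFRAME_TAG.findall(text)):
        findings.append("iframe tag assembled from string fragments")
    return findings

def scan_tree(root):
    """Scan targeted files under root; return {path: [findings]} for hits only."""
    results = {}
    for path in Path(root).rglob("*"):
        if (path.is_file() and path.suffix.lower() in TARGET_EXTS
                and path.stem.lower() in TARGET_NAMES):
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                results[str(path)] = found
    return results

if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "->", "; ".join(found))
```

Run it against a downloaded copy of the site rather than on a workstation that may itself be infected.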

    Friday, June 19, 2009

    A tale of Web Analytics near miss

    Wikipedia defines a "near miss" as being an "unplanned event that did not result in injury, illness, or damage - but had the potential to do so". I was reading Jim Novo's latest post about Analyze, Not Justify, relating a conversation with a client that didn't become one... I wanted to do such a post for a while and I figured "what the heck, I'll share one of my experiences". Of course, in doing so I will try to "protect the innocent". So here goes.

    The agency who wanted to be

    I was contacted by a traditional marketing agency (call it "ABC") that also does websites and online campaigns. They wanted me to help out with one of their clients (let's call them "XYZ"). Since I offer to "coach and empower web agencies" this sounded like a perfect opportunity. Furthermore, I had been referred by one of my very best clients.

    The agency wanted me to jump right in: fix that darn web analytics tool; make magic happen. At the same time, they were talking about very ambitious web initiatives for XYZ and how they would measure all of it. I smelled "risk ahead" and I was able to convince them to start with a Web Analytics Maturity Assessment which you can view below:


    The outcomes from the assessment were pretty clear, both from an agency and a client perspective... Also, the goal was to go from virtually nothing and jump more than 1 level in the Maturity scale, which is also an important risk.

    SixSigma DMAIC to the rescue

    Knowing the risks is already a pretty good start. To alleviate those risks I addressed the project from a SixSigma problem resolution perspective (which I always do anyway). Starting with a Definition of clear objectives, then Measuring the actual state of the union (then doing Analysis, Improvement and Control). We went on to define and clarify business objectives, identify the stakeholders and the required metrics, identify which info would need to be communicated in dashboards and how often, etc.

    The wall

    Measuring the actual state is where we found the "politiwall" - the political brick wall. XYZ is the Canadian branch of a much larger organization; a typical multi-national, multi-product global corporation. They are obviously accountable for success in Canada and as such, they maintain the site content and define the marketing strategy. However, figure this scenario:
    • CMS tool is under the responsibility of head office, but content and accountability for success is XYZ responsibility
    • XYZ tools are developed by local partners, one of those partners being the ABC agency. Accountability for success of those process-driven tools is also under XYZ responsibility
    • Head office standardized on Omniture and did a fantastic implementation. They obviously want to offer a global perspective on all XYZ websites. This is a perfectly valid approach.
    As I noticed in a previous post, multi-national head offices tend to use "best of breed" tools and "impose" a level of standardization. On the other hand, local branches of those larger organizations tend to use Google Analytics more, for a number of reasons: locally perceived control, costs, and maturity.

    In the actual context:
    • XYZ is not allowed to add Google Analytics to the CMS framework
    • XYZ is not allowed to add Omniture tags to locally developed applications
    • Yet, we want to have a complete view of the user's interaction with the whole XYZ ecosystem (i.e. all components of the online presence, including the CMS, tools and promotional sites)
    We are clearly facing a governance and ownership issue here. So tell me, what would you do?

    My recommendations

    Considering XYZ accountability for success, here are the next steps I'm envisioning:
    1. Demonstrate the direct and logical correlation between "accountability for success", "means to measure" and "power to take action". Escalate at the appropriate level (beyond current local director level).
    2. Since the head office has an implementation and best practice document, it could be reviewed to accommodate more flexibility for local sites (something I've seen with another client who standardized the core implementation but allows for a level of flexibility on over 200 websites)
    3. Make sure to follow the implementation guidelines and best practice in implementing locally developed tools, with collaboration of the head office to make sure they are comfortable with the implementation
    Point #1 is critical. If you don't solve it now it will always come back to haunt you!

    Help me help you

    Latest status was "the business case was presented to head office" and I'm waiting for feedback. At one point I had the impression the agency was putting the blame on me for failing to deliver. If I had not insisted on starting with the right approach, they would certainly be right (in fact, I'm refusing to work with a client if we don't start with a Maturity Assessment). As an independent consultant, my role is to tell things as they are and guide you in the right direction. But you are ultimately driving and taking the decision to follow my recommendations or not.

    I think this would make a great case for the "Creating and Managing the Web Analytics Culture" course I'm tutoring!

    Any thoughts and feedback welcome!

    Wednesday, June 17, 2009

    Web Analytics Tuesday, July 7th, sponsored by AT Internet

    In March we joined forces with "Utilisabilité Québec" to discuss the relationship between usability and analytics.

    In July, the Web Analytics Wednesday will be on a Tuesday! Nicolas Babin, COO for AT Internet, will present a Case Study featuring European client Ryanair. This content was originally presented together with Dara Brady, Head of Advertising at Ryanair during Internet World London this past May. The case study will demonstrate how AT Internet delivered against Ryanair’s 2009 online priorities: site redesign and conversion. Our event is sponsored by AT Internet.

    When: Tuesday, July 7th, 5:00pm - 9:00pm
    Location: the greatest place to host a WaW: Le Local
    Where: 700 William, Montréal, H3C 1P1, 514-397-7737
    >>> RSVP at WebAnalyticsDemystified service <<<
    Sponsor: AT Internet

    17:00h: Welcome and networking, beer & tapas!
    17:30h: Summary of eMetrics in San Jose and industry news (Stéphane)
    18:00h: AT Internet presentation (Nicolas Babin)
    ...: Networking...
    20:00h: Event end

    Please sign up now!