Acro.net – Technology Rants & Raves by Acroplex®

After reading Rick Schwartz’s latest blog post about how Google AdSense closed down his account over minisite content, I had an obvious question: why did Rick pay TENS of THOUSANDS of dollars for 10 minisites?

The term “minisite” was coined as an obvious bait for the domain community, sometime in the past year and a half. It indicates a quick and dirty development of a web site, often with no graphical user interface, with no custom images and with content of dubious quality. Creation of such “mass developed” minisites is aimed at those with a very small budget that want “something” to go live, in order to monetize it via the placement of AdSense ads or ads from other networks.

There are several such firms that provide development of small web sites, catering to the “minisite” domain gang. Quality of work varies – however, a minisite is a minisite and it does not really qualify as true web development.

With parking revenue dwindling, panicking domainers often opt for the cheapest alternative, not considering long-term results and consequences of pushing out badly executed content. The alternative option would entail the following elements:

• A proper business plan
• A budget
• A development expert
• Time

However, all these elements can be addressed, as long as there is proper focus on what one is trying to achieve.

If the need is for short-term cashflow, minisites *might* work – until Google pulls the plug as in Rick’s case. If the need is for long-term revenue from the development of web sites that actually provide content and add value to the Internet community, the answer is simple: full-fledged web development.

So get your paper pads and pens out and start outlining your next project. Big or small, it does not matter. What matters, is quality of work and control over its execution. So hire a true web development professional. Mass developed mini-sites stand no chance.

Revenue is severely down across the domain parking industry, as PPC companies slowly but surely pass the “benefits” of trickle-down economics to the domainers.

Meanwhile, the main advertising providers, Google and Yahoo post record revenue while they’re reducing ad revenue paid to domain holders. Time to develop your domains.

Click on the image below and enjoy your Friday!

I read a very informative and full of substance blog post today, from fellow domainer and web developer, Tia Wood. It offers a concise analysis of a strategy often overlooked by domainers, who opt to park their domains: Lead capture.

Tia explains what the two basic categories of lead capture, incoming and outgoing, are about. Remarkably, it appears that PPC companies are acting simply as middle men to large advertising feeds, such as Google and Yahoo, without taking advantage of the sheer amount of traffic that passes daily through these channels.

Imagine that you went to a fish-rich bay with a huge fishing net that has holes sized for large fish: you’d let the majority of the fish pass through. In a similar manner, your daily traffic passing through the parking pages offered by PPC companies has little chances of being captured – either for analysis or for generating sales leads.

I have found that the simple insertion of a contact link at parked pages, e.g. at a domain parked via Parked.com can both capture and generate leads: you can track visits, clicks and offer a contact form for further inquiries from non-domainer visitors.

But read on, at Tia’s blog.

It’s no secret that when things go wrong with Sedo – or any other service-oriented company – I tend to run my mouth a bit; out of frustration about the things that go wrong. But I’m also the one that praises them when things go right, or when wronged things get fixed pretty painlessly.

In light of this “brand new me” – since it’s a brand new year, 2009 – I decided to post a few tips that have worked for me, when it comes down to ironing things out with Sedo-related issues.

• Respond to each notification email by explaining exactly what you did at that step. E.g. “Domain xxxxx.com was pushed to the Sedo account, abc123, with GoDaddy.” This way there is a tracking record in the transaction agent’s mailbox and yours.
• If you’re the buyer, pay for the domain you won immediately after. If you are the seller, push the domain immediately after you’re asked to do so – don’t put things off! This way, you’ve done your part and you encourage and prompt the other party – and Sedo – to act accordingly.
• Keep a personal, friendly relationship with the Sedo personnel and the agent that handles your transaction. Personalize all communications by signing your emails with your full contact info.
• Call Sedo’s offices on the phone as needed, to ensure a transaction’s status is updated the same day. E.g. if you paid for or pushed a domain, give them a call at the closest location to you. Your agent might be in Germany or the UK but if you are in the US call the US office; they have the ability to sync transactions.
• Give them credit when credit is due; they are people that have jobs like everybody else. This seems to be the most neglected issue on the list.
• For the most part, avoid PMing them on forums, especially for support matters, although they seem to offer this type of feature. Use their support/ticket system, email or phone to resolve matters, in order of importance.

My next blog post will be about a large domain sale that Sedo assisted me with – don’t miss out!

In yet another hasty move, Sedo has inexplicably begun to remove political domains from its marketplace. It is uncertain how far the pattern searcher reaches, however Carolyn from the support department mentioned that their legal department decided to remove domains that contain the name of the US political candidates, Obama and McCain. I expect that the black-listing filter contains the names of Palin and Biden as well.

Now, I am not an opportunist that’d go around registering dozens of names of every possible combination for the party tickets, like others did. I own two domains, both hand-registered for their brandability value: Obamagram.com and Oreobama.com

Sedo’s email was yet another blow in the face of the growing number of users that choose the Sedo marketplace as a selling platform:

We are writing to inform you that the domains listed below have been suspended from Sedo’s services because this domain(s) is a potential violation of Sedo’s policy against domains that include obscene or illegal subject matter. While Sedo strives to protect our users rights to exercise free speech and maintain a marketplace with a vibrant and diverse collection of domain names, we apologize any inconvenience that this may cause.

It’s definitely ironic to see the words “free speech” and “blacklisted” in the same email. Currently there are dozens if not hundreds of political domains on Sedo’s marketplace so the blacklisting process has just begun.

Time to move your domains to Parked.com or elsewhere.

Less than 24 hours after introducing a series of features that exposed seller data to anyone with the will to acquire it and basic scraper-scripting skills, Sedo.com changed the way the “Meet the seller” link functions.

In a dry and short statement issued on DNForum, Sedo’s Customer Relations Associate Monica Ibrahim said:

“As a quick FYI, our tech team has made sure to remove all personally identifiable member ID data from the Seller’s Activity Index. We apologize for the initial issue. Please note that member IDs are not present in the Seller Activity Index or on the Domain Portfolio Links (which can be deactivated if you wish as mentioned earlier)”

Prior to this statement, Sedo vehemently denied that any privacy breach had taken place while maintaining their position that the newly introduced features will benefit the sellers and buyers that use Sedo.com as their domain marketplace.

Indeed, Sedo programmers scrambled to change the database interfacing from using an open sequential id to a hashed (encoded) string unique for the period of time the user clicks on the “Meet the seller” link. Upon my suggestion that Parked.com should offer assistance to the Sedo.com programming team, Donny Simonton exclaimed:

“I wish we could offer some help. As a programmer I do understand what they are trying to do. They are being lazy, been there many times. I would think they could easily change it to a md5 hash of the id + the domain or something similar. Something that can not be reversed.”

Despite the fact that these changes were quickly implemented upon my public announcement of how exposed the seller info has been, Sedo has yet to fix the way their auctions are referenced, using the same non-hashed open id. Currently, all 39,000-something completed and on-going auction pages are exposed to scraping by data miners.

Most importantly, Sedo has not changed the way the new features are utilized under a user’s profile: the user’s country location, seniority at Sedo, arbitrary ratings (zero to five stars) as a seller and a buyer and how long a particular domain has been at Sedo – all these are openly available to any logged-in user, without permitting the account holder to turn these features off.

Sedo has so far kept a low profile on the matter, but the reaction of the serious, active traders has been sharp and full of negative criticism towards the way that Sedo has decided to shove down the throat of users these new features. With offices in the UK and Germany, Sedo is challenging a series of strict laws protecting the privacy of individuals and corporations; stricter than US regulations about personal data safekeeping. Meanwhile, Sedo has stated that if a user decides to leave the Sedo selling platform and delete their user profile, their data remains with Sedo indefinitely. This has serious implications for any potential data breach in the future: user accounts contain a lot of financial and other private information and Sedo’s programming methods reveal a lax approach to security.

Keep contacting Sedo via the email support@sedo.com and their support hotline at (617) 499 – 7200 (keypress 3) to voice your opposition to the lack of an ON/OFF switch for the newly introduced features.

Yesterday, I ate lasagna for dinner. I bought two history books from Barnes & Noble. I applied for a home loan. I played Counter-Strike for the first time after two months. I shaved off my goatee.

These are random, daily functions that pertain to me, the person. They are isolated incidents of my life that occur, more or less often, in various forms. Unless you live with me or you have a view through my home windows, they remain private to me or to whoever I decide to disclose them to.

Privacy, in today’s electronic maelstrom of a society, is a commodity as rare as honesty and loyalty. We have somehow been led to believe that if we buy items at the store using a credit card, it’s okay for the store to call or email us with offers of similar products. We have been led to believe that our eating, drinking and partying habits are okay to be shared, in photographs and videos on MySpace, hi5, Facebook and other “social networking” venues.

We have been shown the wrong way of living.

As if Mondays are not *the* worst days of the week alongside Fridays, today Sedo.com announced that a new set of features will be enabling users to conduct sales and business in an easier, transparent manner.

In all reality, what Sedo created today, is the prelude to doomsday as it pertains to privacy of domain transactions on this marketplace, that boasts millions of domains for sale.

Essentially, Sedo stopped short of announcing a “MySpace” type environment, with options such as seniority of sellers, the geographic location that they trade from, a rating system and a display of their tax options fully displayed via a link to any other person logged in the Sedo platform. Other added features that somehow made it past beta-testing without any concern from the management or the programmers, include displaying how long a domain has been listed for sale on Sedo and the option to link to their entire portfolio via the profile of any other domain they have on sale.

Sedo did one thing right and all of the rest wrong.

What Sedo did right, was the *option* to link to the rest of the domains in one’s portfolio – defaulting it to “No linking”. This, is solid programming concept at work. It’s the well-thought design of the programmer who wants to offer options but also respects people’s choices.

What Sedo did wrong, was the rest of it.

To create a Sedo account one needs a few seconds. It’s like signing up for Gmail or registering with Papa John’s pizza online. Once you create a Sedo account, the fun begins. The newly introduced features allow *anyone* with very basic programming skills to scour the live data of Sedo and scrape it.

It’s as if Sedo allows *anyone* with an account to take a long, satisfying snoop into your lounge while you eat. While you order books from Amazon.  Whether your home loan was approved. How many kills you landed at Counter-Strike. If you’re wearing aftershave or not.

It’s all about offering raw data, easy to be mined by anyone.

Sedo programmers need to be fired for a series of fundamental programming flaws. First off, the same suicidal approach that was used with the identification of the auction system is being used again: sequential numbers, ranging – for example – from 000001 to 99999999 and beyond. In order to view and gather transaction details, all one has to do is increase the number of the parameter describing the auction and store the results in a database. No confirmation needed. No session variables. Just full path variables that are exposed and tweaked to reveal the next in line. No captcha used in order to stop a scraper dead in its feet.

Having fun yet?

Sedo’s new profile features can be exploited to store aggregate data, linking each and every auction on Sedo to the person that made it. It’s not just like NameBio storing domains and sales prices scraped off the front page of Sedo; it’s about storing *every* auction’s info, the seller’s profile, their location, their ratings as seller and buyer, how long they have used the Sedo platform and how long the domain has been offered for sale – all IDENTIFIED by a unique, open (not hashed) id number.

Read further to understand how poorly Sedo thought of this new set of features.

Once our rogue scraper guy has created their Sedo profile, they can scrape the entire database of Sedo’s users – all 1.3+ million of it – including their unique id number and their location. Then, that unique id number can be further looked up and store their seller and buyer profile info. Once a sale occurs, the auction’s information can be stored as well.

The problem lies with the ability to link all these three together. It’d be a database containing identifiable information that can very easily be enriched with WHOIS data to fully pinpoint a seller’s achievements, strategies in pricing and time that these sales occured.

Did I mention that a lot of domains have WHOIS privacy protection but once listed on Sedo the seller’s location is revealed?

I will refrain from creating a proof of concept, at this time. But frankly, it takes $50 to pay a programmer from India that’d rummage through the freely available “features” and safely store it all away, without Sedo even being aware of it happening. To them, these are “features” that enable users to conduct business better. To me, it’s a violation of my privacy rights and an open welcome to data miners.

Programmers take orders from project managers. Whoever managed this project needs to go back to college.

I urge everyone who sells domains on Sedo.com to contact support@sedo.com and raise their strong objection to this set of wide open trapdoors on the domain selling floor.