Owners Blog
From the creator of UberDragon Networks, an internet venture company, this blog
journals his personal & professional life; online, at home, & everywhere in between.

Thursday, July 27, 2006

Google Puts Pressure on Made-for-AdSense Sites

Have you heard of what's called "click arbitrage"?

It works very simply: you buy lots of visitors by bidding the minimum amount per click on AdWords. The visitor ends up at a site that has been developed to display more expensive AdSense ads.

So, you spend 10 cents on a click per visitor, and hope that visitor clicks on an ad that generates you more than the 10 cents in income.

Google's coming down hard on these made-for-AdSense sites by increasing the minimum bids required for sites with what it deems to be sub-standard landing pages. So, if your site provides little quality content, but lots of AdSense ads, you can expect to pay more per click/visitor.

This can make such sites unprofitable and, in turn, help to eradicate the low-value pages from the Google advertising network. The ultimate flow-on effect is that the Google user experience improves.

The lesson to be learned from this development is obvious: regardless of what you're doing with your site, pay attention to the user experience. Are you providing quality? If you can answer "yes," your site will have a much better chance of success with Google AdWords.

Thursday, July 20, 2006

The MySpace SWF Hack

This past weekend, popular social networking site MySpace suffered from a self-propagating virus in its personal profile system. By simply visiting an infected profile, you could have your own MySpace profile overwritten with code that would infect others.

Like any high-profile site that hosts user-generated content, MySpace must balance the sometimes conflicting requirements of freedom and security. MySpace, for example, goes to great lengths to block users from publishing JavaScript code in their profiles, because such code could forge requests on behalf of any user who visited the affected page.

One concession to user freedom that MySpace makes, however, is to allow its users to display Flash movies using <object> and/or <embed> tags. And that's what led to this past weekend's spate of overwritten and infected profiles.

A curious developer dissected the MySpace virus, revealing the method of attack. A Flash movie can execute JavaScript code by instructing the browser to load a URL beginning with javascript:. MySpace aggressively filters this type of URL out of the HTML content on its site, but it can't keep such URLs out of Flash movies.
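An added example, not code from the original post or from MySpace: a sketch of the kind of HTML-layer check described above. It catches `javascript:` URLs written into markup, even lightly disguised ones, but can only list a Flash embed as content it has no way to inspect. The sample markup, function names and attribute list are constructed for illustration.

```javascript
// Constructed sample of user-supplied profile HTML (not taken from MySpace).
const SAMPLE_PROFILE = [
  '<a href="http://example.com/">friend</a>',
  '<a href="JaVa&#115;cript:doSomething()">click</a>',
  '<img src=" java\tscript:doSomething()">',
  '<embed src="http://example.com/movie.swf" type="application/x-shockwave-flash">',
].join('\n');

// Attributes treated as URL-bearing (illustrative list, not exhaustive).
const URL_ATTRS = new Set(['href', 'src', 'data', 'action', 'background']);
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '');

// Decode numeric character references so "&#115;" cannot hide part of a scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)));
}

// Browsers skip leading whitespace/control characters and drop tab, CR and LF
// inside a URL, so normalise the same way before reading the scheme.
function scheme(url) {
  const cleaned = decodeEntities(url)
    .replace(/^[\u0000-\u0020]+/, '')
    .replace(/[\t\r\n]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Returns javascript: URLs found in markup, plus embedded movies whose
// contents an HTML-layer filter has no way to examine.
function auditProfileHtml(html) {
  const report = { scriptUrls: [], opaqueEmbeds: [] };
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const [, tag, attrText] of html.matchAll(tagRe)) {
    const name = tag.toLowerCase();
    for (const a of attrText.matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (URL_ATTRS.has(attr) && scheme(value) === 'javascript') {
        report.scriptUrls.push({ tag: name, attr });
      } else if ((name === 'embed' && attr === 'src') || (name === 'object' && attr === 'data')) {
        report.opaqueEmbeds.push({ tag: name, url: value });
      }
    }
  }
  return report;
}
```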

The JavaScript code in the virus is able to retrieve a couple of cookies stored in the victim's browser and use them to forge a request to overwrite the victim's MySpace profile page. Because the victim has permission to do this, so does the JavaScript code.

Adobe clearly sees this type of vulnerability as an undesirable side-effect of allowing Flash on your site, because Flash Player 9 prevents untrusted Flash movies from loading any URL into the browser window displaying the movie.

MySpace on Tuesday posted an announcement encouraging its users to upgrade to Flash Player 9. Of course, Flash Player 9 isn't yet released for Mac and Linux platforms, and it will be quite some time before all MySpace users upgrade.

In the meantime, the only way for MySpace to block this type of attack would be to prevent its users from posting Flash movies, and that's clearly something it isn't willing to do.

Sunday, July 16, 2006

They Said "Get It On eBay", I Doubt This Is What They Meant

The idea of using security exploits to make some cash certainly isn't anything new -- online extortion schemes have been fairly popular, even if script kiddies are killing the margins. But apparently discovering security vulnerabilities and selling them off to the highest bidder is a growth industry, according to one security firm, with some sellers even brazen enough to put them up on eBay.

It's hardly surprising to see hackers and malware writers searching for some remuneration for their efforts, particularly with the explosion in phishing, identity theft and other potentially lucrative crimes, and their dependence on staying a step ahead of security companies. What's slightly more interesting, though, is that many security companies themselves are shelling out for the vulnerabilities, under the guise of the greater good, but really getting the information to give themselves a head start in closing the vulnerabilities, and enhancing their products and reputation.

Economists love to talk about the value of incentives in motivating people to particular behavior -- perhaps giving malware authors incentives to turn their work over to software developers or security companies isn't such a bad idea.

Tuesday, July 11, 2006

Judge Explores Why Telco Mergers Were Allowed

A few weeks ago we noted that famous anti-trust lawyer Gary Reback was pushing the courts to look into whether or not the big telcos broke the law in getting their various mergers approved. It appears those efforts have paid off. Federal District Judge Emmet Sullivan has now asked the Department of Justice for more info, noting that to his untrained eyes, the mergers definitely seem harmful to competition and the market -- so he'd like some more info on why they were approved. This could certainly get interesting pretty quickly. While it seems unlikely that he'd be able to turn back the clock and break up the mergers, it could lead to additional restrictions on the companies. Unfortunately, that might be the worst of both worlds, with the companies merged, but with the government (or the courts) trying to come up with the best way to create competition.



(c) 2005, UberDragon Networks