What’s the fuss about XSS

XSS stands for cross-site scripting. Another interesting acronym is cross-site request forgery (CSRF). All in all, what most of you should think about is that on web sites that are written without security in mind, or that simply have a bug, an outsider can possibly inject code of their own. A good example of this would be the MySpace worm, which enabled its creator to have anybody who visited his MySpace profile automatically add him as a friend. Additionally, that person's profile automatically received his little bit of code, so everyone who visited that person's profile again became the author's friend.

So let’s see how long it took him to get a few friends. He included a little bit of code on his profile when he had 73 friends; an hour later somebody looked at his profile (1 more friend, a bit more code on that person's page); 7 hours later he had 221 friend requests, one hour later 480, then an hour later 561 (he had since accepted the 480 ;)), … 3 hours later 2503 friends and 6373 requests; 5 hours later 2503 friends, 917084 requests; a few minutes later over a million friend requests.

Now that’s really fun. I mean nobody was hurt. But what follows next can be just a small addition to that little worm, or to an ad you see, or a forum posting, or an article, … .

As seen in this article that has just been published, entitled U R Insecure - how URl exploits are changing the webappsec landscape, you can at this time on Firefox, or IE, or any other browser really, as long as it is on Windows, get at the file system. What does that mean again? It means that, provided I have somehow been able to inject code on a web site you are visiting, I can open a command prompt on your machine without you noticing, download a small application, install it, and then do virtually anything to you. What could that be?

  • I delete all contents of your hard drive (actually don’t need the app for that)
  • I turn off your computer
  • I scan all network drives for a file with “financial”, “next”, “quarter”, “confidential” or something mixing those (of course then sending me those files)

Just to connect this again to the MySpace worm: within a few hours I’d have turned off a million PCs, or scanned them for confidential material. You will by now come up with your own ideas. The thing is that the door is wide open because a mechanism in browsers (registered URL protocol handlers) allows a page to open another application. There might be a joost:// handler on your machine, and Joost might be insecure (not saying it is!), and I embed a link that opens joost://something, which again gives me access to the file system.
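As an added example (not code from the original post), here is the defensive side of the two problems described above, the injected profile code and the custom-scheme link: a minimal Node.js rendering of a user profile, first as the vulnerable concatenation and then as the hardened version that HTML-escapes every field and allows only http(s) link targets. `escapeHtml`, `safeHref`, the two render functions and the sample profile are all assumed or constructed here.

```javascript
// Added example, not code from the original post: render user-supplied
// profile fields so injected markup stays inert, and allow only http(s)
// targets for user links (a custom scheme such as joost:// is dropped).

// Escape the characters that let user text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Return the URL only if it parses and uses http or https; anything else
// (custom schemes, javascript: URLs, garbage) becomes a harmless "#".
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    return "#";
  }
  const ok = parsed.protocol === "http:" || parsed.protocol === "https:";
  return ok ? parsed.href : "#";
}

// Vulnerable rendering: user fields are concatenated straight into markup,
// so a <script> tag in the "about" text runs in every visitor's browser.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><p>${p.about}</p><a href="${p.homepage}">home</a>`;
}

// Hardened rendering: every field is escaped for its context, and the link
// target is scheme-filtered before being escaped as an attribute value.
function renderProfileSafe(p) {
  return `<h1>${escapeHtml(p.name)}</h1>` +
    `<p>${escapeHtml(p.about)}</p>` +
    `<a href="${escapeHtml(safeHref(p.homepage))}">home</a>`;
}

// Constructed sample profile (not real data): the "about" field carries a
// script tag and the homepage uses a custom URL scheme.
const sampleProfile = {
  name: "alice",
  about: "<script>doSomething()</script> likes tablets",
  homepage: "joost://open-something",
};

console.log(renderProfileUnsafe(sampleProfile)); // script tag survives
console.log(renderProfileSafe(sampleProfile));   // tag escaped, href is "#"
```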

This is not posted to make anyone afraid, but it should alert us all that this Web 2.0 idea, and all the JavaScript usage, doesn’t make things easier. We can’t just bang out an alpha release of something without some idea of security. This is possibly getting dangerous and we need to be aware. Now that online apps can suddenly be taken offline, the problem will only get bigger. We can write great apps that run in a browser, and I am looking forward to more cool things coming there, but keep in mind that it’s not all as simple as it sounds. Imagine this working on the iPhone (I am not aware that it is). I’ll just call a few numbers and you are broke and I am rich.

Review: Wacom Bamboo as mouse replacement

Yesterday I got my new Wacom Bamboo, a tablet that is meant to be a mouse replacement, and I have to admit that it actually is. The biggest switch seems to be that I need to get used to holding a pen in the left hand and moving around on the screens with my left hand, instead of with my mouse on the right. At the moment I actually have both sitting at my laptop, which is cool. I am missing the scroll wheel a little bit, which is kind of there on the tablet but still a bit weird.

There are actually two settings you will have on the Mac if you plug it in and install the driver. One is for Ink and the other one for the Wacom Bamboo configuration. There you can configure the 4 special buttons on the tablet and the two buttons on the pen. The cool thing is that you can set these buttons to full keystrokes, meaning that the buttons FN1 and FN2 on the tablet are copy and paste (Apple key + C or V) and the top button on the pen is Apple+W, which closes the active window, cool for using the browser. I might come up with other wonderful key combinations. The other keys on the tablet are TAB and Ink On/Off, and right click for the second key on the pen. It is working pretty well with these kinds of keys.

Another important setting is whether you want to use the tablet as a mouse or pen. I am using it as a pen meaning that the surface of my tablet kind of is the surface of my two monitors together. Tapping top left, will put the mouse top left on the left monitor, then top right on the top of the right monitor. The cool thing here is that you will get used to the Bamboo and the size ratios and slowly but surely know where to move the pen to have the mouse where you want it to be and that is a real time saver.

There are also some nice smaller things. I open GMail, click a mail, tap the one key on the tablet to enable Ink, draw a Y on the screen and boom, the mail is archived. Now that is wonderfully easy. I will have to play a bit more with Ink to really get used to using that one.

All in all I am starting to get really happy with using a pen instead of a mouse. That’s really what the tablet is built for. I haven't drawn with it yet, but it might actually be too small for that. But more posts on playing with Ink will likely follow.

Tacoda goes to AOL

What do we hear there? TechCrunch alerted me that AOL seems to have bought Tacoda. The New York Post is talking about it too, citing prices between $200 and $300 million. The NYP article was actually linked right from the Tacoda homepage. :) We had some turmoil some weeks ago in the ad server market and AOL only got the small player in AdTech (not the conference, the ad server ;)). And now it seems like they got themselves an ad network. Actually it really goes into the behavioral targeting world, about which Jeremy Liew has some good thoughts.

The thing is though that this might hot up the behavioral ad market too. It is important to note though that Tacoda also is a network, even though I am not sure how the network is booked, e.g. do they get the rests from publishers because they can monetize them better (Update: seems like it.), do they pay fixed up front and hope to make a margin, or are they first choice and simply really pay more. AdWeek has a good article on behavioral ads, in that they might even click worse, but have higher conversions afterwards.

The thing is that AOL already has advertising.com, and they are a network of sorts, and I don’t know what Tacoda adds to the equation. The thing is that some big publishers might cancel their relations with Tacoda due to a possible buy from AOL. We really need an independent player in that market. wunderloop might be one (Disclosure: Michael Kleindl is Chairman of wunderloop and Investor in Ormigo) or nugg.ad.

One thing is important though. Whoever gets to see people on niche sites, gets to target them on the big non-focused sites. So I might agree with Jeremy that that is the really important part for the behavioral market guys. Happy to learn more.

The Facebook Misunderstandings

People are going back and forth about Facebook, but there is one little misconception in the discussions going on. A good post comes from Scoble that highlights the good sides of Facebook. And it is really what the ultra pro gang likes to hear. Facebook is amazing, the widgetization will continue, Facebook will grow without end.

I actually don’t think anybody tries to deny that. What people are disputing is the valuation part of the entire thing. Valuations on the stock market depend on revenues and profits. Otherwise it is hype, and that is what we had in the first bubble and as soon as that hype entered the normal stock market, real people got hurt because they invested in beliefs.

To take a look at the other side you should read this post which talks about a 2008 IPO. The thing most interesting in there is the calculation that Microsoft promised some revenue to Facebook due to a 2006 deal they did. This might be the source of the main revenue of the $100 million Facebook is talking about as revenues for this year. Google’s amazing growth engine has a Price to Sales multiple on the stock market of 14. This means that even at $100 million of revenues, with amazing growth, Facebook shouldn’t be more valuable than $1.4 billion now, with growth factored in as in the case of the Google stock price. Now think if Google’s expertise and business model is something where you can understand that revenue and profit growth will come. Now think about Facebook. The metrics are not as clear. The upside is good but nobody out there has proven it yet. That’s like investing in a start-up, and that shouldn’t be something inexperienced people do.

This is what some people think is nuts, and I have to admit I am one of them. $8 billion is just too steep, unless somebody buys it that really needs the expertise and entry into the web area and has an amazing sales team to make money off the site. Let’s see what happens. I have obviously been wrong before.

Update: Of course if they would IPO, then long term it might end up at several billion USD, hence the idea of the IPO. I wouldn’t sell either … but not for the valuation part but simply because Facebook might become a real company with long term potential.

Further Facebook Monetization Problems

So Facebook is worth $8 Billion. I agree it is worth a lot and it can be something that is very powerful in the future. I actually believe it will. But the $8 Billion are surely not based on current revenue. They had 15.8 Billion Page Impressions in the last month. Let’s presume they have all available inventory sold. Judging by this post they would make $2.6 Million a month, so $30 Million a year, meaning $8 Billion is a price to sales multiple of 266! And if you take this post, then you will start to wonder if they are fully booked because the ads do not really work well.

I remember the old times when monetizing discussion boards was hard and social networks are similar. People are just not there to buy something but are there to interact. Facebook can probably make good money on strong branding campaigns (needs to be something more than banner ads), and have a good revenue floor with CPA deals, but making a billion or two in revenue in the near future seems unlikely.

Just presume the traffic from Facebook converts amazingly well (which as I hear it doesn’t), so you have a lead rate of 10% on a lead campaign where you make $30 per lead. Then 100 Clicks makes you 10 Signups and hence $300. At the 0.05% click through rate that seems to be average on Facebook, that means you need 200.000 ad impressions to get those clicks. You could then spend $1.5 CPM to not turn a loss. Based on other numbers, the CPM is more at $0.17, meaning that the lead rate is more at 1%, which seems likely.

The cool thing is though that you might, through the exploitation of Facebook's Application Platform, keeping people on the platform with the ads, fostering more trust, embedding conversion there, … increase your conversion … then it gets interesting.

So will they be bought under $8 billion? Nope. The potential is there, it is just not clear yet what it is. With Google it was different, there was real revenue there and real reason why it would grow.