Archive for November, 2006

Live from day one

Tuesday, November 21st, 2006

When developing a new site from scratch, I like to make critical use of the time when the web site is not yet known by anyone. You’ve registered the domain and nobody knows about it. It’s just a brilliant idea in your own head, yet to be executed.

How quickly can you code up a reliable ALPHA version before Google indexes it? This is the challenge!

In production, with no users yet, you have nothing to lose. So you go berserk - half the time the site works and half the time it’s broken. If anyone had found it yet, you would be upset. But they haven’t, and you still have more time to keep coding.

I am doing this right now to a brand new site, which I am very excited about. But I was very surprised to find out that it’s already been indexed by Google after only approximately 1 week. Nothing links to it yet, but if you typed in its exact name, you would find it at the top of the results. I’m pretty sure it’s because I placed an Adsense strip down the side of the home page, so Adsense immediately knows which site the ads are being rendered on and then goes off and tells the Googlebot to come and check it out. This pressure has made it more important for me to really hurry up and launch the BETA version.

Now already, the site is working pretty well, does not crash and already provides the main service that it was intended to do. I’m really just deepening the feature set and usability at this point, but the raw core service is there.

So what do you think has happened? It’s gone into BETA mode already without me even launching it. That’s right, some users have found the site via Google, as well as through small leaks from the site founders to family and colleagues. Now I find myself ultra excited each day when I get home from my consulting contract, only to find fresh user-submitted information on this web site which isn’t even launched yet. And this is not fake testing information designed to pump the site up so that it looks busy from launch day one (which I normally recommend doing!). This is real, production quality information that is gold and will now stay there and be part of the finished site.

How exciting, automatic BETA launching, live from day one! You can’t beat that - users wanting to use your site before it’s even finished.

I am finding this ultra helpful already. I have quickly fixed a few bugs thanks to things that the users did, plus the best thing is that it makes me more excited and passionate about pushing ahead full steam as quickly as possible because real users are getting a kick out of the site.

I have stressed this before, but definitely do not wait until your site is 110% polished before you launch it. Someone else may have launched their own version of your idea by that time. Put your stake in the ground and get the users trudging through your live sandpit. That feedback is gold and will build a better site.

My site right now is still totally vulnerable to XSS style attacks, because I haven’t put in the regexes to block them yet. But I will, later. Because I know it’s far more important to have the site working and looking good for users. No one will XSS attack me until the site is prominent, but I have to get there first. I’d rather gain ten times the number of users that I currently have in the meantime, then fix the XSS leaks in a few weeks’ time.
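As an added illustration of the XSS point above (example code written for this page, not code from the author’s site): a regex blacklist has to anticipate every form of markup and mangles legitimate text, whereas escaping user-submitted content at the moment it is written into the page neutralises any input. The submissions below are constructed.

```python
import html
import re

# Constructed sample submissions (not from the original site), the kind of
# user-supplied text a comment form or listing page would store and display.
SUBMISSIONS = [
    "Great tip, thanks!",
    "use the <b> tag to make text bold",      # legitimate mention of markup
    "<script>alert(1)</script>",              # hostile markup
    'it said "hello" & goodbye',              # quotes and ampersands
]

TAG_RE = re.compile(r"<[^>]*>")


def regex_block(text: str) -> str:
    """Blacklist approach: strip anything that looks like an HTML tag.
    It silently changes legitimate text and only catches what the pattern
    happens to anticipate."""
    return TAG_RE.sub("", text)


def render_comment(text: str) -> str:
    """Encode-on-output: the stored text is kept verbatim and escaped at the
    point it is placed into HTML, so the browser never parses it as markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def contains_markup(rendered: str) -> bool:
    """True if the user-controlled part of the rendered HTML still holds a tag."""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" in inner or ">" in inner


def render_all(submissions=SUBMISSIONS):
    """Render every constructed submission with the escaping approach."""
    return [render_comment(s) for s in submissions]


if __name__ == "__main__":
    for s in SUBMISSIONS:
        print(f"blacklist: {regex_block(s)!r}")
        print(f"escaped:   {render_comment(s)!r}")
```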

800×600 is the new 640×480

Tuesday, November 21st, 2006

Thanks to technology and the rapidly declining prices of high quality monitors, I am at the point where I am almost prepared to not care so much about designing for 800×600 any more.

In 1999, you seriously had to develop everything to still work in 640×480, as there were still lots of people using it. Anyone into computers and the internet had already been using 1024×768 from 1996-1997 onwards. But you can’t write web sites only for the tech-savvy; you have to cater for all users, especially those not interested in technology, as far as reasonably practicable.

Half of the people still running 800×600 nowadays do so because they have trouble reading smaller fonts at the larger resolutions. However, they should be using the enlarged fonts and accessibility features of their operating systems to combat this, not stifling the screen resolution.

The other half are the ones who haven’t upgraded their computer since 1996. Unfortunately, computers are technology, and technology evolves. I think after 10 years, with the price of computers now, you have no excuse to be still running 800×600. It’s technological irresponsibility. It’s like choosing to drive a thirsty V8 Holden Commodore and complaining about petrol prices at the same time. It’s your choice. If you choose to run 800×600, many web sites will force you to deal with horizontal scroll bars.

There are also, of course, the internet enabled mobile phones and Palm Pilots which run small resolutions due to physical limitations and readability. Telstra’s i-mode system relies upon cut down versions of web sites written in CHTML (Compact HTML). However, many more sophisticated mobile devices simply access the “normal” internet, i.e. the full quality, full size versions of web sites. So for this growing number of devices it’s a bad idea to disregard resolutions like 800×600.

So where does this leave you?

It’s just a fact of life that web sites are becoming more and more loaded with useful information - the internet is exploding. So I think you can’t get away from pages on average becoming busier and requiring larger screen sizes. However, a really popular solution is starting to appear all over the place, and I think it’s the way to go. This solution is also best suited to 3 column layouts. Usability tests have confirmed that the right-most column in 3 column layouts attracts slightly less attention than the left and center columns. So this is usually the column where you will place either advertising or less critical information. So you design the site so that the first two columns show up perfectly in 800×600, with a horizontal scroll bar providing access to the third column. But the third column is really an optional extra, so you design the site so that you don’t mind so much if the 800×600 users don’t see it. It’s most important that you are giving them two entire columns of your crucial content - you can’t always have your cake and eat it too. Then of course, all 3 columns show up perfectly in resolutions of 1024×768 and above. I love it, and I think it works great.

If users refuse to upgrade from 800×600, or they have physically compact mobile devices, then it’s not a big ask to scroll to the right a little to see the “not so important” column. Most of them won’t bother and will happily use the main area of your site.

Now, an example of a prominent site that has implemented this approach. Download the awesome NILS toolbar for web developers, select the option to resize your browser window to emulate 800×600 and then check out www.news.com.au. Note the line that neatly separates the critical content from the optional stuff; it’s spot on in 800×600. The browsing experience for the user is still excellent. It’s a good all round compromise that makes everyone happy.

Defaced

Wednesday, November 15th, 2006

This is what some Year 10 High School script kiddie did to www.aaconsult.com.au sometime early this morning:

[Screenshot: Defaced!]

And..

[Screenshot: Defaced!]

If you want to know how to search on the internet for common vulnerabilities to exploit on widespread web platforms such as Wordpress, then you can contact this joker “hotturk@hotturk.com” - hah! That’s all this guy did.

This is a good lesson to anyone running any kind of web based software that is freely available and widely used: make sure you always update to the latest version as soon as it becomes available. I hadn’t upgraded this site’s Wordpress installation for quite some time. I was running Version 2.0, which clearly must have had some security holes, hence a High School kid has searched on how to exploit Wordpress v2.0 and got into this site by targeting it from a specially directed Google Search. I have now upgraded to the latest version and retrieved the post that was deleted. Ahh, Google cache - it’s like a free weekly backup.

I was lucky that this particular student only decided to erase my most recent article and change my admin password. I was able to get straight back into the database directly to reset the admin password and upgrade Wordpress - it could have been much more annoying if this guy had had no fear. But when they have no fear like that, that’s when they get reported to the Federal Police and people start tracking their IP addresses down geographically. There is always a trail.

I have played around with a lot of ways to exploit web applications and it’s gobsmackingly scary just how many web sites have enormous gaping holes in them. There are so many extremely simple, common coding oversights which will make a site vulnerable.

One time I was playing with a particular exploit which would sometimes let you gain access through other people’s login forms if they were coded in Classic ASP using SQL Server or MS Access as the database. I crafted up a couple of very basic searches in Google to return me a list of affected pages precisely named login.asp. Google brought me back pages of results and I actually went through about the first 8 pages of results trying each and every one of them. I managed to get into about 15 web sites out of 80 - certainly not a bad strike rate when a couple of the sites were fairly prominent Australian sites. A couple of them let me into full featured admin areas where I could add and create other administrator accounts and control the site content - when you are hacking login forms, many of the exploits will give you access to the main admin account of a system simply because, more often than not, this is the first row in the Users table of someone’s database. Of course I just logged in and logged straight out without touching anything, but either way it illuminated just how many web developers were completely unaware that they were pushing out terribly dangerous web site code on very important, prominent web sites. And this was merely one particular type of vulnerability!

So many of the web 2.0 sites being rushed out in BETA versions are quite vulnerable at launch time, as most of them place a huge emphasis on gaining users quickly as opposed to releasing a perfectly polished product that took an additional 3-6 months to build. That said, I still hands-down agree with the launch fast approach. No one wants to hack a site that has no users or “weight”. Users are everything; you need as many of them as soon as you can, and you can tighten up the cracks later on quietly in the background. If you have developed the site yourself from scratch, then your chances of being targeted are much, much lower because no one can easily identify your platform or any commonly documented weaknesses unless they start going over it with a toothpick.
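As an added illustration of the “simple, common coding oversight” behind the login.asp findings described in the two paragraphs above (example code written for this page, not code from any of the sites mentioned): the login query is assembled from user input, so any quote character in the input becomes part of the SQL statement itself, and the parameterised version beside it keeps the input as data. Python with sqlite3 stands in for Classic ASP with SQL Server or Access, the Users table and passwords are constructed, and unsalted SHA-256 stands in for a proper password hash.

```python
import hashlib
import hmac
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory Users table; the admin row is first, as the post notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    rows = [("admin", "admin-secret"), ("o'brien", "pa55"), ("jane", "hunter2")]
    conn.executemany("INSERT INTO Users (username, pwhash) VALUES (?, ?)",
                     [(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in rows])
    return conn


def login_concat(conn, username: str, password: str):
    """The oversight: SQL built by string concatenation, as many login.asp pages did.
    A quote in either field changes the statement rather than the data."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM Users WHERE username = '" + username +
           "' AND pwhash = '" + pwhash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(conn, username: str, password: str):
    """The fix: a bound parameter keeps the username as data, and the password
    hash is compared in constant time outside the query."""
    row = conn.execute("SELECT username, pwhash FROM Users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return row[0] if hmac.compare_digest(row[1], supplied) else None


def concat_breaks(conn, username: str, password: str) -> bool:
    """True when the concatenated query cannot even process the input as SQL."""
    try:
        login_concat(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(login_param(db, "admin", "admin-secret"))      # admin
    print(login_param(db, "o'brien", "pa55"))            # o'brien
    print(concat_breaks(db, "o'brien", "pa55"))          # True
```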

Web Pyramid

Wednesday, November 15th, 2006

mmmzr went live just over a week ago, and I have been watching it for the past 7 days. mmmzr is a super simple idea (call it a scheme) that offers two things to investors.

  1. Placement on a web page that is being talked about a lot. And;
  2. The chance to receive their investment back, or even better still, double it.

Early mmmzr customers have already reported sharp increases in traffic and the doubling of their investments.

When I first tuned in, all 7 columns were going for $1024 - there had been 10 purchases per column already. The site attracted attention very quickly and plenty put their money on the table while it was still cheap. At about this stage, I made a mental note that there would have to be a certain threshold, not too many tiles into the future, where the going price would exceed the value of placement on the site and future investors would become increasingly wary of participating in a game of Advertising Chicken.

Soon after, most of the columns reached an $8192 asking price and have stayed there for the best part of 7 days. The site appears to have reached some kind of ceiling, but whether mmmzr busts through that ceiling totally depends on how much exposure the site gains from here on in. One or two articles about mmmzr on some heavyweight sites could make this thing really take off. The more exposure, the better value the $8192 current asking price becomes and the more chance you as an investor have of doubling your investment. Right now, I think Tadashi san is going to struggle to attract 8 grand until the site reaches the next tier of internet popularity.

But don’t discount it yet; we are talking about a web site that has been on air for merely circa 2 weeks. If my calculations are correct, Tadashi has pocketed about $5632 thus far, minus PayPal transaction fees. The simple formula dictates he gets to keep 25% of each tile sold.