Posts Tagged ‘Web development’

Value in Facebook Apps

Sunday, November 25th, 2007

If you have a web site or service that appeals to the younger web-savvy demographic, you are basically crazy if you do not build a Facebook application for it. We are building our first Facebook application at the moment and have been impressed with just how super easy it is. If you make the Facebook application super simple and virally attractive to Facebook users, it's about the quickest way to gain a massive amount of users out of anything that you can currently achieve with the internet.

The number of applications available is exponentially growing. The ones that bubble to the top are starting to be worth money, as just like traditional web applications, if they have a large number of users on board, that is worth money - regardless of whether it exists inside the bounds of Facebook or not. Because Facebook allow developers to include their own sponsored advertising listings in their applications, it's completely up to the developer as to how they want to try to generate income from their apps.

This Christmas application showed up in the Facebook Developers Discussion board, listed on eBay for US$6600, with members remarking “great another 10 day old app trying to get 6 figures”. The author responds with “Have another look - it’s 4 figures, then a decimal point, then another 2 figures. That’s a 4 figure sum. Hopefully it’ll go for more than that though? I reckon there’ll be over a million users by 1st Dec”. There is a lot of this caper going on at the moment.

Basically, once these developers understand the simplicity of building Facebook apps, they are quickly pushing out new ones and listing them on eBay as little as just a week after launch. This is only made possible by Facebook being the perfect platform to virally spread applications, allowing them to attract large numbers of users super quickly, creating an immediate dollar value.

The part time web

Wednesday, February 28th, 2007

Lately, I have been dealing with the founder/managers of a group of Australian web sites, mostly via email. Some of the sites are fairly prominent ones that you could easily assume are run by dedicated full time teams or individuals. But so many of these webmasters are off busy at their full time jobs, with their site ticking over in the background. Therefore a lot of the correspondence happens after hours when the webmaster gets home from their day job and excitedly checks their site’s Inbox for the day’s proceedings. Proof is in the fact that I often receive emails from their home/site address and again separately throughout the day from their completely different work address which might be from a major company’s domain for example.

A lot of them are pulling it off quite well. Sites where content needs to be hand-reviewed often have hardcoded quarantine delay periods where user-submitted content simply sits idle until the webmaster gets home from work and clicks on the “approve” button. But this is all seamless to the users of such sites, who still see quality content trickle out as each day passes.

It's a mix of enthusiast type sites performing great user-centered services that have little or no business model; and sites with a serious business model that just don’t have the momentum for the founder to leave their main source of employment. Both categories of sites are also in the hope of being bought out - I believe mostly due to the MySpace and YouTube hype that is spreading like a rash lately. The biggest thing these two heavyweights have done is inject fresh inspiration into the IV of young web entrepreneurs who now have this dream that their site doesn’t have to have a business model to make them rich. Hence I am seeing a lot of dedication and large hours being put into what one might label as charity web sites.

Next time you pay for a service from a seemingly busy or successful web site, think about the possibility that the guy who runs it is making coffee at work for his 9-5 office job boss or working in an IT helpdesk somewhere.

800×600 is the new 640×480

Tuesday, November 21st, 2006

Thanks to technology and the rapidly declining prices of high quality monitors, I am at the point where I am almost prepared to not care so much about designing for 800×600 any more.

In 1999, you seriously had to develop everything to still work in 640×480 as there were still lots of people using it. Anyone into computers and the internet was already using 1024×768 since 1996-1997 onwards. But you can’t write web sites for the tech-savvy though, you have to cater for all users, especially those not interested in technology, as much as reasonably practicable.

Half of the people still running 800×600 nowadays do so because they have trouble reading smaller fonts in the larger resolutions. However, they should be using the enlarged fonts and accessibility features of their operating systems to combat this, not stifling the screen resolution.

The other half are the ones who haven’t upgraded their computer since 1996. Unfortunately, computers are technology, and technology evolves. I think after 10 years, with the price of computers now, you have no excuse to be still running 800×600. It's technological irresponsibility. It's like choosing to drive a thirsty V8 Holden Commodore and complaining about petrol prices at the same time. It's your choice. If you choose to run 800×600, many web sites will force you to deal with horizontal scroll bars.

There are also, of course, the internet-enabled mobile phones and palm pilots which run small resolutions due to physical limitations and readability. Telstra’s i-mode system relies upon cut down versions of web sites written in CHTML (Compact HTML). However, many more sophisticated mobile devices simply access the “normal” internet, i.e. the full quality, full size versions of web sites. So for this growing number of devices it's a bad idea to disregard resolutions like 800×600.

So where does this leave you?

It's just a fact of life that web sites are becoming more and more loaded with useful information - the internet is exploding. So I think you can’t get away from pages on average becoming busier and requiring larger screen sizes. However, a really popular solution is starting to appear all over the place, and I think it's the way to go. This solution is also best suited to 3 column layouts. Usability tests have confirmed that the right-most column in 3 column layouts attracts slightly less attention than the left and center columns. So this is usually the column where you will place either advertising or less critical information. So you design the site so that the first two columns show up perfectly in 800×600, with a horizontal scroll bar providing access to the third column. But the third column is really an optional extra, so you design the site so that you don’t mind so much if the 800×600 users don’t see it. It's most important that you are giving them two entire columns of your crucial content - you can’t always have your cake and eat it too. Then of course, all 3 columns show up perfectly in resolutions of 1024×768 and above. I love it, and I think it works great.

If users refuse to upgrade from 800×600 or they have physically compact mobile devices, then it's not a big ask to scroll to the right a little to see the “not so important” column. Most of them won’t bother and will happily use the main area of your site.

Now, an example of a prominent site that has implemented this approach. Download the awesome NILS toolbar for web developers, select the option to resize your browser size to emulate 800×600 and then check out www.news.com.au. Note that a line neatly separates the critical content from the optional stuff and it's spot on in 800×600. The browsing experience for the user is still excellent. It's a good all-round compromise that makes everyone happy.

Defaced

Wednesday, November 15th, 2006

This is what some Year 10 High School script kiddie did to www.aaconsult.com.au sometime early this morning:

[Image: Defaced!]

And..

[Image: Defaced!]

If you want to know how to search on the internet for common vulnerabilities to exploit on widespread web platforms such as WordPress, then you can contact this joker “hotturk@hotturk.com” - hah! That’s all this guy did.

This is a good lesson to anyone running any kind of web based software that is freely available and widely used to make sure you always update to the latest version as soon as it becomes available. I hadn’t upgraded this site’s WordPress installation for quite some time. I was running Version 2.0 which clearly must have had some security holes, hence a High School kid has searched on how to exploit WordPress v2.0 and got into this site by targeting it from a specially directed Google Search. I have now upgraded to the latest version and retrieved the post that was deleted. Ahh Google cache - it's like a free weekly backup.

I was lucky that this particular student only decided to erase my most recent article and change my admin password. I was able to get straight back into the database directly to reset the admin password and upgrade WordPress - it could have been much more annoying if this guy had no fear. But when they have no fear like that, that’s when they get reported to the Federal Police and people start tracking their IP addresses down geographically. There is always a trail.

I have played around with a lot of ways to exploit web applications and it's gobsmackingly scary just how many web sites have enormous gaping holes in them. There are so many extremely simple, common coding oversights which will make a site vulnerable. One time I was playing with a particular exploit which would sometimes let you gain access into other people’s login forms if they were coded in Classic ASP using SQL Server or MS Access as the database. I crafted up a couple of very basic searches in Google to return me a list of affected pages precisely named login.asp. Google brought me back pages of results and I actually went through about the first 8 pages of results trying each and every one of them. I managed to get into about 15 web sites out of 80 - certainly not a bad strike rate when a couple of the sites were fairly prominent Australian sites. A couple of them let me into full featured admin areas where I could add and create other administrator accounts and control the site content - when you are hacking login forms, many of the exploits will give you access to the main admin account of a system simply because more often than not this is the first row in the Users table of someone’s database. Of course I just logged in and logged straight out without touching anything, but either way it illuminated just how many web developers were completely unaware that they were pushing out terribly dangerous web site code on very important, prominent web sites.
And this was merely one particular type of vulnerability!
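
Why a broken login form so often opens the main admin account, shown as an added example that is not code from the original post (Python with SQLite stands in for Classic ASP with SQL Server or Access). It assumes the flaw is a login query assembled by string concatenation, which the post does not spell out; the table layout, function names and sample rows are constructed.

```python
import sqlite3

# Constructed hostile input: the quote ends the string literal early and the
# rest is parsed as SQL, making the WHERE clause true for every row.
HOSTILE_PASSWORD = "' OR '1'='1"

def make_db():
    """Constructed sample data; the admin account was created first (row 1)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, is_admin INTEGER)")
    # Plaintext passwords keep the sketch short; store salted hashes in practice.
    db.executemany(
        "INSERT INTO Users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "admin-pw", 1), ("alice", "alice-pw", 0), ("bob", "bob-pw", 0)])
    return db

def login_concatenated(db, username, password):
    """Weak pattern: input is pasted into the SQL text, and the caller is
    logged in as whichever row happens to come back first."""
    sql = ("SELECT username FROM Users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened pattern: input is bound as data, never parsed as SQL, and the
    single returned row must be the account that was asked for."""
    rows = db.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    if len(rows) == 1 and rows[0][0] == username:
        return rows[0][0]
    return None

if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, "nobody", HOSTILE_PASSWORD))   # first row
    print(login_parameterized(db, "nobody", HOSTILE_PASSWORD))  # rejected
```

The same fix in Classic ASP is an ADODB.Command with bound parameters instead of a concatenated SQL string.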

So many of the web 2.0 sites being rushed out in BETA versions are quite vulnerable at launch time as most of them place a huge emphasis on gaining users quickly as opposed to releasing a perfectly polished product that took an additional 3-6 months to build. That said, I still hands-down agree with the launch-fast approach. No one wants to hack a site that has no users or “weight”. Users are everything, you need as many of them as soon as you can and you can tighten up the cracks later on quietly in the background. If you have developed the site yourself from scratch, then your chances of being targeted are much much lower because no one can easily identify your platform or any commonly documented weaknesses unless they start going over it with a toothpick.

Thumbs up for ajaxload

Saturday, October 14th, 2006

You know that something is spreading or that a new trend has arrived when you discover handy tools for generating commonly needed objects.

I found ajaxload out of the need to get my hands on some nifty ajax-style anim gifs. Check it out.

Well done to designer Kath who created this handy tool.