Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: essay

  • Understanding Zero-Day

    If you run a website or work with computers much at all, you’ve heard the term ‘Zero-Day Exploit’ and you probably had no idea what that meant.

    At its heart, a “zero day” attack or exploit is one that happens before any of the developers are aware of it. It’s pretty straightforward, in that the attacks take place in that window of opportunity between code release and code patch. Logically, you’d think that all exploits are ‘zero day’ because a programmer would never release a product with known vulnerabilities. Right?

    Wrong.

    We already accept the fact that human beings are not perfect and thus, by extension, neither is our code. We cannot make every product work on every setup, otherwise there wouldn’t be browser and OS wars. Keeping that in mind, we have to accept the fact that there will always be security holes in code. And sometimes we developers are well aware of them, but consider them acceptable risks. This means that when a vulnerability is plastered as a zero day, the question becomes ‘By whose calendar is this a zero day exploit?’

    If you found a zero-day flaw in a product, the ethical thing to do is privately communicate with the product developers ‘Hey, if I do this, I can get access to THAT.’ At that point, the product developers should take the time to craft a fix and quietly push it out to everyone. The public often isn’t told about this until the patch is written and available, and even then, details are withheld a few days so that, during the critical time it takes everyone to upgrade, people aren’t exploited further. This also allows people to apply one patch instead of 17, as multiple fixes can be wrapped up into one install.

    Of course that’s a perfect world scenario. There are multiple cases of exploits being announced in the wild before a fix has been made. Sometimes it’s a case of an overenthusiastic reporter, but also sometimes the people who report the bug get mad at how long it takes to fix it, and release the information in order to speed up the process. There are unprintable words for those fools, and the fact that they can’t understand how they’re making the situation worse is sad.

    By its nature, an exploit no one knows about is the one you can’t protect yourself from. That’s why vulnerability disclosure is such a touchy subject. Sometimes the fixes are really easy, but more often they’re not. For example, a vulnerability in your car is the gas tank. Anyone can walk up, unscrew your fill cap, and pour in anything they want. That they don’t has more to do with the fear of retribution than anything else, but they certainly could. Also vulnerable? Your mail. I can’t tell you how many times I see the mailman leave the cart on the sidewalk while she goes in to deliver our mail. Someone could steal the mail, but rarely does that happen.

    In 2008, a DNS cache poisoning vulnerability was discovered. (ZDNet – Has Halvar figured out super-secret DNS vulnerability? by Ryan Naraine | July 21, 2008, 2:12pm PDT) The details of the exploit itself are inconsequential to this story. When the vulnerability was discovered, the folks ‘in charge’ asked for a thirty-day embargo where no one would ask about it or talk about it, to allow the code to be patched and deployed. This radio-silence would end with a news release and explanation. This did not work as well as one might have hoped. (ZDNet – Vulnerability disclosure gone awry: Understanding the DNS debacle by Ryan Naraine | July 22, 2008, 7:09am PDT) People accused the organizers of performing a bit of media hacking (i.e. social hacking) and spinning the news to make a bigger impact for themselves. Essentially, they claimed there were no altruistic reasons to keep the lid on the issue.

    When you see a report of a zero-day exploit, the important thing is not to panic. Firstly, check to see if there’s already a patch. Secondly, remember that just because you’re vulnerable does not mean someone’s spiked your gas tank. Thirdly, accept reality for what it is and know that you’ll be impacted at least once in your life, and that’s okay.

    If you know how to recover from this, you’re better off. But that’s another topic.

  • Introducing HEO

    We all know that SEO is ‘Search Engine Optimization.’ I humbly suggest we pay better attention to HEO – Human Experience Optimization.

    After you spend hours and hours optimizing your site for search engines, you should sit back and think about the humans who are reading your site. This should be blindingly obvious to everyone, but more and more we hear about how you should make your URLs SEO friendly, or your post excerpts/slugs/format/meta-data the best to get highly ranked in Google. At a certain point, you’re missing the goal of a website.

    A website is not for search engines, a website is for humans.

    Humans like to be able to find what they want relatively painlessly. They like to know when something was written (or when whatever it’s about took place). They like to be able to search, sort, surf and select. They like to know weird things. It’s your job to make sure that when a user hits your site, they stay.

    Fonts

    I’ve mentioned before that font choices matter on your site. Perhaps the most important thing to remember about fonts is that people have to be able to read them. A lot of sites make their fonts very small, which forces viewers to hit Ctrl-+. This is one of Jakob Nielsen’s pet peeves. Users should be able to control their font size, but you should also set your font starting size to something legible.

    Imagine my surprise when I went to a site and saw this:
    Example of a site with teeny tiny text

    I had to zoom in to read. That font is set to font: 11px/13px "Lucida Grande"..... Just by changing it to 12px/20px it was easier to read, but to make it a perfect starting point, it should really be 14px/20px. You’ll need to balance your font choice with the size, though, as too-thick and too-thin fonts are equally painful for people to read.

    Colors

    I’m in my mid-thirties with the best worst vision you’ll find before someone gets classified legally blind (that said, I have fantastic night vision). I cannot read black backgrounds with white text for more than a few seconds without getting after-images. I’m not in the minority of the world. There’s a reason books, eReaders, newspapers and magazines tend to print dark text on light backgrounds, and it’s not just the cost. More people can read that setup. On top of that, don’t use background images. The busier the background, the more difficult it will be to read and you’ll draw the attention away from the text.

    The colors on your site need to be easy to read, and not strain the eyes.

    Layout

    Did you know that users tend to read to the left? This sort of flow makes sense when you consider that most languages are read left-right. Jakob Nielsen points out that people spend “more than twice as much time looking at the left side of the page as they did the right.” (Jakob Nielsen’s Alertbox, April 6, 2010: Horizontal Attention Leans Left) Not only that, but people actually tend to read pages in a pretty distinct F-shaped pattern. (Jakob Nielsen’s Alertbox, April 17, 2006: F-Shaped Pattern For Reading Web Content)

    So how do you best lay out your website? I tend to think people read content better if it’s on the left, so I put the body of my text left and the sidebars right. I also take into account that newspapers and magazines break up text into columns for readability reasons, and set a fixed width to my site. That choice is somewhat controversial among my friends, but I like to look at the iPad and Kindle for examples as to why you want to not allow forever-width pages. Monitors are big, browser windows can be huge, but in the human head, eyes are spaced in a certain way. Making your page’s content too wide is a drain.

    Page Length

    There used to be a concept of ‘The fold’, which was basically that people didn’t scroll down on webpages in the early days of the web, so if they didn’t see your important content on the top half of your page (i.e. above the fold), they weren’t going to see it at all. It’s 2011. People know to scroll down a page. (Jakob Nielsen’s Alertbox, March 22, 2010: Scrolling and Attention) But you still need to make sure your site has the most important content ‘above’ the fold.

    Where’s the fold these days, though? Monitor size is a lot more variable today than it was in 1995, and the break-point on a page is getting pretty difficult to figure out. Unlike a newspaper, where the ‘fold’ is pretty obvious (unless you’re the Chicago Sun Times), you have to take a pretty good guess at where the ‘top’ of your site is. Oddly, this is a lot easier with the iPad, which currently is my benchmark for ‘the fold.’

    Keeping that in mind, page length matters! I try to keep each post no more than 1200 words, because of human attention span. If I happen to dip longer, I’ll consider breaking the post into multiples.

    Permalinks/URLS

    Samuel Wood (aka Otto) said it simply:

    Humans care about dates. Leaving a date identifier (like the year) out
    of the URL is actually de-optimizing the site for humans.

    Not everything should have a date, mind you. Resources like Wikipedia or other sites that act as repositories for static, timeless material (like a book), certainly do not need date stamps. Deciding if your site needs to include the year in the URL (like I do here), or not at all (like I do elsewhere), is something you need to think long and hard about. If you’re making a ‘traditional’ blog, or a newspaper, or some site that acts as a repository for time-based information, the answer is simple: Yes you do.

    In addition to sorting out if you need dates or not on your site, you have to think about the post format. I’m a huge proponent of pretty URLs, so I tend to lean to custom crafted URLs. On WordPress, I always review the permalink and, if I think it could be better shorter, I do so. MediaWiki defaults to whatever you want to name the page and puts that in as your page title (Oddly you can only override this with {{DISPLAYTITLE:Custom title}}, which has weird results in searches.), but WordPress uses the ‘title’ of your post and makes that your page title.

    Permalink Example

    This is pretty easy to change, though. Just click on edit and make it shorter (which I strongly suggest you do in most cases).

    What else?

    I could go on and on. Like how you shouldn’t use too many ads (and whatever you use, they shouldn’t be bigger than your post content!), don’t use flashing images/text, and keep in mind your audience! What are your hot-button topics for making your site human friendly?

  • The Truth In Presentation

    By now, the internet knows about how the Gay Girl in Damascus was a hoax and Paula Brooks of Lez Get Real is a straight man. These aren’t the first people to be caught ‘faking it’ to tell a story. In fact, both Tom MacMaster (‘Amina’ from Gay Girl in Damascus) and Bill Graber (‘Paula’) claimed to do what they did with the best intentions. They had seen the way gays are treated and felt that, as men, their point of view would be dismissed. Where this crosses the line from ‘best intentions’ and wanders right into out and out deception, however, is where they begin lying to cover their tracks.

    Look, this isn’t new. George Eliot (who wrote Silas Marner) was a woman. James Chartrand of Men with Pens fame is actually a woman. George Eliot did it to protect her personal life, James Chartrand did it to make a living. (Her story about the whys, hows and repercussions is pretty awesome.) There’s a long history of people using pen names, and a lot are mentioned in Carmela Ciuraru’s new book Nom De Plume: A Secret History of Pseudonyms.

    Pretending to be someone else is draining. You’re constantly aware of pronouns and speech patterns. Do I sound like who I am supposed to be? I’ve done it before as a social experiment in college, to see if someone can ‘fake’ being a man online so well that no one would know. (Of note – this was in the early 90s, so things were pretty new then.) I did it so well that, when I carried on doing it for a few more years, there was a hilarious point where I was flirting with my girlfriend (she knew the truth behind the ‘character’) on a public forum, and someone felt it was important to tell me that she was both taken and a lesbian. (This may be why so many people think I’m a man online… I guess I ‘write male.’)

    Using a pen name is something we all accept and can understand. It’s when you delve into the complete fake persona that the world gets a little hinky. ‘Paula’ was a deaf lesbian, who had a girlfriend, kids, and a father who answered the phone and ‘interpreted’ for her (most people think the ‘father’ was actually Graber). At some point, ‘Paula’ killed off her girlfriend. And ‘Amina’? She told in-depth details about her parents, how she hid in secret rooms (à la Anne Frank), and how most of her family had to leave the country.

    These people became deceitful when they crafted complex dramas for their fake lives, and wrapped in layers upon layers of excuses and explanations as to why they can’t meet you. (My excuse is the truth – I’m really shy and nervous around meeting new people.) The bigger the lie, the more likely they are to get caught. ‘Amina’ was caught because her blog claimed she was arrested and no one in Damascus could find information on her.

    And this is where the technology aspect of the drama unfolds. This becomes a post about technology and not just a rant about deception when you realize how careful you need to be to keep up the lies. If ‘Paula’ left a comment on my blog, her IP address would be logged. If she, subsequently, said ‘I’m in Amsterdam this week and…’ I could look at her IP and sort out where she really was. If she was using something like The Tor Project (aka Onion routing) to hide her location, I would be suspicious.

    Thankfully, for people like me who spend time worrying about impersonators, you can peel back the onion layers of Tor and deduce who people are. Currently, there is no 100% reliable way to back-trace an IP through all the Tor layers, but simply the use of it on common, casual sites would be enough to raise eyebrows and some risks. (If you’re really interested in tracing Tor/Onion users, read Practical Onion Hacking) In 2007, a German blogger acting as a Tor provider was arrested because someone used his service to download child porn.

    Why would someone want to use Tor at all? Tor is great for doing things you aren’t supposed to be doing, and while a lot of the time that means impersonation, trolling and general internet asshollery, it also can be used to allow information to be posted from places where a repressive government doesn’t permit it, or where it would be socially unacceptable if you were found out. Like if ‘Amina’ had been real, her use of Tor would make sense. If you really were a persecuted lesbian in a hostile environment, you would use Tor to make your blog posts so the local government couldn’t track you down at your house. Assuming they don’t know how to hack a Tor setup.

    Besides the technical aspects, there’s a lot of social engineering that goes on behind impersonation. ‘Paula’ turned herself in after constant questions from the news (I should mention that the Paula Brooks story is even more intricate and crazy than originally thought! Bilerico reports on the inconsistencies and the more we learn the less we seem to know about the ‘real’ person behind Paula Brooks.), but ‘Amina’ was found out only after red flags were raised when people tried to help the poor arrested girl. In both cases, there were enough holes in their stories that people began to question the ‘facts’ as well as the motives. There is a difference between using a pen name to protect yourself (or to advance your career) and creating a whole persona. The difference between James Chartrand and someone like JT LeRoy is that James didn’t create an elaborate backstory, James just wrote under a pseudonym. It’s most likely that no one ever asked if James was really a man, they just assumed. There are a lot of ways, legally, to do that. Get a good lawyer you can trust, and they can act as your proxy in all things. Now no one has to know.

    Law & Order has done a couple episodes based on this phenomenon. Some are about the people who use plastic surgery to hide themselves, another on the woman who hired an actor to ‘play’ her male persona and was betrayed, and so on and so forth. It makes for good TV, I’ll admit, but the truth is that all of those people were found out, and many times before their ‘death.’

    I think the most ironic thing to come from the whole mess is this:

    In the guise of Paula Brooks, Graber corresponded online with Tom MacMaster, thinking he was writing to Amina Arraf. Amina often flirted with Brooks, neither of the men realizing the other was pretending to be a lesbian. (Source: Washington Post – ‘Paula Brooks,’ editor of ‘Lez Get Real,’ also a man)

    Between the technical and social engineering weaknesses, using a pen-name to craft an entirely new identity is something that can get your credibility shot. There’s a reason we leave false identities up to people like WitSec or the CIA. It’s hard, and the costs of being found out are devastating.

  • The Redistribution of Apps

    Mac is going virtual. They’ve finally agreed they’re a hardware company (yay) and they’re trying to make it easier to install software. No longer will you go to the store, but you will log on to the App Store and download. Apparently the App Store is already bigger than Best Buy. The big news of the month was iCloud (and iTunes Match), where you can sync your data across multiple devices. Wirelessly. Okay, that is pretty cool. But the announcements didn’t get everything right.

    The concept of mobile redistribution of applications is not a new one, but Apple, as always, is attempting to do it more elegantly than before. At the very least, the ability to sync (for free) my documents among multiple devices at once is worth the price of admission. I like to write on my iPad and my laptop, after all. While iCloud isn’t out to the public yet (Lion, the next OS 10.7, comes out in July, so I would expect iCloud by Christmas), we can speculate on how it will handle the sharing of more than just data.

    Here’s what I think they need to have to make this a winner:

    Torrent-style downloads

    I have two laptops and three iOS devices. That means I have to run upgrades multiple times, and some of these are pretty big. Do you know what happens if your net craps out in the middle of a 200meg download of iOS 4? You get to start over! The new Lion OS is a 4G install, and it’s a disk-less revolution. Great, that means it’s cheaper ($30 vs $130), but that also means I have to download it for each computer I need to upgrade, and I have to pray my net doesn’t blow up in the middle. Which brings me to…

    Backup to Disk

    I know we’re going diskless, and that’s great, but if I legitimately buy a product, I should be able to sneaker-net if I want to. Frankly, it’s going to be faster than downloading if I have to upgrade more than 10 computers. I won’t bottleneck things with 10 concurrent 4G downloads all at once. While you can’t really do that with the iOS stuff, I wish I could use one download for all my iDevices. Of course, with the new idea of AirDrop we could…

    Copy Between Computers

    Why not come up with a way to flag up to 5 computers as your ‘home network’ and, if they’re all on the same IP range, let them share installs? So I download Lion, and then AirDrop it to my other computer. Done! To a degree, it looks like iCloud will be able to do this, but it seems to only be for data. For photos, music, documents, etc that’s great. Those aren’t all of what I do. I write code. What about webpages I work on? I like to have those backed up too. In fact, the best way to do this would be….

    iCloudShare!

    If I have a Time Capsule, why not let me store all my installers there, register my computers on TC, and then have a local repository of my paid for installs, so I can download them at any time? Think of it as having your own personal little cloud where all your stuff is there, and then when you want to re-install, off you go! Mind you, I already know from experience that if I restore from backup between computers, I can copy over all my apps and preferences. With the new iCloud they’re working on this for iOS apps, which is something they certainly can do. Then you can bring in ….

    MyCloud

    The real replacement for MobileMe would be MyCloud. Work with ISPs so you can plug a Time Capsule (now renamed Cloud Maker) into your network hub, and it automatically makes it so you can connect your registered computers no matter where they are. I would restrict full backups to LAN (local area network – i.e. only at home) only, but you can sync docs and whatever else you want no matter where you are (like DropBox, only at home).

    So what do you say, Apple?

  • Responsibility, Responsibility, Responsibility!

    So you’ve put your blood, sweat and tears into a site. You finally made it popular. You have regular visitors who comment, retweet, like and share your stuff. You’re getting traffic and the ads are actually paying for things! Everything should be smooth sailing, right? Wrong.

    Last year, I touched on the Dangers of an Unchecked MultiSite. While that was specific to the trials and tribulations of WordPress’s (then new) feature of MultiSite, it hammered home the lesson that you, who runs the site, are responsible for what goes on there. There’s a reason I have a comment policy on this site and a terms of use. I am aware of my responsibilities, but I don’t take responsibility for everything.

    You have to look at your website like a business. If you ran a business, you would be responsible for whatever crap your employees looked at on-line, how they used their phones, etc etc. If someone uses your services to do something illegal, you’re responsible. That’s why you have to sign your life away in blood. Not that anyone reads that stuff for most things, but you do agree to not break the law when you install your operating system, for example.

    At the end of the day, when you’ve made a site, you become responsible for the content (with some exceptions). You’ll note that the Terms of Use for this site have a pretty hefty bit of disclaiming going on, and outright says I’m not responsible for the contents of any message (i.e. comment). That’s a mostly legally safe claim to make, and I’m being up front saying ‘Hey, if someone’s a dick in the comments, that’s on them.’ Later on I say I reserve the right to delete anything I damn well feel like, and I do, but the point is I’m still responsible for your antics!  That’s why a big part of running a site is moderating the community.

    If someone makes a comment you (or your visitors) deem to be offensive, it’s in your best interest to quickly take decisive action.  Make a choice, pick your stance, and stick by it.  Don’t waver or feel guilt. This is your site, your responsibility (there’s that word again). If it makes you understand it better, this is your job. The easy part of the site is building it, the hard part is maintaining it. For those of you who just spent months getting your site to look just right, the idea that something is harder than that may be daunting.

    First you put in the sweat equity to make the site. Then you spend hours researching and writing posts. You’ve already found out about how much time you have to put in fighting spammers. Now here I am telling you that you get to spend even more time and energy keeping the community of your site going. It’s okay to hate me. I actually spend more time these days keeping people in line and tending to them than I did anything else a couple years ago. That’s the real reason a lot of sites go in for moderating teams. It’s a lot of work to keep track of everything. Since then I’ve turned to what I call ‘community moderation.’ Plugins like BP Moderation (for BuddyPress users) and Safe Report Comments let your visitors flag posts for you to come back and review.

    Regardless of this, there remains one person responsible for this site: Me. I’m responsible for what people who have accounts do here. I’m responsible for what I say and what they say. I’m responsible for your comments and the ads on this site. Everything here is my responsibility and I take it seriously. To carry it up a level, if your site sells a product, you are responsible for all of that product.

    Recently there was a kerfuffle when Joost de Valk announced that his SEO plugin was being infringed on by WPMU Dev. Of course there was a public rebuttal by WPMU Dev and a response to the rebuttal. Even WPCandy stepped in.

    Before everyone gets het up about this one, I honestly don’t care who’s right or wrong for the purpose of this post. My opinion, and yes, I have one, doesn’t matter.

    See, no matter what else, at the end of the day, a company is 100%, totally, unequivocally, responsible for their own products. Full stop. Everyone can agree to this (and as far as I can tell, everyone does agree on this point). No matter what, WPMU Dev is responsible for their products. No one is arguing this. The fact that they pushed a flawed product that slipped through their checks and balances is the point. They can’t blame the developer without blaming themselves for not checking his work. Regardless of if they failed to check the plugin, or forgot to tell the developer to always attribute his work, or whatever it may be, the company who hired the developer assumed all responsibility for the work which was then pushed forth in their name.

    They weren’t the first people to make this sort of error, and they won’t be the last. Making the error, in and of itself, is monumentally stupid, but you know what? We’ve all been there. We all take responsibility for these screw ups. It’s horrifying, the first time you realize you’re responsible for something that you’re not in control of, but there you are. You run a company. Sometimes things go wrong in ways you never predicted and should have, but didn’t. In 2009 Microsoft yanked code they’d stolen. I know, stealing is a dirty, hot-button word, but that’s what it is. PC World says it right:

    Third parties or not, though, Microsoft is responsible for making sure its software isn’t stolen, and it’s simply not doing the job. (Microsoft yanked code they’d stolen – PC World)

    Think it’s just software? Think again. Last winter, a small magazine called Cooks Source lifted someone else’s work, wholesale, and put it in their magazine. The author was attributed, certainly, but not compensated. When the author found out, she contacted them and asked for a $130 donation to the Columbia School of Journalism. She got a pretty awesomely horrible reply, and posted it on her livejournal. From there, the Internet exploded. (If you go to http://illadore.livejournal.com/ you can see the crazy first hand.) How far did it all go? Well the magazine is no more, after the Internet got their hooks in it. People called up the advertisers to tell them that Cooks Source was a plagiarist, and more than one advertiser bailed. Then it turned out they’d stolen multiple articles from multiple sources, unpaid, and photographs as well. Let’s not get into the website, which had stolen content all over the place.

    It’s your site. It’s your name. You are responsible. Make all the excuses you want, but it doesn’t exculpate you from that role.

  • SEO “Experts” Are Lying To You (About Backlinks)

    Stop me if you’ve heard this one.

    “For just $19.95, we offer hundreds of certified backlinks!”
    “Quality backlinks for your site!”
    “In just one week, we can make your site in Google Searches!”

    I see people ask, a lot, what the best WordPress plugin is to generate backlinks. And I always reply something like this: “The best way to get backlinks is to write good posts that people will link to and share.”

    But what is a backlink anyway? As obvious as it sounds, a backlink is a link from someone else’s site back to yours. So when I say things like “Yoast’s explanation on how BlogPress SEO Plugin generates spam is an invaluable resource”, I’ve linked back to his site and made a backlink. If he has pings on, he’ll see my remark and link, and it’ll show up on his site in the comments section. (I actually turn pings off, because of the high number of spammers and the low value it was giving me. If the only reason you’re linking to someone is to get the link BACK to your site, you’re doing something wrong, but that’s another blog post.) Backlinks, honest ones between two good sites, are great. I love getting linked to from CNN (it happened once) or other sites who like my writing. It’s a great compliment.

    However, people seem to think that backlinks are going to ‘generate SEO.’ First off, they’re not using the words correctly. SEO stands for ‘Search Engine Optimization.’ My first grown-up job, where I wasn’t just fiddle-farting around on the computer, was to optimize meta-data for sites to get them ranked first on AltaVista, so yes, I do know what I’m talking about here. Due to that early work, I’ve got pretty awesome Google-Fu, because I used to spend hours going over the specs for search engines, and reading up on how they worked, what their algorithmic engines were, and how to get legitimately good results for my key words. I also learned what keywords are useless.

    Back in the day, search engines would rate your site based solely on your self-contained content. One of the ways we would promote our sites would be to use hidden text or meta keywords that only the search engine would see. We’d list all the keywords related to our site about dog biscuits, and awesomely, we’d get rewarded. Naturally some people would shove totally irrelevant keywords in, to game the system for other searches. Which is why sometimes you’d search for ‘free range catnip’ and get a link for ‘wetriffs.com’ (Note: wetriffs.com is NOT SAFE FOR WORK!). Today, no search engine relies on keyword meta data because of that (though most sites still include it).

    Nothing can ‘generate’ SEO, because by its nature, optimization isn’t something you generate. It’s something you can leverage and build on, but we don’t generate it. Backlinks are, certainly, a component in getting your site highly ranked on Google for your keywords, but you’re really not optimizing your site for backlinks by doing anything other than making good posts, if you think about it. Maybe I’m splitting hairs, but your page rank (i.e. how cool Google thinks you are) is going to be built on a few things, and while backlinks are one of them, it’s not everything.

    Here’s how you make a good site that’s highly ranked in Google:

    1. Write good content
    2. Include decent meta data in your site’s HTML (If you need help with that, check out Google’s page on Meta Tags.)
    3. Network with other (related) sites to share links
    4. Advertise

    So why do people get all fired up about backlinks? Google themselves say:

    Your site’s ranking in Google search results is partly based on analysis of those sites that link to you. The quantity, quality, and relevance of links count towards your rating. The sites that link to you can provide context about the subject matter of your site, and can indicate its quality and popularity. (Link Schemes – Google.com)

    Sounds great, doesn’t it? If a lot of people link back to me, like Wikipedia, then my content is proven to be good, and I win! You knew it wasn’t that simple, right? Google’s smart. They actually care about the quality and relevance of people linking to you! Heck, Google actually agrees with me when we both say the best way to get a good page ranking is to make good content. More to the point, those get-backlink-quick tools are going to engage in what basically amounts to spam, which will adversely impact your page ranking.

    Of course, there are good backlinks. Like mine to Yoast’s (not that he needs the ‘link juice’ (The term ‘link juice’ is what we use to call the ‘value’ of a link coming back to our site. If I link to you, I give you ‘juice’ which boosts your page rank. In Yoast’s case, he doesn’t need any help, but I give it anyway.)). But the best way to get those is to get yourself known in your arena. People don’t link to new sites because they don’t know about them, so you need to get out there and get known. Talk to a site you admire (or people you admire) and ask them if they’ll read and review your site. Post your articles on twitter/facebook/digg/whatever and basically put in the sweat equity to make your site shine. And if that sounded like a lot of work for you, then you’re right. It is work. It’s hard work.

    The obvious question now is that if these so-called experts are telling you that they can generate hundreds of backlinks, what are they actually doing? They’re ripping you off. There’s no automatic, auto-generated, way to create backlinks. So if someone tells you that they can do it for $19.95, they’re not lying, but they are cheating you out of money, and giving you something useless. If you’ve fallen for one of those scams, I’d cancel that credit card ASAP. I have a horror story about a guy who got scammed and then ripped off for a couple grand.

    The lessons learned from this are pretty simple: There is no quick fix, no magic bullet, no perfect tool that will make you popular. You have to find your audience and pitch good content to them. You have to work hard and yes, this takes a lot of time and effort. Anyone who says differently is selling something. Of course, optimizing the hell out of your site (with caching software and minification and CDN) is a great thing to speed your site up, but at the end of the day, all advice in the world boils down to this: If there’s nothing here for people to read and find beneficial, your site is useless.

    Before you get depressed and think there’s nothing you can do to improve your site, I refer back to Joost de Valk. When people tell me they’re an SEO expert, I compare their website and work to Yoast, because in my opinion, he’s the example of what an SEO expert looks like and he doesn’t call himself an expert. He says he’s a ‘SEO and online marketer.’ Sounds to me like a guy with his head on straight. Pretty much everyone else I ignore. And he’s written the Ultimate SEO Guide and it’s free for anyone to use.

    SEO Folks I Would Hire (culled from my ‘Folks I’d Hire’ list):