Mike Shema is the engineering lead for the Qualys web application scanning service. He has authored several books, including Hack Notes: Web Application Security, and he blogs on web security topics at the companion site for his latest book, Seven Deadliest Web Attacks.

It’s astonishing that 10 years of technological progress have produced web application behemoths like Facebook, Twitter, Yahoo! and Google, while the actual technology inside the web browser remained relatively stagnant. Companies have grown to billion-dollar valuations (realistic or not) by figuring out how to shovel HTML over HTTP in ways that make investors, advertisers, and users happy.

The emerging HTML5 standard finally breathes some fresh air into the programming possible inside a browser. Complex UIs used to be the purview of plugins like Flash and Silverlight (and decrepit, insecure ActiveX). The JavaScript renaissance seen in YUI, JQuery, and Prototype significantly improve the browsing experience. HTML5 will bring sanity to some of the clumsiness of these libraries and provide significant extensions.

Here are some of the changes HTML5 will bring and what they mean for web security

Cross-Origin Resource Sharing

An HTML5 feature with possibly the most potential for mistakes is the Cross-Origin Resource Sharing (CORS) that relaxes the fundamental security mechanism of a browser, the Same Origin Rule. CORS isn’t an arbitrary change; it’s a step towards standardizing what developers are already trying to do in order to build higher-performance sites.

Basically, CORS defines a group of client and server headers that enable a site to define origins that are allowed to interact with another origin’s context. It also provides granularity of lifetime and request methods for this site-defined access control. The following headers show how simple this is to implement from a server’s perspective. (Obviously, we’re just showing the HTTP headers and skipping the server-side code to generate and verify these.)

Access-Control-Allow-Origin: http://domain
Access-Control-Max-Age: 86400
Access-Control-Allow-Methods: PUT, DELETE

The first one, Allow-Origin, is where the worst mistakes will happen. We’ll see who the first sites are to use * in this field — thereby allowing sharing with any domain. There’s already precedent for this in Flash crossdomain.xml file vulnerabilities.

The domain of the Origin matters, not its path, as the spec emphasizes in section 3 — Security Considerations: “… only cross-origin security is provided and that therefore using a distinct origin rather than a distinct path is vital for secure client-side web applications.” Woe to developers who implement cross-origin requests without understanding this precaution.

Watch for potential “space invader” attacks in this area. Origin lists are space-delimited. For example, the following URL is intended to produce an Origin header from http://allowed.origin:


But a browser bug might turn this into:

Origin: http://malicious.spoof http://allowed.origin

Or worse, a server-side bug might turn this into an allowed destination for XHR requests if the page for some reason is building dynamic headers from the URL. In this case, the attacker would look for a weakness in the allowed.origin site that would enable CORS with the malicious spoof site. The vulnerable link might be something like this:


That produces an insecure access control header:

Access-Control-Allow-Origin: http://other.allowed.origin http://malicious.spoof

This last bit about space invaders is pretty speculative at the moment, but possibly not too far off considering the history of browser security. Browser hackers will no doubt be targeting their fuzzers to see how well browsers parse and serialize these headers. URLs may be prone to all sorts of errors, from invalid domains, to invalid ports, to IDN characters — the incorrect handling of which might lead to a buffer overflow or security bypass.

Spoofed headers are a serious threat for CORS and have several possible attack vectors. Unencrypted Wi-Fi combined with HTTP are a recipe for disaster (the least of which is spoofed headers). In the past, browser plugins like Flash have been used to spoof headers in order to bypass security restrictions. Browser plugins are notorious for breaking browser assumptions and playing outside their security sandbox.

Web Storage

The push for richer browser-based functionality also brings the desire to store more data in the browser than normally handled by cookies. Cookies have been the historically clumsy method of saving stateful data. The HTML5 Web Storage specification provides a more flexible way for sites to store data in the browser using essentially a key-value database.

Like most security boundaries in the browser, web storage is based on the Same Origin Rule. As the spec itself reminds readers, this means that the more general threats of DNS-based attacks pose a risk to the security of data stored by a domain. The Same Origin Rule is an implementation of the “Vegas principle:” What happens in one domain is supposed to stay in that domain. The browser assumes that content coming from a domain name is always legitimate, but that isn’t always the case if DNS isn’t secure.

The other danger of web storage will be sites that rely too heavily on it for storing a user’s sensitive data. We’ve already seen instances of sites that don’t properly encrypt passwords in their database. Now we may see sites that store sensitive, personal information via web storage APIs. If the site has a cross-site scripting (XSS), then an attacker would be able to trivially extract this information.

Then there’s the threat of malware. A site might be free of XSS vulnerabilities and otherwise secure, but store lots of valuable information in the browser. Many malware payloads already scan disks
for items like financial information and gaming credentials. Now they’ll start searching for data in these browser stores as well. Diligent devs will use this data storage to improve the user experience, but not at the risk of exposing sensitive information.

Speaking of XSS, HTML5 might have some unexpected consequences for validation routines. An XSS filter might be tripped up by new elements and attributes present in HTML5 that didn’t exist in HTML4. Whitelisting-based filters should be more resilient because the new elements won’t be handled. In any case, devs need to be aware that even though <audio> and <video> may be the most popular new tags, they’re not the only new ways XSS could manifest.

Sins of the Past

The most dangerous security problems won’t be due to features of HTML5. Too many experienced people have been working on the specs to leave egregious errors in the design or in browsers’ implementation of it. The worst problems will come from developers who rush into new technologies without remembering sins of the past. It’s far too easy to fall into the trap of trusting data from the browser just because some hefty JavaScript routines have been assumed to perform all sorts of security validation on the data.

Once data leaves the browser, an attacker can modify it in any way before it reaches the server. Trusting the client to always serve well-formed, valid data is the sure path to SQL injection, XSS, and worse vulnerabilities.

HTML5 doesn’t just have security implications for web developers. The browser has become a highly coveted target for malware. With each browser’s implementation of new HTML5 features will come buffer overflows and other coding mistakes that malware will seek out. As the browser’s end user, there’s little you can do on this front other than to keep your software up to date. All of the new HTML5 features will take a while before they’re securely baked into the browser. Attackers will continually look for bugs by pushing different limits in the browser: Cross-origin requests for thousands of origins, deeply nested elements, resource consumption attacks (DoS) using multitudes of Web Worker threads, and so on.

Luckily, browser developers haven’t been lazy this whole time. The last few years have seen laudable forays into better security and privacy protections. Browsers are starting to implement new headers that can protect against broad classes of attacks. For example, cross-site request forgery and clickjacking can be reliably defended against with Origin and X-Frame-Options headers. This stands in stark contrast to problems like cross-site scripting, for which no easy solution has been found.

Browsers have been pushing the privacy front as well with Do Not Track headers and private browsing options. It’s important to keep perspective on the topic of privacy. While the browser can take steps to make your data protection easier, it has no control and little influence on how a web site will use and protect that data. HTML5 briefly touches on privacy issues and security has direct consequences for privacy.

HTML5 is not a security solution. It’s a long-awaited update to the HTML spec. An update that took the time to be more explicit about both security and privacy issues. The new features of HTML5 will lead to exciting, powerful applications delivered through the browser. As such, it’s important for developers to keep in mind a few basic security tenets: Validate all data from the client, prefer whitelisting approaches over blacklisting, use HTTPS wherever possible, and test your site to make sure it’s performing how you intended.

Interested in more Dev & Design resources? Check out Mashable Explore, a new way to discover information on your favorite Mashable topics.

More About: dev and design, HTML5, technology, web security

For more Dev & Design coverage:

The Web Development Series is supported by Rackspace, the better way to do hosting. Learn more about Rackspace’s hosting solutions here.

You don’t have to get hit by the proverbial bus to know it hurts, and you don’t have to make the same mistakes other devs have made on your way to a functional, widely used, efficiently managed API. In our final post on API management, our panel of experts has returned to give a few oft-committed mistakes for companies or developers offering an API for the first time — and how you can avoid them.

Clear & Fair Docs & Guidelines Are Key

Of course, offering an API involves a lot more than just creating the API itself. Guillaume Balas is an executive at 3scale, which offers full-featured API management and monetization tools. He says many of 3scale’s customers make mistakes such as not including documentation, sample code, or examples. He said that having no Terms and Conditions or unclear T&Cs is also unfortunately common.

Oren Michels is Mashery‘s CEO. His company does API management and strategy for more than 100 brands and 25,000 applications. He agrees that “lousy or inaccurate or missing documentation” is a common mistake, as is “terms and conditions that say ‘no commercial use’ or other things that suggest to developers that for some reason you get to make money and they don’t.”

And with your API, as with many other aspects of your business, “Keep It Simple, Stupid” is a dictum you can’t afford to forget. “Complex registration and key issuance protocols, or worse yet, requiring people to email a key request and wait for someone to get around to responding” is a practice Michels cautions you to avoid.

Be Prepared to Market Your Butt Off

Shanley Kane works on the product team at Apigee, a company that offers a range of API tools for developers and software companies. She says a common mistake is hiding your API under a bushel. “For companies new to the API game, opening up can be scary. Many companies make the mistake of not talking about their APIs — to press, developers and partners — and then wonder why no one is using their API. Commit to making your API a success by embracing the new rules of developer marketing.”

Augusto Marietti founded Mashape, a marketplace for building, distributing and hacking with APIs. He says the biggest mistake many API-offering companies make is not having enough focus in the marketing in the initial months after an API launch.

“You have to target not all kinds of developers,” he says, “but only the developers who need your API to solve a real problem they have. You have to look around, find and contact them, one by one. Those early adopters will spread your API to the world and thousands of other developers.”

Moreover, he notes that in addition to focus, you’ll need a good plan, a lot of resources and a certain amount of stamina. “Launching an API is like launching a new product, in that you have to give it all of your effort for at least six months. [You must] go to meetups, organize contests with interesting prizes that devs really want to have, evangelize your API around the world and organize hackathons.”

Marietti also recommends partnering with other companies with APIs related to your business. You’ll attract more business and split the cost of marketing your API.

Dimitri Sirota is an executive for Layer 7 Technologies, which offers its own suite of API management tools for the enterprise. He says another marketing (or PR) mistake is “having references that don’t relate to your business. Make sure you have references that look like you. For instance, if you are an enterprise, make sure you have enterprise customers supporting and referencing you.”

Get Feedback & Use It

Kane also cautions API-offerers to get feedback “early and often” to have a successful launch.

By “early and often,” she means getting select developers on-board and using your API in its most nascent stages. Invite a few trusted devs to use a private, “pre-alpha” version of your API, and put your API through a thorough beta stage, too.

While in these more formative stages, use the feedback you get to improve your design, find and squash bugs, and generally “make sure that the API is usable and pleasurable when you go live,” says Kane.

Brace Yourself for Traffic

Kane also says many API noobs are not prepared for the scope and scale of API traffic, which, she warns, is quite different from the traffic your web app might see.

“Your API will be accessed by mobile apps, web services and potentially hundreds of connected devices and platforms. Supporting that traffic means building out an API stack that will scale, prevent abuse and misuse, support mobile optimization and give you visibility and control.

“There are a number of API-specific solutions out there … but the most important thing is to understand how API traffic is different, and then you build your infrastructure accordingly.”

Sirota says many companies make the mistake of “not using a robust proxy that can provide a range of security and management controls.”

Understand How the API Will Affect Your — & Devs’ — Business

Michels gets the sage final word, saying that
many companies make the mistake of not truly understanding how an API can grow their business. Instead, companies believe developers should all be paying for API access and should only get limited access, at that.

You might want to change directions, he says, if your API offers “no path to success — limits on traffic or usage that can’t be raised if someone is successful.” Or if your company is charging for your API, “believing that developers will plunk down a credit card and pay by the call, or by the thousands of calls.”

The overarching mistake here, he notes, is “not understanding how and why the API will improve and grow your business and focusing on making sure it does that.”

Sirota makes a similar point, saying a big mistake is “starting too big and worrying about revenue from the get-go. Start small. Get an API out there and learn — worry about revenue later.”

Do you have other tips for avoiding API mistakes? Let us know in the comments.

Series Supported by Rackspace


The Web Development Series is supported by Rackspace, the better way to do hosting. No more worrying about web hosting uptime. No more spending your time, energy and resources trying to stay on top of things like patching, updating, monitoring, backing up data and the like. Learn why.

Image based on a photo from iStockphoto user alxpin

More Dev & Design Resources from Mashable:

Ruby on Rails: Scaling Your App for Rapid Growth
Should Your API Be Free or Pay-to-Play?
HOW TO: Get Devs to Use Your Company’s API
Should Your Company Offer an API?
10 Tools for Getting Web Design Feedback

Image based on a photo from iStockphoto user alxpin.

More About: api, api management, api series, APIs, developers, web development series

For more Dev & Design coverage:

When it comes to social networking sites, there’s really nothing quite like Twitter. The simplistic design and layout belies it as a basic program, when it’s really just the opposite. It’s actually extremely complex, using a number of incredible and unique coding designs, trackers and searches. Entering the world of Twitter is like entering an internet realm all its own.

Twitter gives you the ability to gain a pretty serious following through just the connections of mutual friends alone. It’s not like other sites, where a friend request allows a huge amount of access. It’s an open-format chat setting that invites communication and connections with anyone who happens by. This is why you might need a little extra something to help keep track of all of your followers.

These are five of the best trackers to help you organize the people who watch your Twitter, or conversely whom you watch in return.



A seemingly simple application, TwitterKarma allows you to view both everyone who follows you and whom you follow. You can distinguish who’s following whom by the green or red arrow indicators moving from one username to another. You can also be more selective on whom you want to view based on actions such as who’s recently updated or who’s new on your list. It is an easier way of looking at recent tweets without dealing with all the clutter.



A level of Twitter etiquette has developed which most people like to follow. One of these unwritten rules is that when someone follows you, it’s only polite for you to follow them in return. But what do you do when your list has become so large it makes it difficult to keep track of who among whom is a mutual tweeter? FriendOrFollow allows you to enter your Twitter username and see not only who’s following you, but also whom you’ve followed and vice versa.



ReFollow is probably one of the most extensive trackers I’ve come across. It not only shows you followers and those you follow, but also anyone who happens to be in the interconnection of them. Which means you can easily see friends of friends, and from there you can see friends of friends of friends, and…well, basically as far as you like.

You can also search people by things like their location, sex, age, specific keywords in their bio, or a number of other things. You can then sort them a dozen different ways, including whether or not they have ever @username’d you. For those of you who want full control over your account – ReFollow can be extremely helpful.

Tweepler (down)


While there is a certain Twitter etiquette, it’s definitely no requirement that everyone who follows you must be followed back. Sometimes we just don’t have the interest or time to invest watching what certain people are up to, and Tweepler makes this an easier matter. You have two ‘buckets’ to put users into. In one, you will be able to save those you want to follow, and it will do this en masse. In another, you will have the people you want to ignore, which it will also do all at once for you. Easy to use, and very handy.

Of course, these are only a few possible Twitter trackers that you can use. Do you have one you are especially fond of? Let us know in the comments!

Check out the SEO Tools guide at Search Engine Journal.

5 Great Twitter Track Tools to Organize Followers

Prince William, son of Prince Charles (heir apparent to both the throne of England and the Commonwealth) and Princess Diana (may she rest in peace), is getting married to his long-time girlfriend Kate Middleton, daughter of two people who are significantly less famous than Charles and Di. (For those who are truly interested, Kate is from a family of airline enthusiasts; her mother is a flight attendant and her father is a flight dispatcher). If you’re one of the nine people who wasn’t already aware that the “royal wedding” is taking place today – right now, even – then it’s time you get a move on! Luckily, there are still ways you can check out video of the wedding itself, view live streams of remaining events, check out highlight reels, and get updates in a variety of other formats. Here are five ways you can check out the royal wedding in all its many forms.

1) Via Streaming Video

While the wedding itself took place earlier this morning (11am BST, 7am EDT), there are still events that can be viewed through live streaming – including the reception and, of course, commentary and highlights from events earlier in the day. Here are just a few of the places you can check out what’s going on now:

Want more? Check out last night’s SEJ entry, which contains a full list of streaming resources. And don’t worry: many of these resources are likely to broadcast a trimmed-down version of the ceremony itself once a little editing/commenting time has been allowed.

2) Via Twitter

Are you a tweet-a-holic? No doubt, Twitter will be flooded with posts about #rw2011 – the official hashtag of the event. Meanwhile, #RoyalWedding is likely to see plenty of hits, and the ABC-invented #RoyalSuccess and #RoyalMess will help people get a narrower view of the goings-on. Additionally, there are a few dedicated channels for event tweets, including:

Further, individual anchors and news sources are sure to post their own insights:
And don’t forget to pay attention to @kate_middleton (we’re pretty sure it’s the legit Princess Kate, but no one seems to have the official verification). Prince William, sadly, officially has no Twitter account.

It’s anticipated that media tweets, as well as links to other commentary, clips, and more, will be linked like mad.

3) Via Tumblr

Love the microblogging service? Check out the official royal wedding page or add to it yourself. Thus far, this page seems primarily devoted to funny pictures and a few on-the-scene snapshots, but more is expected to be uploaded as the day progresses – with a huge swarm of media once those who made it to the event make it back home with their digital cameras.

4) Via Flickr

Image junkie? Flickr has two major resources for you: the official British Monarchy account, which will be uploading authorized pictures of the event, and the People’s Royal Wedding group, designed to show the groundlings’ view of the wedding. You can also check out the royal wedding Life gallery, which will include both wedding photos and images of responses, related events, and so on.

5) Via the Official Site

One of the best resources for those who want a bit of everything is the official royal wedding site. Not only will the site be showing off the official video stream of the event (it’s the same one as you’ll find on YouTube’s “Royal Channel”), but you’ll also see content pulled from the official Facebook page, the Flickr account, and the Twitter page. Additional resources (descriptions of the event proceedings, an FAQ, background information on the bride and groom, suggestions for ways to wish the couple a happy life together, related news stories, and more) are also present and accounted for on the official site.

Know of another place to find great content about the royal wedding? Know a site that’s already showing off a video of the ceremony itself? Let us know by using the comments section below.

Check out the SEO Tools guide at Search Engine Journal.

Royal Wedding Online: 5 Ways to Watch Video of the Royal Wedding

Posted by randfish

Out of the many recent accomplishments that we’ve had, perhaps none is more exciting than the recent publicity we received from being named in Seattle’s Top 10 Places to Work by Seattle Met Magazine:

Seattle Met: Best Places to Work
What do rubber band balls, coffee, cupcakes & a workspace w/ no computer have in common? The cover of this month’s Seattle Met magazine!

But, magazine articles aren’t the only things that should entice you to join our ragtag bunch…

Our Office

When you step foot inside SEOmoz, you’ll be forced to breakdance… Well, OK, that’s only if you mindlessly obey floor diagrams. You will, however, find a space that’s fun, productive, light-filled and only a block away from the Pike Place Market. We have pretty cool meeting rooms, too.

Lots of windows help keep the gloomy Seattle weather from damaging our sun-starved bodies

Xbox Kinect on Friday Nights

Our Team

The 34 people who work at the MozPlex are absolutely amazing. I noted in the Seattle Met piece that we bias toward folks who are not only smart and capable, but fit our culture of TAGFEE. That’s resulted in a group that I’m proud to call co-workers and friends.


Cyrus + Jen from Marketing, Chas from Engineering + Miranda from Product 

If you’ve met Moz team members at events or interacted with us over the web or phone, you’ve probably already been impressed. If you haven’t… you should apply for an interview at one of the positions below just to come to say Hi! 🙂 (OK, probably not really, but you should at least come to our NYC meetup May 12, the Distilled Boston conference or MozCon this summer).

Our Mission: Simplify Organic Web Marketing

We’re privileged to tackle a huge, meaningful problem in a massive market. It’s our goal to take what is today a massive, complex set of tasks + challenges and make them accessible to non-experts, trackable via solid data and provide recommendations + automation to make improvement easy.

Inbound Marketing

This stuff is really hard. We’re building software to make it less so. If that’s something you’re passionate about, we think there’s no better place to be.

Our Customers + Community: More than a million strong!

In March, SEOmoz + OSE had its first ever combined 1million+ visit month:

SEOmoz's Traffic in March 2011

Open Site Explorer March Traffic 

As if you needed another reason not to trust Alexa, Compete, Quantcast, etc. 🙂

Over the years, millions of people have used our tools + resources to learn more about search/web marketing and improve their sites. Our market position is an exciting one, filled with opportunity, but we know that great responsibility comes with that privilege. One of the best things we can offer to prospective employees is the chance to have a big impact on an emerging field – it’s the same thing that makes me excited to come to the office (or hop on a plane) every morning.

We’re Hiring Eight Exceptional People!

In addition to our ongoing search for world-class software engineers, I’m thrilled to announce eight new positions on the Moz team:

SEOmoz wants people who believe in our mission and in TAGFEE. We’re unique in focusing not only on great talent, but great fit with our team. If you read the blog regularly or have stumbled across a few posts from us and feel a kindred spirit, we’d really love to talk. If you’re new to SEOmoz but curious to learn more, we are too and we hope you’ll take that first step by clicking and applying to one of the positions below:

Awesome Job #1: Marketing Oracle (aka Quality Content Honcho)

Producing exceptional content has been the foundation of our strategy since the beginning. We’re looking for someone to produce extraordinary content for us and manage our entire content production process (the blog, news, guides, videos, and lots more). Whether it’s original research, data analysis, or thought leadership in the inbound marketing space, we’re looking for someone who can become our best blogger and produce our most linked-to content. You should have a proven track record of producing quality, engaging content for social media audiences, experience and knowledge of all forms of inbound marketing, and the ability to see where things are headed (i.e. be a marketing oracle).

Quality content is of the utmost importance to us, and you must share this obsession. You should be able to distill complex ideas into simple ones, create visualizations and infographics of data sets, and have a deep-rooted desire to teach and communicate ideas online. You’re abreast of the latest industry news and able to quickly respond and communicate the implications to our community. This position is unlike any you’ll find at other companies — there are few formal requirements. If you’re passionate about producing phenomenal content, then this job is for you!

Apply for this job or refer a friend

Awesome Job #2: Online Marketer

We’re looking for an amazing online marketer. You know how to dominate paid marketing channels and are obsessed with managing them every day—making adjustments for daily performance gains, performing detailed analysis in Excel, and creating key performance indicators in Google Analytics. You’re obsessed with managing data to a positive ROI. You know how to take charge of new channels that aren’t even popular yet (Twitter Advertising, for example) or can learn how to very quickly. You make use of acronyms like PPC, CRO, CPA, CPM, CPC in daily conversation. You don’t just know these acronyms, you have years of practical ex
perience working with them.

When it comes to performance marketing, you believe in a data-driven culture and the power of ongoing testing. If you like getting creative on a daily basis, testing new marketing waters, and collaborating with other passionate marketers, then this position is all you. But most of all, you really want to work for the awesome and talented Joanna Lord.

Apply for this job or refer a friend

Awesome Job #3: Systems Administrator

To be a Mozzer System Administrator, you should be a Mac ninja and Google Apps whiz, have a good sense of humor, and have The Office Tivo’d. You have a desire to work with a bunch of technology rockstars who are passionate about developing stellar Internet marketing software. You often find yourself daydreaming about networking, development support, and production support. People often catch you using words like Cisco, MySql, and Samba constantly. You’ll provide desktop support for over thirty MozStaff and those to come in our rapidly growing office. We would love for you to work with and support the development team from prototype to staging to production; providing systems resources, setup, and monitoring.

You should know administration of Macs and some Windows and Linux systems, network administration including Cisco ASA with VPN, wireless networking, and Google Apps for your domain. Joining SEOmoz would a great opportunity to learn new technology and show your skills by enhancing what is already in place. We run part of our systems in the cloud, part hosted, and development is virtualized—so, you’ll spend part of your day on the ground (managing our office’s computers), and part of your day managing our cloud systems—we won’t be upset if your head is up in the clouds.

Apply for this job or refer a friend

Awesome Job #4: Graphic Designer (Web UX/UI)

We’re looking for a web designer with the ability to create mind-lasers with his/her design talents and destroy web zombies with his/her Photoshop cannon abilities. Swoosh. Explosion. If you have the ability to liquefy rainbows and concentrate their pantones into web-safe colors, we want you! You’ll participate in site discussions, information gathering, team brainstorms, critiques, and presentations with the product team and marketing team. Daily tasks center on a comprehensive understanding of the design vision of SEOmoz, leading to the creation of new visual assets, concepts and the production of a full suite of site material and interface components. This role will also be involved with periodic maintenance of current site design material.

You should be a solid communicator (iambic pentameter optional), actively seeking and spreading inspiration, regularly challenging the status quo of our current designs, and curiously seeking out and learning about new tools and design trends. Did we mention you should have mad Photoshop and Illustrator skills, like pie, and wear Threadless t-shirts? Those who do not love tightly-kerned Helvetica Bold need not apply, or have a good reason not to. 😉

Apply for this job or refer a friend

Awesome Job #5: Customer Service Expert

Do you <3 the Internet, love helping people, and laugh easily and often? Do your friends call you when their computers barf up strange error messages? Does Search Engine Optimization fascinate you? Are you unafraid of the early morning—or love making copious amounts of coffee? If this sounds like you, then we should chat. As a Customer Service Expert on our morning shift (6:30am to 3:30pm), you will contribute to the team by assisting our customers with all of their SEOmoz site and billing problems.

This includes the technical problems they encounter using our site and tools, and the billing questions they have about their accounts. You’ll diagnose problems and provide helpful advice across several different platforms: Firefox, Chrome, Safari, IE, Windows and Macs. By understanding our customers’ needs and working closely with the product and marketing teams, you will help us build high quality, delightful products.

Apply for this job or refer a friend

Awesome Job #6: Community Attaché

Our community is one of the most vibrant on the net. The Community Attaché, along with Jen Lopez, our Chief Community Wrangler, will connect, develop and nurture that community. Seriously, you want to have our community over for a sleep over. One of your primary responsibilities will be managing the day-to-day operations of our PRO Q&A Forum—you should be excited about increasing participation, quality and functionality. You’ll ensure questions are answered quickly, and that great answers are rewarded and recognized. You don’t mind rolling up your sleeves and reviewing dozens of questions daily. You’ll connect weekly with lots of community members and develop and manage a team of associates and moderators who will help you keep things running smoothly.

You’re passionate about user-generated content and will encouraging participation in YOUmoz (our user-generated blog), walk new authors through the process, help edit submitted posts, and publish and promote finished content. You love SEO and social media and should have experience with both. Most importantly, you aren’t afraid working with a wonderfully diverse set of people (including some very occasionally grumpy ones) who are passionate about online marketing and SEO. You must also enjoy giving and receiving hugs. 😉

Apply for this job or refer a friend

Awesome Job #7: Business Development (Chief Friendmaker, API Guru)

You like to create things, whether that’s partnerships, creative new uses for our API, or lasting friendships with SEOmoz customers. Maybe you’ve worn a suit in the past and want to work somewhere where shorts and a t-shirt are typical attire. You’ve got technical chops and are able to devise creative ways for others to use our data. You want to create
new distribution partnerships that develop new marketing channels for SEOmoz PRO. You should have experience and knowledge with the SEO industry—you’ll be helping large agency and enterprise customers adopt our software. You’ll also be the primary point of contact for our API customers and always be on the lookout for new opportunities. You’ll feed new technology ideas to our product team who will make those ideas a reality. You’ll foster a community of API developers and host developer hack days.

You should have business development experience but not be afraid of a company that encourages honesty and informality in business dealings—we prefer friendships to partnerships. You should also be a super-friendly person that people love to spend time with—big plus if you can do a cartwheel, know how to make friendship bracelets, or love talking partnerships over Happy Hour.

Apply for this job or refer a friend

Awesome Job #8: Software Engineers!

We’re still hiring Software Engineers and offering a $12,000 bounty both to the engineers who are hired and those who referred them. To get the full scoop, see this earlier blog post.

Why You Should Work Here in One Photo:

So, if all this seems interesting, we’d love to chat with you, and if you know one someone who’d be a good fit for any of these positions, please send them our way; there’s a nifty "Send JobVite" link on each jobs page that lets you share a position via Twitter, Facebook and LinkedIn.  We’ll always keep our careers page updated with the latest positions at www.seomoz.org/about/jobs. Oh, and we’re definitely an equal opportunity employer.

p.s. We do offer re-location packages and assistance, but we can only accept folks who can legally live/work in the US (much as we’d love to make more international hires, navigating the US visa system is, as yet, beyond our means).

Do you like this post? Yes No

Microsoft Corp. today announced third-quarter revenue of $16.43 billion for the quarter ended Mar. 31, 2011, a 13% increase from the same period of the prior year. Operating income, net income, and diluted earnings per share for the quarter were $5.71 billion, $5.23 billion, and $0.61 per share, which represented increases of 10%, 31%, and 36%, respectively, when compared with the prior year period.

The world adores a royal wedding. Prince Charles and Princess Diana had a televised wedding with three quarters of a billion viewers back in 1981 – and their son, William, will likely break past the billion viewer point. After all, the event will be broadcast on TV and live on the web, thanks to 21st century technology. There are a great many sites streaming the event live, and several offer unique advantages, commentary, or perspectives.

Some general notes: Most broadcasts start between 8:00am and 10:00am BST (British Standard Time). BST is four hours ahead of EDT and seven hours ahead of PDT. The wedding itself, which is expected to last about an hour, will take place at 11:00am BST – with coverage of the events before (expected to be comprised mostly of commentary on – as ET puts it – the “pre-nuptial frenzy”) and after (including the procession and reception) being covered by the almost all live broadcasts.

Now, here’s a quick breakdown of recognized news sources that are streaming the event live:


The “Royal Channel,” the official YouTube channel of the British royal family, will broadcast the event live starting at 10am BST (5am EDT). The Royal Channel also has a number of videos currently posted which discuss the wedding, and users can even submit their own “best wishes” video for the bride and groom.

ABC will be using Hulu Live to broadcast the event starting at 9am BST. Coverage will be provided by veteran anchors Diane Sawyer and Barbara Walters.

CBS News is covering the event starting at 9:00am BST. Katie Couric will be doing coverage and commentary.

PBS NewsHour is broadcasting the event on Ustream starting at 9:30am BST (4:30am EDT).

MSNBC will stream the event on their own site, presumably starting somewhere between 9 and 10 am BST (with exact details as of yet unconfirmed).

CNN is covering the event starting at 9am BST. It will be streamed both on their site and through their smartphone and tablet applications.

Fox News will also broadcast on Hulu Live, with their coverage beginning at 10am. It will be anchored by Shepard Smith and Martha MacCallum, with assistance from Gretchen Carlson, Jonathan Hunt, and Joan Lunden.

The Associated Press will be on the scene and broadcasting via Livestream starting at 6am BST. Their coverage will be the earliest available on the web, commencing from the arrival of the very first guest.

ITN (Independent Television News) will be broadcasting their live stream via Facebook – allowing users to view and share a more natively British perspective.

Entertainment Tonight (ET) and The Insider are using Livestream to broadcast the event starting at 10am BST.

E! Online will broadcast on Facebook starting at 9am BST. Facebook users will be able to stream the event on their own wall using the E! Online video link. Mobile users can also view the E! Online broadcast on nearly any modern smartphone.


If you’re looking for a less “news-oriented” take on the event, there are also some specialized and niche broadcasts taking place. Those include:


Tila Tequila will be giving her commentary via Ustream starting at 10am BST (though what, precisely, she will be focusing on has yet to be said).

Popsugar, broadcasting on Ustream, who will give a running commentary on fashion (primarily hair styles and dresses) and flowers during the event starting at 8am BST.

Jason Mewes and Kevin Smith, more commonly known as Jay and Silent Bob, will broadcast the special event “Jay and Silent Bob Get Married” via Ustream starting at 10am BST.


Know of another location streaming the event? It’s not too late! Give us a shout and we’ll add it to the list, or provide your own link in the comments section below.

Check out the SEO Tools guide at Search Engine Journal.

How to Watch the Royal Wedding Online

Posted by Aaron Wheeler

 Last week, Rand discussed the importance of correlation data in general and how you can use it for SEO research. It’s a lot easier to get things done if you know which tasks are high priority and which are low, and correlation data can help. This week, Rand finishes off this two-part series on correlation data by discussing some specific observations we’ve made about correlations between SEO tactics and their effects on rankings. There are some very interesting conclusions, so check it out! Also let us know in the comments below if you’ve been able to draw any correlations of your own.


Video Transcription

Howdy, SEOmoz fans. Welcome to another edition of Whiteboard Friday. This week the second in our two-parter on correlation data for SEO and social media analysis. I’m really excited about this one. We’re going to be talking about very specifically a few of the really interesting things that we’ve observed from correlation data.

Last week, if you recall, we talked about a lot of the basics of correlation data. I showed some simple examples why it’s useful both in aggregate and when studying some of your own stuff.

Today I’m going to be talking about some of those big aggregate average numbers collected from thousands of points of data to see what predicts better rankings over all. I want to be really clear, just to reiterate from last week. Remember that correlation is not causation.

One of my favorite examples, the one I like to use a lot is the one with dolphins. So, dolphins swim in pods, and some of the ones that swim in the front of the pods have different characteristics than ones that swim at the end of the pods, just like things in the search results have different features at the front of the search results – the top of the search results position 1, 2, 3 – than the things that are further down on the search results, 5, 10, 15, 20. Right?

So, we look at an analysis of what makes for front of the pod swimmers in both scenarios. With dolphins, it’s things like, well, they have larger dorsal fins and they’ve got stronger flippers. They also have more damage. They’ve got like scars and pieces of glass or something like that, like cuts and scrapes in their flippers.

So two of those things, the bigger dorsal fins and the stronger flippers, that probably is causal. That’s what’s causing them to be front of the pod swimmers. But the damage is that really, it has a high correlation, it’s got a good correlation with swimming at the front of the pod. Does that mean that more damage means you’ll swim at the front of the pod? If we were to bash up a dolphin’s fins who’s swimming at the end of the pod, would he suddenly move to the front?

No. Right, it’s correlation not
causation. It’s features that predict what people will look like up there. So when we are looking at things that are rankings, just remember this is correlation, not causation. Some of the features here might be things like damaged flippers, not stronger fins. So keep that in mind as we’re looking at this.

That said, let’s talk about some of these cool things. Number one, one of the things that we saw last June, we did a big analysis of Google versus Bing and the different ranking factors, looking at correlation across 11,000 search results in both. We had a very, very small standard error so that we can be very sure that these correlation numbers go across probably all the search results at the time.

We looked at things like number of linking root domains and the keyword in the title, the keyword in the domain name, document length. We looked at the length of the title and mozRank and PageRank and dozens of other features. What we found was that Google and Bing are not so different. In fact, on a lot of the SEO basics, the things that you would do for Google or for Bing are the same that you would do for the other engine.

That’s really cool to learn because it means that we don’t have to develop one site that’s trying to rank well in Google and one site that’s trying to rank well in Bing. We do different things for different ones of them. No, in fact, these engines are really, really similar. Then, of course, we found out in January of this year that Google had been running these experiments because they thought Bing’s rankings looked too close to Google rankings. They were worried, and so they did this click stream, honey pot, and, of course, discovered that Bing was essentially measuring through Internet Explorer where people click after they perform search on any engine, including Google. Google got upset about this.

Nevertheless, I think that says, oh well, our analysis that these two engines are pretty similar, kind of verified by some other data including Google people thinking, hey, wait a minute these are looking really, really similar, right?

We get this big takeaway that, unlike the late ’90s or even the early 2000s when SEOs used to build different websites targeting different search engines because they wanted different things, today we can really build one. That’s a great takeaway. God, it saves us a ton of time and worry.

Number two, Facebook shares are highly correlated with Google rankings. This was one of our takeaways very, very recently, in March of this year, so just about a month ago, maybe a little less, depending when this Whiteboard Friday airs. You can see here that Facebook shares, in fact, were our single highest correlated, number one. Highest correlated metric with ranking higher, predicting that you would rank higher in Google among all the things that we measured.

We measured about 150 different factors, everything from keyword usage on the page to link metrics, to things like tweets and that kind of stuff. Those Facebook shares just seem to have an incredibly good correlation. A correlation so high, especially in, remember this 0.29 on a scale of 0 to 1 would not be that high. In a really simple system, where there’s only one or two metrics that predict, 0.29 would be probably kind of low. But in a system where there’s supposedly 200 plus unique ranking factors – probably much more than 200 plus at this point – but in a system with that much complexity to see one metric that predicts such a high correlation is extremely rare. In fact, we’ve only seen a few metrics that are up in that 0.29, 0.3 range ever in the history of looking at correlation data.

We can kind of say, huh, seems like Google must be using these Facebook shares. Not necessarily directly. They might be getting more data from Facebook, but there’s something going on there. Of course, Google themselves and Bing as well admitted in an interview with Danny Sullivan on Search Engine Land that yes, we use data from Facebook and from Twitter directly in our web rankings to help with our algorithmic search. Facebook shares, you can see that correlation. You’ve got to be thinking, as an SEO, how do I get me some of those Facebook shares on my pages?

Number three, we looked at, one of the weirdest things to come out of our March 2011 data was the fact that no-follow links seemed to have a positive correlation with rankings. One of the things we did when we saw no-follow links having a really high correlation was we went, well that’s just weird. Maybe what’s going on here is that no-follow links and followed links have a high correlation with each other, and in fact, they do. If you have lots of no-follow links, you tend to also have lots of followed links. So, that makes sense. All right maybe that’s all that’s causing it. But then there’s this one weird, weird data point – well, there’s several weird ones – but there’s this one weird data point around the percentage of followed links having a negative correlation, kind of a strong negative correlation with rankings, which sounds weird, but it suggests that websites and web pages that don’t have any no-follow links aren’t performing as well as those who have at least some or some reasonable percentage of them.

You kind of think about it. You scratch your head, like, "What? Wait, does Google want me to have no-follow links?" When you think that way, just remember correlation, not causation. So, it’s not necessarily that Google’s saying, "Oh, well, this website doesn’t have a lot of no-follow links so let’s rank them lower." That seems kind of crazy to me. I don’t think that ‘s the case. Possible but I don’t think that’s what’s happening.

What I think that’s happening is that people who do natural things, normal websites, this is not normal. It is not normal to have a website that only has followed links. It’s almost like, man, you must be doing something funny because normal websites earn links from no-follows. They get linked to on Wikipedia, which is no-follow. They have blog comments that people leave and point to them. Those are no-follow. They have social media profiles. Almost all of those are no-follow. People tweet about them. Those are no-follow. There are all of these no-follow links that exist from sort of good places on the Web where you would naturally be mentioned if you’re a good website.

So, to have only followed links is weird. No wonder . . . I don’t what it is exactly. We don’t know what it is exactly that Google’s measuring here, but I’m sure they’re looking at this, not at this but at metrics that say, huh, this website does not interact in its ecosystem. One of the things that predicts those is no-follow links, and that’s why you see that negative correlation.

Lots and lots of cool stuff, interesting data that we can take away from correlations even though we know it’s not causal. We can say to ourselves, huh, this probably means, right? This probably means, oh, I’d better be interacting in the environment, and I shouldn’t worry about getting no- follow links. This is not going to hurt me. In fact it might actually predict that I’m doing more good things on the Web.

In this case, right, it’s saying, oh, you know what, Facebook likes have a much lower correlation, because liking something on Facebook, clicking that thumbs up button is so much easier than sharing and actually posting to your wall. I know the like textually posts to your wall, but it doesn’t show up in top news. It only shows up in recent updates. So sharing, oh, that’s a good behavior to start encouraging. Maybe I should be encouraging more shares than likes on my pages. Having this, the Google and Bing data says, oh, I can build one website and do a lot of the key basics that are going to be the same for all of them.

This type of data is incredibly useful. We love doing it. We plan on doing a ton more. If you’ve got requests for things that you would like to see us do, please put them in the comments and we will be happy to try to measure them in the future.

Hope this data is inter
esting for you. Hope lots of you start doing more correlation analyses, rigorous data analyses of this type. I think it will be assume if we, as a community, start to make a lot of our insight and our intuition a little more scientifically based, math based. I’m very excited for it.

All right, everyone. Thanks for watching these two Whiteboard Fridays. We will see you again next week. Take care.

Video transcription by SpeechPad.com

Do you like this post? Yes No

Google has released a stable version of Chrome 11.

The new version, released Wednesday, brings bug fixes as well as some fascinating translation and speech-to-text features, GPU-accelerated 3D CSS and a simplified new icon.

Users can download Chrome 11 at the official Chrome page.

With the speech-to-text support, users will be able to click an icon and speak into the computer’s microphone, and Chrome 11 will transcribe the speech into text. Developers can add this feature to their website or web app.

This magic is made possible by the HTML5 speech input API, which you can also see in action at HTML5Rocks.com. Another nerdy implementation of the same feature can be seen in this Captain Kirk Bot.

Google Translate in Chrome 11 takes great advantage of the API, giving users the ability to translate spoken words into another language; users can both read and listen to translated speech.

As far as bug-squashing goes, Google shelled out a record $16,500 to individual developers who pitched in on taking the release from a beta to a stable version. The company paid between $500 and $3,000 for patching such vulnerabilities as corrupt node trees with mutation events and dangling pointers.

Google also gave special thanks to Apple Product Security team members miaubiz, kuzzcc, Sławomir Błażek, Drew Yao and Braden Thomas who helped take the browser to a less buggy stable release.

More About: chrome, chrome 11, Google

For more Dev & Design coverage:

As a self-proclaimed Excel fanatic, it’s pretty clear why I’d want my spreadsheets available everywhere. There are some great app options for the business minded person who enjoys the benefits of spreadsheet programs as much as I do. These allow you to look at anything from profits and annual earnings, to employee checks and monthly expenses. They work on the iPhone just as well as they do on a PC, and they’re available at your fingertips anytime, anywhere.

There are dozens of iPhone apps available for this purpose to choose from, but these five picks are arguably the best around.

1. Spreadsheet



Most people have Excel, which remains the most widely used financial program around the globe. With the Spreadsheet app, you can upload Excel files for viewing and editing with easy to use cut-copy-paste functions – an important Excel staple. Another great feature is being able to open files created with other platforms, such as OpenOffice, as long as the files were saved as an Excel specific spreadsheet.


2. Documents 2 Go

Documents 2 Go


This app is in many ways similar to Spreadsheet. However, Documents 2 Go uses a larger font, which for some can make a big difference. People with eyesight as awful as mine will find it a relief being able to read this app’s larger font in comparison to most other programs. Highlighting is a cinch, and again, you can cut, copy and paste.


3. Quicksheet



Quicksheet is one of the few iPhone spreadsheet apps that allows you to use password protected files. It’s also easier on the eye than most, with an attractive blue, gray and white motif, with black text.


4. Sheet2



If your needs extend beyond Excel, Sheet2 is compatible with Excel as well as with Numbers and NeoOffice. It also has a more unique and interesting look than other interfaces, as it gives the appearance of a chalkboard, complete with written chalk lettering.


5. Spreadsheet LX

Spreadsheet LX


If you’re looking for more of a number crunching type program – Spreadsheet LX is for you. It may not be as neat as most, but it works wonders as an advanced calculator capable of saving results and creating quick expense run downs. I actually like this program because it’s the definition of simplicity. The one downside is that it has limited compatibility with other formats.


These are only five out of dozens of options available, but they’re solid, useful, and interesting applications that you can use anywhere. Have some suggestions of your own? Let us know in the comments section!

4. Sheet2








Check out the SEO Tools guide at Search Engine Journal.

5 Awesome Spreadsheet Apps for the iPhone