PayPerPost Is Now Officially Absurd


Many commenters in previous TechCrunch posts on PayPerPost compared their business model to payola in the music industry. At PayPerPost, bloggers are offered cash to write about products. Disclosure is optional, and often the bloggers are required to only express positive comments. The company is now well funded, and a number of competitors have launched. This “virus” seems here to stay.

Don’t look for PayPerPost to require blogger disclosure anytime soon. Instead, they are creating a distraction, designed to keep the buzz about PayPerPost going strong, as well as to move people’s attention away from the core issue of blogger disclosure of product shilling.

In a move reminiscent of big tobacco funding tobacco research, PayPerPost is announcing a new initiative on Monday called DisclosurePolicy, which “provides policy creation tools, best practices and forums for discussing the delicate balance between content creator freedoms and audience transparency expectations.”

DisclosurePolicy creates a disclosure policy for bloggers to post on their blogs, based on their answers to a few questions. They will also pay every blogger who posts a PayPerPost disclosure policy on their blog $10.

While that sounds like a fine idea, PayPerPost bloggers should also be disclosing the fact that they are being paid for their post prominently within the post, not on some separate page in their blog. PayPerPost also plays subtly with the language it uses, particularly around the definition of “compensation”, to suggest that all blogs have bias (and therefore that PayPerPost isn’t really that bad). Here are the three choices – bloggers must choose one:

This blog does not accept any form of advertising, sponsorship, or paid insertions. We write for our own purposes. However, we may be influenced by our background, occupation, religion, political affiliation or experience.

This blog does not accept any form of cash advertising, sponsorship, or paid topic insertions. However, we will and do accept and keep free products, services, travel, event tickets, and other forms of compensation from companies and organizations.

This blog accepts forms of cash advertising, sponsorship, paid insertions or other forms of compensation.

If you are a PayPerPost blogger, or the New York Times, or anything in between, you must pick the third option. That’s because “taking advertising” and “paid insertions” are defined as the same thing. And even if you have no form of advertising or other revenue on the site, you have to admit to bias based on “background, occupation, religion, political affiliation or experience.”

Blurring the lines in this way, facilitating the pollution of the blogosphere while creating an illusion of doing something good for the public, is a good business move for PayPerPost. But it is a terrible development for the blogosphere and public trust. I hope that very few bloggers are suckered into going along with this.

  • J Novak

    Actually, you mis-read the quote about how “most databases either don’t accept blah blah”. It is the case that the database SAVES RAILS, not that it’s to blame this problem. If you have a database and filter unicode through it, you’re safe(r).

    • José Valim

      @Novak is right. They say that almost all databases probably do not accept those UTF8 weird characters, so the database saves you at the end of the day.

      They *don’t* blame the database at any time.

    • Nik Cubrilovic

      you might be right – they say at the top it’s a vulnerability in the form helper, and in ‘impact’ talk about the db. reading now – thanks.

      • Brock Batsell

        Care to explain why, after being informed 8+ hours ago that your last paragraph is completely factually incorrect, and seeming to acknowledge that fact, the piece still stands uncorrected? That’s absolutely insane. The Rails security release doesn’t even remotely say what you claim it does; simple reading comprehension would have disclosed that.

      • sponge j

        It is cute, techcrunch giving advice on development. Add this one, don’t take development advice from techcrunch.

        Anyone using RoR is foolish. Anyone sensible from that community bailed long ago. Funny you mention the disinterest of the basecamp guys, since they are “the” RoR guys. They mainly care about cash and ego.

        Last bit of advice, techcrunch, you should bail on your RoR systems, future fail coming for you.

      • Tyler

        4 days later and still no correction. Keep it classy.

  • j user

    Nik, are you just trolling for attention with this article? For fun, I started googling web-dev frameworks to see which had XSS vulnerabilities. I ran out of time looking for one that didn’t.

    You’re obviously just using this as an excuse to sling mud. Lame.

    • Nik Cubrilovic

      everything else also being vulnerable makes me feel better and explains why 37s handled this so well. thanks.

  • Nikolay Kolev

    Isn’t Twitter using Scala nowadays?

    • Nik Cubrilovic

      possibly middleware – they never confirmed it. the web is def still RoR

    • Paolo

      They started using Scala for some background jobs and liked it.

      This is an interview with the Twitter team

      Quoting from that article: “We find Ruby and Scala are very complementary. We use Ruby, actually specifically Rails, for things that it is very strong at. All the front end stuff that it does very well. […] our plan for the long run is to move more and more of our architecture into Scala. The vast majority of our traffic is API requests, and we want most of those to be served by Scala, either at an edge cache layer or a web application layer. Hopefully by the end of 2009 the majority of users’ interactions with Twitter are going to be Scala-powered. ”

      Don’t know at which point they are now but it seems to me that the front end (that is, the HTML pages) will be served by Ruby on Rails for the time being.

      • Nikolay Kolev

        Twitter’s front end is very simple. Probably it has more JavaScript nowadays than Ruby code – it’s not a big effort to port it to Scala’s lift, for example, and standardize entirely on one technology.

        Now, on the funny side… Ruby is being developed in Japan and historically has been having issues with Unicode that is designed to solve problems with non-English locales.

  • New Gadgets | RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

    […] Original post by TechCrunchIT […]

  • Andrea Giammarchi

    I totally agree about “having a clear contact page for security issues” … but not only open source projects.
    For instance, I tried to contact both Microsoft and Ryanair ages ago for a serious security problem. No way to reach them, good stuff, huh? Dunno how many good guys there are here though, especially after negative responses like these.
    Good luck companies

    • Jonathan Cohen

      Ryanair would probably charge you $20 for the privilege of submitting a security report to them.

  • Ed

    It’s because we don’t have many real developers anymore. It’s all people cutting and pasting together snippets of code and building sites on top of frameworks they don’t understand.

    Why would a large traffic site like Twitter ever use a framework? The functionality of their site is so limited that they could hand-code the entire back-end of that site in a matter of days or weeks.

    The same applies to websites that simply keep dropping in huge bits of javascript everywhere to perform simple functions.

    • Steve

      A framework makes development a heck of a lot easier, and saves an incredible amount of time.

      Thousands of people use off-the-shelf identikit WordPress installs and no one ever complains, yet someone goes off on their own to code their own site+application using a base framework that merely undertakes the most menial of tasks, and you complain that they’re not “real developers”.
      Why reinvent the wheel?

      I also *highly* doubt that a single developer or small development team would be able to code something more secure than RoR first time (unless they were actively focusing on the security issue).
      Every platform has security issues, we can only ever delay hackers, never stop them.

      • Nik Cubrilovic

        it’s about understanding the framework and what it does – not read howto + copy + paste

      • Rob Knight

        It’s still a bad argument. Developers always have to assume that the code they’re building on top of is secure. RoR is just one layer in a stack that includes Rails, a web server, a database server, the Linux OS and possibly all kinds of other software/hardware for load balancing, caching, proxying and so on. Yet nobody would suggest that it’s wrong to run a web app on Linux unless you understand exactly how it works. In fact, we generally measure technical progress by the number of things a person can do without having to understand exactly how they work.

        RoR is widely adopted, both commercially and non-commercially, tested by many people in many circumstances, and provides security comparable with any other web framework, and substantially more security than the default ‘no framework’ option. It has flaws, just like the rest of the stack will have flaws, but fixing them is the responsibility of whoever maintains that level of the stack, not the people who use it.

  • Calin

    Nice touch with the Reservoir Dogs image :)

    • Nik Cubrilovic

      “you’re gonna be ok!” :)

  • Jeremy Kemper

    We screwed up. Application security is not a customer support issue. See for my full response to Brian.

  • Bob Gregory

    If your database won’t accept UTF-8 then you’re in for a world of pain when you come to internationalise your app anyway. I can’t see why that’s a good thing.

    We recently spent a couple of weeks finding and killing XSS bugs in our code-base; next up is XSRF, which is even more of a killer. I’m not sure that XSS is a responsibility of a framework.

    PS. @Ed – you’re absurd. If you can write a scalable real-time many-to-many messaging service in a matter of days, I’ll give you a biscuit.

    • Nik Cubrilovic

      there are some frameworks that will give you a set of functions where you can allow certain classes of input (eg. A-Za-z0-9, all alpha-num plus some punctuation, some html tags etc.) these can come in handy. key is everything off by default and then whitelist. i have a list of regexps here i should post at some point – been using it for years.

      • Pete Austin

        People don’t only use Western European languages.

  • Paolo

    Nik, thanks for the info. I just patched a server of mine waiting for the official release.

  • Peter Smith

    not sure why Twitter gets off the hook. they took days to respond. didn’t respond. and then only responded when a security employee was contacted directly. is that supposed to inspire confidence?

    • marcus

      Yes, classic case of ‘who you know’. Ping a guy you know on the security team at Twitter = response. Put in a support ticket like any other person = crickets.

  • RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence

    […] By Techcrunch […]

  • itsnotvalid

    It is so true that white-listing is the real correct way of handling tainted data. Block everything, then open up things that get needed. Even if it would become too clumsy, it is just what developers have to live with.
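The “everything off by default, then whitelist” approach that Nik Cubrilovic describes above (named input classes such as A-Za-z0-9 or alphanumerics plus some punctuation) and that itsnotvalid endorses in this comment, written out as a small Ruby example. This is illustrative code added here for this page; it is not the Rails form helper, not Nik’s regexp list, and not any commenter’s or project’s own code. The class names (`alnum`, `alnum_punct`, `unicode_text`), the helper functions and the sample form fields are all constructed for the example. It also goes a little beyond the comments: the `unicode_text` class uses Unicode property classes so that non-Latin names pass (Pete Austin’s objection above), malformed UTF-8 is rejected before any regex sees it (the “weird UTF8 characters” discussed earlier in the thread), and output is still HTML-escaped at render time, because validation narrows the attack surface but escaping is what actually prevents XSS in HTML.

```ruby
# Added example (not from the page): allowlist validation of untrusted
# form input in Ruby, plus output escaping at render time.
require 'cgi'

# Named input classes, each an allowlist anchored with \A and \z.
# In Ruby, ^ and $ match at *line* boundaries, so /^[a-z]+$/ would accept
# "abc\n<script>" because its first line matches; \A and \z anchor to the
# whole string.
INPUT_CLASSES = {
  alnum:        /\A[A-Za-z0-9]+\z/,
  alnum_punct:  /\A[A-Za-z0-9 .,!?'"():;-]+\z/,
  # Letters, combining marks and digits from any script, so "José" or
  # "日本語" pass while markup characters still do not.
  unicode_text: /\A[\p{L}\p{M}\p{N} .,!?'"():;-]+\z/
}.freeze

# True only if the value is a well-formed UTF-8 string and every character
# is in the named class. Malformed byte sequences are rejected outright;
# matching a regex against such a string would raise ArgumentError.
def allowed?(value, klass)
  return false unless value.is_a?(String) && value.valid_encoding?

  INPUT_CLASSES.fetch(klass).match?(value)
end

# Validate a hash of submitted fields against a field => class schema.
# Fields not in the schema, and fields that fail their class, are dropped:
# nothing passes unless it was explicitly allowed.
def validate_fields(params, schema)
  schema.each_with_object({}) do |(field, klass), out|
    value = params[field.to_s]
    out[field] = value if allowed?(value, klass)
  end
end

# Escape at render time regardless of what validation did upstream.
def render_comment(text)
  "<p>#{CGI.escapeHTML(text)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample submission: one valid name, one handle with a space,
  # one multi-line field carrying markup, one field not in the schema.
  sample = {
    'name'   => 'José Valim',
    'handle' => 'j valim',
    'bio'    => "ok\n<script>alert(1)</script>",
    'extra'  => 'ignored'
  }
  p validate_fields(sample, name: :unicode_text, handle: :alnum, bio: :alnum_punct)
  puts render_comment('<b>hi</b>')
end
```

The schema is the allowlist: a field that is not listed never reaches the application, and a listed field only survives if its whole value (not just its first line) fits the named class. Keep the escaping step even when every field validated, since a value such as `O'Brien` is legitimate text and still needs encoding before it is placed in HTML.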

  • Saravanan

    and this vulnerability did not affect IE 8 thanks to its built-in XSS filter says Arstechnica

  • oops

    almost as buggy as Omnidrive!

  • pffft

    I wonder why I never had these problems… Oh that’s right. I use java

  • Elton

    Some more insight into Twitter’s architecture.

    John Adams, “Fixing Twitter: Improving the Performance and Scalability…”

  • WHAZUP – iPhone MMS, Android Market, Opera 10, Snow Leopard, Wetoku

    […] Ruby On Rails XSS Vulnerability discovered Brian Masterbrook discovered a vulnerability on the uber-famous Ruby On Rails framework. The vulnerability impacted Twitter, Basecamp and the many applications written using Ruby On Rails. […]

  • Basecamp Review

    As a ruby developer and user of both Twitter and basecamp I appreciate you bringing this to our attention.

  • Week 36 in Review – 2009 | Infosec Events

    […] RubyOnRails XSS Vulnerability Claims Twitter, Basecamp And My Confidence – Today came news that an XSS vulnerability had been found in the RubyOnRails development framework. […]

  • If Web 2.0, then IT Security 2.0 « ::: Smart Oze Blog :::

    […] case we need some examples of the bad news, just in the last few days see here, here, here, and […]

