trouble installing psycopg2 on OSX?

I had some trouble with a new virtualenv — psycopg2 wouldn’t install.

I remembered going through this before, but couldn’t find my notes. I ended up fixing it before finding my notes (which point to this StackOverflow question), but I want to share this with others.

psycopg2 was showing compilation errors related to the PostgreSQL client library:

> ld: warning: in /Library/PostgreSQL/8.4.5/lib/libpq.dylib, missing required architecture x86_64 in file

so I checked how that library was built:

$ file /Library/PostgreSQL/8.4.5/lib/

> /Library/PostgreSQL/8.4.5/lib/libpq.dylib: Mach-O universal binary with 2 architectures
> /Library/PostgreSQL/8.4.5/lib/libpq.dylib (for architecture ppc): Mach-O dynamically linked shared library
> /Library/PostgreSQL/8.4.5/lib/libpq.dylib (for architecture i386): Mach-O dynamically linked shared library i386

Crap. It’s built for ppc and i386 only; there is no x86_64 slice. The fix is easy, right? We just need to export ARCHFLAGS and build.

$ export ARCHFLAGS="-arch i386"
$ pip install --upgrade psycopg2

That works perfect, right?


> File “/environments/example-2.7.5/lib/python2.7/site-packages/psycopg2/”, line 50, in
> from psycopg2._psycopg import BINARY, NUMBER, STRING, DATETIME, ROWID
> ImportError: dlopen(/environments/example-2.7.5/lib/python2.7/site-packages/psycopg2/, 2): no suitable image found. Did find:
> /environments/example-2.7.5/lib/python2.7/site-packages/psycopg2/ mach-o, but wrong architecture

I was dumbfounded for a few seconds, then I realized: the extension was now built i386 to match libpq, but the virtualenv’s Python runs as x86_64, and a 64-bit process cannot dlopen a 32-bit .so. I only had the 32-bit library.
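What `file` and the dlopen error are both reporting is the set of CPU slices in a Mach-O image. As an added example that is not part of the original post, here is a small Python check that reads that directly from the fat header, so a script can tell in advance whether a library has a slice for the architecture the interpreter runs as. The sample headers are constructed inside the script (a ppc/i386 fat library like the prebuilt libpq.dylib above, and an x86_64-only thin binary); the CPU type constants are the ones from Apple’s mach/machine.h.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                 # universal binary; fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32-/64-bit Mach-O, host-endian
CPU_ARCH_ABI64 = 0x01000000
CPU_NAMES = {
    7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
    18: "ppc", 18 | CPU_ARCH_ABI64: "ppc64",
    12: "arm", 12 | CPU_ARCH_ABI64: "arm64",
}
FAT_ARCH_SIZE = 20                     # cputype, cpusubtype, offset, size, align (uint32 each)


def mach_o_archs(data):
    """Return the architecture names found in a fat or thin Mach-O image.

    Only the headers are read, so the first few KB of a file is enough input.
    """
    if len(data) < 8:
        raise ValueError("too short to be Mach-O")
    magic_be, = struct.unpack(">I", data[:4])
    magic_le, = struct.unpack("<I", data[:4])
    if magic_be == FAT_MAGIC:
        nfat, = struct.unpack(">I", data[4:8])
        # 0xCAFEBABE is also the Java class-file magic; like `file`, rely on a
        # real fat header having a small slice count.
        if nfat == 0 or nfat > 64 or len(data) < 8 + FAT_ARCH_SIZE * nfat:
            raise ValueError("not a usable fat Mach-O header")
        archs = []
        for i in range(nfat):
            off = 8 + FAT_ARCH_SIZE * i
            cputype, = struct.unpack(">i", data[off:off + 4])
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    for magic, endian in ((magic_le, "<"), (magic_be, ">")):
        if magic in (MH_MAGIC, MH_MAGIC_64):
            cputype, = struct.unpack(endian + "i", data[4:8])
            return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O file")


def can_load(data, running_arch):
    """Would a process running as `running_arch` be able to dlopen this image?"""
    return running_arch in mach_o_archs(data)


# --- constructed samples (headers only, no real code slices) ------------------
def fat_header(cputypes):
    out = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, cputype in enumerate(cputypes):
        out += struct.pack(">iiIII", cputype, 0, 4096 * (i + 1), 1024, 12)
    return out


def thin_header(cputype, is_64):
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    magic = MH_MAGIC_64 if is_64 else MH_MAGIC
    return struct.pack("<IiiIIII", magic, cputype, 3, 2, 0, 0, 0)


LIBPQ_PPC_I386 = fat_header([18, 7])                   # like the prebuilt libpq.dylib
PYTHON_X86_64 = thin_header(7 | CPU_ARCH_ABI64, True)  # like a 64-bit-only interpreter

if __name__ == "__main__":
    print("libpq slices:", mach_o_archs(LIBPQ_PPC_I386))
    print("python slices:", mach_o_archs(PYTHON_X86_64))
    print("x86_64 python can load libpq:", can_load(LIBPQ_PPC_I386, "x86_64"))
    print("i386 python can load libpq:", can_load(LIBPQ_PPC_I386, "i386"))
```

To check a real file, pass it the first few kilobytes: `mach_o_archs(open(path, "rb").read(4096))`. The slice the running interpreter is using is given by its pointer size, `struct.calcsize("P") * 8` (64 means x86_64 on an Intel Mac of that era), which is the value to hand to `can_load`.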

the right fix? Rebuild PostgreSQL to support 64bit.

My PostgreSQL was a prebuilt package, and I don’t have time to fix that, so I need to do a few hacky/janky things.

basically, we’re going to force Python to run as i386 (and not 64-bit)

go to our virtualenv…

cd /environments/example-2.7.5/bin

back it up

cp python python-original

strip it…

# note that the last argument is the input file; -output names the file lipo writes
lipo -thin i386 -output python-i386 python

replace it

rm python
mv python-i386 python

now install psycopg2

export ARCHFLAGS="-arch i386"
pip install --upgrade psycopg2

yay this works!

now get some work done and save some time so you can build a 64-bit PostgreSQL

On Advertising and the Boston Marathon Tragedy

I like to read recaps of late-night talk show monologues. Craig Ferguson’s really resonated with me ( paraphrased: I’m sick of this shit ).

Then I clicked to this HuffingtonPost article for a recap of Conan O’Brien. It infuriated me.

As I start reading a recap of Conan O’Brien’s monologue, all of a sudden there’s audio coming out of my computer of an incredibly annoying woman talking. WTF?

I’m not watching a video. There’s no ad on the screen. I keep scrolling down several page heights.

And there it is… the Huffington Post has pre-roll video commercials running auto-play as pre-roll to a gallery after the article — more than 2050 pixels down the screen.

This is shitty beyond belief.

* The obvious issue is that I’m hearing an incredibly annoying ad for Dannon yogurt while reading a story about a terrible tragedy. This is not a great moment in content adjacency — this is quite horrible.
* Add the fact that it’s a hidden ad that just started playing , without me triggering anything — and it’s quite offensive.
* This is as horrible a “media buy” as one could imagine.
** Long Pre-Roll ads aren’t a good ad unit. 30 seconds without the ability to skip out is really bad and makes the brand look bad to users.
** Pre-Roll is supposed to be a “premium” ad unit. Selling a premium unit to client — but then delivering it as both an autoplay ad AND on an *incredibly* off screen page element — cheapens the unit beyond worth. This is an antagonistic unit to both the brand and consumer. As a consumer, I had to hunt to look for an ad on the page. As a brand, I pay for impressions and views. AOL/HuffingtonPost created an advertising product that effectively hid the ad unit on screen, keeping people from turning it off — or even actually viewing the ad unit.

Stuff like this doesn’t happen by accident. Having worked in advertising and publishing, some scenarios are the more likely reasons:

* AOL/HuffingtonPost was incredibly shady, and started pumping “premium” ad sales into non-premium units in order to fulfill an inventory order or take advantage of traffic spikes.
* AOL/HuffingtonPost purposefully sold a sub-standard unit to Dannon’s media buying agency, claiming it’s premium inventory.
* AOL/HuffingtonPost and Dannon’s media buying agency colluded to divert a portion of their spend of “premium units” into non-premium units like these.

The least likely scenarios ?

* Dannon’s media buying agency wanted to buy units like this, because they thought it was a great investment for their client.

* This is all just a mistake, and AOL/HuffingtonPost is not greedy or doing anything shady – their technology and advertising teams are just grossly inept.

If I had to choose only one option, I’d guess that AOL/HuffingtonPost is trying to earn extra revenue by hiding “premium” videos on traffic spike ( Boston tragedy related ) pages. Welcome to the wonderful world of online publishing.

I feel sorry for Dannon and am really disgusted by AOL/HuffingtonPost. I can’t seem to figure out who buys digital inventory for Dannon; Havas’ MPG unit ( now Havas ) handled TV media for Dannon as far back as December, but there doesn’t seem to be any mention about online buying.

Attached, a stitched screen…

The blue line is approximately 2050 pixels down the screen; the ad unit is the “embedded gallery” directly below it. The average browser window height right now is around 750 pixels, making that ad unit appear on the 4th page.

Possible Security Exploit in Domain Transfers

I’ve been transferring my domains over to after & both turned out to be run by complete assholes. ( reference [ is doing some really sketchy stuff]( )

During the Dreamhost transfer process, I noticed an odd behavior and brought it up with their Customer Support team. After numerous back & forths, they don’t seem to understand the issue I’ve brought up. Perhaps you will…

When you receive a confirmation request from Dreamhost at the ‘outbound’ registrar’s email address, you’ll read this message:

Re: Transfer of

New Dream Network, LLC (dba has received a request from

jonathan vanasco

via our web administration panel on 2013-03-18 for us to become the new
registrar of record.

You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.

Please read the following important information about transferring
your domain name:

* You must agree to enter into a new Registration Agreement with
us. You can review the full terms and conditions of the Agreement at

* Once you have entered into the Agreement, the transfer will take
place within five (5) calendar days unless the current registrar of
record denies the request.

* Once a transfer takes place, you will not be able to transfer to
another registrar for 60 days, apart from a transfer back to the
original registrar, in cases where both registrars so agree or where a
decision in the dispute resolution process so directs.

If you WISH TO PROCEED with the transfer, you must respond to this
message via one of the following methods (note if you do not respond
by 2014-03-18, will not be transferred to us.).

* please go to our website,

to confirm.

If you DO NOT WANT the transfer to proceed, then don’t respond to this

If you have any questions about this process, please contact

You might have noted that the text of that email just says “Do you want to approve this transfer from GoDaddy to Dreamhost?”. It doesn’t say which Dreamhost account initiated the request. It doesn’t give a “Transaction ID” that would link the request I made when starting this transfer to this confirmation request.

The webpage you click through to is equally cryptic:


Re: Transfer of

New Dream Network, LLC (dba has received a
request on 2013-03-18 08:37:23 for us to become
the new registrar of record.

You have received this message because you are listed as the
Registered Name Holder or Administrative contact for this domain name
in the WHOIS database.

Please read the following important information about transferring
your domain name:

  • You must agree to enter into a new Registration Agreement with
    us. You can review the full terms and conditions of the Agreement at

  • Once you have entered into the Agreement, the transfer will take
    place within five (5) calendar days unless the current registrar of
    record denies the request.

  • Once a transfer takes place, you will not be able to transfer to
    another registrar for 60 days, apart from a transfer back to the
    original registrar, in cases where both registrars so agree or where a
    decision in the dispute resolution process so directs.

If you WISH TO PROCEED with the transfer, please click “Approve”
below. (Note if you do not respond by 2014-03-18, will
not be transferred to us.)

If you DO NOT WANT the transfer to proceed, then ignore this page, or click “Deny” above.

If you have any questions about this process, please contact

Both the email and the webpage do carry a “SOME_BIG_NUMBER”: a transaction ID that appears in the email as a query string and on the HTML page as a hidden form value. But it is something I never saw during my transfer initiation, so there is nothing on my side to compare it against.

Perhaps I’ve become a bit too security-minded in my age, but this scenario really jumps out at me: if someone knew that I was likely to transfer a domain to Dreamhost (which is something more than a few people have tweeted about), another party could conceivably initiate a transfer of a domain at the same time, and I would have no idea which request I was approving. Granted, one would need to get the Registrar Authorization Code in order to initiate a domain transfer, but there are plenty of stories online involving email hacking, password guessing, and registrar manipulation to get that done. While the email does state my name, if I wanted to trick someone into giving up their domain, I could just use their public whois data (or their twitter info) to have that seemingly populated.

An exploit like this is admittedly an edge case, but it’s possible, and there’s such a silly little fix for this sort of situation: give the transaction a unique ID (which it probably already has), and make that ID visible both to the account requesting a transfer and to the one approving it.

Do you wish to approve the transfer DomainXYZ from GoDaddy to Dreamhost ?

Could so easily be…

Do you wish to approve the transfer DomainXYZ from GoDaddy to Dreamhost, with the TransactionID 12345 ?
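What that would take on the registrar side is small. The following is an added example, not Dreamhost’s code and not something the post describes them doing: a hypothetical registrar-side record of pending inbound transfers, in which the transaction id is handed to the requester at initiation, repeated in the confirmation text, and bound into an HMAC token in the approval link, so the approver can compare the id in the confirmation against the one they were shown. The key, the approval URL and the requester names are constructed for the example. The scenario it walks through is the one above: two pending requests for the same domain, both carrying the same public whois name, where only the id tells them apart.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a registrar-side secret; this one is a constructed placeholder.
SECRET = b"constructed-demo-key-not-a-real-secret"
APPROVAL_URL = "https://registrar.example/transfer/approve"   # hypothetical endpoint


class TransferDesk:
    """Hypothetical bookkeeping for inbound transfer requests at the gaining registrar."""

    def __init__(self, secret=SECRET, ttl=5 * 86400):
        self.secret, self.ttl, self.requests = secret, ttl, {}

    def initiate(self, domain, requester, losing_registrar, now=None):
        """Called when the gaining account submits the auth code.
        Returns the transaction id, which is shown to the requester immediately."""
        txn = secrets.token_hex(8)
        self.requests[txn] = {"domain": domain, "requester": requester,
                              "from": losing_registrar, "state": "pending",
                              "expires": int(now or time.time()) + self.ttl}
        return txn

    def _token(self, txn):
        # The token commits to everything the approver is agreeing to, not just the id.
        r = self.requests[txn]
        msg = "|".join([txn, r["domain"], r["requester"], r["from"], str(r["expires"])])
        return hmac.new(self.secret, msg.encode(), hashlib.sha256).hexdigest()

    def confirmation(self, txn):
        """The email/page the admin contact sees: the id is in the text, not only in the link."""
        r = self.requests[txn]
        text = ("Do you wish to approve the transfer of %s from %s to us, requested by %s, "
                "transaction id %s?" % (r["domain"], r["from"], r["requester"], txn))
        link = "%s?txn=%s&token=%s" % (APPROVAL_URL, txn, self._token(txn))
        return text, link

    def approve(self, txn, token, txn_seen_at_initiation, now=None):
        """The approver types in the id they were shown when they started the transfer."""
        r = self.requests.get(txn)
        if r is None or r["state"] != "pending":
            return "unknown or already decided"
        if (now or time.time()) > r["expires"]:
            return "expired"
        if not hmac.compare_digest(token.encode(), self._token(txn).encode()):
            return "bad token"
        if not hmac.compare_digest(txn.encode(), txn_seen_at_initiation.strip().lower().encode()):
            r["state"] = "denied"          # someone else's request reached this contact
            return "denied: id does not match the request you started"
        r["state"] = "approved"
        return "approved"


def walkthrough():
    """Two pending requests for one domain, both under the same public whois name."""
    desk = TransferDesk()
    t0 = 1_363_600_000                                  # fixed clock for reproducibility
    mine = desk.initiate("example.org", "jonathan vanasco", "GoDaddy", now=t0)
    rogue = desk.initiate("example.org", "jonathan vanasco", "GoDaddy", now=t0)
    late = desk.initiate("example.net", "jonathan vanasco", "GoDaddy", now=t0)
    results = {}
    _, rogue_link = desk.confirmation(rogue)
    rogue_token = rogue_link.split("token=")[1]
    # A tampered link fails before anything else is looked at.
    results["forged"] = desk.approve(rogue, "0" * 64, mine, now=t0 + 3600)
    # The rogue confirmation arrives first; the id it carries is not the one I was shown.
    results["rogue"] = desk.approve(rogue, rogue_token, mine, now=t0 + 3600)
    _, my_link = desk.confirmation(mine)
    my_token = my_link.split("token=")[1]
    results["mine"] = desk.approve(mine, my_token, mine, now=t0 + 3600)
    results["replay"] = desk.approve(mine, my_token, mine, now=t0 + 3600)
    _, late_link = desk.confirmation(late)
    results["late"] = desk.approve(late, late_link.split("token=")[1], late, now=t0 + 6 * 86400)
    return results


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print("%-7s %s" % (case, outcome))
```

The point of asking the approver to enter the id rather than only clicking the link is that the link proves the request came from the registrar, while the id proves it is the request the approver actually started; the email alone can establish only the first.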

SoundCloud and Responsive Design

I noticed something interesting while resizing a browser window – there is (at least) a three phase responsive layout.

Phase 1 – Any windows under ~800px wide are a single column. Cross that threshold and…

Phase 2 – A second column pops up on the right. If you make the window a bit wider…

Phase 3 – The artwork on the lefthand column enlarges.

The Phase 3 shift is the most interesting to me. I don’t think I’ve seen something like that in responsive layouts before.

An Open Letter to


Yesterday I noticed, via a typo, that your name servers are performing a “DNS Hijack” on all Third-Level domain queries. If an exact Third-Level domain is not configured, instead of responding with an NXDOMAIN (non-existent domain) status, your servers direct users to a “domain parking page” which you fully control and monetize.

After blogging about your practice of [Hijacking DNS for failed queries yesterday]( ), I learned that you have been doing this for years, and have frustrated countless bloggers and consumers on sites such as “Get Satisfaction”. Thanks to it trending on [HackerNews]( ), I also learned that many other internet professionals have been subject to your antics over the years ([even 2 years ago on HackerNews]( )).

You’ve defended this practice multiple times as being enabled by your registration services agreement:

* [](
* [](

And in your own words you state:

> It is standard practice in the registrar world, and it is spelled out in our TOS.

I have some news for you: this is not standard for a registrar at all. And when I read your TOS more closely, it seems to run completely afoul of your TOS too.

Let me be clear about this : Your DNS Hijacking is beyond being sketchy and wrong — it is illegal and not covered by your Terms of Service justifications.

Section 21 of your Terms of Service states:

>21. Parked domain service

>All domain names registered via will automatically be provided a Parked Domain Service. All domains will default to our name servers unless and until you modify your default settings. At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name.

>Domain names using our Parked Domain Service may display a placeholder page for your future website. These placeholder pages may include contextual and/or other advertisements for products or services. will collect and retain any and all revenue acquired from these advertisements, and you will have no right to any information or funds generated via the Parked Domain Service.

>You agree that we may display our logo and links to our website(s) on pages using the Parked Domain Service.

> will make no effort to edit, control, monitor, or restrict the content displayed by the Parked Page Service. Any advertising displayed on your parked page may be based on the content of your domain name and may include advertisements of you and/or your competitors. It is your responsibility to ensure that all content placed on the parked page conforms to all local, state, federal, and international laws and regulations.

>It is your obligation to ensure that no third party intellectual or proprietary rights are being violated or infringed due to the content placed on your parked page. Neither nor our advertising partners will be liable to you for any criminal or civil sanctions imposed as a direct or indirect result of the content or links (or the content of the websites to which the links resolve) displayed on your parked pages.

>As further set forth above, you agree to indemnify and hold and its affiliated parties harmless for any harm or damages arising from your use of the Parked Domain Service.

Let’s focus on what has happened in the context of the first two paragraphs of Section 21 ( and ignore the egregious and abusive language on the rest of the clause , which you should be totally ashamed of) :

* I registered my domain with
* I updated my DNS record entries with
* You continued to serve “parked pages” and monetize DNS failures

Upon configuring DNS services for my domain by modifying the default settings despite remaining with, I effectively and legally opted-out of your Parked Domain service for that domain. I literally “unparked” the domain when establishing specific DNS records. Additionally, while my “Domain Name” specifically fell under the “Parked Domain Service” terms which your lawyers explicitly crafted , the third-level domain names which you are monetizing against do not.

There are no items in your Terms Of Service that state:

* DNS failures will be treated as a parked page and/or monetized
* Third-level domain names will be monetized ( your lawyer specifically identified the “domain names” registered , not the subdomains which fall under the aforementioned domain’s registration )
* Users of for DNS services will also be covered by a Parked Domain policy

I’d also note that there is no place in your administration console that notifies users that their unspecified third-level domains fall under a “parked domain” monetization scheme, or that (according to your blog instructions) a “*” wildcard entry must be created to disable these monetization pages. And to speak for a moment from a technical standpoint: aside from breaking the RFC describing how DNS should work, your system is completely unable to deliver an NXDOMAIN status code. Pointing a wildcard entry at a specific address or TXT record is not the same thing as saying “I don’t exist”.

Technically, Legally, and Ethically you are completely in the wrong.

At this point, you’ve lost me as a customer. There’s nothing you can say or do — I don’t have enough time in my day for bullshit like this. I’m in the process of finding a new registrar and I would never consider using you again. Your actions and defenses are beyond redeemable. They are underhanded and downright sleazy.

I’m writing you to strongly suggest that you to “Do the right thing” for all your remaining customers – and yourself – and stop this practice immediately. By immediately, I mean “you should really call in your CTO and VP Engineering as you read this , and have turn things off before they go home tonight”.

Your underhanded scheme to generate revenue compromises the security and privacy of every domain under your DNS services. Unless a user knows the bizarre trick to disable your “Domain Parking” pages, their website is vulnerable to XSS (Cross Site Scripting) attacks through your monetization partners. Additionally, unless a consumer’s cookie was locked down to a single Fully Qualified Domain Name, those cookies would be sent to your business partners as well. (I’d also add that while suggests you operate these services yourselves, yesterday the domains were displaying logos for )
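The cookie half of that is a matter of RFC 6265 domain matching, and it is worth seeing exactly which cookies cross over to a parked host. The following is an added example, not part of the letter: a minimal Set-Cookie parser and the browser-side send decision, run against constructed headers for a hypothetical site, shorturl.example, whose mistyped subdomain is answered by the registrar’s wildcard. It omits the public-suffix check a real browser also performs.

```python
def canonical_host(host):
    return host.strip().lower().rstrip(".")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: equal, or the request host ends with '.' + cookie domain."""
    request_host, cookie_domain = canonical_host(request_host), canonical_host(cookie_domain)
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header, response_host):
    """Minimal Set-Cookie parser: name, value, effective domain, host-only flag.
    (No public-suffix list check here; a real browser also rejects Domain=com.)"""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": canonical_host(response_host), "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            wanted = canonical_host(val.lstrip("."))
            # A server may only scope a cookie to a domain that covers itself.
            if domain_matches(response_host, wanted):
                cookie["domain"], cookie["host_only"] = wanted, False
    return cookie


def cookie_sent_to(cookie, request_host):
    """Would a browser attach this cookie to a request for request_host?"""
    host = canonical_host(request_host)
    if cookie["host_only"]:
        return host == cookie["domain"]
    return domain_matches(host, cookie["domain"])


# Constructed headers for the hypothetical site; the typo host is one the
# registrar's wildcard answers for, so its content comes from the parking partner.
TYPO_HOST = "wwww.shorturl.example"
DOMAIN_COOKIE = parse_set_cookie(
    "session=abc123; Domain=.shorturl.example; Path=/; Secure; HttpOnly",
    "www.shorturl.example")
HOST_ONLY_COOKIE = parse_set_cookie(
    "session=abc123; Path=/; Secure; HttpOnly",
    "www.shorturl.example")


def walkthrough():
    return {
        "domain cookie to typo host": cookie_sent_to(DOMAIN_COOKIE, TYPO_HOST),
        "host-only cookie to typo host": cookie_sent_to(HOST_ONLY_COOKIE, TYPO_HOST),
        "host-only cookie to its own host": cookie_sent_to(HOST_ONLY_COOKIE, "www.shorturl.example"),
        "domain cookie to look-alike": cookie_sent_to(DOMAIN_COOKIE, "evilshorturl.example"),
    }


if __name__ == "__main__":
    for case, sent in walkthrough().items():
        print("%-35s %s" % (case, "sent" if sent else "not sent"))
```

`Secure` and `HttpOnly` do not change the decision; only the scope does. A cookie set without a `Domain` attribute is host-only and never reaches the parked name, which is the “locked down to a single Fully Qualified Domain Name” case the letter refers to.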

If you’re not familiar with DNS Hijacking or all the risks that you’ve put your customers at, I suggest you start reading this [WikiPedia entry on DNS Hijacking](

Aside from the various privacy concerns this raises, or the laws this breaks in specific jurisdictions, as these “Parked Pages” occur from DNS failures on domains configured via your systems, the indemnifications and blame shifting available under Clause 21 would likely not be applicable and you would be fully liable. I’m not a lawyer, but having dealt with numerous contracts and negotiations on behalf of technology companies, I really can’t imagine any lawyer, judge or jury agreeing that the near-infinite number of “Third Level Domains” (or 4th, 5th, etc) for an explicitly configured “Second Level Domain” fall within the terms of your Domain Parking language, or that any of your claimed rights exist after a DNS entry has been updated.

I’d also note that, until this deceptive and underhanded practice is stopped, every new client signing up for your service is a candidate for a potential class action lawsuit. Your greedy and indefensible attempt at generating negligible revenue has put the security of countless internet users at risk, in addition to exposing your own customers to serious security and legal complications.

Jonathan Vanasco

Attention: Customers,

If you use for DNS services , [a comment on Hacker News by Machrider]( ) suggests a very effective way to quickly address your situation

Quoted below:
> My workaround for this was to add a TXT record for * that just returns a string like “Unused”. This seems to stop them from hijacking any subdomains, and it’s not an A record so undefined subdomain names do not resolve, just like if you had not defined them in the first place.
> (Workaround shouldn’t be necessary of course, but this kind of bullshit is par for the course with cheap hosting companies.)

Stop Patent Trolls, but Oppose the SHIELD act.

In the wake of patent trolling against some Podcasting companies, several House members have devised the SHIELD act to protect people from Patent Trolls.

This is a horrible, terrible bill. I am firmly against it.

If you read the actual bill, it legislates the scenario where a non-original inventor must post a bond covering full court costs in order to litigate a patent claim.

The costs of serious Patent litigation ( not a trolling one ) where it is proven that one party violated another’s patents , averages $3-5 million dollars. Under this law, if an independent inventor wants to sell their invention ( I’m not sure what would happen if a company is acquired ), that invention is no longer covered by the clause and effectively tremendously devalued — requiring bonds that are potentially millions of dollars to be posted if litigation were ever to happen.

The free market effects of this are obvious – it creates an economy where independent inventors have a tremendously reduced ability to sell their innovations , and secondary patent holders can be infringed upon with almost guaranteed impunity.

* Who wants to buy a Patent if you need at least 5 Million dollars to defend it ?
* Why respect a patent if you know the rightsholder won’t be able to raise enough money to sue ?

On top of all this, some of the most notorious Patent Trolls are totally immune from this law. Many of these companies set up co-owned trusts/business entities or licensing schemes where there is joint ownership of the IP Rights with the inventor — enabling them protections under the “original inventor” clause of this bill.

This law does little but ensure that patent litigation can only happen between a David and Goliath, precludes small/medium businesses from exerting patent protections, and seriously undermines the incentive for independent entities or small businesses to support innovation.

It is horribly misguided.

If you want to directly fix the situation, address 35 U.S.C. § 285 : “court in exceptional cases may award reasonable attorney fees to the prevailing party.” Tone down “exceptional” and attorney fees can be awarded when appropriate. Create a USPTO review and recertification process for (oft?) litigated patents. Create a variety of means to directly address the issue of Patent Trolling , without damaging inventors.

Stopping Patent Trolls can – and should – be done… but this law is an attack on individual inventors and the incentive to innovate / fund research & development.

is doing some really sketchy stuff

A lot of people read this and say “I read the Terms Of Service, and it says in shady language they can do that.” I read it too — and I actually went through it carefully, line by line. The TOS does not permit 3LD DNS Hijacking. As I explain in this follow-up posting [An Open Letter to]( the TOS — in very clear terms — merely permits for 2nd Level “Parked Domains” as a default activity. In no way whatsoever does’s TOS suggest that they have the right to control 3rd Level domains if you use their DNS services.

Like many other people, I got frustrated with Aside from the founder being a jackass… there were endless upsells, constantly increasing prices, and a need to use crappy online ‘coupon’ sites whenever I renewed a domain. I decided to slowly move off them, and in the wake of their misguided SOPA/CISPA support I went with

I really regret that now. They seem to be jackasses too. They are hijacking DNS (aka squatting) for every unconfigured 3rd level domain under the domains registered through them.

I registered a few domains with for a new project. One of them is for shortened urls ``. The following illustrates why i’m pissed.

`` uses’s nameservers (DNS), pretty standard when you use a registrar. I configured my account on to direct a handful of `A records` to specific IP addresses – which is also pretty standard.

If I `whois` the domain, I see these nameservers :

>> Name Server:NS4JPZ.NAME.COM
>> Name Server:NS2NSW.NAME.COM
>> Name Server:NS1FKL.NAME.COM
>> Name Server:NS3GMV.NAME.COM

Great. Things appear to be working.

If I want to test my DNS records, I use another tool — `dig` — and I query their nameservers directly.

If I `dig @NS4JPZ.NAME.COM` , as expected, I get the DNS records that I’ve updated with Yay.

; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60866
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
; IN A
;; ANSWER SECTION:
 300 IN A
;; Query time: 43 msec
;; SERVER:
;; WHEN: Wed Feb 27 19:24:3

Now, this is where things get weird...

If I query a domain name that doesn't exist, I'm supposed to see a failure. The `status` above should read `NXDOMAIN`, and I'd get something like this when I `dig` a non-existent domain from Microsoft:

; <<>> DiG 9.6-ESV-R4-P3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64226
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
; IN A
;; AUTHORITY SECTION:
 3600 IN SOA 2013022601 300 600 2419200 3600
;; Query time: 521 msec
;; SERVER:
;; WHEN: Wed Feb 27 19:28:26 2013
;; MSG SIZE rcvd: 95

Now, if I `dig` a non-existent third-level domain against ``, here is what I see (`dig @NS4JPZ.NAME.COM`):

; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
; IN A
;; ANSWER SECTION:
 300 IN A
;; Query time: 226 msec
;; SERVER:
;; WHEN: Wed Feb 27 19:31:23 2013
;; MSG SIZE rcvd: 50

Instead of returning an `NXDOMAIN` status (non-existent domain), is returning a valid status and directing the user to the IP address of "" while still showing the domain name. That IP address displays a "parked domain", managed by and filled with a mix of advertising and search engine marketing, which one of those two parties ( or controls. I use the phrase "directing" because you are not redirected; the original URL still appears in the browser. is telling your computer that the IP address corresponds to the domain, and the Sedo site is serving the marketing material off of your domain.

Instead of saying "This domain doesn't exist" -- as expected -- has created a system where any wildcarded third-level domain name that fails a real DNS query is treated like a real domain... a real domain that I don't control, but instead they do , and are trying to monetize.

In fact, if you make a DNS query against ANY fully qualified domain name ( FQDN ) that is not entirely configured on, you are redirected to the same marketing sites. You can try querying any domain registered elsewhere -- they'll all point to as the configured ip address for that domain. As far as is concerned, there doesn't seem to be any such thing as a non-existant domain.
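The check the dig sessions above do by hand, query a name that cannot exist and see whether the answer is NXDOMAIN, NODATA or an address, is easy to automate. The following is an added example, not from this post or from the open letter above (which describes the same hijack): a minimal DNS wire-format builder and classifier in Python. It constructs three authoritative responses for a probe name under a hypothetical zone, shorturl.example, using the documentation address 192.0.2.1 in place of the parking IP, and classifies each. One caveat worth knowing about the wildcard TXT workaround quoted in the open letter: a `*` TXT record makes the server answer an A query with NOERROR and an empty answer section (NODATA), which browsers treat as unresolvable but which is still not NXDOMAIN, so the classifier reports the three cases separately.

```python
import secrets
import struct

A, SOA = 1, 6
NOERROR, NXDOMAIN = 0, 3


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, pos):
    """Advance past a possibly compressed owner name; return the new offset."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        pos += 1 + length


def build_response(qname, rcode, answers=(), authority=()):
    """Constructed authoritative response to an A query (records owned by qname)."""
    flags = 0x8500 | rcode               # QR, AA, RD set, like the dig output above
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack(">HH", A, 1)
    for rtype, rdata in list(answers) + list(authority):
        msg += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def classify(msg):
    """'NXDOMAIN', 'NODATA' or 'A <ip>' for the response to an A query."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode == NXDOMAIN:
        return "NXDOMAIN"
    if rcode != NOERROR:
        return "RCODE %d" % rcode
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4    # qtype + qclass
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, rclass, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == A and rclass == 1 and rdlen == 4:
            return "A %d.%d.%d.%d" % tuple(rdata)
    return "NODATA"                      # name exists (e.g. wildcard TXT) but has no address


def probe_name(zone):
    """A label nobody configured, so any address in the answer comes from a wildcard."""
    return secrets.token_hex(6) + "." + zone.rstrip(".") + "."


def verdict(msg, owner_ips=()):
    c = classify(msg)
    if c == "NXDOMAIN":
        return "clean: NXDOMAIN"
    if c == "NODATA":
        return "clean: NODATA (wildcard record without an address, e.g. the TXT workaround)"
    if c.startswith("A ") and c[2:] not in owner_ips:
        return "hijacked: unconfigured name resolves to " + c[2:]
    return "owner wildcard: " + c


# Constructed responses for one probe name under the hypothetical zone
QNAME = "k3f9a1b2c4d5.shorturl.example."
SOA_RDATA = (encode_name("ns1.shorturl.example.") + encode_name("hostmaster.shorturl.example.")
             + struct.pack(">IIIII", 2013022601, 300, 600, 2419200, 3600))
HONEST = build_response(QNAME, NXDOMAIN, authority=[(SOA, SOA_RDATA)])
HIJACKED = build_response(QNAME, NOERROR, answers=[(A, bytes([192, 0, 2, 1]))])
WORKAROUND = build_response(QNAME, NOERROR, authority=[(SOA, SOA_RDATA)])

if __name__ == "__main__":
    for label, msg in (("honest", HONEST), ("hijacked", HIJACKED), ("wildcard TXT", WORKAROUND)):
        print("%-13s %s" % (label, verdict(msg, owner_ips={"198.51.100.7"})))
```

Against a live zone, send `probe_name(zone)` to each authoritative server with any resolver library that exposes the raw response bytes and hand those bytes to `verdict`, passing the addresses you actually configured as `owner_ips`; a wildcard you set up yourself is reported as such rather than as a hijack.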

I am beyond mad:

- I didn't sign up for this.
- There is no way to opt out of this on any of their screens.
- This practice actively hurts the business and brands of domain owners by associating low-value content on third-level domains with the second-level domain.
- This has serious security implications in regards to Cross-Site Scripting and how cookies are locked down into a domain.
- This violates the IETF's RFC 2308 (Negative Caching of DNS Queries), which spells out how negative answers such as NXDOMAIN are supposed to work

I'm now looking to transfer these domain names elsewhere. I only found out about this, because of a typo.

I've put in a support request with to address this, I sure as hell don't trust them do the right thing - this is a dirty and backhanded practice that should not have existed in the first place.

As a quick addendum: this practice is called "DNS HiJacking". It's popular with a handful of ISPs who try to monetize DNS failures. I've never heard of a Registrar doing this before. You can read about it more here:


After looking on Bing and Google against "" + "dns hijack", it turns out this has been going on for a LONG time


and if you look on the GetSatisfaction site, it's filled with people complaining over the same thing :

Update 2 - reached out over twitter, and pointed to a blog posting defending this practice on technical grounds and that it's hidden in their TOS. I call bullshit. Hiding things in a TOS doesn't make it right, and there are no technical grounds to trying to generate revenue.

Update 3 -

Apologies if you had trouble reading this. WordPress Caching was not enabled, and my server failed.

What a Product Manager Is and Isn't, and Why You Should Probably Stop Trying to Hire One.

I’ve had a lot of people contact me over the past two years trying to recruit me for a Product Manager role or looking for referrals to qualified candidates. I have a solid network and am well respected in NY Technology, Advertising and Publishing circles, so I’m used to constant pings by Executives I’ve consulted with or recruiters I’ve worked with and am happy to help when I can.

I feel compelled to write a post because out of several dozen inquiries for positions titled with some variation of “Product Manager”, only one was actually involved with any sort of product management. The rest? Sigh…

There’s been a huge conflation of terms with regard to “product management” in the past few years and it seems to be over-represented in NYC area. This conflation really needs to stop. Now.

The role of a Product Manager has a bit of variation in its definition, but it’s usually something along the lines of “the person who is ultimately responsible for a product”. In a large organization, Product Managers are essentially divisional GMs or ‘micro-CEOs’; in smaller (and tech) organizations, they tend to be inter-disciplinary people who might report to a “head of product” or directly to the CEO.

Generally speaking: Product Managers are highly skilled and highly experienced professionals, often with extensive background across one or more areas, who are tasked with developing or fine-tuning what a ‘product’ should be to best achieve business goals.

Most “Product Managers” I’ve known can be categorized like this:

* Most have 10+ years of professional experience, with pretty impressive track records; rarely do they have less than 5 years experience;
* They either have advanced degrees like an MBA, MS, PhD or a work-based equivalent, i.e. a C/VP/D level employee who has done some stellar work;
* All are experts / authorities in at least one discipline — and can somewhat function in whatever roles they oversee/interact with, as they’ve quite a bit of experience working across them. They understand when the Engineers are slacking off or overworking, when the Marketers have a ridiculous request, and when the project managers are over/under promising.

Sometimes people have a strong technical background – but that’s not a requirement, it’s a bonus over their experience leading teams and deeply understanding the marketplace they’re working in.

To give some quick examples:

1. I was recently at eConsultancy’s Digital Cream NYC event, in a room full of 150 people who were mostly Chief Marketing Officers / VPs of Marketing. If I were a technology company in the advertising space or a publisher looking to sell innovative new ad solutions, I would want to recruit a Product Manager from the attendee list. This is rather simple – the person who could best manage my advertising product, would be an expert in advertising. Few (if any) people there had any coding experience whatsoever.

2. Several publications that I know of built out Editorial Product departments staffed with former Senior Editors and Operational Editors. What better way to deliver on editorial needs than by hiring a seasoned journalist ?

3. A friend literally wrote the book on a certain technology, and is often called in to advise on different implementations of it — addressing the costs to scale/iterate, user behaviors, implementations, etc. He tends to advise people in a very “product management” capacity.

4. When Facebook buys a startup, their executive staff tend to be acquired as Product Managers to own a section of the Facebook experience.

Some of the things a Product Manager typically does:

* Understand and manage the business goals: identify the best business opportunities , create and push products to address them.
* Understand the functionality and scope of the product: if it’s technology, they can code; if it’s a marketing product, they understand how and why advertising is bought.
* Understand the customers: make sure people will want to consume the product
* Make decisions and be qualified to make them: balance a mix of Strategic Decisions ( into markets or users ) and Operations ( costs to iterate – both financially and team morale )
* Manage the process : work with P&L sheets, quarterback the scope/design/build/deploy/sales process.
* other things I’m too tired to note. Product Managers are tasked with balancing the goals of the Organization against the needs of multiple types of Consumers and the people/resources to build them. It’s a lot of work, but it’s amazing fun for a lot of us.

The scores of “Product Manager” positions that are plentiful in NYC right now are nothing like my descriptions above – they tend to be a hybrid of skills belonging to a Digital Producer ( in the advertising world ) and a Project Manager ( in, well, any industry ). They are mostly what I consider entry level – with a max of 3 total years work experience, but often in the 1-2 range.

These positions tend to be highly administrative, require no expertise or inter-disciplinary skills, and don’t even have access to seeing budgets — much less managing them or trying to affect revenue operations. Sometimes they’ll include a bit of customer development work, but most often they don’t. These positions completely lack a “Strategy” component, tending to be either a very entry level position or a mislabeling for the most incredibly experienced and talented Project Manager you’ve ever met.

Almost always these roles become filled by someone who honestly shouldn’t have that job. One of my more favorite “Product Manager” interactions was with someone who had just assumed the new role as their second-ever job, with their first job being several years as a Customer Service representative. If the company provided Customer Service, it would have been a really good fit — but the company provided a very technical service, and their “Product Manager” was really functioning more like a mix of an “Account Manager” and “Digital Producer”, they were visibly out of their element and unable to understand the needs of their clients or the capabilities of their team.

This is really a dis-service to everyone involved.

* It makes potential employers look foolish to actual Product Managers, and gets them labeled as a company to avoid.
* It skips over a huge pool of extremely talented Digital Producers and Project Managers who would excel at these roles.
* It creates a generation of early-career professionals with the title of a Product Manager, but without the relevant experience or skills to back it up.

Because “Product Manager” is so often a role that an experienced professional transitions into, it’s not uncommon to see someone with 1-2 years of “Product Manager” in their title, but a resume that shows 3 years as a Vice President and 5 years as a Director at a previous employer. You might even see someone with 3 years of “Product Manager” as a title — but an additional 9 years of “Digital Producer” or “Project Manager” experience behind them as well. Plenty of professionals from the Production side transition into Product Management too, once they’re well versed in their respective industries.

Mindless recruiters ( and certain nameless conglomerates ) of NYC don’t understand this though. They just focus on buzz-words: if someone has been in “product” for 2 years, they target them as if they’ve only been a professional for that long. It’s all too common for the salary cap of a not-really-a-product-manager position to be 1/4 the targeted recruit’s current salary. The compensation package and role should be commensurate with the full scope of someone’s work — i.e. 12 years, not 3 years.

So my point is simple – if you’re hiring a “Product Manager” you should really think about what you expect out of the role.

* If you’re really looking for a “Project Manager” or “Digital Producer” — which you most likely are — change your posting and recruit that person. You’ll find a great employee and give them a job they really want and care about. If you manage to get a Product Manager in that role, they’re going to be miserable and walk out the door.

* If you realize that you’re looking for a role that is both strategic and operational — and is going to be one of the most important hires for your organization or division, then either hire someone with relevant Product Management experience OR hire a relevant expert to be your “Product Manager”.

Dreamhost UX Creates Security Flaw

Last week I found a Security flaw on Dreamhost caused by the User Experience on their control panel. I couldn’t find a security email, so I posted a message on Twitter. Their Customer Support team reached out and assured me that an email response would be addressed. Six days later I’ve heard nothing from them, so I feel forced to do a public disclosure.

I was hoping that they would do the responsible thing, and immediately fix this issue.

## The issue:

If you create a Subversion repository, there is a checkbox option to add on a “Trac” interface – which is a really great feature, as it can be a pain to set up on their servers yourself (something I’ve usually done in the past).

The exact details of how the “one-click” Trac install works aren’t noted though, and the integration doesn’t “work as you would probably expect” from the User Experience path.

If you had previous experience with Trac, and you were to create a “Private” SVN repository on Dreamhost – one that limits access to a set of username/passwords – you would probably assume that access to the Trac instance is handled by the same credentials as the SVN instance, as Trac is tightly integrated into Subversion.

If you had no experience with Trac, you would probably be oblivious to the fact that Trac has its own permissions system, and assume your repository is secured by the option above.

The “one click” Trac install from Dreamhost is entirely unsecured: the immediate result of checking the box to enable Trac on a “private” repository is that you publish that repository to the world through the Trac source browser.

For example, if you were to install a private subversion and one-click Trac install onto a domain like this:

The /svn source would be private; however, the same source would be publicly readable under /trac/browser due to the default one-click install settings.

Here’s a marked-up screenshot of the page that shows the conflicting options ( also on )

I totally understand how the team at Dreamhost that implemented the Trac installer would think their approach was a good idea, because in a way it is. A lot of people who are familiar with Trac want to fine-tune the privileges using Trac’s own very robust permissions system, deciding who can see the source / file tickets / etc. The problem is that there is absolutely no mention of an alternate permissions system contained within Trac, or that someone may need to fine-tune the Trac permissions. Worse, a stock Trac environment grants the anonymous user BROWSER_VIEW, FILE_VIEW, LOG_VIEW and CHANGESET_VIEW (among others), so until someone revokes those with trac-admin, the source tree, file contents, history and diffs are readable by anyone who can reach the URL. People unfamiliar with Trac have NO IDEA that their code is being made public, and those familiar with Trac would not necessarily realize that a fully unsecured setup is being created. I’ve been using Trac for over 8 years, and the thought of the default integration being set up like this is downright silly; it’s the last thing I would expect a host to do.

I think it would be totally fine if there is just a “Warning!” sign next to the “enable Trac” — with a link to Trac’s wiki for customization , or instructions ( maybe even a checkbox option ) on how a user can have Trac use the same authorization file as subversion.

But, and this is a huge BUT, people need to be warned that clicking the ‘enable Trac’ button will publish code until Trac is configured. People who are running Trac via an auto-install need to be alerted of this immediately.

This can be a huge security issue depending on what people store in Subversion. Code put in Subversion repositories tends to contain Third Party Account Credentials ( Amazon AWS Secrets/Keys, Facebook Connect Secrets, Paypal/CreditCard Providers, etc ), SSH Keys for automated code deployment, full database connection information, administrator/account default passwords — not to mention the exact algorithms used for user account passwords.

## The fix

If you have a one-click install of Trac tied to Subversion on Dreamhost and you did not manually set up permissions, you need to do the following IMMEDIATELY:

### Secure your Trac installation

If you want to use Trac’s own privileges, create this .htaccess file in the Trac directory in the meantime to disable all web access to /trac (this is Apache 2.2 syntax, which is what shared hosts ran at the time; the Apache 2.4 equivalent is “Require all denied”):

Deny from all

Alternately, you can map access to your Trac install onto the Subversion password file with a .htaccess like this (Basic auth sends the password base64-encoded, which is as good as cleartext, so only serve it over HTTPS):

AuthType Basic
AuthUserFile /home/##SHELL_ACCOUNT_USER##/svn/##PROJECT_NAME##.passwd
AuthName “##PROJECT_NAME##”
require valid-user

### Audit your affected code and services.

* All Third Party Credentials should be immediately trashed and regenerated.
* All SSH Keys should be regenerated
* All Database Accounts should be reset.
* If you don’t have a secure password system in place for your users’ accounts (salted, slow hashing rather than a bare hash), you need to upgrade it.
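To make the audit concrete, here is an added example script; it is not part of the original post and not a Dreamhost or Trac tool. It sweeps a Subversion working copy for the kinds of secrets listed above (AWS keys, private keys, password assignments, connection URLs with embedded passwords) and labels each hit with the rotation action it needs. The regex list, the classify_hit categories and the planted sample files are my own constructions; the AWS key in the sample is the documented “AKIAIOSFODNN7EXAMPLE” placeholder. Treat the pattern list as a starting point, not a complete ruleset.

```shell
#!/bin/sh
# Added example: sweep a Subversion working copy for leaked credentials.
# Assumes only POSIX sh, find, grep -E and awk. The patterns below are a
# starting point (constructed for this example), not a complete ruleset.

# One ERE covering the secret types the post calls out:
#   AWS access key IDs, PEM private key headers, password/secret/key
#   assignments, and connection URLs carrying an embedded password.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN ([A-Z]+ )?PRIVATE KEY-----|(password|passwd|secret|api_key|access_key)[[:space:]]*[=:]|[a-z]+://[^[:space:]/@:]+:[^[:space:]/@]+@'

# scan_tree DIR: print "file:line:text" for every hit. The .svn metadata
# directory is skipped so pristine copies do not double-count each file.
scan_tree() {
    find "$1" -name .svn -prune -o -type f -print 2>/dev/null |
    while IFS= read -r f; do
        grep -niE -e "$SECRET_PATTERNS" "$f" 2>/dev/null |
            awk -v f="$f" '{ print f ":" $0 }'
    done
}

# count_hits DIR: number of matching lines under DIR.
count_hits() {
    scan_tree "$1" | wc -l | tr -d '[:space:]'
}

# classify_hit LINE: map one scan_tree line to the rotation action it needs.
classify_hit() {
    case "$1" in
        *AKIA[0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z]*) echo aws-access-key ;;        # rotate in IAM
        *"PRIVATE KEY-----"*)                   echo private-key ;;           # regenerate, replace authorized_keys
        *://*:*@*)                              echo connection-url ;;        # reset the DB/service account
        *)                                      echo credential-assignment ;; # reset whatever it names
    esac
}

# make_sample_tree: build a constructed working copy with planted secrets
# (the AWS key is the documented "AKIAIOSFODNN7EXAMPLE" placeholder) and
# print its path. Used by demo_scan and by the tests.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/clean" "$d/.svn"
    printf 'DEBUG = True\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nAWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n' > "$d/settings.py"
    printf '<?php\n$db_password = "hunter2";\n$dsn = "mysql://app:hunter2@db.internal/app";\n' > "$d/config.php"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEconstructedNotARealKeyBody' '-----END RSA PRIVATE KEY-----' > "$d/deploy_key"
    printf 'Nothing secret here.\n' > "$d/clean/README"
    printf 'password=leaked-in-svn-metadata\n' > "$d/.svn/entries"   # pruned by scan_tree
    echo "$d"
}

# demo_scan: run the sweep over the constructed tree and show what each hit
# means for the rotation checklist above.
demo_scan() {
    d=$(make_sample_tree) || return 1
    scan_tree "$d" | while IFS= read -r hit; do
        printf '%-22s %s\n' "$(classify_hit "$hit")" "${hit#$d/}"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then
    demo_scan
fi
```

Run it as “sh audit.sh demo” to see the five planted hits, or point scan_tree at a real working copy. Note that the sweep only sees the current revision: a secret that was committed and later removed is still in the repository history, which is exactly why the checklist says to rotate everything rather than to grep and decide.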

## What are the odds of me being affected ?

Someone would need to figure out where your trac/svn repos are to exploit this. Unless you’ve got some great obscurity going on, it’s pretty easy to guess: /trac/ and /svn/ under the project’s domain are the defaults. Many people still deploy by serving files straight out of a Subversion working copy (it was popular with developers 5 years ago, before build/deploy tools became the standard); if that’s the case and Apache/Nginx aren’t configured to reject .svn directories, your repo information is public. The working copy’s .svn/ metadata holds a pristine copy of every file (.svn/text-base/ on older clients, .svn/pristine/ plus wc.db from Subversion 1.7), and .svn/entries names the repository URL, so an attacker can read your source without ever touching the repository server.
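The probe and the lockdown, as an added example script rather than anything from the post or from Dreamhost: it fetches the Trac and .svn paths anonymously and reports which are readable, writes the two .htaccess files (the Basic-auth one from the fix above, and one that refuses .svn requests), and revokes the read permissions a stock Trac environment grants to anonymous. The script name check_trac.sh, the example.com paths and the TRAC_ENV location are placeholders; the post does not say where the one-click installer puts the Trac environment.

```shell
#!/bin/sh
# Added example: probe a site for the two exposures the post describes
# (an unauthenticated Trac source browser and a served-up .svn directory),
# then write the Apache rules that close them. Assumes curl, and the
# Dreamhost layout the post gives (/home/USER/svn/PROJECT.passwd).
# TRAC_ENV is a placeholder: locate the Trac environment first.

# exposure_verdict STATUS: turn an HTTP status code into a verdict. A 200
# on /trac/browser or /.svn/entries with no credentials means anyone can read it.
exposure_verdict() {
    case "$1" in
        200)     echo EXPOSED ;;
        401|403) echo protected ;;
        404)     echo absent ;;
        *)       echo "unknown($1)" ;;
    esac
}

# probe URL: fetch without credentials and print "verdict URL".
probe() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1")
    printf '%-12s %s\n' "$(exposure_verdict "$status")" "$1"
}

# check_site BASE_URL: probe the paths Trac and a deployed working copy expose.
# /.svn/entries is the pre-1.7 layout; /.svn/wc.db is Subversion 1.7+.
check_site() {
    for p in /trac/browser /trac/log /trac/changeset/1 /.svn/entries /.svn/wc.db; do
        probe "$1$p"
    done
}

# write_trac_htaccess USER PROJECT DEST: the post's fix, gating Trac with the
# same htpasswd file Dreamhost generates for the private SVN repository.
write_trac_htaccess() {
    cat > "$3" <<EOF
AuthType Basic
AuthUserFile /home/$1/svn/$2.passwd
AuthName "$2"
require valid-user
EOF
}

# write_svn_blocker DEST: refuse to serve Subversion metadata from a docroot
# (mod_alias RedirectMatch, which works from a .htaccess on shared hosting).
write_svn_blocker() {
    cat > "$1" <<'EOF'
RedirectMatch 404 /\.svn(/|$)
EOF
}

# strip_trac_anonymous TRAC_ENV: revoke the read permissions a stock Trac
# environment grants to "anonymous", so Trac's own ACL no longer publishes
# the repository even where the .htaccess is missing. Prints what remains.
strip_trac_anonymous() {
    trac-admin "$1" permission remove anonymous BROWSER_VIEW FILE_VIEW LOG_VIEW CHANGESET_VIEW
    trac-admin "$1" permission list anonymous
}

# Usage (nothing runs when the file is only sourced for its functions):
#   sh check_trac.sh https://example.com                      # probe, before and after
#   write_trac_htaccess alice myproj ~/example.com/trac/.htaccess
#   write_svn_blocker ~/example.com/.htaccess
#   strip_trac_anonymous ~/trac/myproj                        # TRAC_ENV placeholder
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Probe before and after applying the files: every line should move from EXPOSED to protected (Basic auth) or absent (RedirectMatch 404). The .htaccess for Trac has to live in the directory Apache serves /trac from, and the host must allow AuthConfig overrides there; if the probe still says EXPOSED after the file is in place, that is the first thing to check.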

When it comes to security, play it safe. If your repo was accidentally public for a minute, you should wipe all your credentials.

Want to win? Make it easier, not harder.

In March of 2011 I represented Newsweek & The Daily Beast at the Harvard Business School / Committee of Concerned Journalists “Digital Leaders Summit”. Just about every major media property sent an executive there, and I was privileged enough to represent the newly formed NewsBeast (Newsweek+TheDailyBeast had recently merged, but have since split).

Over the course of two days, we covered a lot of concerns across the industry – analyzing who was doing things right and how/why others were making mistakes.

On the first day of the summit we looked at how Amazon was positioning itself for digital book sales: where it hoped its profits would come from, where it expected losses, and strategies for finding the optimal price structure for digital goods.

Inevitably, the conversation sidetracked to the Apple Ecosystem, which had just announced Subscriptions and their eBooks plan — consequently being their new competitor.

One of the other 30 or so people in attendance was Jeffrey Zucker from NBC, who went into his then-famous “digital pennies vs. analog dollars” diatribe. He made a compelling, intelligent, and honest argument that captivated the minds and attention of the entire room. Well, most of the room.

I vehemently disagreed with all his points and quickly spoke up to grab the attention of the floor… “apologizing” for breaking with the conventional view of this subject, and asking people to look at the situation from another point of view. Yes, it was true as Zucker stated that Apple standardized prices for digital downloads and set the pricing on their terms – not the producer’s. Yet, it was true that Apple allowed for records to be purchased “in part” and not as a whole – shifting purchase patterns, and yes to a lot of other things.

And yes – Jeffrey Zucker didn’t say anything that was “wrong” – everything he said was right. But it was analyzed from the wrong perspective. Simply put, Zucker and most of the other delegates were only looking at a portion of the scenario and the various mechanics at play. The prevailing wisdom in the room was way off the mark… by miles.

Apple didn’t gain dominance in online music because of their pricing system or undercutting retailers – which everyone believed. Plain and simple, Apple took control of the market because they made it fundamentally easier and faster for someone to legally buy music than to steal it. When they first launched (and still in 2012) it takes under a minute for someone to find and buy an Album or Single in the iTunes store. Let me stress that – discovery, purchase and delivery takes under a minute. Apple’s servers were relatively fast at the start as well – an entire album could be downloaded within an hour.

In contrast, to legally purchase an album in the store would take at least two hours – and at the time they first launched, encoding an album to work on an MP3 player would take another hour. To download a record at that time would be even longer: services like Napster (already dead by the iTunes launch) could take a day to download; torrent systems could take a day; while file upload sites were generally faster, they suffered from another issue that torrents and other options did as well – mislabeled and misdirected files.

Possibly the only smart thing the Media Industry has ever done to curb piracy is what I call the “I Am Spartacus” method — wherein “crap” files are mislabeled to look like Top 40 hits. For example: in expectation of a new Jay-Z record, internet filesharing sites are flooded with uploads that bear the name of the record… but contain white noise, another record, or an endless barrage of insults (ok, maybe not the last one… but they should).

I pretty much shut the room up at that point, and began a diatribe of my own – which I’ll repeat and continue here…

At the conference, Jeffrey Zucker and some other media executives tended to look at the digital economy like this: if there are 10 million Apple downloads of the new Beyonce record or the 2nd season of “Friends”, those represent 10 million diverted sales of a $17.99 CD, or 10MM diverted sales of a $39.99 DVD. If Apple sells the record for $9.99 and takes a 30% cut, the label sees only $7 in revenue in place of every $17.99, 10 million times. Similarly, if 10MM people are watching Friends for $13.99 (or whatever cost) on AppleTV instead of buying $29.99 box sets, that’s about $20 lost per viewer, 10 million times.

To this point, I called bullshit.

Digital goods such as music and movies have incredibly diminished costs for incremental units, and for most of these products they are a secondary market — records tend to recoup their various costs within the first few months, and movies/tv-shows tend to have been wildly profitable on-TV / in-Theaters. The music recording costs 17.99 and the DVD 29.99 , not because of fixed costs and a value chain… but because $2 of plastic, or .02¢ of bandwidth, is believed by someone to be able to command that price.

Going back to our real-life example, 10MM downloads of “Friends” for 13.99 doesn’t equate to 10MM people who would have purchased the DVD for $39.99. While a percentage of the 10MM may have been willing to purchase the DVDs for the higher price, another — larger — percentage would not have. By lowering the price from 39.99 to 13.99, the potential market had likely changed from 1MM consumers to 10MM. Our situation is not an “apples-to-apples” comparison — while we’re generating one third the revenue, we’re moving ten times as many units and at a significantly lower cost (no warehousing, mfg, transit, buybacks, etc).

While hard copies are priced to cover the actual costs associated with manufacturing and distributing the media, digital media is flexibly priced to balance convenience with maximized revenue.

Typical retail patterns release a product at a given introductory price (e.g. $10) for promotional period, raise it to a sustained premium for an extended period of time (e.g. $17), then lower it via deep discounted promotions for holiday sales or clearance attempts (e.g. $5). Apple ignored the constant re-pricing and went for a standardized plan at simple price-points.

Apple doesn’t charge .99¢ for a song, or $1.99 for a video because of some nefarious plan to undervalue media – they came up with those prices because those numbers can generate significant revenue while being an inconsequential purchase. At .99¢ a song or $9.99 an album, consumers simply don’t think. We’re talking about a dollar for a song, or a ten dollar bill for a record.

Let me rephrase that, we’re talking about a fucking dollar for a song. A dollar is a magical number, because while it’s money, it’s only a dollar. People lose dollar bills all the time, and rationalize the most ridiculous of purchases away… because it’s only a dollar. It’s four quarters. You could find that in the street or in your couch. A dollar is not a barrier or a thought. You’ll note that a dollar is not far off from the price of a candy bar, which retailers incidentally realized long ago that “Hey – let’s put candy bars next to the cash registers and keep the prices relatively low, so people make impulse buys and just add it onto their carts”.

Do you know what happens when you charge a dollar for something? People just buy it. At 13.99 – 17.99 for a cd, people look at that as a significant purchase — one that competes with food, vacations, their children’s college savings. When you charge a dollar a song – or ten dollars a record – people don’t make those comparisons… they just buy.

And buy, and buy, and buy. Before you know it, people end up buying more goods — spending more money overall on media than they would have under the old model. Call me crazy, but I’d rather sell 2 items with little incremental cost at $9.99 each than 1 item at $13.99 — or even 1 item at $17.99.

Unfortunately, the current stable of media executives – for the most part – just don’t get this. They think a bunch of lawyers, lobbyists and paying off politicians for sweetheart legislation are the best solution. Maybe that worked 50 years ago, but in this day and age of transparency and immediacy, it just doesn’t.

Today: you need to swallow your pride, realize that people are going to steal, that the ‘underground’ will always be ahead of you, and instead of wasting time + money + energy on short-term bandaids which try to remove piracy ( and need to be replaced every 18 months ), you should invest your time and resources into making it easier and cheaper to legally consume content. Piracy of goods will always exist; it is an economic and human truth. You can fight it head-on, but why? There will always be more pirates to fight; they’re motivated to free content, and they’re doubly motivated to outsmart a system. Fighting piracy is like a Chinese finger trap.

Instead of spending millions of dollars chasing 100% market share that will never happen (and I can’t stress that enough, it will never happen), you could spend thousands of dollars addressing the least-likely pirates and earn 90% of the market share — in turn generating billions more in revenue each year.

Until decision makers swallow their pride and admit they simply don’t understand the economics behind a digital world, media companies are going to constantly and mindlessly waste money. Almost every ( if not EVERY ) attempt at Digital Rights Management by major media companies has been a catastrophe – with most just being a waste of money, while some have resulted in long term compliance costs. I can’t say this strongly enough: nearly the entire industry of Digital Rights Management is a complete failure and not worth addressing.

Today, the media industry is at another crossroads. Intellectual property rights holders are getting incredibly greedy, and trying to manipulate markets which they clearly don’t understand. In the past 12 hours I’ve learned how streaming rights to Whitney Houston movies were pulled from major digital services after her death to increase DVD sales [ I would have negotiated with digital companies for an incremental ‘fad’ premium, expecting the hysteria to die down before physical goods could be made ], and read a dead-on comic by The Oatmeal on how it has – once again – become easier to steal content than to legally purchase it [ ].

As I write this (Feb 2012) it is faster to steal a high quality MP3 (or FLAC) of a record than it is to either: a) rip the physical CD to the digital version or b) download the item from iTunes ( finding/buying is still under a minute ). Regional release dates for music, movies and TV are unsynchronized (on purpose!), which results in the perverse scenario where people in different regions become incentivized to traffic content to one another – i.e. a paying subscriber of a premium network in Europe will illegally download an episode when it first airs on the affiliate in the United States, one month before the European date.

Digital economics aren’t rocket science, they’re drop-dead simple:

  1. If you make things fast and easy to legally purchase, people will purchase it.
  2. If you make things cheap enough, people will buy them – without question , concern, or weighing the purchase into their financial plans.
  3. If you make it hard or expensive for people to legally purchase something, they will turn to “the underground” and illegal sources.
  4. Piracy will always exist, innovators will always work to defy Digital Rights Management, and as much money as you throw at creating anti-piracy measures… there will always be a large population of brilliant people working to undermine them.

My advice is simple: pick your battles wisely. If you want to win in digital media, focus on the user experience and maximizing your revenue generating audience. If your content is good, people will either buy it or steal it – if your content is bad, they’re going somewhere else.

I’m glad to no longer be in corporate publishing. I’m glad to be back in a digital-only world, working with startups , advertising agencies, and media companies that are focused on building the future… not trying to save an ancient business model.

2016 Update

Re-reading this, I can’t help but draw the parallels to the explosion of Advertising and Ad Blocking technologies in recent years. Publishers have gotten so greedy trying to extract every last cent of Advertising revenue and including dozens of vendor/partner javascript tags, that they have driven even casual users to use Ad Blocking technologies.