Wednesday, August 31, 2005

SSH HTTP Proxy Setup

SSHirking work - part 1 tech

A little while ago I mentioned that I've been tunnelling my web traffic out of work and through my home connection. That post inspired a firestorm of public interest (one person emailed me about it). Here's the beginning of how to implement such a setup yourself. When it's working your boss won't be able to snoop on which websites you're visiting, or block them, or really tell anything about your internet traffic apart from how much of it there is (and that it's strangely hidden).

First, the big picture. I've explained the idea behind ports at least a couple of times. We're going to take our browser's web traffic — the stuff going out through port 80 — and send it through an encrypted tunnel to a PC at home that's running a proxy server. The proxy server will make an unencrypted request for the webpage we're trying to access (using our home connection) and send the data back through the encrypted tunnel.

We're going to need a few things. We'll need a PC that's at home and turned on at whatever times the link should be available. And we're going to need to make some assumptions. So this is going to be a Windows tutorial. All the software required is free and open source, though, and you could certainly accomplish this setup under OS X or Linux. In fact, in some regards it'd probably be quite a bit easier. But Linux users don't need my help setting up a proxy server, and Mac users are used to being ignored. If anybody with a Mac really wants this functionality, just let me know. I'll be happy to dig up the relevant links.

Finally, I'm going to assume you know how to open up ports on Windows firewall (or at least turn it off) if you're running a version of XP that has it installed. Same thing with ZoneAlarm, or whatever other software firewall you might be running. I can't account for everything, people!

So let's get started. In this post we'll take care of the software that supports the encrypted tunnel. This is the hard, but not that hard, part.

We're going to use SSH for this, a technology that on its face is a secure replacement for telnet, but also provides the ability to redirect ports on a client machine to arbitrary ports on any machine accessible to the server. This'll make sense later -- for now, just trust me as I tell you how to install OpenSSH for Windows. Start by downloading the binary installer from that site, then unzipping and running it.

Here's the first important decision. What port should we run this thing on? SSH usually runs on port 22 — but we're going to have to make it publicly accessible. Script kiddies scan IP blocks for SSH servers (among other things). SSH servers make for ripe targets because they generally indicate a system more interesting than a typical grandmother's email box, and because if it can be accessed a large new class of exploits can be run against the machine. Don't be scared — none of this is very likely to happen. But it's worth thinking about.

A bigger consideration is your firewall at work. Your workplace might block unknown ports for security reasons, or productivity reasons, or just to be mean. Unless you have a job-related reason for using port 22 it might not be available. To get around this, you could run your server on port 80 — that's pretty well guaranteed to work, so long as you can access the web. But it might also attract attention, in this case from your ISP. Broadband providers generally don't like folks hosting websites on their home computers. Cablemodem ISPs tend to be the biggest jerks about this. So while port 80 might be more foolproof for work, it also might bring up bureaucratic hassles with your internet provider. Decide accordingly.

UPDATE: Thanks to a reader in comments who points out that port 443 is almost always open (for SSL-enabled websites), is commonly used for encrypted traffic, and less likely to attract script-kiddy attention.

So, run the OpenSSH installer. Accept all the defaults. If you need to use a port besides 22, edit c:\program files\openssh\etc\sshd_config in a text editor like Notepad, remove the hash (#) mark from in front of the line that reads "# port 22", change the port number appropriately, and save the file.
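The same edit done in code, as an added example that is not part of the original post. It uncomments the port line and sets the port you chose (443, per the update above), and, as a precaution the post does not mention, adds an AllowUsers line so that sshd refuses every local account except the one you are about to create. Port and AllowUsers are standard sshd_config keywords; the sample config below is constructed for the demo, and the Windows path to overwrite with the result is the one the post names.

```python
"""Apply the sshd_config edit from the post programmatically.

Assumptions: the file is the stock sshd_config shipped with OpenSSH for
Windows, with the port line commented out ("#Port 22" or "# port 22";
sshd keywords are case-insensitive, so both spellings are handled).
"""
import re

# Matches the port line whether or not it is commented out.
PORT_LINE = re.compile(r"^\s*#?\s*port\s+\d+\s*$", re.IGNORECASE)
ALLOWUSERS_LINE = re.compile(r"^\s*allowusers\b", re.IGNORECASE)

# Constructed sample, trimmed to the lines that matter for the demo.
SAMPLE_SSHD_CONFIG = """# Constructed sample sshd_config
# port 22
#ListenAddress 0.0.0.0
Subsystem sftp /usr/sbin/sftp-server
"""


def set_sshd_port(config_text, port):
    """Return config_text with the (possibly commented) Port line replaced
    by an active 'Port <port>' line. A second Port line would make sshd
    listen on both ports, so any extra ones are commented out; if there
    is no Port line at all, one is appended."""
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    lines = config_text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if PORT_LINE.match(line):
            if not replaced:
                lines[i] = f"Port {port}"
                replaced = True
            else:
                lines[i] = "#" + line.lstrip("#").strip()
    if not replaced:
        lines.append(f"Port {port}")
    return "\n".join(lines) + "\n"


def allow_only(config_text, username):
    """Restrict SSH logins to a single account (hardening the post does
    not mention): drop any existing AllowUsers line and add one for
    `username`. Every other Windows account is then refused by sshd."""
    lines = [l for l in config_text.splitlines() if not ALLOWUSERS_LINE.match(l)]
    lines.append(f"AllowUsers {username}")
    return "\n".join(lines) + "\n"


def active_port(config_text):
    """Port sshd would actually listen on for this config (22 if unset)."""
    for line in config_text.splitlines():
        m = re.match(r"^\s*port\s+(\d+)\s*$", line, re.IGNORECASE)
        if m:
            return int(m.group(1))
    return 22


if __name__ == "__main__":
    hardened = allow_only(set_sshd_port(SAMPLE_SSHD_CONFIG, 443), "sshuser")
    print(hardened)  # write this over c:\program files\openssh\etc\sshd_config
    print("sshd will listen on port", active_port(hardened))
```

Write the result over the sshd_config file named in the post and restart the OpenSSH Server service for the change to take effect; the AllowUsers line means that if someone does guess a password for another Windows account on the machine, sshd still turns them away.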

Now we've got to set up a user for this SSH server. We'll do this by adding one to your windows machine. Make sure you're logged in as an administrator, right click on "My Computer" and choose "Manage". Expand "Local Users And Groups", right-click on "Users" and choose "New User". Enter a username — I'll assume "sshuser", but you can use whatever you'd like — and enter a good password (I'm fond of this generator for producing them). You'll probably want to uncheck "User must change password at next logon", and if I were you I'd go ahead and check the boxes next to "User cannot change password" and "Password never expires".

One last thing. Click on "Start", go to "Run" and type "cmd". Now type this in:

cd \Program Files\OpenSSH\bin
mkgroup -l >> ..\etc\group
mkpasswd -l -u sshuser >> ..\etc\passwd

That sets up OpenSSH to use the user account we just created.

Finally, go to the Control Panel, then select "Administrative Tools", then "Services". Find "OpenSSH Server" and go to its properties (you can double-click on its name to get to them). Make sure "Startup Type" is "Automatic", then click the "Start" button.

Congratulations. Your computer is now an SSH server. Why don't you try connecting to it? Download PuTTY and run it. Click the SSH radio button, enter "localhost" into the "Host Name" box (assuming you're running this on the same machine onto which you just installed OpenSSH). The port box should read "22" — if you installed the server on a different port, enter that number instead. Then click the "Open" button. You should get a one-time warning about the server's key, then be able to log in using the sshuser name and password.

And bang! You'll get a command line prompt. Very exciting. Alright, maybe not. But trust me, this is good. If for some reason you can't get to this point, leave a message in comments and I'll try to help you figure it out.

There's only one more step to getting this SSH server up and running: open it up to the world. So if you're behind a router, go to portforward.com and look up instructions on how to forward whatever port you're using (22, 80, or whatever) to the server machine. You'll need to look up the server's IP as well — portforward.com should have instructions, but the short version is start|run, "cmd.exe" then "ipconfig".

If everything's gone right, you've got a working SSH server that's accessible from the internet. When you're at the office you'll have to use your internet IP to access the machine. You can find that out here; alternately, it might be a good idea to register for a dynamic DNS service (be sure to install the updater software) so that you don't have to worry about the IP expiring.

This is a useful thing to have in its own right, but it's going to be really useful once we install Privoxy, configure the SSH tunnel and modify your browser's proxy settings to use it. But we'll get to all that in the next post. For now, take heart in the knowledge that the worst is over.


===========================

When last we left our hero — that'd be you — he had a functioning SSH server running on his Windows machine. You've poked a hole in your firewall and/or router, and maybe you've signed up for a dynamic DNS service. That, or you at least have an IP address. The bare minimum is the same: to proceed from here, you ought to be able to connect to your OpenSSH server with PuTTY when you're away from home.

The remaining tasks are pretty easy:

  1. Install Privoxy on the server
  2. Set up the SSH tunnel using PuTTY
  3. Configure your web browser to use the SSH tunnel

So: Privoxy. You can download it here — you'll want the most recent Win32 release. Run it and use the default configuration. It should start up the Privoxy console. Everything is pretty well ready to go with the default settings. You can hit the "X" on the console, but retain the shiny new blue P in your system tray. You've now got an HTTP proxy server running on your machine — one that, it's worth noting, will only accept requests from the local machine. But that's okay, because (counterintuitively) that's exactly where they'll be coming from.

Alright. Let's get this SSH tunnel going. From your non-home location (let's just call it work), start up PuTTY and enter the information necessary to connect to your SSH server. But don't connect yet. In the menu tree on the left, navigate to Connection | SSH | Tunnels. You should see this dialog:

PuTTY configuration screen

Enter the information as you see it here (if you can't see the image, see here), then click "Add". Let me explain what this all means.

SSH allows you to forward ports between the client machine (on which you're running PuTTY) and the server machine (on which you installed OpenSSH and Privoxy). In this case it's a Local port — that's what the radio button is set to, and it means that traffic that comes into the relevant port (specified in the "Source Port" textbox) on the client machine will be encrypted, sent to the OpenSSH server, and then sent from there to the address specified in the "Destination" textbox. If the "Remote" radio button was specified it would work in exactly the opposite direction, with traffic getting collected at the server and sent out through the client.

One more thing. You might already know this, but that "127.0.0.1:8118" has two parts: the IP address and the port number. 127.0.0.1 is a special IP address, called "loopback" or "localhost" that always refers to the current machine. The colon followed by "8118" specifies the port number. So: this tunnel will collect traffic coming into the client on port 8118; it'll then be sent through the SSH tunnel; and the server will decrypt it and send it to 127.0.0.1:8118 — port 8118 on itself. Which happens to be the default port on which Privoxy listens.
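A loopback model of the Local forward just described, and of what the browser does once its HTTP proxy is set to 127.0.0.1:8118, as an added example that is not part of the original post. Everything runs on one machine, so nothing here is encrypted; the point is the wiring: a Privoxy stand-in, a client-side listener that relays each connection to the destination, and a browser-style request sent to the proxy address. forward_spec() gives the equivalent OpenSSH -L argument for readers on Linux or OS X (the -L [bind:]port:host:hostport syntax is OpenSSH's own). The port 0 in the demo asks the OS for a free port so the example runs anywhere; the real setup uses 8118 on both ends as the post says.

```python
"""Loopback demonstration of an SSH Local forward into an HTTP proxy."""
import socket
import threading


def forward_spec(source_port, dest_host, dest_port, bind="127.0.0.1"):
    """OpenSSH form of the same Local forward. Binding to 127.0.0.1 matters:
    a 0.0.0.0 bind would let any machine on the office network push its
    traffic through your tunnel."""
    return f"-L {bind}:{source_port}:{dest_host}:{dest_port}"


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    """Full-duplex relay between two connected sockets; closes both at the end."""
    t1 = threading.Thread(target=_pump, args=(a, b))
    t2 = threading.Thread(target=_pump, args=(b, a))
    t1.start(); t2.start(); t1.join(); t2.join()
    a.close(); b.close()


def start_echo_proxy_stub():
    """Privoxy stand-in: loopback-only listener (like the real thing) that
    answers each request with a 200 echoing the request line. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                req = b""
                while True:                      # read until the client's half-close
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                first_line = req.split(b"\r\n", 1)[0]
                conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nproxy saw: " + first_line)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_local_forward(source_port, dest_host, dest_port):
    """Client-side half of a Local forward (PuTTY's job): listen on
    127.0.0.1:source_port and relay every accepted connection to
    (dest_host, dest_port), which in the real setup the *server* connects
    to, so 127.0.0.1 there means the home PC. Returns the bound port."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", source_port))
    listener.listen(5)

    def accept_loop():
        while True:
            client, _ = listener.accept()
            upstream = socket.create_connection((dest_host, dest_port))
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1]


def fetch_via_tunnel(local_port, url):
    """What the browser does with an HTTP proxy configured: connect to the
    proxy address and put the full URL in the request line. Returns the body."""
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(b"GET " + url.encode() + b" HTTP/1.0\r\n\r\n")
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.split(b"\r\n\r\n", 1)[1].decode()


if __name__ == "__main__":
    privoxy_port = start_echo_proxy_stub()
    tunnel_port = start_local_forward(0, "127.0.0.1", privoxy_port)
    print(forward_spec(8118, "127.0.0.1", 8118))
    print(fetch_via_tunnel(tunnel_port, "http://example.test/"))
```

The listener is bound to 127.0.0.1 on purpose: PuTTY does the same by default, and it is what keeps the tunnel yours rather than a free proxy for everyone on the office LAN. In the real setup the bytes between the listener and the destination travel inside the SSH session, which is why a packet capture at work shows only the connection to your home port and none of the URLs.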

You might want to go back to the startup PuTTY screen, enter some text in the box under "Saved Sessions" and click "Save" — this'll let you reload the settings quickly in the future. Every time you want to use this tunnel, you'll have to open PuTTY, reload (or reenter) these settings, then connect and log into your SSH server as normal. It's important to note that the tunnel won't be set up until the login is complete — otherwise this would be a pretty huge security hole. And, as a result, you'll have to keep that PuTTY window open for as long as you're using the proxy setup each day. It's not that irritating, I promise.

Alright, last step. With the tunnel established, set up your browser to use an HTTP proxy. In Firefox this is under Tools | Options | General | Connection Settings. In Internet Explorer it's under Tools | Internet Options | Connections | LAN Settings | Advanced. Either way, set your HTTP proxy to point to 127.0.0.1, port 8118.

That's it! Start browsing. If you'd like to and feel up to it, download Ethereal to see what's going across the wire — all of your web traffic should be encrypted.

I should mention a few details. First, you'll probably notice that this system is a little slower than proxy-free web browsing. That's to be expected — your connection at home is asymmetric, meaning that you have more available download capacity than upload capacity. Normally this works out fine, because receiving a webpage or a file or streamed audio takes more bandwidth than does asking for it. But our setup turns this on its head, because all traffic will have to be shoved back up through your home internet connection. It shouldn't be too irritatingly slow, but it will be a noticeable difference.

Second, you might occasionally see Privoxy assert itself. The most obvious way is in big, bold error pages that come up when Privoxy can't access a website. Usually refreshing the page will solve this problem. By default Privoxy also filters some ads. If you'd like to turn this capability off, consult its documentation. I've found it to be a pretty unobtrusive feature.

Finally, if you're using Firefox, I'd recommend installing SwitchProxy, an extension that lets you easily change which proxy you're using to browse (configuration is pretty intuitive; use the same settings as those outlined above). SwitchProxy comes in handy when you're about to start a high-bandwidth transaction -- a file download, for example, or streaming audio from an internet radio station. Just switch the proxy off, then start the transfer. It won't go through the tunnel, and consequently won't eat up the tunnel's limited bandwidth. As soon as the connection is initiated you can turn the proxy back on. The just-started transfer will remain outside the secure tunnel (and, of course, be visible to the public).

That pretty well wraps things up. Folks on your network at work won't be able to see what you're accessing. From a network perspective, it'll look like you're browsing from home. The SSH tunnel will be visible, but its contents will be encrypted. Odds are that no one will bother you about it. If they do, I'd suggest making up a line about your personal webmail not supporting SSL — that's plausible enough. Do keep in mind, though, that a record of your browsing activities will still exist on your hard drive. If you're really worried about it, be sure to clear out your browser's cache and history before heading home each night.

There are a few more useful things you can do now that you've got this SSH tunnel set up, the most notable being remote control of your computer at home with an application called VNC. I'll try to write something up on that later — it's very straightforward. In general, whatever other network services are available from home but not work, can be made available — with a couple of noteworthy exceptions. First, SSH only tunnels TCP, the slower-and-steadier of the internet's two packet types (UDP is its speedier, unreliable sibling). The tunnel's slow, so you wouldn't want to use it for playing Quake anyway. But the lack of UDP support rules out some streaming applications, like iTunes on the PC (Mac users can use iTunes without needing UDP by forwarding TCP port 3689). More notably, despite Windows filesharing working over TCP, it can't be redirected over SSH (at least not easily). If you need to get to windows shares on your home network, you'll want a real VPN solution, like OpenVPN. Unfortunately the OpenVPN tutorial I did a while ago is now outdated (it should still work for a single user, but it'll probably be a bit slow). If there's any interest, I'll write up a new one.

As before, let me know in comments if you have any trouble with the above instructions. Besides newfound guilt over dereliction of your official duties, I mean.

UPDATE: I forgot to mention that many apps besides web browsers can use HTTP proxies. Most obvious is your IM client — if you'd like secure IM traffic, check out its connection settings and configure it to use an HTTP proxy using the same settings as you did for your web browser.

Korea is Pissed at Google

South Korea is the latest country to raise its concerns over Google's satellite photo service, Google Earth. The country is worried about sensitive sites being visible from space by the service's users, including the presidential Blue House and military bases, as it remains officially at war with its neighbour, North Korea.

The presidential office in the country is reportedly planning to raise its fears with US officials. The roofs of some sensitive sites in the US - including the White House - have already been blacked out by Google, but that hasn't happened with its satellite imagery of South Korea. Images of the secretive North Korea are also available.

American Scientist Stamps

History of LSD

The latest issue of the Canadian Journal of Psychiatry includes a trip into the roots of psychedelic culture, titled "Flashback: Psychiatric Experimentation With LSD in Historical Perspective." The paper was written by Erika Dyck, a doctoral student in the Department of History at McMaster University in Ontario. From the abstract:
In the popular mind, d-lysergic acid diethylamide (LSD) research in psychiatry has long been associated with the CIA-funded experiments conducted by Ewen Cameron at the Allen Memorial Institute in Montreal, Quebec. Despite this reputation, a host of medical researchers in the post–World War II era explored LSD for its potential therapeutic value. Some of the most widespread trials in the Western world occurred in Saskatchewan, under the direction of psychiatrists Humphry Osmond (in Weyburn) and Abram Hoffer (in Saskatoon). These medical researchers were first drawn to LSD because of its ability to produce a “model psychosis.” Their experiments with the drug that Osmond was to famously describe as a “psychedelic” led them to hypothesize and promote the biochemical nature of schizophrenia. This brief paper examines the early trials in Saskatchewan, drawing on hospital records, interviews with former research subjects, and the private papers of Hoffer and Osmond. It demonstrates that, far from being fringe medical research, these LSD trials represented a fruitful, and indeed encouraging, branch of psychiatric research occurring alongside more famous and successful trials of the first generation of psychopharmacological agents, such as chlorpromazine and imipramine. Ultimately, these LSD experiments failed for 2 reasons, one scientific and the other cultural. First, in the 1950s and early 1960s, the scientific parameters of clinical trials shifted to necessitate randomized controlled trials, which the Saskatchewan researchers had failed to construct. Second, as LSD became increasingly associated with student riots, antiwar demonstrations, and the counterculture, governments intervened to criminalize the drug, restricting and then terminating formal medical research into its potential therapeutic effects.
Link

Tuesday, August 30, 2005

New Material Harder Than Diamond

Diamond is no longer the hardest substance known to man. Scientists have created a new material, called "aggregated diamond nanorods", by compressing carbon-60 under high heat. From the article: 'The hardness of a material is measured by its isothermal bulk modulus. Aggregated diamond nanorods have a modulus of 491 gigapascals (GPa), compared with 442 GPa for conventional diamond.'

Nanotech Coating Prevents Fogging

MIT scientists have applied for a patent on a coating process that reduces or eliminates fogging on glass surfaces (car windshields, eyeglasses, etc). The new coating was described today at the 230th national meeting of the American Chemical Society.

Linux is So Tuff

I love Linux. I use it on my servers, I use it on my desktops, and I use it on my entertainment center, where it powers my HDTV TiVo and my D-Link DSM-320 media player, which turns my network into a media library with terabytes of storage. Heck, I even run Linux on my Linksys WRT54G Wi-Fi access points, which hook the whole shebang together.

But, Linux isn't for everyone. Seriously. Here are my top five reasons why you shouldn't move to Linux . . .

Reason number one: Linux is too complicated

Even with the KDE and GNOME graphical windowing interfaces, it's possible -- not likely, but possible -- that you'll need to use a command line now and again, or edit a configuration file.

Compare that with Windows where, it's possible -- not likely, but possible -- that you'll need to use a command line now and again, or edit the Windows registry, where, as they like to tell you, one wrong move could destroy your system forever.

Reason number two: Linux is a pain to set up

It's true. After all, with modern Linuxes like Xandros Desktop or SimplyMEPIS, you need to put in a CD or DVD, press the enter button, give your computer a name, and enter a password for the administrator account.

Gosh, that's hard.

On the other hand, with Windows, all you have to do is put in a CD or DVD, do all the above, and then immediately download all the available patches. After all, Symantec has found that an unpatched Windows PC connected to the Internet will last only a few hours before being compromised.

Unpatched Linux systems? Oh, they last months, but what's the fun of that?

Reason number three: Linux doesn't have enough applications

Really now. I mean, most Linux systems only come with secure Web browsers, like Firefox; e-mail clients, like Evolution; IM clients, like GAIM; office suites, like OpenOffice.org 2.0; Web page editors, like Nvu; and on, and on, and...

Microsoft, on the other hand, gives you Internet Explorer and Outlook Express, the most popular Web browser and e-mail client around -- even though they do have a few little, teeny-weeny problems. Of course, Windows also has an IM-client, Windows Messenger, which, come to think of it, has also had some problems.

And, Microsoft also has Microsoft Office, which -- oh wait, you don't get that with the operating system, do you? You also don't get a Web page editor either, do you?

Well, still, with Windows you get so many more choices of software, don't you? Like Lotus 1-2... oh really? I didn't know that. Or, WordPerfect... oh, pretty much dead too.

Still, so long as you want to run Microsoft programs at Microsoft prices, Windows is the operating system for you!

Reason number 4: Linux isn't secure

If Microsoft says so, it has to be true! So what, if you can scarcely go a week without reading about yet another major Windows security problem in our sister publication, eWEEK.com's security section! Who would you rather believe -- Microsoft, or your own eyes?

Reason number 5: Linux is more expensive

Are you calling Microsoft a liar? Those nasty Linux companies, like Red Hat or Novell/SUSE charge you a fee for support. Others, like Linspire sell you the product. How dare they, when you can download free, fully-functional versions of almost all the Linux distributions.

Your computer, on the other hand, almost certainly came with Windows pre-installed! For free!

Oh wait, it's not free? Windows' actually makes up a large percentage of your PC's price?

Hmmm. Well, still, it's already on there, and it has everything you need.

Right? Of course, right!

Except, of course, you might still want to buy an anti-viral program (Norton Anti-Virus: $40), anti-spyware software (McAfee Anti-Spyware: $25); and a full-featured firewall (Zone Alarm Pro: $35). But, hey, who needs those when you have a secure operating system like Windows!

And so...

When you really think about it, you can see why there are lots of reasons not to use Linux.

There just aren't any good ones.

Monday, August 29, 2005

A9's Blockview Mapping

A9 (the search engine owned by Amazon) has a fully enabled Beta Website preview of their new Blockview mapping program. This website allows you to view highly detailed street-level pictures of selected addresses. They drive around certain cities (see below) with a GPS device and 2 digital cameras, then plot the corresponding images against the street address, thereby allowing you to see your destination before arriving. Great tool for researching locations, coffee shops, restaurants, clubs, etc.

Here is the LINK

The most powerful technology A9.com invented for Yellow Pages is "Block View," which brings the Yellow Pages to life by showing a street view of millions of businesses and their surroundings.

Using trucks equipped with digital cameras, global positioning system (GPS) receivers, and proprietary software and hardware, A9.com drove tens of thousands of miles capturing images and matching them with businesses and the way they look from the street.

The whole process (except for the driving!) is completely automatic, making it fast and efficient. Block View allows users to see storefronts and virtually walk up and down the streets of currently more than 10 U.S. cities using over 26 million photographs. We are driving and at some point hope to cover the whole country.

Current List of Cities Having Block View Images

The current list of cities and their surrounding areas include:

  • Washington DC
  • Phoenix
  • Miami
  • Houston
  • Fargo
  • Atlanta
  • Boston
  • Dallas
  • Chicago
  • New York City (Manhattan)
  • Denver
  • Los Angeles
  • Seattle
  • Portland, Oregon
  • San Francisco and the Bay Area

Coverage of Manhattan – partial map (driving over the bridges was not exactly intentional). Here's one of our trucks covering Manhattan.

Liberal Websites

Some Liberal Websites for your viewing pleasure:

Robertson's Quotes

Remember: People Actually Give Him Money


Jesus may love you, but I'm going to get some pipe-hittin' Liberians to go to work on you with a pair of pliers and a blowtorch!

Time to rearrange the Pat Robertson atrocity board. In a just world where a Sky Fairy actually exists, he would be dressed in eight layers of filthy clothing in a public park and be muttering to squirrels about CIA broadcasts through his fillings and the invisible atheist gnomes that are stealing his day-old charity bread:

(1) "What we need is for somebody to place a small nuke at Foggy Bottom [headquarters of the State Department]"

(2) On gay days at Disneyworld: "I would warn Orlando that you're right in the way of some serious hurricanes, and I don't think I'd be waving those flags in God's face if I were you, This is not a message of hate -- this is a message of redemption. But a condition like this will bring about the destruction of your nation. It'll bring about terrorist bombs; it'll bring earthquakes, tornadoes, and possibly a meteor."

(3) "Just like what Nazi Germany did to the Jews, so liberal America is now doing to the evangelical Christians. It's no different. It is the same thing. It is happening all over again. It is the Democratic Congress, the liberal-based media and the homosexuals who want to destroy the Christians. Wholesale abuse and discrimination and the worst bigotry directed toward any group in America today. More terrible than anything suffered by any minority in history."

(4) "You know, I don't know about this doctrine of assassination, but if he thinks we're trying to assassinate him, I think that we really ought to go ahead and do it. It's a whole lot cheaper than starting a war." (bonus church sign here.)

(5) "[Planned Parenthood] is teaching kids to fornicate, teaching people to have adultery, every kind of bestiality, homosexuality, lesbianism -- everything that the Bible condemns."

(6) Feminism is a "socialist, anti-family political movement that encourages women to leave their husbands, kill their children, practice witchcraft, destroy capitalism and become lesbians."

(7) "Religious broadcaster Pat Robertson accused President Bush of 'undermining a Christian, Baptist president to bring in Muslim rebels' by asking Liberian President Charles Taylor, recently indicted for war crimes, to step down."

(8) "One justice is 83 years old, another has cancer and another has a heart condition. Would it not be possible for God to put it in the minds of these three judges that the time has come to retire?"

(8a) "Well they can interpret it any way they want to. I'm talking to God, and it's up to Him to make a decision and if some of these folks don't like what I'm praying for and want to pray the other way -- have at it! Let the Lord decide."

(9) Robertson purchased rights from Mobutu to dredge for diamonds in a remote portion of the Zaire river near Tshikapa. Diamond mining is an expensive proposition... In a cost-cutting move, Pat ferried his cargo aboard planes owned by Operation Blessing, a tax-exempt charity of Robertson's working to deliver medical supplies.

(10) "You say you're supposed to be nice to the Episcopalians and the Presbyterians and the Methodists and this, that, and the other thing. Nonsense. I don't have to be nice to the spirit of the Antichrist. I can love the people who hold false opinions but I don't have to be nice to them."

And, just narrowly being nudged out of the top 10, because it's rather implied by the other atrocities, is "[Separation of church and state] was never in the Constitution. However much the liberals laugh at me for saying it, they know good and well it was never in the Constitution! Such language only appeared in the constitution of the communist Soviet Union." Plus he farts a lot and blames it on Satan's dog.

Successful Web 2.0 Company

10 Steps to a Hugely Successful Web 2.0 Company

Do you want to make money in your own home?

Forget real estate scams, tupperware, or becoming a spammer.

Create your own Web 2.0 company NOW!!

It's easy. Just follow these 10 simple steps and you, too, can be seen in fine dining establishments like Jamba Juice and speaking on panels for conferences like Distribucate 2.0, Fred, Bloggerstock and Elfdex.

1. Solve the smallest possible problem (that is still big enough to matter) for the user and know exactly what problem you're trying to solve. Google's first and primary job was very simple: Help people find stuff. They didn't start layering on everything else until much later. Brad calls this the "narrow point of the wedge." It's the easiest, simplest version of what you're trying to do... the smallest bite your users will ever have to chew--small enough to get hooked on very easily.

2. Get a responsive and chatty audience using the product. The del.icio.us community eats new features like piranhas. They pore over the service, discuss it, promote it, and complain when they don't like stuff. You couldn't have hired a better, more thorough, or more passionate group of alpha testers. Don't rush to get the service so easy that my dad can use it, because he's not going to really be helpful to you in the early days when you need really hardcore Beta testing.

3. Launch. Now. Tomorrow. Every day. Don't wait until it's perfect to put it out in the open. No more closed invite-only betas. Your idea of perfect may not jibe with your users' ideas of perfect. Put whatever you can out there and get people using it as soon as possible. Feed them daily with new features to keep them interested and coming back. No one likes waiting six years for new releases.

4. Distribute. Distribute. Distribute. Don't force your users to play on your site in a walled garden. Let them take the service and use it wherever they want. (See Flickr badges, Google Ads, Amazon affiliates, Indeed jobrolls, del.icio.us linkrolls, moblogging, RSS, e-mail alerts, etc., etc....) Instead of building it so they will come, go out and get them by placing little bits of your service everywhere on the web. Be where they are.

5. Don't hold users against their will. If they want to leave, let them pick up with all of the content they created while they were on your site and leave... for free. Charging $0.29 to get back each of the hi rez photos you uploaded to the site (See my upcoming Snapfish post) is thievery. You have to let the barn door open and focus on keeping your customers fed, so they want to come back, instead of coming back because they're stuck.

6. Be mindnumbingly simple. Extra clicks are deadly. People just won't do it. Indeed: One search, all jobs. Two boxes: What job and where. You can't get any easier than that and all it takes is for someone to put one search in for people to go, "Wait...what's this... links to Monster AND Careerbuilder??"

7. Get people hooked on free. Craigslist wouldn't have become Craigslist if it wasn't free for so much for so long. Even now, they're very profitable and they're only charging for just a few small pieces of their service in just a handful of their 120 markets. The world is changing. Service is cheaper to provide now than ever and users are expecting to get more for free than ever before. It's hard for a lot of big companies to accept that. I just had lunch recently with a couple of friends from a music publisher. They were signing some bands to "incubator" deals for just a couple of songs to test the market with them. I said, "And you're giving those songs away for free, right?" They nearly choked on their food. :) Well, why the heck wouldn't they? Give a few songs away for free, generate buzz, get lots more people to buy future albums. Seth Godin did that with his books, releasing e-books that generated buzz around hardcover sales. Free sells. Do you think the Facebook would be the Facebook if you had to pay for your smooches like you do on Match?

8. Don't waste any money on marketing. Word of mouth has never ever been easier or less expensive in the history of human communication. Things go viral in a hurry... when they're good. Ever see a Skype superbowl commercial? No, but they've had 146 million people download it. If you don't have the service and the quality to back it up, no amount of fancy marketing is going to help... and people are so quick to share cool stuff, because they want to be the person "in the know". When they're satisfied, they'll blog about it and e-mail everyone they know. And they'll tag it furiously on del.icio.us, too.

9. Don't overfund. Do you know how many times a day I see companies get funded on Private Equity Week and I'm like, "What the heck are they going to do with all that money??" Underfunding a company can be a problem, too, but thinking that more money makes you better is a fallacy. It probably makes you a bit sloppy and fuzzies your focus. When you raise $2 million, you're much more likely to have a clear sense of exactly where that money is going to go than if you raised $20 million.

10. No one sucks. I hate it when someone says that a whole service sucks. Now, I say it myself, I'll admit, but what that does is it teaches you to discount and generalize, and probably miss a lot of small opportunities that add up. Now, I think Ofoto sucks versus Flickr, but people still use it. Why? There's got to be something there. AOL sucks... or does it? They still have 20 million users, so it can't entirely suck. You should look at every competitor and take the best of what they do right and do it yourself, even if that's only one thing and the rest of their service sucks.