This is really interesting, Amazon.com are now selling downloadable MP3s without any DRM protection. Plain vanilla MP3s that can be played in any MP3 capable player.

You don’t want to hear me rant on about DRM protection schemes, but they simply suck. All of them, for a number of reasons.

Awhile ago, iTunes Store started to sell DRM free music, but to a higher price than the protected downloads. That sucked, too, but I’ve been wondering which company would be able to compete with Apple and I had a hunch that it would be Amazon. Now they are launching the new site, already populated with 2 million songs. That’s not even close to the amount of songs iTunes offers, but it’s a good start.

Amazon is big enough to negotiate with the big labels, but they also have all the logistics in place to handle the smaller ones. After all, Amazon is already selling everything from baby shoes to gazebos from small manufacturers.

Being an Amazon affiliate, I’m quite excited about this. Even though MP3s are low ticket products, there should be enough room to earn affiliate commissions from this.

<shameless plug> Yes, my product AmazonHunter 2 does of course support the MP3 store… </shameless plug>

Link: Amazon MP3 store

Have you heard of Web 2.0? Of course you have. Do you know what it is? Sure you do. Well, your definition may differ from other peoples. The term Web 2.0 is redefined all the time and usually it’s just a marketing buzzword. ”I’m working with Web 2.0” could even be used as a pickup line, at least if you’re trying to lure an investor.

From a more technical point of view, most sites claiming to be Web 2.0 are using a technology called AJAX. This makes it possible to build applications that runs in your web browser with (almost) the same look-and-feel as a ”real” application running on your computer. AJAX allows the web page to be more interactive and responsive.

So what is so scary about this?

AJAX wasn’t exactly designed with security in mind. Some of the developers using AJAX today doesn’t even understand it, they are just building their application on top of any of several AJAX frameworks that are available. The problem is that there is a great chance that their final application will be open to something called Cross Site Scripting or XSS.

Cross site scripting means that a web page you are visiting can have embedded code that makes a call to another web page.

Here’s an example.

If you’re using Gmail, you probably have a Gmail browser window open all day long. At some point, you visit a web site with malicious code embedded into the page. The page may be making a call to Gmail in the background and there will be nothing visible for you to notice.

The code could for example send out an email from your Gmail account, or it could copy the contents of your address book.

I’m only using Gmail as an example here, I don’t believe Gmail is more vulnerable than any other site built with AJAX. It could happen on any of the popular Web 2.0 sites, Myspace, Facebook, LinkedIn, Hotmail and Yahoo to mention just a few. The evil web page you are looking at could be changing your Facebook profile or send messages to your friends network and you wouldn’t know about it before your friends starts asking you strange questions.

However, web based email is more vulnerable for one reason. The data you store in your email account may be of great value to the attacker. You probably received lots of emails that contains your secret password to web sites you are using. When the attacker gains access to your email, he also gains access to all those sites.

What can you do about it?

If you’re a developer, learn about XSS and what you should do to build code that is as secure as possible. Don’t fall into the trap of thinking “but my site doesn’t contain any information that has a value”. If there are users on your site that contribute content, that decision should be made by the user, not by you. You should do everything you can to protect the data your user provides.

If you are a user, be aware of this problem. Don’t become paranoid, but think twice before storing any sensitive data on a web-based service. Don’t use old web browsers because they are usually more vulnerable. Make sure you have anti-virus software that is updated.

People have been telling me that I should start a personal blog. Usually, my reply is “nah, I did that in 1996″. It’s true, I did publish some random thoughts on my web site in 1996, published with a simple “content management system” that kept track of my posts, but of course, it wasn’t called blogging at the time.

But, here I am now. There may be some tech stuff, some bits on internet marketing and even something slightly political sometimes.