Funny Pictures

So here are some of the generic statements (aka “facts”) that I see daily:

• Cloud is not secure
• Application  XYZ failed therefore the cloud is a failure
• You are crazy if you put mission critical applications in the cloud

I could go on and on but you get the point.  So let’s discuss these “facts” one at a time.

Cloud is not secure

This one drives me nuts!  I heard a well respected industry analyst at a well respected conference declare “I just don’t understand how you can put customer data in the cloud.  When you buy Amazon, you don’t buy security”.  I raised my hand and asked, “When you buy a rack of servers from IBM, are you buying security?”.  The point is, you don’t buy security, you architect for it.  Whether you are using a SaaS, IaaS, or PaaS provider, you must understand what security features are addressed, what isn’t, and what the risks are.  Then you must design to mitigate those risks.  It is not different than what you should be doing on-premise.  Understand your requirements, and build (or buy) the appropriate solution.  So to sum it up, the cloud by itself is often not secure enough.  You may outsource your infrastructure but don’t outsource your brain.  There are still things you must do to secure your systems and services in the cloud.

Application XYZ failed therefore the cloud is a failure

Whether it is GMail, Tmobile losing Sidekick data, Ma.gnolia database crashes, or Coghead going out of business, any failure of an off-premise solution seems to feed the myth cloud computing is too risky.  However, we continue to fail miserably each day with our on-premise solutions but we can keep it from the press because it is behind our firewall!  In each one of the above mentioned failures, the issue lies with operational issues on the side of the provider and not issues with the cloud infrastructure itself.  I would argue that GMail, which is free, is at least as reliable than most corporate Microsoft Exchange implementations (at least for the companies that I have worked for in the past).  Also, if you are using SaaS solutions, you should have a mitigation strategy in place for lost data.  Outsource the business processes but not your brain!  You still need business continuity, disaster recovery, record retention policies, etc.  And when did on-premise become so perfect? How many companies do you know keep the lights on by having employees run around with duck tape and bailing wire plugging up the holes in the bottom of the boat.  Let’s face it, most failures are due to issues in architecture, design flaws, missed requirements, human error, weak controls, or poor implementations.

You are crazy if you put mission critical applications in the cloud

This one really drives me nuts.  The problem here is semantics and we really should be careful what we say.  It is one thing to say mission critical apps don’t belong in the public cloud and another to say it doesn’t belong in any cloud (which is how it often gets interpreted).  But even the term mission critical means different things to different businesses.  Even though you and I might not see Twitter as a mission critical application to our business, it is for others.  Some companies exist solely because they leverage Twitter’s APIs to deliver their products and services.  Now we all know Twitter’s track record of reliability.  But their performance and up-time was failing miserably before they moved to the cloud.  It improved once they migrated to Amazon.  Twitter’s problem is a flawed architecture, it is not a cloud computing issue.  I have written in the past about our secure hybrid cloud solution for processing micro-payments.  As a startup, I would argue that I would be crazy not to build this in the cloud.  In an era where it is difficult to raise money, my costs would increase ten-fold had I opted for an on-premise solution.  I would have to build or lease at least two data-centers and staff them accordingly.  Instead I can use a combination of cloud vendors coupled with a sound architecture to secure these transactions and meet all regulatory requirements.  If I already had an existing data-center, I would not have been forced to look beyond the opinions of others and try to solve the security and compliance requirements that my business required.  I just think that many people’s opinions about the cloud are focused primarily on their specific business models or domains.  So what may be true for their world does not necessarily apply across the board. We tend to generalize too much.

Summary

There are many opinions out there about cloud computing and there are many smart people offering them.  Unfortunately, many of these these smart people have not rolled up their sleeves and tried to solve real business problems in the cloud (nor do they need to).  In my case, as a matter of survival, we had to find out for ourself.  By no means, do I consider myself an expert in cloud computing.  But I do believe that spending a year actually working on delivering enterprise solutions in the cloud from scratch does entitle me to challenge the opinions that are deemed facts.  At the end of the day, it all comes down to knowing your business and technical requirements and applying sound architectural practices to provide a secure and compliant solution, whether it is in the cloud, on-premise, or both.

Comments

It’s an unexpected update, given that version 2.8.1 was released less than two weeks ago. But good to see that the community involved in WordPress development is on the case and with a quick fix.

The announcement post says this about the issue:

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.  Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.

I’m updating and I recommend you do, too, if you run WordPress.

Comments

Dave’s Answer:

The way that Mac OS X and its underlying Unix foundation are designed, it’s relatively easy to set up account and computer names and related on first run, but can be quite complicated to change them once you’ve gotten apps installed, documents created and otherwise have used the machine for a while.

In fact, I recently changed the admin account on a MacBook, including the home directory, and it took almost half an hour of careful steps, most done from the Terminal at the command line, before I was convinced it was done correctly and wouldn’t blow up on the new owner of the system when they tried to restart or log in. (if you’re trying to do that, you might well find that the Apple support docs are insufficient for 10.5 and above too)

Changing the name of your used iMac on the network shouldn’t be quite so difficult because there’s a place in the System Preferences to do just that, but what is a bit tricky is that you have to change the name twice for it to work.

First off, go to Apple –> System Preferences…. You’ll see this:

What you seek here is “Sharing”, almost exactly dead-center in the window.

Click on it and you’ll jump into the sharing configuration window:

As you can see, I already have a name collision on my network, which is why this computer is identifying itself as “Dave’s MacBook Pro (2)”: the “(2)” is added by Mac OS X when it finds another computer on the network with the same name. Not so good, but let’s fix things in order. First, click on the “Edit…” button:

Change the computer name here to what you want to have as your computer’s identity on the local network, and click “OK”.

Now, while you’re at the main Sharing window, change the name here too:

If you close this window and restart the computer, you should find that your iMac now identifies itself with the new name you’ve specified.

Good luck with your new Apple iMac!

Comments

This content is broken up into tiny parts and stored across distributed networks of computers, until someone makes a viewing request at which point Bittorrent or another P2P technology will draw the pieces together and put them back in the right order, ready to watch as a film or TV show.  The problem, of course, is that this distribution method is not sanctioned by the people who make and own the content, most of which appears without any advertising.  That’s the advertising that pays the wages of the people who make the films and TV shows in the first place.  In the Pirate Bay case these good folk were represented by the IFPI (aka Hollywood).

So why does the world’s entertainment industry persist with legal recourse, instead of listening to the ‘demand signals’ being sent to them through P2P?  The main reason is that P2P file-sharers have been seen as people who steal valuable IP. They must, therefore, be treated as thieves.  But that’s misreading the signals.  The real driving force behind the growth of P2P is that it’s convenient and gives people what they want, when they want it.  What if you don’t want to wait a week to see the next episode of 24?  Or maybe a friend abroad has told you about a great new movie and you want to see it now so you can discuss it?

And, vitally, P2P is also a way for regular folk to distribute their own content and pursue the rock star dream.  Furthermore, with one third of all broadband users worldwide admitting they use P2P there’s a massive network effect in place.  One that the entertainment industry will probably never be able to reverse.  However, the truth is that all of these signals are just too terrifying for people in the industry to listen to.

As Mark notes about the latest Digital Britian bashola, many executives in the entertainment industry and beyond, ‘are paid to keep the current model going and just don’t want to see the digital technology as anything but a means to turbo-charge the current model. It’s just too scary to contemplate anything else.’  And this is why Pirate Bay is just one part of the massive bout of creative destruction occuring in our time.  After all, there are plenty of others perfectly happy to listen to the market signals if the uncumbents are too scared.  And despite this court case, Pirate Bay and others like it just keep on rolling, allowing people to create personal media platforms and services of their own design.  As Doc Searls says, ‘in networked economies the demand side supplies itself’.

Comments

P2P, Bittorrent in particular have legitimate uses, and I use Bittorrent for a great many things on the internet. I also use Bittorrent when a client has asked me to do Intellectual Property operations, find out what is out there, where it is, who has it, and how popular is it. Companies like Big Campaign and others use Bittorrent data to work out how popular titles, tracks, and movies are. Blizzard uses P2P like protocols to distribute game updates; there are a lot of very good uses for P2P protocols, and the systems that ride on top of them. Many of them are legitimate, and the open source community and the public domain community’s use P2P to distribute massive files worldwide.

That does not mean that illegally downloading a movie is always a smart move. It is far too easy to track and trace what is happening on Bittorrent. But we do need to ask what is being downloaded when our friends and family start saying that they are downloading movies off the internet. The video below should be shown more often.

What is interesting is the ethical dilemma that security engineers find themselves in when it comes to P2P. Security engineers are held to a high standard in how we deal with ethics, the ISC2 security engineer code of ethics sets some of those ethical baselines when we use them, but then not every security engineer is a CISSP. When people we know and care for are engaging in activities like downloading a movie, we find ourselves holding them to our Security Engineer standards, and putting themselves at risk of huge fines. We should say something, but what to say is often a complex if not confusing jumble of thoughts in our heads.

The issue of downloading material is not cut and dried, the whole world of intellectual property is complex made even more complex by the internet. I’m not going to say there is a moral, ethical, and legal absolute on this question. However, making rationalizations is the wrong way to come to a solution. Source: Voltage Security

We rationalize many of the things we do, and as Steve Burnett found out, it is very hard to listen to your friends when they are admitting that they downloaded a movie. What is not apparent though in the article is was it a public domain movie; a Creative Commons released movie, a fan flick, or something else. We immediately jump to the conclusion that it was a first run movie, one that is protected by copyright. Bittorrent and P2P have been so stigmatized at this point, that we automatically jump to the conclusion that someone is doing something illegal with it, when there are a lot of legitimate uses for the protocol and the software that we use to access it.

What I primarily use Bittorrent for is research; it is fascinating to watch the dance of protocols, data, and to see some of the more buried data in the system. Just hook up a network monitor to your computer when Bittorrent is working and you can watch a complex interplay of data, protocols, signaling data, search data, and update data. It is also invaluable in working out how some of the more interesting ways that Bittorrent can be made to work, obfuscate the data sets and points. In intellectual property research and interdiction, that interplay is vital to make sure you are getting it right, and handing over the right IP addresses that are downloading the file. You want to make sure you don’t end up in a honey pot somewhere or downloading from someone else hired by the same company to do the same thing.

When I talk about these things though, the assumption is that I am automatically doing something illegal, that I am downloading the latest movie, music, or software that has been broken into somehow. We need to move away from the stigma, and start working on the idea that there are a million legitimate uses for a technology, and not all uses for a technology automatically equate to doing something illegal.

The unfortunate part is that Bittorrent has its legal and illegal uses, and every time we fire up the software, we make a choice on what we are going to use it for today. Security engineers have a legitimate reason to use the software too, some hacker tools are only available via Bittorrent, research, protocol analysis, and IP operations all rely on the software and the protocols. If you hear someone saying that they are downloading something, ask them what they are downloading, then choose your answer to that question from there.

Comments