The company, Boundary, explains that their product is different because the more traditional solutions measure statistics on the individual hosts. This is useful but Boundary says it’s not enough for Big Data applications. “Whereas traditional applications will often fail with a single root cause, Big Data applications will typically suffer degradation, rather than up/down failures and will more often fail in a distributed manner resulting from a series of seemingly unrelated issues.” They accomplish this by examining the header of every single packet and sending the gathered information to Boundary once a second. Users can then view the data in a web browser, again, updating every second. Boundary can also be tied in with data from third party vendors to customize the information the client sees.

It has been 6 weeks since Boundary has gone live with it’s service and, at this point, they have 21 paying customers who seem to be singing the service’s praises. DNSimple CEO Anthony Eden explains that the service allowed him to monitor his server traffic far more closely than previously possible. So close that he was able to spot odd patterns of what he refers to a crafted traffic coming from China. Now that he’s aware, he’s able to monitor the new traffic. Another customer says the service offers data five minutes faster than his previous provider, an amount of time that is, to him, no paltry matter when five minutes is more than enough time for an issue to balloon from anomaly to absolute failure.

There are still some unanswered questions, however. With it’s current 21 customers Boundary is processing 17 Billion records per day, 200k per second, according to Gary Read Boundary’s CEO on the Boundary Blog, and an astounding 1Tb of data in one day. While that’s impressive, Higginbotham also points out the obvious concern: how scalable is the service? “Boundary starts culling data at the one-day and one-year mark, so at 1 month you might have minute-by-minute data and after a year you only have hourly data.” While Read mentions that customers can pay for additional storage, the longevity of the service remains to be seen.

According to ComputerWorld, the privacy-breaching tool can uncover the IP address of a Skype user by simply looking at the user’s general information and log files. Skype, which was acquired by Microsoft last year, assured the user community that they were on the case and said in a statement:

We are investigating reports of a new tool that allegedly captures a Skype user’s last known IP address. This is an ongoing, industry-wide issue faced by all peer-to-peer software companies. We are committed to the safety and security of our customers and we are takings measures to help protect them.

While knowing a last known IP address won’t reveal the Skyper’s name or physical address, it’s still a privacy concern nonetheless. As ghacks points out, the IP address can be used to pinpoint the general location (such as the city) of the Skype user, which could be concerning for the paranoid and can-never-be-too-carefuls.

Given that Skype’s seen a swell of users this year, it’s not likely that the exploit will remain unattended to for too long. Having recently crossed the milestone of 40 million concurrent users, Skype doesn’t want to see that number take a dip. They may already have a solution in the works for this exploit given that a research paper was published last October in which details of how to secretly determine a user’s IP address were explained.

Comments

Quantum cryptography is, in principle, a foolproof way to prevent hacking. It ensures that any attempt by an eavesdropper to read encoded communication data will lead to disturbances that can be detected by the legitimate users. Therefore, quantum cryptography allows the transmission of an unconditionally secure encryption key between two users, “Alice” and “Bob,” in the presence of a potential hacker, “Eve.” The encryption key is communicated using light signals and is received using photon detectors. The challenge is that Eve can intercept and manipulate these signals.

“Photon detectors have turned out to be an Achilles’ heel for quantum key distribution (QKD), inadvertently opening the door to subtle side-channel attacks, most famously quantum hacking,” wrote Dr. Charles Bennett, a research fellow at IBM and the co-inventor of quantum cryptography.

When quantum hacking occurs, light signals subvert the photon detectors, causing them to only see the photons that Eve wants Bob to see. Indeed, earlier research results by Professor Lo and independent work by Dr. Vadim Makarov of the Norwegian University of Science and Technology have shown how a clever quantum hacker can hack commercial QKD systems.

Now, Professor Lo and his team have come up with a simple solution to the untrusted device problem. Their method is called “Measurement Device Independent QKD.” While Eve may operate the photon detectors and broadcast measurement results, Bob and Alice no longer have to trust those measurement results. Instead, Bob and Alice can simply verify Eve’s honesty by measuring and comparing their own data. The aim is to detect subtle changes that occur when quantum data is manipulated by a third party.

Specifically, in Measurement Device Independent QKD, the two users send their signals to an untrusted relay – “Charlie” – who might possibly be controlled by Eve. Charlie performs a joint measurement on the signals, providing another point of comparison.

“A surprising feature is that Charlie’s detectors can be arbitrarily flawed without compromising security,” says Professor Lo. “This is because, provided that Alice and Bob’s signal preparation processes are correct, they can verify whether Charlie or Eve is trustworthy through the correlations in their own data following any interaction with Charlie/Eve.”

A proof-of-concept measurement has already been performed. Professor Lo and his team are now developing a prototype measurement device independent QKD system, which they expect will be ready within five years.

As a result of implementing this new method, quantum cryptography’s Achilles’ heel in the fight against hackers has been resolved. Perhaps, a quantum jump in data security has now been achieved.

I recently came across a server that, over the years, has accumulated quite the iptables definition. A given ip was banned anytime it was identified as performing malicious activity. Sometimes whole ip blocks were banned. Although there was no documentation on a per-ip basis, the assumption is made that any ip or block banned was likely involved in a ddos, unmetered scrape of a website/database, or some other sort of Doofenshmirtz scheme. This particular iptables file ended up over 5,000 lines long. An analysis of the iptables definition conformed to the Pareto principle; a large majority of the problems arose from a small percentage of origin countries. The executive decision was made to block entire countries from accessing the server and its services. Before we delve into whether or not this is good policy, let’s first examine how we attempted to go about this.

First, we utilized a database like countryipblocks.net to gather ip blocks associated with a given country. Then, we ran the these ip blocks through a little Perl magic to format our iptables definitions. Finally, a cross check against the existing iptables definition was performed to make sure any ips not covered in the final group of ip blocks were added back into the list. Our bans are lifetime, baby.

Before launching this ethnocentric network policy, various benchmarks were set and obtained. Geo data from our analytics software, like Google Analytics or Piwik, played a large part in both decisions as to what to exclude from the 20% of problem countries and what benchmarks should be set to monitor. Monitoring these benchmarks is an ongoing process, as variations could force an immediate need to unban a given country.

The internet purist in me cringes at the thought of blocking such a large volume of ips. Even the permanent ban policy mentioned above makes me queasy. However, from a business perspective, this policy makes sense if a target market is not in a given country, and the only noticeable interaction from said country is malicious. This is where the balance between the freedom and openness of the Internet meets the security and profit margin of the businesses that power a large part of the web.

Comments

Have you made the switch to NGINX? Let us know in the comments.

Many http servers utilize virtual hosting. Through virtual hosting, you can host various web properties from separate domains on one single http server utilizing, if you so desire, only one single IP address. In Apache, a virtual host looks something like this:

<VirtualHost *:80>
  ServerAdmin mmarr@ientry.com
  ServerName webpronews.com
  ServerAlias  www.webpronews.com
  DirectoryIndex index.php
  DocumentRoot /path/to/document/root/html

  <Directory /path/to/document/root/html>
    AllowOverride All
  </Directory>

  ErrorLog /var/log/httpd/webpronews_error_log
  CustomLog /var/log/httpd/webpronews_referer_log
</VirtualHost>

This VirtualHost directive tells Apache that any request coming in for the domain webpronews.com or www.webpronews.com gets passed along to the DocumentRoot of our website, in this case “/path/to/document/root/html”. Thus, www.webpronews.com/some-file.html gets sent over to /path/to/document/root/html/some-file.html and serves that file, if available. This vhost directive also tells us to allow .htaccess files to override the Apache settings on a per directory basis. Finally, we specify our log locations for all the errors and requests for this virutal host. Although not perfect for all implementations, this is a very standard and sufficient Apache virtual host configuration.

All the same above can be accomplished in NGINX, except for, unfortunately, the .htaccess support. NGINX doesn’t support .htaccess files, so any url rewrites in NGINX will have to be included in this same nginx virtual host directive. Here’s the same configuration for NGINX:

server {
   listen 80;
   server_name: webpronews.com www.webpronews.com;

   location / {
      root /path/to/document/root/html;
      index index.php;
   }

   access_log /var/log/nginx/webpronews_access_log main;
   error_log /var/log/nginx/webpronews_error_log error;
}

Personally, I find this NGINX configuration example considerably cleaner. However, since there is no PHP module for NGINX, you’ll have to add somewhere in the server block to pass all your PHP files through a proxy. NGINX provides a few examples of how to do this in the default nginx.conf file. After adding the PHP handling and any rewrites, the NGINX virtual host configuration can get pretty messy.

I’ve been in the process of migrating literally thousands of Apache virtual host configurations to NGINX, and it ain’t easy. I won’t complain if NGINX makes a tool to efficiently migrate an Apache virtual host configuration file plus any .htaccess files in the root directory of the virtual host to a single NGINX virtual host directive. Until then, I’ll simply have to continue manually migrating these configurations over in order to enjoy the benefits of NGINX.

Comments

Pretty urls (http://somedomain.com/nice-article-title versus http://somedomain.com/?p=12345) have become the norm on the web. These little beauties leverage rewrite engines, and it’s very likely you’re familiar with mod_rewrite if you’ve been using Apache. Rewriting is something you won’t have to sacrifice when making the move to nginx, as it has a full functioning rewrite engine. The transition from mod_rewrite to nginx’s rewrite engine is relatively easy. If you’re familiar with Perl’s implementation of regular expressions, then the switch should be even easier, as nginx url rewriting has some Perl flavor to it.

mod_rewrite basic redirect

RewriteRule http://somedomain.com/old-busted-article http://somedomain.com/new-better-article [L,R=301]

nginx basic redirect

rewrite http://somedomain.com/old-busted-article http://somedomain.com/new-better-article permanent;

mod_rewrite WordPress redirect

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

nginx WordPress redirect

if (!-e $request_filename)
{
   rewrite ^(.+)$ /index.php last;
}

Like Apache, nginx’s rewrite engine can leverage various system variables to make powerful and precise redirects.

When encountering a mess like this, always remember your towel to keep your cool. Your goal in cleaning up a mess like this should be to (1) minimize downtime, and (2) clean up the mess to make future maintenance easier. The emphasis here is definitely on (1), as (2) is really just a sub-point to your overall network goals of keeping all services up with minimal disruptions. So, despite the urge to completely unplug and rip everything out, take a deep breathe and tackle things in a methodical calm manner. Eventually, you’ll end up with much more manageable racks.

How do you reduce downtime to get from point A to point B? One server at a time. Here’s a short checklist of things to do before powering down a server:

• Check scheduled tasks/cronjobs and make sure none are running when shutdown commences. Run any missed vital tasks manually upon restart.
• Work with end-users to make sure downtime occurs at most convenient time (taking into consideration other items in this list).
• Have a space, if possible, ready for after the server is shutdown. If you’re moving it, that means install rails (if available) or, at least, the space clear where you’ll want to install it. If simply keeping it in place, but needing to shut it down to switch power or untangle cables, have everything ready to perform that task.
• Work in pairs. Keep one person on each side of the rack to efficiently remove and install server.
• Breathe.

Hopefully, you and/or your predecessors have done the job right the first time and you’ll never have to encounter such a mess. If you are unfortunate enough to find yourself doing such a job, you have my deepest sympathy. Good luck.

I’m sure all of you already know (or should already know) that Wi-fi speeds are measured in Gigabits per second, but currently most Wi-fi implementations are running at 150mbps or less. Apparently, next-gen Wi-fi will come in two different frequencies, 5GHz (802.11ac) and 60Ghz (802.11ad), which will push out data at 1.3Gbps and 7Gbps, respectively. IEEE has moved away from using the 2.4GHz frequency, as it has become ridiculously crowded with a vast array of wireless devices. Anybody can see what a ridiculous jump in performance that is, and what a difference this is going to make for Wi-fi users (more or less everybody in the developed world).

I feel that I should go ahead and note that neither of these standards is fully developed yet, and will probably not be certified for about another year. There are companies that are already starting to premier their new pieces of hardware that implement the new standards, and some will be out before the certification.

Even if the new stuff isn’t working perfectly at that point, don’t worry too much as everything is backwards compatible. For example, even if you have an old card and there is only a 802.11ac access point in your vicinity, you can use it, just without the benefits of the new technology. Honestly, I love the idea of not having to wait forever for my movies on Netflix to load up, as I would like to get on with my life.

If you’re not getting better, you’re getting worse.

My high school football coach used to consistently remind us that by failing to improve, we were actually getting worse. In the land of competition, there is no treading water. As soon as you think you no longer need to improve, your competition catches up, or worse, passes you up. Apparently, Amazon is well aware of this. As the leader in cloud services, they have chosen to continue to expand and improve upon their services, and have finished up 2011 strongly. In case you missed it, here’s some of the highlights for 2011.

Elastic Beanstalk

Elastic Beanstalk was introduced in January this year as a way for developers to quickly and easily launch and manage cloud based solutions. Although this feature currently only supports Java on Apache Tomcat, it “is designed so that it can be extended to support multiple development stacks and programming languages in the future.” Various improvements where made throughout the year, however, additional language support was not one of them. It will be interesting to see in 2012 what additional languages become part of the Beanstalk platform.

Simple Email Service

Amazon’s Simple Email Service (SES) is a bulk mailer platform. Also launched in January, SES takes the headaches out of complying with all the various ISP mail handling policies for those needing to send bulk mail. With the recent addition of SMTP support, SES can easily be utilized by simply configuring your application to use a SMTP server instead of a custom Amazon AWS SDK call.

New Locations

Amazon has added the following edge locations (utilized in Route 53 and CloudFront) in 2011:

• Paris, France
• Stockholm, Sweden
• South Bend, Indiana
• San Jose, California
• New York, New York (second location)

Amazon has added the following regions (everything, including EC2) in 2011:

• Toyko (two zones)
• Oregon
• Sao Paulo, Brazil

Pricing!

Amazon continued to drop prices this year. On July 1, they completely removed costs for transferring data in, as well as added additional pricing tiers for > 1 PB. CloudFront prices were also dropped across the board on this date. AWS Direct Connect was also introduced in August to help assist with data transfer pricing. This service simply establishes a relationship between your office and/or datacenter with Amazon Web Services, and thus gives you a discounted price for transfers between those locations. EC2 Reserved Instances also saw price optimization, as you could define your usage on your reserved instance to gain further savings.

ElastiCache

Amazon’s own caching engine was announced in August. ElastiCache is basically a MemCache clone running on EC2 instances at a reduced cost. As ElastiCache continues to see use, Amazon will likely improve the service to be more efficient and hopefully cheaper. Amazon built this service with MemCache users in mind, as existing MemCache libraries typically play nice with ElastiCache without the need for additional configuration.

Check out the complete list of announcements in 2011.

The Data Center Network solution was developed by the two companies to allow users an easy way to store and move data across networks. According the Alcetec-Lucent website, it “targets the network interconnecting data centers and also optimizes all infrastructure resources, to improve functionality, performance and scalability.” Supposedly, this new solution increases the flexibility of an organization’s infrastructure and lowers costs dramatically when compared to traditional methods. He is a list of benefits from the site:

• Increased network performance with faster, more reliable throughput
• Improved time-to-market through an integrated end-to-end hardware, software and services solution
• Increased uptime by protecting against data loss
• Enhanced flexibility and agility with an open-standard based design
• Reduced total-cost-of-ownership

The other product, CloudSystem, is not brand new like the Data Center Network solution, but it is now being integrated with technology from Alcatel-Lucent. According to HP, the update will

“enable communications services providers to deliver high-value cloud services using carrier-class network and IT. The combination of IT infrastructure, software and telecommunications-grade network lets communications services providers automate the provisioning and management of cloud resources through a highly reliable network.”

It is clear that the announcements of these two products being so close to each other is no coincedence, as they very clearly are meant to interact with each other. For more information on the collaboration between to two companies, go the the site for the HP and Alcatel-Lucent Strategic Alliance and learn more. Be sure to stay updated for future updates, as this collaboration could offer some very interesting possibilities.