Planet SysAdmin

TechRepublic IT Security: Are microkernels the future of secure OS design?

Mon, 06 Sep 2010 12:00:32 +0000

MINIX 3, and microkernel OSs in general, might show us the way toward the future of secure OS design.

Andrew S. Tanenbaum created the MINIX operating system in the 1980s as an instructional tool. He wanted to provide an aid to helping people learn about the design of operating systems, and did so by creating an incredibly simple — in some respects, too simple for any serious use — Unix-like OS from scratch, so that his students could examine and modify the source code and even run it on the commodity hardware of the time. He and Al Woodhull co-authored a textbook that focused on the MINIX OS.

Since then, 1.5 and 2.0 versions of MINIX have been created as well, with the same goal: to serve as a study aid. By contrast, the current iteration of the MINIX project, known as MINIX 3, is being developed with the aim of providing a production-ready, general purpose Unix-like operating system. In Tanenbaum-Torvalds debate, Part II, Andrew Tanenbaum describes the relationship of MINIX 3 to its forebears:

MINIX 1 and MINIX 3 are related in the same way as Windows 3.1 and Windows XP are: same first name. Thus even if you used MINIX 1 when you were in college, try MINIX 3; you’ll be surprised. It is a minimal but functional UNIX system with X, bash, pdksh, zsh, cc, gcc, perl, python, awk, emacs, vi, pine, ssh, ftp, the GNU tools and over 400 other programs.

Among Tanenbaum’s key priorities in the development of MINIX 3 is the desire to improve operating system reliability to the level people have come to expect from televisions and automobiles:

It is about building highly reliable, self-healing, operating systems. I will consider the job finished when no manufacturer anywhere makes a PC with a reset button. TVs don’t have reset buttons. Stereos don’t have reset buttons. Cars don’t have reset buttons. They are full of software but don’t need them. Computers need reset buttons because their software crashes a lot.

He acknowledges the vast differences in the types of software required by these different products, but is optimistic that the shortcomings imposed by the necessarily greater complexity of software in a desktop computer can be mitigated to the point where end users will no longer have to deal with the crashing behavior of operating system software. As he puts it, “I want to build an operating system whose mean time to failure is much longer than the lifetime of the computer so the average user never experiences a crash.”

There are already OSs that meet that goal under extremely limited, tightly constrained circumstances, but he intends to provide the same stability and reliability under the harsh, changeable circumstances of general-purpose consumer computer use. It is an ambitious goal, but his approach is well thought out and shows great promise. Given that many of the stability issues we see in operating systems using monolithic kernels result from the fact that a crashing driver can crash the OS kernel itself, his intention to solve the problem by moving drivers out of kernel space may be on the right track.

In fact, if a driver fails to respond to what he calls a “reincarnation server”, which monitors the status of active drivers, the reincarnation server can silently swap out the hung or otherwise failing driver process for a fresh process that picks up where the original left off. In most — if not all — cases, the user may not even know anything has happened, where a monolithic kernel OS would likely crash immediately.

While his primary interest is in reliability, rather than security per se, there are obvious security benefits to his microkernel design for MINIX 3. Without going into too much technical detail, there are mechanisms in place that restrict a driver’s access to memory addresses, limiting it to its own assigned address space in a manner that in theory cannot be circumvented by the driver. Drivers all run in user space, keeping them out of kernel space, whereas kernels loaded as part of a monolithic kernel design can typically touch any memory addresses at all.

A number of countermeasures have been invented and employed in various OS designs over the years, but keeping drivers out of kernel space entirely certainly seems like the most effective and inviolate protection against driver misbehavior. As a result, this may all but eliminate the possibility of buffer overruns and similar problems in kernel space.

Further, mediated contact between drivers and other user space systems in MINIX 3 extends the strict privilege separation of Unix-like systems to protect other processes than the kernel process, as well. In short, whole classes of common system vulnerabilities may become extinct within the family of OSs that may develop in the wake of MINIX 3.

MINIX 3 itself is still in development, but it is currently a working OS with many of Tanenbaum’s intended reliability assurance features already implemented. You can download it from the MINIX 3 Website and boot it from a LiveCD though, as Tanenbaum states, you should install it to a partition on the hard drive of a computer if you want to do anything useful with it.

It will not replace MS Windows, MacOS X, Ubuntu Linux, or FreeBSD right now, but it may well be the future of general purpose OS design — especially secure general purpose OS design.

Adnans Sysadmin/Dev Blog: Links for 2010-09-05 [del.icio.us]

Mon, 06 Sep 2010 07:00:00 +0000

WineD3D builds for win32

MDLog:/sysadmin: MongoDB is Web Scale

Mon, 06 Sep 2010 06:27:27 +0000

NoSQL fun… 5 minutes Q&A session covering NoSQL and relational databases; very funny. Check it out:

Chris Siebenmann: An observation from changing my password

Mon, 06 Sep 2010 03:58:40 +0000

An observation from changing my password

I've changed my password at work, or started to change it at least (this will be an extended process). Doing this has reinforced some things that I know but rarely think about, and exposed a surprising inconvenience in how I do things.

The big thing is that you don't really remember how many machines you have accounts on until you try to work out how many different places you need to change your password. This is not really an issue for users (if us sysadmins are doing our job right, they change their password once and it magically propagates everywhere), but as a sysadmin I have access to all sorts of isolated machines that are not part of our password propagation system. Which means that I get to change my password on all of them, assuming that I can remember what they all are.

(In looking at this, I see that usermod on Linux machines actually has an option to just staple a new encrypted password into place. This reduces the problem to running a command as root on most of those machines, which is a mostly solved problem around here. In fact, I was already using 'run a command everywhere' to check /etc/shadow to see if I'd updated my password by looking at the last-changed field.)

The surprising inconvenience is that I have set up ssh identities to give me passwordless access to my account on most machines; in fact, a lot of my usual environment relies on it. This did not strike me as a problem until I changed my password and suddenly started wanting to type the new one as much as possible to reinforce it in my mind and my fingers. Suddenly all of that passwordless access was inconvenient as well as convenient, since it meant that I'm really not typing my password all that much. This has both surprised and amused me, because sometimes I am easily amused by the perversities of life.

(Turning my ssh identities off completely would likely make various parts of my environment explode in even less convenient ways, so I've resorted to modifying an ssh cover script I already had lying around to turn this off, and using the cover script periodically just to reinforce things. You might wonder why I have an ssh cover script lying around, one that I do not mind hacking up this way; the answer is that it's set up to ignore my known-hosts file, which is very convenient when you keep reinstalling virtual machines that you want to ssh in to.)

(One comment.)

HolisticInfoSec.org: Everybody Loves REMnux

noreply@blogger.com (Russ McRee) — Sun, 05 Sep 2010 19:52:00 +0000

A quick read of the SANS Forensics blog, courtesy of Gregory Pendergast, and you'll get a feel for all the positive feedback for Lenny Zeltser's REMnux.
Lenny has dedicated himself to furthering the malware reverse engineering cause, both as a teacher and analyst; his SANS courses are popular for good reason.

September's toolsmith covers REMnux and offers some detail specific to its use.

One area I often use REMnux for is malicious Flash analysis.
Evil Flash, distributed in particular via online advertising platforms, is a constant concern for online providers. Suffice it to say that my team has encountered such problem children more than once. ;-)
As an example, an older sample (MD5: 525445764564B34070CF2F9DCC6C2DAA) makes for a great test case. You can grab the sample for your own testing at OffensiveComputing.net.
Imagine you've grabbed the sample via wget from your REMnux VM, after proxy-based analysis of the malicious URL.
A simple check for interesting results might be the likes of
flasm 525445764564b34070cf2f9dcc6c2daa.swf, which would result in a .flm file named identically for SWF file analyzed. Figure 1 shows the concatenated results.

Figure 1

While flasm is convenient, the preferred method would be
swfdump -Ddu 525445764564b34070cf2f9dcc6c2daa.swf
The -D switch provides full (everything) output, the -d switch prints the hex output, and -u shows the Tag IDs.
Figure 2 offers the results.

Figure 2

Note that that the DEFINEBUTTON2 config for Tag ID 4 grabs an URL then issues the ActionScript FSCommand:exec to execute arquivo.scr (never a good thing).
Tag ID 4 was conveniently named "bot" by its creator; why bother hiding, right?

With a modicum of effort, maliciousness confirmed, you're ready to take action: report the malicious SWF to the provider, or remove it you are the provider.

You'll enjoy REMnux; it's an excellent collection of useful tools gathered in a simple but functional distro.

Cheers.

">
">
" title="Everybody Loves REMnux
">del.icio.us |
">
">
">digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

High Scalability: Hilarious Video: Relational Database vs NoSQL Fanbois

Sun, 05 Sep 2010 16:47:35 +0000

This is so funny I laughed until I cried! Definitely NSFW. OMG it's hilarious, but it's also not a bad overview of the issues. Especially loved: You read the latest post on HighScalability.com and think you are a f*cking Google and architect and parrot slogans like Web Scale and Sharding but you have no idea what the f*ck you are talking about. There are so many more gems like that.

Thanks to Alex Popescu for posting this on MongoDB is Web Scale. Whoever made this deserves a Webby.

TaoSecurity: One Page to Share with Your Management

noreply@blogger.com (Richard Bejtlich) — Sun, 05 Sep 2010 09:45:16 +0000

I thought this brief question-and-answer session, Richard Clarke: Preparing For A Future Cyberwar by Kim S. Nash extracted the essence of advanced persistent threat problems and how to address them. I'd like to publish the whole article, but instead I'll highlight my favorite sections:

Nash: How can the federal government protect companies?

Clarke: Do more. As a matter of law and policy, the federal government should actively counter industrial espionage.

Most U.S. government counterintelligence operations are focused on intelligence against the government, not companies, and most of those are focused on spies. It's a very 20th-century approach.

Until someone makes law or policy changes that say the U.S. Cyber Command can defend AT&T or Bank of America, it doesn't have the legal authority to do that. I think it should. The government also has to explain the threat to corporations.

Also:

Clarke: Until CEOs and boards of directors are faced with black-and-white evidence that they have lost a terabyte of information and that this has resulted in some other company beating them to market, until they have their noses rubbed in it, they're reluctant to do anything special...

Often, the CIO really needs board-level commitment and CEO commitment, not just of resources but to policies necessary for protection. Most of the time, all people want the CIO to do is keep the network up and costs down. As a result, many CIOs have been hired for their expertise in those areas, not for expertise in figuring out how to make a resilient network that resists attack.

Finally:

Clarke: It should be the federal government's responsibility to tell companies not only when they've been attacked but when others have been, such as their competitors, so they realize this sort of thing is going on...

[S]ometimes companies don't know they've been hacked. But frequently they realize after the fact. You don't know you've lost information until a knockoff of your product or some competing products start showing up in the marketplace.

I agree with all of these sentiments.

Incidentally I started read the library copy of Cyber War but decided I needed to take notes in the margins. So, I bought a copy from Amazon.com. I plan to finish it and review it by the end of the month.

A Year in the Life of a BSD Guru: Latest Version of BSD Certification DVD Available

Sun, 05 Sep 2010 09:33:53 +0000

The latest version of the BSD Certification Study DVD is now available. Besides being a handy study reference, the DVD is a useful tool as it contains the latest versions of the 4 BSDs plus their documentation. From the announcement:

Adnans Sysadmin/Dev Blog: Links for 2010-09-04 [del.icio.us]

Sun, 05 Sep 2010 07:00:00 +0000

Chris Siebenmann: A plan to deal with my feed reader problem

Sun, 05 Sep 2010 04:30:58 +0000

A plan to deal with my feed reader problem

I have a feed reader problem, one that has long ago reached epic levels: in practice, I'm not actually really reading feed entries. For years, Liferea has been telling me that I have thousands of unread entries and I have been ignoring them. I think it's time to declare feed reader bankruptcy (which is much like email bankruptcy) and deal honestly with the results.

(This will be a bit traumatic, because I'm somewhat obsessive about some things. It hurts to consciously and deliberately throw away unread entries.)

In thinking about this, I have realized that I have two sorts of feeds that I follow: casual reading feeds, that I keep around so that I have something to browse when I'm feeling bored and want to poke at their topic, and feeds that I am strongly interested in and want to read all or almost all of, even if it takes me a while. If I'm being honest about it, almost all of the feeds I currently have in Liferea are casual reading feeds (which is one reason I keep not reading them).

So here's my current plan for dealing with all of this:

A certain amount of the casual feeds are simply going to be discarded (a process that I've already started); I'll trust that anything worth reading that they produce will show up on the usual link sources that I browse (such as Hacker News). The rest of them will go into Google Reader, because Google Reader will quietly expire old unread entries for me. Throwing away old entries to keep the volume manageable is exactly the behavior I want for casual feeds.

(Google Reader is also better for casual browsing because I can use it from anywhere. Liferea is tied to a particular machine.)

My important feeds will stay in Liferea where I can exert more control over them, for example deciding exactly when they expire (or don't). I will probably also find some feeds that are more convenient to read in Liferea than in Google Reader. If I do this right I will have only a relatively small number of feeds in Liferea, and they will generally not have many unread entries.

I'm not sure that this will actually work, but I'll have to see how it goes. Something certainly needs to change; thousands of unread feed entries that just keep expiring off the bottom of feeds just don't work.

(They 'work' in one sense, but they create a kind of mental pressure that makes me avoid having much to do with them. Right now I avoid entire categories of feeds in Liferea because of all of the unread entries.)

PS: if I'm being honest with myself, I should probably throw away at least half of my casual feeds. Many of them were added because they looked sort of interesting, way back in my early days of feed reading enthusiasm when I felt that I had a lot more time for this. Rather than putting them in Google Reader only to ignore them, I should just save them in a file somewhere.

(This reminds me rather vividly of mailing lists, and if I go far enough back, Usenet. I went through much the same pattern with them that I am going through with feeds now, and if I got into something like Twitter I suspect that I would go through the same pattern with it too.)

Slaptijack: Tech Messages | 2010-09-04

Sun, 05 Sep 2010 01:00:56 +0000

A special extended edition of Tech Messages for 2010-09-03 through 2010-09-04:

A batch of WS-X6582-2PA may fail when booting under low temperature — Upgrade program available
Due to a delay in the early start up of the 1.2 voltage rails during the Power up sequence, a batch of WS-X6582-2PA cards in the 7600 platform have been shown to be prone to fail when booting under temperature below 15C. The failure condition may manifest when the card is powered up (booted) for the first time. Cards in working mode are not expected to exhibit this failure.
Introduction to Computer Science and Programming | MIT Video Course
Learn, learn, learn.
What are the essential tools you always have handy when attempting to fix someone's PC problem? – Super User
This is from superuser.com. Plenty of ideas on this page to help you out.

Everything Sysadmin: Ohio LinuxFest 2010 - Registration extended

Sat, 04 Sep 2010 16:19:59 +0000

Registration for the 2010 Ohio LinuxFest has been extended through September 8th, and the registration contest has also been extended until the 1,000th registration has been reached.

One lucky registrant will win an upgrade to the Supporter Pass, or a Professional Pass registration for Ohio LinuxFest 2011 worth $350, at the choice of the winner. Full details are available at http://ohiolinux.org/who-will-be-number-1000.html

Adnans Sysadmin/Dev Blog: Links for 2010-09-03 [del.icio.us]

Sat, 04 Sep 2010 07:00:00 +0000

Running Rails 3 on Windows | Accidental Technologist

Chris Siebenmann: The laziness of a programmer, illustrated

Sat, 04 Sep 2010 05:10:48 +0000

The laziness of a programmer, illustrated

At work, I have fallen into the bad habit of keeping a lot of iconified Firefox windows around, full of various things that I am going to read sometime (honest). As I've mentioned before, I have all of these iconified windows very carefully placed and organized so that I can find them again and keep track of them.

Naturally, this makes quitting and restarting Firefox kind of a pain. I have Firefox set to preserve all of the active windows and tabs over restarts, but it doesn't preserve the positions of the iconified windows (and it doesn't entirely preserve the regular window position either); any time I have to start Firefox again I have to re-position all of those icons. Generally this means that I don't; I never exit Firefox unless I'm forced to, because it's such a pain to get everything set up again.

(Which implies that I never log out, either; I just leave my screen locked.)

Recently I got tired of this (in the aftermath of my Fedora 13 upgrade, I've been restarting things more than usual). Thus I decided that clearly there had to be a way to fish around in the depths of X to find the current icon positions, so I could write a quick script that recorded them in a file and then shuffled the icons back into the right spots for me.

(This is less crazy than it sounds; I already have command line utilities to reposition windows, and X comes with a fair number of commands to poke at various aspects of window state.)

I'll cut to the chase: yes, except that it wasn't exactly a quick script. The most convenient way of doing this turned out to be writing an FVWM module in Perl that finds out all of this information and writes a file of FVWM commands that can be loaded back in to FVWM to (re)position and (re)iconify all of my Firefox windows just right. In the process of doing this I had to remember my Perl, look up a certain amount of Perl's OO support (my last serious Perl programming pretty much predates it), and figure out how to work with FVWM's underdocumented Perl bindings.

(FVWM has no current Python bindings for would be module authors.)

But all of this was less work than continuing to re-position all of my Firefox windows by hand. Honest.

(The resulting module is sort of theoretically general. If you are really interested, see here. As a bonus, you get to laugh at my hack-job Perl.)

(2 comments.)

MDLog:/sysadmin: Next Debian release will be called “Wheezy”

Sat, 04 Sep 2010 02:02:28 +0000

Squeeze has been frozen for some time now, and hopefully will be released by the end of the year, and today the Debian team has revealed the name of the next Debian release 7.0: Wheezy.

Just like all the previous releases, this is another character from Toy Story – wheezy – a rubber squeeze toy penguin with a red bow tie (that appears only in the 2nd movie). This will be the first character selected as a Debian version name which has not appeared in all the movies.

Source: http://lists.debian.org/debian-devel-announce/2010/09/msg00000.html

Slaptijack: Tech Messages | 2010-09-03

Fri, 03 Sep 2010 20:00:30 +0000

A special extended edition of Tech Messages for 2010-09-01 through 2010-09-03:

Interactive map of Linux kernel
XenServer 5.6 cdrommon Consumes All CPU Resources | Geek Run Virtualization Blog
Users of Citrix XenServer 5.6 are experiencing a problem where the cdrommon process begins consuming all CPU resources and affecting virtual machine performance.
95th percentile explained — sean adams mirror
This is a good explanation of 95th percentile billing and why ISPs use it.

TechRepublic Network Administrator: What your multinational's systems have in common with East Germany's Stasi

Fri, 03 Sep 2010 17:02:15 +0000

They know where you live. They know when you go to sleep. They know which coffee shops you visited. They know which hotels you stayed in, and for how long. With a little database cross-referencing, they can learn that you bought wine in a local restaurant while your spouse was traveling in another part of the country. They know where you’re planning to travel next summer. They know everywhere you’ve lived for the past decade or more.

They know all this without tailing you, without setting foot in your house, and without speaking to you or your friends and family.

“They” is any private or public firm doing business with citizens of European Union countries. “They” is your IT department if your systems collect IP addresses or other personally identifiable information (PII) from E.U. citizens or exchange such data with E.U. systems.

For those of you needing a Cold War refresher, the Stasi, or Staatssicherheit in German, was the official state security service of East Germany. The Stasi has been compared to the Gestapo, but in some ways the comparison is not apt, because the Stasi was a kindler, gentler, more insidious apparatus of the State. The Stasi were sometimes no more intimidating than, say, the network administrator working on the third floor, or the shiny new database consultant.

Think this issue unimportant? Due to privacy concerns in the E.U., until recently the United States did not have access to 2010 bank transaction data from the SWIFT database, a Europe-based system. This data was regarded as essential to U.S. law enforcement attempts to identify such transactions as money laundering and transfers to terrorist organizations. In a recently agreed upon compromise, the E.U. placed one of their officials at the U.S. Department of Treasury on a permanent basis, and will house the data within the E.U. instead of shipping it out en masse to the U.S.

(Image at left is the badge suggested for U.S. Dept of Commerce Voluntary Privacy Framework.)

IP = “Invaded Privacy” address?

Network and database administrators may be unwitting perpetrators of such surveillance. All this became clear when Google first entered the E.U. market, and concern peaked again when Google Street View was rolled out to Europe. While case law in the U.S. has been ambiguous, with federal courts deciding that IP addresses are not PII, and others deciding that a grand jury subpoena is required before an ISP is required to disclose a subscriber’s IP address. As can easily be seen from online ad targeting, i.e., “localized behavioral advertising,” it requires little effort to obtain city name and more from IP addresses.

Regardless of its current legal standing in the U.S., the public attitude that IP addresses were not PII shifted in 2006 when AOL released search logs from its members and New York Times reporters were able to identify and profile a single “anonymized” individual within days. Though many web site privacy policies say otherwise, when IIS or Apache collects IP addresses of users, PII data is being collected.

As DePaul’s Joshua McIntyre writes in a piece arguing for treatment of IP addresses as PII, “what prevails today is an online world that lulls its inhabitants into a false sense of anonymity while secretly recording their every move for future discovery.” In the U.S., privacy is viewed as a secondary concern in telecommunications policy. It’s been often mentioned that “privacy” does not appear in the U.S. Constitution. Not so in Europe, with its dark history of secret police, citizen-spies, and totalitarian regimes that obtained information clandestinely and used it to chase down individuals for imprisonment or death. As shown in the table, the U.S. and Europe have taken different approaches.

Attitudes About Personally Identifiable Information
European Union	United States
European Union Data Privacy Directive 95/46/EC sets high standards for the protection and movement of personally identifiable information between E.U. member countries and to outside Data protection is granted even after the consumer has passed on the data.	Focus on informed consent, with relatively few legal restrictions on the use of information provided voluntarily. What rules do exist are primarily state-by-state.
Firms are responsible for protecting PII data once it has been collected, and also for managing its transfer to others by monitoring compliance of recipients.	Once the data has been yielded to a company, the company is largely free to use it as it wishes, subject to local state regulations.
E-privacy rules introduce mandatory notifications for personal data breaches by providers of communications networks and services, “regardless of sector or type of the data concerned.”	In the U.S., violations are rarely prosecuted. According to a Business Week analysis, only seven cases have been brought to court, and none were proven to be actual non-compliance. (As a cautionary tale, though, consider the case of Twitter’s 2009 security breach.)
Medical records are no different from other E.U. citizen’s personal information because a degree of data protection is already afforded.	Concern over medical records privacy may increase with the push to reduce health care costs through greater automation.
As shown in the case of Germany’s export oversight, data to be transferred from Germany to the U.S. requires that the sender verify the recipient’s Safe Harbor certification and adherence to notification principles, and be prepared to show auditors the results of such analysis of third parties.	Companies can self-certify through the voluntary Safe Harbor framework suggested by the Department of Commerce. Except for certain areas (e.g., airline passenger data), enforcement is primarily through the private sector.

A checklist for U.S. multinational IT departments

This columnist is neither a lawyer nor a compliance specialist. Still, it is obvious to anyone working in IT that privacy considerations are often more lax here than in the E.U. and other countries. This could create risks for U.S. firms and nonprofits that have customers, contacts, and coworkers based in E.U. member states. Accordingly, this proposed checklist for proactive network and database administrators is just a starting point.

Learn about the Department of Commerce Safe Harbor framework. Consideration of voluntary compliance might enhance awareness of the issue, even if that official route isn’t ultimately selected. If you have a Compliance Officer, make an appointment to discuss the current state of affairs in your company. Get a feeling for the climate about PII in Europe; a 2009 RAND-Europe report covers the pros and cons of the E.U. Data Protection Directive.
Treat IP addresses as PII. Educate other IT professionals about privacy considerations associated with IP addresses (as well as other network data such as connection details) to minimize unnecessary or inadvertent collection of PII.
Update data protection policies to include web logs and other PII-containing repositories if they are not already included. Encrypt when not in use, and review data expunging policies. Consider at most a 6-month policy for IP address retention.
Verify that cybersecurity best practices are in place to protect PII. This should include pragmatic considerations such as authentication unique to the type of data to be protected, logging of access to PII archives, and proactive aggregation.
Review and update web site privacy policies.
Be alert for emerging sources of PII, such as bar codes scanned, photos with location and timestamp data in the EXIF, electronic ID, security access logs, GPS, wireless communications . . . the list goes on.
If you’re already in over your head, look for expertise from specialty outfits like DataGuidance, Hunton and Williams, Covington and Burling, Proskauer - to name but a few.

RELATED Check out a previous post on the Massachusetts privacy law.

High Scalability: Hot Scalability Links For Sep 3, 2010

Fri, 03 Sep 2010 14:46:13 +0000

With summer almost gone, it's time to fall into some good links...

Hibari - distributed, fault tolerant, highly available key-value store written in Erlang. In this video Scott Lystig Fritchie gives a very good overview of the newest key-value store.
Tweets of Gold
- lenidot: with 12 staff, @tumblr serves 1.5billion pageviews/month and 25,000 signups/day. Now that's scalability!
- jmtan24: Funny that whenever a high scalability article comes out, it always mention the shared nothing approach
- mfeathers: When life gives you lemons, you can have decades-long conquest to convert lemons to oranges, or you can make lemonade.
- OyvindIsene: Met an old man with mustache today, he had no opinion on #noSQL. Note to myself: Don't grow a mustache, now or later.
- vlad003: Isn't it interesting how P2P distributes data while Cloud Computing centralizes it? And they're both said to be the future.
You may be interested in a new DevOps Meetup organized by Dave Nielson, so you know it will be good.

Anton Chuvakin - Security Warrior: Monthly Blog Round-Up – August 2010

anton@chuvakin.org (Anton Chuvakin) — Fri, 03 Sep 2010 12:05:00 +0000

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups is my way of reminding people about interesting blog content. If you are “too busy to read the blogs,” at least read these.
So, here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month.

My super-rant about log analysis “Pathetic Analytics Epiphany!” has shot to the top like a pig kicked up in the ass by an irate giant. It is about how after looking at logs for so many years, we still use primitive approaches and primitive tools.
Not surprisingly, my belated reading of the Verizon Breach Reports 2010 (“Verizon Breach Report 2010 OUT!”) is in my Top5. VzDBIR is pure awesomeness, as always!
“Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2”, “SANS Top 5 Essential Log Reports Update!” and their predecessor “Top5 SANS Log Reports Update DRAFT” finally beat the previous champion of a few months “Simple Log Review Checklist Released!” Now I just need to document all the chosen favorite reports and submit it for community release.
Career posts always get top scores automatically and “Skills for Work vs Skills for Getting Hired” is no exception. Just as its predecessor, “Myth of an Expert Generalist”, it got on my monthly Top 5 posts immediately, was featured on Reddit.com, etc, etc. The next career post is coming soon…don’t despair :-)
News of sinking SIEM and log management vendors alluded to in “To Those Escaping from Sinking SIEM/Log Management Vendors” somehow made it to the top. Maybe links to SIEM jobs did it?
“How Do I Get The Best SIEM?”, a companion to “On Choosing SIEM“, went to the top like lighting a few months ago and stayed there this month as well. If you are thinking of getting a SIEM or a log management tool, check them out and also look at related resources at the end of these posts. “The Myth of SIEM as “An Analyst-in-the-box” or How NOT to Pick a SIEM-II?” and ““I Want to Buy Correlation” or How NOT to Pick a SIEM?” also stay at the top – it seems like smaller organizations are looking at deploying SIEM and log management and there is a lot of interest in simple guidance on this.

Also, below I am thanking my top 5 referrers this month (those who are people, not organizations). So, thanks a lot to the following people whose blogs sent the most visitors to my blog:

See you in September; also see my annual “Top Posts” - 2007, 2008, 2009!
Possibly related posts / past monthly popular blog round-ups:

A Year in the Life of a BSD Guru: Presentation for Ohio LinuxFest

Fri, 03 Sep 2010 11:57:51 +0000

My presentation "PC-BSD: An Easy to Use BSD Desktop" for next week's OLF is available on slideshare. If you're in the Columbus, OH area, drop by the BSD booth to pick up a free DVD of PC-BSD 8.1 and chat about all things BSD. Also, consider supporting BSD Certification by taking the BSDA exam at this event.

A Year in the Life of a BSD Guru: BSD Professional Certification Requirements Published

Fri, 03 Sep 2010 10:55:47 +0000

If I've been quiet lately it's because I was burning the midnight oil participating in the final technical and grammatical review for the BSD Professional Certification Requirements document. The document was published late Tuesday night and is a thing of beauty. From the announcement:

High Scalability: Six guiding principles to Consolidate your IT

Fri, 03 Sep 2010 09:37:01 +0000

The need for IT consolidation is most evident in two types of organizations. In the first group, IT grew organically with business over the decades, and survived changes of strategy, management, staff and vendor orientation. The second group of businesses capital groups are characterized by rapid growth through acquisitions (followed by attempts to integrate radically different IT environments). In both groups, their IT infrastructures have typically been pieced together over the past 20 (or more) years.

Chris Siebenmann: Finally understanding the attraction of AJAX

Fri, 03 Sep 2010 05:12:28 +0000

Finally understanding the attraction of AJAX

I'll admit it; I'm slow sometimes. For a very long time now I haven't really gotten why people keep sprinkling AJAX over their web pages (partly because I assiduously use NoScript and so mostly don't see it). Oh, I understood that you needed it to create actual applications on the web and that it could be convenient for making vaguely friendly things, but I didn't really understand it in the context of relatively ordinary web apps like DWiki.

But my recent thinking about my comment form design mistake has finally fixed that. Here is my recent insight in a nutshell:

AJAX lets you do things without page changes and refreshes, so you can preserve the user's context on the page and make them less confused.

In a conventional non-AJAX web interface, any significant action forces a (full) page reload. This creates a visible page refresh except in extremely ideal circumstances and in general means that the user has to find their place again and reorient themselves. This is sort of tolerable if what the user is working on fits entirely inside their browser window; it's fairly horrible if it doesn't and they have to actively scroll around to find where they were before. This is the core problem I have with a revision to my comment form design; I'm pretty sure that people would get lost among everything else going on.

(The ideal circumstances are that you're using fragment identifiers in the URL, the browser accurately repositions things back at the fragment identifier, and the entire system loads the new page so fast that there is no visible flicker.)

In an AJAX web interface the user can perform actions without this lurching jump. For example, when they click on 'add comments', they don't get yanked to a new page; instead, a comment form unfolds right then and there in front of them. This is less confusing in two ways. First, it is happening right in front of you, clearly visible. Second, it is the only thing that is happening; you don't have to pick out the significant change from all of the other flickering and movement and so on that's going on as the page reloads.

This creates a more fluid, less disorienting interface, one that is easier and faster to work with because you spend more time doing what you're interested in and less time finding your place again every so often. In a sense, the result is much closer to a direct manipulation interface than a standard, non-AJAX web page can manage.

I don't think that there's any way to pull this off without AJAX; you really need some way to do a partial page content update without anything else flickering or moving. That's just not something that browsers offer (you don't even get it on plain user-initiated page refresh).

(I suspect that this is old hat for people in the field, but all of it only clicked for me when I started really thinking over the problem of people getting lost in my comment form under various circumstances, cf TemplateLimitations.)

PS: looking backwards, this makes me slightly more sympathetic to old HTML frames. Although they were almost never used this way, you can argue that they were a crude first attempt at the sort of limited page update you'd need to pull this off.

(4 comments.)

The Blog of Ben Rockwood: Devops Days Silicon Valley: What You Missed

Fri, 03 Sep 2010 04:06:00 +0000

All the panels from the Silicon Valley DevOps Days are now online. A huge round of applause for InfoQ for putting this entire event online and making it available to the world.

If you want a glimpse into the next 10 years of system administration as a career path, you need to get up to speed now so it doesn't take you by surprise in the coming years.

The FreeBSD Diary: 3Ware Nagios plugin

Thu, 02 Sep 2010 23:45:33 +0000

I liked it, but I wanted more

TaoSecurity: The Inside Scoop on DoD Thinking

noreply@blogger.com (Richard Bejtlich) — Thu, 02 Sep 2010 22:40:30 +0000

I wanted to help put some of you in the mindset of a DoD person when reading recent news, namely Defense official discloses cyberattack and Pentagon considers preemptive strikes as part of cyber-defense strategy, both by Washington Post reporter Ellen Nakashima. I'll assume you read both articles and the references.

Deputy Defense Secretary Lynn's article (covered by the first Post story) is significant, perhaps for reasons that aren't obvious. First, when I wore the uniform, the fact that a classified system suffered a compromise was itself classified. To this day I cannot say if a classified system I used ever suffered a compromise of any kind. Readers might be kind enough to say if this policy is still in effect today. So, to publicly admit such a widespread event -- one that affected classified systems -- that is a big deal.

Second, Lynn said "this previously classified incident was the most significant breach of U.S. military computers ever." That is significant. It sets a bar against which other incidents can be measured. Why was it so bad?

Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data.

That's serious, and specific.

Third, after citing Google's January admission, Lynn says:

Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term.

Every year, an amount of intellectual property many times larger than all the intellectual property contained in the Library of Congress is stolen from networks maintained by U.S. businesses, universities, and government agencies.

As military strength ultimately depends on economic vitality, sustained intellectual property losses could erode both the United States' military effectiveness and its competitiveness in the global economy.

I interpret this as saying cyberwar is hurting the US specifically because non-military targets are being hit, repeatedly and persistently.

Finally, I'd like to provide a counterpoint regarding the second Post article. Other pundits are calling DoD's potential offensive strategy "beyond stupid." I'd like to know what's stupid: more of the same failed vulnerability-centric policies and approaches of the last, what, 10, 15, 20 years, or taking a threat-centric approach to apply pressure on the adversary? I also wrote about this in 2007, like some other pundits. In the three years since, playing defense hasn't helped much. Expect more on offensive options in the coming years, in all sectors -- not just the military.

Anton Chuvakin - Security Warrior: LogChat Podcast 1: Anton Chuvakin and Andrew Hay Talk Logs

anton@chuvakin.org (Anton Chuvakin) — Thu, 02 Sep 2010 18:11:00 +0000

"LogChat" Podcast is born! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other closely related subjects). And now you have it - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Administrative items first: We need a new name! We are not entirely happy with "LogChat" and, sadly, "LogTalk" is taken. Please suggest a name - if we pick yours, you get a free signed  copy of my "PCI Compliance" book. We will post the transcript, not just the MP3 file - in a few days. If you have ideas for a good/inexpensive transcribing service, we are all ears. I will try Amazon Mechanical Turk first, but it might not be good enough for a technical podcast. Please also suggest topics to cover as well - even though we are not likely to run out of ideas for a few years. Our first topic today is new log source integration - if it sounds boring...well...listen first/judge second :-) We plan for this to be a monthly podcast. So, the next one will happen sometime early October. Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the "cloud"? Feedback please! Who knows...maybe there are more PCI books left in my secret stash and you too will earn that glorious prize for the most useful piece of feedback  :-) And now, in all its, glory - the podcast: the link to MP3 is here [MP3]. Enjoy the log chat!About me: http://www.chuvakin.org

TaoSecurity: Review of Hacking Exposed: Wireless, 2nd Ed Posted

noreply@blogger.com (Richard Bejtlich) — Thu, 02 Sep 2010 17:28:00 +0000

Amazon.com just posted my five star review of Hacking Exposed: Wireless, 2nd Ed by Johnny Cache, Joshua Wright and Vincent Liu. From the review:

I reviewed the first edition of Hacking Exposed: Wireless (HEW) in May 2007, and offered four stars. Three years later I can confidently say that Hacking Exposed: Wireless, 2nd Ed (HEW2) is a solid five star book. After reading my 2007 review, I believe the authors took my suggestions seriously, and those of other reviewers, and produced HEW2, the best book on wireless security available. If you want to understand wireless -- and not just 802.11, but also Bluetooth, ZigBee, and DECT -- HEW2 is the book for you.

I forgot to mention in my review that this new edition appears to be a substantial rewrite, not a minor editing of old chapters! I didn't do a chapter-by-chapter comparison. I did read the whole book, which the publisher provided as a review copy.

TechRepublic IT Security: Quantum Hacking cracks quantum crypto

Thu, 02 Sep 2010 16:08:26 +0000

Quantum cryptography sounds like science fiction, but the people at Quantum Hacking have already cracked a pair of commercial quantum crypto implementations.

Quantum key exchange is generally regarded as a perfect solution to the problem of securely exchanging cryptographic keys. Ensuring that keys are exchanged in a secure manner is a critical part of the process of communicating secret information without any chance of an eavesdropper acquiring the secrets.

One of the foundational principles of modern cryptology theory is Kerckhoffs’ Principle, which states that a cryptosystem should be secure even if everything about the system is known by potential attackers except its key. Shannon’s Maxim, a roughly equivalent but much more succinct formulation, says “The enemy knows the system.”

With such principles of security firmly in mind, two obviously necessary policies for secure systems arise:

The security of a system can only benefit from making its design subject to public review so that potential weaknesses can be detected and fixed. This is often referred to as a recognition that obscurity is not security or, more to the point, a policy of security through visibility.
The key used to decrypt a secret message must, itself, be a secret held as exclusively as possible.

There are two generally accepted ways to solve the problem of key exclusivity:

Keep a key exclusive to a particular individual. This is the approach that leads to techniques of public key cryptography such as is used in OpenPGP systems, where only one person knows the key used to decrypt a message — but everyone in the world might know the key used to encrypt it. This ensures the secrecy of a message sent to the recipient, so long as the recipient’s private key is the only key that can be used to decrypt it, and so long as the implementation and security practices of the two parties are sufficiently strong to negate any attempts to crack the system.
Keep a key exclusive to a particular relationship. This approach depends upon the communications between two parties being protected by a key, or keys, that are specific to the relationship between those two parties, and not reused anywhere else. It serves as the basis for the one-time pad cipher, the only truly uncrackable cipher known to modern cryptology — and a cipher that is almost completely impractical for regular use. It also serves as the underlying assumption of cryptographic exchange in more practical symmetric key ciphers.

The problem of key exchange has been the subject of much debate, research, and effort over many years. Public key cryptography essentially avoids the whole issue by using key pairs, where the system is not only not compromised if half the keyset falls into the wrong hands, but it works better if that half of the keyset is public knowledge. For certain purposes, however, symmetric key encryption is often preferable, so long as the key exchange problem is solved.

The promise of quantum key exchange, and its weaknesses

Heisenberg’s uncertainty principle has plagued physicists for decades. When what you study gets small enough, the tiny little particles — photons, the building blocks of things like “light”, for instance — that you need to bounce off of what you are trying to observe are no longer inconsequential to the target of observation. When you want to observe the behavior of an electron, trying to bounce a photon off the electron can alter the state of the electron, leaving you with an uncertain read on the particle’s state. It gets worse as the targets of your observation get even smaller, as in the case of trying to observe photons themselves.

Quantum key exchange makes clever use of this uncertainty principle. Systems that make use of quantum key exchange take advantage of the uncertainty principle to guarantee, at least in theory, that nobody has attempted to observe the key in transit. Any attempt to do so will change the state of the communication, thus producing detectable anomalies, alerting the communicating parties to the presence of an eavesdropper so they will know the key has been compromised and will not use it.

In theory, it seems like an infallible system. In practice, the actual security of the system is subject to the limitations of implementation — the one weakness that plagues all cryptosystems. Commercial quantum key distribution systems exist, but the technology is still not a 100% perfectly solved problem.

Such systems typically use a fiber optic cable to communicate data across distances measured in kilometers, employing avalanche photodiodes to detect individual photons. The work of a group of quantum information scientists at the Norwegian University of Science and Technology, known as the Quantum Hacking group, in collaboration with the Max Planck institute for the science of light and the University of Erlangen-Nürnberg, has produced a means to crack two quantum key distribution systems by exploiting a characteristic of the design of avalanche photodiodes.

In simplified form, the crack consisted of a man in the middle attack that works by fooling the photodiode itself, using nothing but off-the-shelf (if somewhat expensive for casual use) components. “Blinding” the receiving system’s photodiodes with a laser so that it cannot read the quantum states of incoming photons causes the diodes to behave as a “classical detector”, recording bit values not due to the quantum states of incoming photons but due to the detection of pulses of brighter light. As such, the eavesdropper can “blind” the intended recipient, receive the key in its stead, then convey the key’s value to the still-blinded avalanche photodiodes in the intended recipient system by way of pulses of bright light.

One of the researchers, Vadim Makarov, said of the crack, “We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing.” (In the picture above, a member of the Quantum Hacking team, Lars Lydersen, tests Clavis2 quantum cryptography system for detector controllability. Photo credit: 2009 Vadim Makarov, www.vad1.com)

Since discovering the vulnerability, the researchers have worked in collaboration with ID Quantique, the vendor for one of the commercial systems, to fix the weakness in this type of quantum key distribution system. The Quantum Hacking group’s paper was published in the Nature Photonics journal, as Hacking commercial quantum cryptography systems by tailored bright illumination.

Photos of the equipment used to analyze the cracked systems and perform the crack are available at the Quantum Hacking site, in Cracking commercial quantum cryptography: how we did it, in pictures. They even provide a link to a photo of ID Quantique engineers feeding pizza to Quantum Hacking researchers as they worked on a fix for the vulnerability.

Standalone Sysadmin: Intermittent Problems Suck (your time)

Thu, 02 Sep 2010 15:51:06 +0000

For the past few days, our NYC office has had incredibly irritating problems with the internet connection. We’ve got service through a local Metro-E provider, but they’re a CLEC, which means they don’t own the lines, they just lease them from the ILEC, who is in this case, Verizon.

The root of the issue is that the wiring at the building we’re in is crap. It’s a small 5 story building that used to be apartments and has been converted to offices, and the wiring is just not up for the job. We went through several pairs of copper pairs looking for one that was good enough to carry the metro-E signal, and it was all we could do. Before metro-E, we had DSL, where we capped out at just over 1Mb/s…and this is in Manhattan.

Unfortunately, the circuit is currently in the middle of dying, so it’s working sometimes and failing others. I first opened this ticket on Monday, and have exchanged emails with our provider a dozen times or so. They’ll see the issue, but symptoms are vague as to whether it’s their equipment, our equipment, or the line running between our equipment, or (what I’m fairly sure the problem is), the lines entering the building from Verizon.

It wasn’t until last night when they finally saw enough errors on the bridge to have Verizon to commit to a service call tomorrow evening to add a loop. Every other time, everything on the line was hunky-dory. This is why intermittent problems take so long to solve…because all the stake holders have to be monitoring at exactly the right time for anything to get done.

Meanwhile, I’ve been having to apologize to my users, and give them instructions on how to forward their desk phones to their cells.

Even though the problem isn’t actually with my provider, I would love to get a secondary network connection, because the lines here are just too unreliable. No cable companies will give us service, no fiber companies will touch the building…it’s pretty much just Verizon and their CLECs at this point.

I think we’ve only got 2 more years on the lease?

SysAdmin1138: Times change, alas

Thu, 02 Sep 2010 15:40:14 +0000

Right now we're giving serious consideration to using folder mount-points in Windows in order to solve a specific storage problem. The one thing that make me go, "oh, please, no," is the fact that the disk-space monitoring script I've been using for years, the one that also monitors NetWare, Windows and ESX, can't handle folder-mounts. Why? Because the Windows SNMP agent doesn't give any information about folder-mounts, just drive-letter mounts.

SNMP was very nice since I didn't have to use Windows to get the information I needed. However, Microsoft hasn't been really paying attention to SNMP in recent versions so I am not at all surprised to learn that this hasn't been put in place. Or if it is, they're using a MIB I don't know about.

I suspect I'll have to carve my script up in twain, into Windows and non-Windows variants. That way I can continue to keep data in this particular database (with data that goes back to 2004!).

But still, the core engineering of this guy was done back in 2001, with efforts later on to shim in Windows and ESX support. I looked into Linux a couple years ago and determined that I could add support for that pretty simply, but never did as we didn't have a call for it yet. 9 years is a long life for a script like this. I suppose it's time.

Or maybe we can not use folder-mounts.

High Scalability: Distributed Hashing Algorithms by Example: Consistent Hashing

Thu, 02 Sep 2010 14:26:15 +0000

Consistent Hashing is a specific implementation of hashing that is well suited for many of today’s web-scale load balancing problems. Specifically, it can be seen in use in various caching solutions like Memcached and is applicable to NoSQL solutions as well. Consistent Hashing is used particularly because it provides a solution for the typical “hashcode mod n” method of distributing keys across a series of servers. It does this by allowing servers to be added or removed without significantly upsetting the distribution of keys, nor does it require that all keys be rehashed to accommodate the change in the number of servers.

You can read the full store here.

Jordan Sissel: RAID is not Redundant.

Thu, 02 Sep 2010 07:50:00 +0000

My year at Rocket Fuel has seen many unique system failures. One specific kind of failure I want to highlight is those of full RAID failures. I've talked before about how RAID is not a backup technology.

Tonight, we rebooted a machine that hung (presumably due to OOM or other funkiness) and it came back in the bios saying:

Foreign configuration(s) found on adapter

Our managed hosting support weren't sure what to make of this, so we decided to make a new home (from backups) for the services on this now-dead machine. Dell won't helping debug on this until tomorrow.

This is one of many total data losses I've observed on RAID sets in recent months - all due to RAID failures. Thankfully, We have backups that get shipped to HDFS. We monitor those backups. We also have puppet and other automation to help move and rebuild services on a new host. We're equipped to handle this kind of failure.

This leads me to a new conclusion: The 'R' in RAID is a lie. It is not redundant. Treating it that way can lead you to the raid-is-backup fallacy.

Wikipedia has this to say about Redundancy (engineering): "In engineering, redundancy is the duplication of critical components of a system with the intention of increasing reliability of the system, usually in the case of a backup or fail-safe."

Adding more parts (complexity) to a system doesn't often increase its reliability. Even taking into account the disk redundancy you might get with mirror or parity, you're still hedging that the RAID card doesn't die, which it will. Everything's MTBF comes eventually, so weigh your risk.

Back to my conclusion that RAID is not redundant. RAID is not dead, I'm just done viewing RAID as a continuity-through-drive-failure technology. RAID has other benefits, though. It achieves more than just redundancy (when your card doesn't die).

RAID makes multiple drives present as a single drive device to the OS, right? Right. RAID allows you to aggregate disk IO performance to achive higher read/write rates than with a single disk alone. You can also aggregate disk space this way, too, if you didn't know.

It's almost 0100 now, I'd much rather be sleeping or playing TF2 than helping rebuild from backups.

Slaptijack: Cisco Access Registrar: Automatically Clear Old Sessions

Thu, 02 Sep 2010 07:00:17 +0000

While doing some testing with Cisco Access Registrar (CAR) 5.0, I noticed that the test user had hundreds of old sessions hanging around:

--> query-sessions /r with-User X
Sessions with-User X for /Radius
  Sessions for /Radius/SessionManagers/session-mgr-1:
    S432 Key: 04000000000CF660, NAS: NAS.slaptijack.com, NAS-Port: 0, User-Name: X, Time: 21:19:26, Acct-Session-Id: 04000000000CF660
<snipped a lot of lines>

--> count-sessions /r with-User X

Total 469 session(s) with-User X for /Radius/SessionManagers

It seemed like a good idea to have these old sessions be cleared out rather than sitting around forever. These sessions were likely created during testing when things may not have worked perfectly right. Although this can be done by hand (release-sessions), I decided to have it done automatically. You have to change two settings.

First, set the PhantomSessionTimeOut in your session manager. This controls how long it takes for an accounting start record to appear before CAR believes the session is never going to start.

--> cd /Radius/SessionManagers/session-mgr-1/

[ //localhost/Radius/SessionManagers/session-mgr-1 ]
    Name = session-mgr-1
    Description =
    Type = Local
    IncomingScript =
    OutgoingScript =
    AllowAccountingStartToCreateSession = False
    SessionTimeOut =
    PhantomSessionTimeOut =
    SessionKey = User-Name
    ResourceManagers/

--> set PhantomSessionTimeOut "10 Minutes"

Set PhantomSessionTimeOut "10 Minutes"

--> cd /Radius/Advanced/

[ //localhost/Radius/Advanced ]
<snip>
    SessionPurgeInterval =
<snip>

--> set SessionPurgeInterval "1 Hour"

Set SessionPurgeInterval "1 Hour"

--> save

Validating //localhost...
Saving //localhost...

--> reload

Reloading Server 'Radius'...
Server 'Radius' is Running, its health is 10 out of 10

As you remember, we had 469 sessions for user X. After an hour…

--> count-sessions /r with-User X

No active sessions found with-User X for /Radius/SessionManagers

Adnans Sysadmin/Dev Blog: Links for 2010-09-01 [del.icio.us]

Thu, 02 Sep 2010 07:00:00 +0000

Emacs Emulation Extension Now Available! - The Visual Studio Blog - Site Home - MSDN Blogs

Chris Siebenmann: Why Python's global is necessary

Thu, 02 Sep 2010 04:01:01 +0000

Why Python's `global` is necessary

When I started out programming in Python, I didn't really like global. For a long time I considered it unaesthetic, annoying, and on the whole an irritating wart of the bytecode implementation. As I mentioned recently, I have come around to a different view of global, and it goes like this.

If you want to have both global variables and lexically scoped local variables, you have to be able to tell whether a given name being assigned to in a function is a local or a global variable at the time that the function is being defined. Assuming that you want as much as possible of this to be implicit for various reasons, there are three relatively reasonable choices that I can think of:

you must declare globals explicitly; otherwise names are local.
you must declare locals explicitly; otherwise names are global.
the decision is made implicitly by what global names already exist when the function is being defined; a name that exists globally is taken as a global variable, and otherwise the name is taken as a local variable.

(If a name is never assigned to within a function but only read from, it's either a global variable or a 'use of an undefined value' error. Python opts to consider it a global variable.)

The third option is fragile (and un-Pythonic). This leaves you with a choice between the first and the second options, and either way you are going to need a keyword for it. Python makes the decision that writing to global variables will be rare and so it forces you to declare them explicitly; local variables, the common case, are handled implicitly. So it needs global, because having local instead would be worse (and having neither would be much worse).

(This decision might be either a pragmatic one, based on what was expected to be common, or a philosophical choice to make global variables more inconvenient in the hopes of making them less common. I don't know the Python history involved, so I have no idea which it was.)

Other languages make different choices here, sometimes for philosophical reasons that come down on the other side and sometimes just for historical ones (eg, if they started out without local variables or lexical scoping at all).

Sidebar: the many problems with the fully implicit option

The core problem with the fully implicit option, why it is fragile in many ways, is that it makes the meaning of a function dependent on its surrounding context. You can't just read a function and know what it does and what it manipulates; instead you have to know what global names exist when the function is defined.

One consequence of this is that anything that changes what global names are defined can change the meaning of the function. In a language like Python where function definition is an ordinary executable statement, one done immediately when encountered, merely moving a function definition forward or backwards inside a file could change the function's meaning even without any other code changes (as you move it before or after where global names are created or even deleted).

High Scalability: Scale-out vs Scale-up

Wed, 01 Sep 2010 20:45:16 +0000

In this post I'll cover the difference between multi-core concurrency that is often referred to as Scale-Up and distributed computing that is often referred to as Scale-Out mode.

more..

Source: Scale-out vs Scale-up (http://www.dzone.com/links/r/scaleout_vs_scaleup.html) by Nati Shalom

Anton Chuvakin - Security Warrior: Fun Project Honeynet Log Challenge: Log Mysteries

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 Sep 2010 18:22:13 +0000

Project Honeynet just released its latest Forensic Challenge 5 - Log Mysteries. It is based on logs from a compromised virtual server and requires quite a bit of digging through messy log data.

The Challenge:
Analyze the attached sanitized_log.zip [A.C. – get the logs here] and answer the following questions:

Was the system compromised and when? How do you know that for sure? (5pts)

If the was compromised, what was the method used? (5pts)

Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)

What happened after the brute force attack? (5pts)

Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)

What is the timeline of significant events? How certain are you of the timing? (5pts)

Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)

Was an automatic tool used to perform the attack? if yes which one? (5pts)

What can you say about the attacker's goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)

Go get the challenge here and get to solving it – you have about a month. And, yes, there will be prizes too!

Finally, if you really want to make me happy (hehe...who’d want that? :-)), please invent a new approach while solving the challenge.

Possibly related posts:

Everything tagged Project Honeynet

High Scalability: Paper: The Case for Determinism in Database Systems

Wed, 01 Sep 2010 17:40:24 +0000

Can you have your ACID cake and eat your distributed database too? Yes explains Daniel Abadi, Assistant Professor of Computer Science at Yale University, in an epic post, The problems with ACID, and how to fix them without going NoSQL, coauthored with Alexander Thomson, on their paper The Case for Determinism in Database Systems. We've already seen VoltDB offer the best of both worlds, this sounds like a completely different approach.

The solution, they propose, is:

Standalone Sysadmin: SysAdmin Spirit Animal?

Wed, 01 Sep 2010 15:30:40 +0000

There’s an amusing thread on the LOPSA Discuss list going on right now. It’s called “What Animal is a System Administrator“.

I was leaning toward the beaver until I saw the post by Paul Graydon, who recommends the Pooka, aka the Púca:

The púca has the power of human speech, and has been known to give
advice and lead people away from harm. Though the púca enjoys
confusing and often terrifying humans, it is considered to be
benevolent.

It’s like I’m looking in a mirror.

Everything Sysadmin: Verizon FIOS: No outage so far!`

Wed, 01 Sep 2010 13:40:08 +0000

Well it is the first of the month and it seems like I have internet access still. That's good news.

Lets see what happens my DHCP lease expires. That's the real test.

I don't want to push my luck, but it looks like good news so far!

Standalone Sysadmin: Linux machines with no rebooting…? Is this what we want?

Wed, 01 Sep 2010 12:14:10 +0000

The other day, I caught a message that KSplice was available for Fedora. I thought I’d be a wiseguy and I replied “Yeah, great. Call me in 20 years when it’s available for for RHEL”. Well, as several people pointed out, it turns out the joke is on me.

As you can see, it’s actually available for many Linux-based OSes at various prices. I suppose my confusion stemmed from the fact that I misunderstood what ksplice was.

My impression from a long time ago, when it first came out on Ubuntu, was that it was essentially a kernel patch that dynamically loaded patches and provided the ability to rebootstrap a kernel that was already loaded. As it turns out, it’s a commercial product that offers the ability to not have to reboot your machine to update the kernel. Let me be frank: I’m all about that.

The part that I kind of object to is in the press release, of all things. It’s the opening line of the company profile:

Ksplice is an enterprise software company making reboots a thing of the past.

Please, lets be honest. Reboots are inevitable. Using this product as a stop-gap for untimely reboots may be handy (at the low low price of $50 per year per server), but it can’t (and shouldn’t!) replace regular reboots.

The reasons for scheduled rebooting of machines are numerous. The primary one is that regular reboots assure that the machine is configured to boot correctly. If you’ve got a machine that’s got over 100 days of uptime, how do you know it will start correctly? You last booted it last quarter…what has happened to that machine since then? Changes in installed services, mountpoints, etc…it’s hard to tell if it’s going to be in a known-good state when it comes back up after a power failure.

Another reason to reboot occasionally is to clean up the running state of the machine. What’s that you say? Your machine is running fine? Well, sure, it may be, but how much cruft is left hanging that isn’t obvious? Have you ever used kill -9? Do you know for sure that there aren’t any memory leaks in your running services? Any processes hang while reading I/O and is now stuck in uninterruptible sleep?

Yes, there are lots of things that happen to servers over the course of doing their jobs. A reboot fixes many of them. The only argument against it is uptime.

I’ve written about uptime before, and I still feel the same way. Modern system administration has advanced beyond a single server providing a service. Uptime needs to be measured from the outside in, and according to the availability of the service, not the individual servers comprising that pool.

Feel free to disagree. Let me know if you’ve got an uptime of a year plus and you’re proud of it, or if you would be ashamed to be in that position.

Edit
This entry is causing quite a stir on Reddit. Cxunix from twitter also weighed in on his blog, servermanaged.it (link is in Italian, English translation here).

Anton Chuvakin - Security Warrior: Another Fun SIEM Whitepaper

anton@chuvakin.org (Anton Chuvakin) — Wed, 01 Sep 2010 06:11:00 +0000

As promised, here is another detailed SIEM whitepaper called “A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security” that I wrote for a great team at Tripwire earlier this year.

“While recent economic troubles might have something to do with it, many organizations today seek to only do a bare minimum of security. To be more precise, they try to do what they think is the bare necessary minimum. Their perception that security “due diligence” can be reduced all the way down to the level prescribed by regulations, such as PCI DSS, is more common than ever today. All too common result of this thinking is security breaches and other damaging events.

This trend has affected many security safeguards, and SIEM and log management are hard hit by this as well. It is very common to deploy these technologies in order to satisfy the compliance check box. In this paper we will analyze this trend and provide useful guidance for getting value out of SIEM and log management tools while focusing on protecting systems and data – and not simply on checking the box.”

Get the paper here.

Possible related posts:

Slaptijack: Python: Remove Whitespace From a String

Wed, 01 Sep 2010 03:08:08 +0000

>>> print "".join(" hello   world ".split())
helloworld

The key to the above is that the String method split() separates the string on any amount of whitespace when no separator is specified.

MDLog:/sysadmin: NodeJS chef cookbook released

Wed, 01 Sep 2010 00:21:05 +0000

I’ve just released a simple chef cookbook that will install nodejs from source. You can check it out directly from github or download it from the opscode cookbook site. Let me know what you think if you find it useful.

Chris Siebenmann: I don't understand how net.ipv4.conf.*.rp_filter can work

Wed, 01 Sep 2010 00:08:34 +0000

I don't understand how `net.ipv4.conf.*.rp_filter` can work

First, the background. net.ipv4.conf.*.rp_filter controls some IP address source validation filtering done on incoming IPv4 packets. It has three values:

0	No filtering is done.
1	Packets are discarded if they come in on any interface except the one that a reply to the source IP would go out on.
2	Packets are discarded if a reply to the source IP could not be sent out any interface.

(A more formal description is in ip-sysctl.txt in the kernel documentation. Like all interface sysctls, it can be set separately for each interface, as a default, and for all interfaces.)

I don't understand how this can possibly work. Well, I understand how it works, I just don't understand how it can possibly do any good in most configurations. And I don't understand how a setting of '1' can possibly work at all in multihomed configurations where the multihomed machine is not the sole router for every network it's connected to that is not where its default route points.

First, as far as I can tell a setting of '2' is equivalent to '0' if you have a default route set (the usual case). With a default route set, all source IPs are reachable and so '2' will never discard packets, which is exactly the same as '0'.

For a machine with a single network interface and a default route, all settings are equivalent (for the same reason as above; all source IPs are reachable through your single interface). If you do not have a default route, either '1' or '2' will discard packets that come from networks you do not have routes for.

It is the multihomed case where things explode. Suppose that you have a multihomed host with two network interfaces, net-1 and net-2, with IP-1 on net-1 and IP-2 on net-2. With an rp_filter value of 1, a machine on net-2 cannot talk to this machine's IP-1 address unless the packets pass through the multihomed machine on the way to net-1, ie the multihomed machine is the router for the net-2 machine. If the packets go through another router, they will arrive on the multihomed machine's net-1 interface but the replies would go out the net-2 interface, so they fail the check.

Effectively this creates a bad version of an isolated interface, with the packet reachability restrictions but without the multiple split routing tables that make multihomed hosts actually work. As a bonus it hides the restriction deep in the networking sysctls, where you have to be an expert to find it.

(I suppose that there are some advantages to this half-hearted approach, in that it avoids some limits in the policy based routing version of it.)

By the way, I stumbled over this courtesy of Ubuntu 10.04 setting rp_filter to 1 by default. We have multihomed non-routing machines, and when we set up an Ubuntu 10.04 test version things promptly exploded. If I was not already suspicious of network sysctls, we could have spent quite a lot of time trying to find out just why the machine was ignoring certain sorts of network traffic.

(As it was I did 'sysctl -a | fgrep net. | sort' on both a 10.04 and an 8.04 machine and then looked for settings that were different. Ubuntu 10.04 may not be the first version that sets this, but 8.04 definitely didn't.)

PS: a much more useful version of this sysctl would be a 'private' flag on interfaces. If an interface had the private flag set, packets with a source IP address that was routed through that interface would only be accepted on that interface; all other interfaces would discard such packets.

(4 comments.)

Slaptijack: Tech Messages | 2010-08-31

Tue, 31 Aug 2010 23:00:03 +0000

Interesting technology-related news from around the web for 2010-08-31:

TechRepublic Network Administrator: Review: Zenmap network monitor

Tue, 31 Aug 2010 17:32:37 +0000

Network monitors are a dime a dozen. You can find a network monitor to fit just about every need and every taste. Because of the abundance of monitors available, it’s a real needle-in-a-haystack adventure to find the one that fits your bill. And since not all of these tools are free — unless the tool you’re looking at has a demo — you could be out some cash until you find the right one.

That’s why when you find a tool that has many of the features you need at a cost that is appealing to your budget, it’s time to install it and use it. One such monitor is Zenmap. Zenmap is the official cross-platform, GUI front-end for the Nmap security scanner. But does Zenmap fit your needs? Is it the perfect tool at the perfect price? Let’s dig in and find out.

Specs

Supported Operating systems: Windows, Mac, Linux, BSD
Cost: Free
Requirements: Nmap

Who’s it for?

Zenmap is for any network or security administrator who needs to keep a constant check on their network topology. With it’s next-to-zero learning curve, just about any network administrator can have all of the information they need quickly. Zenmap will work for any size company or even a single-user consultancy, where a quick scan of a network topology can make the difference between spotting a security issue and finding a resolution or, well…not.

What problem does it solve?

There are two very key issues Zenmap solves. One is making the more-challenging Nmap scanner useable for the average administrator. Nmap is a console-only tool and the majority of administrators do not want to spend their day at the console (with a nod to the old-school Linux and UNIX admins who would much rather spend their day at the command line than in a GUI tool). Zenmap also gives the administrator a topology mapping tool where they can actually see an interactive, animated visualization of the hosts on your network.

Key features

Free
Easy-to-use GUI
Quickly saves scans
Uses traceroute and ping
Saves profiles for frequent run tests
Topology mapping
Compares scan results of different scans
Runs multiple scans and views them as one big scan
Plenty of default scan profiles to choose from
Searches scan results

The interactive Topology mapping allows you to add/remove hosts/features, drag and resize the map, zoom in and out of the map, and much more.

What’s wrong

There is very little wrong with Zenmap. But if I were to really dig deep, I would have to say the interactive Topology Map takes a bit of trial and error to get used to. And the lack of any discernible legend for colors or symbols makes it necessary to consult documentation to help read the topology map.

Bottom line for business

With Nmap being one of the standards by which other scanners are judged, having an easy-to-use GUI front end for this tool makes perfect sense for any network administrator. If you are looking for an user-friendly, flexible network scanner and do not want to spend any of your precious IT budget on said scanner, Zenmap is the tool for you.

Competitive products

User rating

Have you taken advantage of the power of Zenmap? If so, what was your experience? Would you recommend this network security scanning solution to your fellow administrators? Share your experience/thoughts with your fellow TechRepublic readers.

TechRepublic Network Administrator: A Special Offer From Our Sponsor

Tue, 31 Aug 2010 17:32:37 +0000

SysAdmin1138: The budget crisis gets deeper

Tue, 31 Aug 2010 15:43:12 +0000

We were told last week that Olympia is requiring WWU to find another 4% to cut from this fiscal year, and another 10% for next fiscal. Fortunately (?) this is within our own internal budget forecasting so we at least have a plan for dealing with it, mostly. The hard part will be the 4% right now.

This is leading to creative thinking. We've done a lot of that over the last two years but now we're scraping the bottom of the barrel. We got told late last week that Technical Services will no longer be able to use the ADMCS supply closet for office supplies and we have to make our own. There are all of 7 of us in this department, we don't go through a lot of Post-Its, pens, and DVD blanks. What we do go through is paper and toner, because one or two of us still prints off 200-600 page manuals once in a while (the rest of us just keep the PDFs around).

And yet, I just turned in a pair of hardware quotes that came to low six figures. A lot of us are confused as to why we're even bothering if money is that tight, but apparently The Powers That Be are confident that there really is money. I do know that there are different flavors of money out there; Capital Funds can't be swept to fix operational budget holes, for instance. Apparently the money for these quotes is coming out of a similarly protected fund, but I don't know what it is or how it works. It'll be nice to get that hardware as it'll keep me busy for the better part of a month.

And of course, the 10% for next fiscal is causing everyone sweat. Technical Services hasn't had to take a layoff yet in the two rounds we've had so far, and it just might be our turn. A 10% cut to our budget is either a person, or a handful of Furlough Days.

TechRepublic IT Security: Securely disposing data on hard drives and other storage media

Tue, 31 Aug 2010 12:00:10 +0000

Debates sometimes arise, both within academic circles and outside of them, over the necessity of high-intensity secure deletion techniques. Find out the true state of affairs for secure data disposal.

The state of the art of secure data disposal is, like that in most technical spheres of knowledge, always subject to change as researchers do their work. One might imagine that this involves new techniques for more effective data recovery that employs magnetic force microscopes and similarly high-cost solutions, countered by new advice for how to defeat such efforts when disposing of hard drives and other storage media.

One example of an impressive data recovery effort is that of the remains of hard drives from the Columbia space shuttle disaster, which ultimately led to the recovery of experimental data. Six months after the shuttle came apart on atmospheric reentry, a damaged hard drive was found in a dry lakebed and delivered to data recovery specialists at Kroll Ontrack Inc. Some time in the next four years or so, 99% of the data stored on the drive was recovered. The drive was eight years old before the shuttle disaster; it was delivered to the people who recovered the data from it looking like a melted down piece of slag and then damaged further during the recovery process — but recovery was a success.

On the other hand, two other drives involved in the shuttle disaster were complete losses.

There is a persistent myth to the effect that to securely delete everything from a hard drive one must overwrite it thirty-five times with random data. This myth arises from a superficial read and misunderstanding of Peter Gutmann’s 1996 paper, Secure Deletion of Data from Magnetic and Solid-State Memory. The truth of the matter, as presented in his paper, is that 35 random overwrites serves only to apply the necessary means of securely deleting data for any of several different drive technologies. A specific data storage technology only requires some lesser technique applied to ensure secure deletion.

Perhaps more interesting is the fact that, for the most modern hard drive technologies, a single complete overwrite of a drive with zeros should be sufficient. Part of the reason for this is the fact that data density on a drive is much greater than it used to be. In layman’s terms, “the bits are smaller”, which means that when rewriting, there is less room for old data to be left behind in a recoverable manner. A fair amount of redundancy of stored data occurred on older, lower density drives because the reading and writing devices were not as precise, and small deviations would leave random small areas unaffected on a single overwrite.

In a recent epilogue to his paper, Gutmann quoted himself responding to a researcher who considered doing some data testing:

Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging. OTOH if you’re going to use the mid-90s technology that I talked about, low-density MFM or (1,7) RLL, you could do it with the right equipment, but why bother? Others have already done it, and even if you reproduced it, you’d just have done something with technology that hasn’t been used for ten years. This is why I’ve never updated my paper (I’ve had a number of requests), there doesn’t seem to be much more to be said about the topic.

Recent papers by other researchers may seem to contradict Gutmann’s results. He does address some of this in his epilogues. Judging by both his epilogues and an independent look at reporting on such papers, it seems that such papers are in some cases misguided, and in others not contradictory of Gutmann’s results so much as relating to a specific technology that falls within the range of Gutmann’s more general overview.

While no single storage technology requires Gutmann’s described technique for dealing with all technologies, few of us have the time or inclination to double-check the specific technologies and the approaches required for each of them before tackling the task of secure data disposal. If you want to run a secure data disposal service where you expect to need to deal with many, many different storage devices regularly, it pays to know the specific techniques for specific technologies, and to apply them, if only because the time and resource costs for secure deletion will add up quickly. If you are a more typical user who just needs to get rid of a hard drive every couple years or so, the time spent keeping track of drive technologies and data disposal techniques is probably worth more to you than the time it takes a computer to perform Gutmann’s thirty-five overwrite “scorched earth” technique.

Some incredibly effective data recovery techniques may yet be developed that require new secure disposal techniques, in the future. Hopefully a diligent “scorched earth” approach today will defend effectively against such approaches tomorrow, but only time will tell. Meanwhile, given today’s technologies, Gutmann’s advice for data disposal still seems to be appropriate and well considered:

There are two ways that you can delete data from magnetic media, using software or by physically destroying the media. For the software-only option, to delete individual files under Windows, I use Eraser and under Linux, I use shred, which is included in the GNU coreutils and is therefore in pretty much every Linux distro. To erase entire drives I use DBAN, which allows you to create a bootable CD/DVD running a stripped-down Linux kernel from which you can erase pretty much any media. All of these applications are free and open-source/GPLed, there’s no need to pay for commercial equivalents when you’ve got these available, and they’re as good as or better than many commercial apps that I’ve seen.

For the physical-destruction option there’s only one product available (unless you want to spend a fortune on something like a hammer mill), but fortunately it’s both well-designed and inexpensive. DiskStroyer is a set of hardware tools that lets you both magnetically and physically destroy data on hard drives, leaving behind nothing more than polished metal platters. It’s been carefully thought out and put together, there’s everything you need included, down to safety glasses for when you’re disassembling the drive. It’s had very positive reviews from its users. If you really want to make sure that your data’s gone, this one gets my thumbs-up (and this isn’t a paid endorsement, if only other technical products had this level of thought put into the workflow and usability aspects).

Given recent concerns over the possibility of electronic devices carrying spying technology, though, it might behoove you to destroy drive electronics regardless of how you erase the drive, even if you do not go so far as to melt down drive platters. It all depends on how paranoid you want to get.

TechRepublic Network Administrator: Net neutrality: Seven questions for the new Internet rule makers

Tue, 31 Aug 2010 12:00:09 +0000

It probably wasn’t how Google’s CEO-founder Eric Schmidt (of “Don’t Be Evil” fame) envisioned things. Earlier this month protesters converged on the Google campus to protest the Google-Verizon joint proposal to keep the internet neutral. Called a “joint policy proposal for an open internet,” it was innocuous-sounding enough, but to many it is being seen, above all, as a sellout of the wireless internet where Google itself is keen to play. There’s some thoughtful consideration given in the proposal to treating all content equally — but only where “wireline networks” are concerned. There is also a call for “network transparency,” but since decades into internet build-out there is still little network transparency, this seems more like a wish than a policy suggestion.

The issue of net neutrality is awash with a jumble of technology, politics, and business. Way back in 1978 Rob Kling wrote in Telecommunications Policy:

“Proposals which focus on changing the kind or quality of data available to public policy makers assume that ‘rationality’ is inherent in the data or techniques used to generate it. Yet the evidence seems to indicate that whatever ‘rationality’ may be found in policy-making is as much a feature of the policy-making process as of the data that informs it.”

This seems to be true of the latest Google-Verizon proposal. Its pronouncements are assumed to be self-evident. Little glimpse is offered of the mountain of information the two firms together could marshall to strengthen their arguments. Like many aspects of the intersection between technology and public policy, extended discourse about complex proposals is readily sideswiped by vested interests, political calculations, and guesses hazarded about future technologies.

Background: Flaws and calculations

NPR’s Tom Cole sees several flaws in the proposal, and his views are typical. The FCC is to have no real enforcement power, instead relying upon a yet-to-be-identified advisory group operating through a “complaint-driven,” case-by-case oversight. On the other hand, the new Wild West is wireless broadband, whose providers are free to create “additional, differentiated online services” within their monopolies.

Cable TV was once one of those “differentiated services.” Seen from one perspective, it grew and made possible the wired Internet speeds many now enjoy. From a different perspective, it created a tangled bundle of services including “free” and “pay” TV, local and long distance voice, and broadband - with typically only one or two providers in a market. The palette of services is deep compared to years past, but those who want to limit costs may have a hard time untangling the service bundles. For example, in the case of Verizon, bundles offering wireless, broadband and TV services are least expensive when purchased together. Further, the bundled services are each delivered on a single fiber infrastructure — no picking and choosing infrastructure, so make room for that now-mandatory battery backup.

The Electronic Frontier Foundation’s Cindy Cohn applauds the proposal for avoiding direct FCC control of content, and considers the role of outside standards bodies potentially helpful, though not without risk. (Some such bodies, e.g., IEEE standards committees requiring 75% concurrence and debates lasting years, can be closed to public scrutiny; consider the case of Ultra-wideband below.) But she worries that the proposal sidesteps already exposed issues of censorship, content control, and adds her voice to the outcry over ceding the wireless Internet to purely mercantile interests — the portion “currently most lacking in openness and neutrality.”

Existing non-neutralities

Despite the lofty goals of net neutrality, as Harish Vadad points out, “not all packets are created equal and not all applications will get the priority”. QoS requirements for Web content and email are different from voice and video. Traffic shaping with QoS mechanisms already come into play, as well as protocol differences (e.g., TCP vs. UDP). Service-Level failures can occur through intrinsic factors, not just the oft-mentioned BitTorrent “abuse,” such as broadband HDTV users may experience around 10 p.m. on weeknights. My contract with Verizon gives me only an “up to” guarantee, and for downloads the service often exceeds that, but uploads are another story (see Figure A).

It doesn’t take much imagination to see why Google would be concerned with QoS issues. Now that Google Voice has morphed into a long distance voice communications provider , one can imagine why peering and generally playing nicely with Big Telecom might make sense to Google. Verizon, a firm that in my geographical area, based solely on my own experience, is executing well with its fiber infrastructure, may want to head off a capabilities end run by the pure Internet players.

Political bandwidth: Limitless

Anyone assuming that net neutrality is a purely technical discussion should have their connectors cleaned. An analysis by the Sunlight Foundation recounts that just as there was Congressional opposition to plans as disruptive as a la carte cable service (imagine paying only for desired channels), there was opposition to net neutrality. No fewer than 74 Democratic and 171 Republican members of the House wrote the FCC in separate letters. Their gentle reminder? That Congressional direction is required before acting on net neutrality. Only last June, two of the five members of the FCC voted against a public hearing on overhauling the nation’s broadband regulations and addressing net neutrality. The political rationale varies. Some claim that the FCC doesn’t have the authority to reclassify broadband to Title II Telecommunication services, or that it would be challenged in court. Skeptics have a more cynical interpretation. In 2006, the last time Congress considered telecommunications legislation, the industry poured $59 billion into lobbying (source: Wall Street Journal via CNET).

On the other hand, a smaller voice consisting of four members from the House Energy and Commerce Subcommittee wrote the FCC chairman to critique the Google-Verizon proposal, identifying the segregation of wireless and overly broad description of “managed services.” In their letter they wrote, “Rather than expansion upon a proposal by two large communications companies with a vested financial interest in the outcome, formal FCC action is needed. The public interest is served by a free and open Internet that continues to be an indispensable platform for innovation, investment, entrepreneurship and free speech.” Senator Al Franken has referred to this as “the First Amendment issue of our time.”

Meanwhile, H.R. 3458, the Internet Freedom Preservation Act introduced by Reps. Markey and Eshoo in 2009 seems to have spent the last year stalled in committee.

Unpredictable bedfellows: Engineers and lawyers

Lawyer Mitchell Lazarus wrote in IEEE Spectrum last year that net neutrality is just wishful thinking. In 2002, the FCC said that Internet providers were not required to open facilities to other ISPs. Monopolies with vested interests moved to protect themselves. For instance, wired network provider Madison River Communications blocked access by Vonage. Comcast blocked content that might compete with its pay-per-view service. As a result, and more importantly, smaller entrepreneurs whose inventions might interfere with entrenched paradigms must worry that they will not only be drawn into long court battles, but more likely, frozen out of courtrooms because they can’t afford to litigate against wealthy adversaries. This makes raising capital even more difficult.

“Somebody is always regulating your channels. Will it be Comcast, Verizon, or do we have a rule through government that specifies minimal interference?” asked Google skeptic Siva Vaidhyanathan on a recent WNYC call-in show.

Some defensive actions ISPs might take could be illegal. Even more insidious are the actions they can take which are perfectly legal. They can demand expensive long term, or volume-based commitments to gain access to broadband service categories which are beyond the reach of startups and smaller firms. Perfectly legal. Expect that the cloud in cloud computing will need to be closer to the ground.

Lazarus bolsters his argument by reviewing the 12-year-old debate over Ultra-wideband. Here was an emerging technology supported by start-ups and radar companies, but opposed by just about every other existing corporate user of the spectrum. Not only did the fight drag on for more than a decade, despite what Lazarus argues was clear evidence that the new technology would not interfere with existing services, but the IEEE was unable to agree between two competing standards (search for “MB-OFDM” and “DS-UWB” for the sad history of competing standards) and disbanded its standards committee in 2006. The history of Ultra-wideband is an object lesson for anyone holding out hope for a straightforward role of professional associations in the Google-Verizon proposal.

Biggest benefits for the already big

The single biggest impact of the Google-Verizon proposal would be felt in one the hottest areas for investment in a weak economy. It would free the wireless Internet to engage in more price-based segmentation of services. Already in this space, and controlling not only the current revenue model but the existing infrastructure, big firms will stand to gain handsomely.

The Google-Verizon proposal tests our understanding of the distinction between large enterprises with government-sanctioned near-monopolies, and regulated public utilities accountable to a broader set of societal guidelines. Utilities can be privatized. Companies can act in the public interest and, if there is widespread adoption, economies of scale can result. But should the wealthy be allowed to buy passes for the HOV lane?

Seven questions for the new Internet rule-makers

1. Media and Telecom company size and the cost of litigation may exert undue pressure on fairness and policy formation. Is there a guarantee that profit-driven investment attracted to wireless enhanced services will benefit small and medium sized entrepreneurs as much as it will benefit the monopolies?

2. While file sharing of video is singled out as a resource hog, in fact the data to support this is not public. Can you show us the data about BitTorrent, streaming TV, and the like?

3. Cisco would like to upgrade both the wired and the wireless internet to such an extent that there’s plenty of headroom for all to play. Wouldn’t this offer a provider-neutral environment, or is the wireless genie out of the bottle?

4. Does this proposal institutionalize the disparity between rural have-nots and their wealthier urban/suburban counterparts? Will it be even worse for wireless?

5. Figure A shows an account for 35mps down/20mps up with Verizon FIOS. The Verizon-recommended speedtest shows reduced upload speeds (though the FCC-sponsored tests of small file transfers say otherwise). Where is the transparency? Will the ordinary consumer with a modest at-home network be able to monitor an ISP’s service level? Will they need to?

6. Trust in telecommunications providers is not strengthened by AT&T’s collaboration with the NSA to wiretap and analyze domestic U.S. communications. Should we place additional trust in Big Telecom to segregate and price content for the wireless internet while handling more and more privacy data?

7. Is it still impossible to envision partnerships between small businesses and the current crop of broadband brokers?

REFERENCES

The original joint Google/Verizon post (http://googlepublicpolicy.blogspot.com/2010/08/facts-about-our-network-neutrality.html) by Alan Davidson (Google) and Tom Tauke (Verizon)
The lay public is confused. A Reuters story points out that there is no consensus over the role of government in broadband adoption policy.
H.R. 3458 http://markey.house.gov/images/PDFs/netneutralitybill.pdf).

Anton Chuvakin - Security Warrior: Links for 2010-08-30 [del.icio.us]

Tue, 31 Aug 2010 07:00:00 +0000

10 Tips to Thwart Skimming

RISKS Digest: Hot debate over Electronic Voting Machines