Removing the internet's relics

May 4th 2011, 7:59 by G.F. | SEATTLE

AN OLD internet protocol celebrated its 40th anniversary recently. The File Transfer Protocol (FTP), which first appeared in April 1971, remains a simple way to move files from one device to another. The most common use in the last 15 years has been for web design and programming, where sites and systems developed and tested on a computer are moved one file at a time or in batches to a web server that spews out pages and runs scripts for visiting browsers. Happy birthday, then. Now, though, it is time to die. For FTP's persistence is one of the banes of the internet's laissez-faire ways.

E-mail predated FTP, although the "@" addressing convention was invented in 1971 as well. The subsequent decade or so brought hunks of the other paraphernalia that made the early internet hum, such as the domain-name system (DNS) for labelling addresses in text, decentralised discussion groups (Usenet), and even a standard way to type commands on remote machines (telnet).

But the internet never throws anything away. Instead, engineers twiddle, update, and overhaul. The e-mail system in use today has a strong resemblance to that of 1971, just as transferring files between two machines in 2011 is, at heart, a 40-year-old relic.

This has become a problem because the nature of trust on a network with a handful of machines is vastly different to one in which billions of devices constantly interact. Early engineers were not naive, of course, and realised the potential dangers of unwanted interlopers poking around. However, the computing power and software needed for strong encryption was out of reach to those pioneers. And due to the network's piddling size, it was, in truth, probably unnecessary. In the early days of the internet's predecessor, the American Defence Department's ARPANET, users had to maintain lists of other machines to enter the correct machine numbers. That meant that nearly everyone on the network knew everyone else by name or face, ensuring a high level of trust.

Internet protocols have coped with the trust issue (and other developments) in two ways. On the one hand, the evolution of internet-wide standards led to new security fixes being proposed and obsoleting older versions. On the other, applications—be they commercial, free, or open-source—incorporate any such changes. Many ways were proposed to fix FTP's weaknesses, too. The rub was that none prevailed as a standard. True, several awkward alternatives emerged (SFTP, FTPS, and FTP-over-SSH, to give the cryptic names of the three most popular suggestions). But neither is available consistently across all web hosting systems and each is just fiddly and imperfect enough to deter less technical web designers from using it.

When using standard FTP to transfer files, the protocol sends the necessary account name and password without encryption. As a result, they may be intercepted on an open Wi-Fi network or even wired networks that are too promiscuous (as systems that broadcast their data indiscriminately are known in the jargon). Such account information is often precisely the same used for web-based (or even terminal) logins on a server, and can be used to take over entire systems or deface web pages. Log in once at a coffeeshop, and your website might be deleted, or scripts installed to attack visitors.

Most modern internet users may have never heard of FTP except in passing, and that is a good thing. Flickr, Facebook, or most blogging and web hosting sites do not rely on FTP, precisely because they know full well that their users' passwords are highly likely to be intercepted, even in casual public use. Most sites like these also offer application programmer interfaces (APIs) which let third parties write software that communicates directly, securely and efficiently with the site's servers. This cuts FTP right out of the picture.

Google's Blogger service once allowed FTP as part of managing a blog on a user's own domain, but shut down access in May 2010 after months of assisting users in migrating content. As one Blogger programmer explained at the time, the proportion of engineering resources devoted to supporting FTP vastly exceeded the 0.5% of blogs that were still published via FTP.

However, even as the web's giants now shun FTP, tens of millions of websites accessed by hundreds of millions of people may still rely on unprotected FTP servers. Just as Microsoft has a campaign to kill its weak and old Internet Explorer 6 browser, and security experts and senators promote the default use of secure web connections at social-media and other popular sites, so, too, is the FTP ripe for the chop.

• Permalink

By Peter Ferenczi | Mon May 02, 2011 11:02 am

A congressional subcommittee sent a letter to Sony asking for details about last week's massive PlayStation Network user data theft, as the House considers legislation to help prevent future breaches.

 

 

The letter asks how the breach occurred, what information was stolen, whether all users or just a subset were affected, whether Sony knows who is responsible, and when the company notified law enforcement about the attack.

Sony previously stated that the attack happened on April 19, but it didn't acknowledge it publicly until April 22, reportedly because it wanted time to analyze the breach. The company didn't tell users their data was stolen until April 26, a delay that angered many.

The company said that it has no evidence that credit card data was stolen, but that it can't rule it out. The credit card information was supposedly encrypted, which would make it difficult but not necessarily impossible to access.

Individuals claiming to have a list of 2.2 million credit card accounts from the breach reportedly surfaced on hacker discussion boards trying to sell the data, but whether they actually had the information hasn't been confirmed.

"Given the amount and nature of the personal information known to have been taken, the potential harm that could be caused if credit card information was also taken would be quite significant," the congressional letter said.

The incident is a black eye for Sony and underscores the risk users face when trusting companies with personal data, especially payment information.

If the commercial risk of losing customers doesn't compel adequate data protection measures, regulation may step in. The House subcommittee on Commerce, Manufacturing and Trade reportedly expects to introduce data security legislation this year, which could help address the problem.

Earlier this year, a marketing company leaked millions of e-mail addresses belonging to customers of many major U.S. retail chains. While that information was less sensitive than Sony's data, it points to a recurring problem that's likely to continue if companies can't tighten security sufficiently.

The PlayStation network has around 77 million users. Sony said in a blog posting that parts of the service would be online again this week.

On Thursday, PlayStation owners sued Sony for failing to protect customer accounts from the hack.

Maybe it's time for the Gov't to step in. It seems that business is not interested in the security of their customer's personal information.

Information Security is paramount in loyalty, Sony lost big here, but will it matter to them?

Amazon’s Cloud Crash Is Over, But the Talking About It Isn’t

by Arik Hesseldahl
Posted on April 25, 2011 at 3:45 PM PT

 

The big crash of Amazon’s cloud that brought down hundreds of other Internet companies that rely upon it is over. Now everyone who was affected in one way or another is comparing notes on how they coped or didn’t. And for cloud providers not named Amazon, there’s going to be an obvious business opportunity.

Last week I talked with David Young, co-founder and CEO of Joyent, an Amazon rival with 30,000 customers around the world. His criticism of Amazon in this instance is rather harsh. The way the Amazon cloud is built, he said, virtually guaranteed that a service outage such as this would happen. While on one hand he gives Amazon high praise for “evangelizing the cloud computing model,” with the other he disparages it as “the Atari of the cloud.”

“Amazon does not represent the cloud,” Young says. “These guys are booksellers who got in the cloud business. That’s like Nordstrom’s getting into the cash register business,” he told me. “They may be the market leader, but there’s a bunch of us who are building things in such a way that we don’t see these downtimes.”

It’s hard to miss Amazon’s outsize influence. Though Amazon Web Services amounts to just a fraction of the company’s overall revenue, it is the market leader, controlling about 60 percent of the market with Rackspace, IBM, Joyent and Terremark, recently acquired by Verizon.

Joyent, which is privately held and backed by investments from Greycroft Partners and Intel Capital, would never have suffered an outage, Young claimed, because of the way it is built. Amazon, on the other hand, was never designed for what he calls persistent computing that customers need to be available all the time. The problem, he said, started in Amazon’s Elastic Block Storage, which is vulnerable to being overwhelmed by demand, something he likened to a run on a bank, where depositors panic and rush to withdraw the cash from their accounts.

Essentially, he said, Amazon became a victim of its own popularity, unable to meet the demands placed upon the EBS storage infrastructure by the network, causing in the end a cascading failure. The company has blogged about its theory in greater technical detail here.

Meanwhile, there were Amazon customers who managed to keep their services up despite the crash, and they were comparing notes today. Don MacAskill, CEO of the photo-sharing site SmugMug, blogged about how designing for failure allowed its service to remain live during the crash. Others tweeted, like Mathias Meyer of Basho Technologies, who noted that having their service running in more than one Amazon region helped avert failure.

There were others. Donnie Flood, VP of engineering of Bizo, an advertising service aimed at business executives, said that the company used all of Amazon’s regions except its most recently launched one in Japan, and combined that with a global Domain Name Service system that would direct traffic to the nearest Amazon region. When Amazon’s U.S. East region went down, all traffic in the U.S. was routed to its Amazon instances running in Amazon’s Western U.S. data center. “We were able to stay up fully the entire time,” Flood said.

Oren Michels, CEO of Mashery, a cloud-based manager of software APIs, said that his company had additional cloud infrastructure in place from Internap that took over when Amazon failed. Neither Michels nor Flood said he was likely to move the services currently hosted with Amazon to another provider.

Amazon hasn’t made any public statements about what happened, beyond those made in its status dashboard, and it hasn’t responded to any of my messages seeking a comment on any aspect of this. The company reports earnings tomorrow, so expect some questions on the conference call about Amazon’s terrible, horrible day that stretched into nearly a week.

   

http://newenterprise.allthingsd.com/?p=5448">View Comments Tagged: Arik Hesseldahl, NewEnterprise, amazon, amazon web services, Atari, Bizo, Cloud Computing, crash, David Young, failure, Greycroft Partners, IBM, Intel Capital, Joyent, Mashery, outage, Rackspace, Terremark, verizon | permalink

 

We’ve launched a new commenting tool, Disqus. For the full story on all of its functionality, click here. To begin commenting right away, you can log in below using Disqus or Facebook Connect-—you can also log in using an existing AllThingsD account. Learn more about how Disqus collects and uses information in connection with the comments tool.

via newenterprise.allthingsd.com

SEA LIFE RAINCAMPAIGN®

FRESH GREEN ADS has developed a
RAINCAMPAIGN for SEA LIFE Scheveningen.
Every time it rains the octopus of SEA LIFE
Scheveningen appears on streets and
cisterns with its tentacles holding the text:
"SEA LIFE never lets you go."

The RAIN CAMPAIGN appears in and around
Scheveningen. The people on the streets are
on a surprising way drawn to the wonderful
world of SEA LIFE Scheveningen when it
rains. When the streets dry up the octopus
disappears again. These striking and
environmentally friendly messages remain
visible up to six to eight weeks.

Great concept for the NorthWest! We need more innovation of this kind.

Computerworld - Amazon.com is well into the second day of trying to fix a cloud outage that has partially disabled or knocked out popular Web sites like Quora, Foursquare and Reddit.

The trouble started a little after 5 a.m. ET Thursday when the company's Service Health Dashboard reported connectivity issues that were affecting its Relational Database Service, which is used to manage a relational database in the cloud, across multiple zones in the eastern U.S.

Because of server problems at Amazon's data center, which handles the company's EC2 Web hosting services, Web sites, including popular Web 2.0 sites, were left staggering or disabled.

As of noon ET Friday, these sites have been affected for about 30 hours.

Earlier today, at 5:41 a.m. ET, Amazon reported that its engineers were making progress. At 9:18 a.m. it noted, "We're starting to see more meaningful progress in restoring volumes (many have been restored in the last few hours) and expect this progress to continue over the next few hours."

That comes about 19 hours after Amazon reported Thursday afternoon that it was only a few hours away from having the problem solved.

Amazon updated users again at 11:49 a.m., saying that "many" customers have confirmed that their sites are recovering. "Our current estimate is that the majority of volumes will be recovered over the next five to six hours," the company reported.

Reddit reported at 10:30 a.m. that it was still running in emergency mode. Foursquare appeared to be up and running, while Quora was bouncing between read-only mode and the site's not launching at all but showing an "internal server error" message.

HootSuite was also having problems, reporting at one point that it was "back up" and then coming back with "again offline."

Ezra Gottheil, an analyst with Technology Business Research, said the outage is a big problem for the disabled Web sites, but it's an even bigger problem for Amazon.

"It's a pretty big hit. It's big and it's public," Gottheil added. "When you're doing business on the Web, you don't want to have your doors closed -- ever... It's tough for the sites. Most users will check again later but they'll lose a few."

For Amazon, though, regardless of its reputation as the top player in the cloud sector, the disruption will be hard for current customers to brush off and could hurt attracting future customers.

"This will give the other cloud vendors, especially the higher-end ones, a talking point that won't go away for years," Gottheil said.

Sharon Gaudin covers the Internet and Web 2.0, emerging technologies, and desktop and laptop chips for Computerworld. Follow Sharon on Twitter at

@sgaudin or subscribe to Sharon's RSS feed

. Her e-mail address is sgaudin@computerworld.com.

Read more about Cloud Computing in Computerworld's Cloud Computing Topic Center.

This is a catastrophic event for Cloud Hosting. What was supposed to be a fault tolerant system, appears to be quite vulnerable.

Managed File Transfer (MFT) is a growing market that feeds many business needs. In a nutshell, MFT builds on secure file transfer services by providing additional capabilities such as automatic file encryption, full transfer logging and complete reporting functions. These capabilities are directed at regulatory compliance needs such as PCI DSS, SOX, HIPAA and GLBA.

While there are many tools that are attempting to address this space, and we are testing a few, the one that stands out from a cost/benefit perspective is JSCAPE MFT Server. We'll be putting it through it's paces over the coming weeks.

JSCAPE MFT Server

Secure FTP Server with Managed File Transfer

JSCAPE MFT Server is a managed file transfer solution that centralizes all of your file transfer processes into a single easy to use application.  JSCAPE MFT Server supports all major file transfer protocols including FTP/S, SFTP, SCP and HTTP/S.

Very nice short scenic film of Seattle, WA

Plotting information -- say survey data in Pakistan's Federally Administered Tribal Areas or election results in Afghanistan -- on any kind of map adds critical geo-context to the data. These maps quickly become move powerful when you start adding more custom overlays, showing data like where different ethnic groups live, high incidents of corruption, or more complex visuals like the number of deaths per drone strike in Pakistan and which U.S. president ordered it.

What is really amazing is how accessible it is now for people to make custom maps to be able to tell more complex stories with data. Specifically, tools like Google Maps, OpenLayers, and Polymaps have made basic web mapping ubiquitous by making it simple to drop a map into a website, and their APIs open the door for everyone to customize maps by adding custom layers.

The trick now is to radically reduce the barrier to entry for making these overlays and custom base maps. This is the exact goal we had for our recently released TileMill, which is fully open sourced and built on top of fantastic open source tools.

TileMill is a modern map design studio that lets you design maps for the web using your own data or any publicly available data set. What makes TileMill unique is that it allows anyone who understands the idea behind CSS in web design to quickly and easily design custom maps.

Here is a look at using TileMill to make a custom baselayer map of Local Government Areas in Nigeria. This map helps visualize survey data around the upcoming presidential elections on April 9th.

Custom maps created in TileMill can be used on the web and also exported to run on mobile devices as an MBTiles file, an open format that packages up tiles to make them more portable and pluggable.

You can see TileMill in action in this video, where it's used to create a map of Amtrak routes in the United States, and then exported for use on an iPad:

You can download TileMill and read documentation on how to use it at TileMill.com. If you run into any bugs or have other feedback, please let us know in the issue queue.

And finally, a big thank you to the Knight Foundation for funding much of this work.

It's great to see apps like this popping up. There is always a use for geo-centric visual data in advertising, especially client reporting.