The rise of cloud computing

Google insights shows that interest in “Cloud Computing” continues to rise meteorically, possibly at the recent expense of virtualization which is dropping off as virtualization technologies fade into the background of cloud solutions. Also of interest, the term grid computing continues to drop, also likely out of favour due to the rise of virtualization and more recently, cloud computing.

Also of interest is the provenance of these searches…primarily outside of North America:

1. India 100
2. Singapore 51
3. Sri Lanka 36
4. Hong Kong 34
5. Kenya 34
6. South Korea 33
7. Taiwan 28
8. United States 23
9. Pakistan 20
10. Ireland 19

Kenya? Really?

Posted in Uncategorized | Tagged | Leave a comment

Security – a conversation on disclosure with Dave Piscitello

As an information technology professional, information security is of huge practical importance to me, influencing pretty much every project I am involved in. While security is not my key focus I thankfully have some colleagues in the industry who I can turn to for advice and analysis: Adam Shostack and Dave Piscitello have been particularly valuable in directing my thinking on security issues.

Here is a transcript of an e-mail exchange Dave and I had about human factor engineering and vulnerability reporting:

Ian:

I read a book called the Human Factor awhile back and it got me thinking about problems in security, particularly reporting of incidents and the difficulty of getting accurate actionable data. Unfortunately I never got much of an answer from anyone as to whether it might be worthwhile to implement a system in the genre of the Aviation Safety Reporting System, which is voluntary, confidential, non-punitive and independent.

Dave:

I agree that our senses are dulled when it comes to security, to a far greater extent than air and auto safety, and several orders of magnitude *above* medical safety. But comparing computer incidents to either of these is an odd comparison. By and large, consumer and enterprise security incidents don’t result in death. Moreover, when human injury and death are identified as risks (space shuttles, ATC software, and yes, medical systems that govern life support systems and imaging), hardware and software systems undergo more stringent code review and testing, commonly by 3rd parties or government agencies. So I don’t see the risk profiles as easily compared and as a result, I think incident handling and reporting have different characteristics.

Before we consider a computer safety reporting system, we have to consider society’s understanding of the state of and need for security. Our society claims to worry over identity theft and related security incidents, but does society really worry more today over identity theft than it did when dumpster divers hunted for carbon paper used in the original credit card charge forms, or is it that financial institutions see a much greater revenue loss than they factor into their fees? Online transactions continue to grow exponentially, not because everyone believes SSL protects the transaction, or that identity theft is being thwarted, but because nearly everyone now trusts that their personal liability is bounded should someone use their credit card fraudulently.

Conclusions: Financial institutions will always take the loss because they have no choice. If they put the liability on individuals, individuals won’t use credit and debit, online or in person. Security is secondary to sustaining the revenue model. The result is that individuals don’t take security seriously because someone else assumes accountability and absorbs the loss.

Many security measures are compromised in the same way. What incentive does anyone have in reporting identity theft? Will credit card interest rates go down? Will the cost of products be reduced?

Next rant. What is a security incident? Only “technology wizards” know the answer, which throws us back to the issue of human factor engineering. The majority of users can’t distinguish between a security incident and an operating system, application or network failure. We expect computers and networks to break, we have little faith that software will work, and we have less faith that anyone is actually motivated to improve the situation. Everyone believes any system and application will eventually fail. People fall back on what they know: restart the machine, reinstall the OEM disks, lose data and cry about it, call a computer geek. How do you educate users to distinguish between a security incident and buggy software, and what incentive do they have to learn this? Imagine if you put a CSRS in place and you *don’t* educate them. Who fields all the incident reports and sorts incident from user/configuration error and buggy software?

Given how low (and accurately) the standard is set, I don’t see how a CSRS would help any more than a reporting system where drivers notify law enforcement when a fellow driver exceeds the speed limit by one mile.

Before we implement CSRS, we need to recalibrate our expectations of quality assurance and software integrity. I’d rather see society spend more time developing software reliability assurances; like SLAs, these could be used by government agencies and F1000s to hold system and software developers accountable to a set of minimum performance, stability, vulnerability, availability, and other quality metrics. Once you hold vendors accountable and threaten revenue, they’ll more seriously consider secure code review and more quality assurance cycles and we’ll see less flawed code.

One last point. I think the claims that incidents go unreported because those who report are penalized and embarrassed is rather suspect. The savvy companies I’ve consulted with work directly with their vendor when they identify an exploitable bug. They don’t make a lot of noise and fuss. The vendor assumes the responsibility for disclosure and this is probably fine; after all, how does DuPont or Goldman Sachs benefit from publishing a CVE? I worry that the notion that everyone needs to know every exploit at the zero hour is a bit overworked, and that it serves market push more than security.

Ian:

So here were my assumptions, which are important since security is not my primary line of work:

Assumption #1

As I understand it many security breaches in the corporate world go unreported:

- security staff afraid of reporting to management in certain cases

- corporate management afraid of reporting it to the industry (painting a target on their heads or shaking investor confidence)

Dave:

I think this is part Urban Myth. The rise to prominence of CSOs/ISOs gives officer/board level credibility to security in F1000s and there’s a trickle-down effect. The increased obligation to comply with regulatory guidelines that are incomprehensible to any but security professionals has made them much more valuable, and in turn, security professionals are more outspoken and demanding. In regulatory situations, reporting is mandatory; in other situations, I imagine reporting continues to vary per-incident, per-organization. I’d have to understand more how reporting leads to improved security to be convinced that unreported incidents are a root cause.

I have a more basic issue with this assumption, since it suggests that security incidents are all breaches, and all of equal and serious weight, which I know you understand is not true. However, absent a taxonomy and classification of breaches, I think it’s damned hard to determine what to report, to whom, and how to manage incidents (unless regulatory compliance demands reporting).

Examples:

- A configuration error at a firewall allows possible unauthorized disclosure of sensitive information for an undetermined period. When is this a reportable incident? To whom? How do you measure damage? Whether the organization can accurately determine what’s been touched, copied or altered and whether they will invest in the forensics to complete such an investigation and “go public” varies wildly and is hugely influenced by the regulatory environment in which the organization operates.

- Spyware infestations. An estimated 80-90% of PCs have spyware of one form or another. Even if this number is wrong by a factor of two, that’s lots more PCs than jets. Which spyware infestations are justifiably incidents? Again, no clear taxonomy and a constantly evolving threat.

- Use of unauthorized applications, unlicensed software/warez. Some say these are security incidents, others say no. Some companies spend lots of time and $ on this, others are entirely lax.

- Credential sharing/disclosure. Most security folks consider this an incident. I audited a company and found that 8 of 10 managers routinely shared credentials with secretaries and staff.

My point is that the realm of reportable security incidents is entirely too broad. Every company must decide what’s reportable, to whom, etc. according to the assets they value, regulatory environment, operating environment, etc.

This is a *very* different realm than the “bug tracking” world. BugTraq and others like them are basically external quality assurance. The model in place is entirely broken and would benefit from an operating environment that has the characteristics you list later: voluntary/confidential/non-punitive/independent.

Ian:

Assumption #2

As a result of there being penalties for reporting it would seem that the industry does not have good data on the quantity and scale of breaches which makes it difficult to band our collective intelligence together to create products (components of the architecture) which combine in a synergistic fashion so that better security emerges from the architecture not worse security due to added complexity.

Dave:

I think penalties are a small contributor to general lack of data. We have too little data for many reasons, including the ones I cited above, but ones I think are most important are (1) many companies don’t know the extent to which incidents occur (they remain undetected), (2) there’s no clear incentive to investigate incidents and hence no easy way to justify the cost (where’s the ROI in dedicating 2 engineers to a month-long analysis of disparate and non-synchronized logs to construct the exact anatomy of a successful attack?), and (3) the expertise to collect and assimilate the data is a limited resource that is almost always fighting other fires.

Ian:

Assumption #3

People might not die as a result of security issues but there are very large sums of money at stake so one would assume there could be an incentive to have this data available so both the product designers and security teams can focus on the top sources of pain and suffering.

Dave:

IMO, many calculations of loss due to attacks are pure alchemy. However, punitive damages by injured parties (e.g., the party whose HIV infection is disclosed) and fines for non-compliance to regulations *are* certainly incentives not to collect data, but to improve security deployment. Ask a CSO whether he thinks his security budget will yield better results:

(a) post-mortem analysis of security incidents for the sake of building reliable industry data.

(b) hardening servers and implementing admission control

BTW, product engineers, esp software engineers, should know exactly where the top sources of pain and suffering are: shoddy programming practices. If every data access in every program were tested to assure that buffers could not be overrun, we’d eliminate LOTS of the pain and suffering.

Ian:

Assumption #4

There is no such system/organization which allows easy reporting which is:

1) voluntary

2) confidential

3) non-punitive

4) independent

Dave:

Your points are excellent:

- incident handling and reporting have different characteristics since “death isn’t on the line”

- individual liability is low

- end users are not well trained

- revenue isn’t threatened

- disclosure of vulnerabilities happens through the vendors

So I am going to try to get more specific, say some crackers threatening (credibly) to bring down a large enterprise business, so let’s pretend:

- huge sums of money that can threaten the revenue model of the company ARE on the line

- the only people involved in reporting to this system are the security savvy IT personnel

- the system will inform other IT personnel at other companies of this new risk

- that specific vendor disclosures of vulnerabilities is unlikely to prevent or help this

Now I have heard of a new kind of insurance – basically insurance against online extortion – and this does concern me since if companies can externalize the risk of having their network held ransom or having 100,000 customer records stolen THEN there really is no way to improve things and the burden of this activity will be carried by society.

I have to admit that it does seem that it all comes down to the economics and practical aspects of security which are damn complicated and simply aren’t as well controlled as, say, elements of risk in the aviation industry. But we have to strive to improve things somehow, no?

Oh I honestly believe we have to improve things. I think reporting is the tail wagging the dog. We need to fundamentally change the way code is developed and qualified. We don’t put code through exhaustive checks in the same way a manufacturer must to have his materials used in a space shuttle. The problem is that we must convince people that doing this up front, which clearly increases software costs, ultimately reduces the lifecycle cost of computing and networking.

We then have to improve how we configure and operate clients, servers and networking equipment, and how we monitor and assimilate the information we collect as we monitor.

Ian:

Dave,

Thanks so much for taking the time to enrich my understanding on this topic.

Dave:

Always enjoyable chatting with you.


A wireless end run on the internet?

It is increasingly obvious that the reasonably functional performance of 3G+ combined with the convenience factor of ‘net access almost anyplace reasonably populated are conspiring to change internet usage for consumers and business. For example when my laptop died last April I learned to get much of my work done on my new Blackberry, with a Netbook as a complement. I still did serious work at a desktop with a broadband or high-speed office connection, but I was a bit shocked at how much I could do without certain things I thought were indispensable. Tethering is becoming widely used and the iPad 3G model is ushering in a new era of rich content consumption over wireless broadband. Since the expectation of a high quality of service on 3G networks (especially in the USA thanks to iPhone) is not there compared with wired broadband, excuses for traffic throttling and rate-shaping abound.

Will convenience and “good enough” break the end-to-end premise of the internet? Are those little HSDPA sticks the beginning of an end which sees application delivery migrate to big wireless telecom provider networks with preferential or paid access, or is this the beginning of a new, richer and more diverse internet ecosystem where cheap broadband and wifi will continue to play an important role? Om Malik nails it in his post “no stopping the mobile internet” when he comments:

The mobile internet isn’t going to play by the rules of wired net, but hopefully competitive pressures would keep bringing change to the market.

The problem, with which Canadians are painfully familiar, is that there is not a lot of competition in the wireless industry. The barrier to entry is extremely high, spectrum is not only artificially costly, but often dollars are not enough. Even Om expresses the hope (and concern) that Sprint will succeed, presumably since he knows competition is at risk.

All your basestation are belong to us

Increasingly we may be using wires or wifi to connect to a wireless broadband basestation. And if that basestation is provided by your wireless telco on the premise of providing you local connectivity for your cellphone (picocell or UMA) what does this mean for net neutrality? Might they provide basestations that don’t support Skype? I expanded on this question at great idealistic length a few years back, and concluded that the market would not allow ISPs to engage in blocking or additional charges for certain applications. But what is an App Store if not an early version of this possible future? Apple is doing an impressive job of shifting the market here, and a scary job of defining what we can and cannot do with their products, and within a year or two the battle lines should be visible if not drawn.


The (copy)fight against digital culture, and intellectual privilege

It takes (sci-fi) author Cory Doctorow to put it sufficiently lucidly: the internet is designed to efficiently and inexpensively copy information and has flourished as a result, therefore traditional copyright in the age of the web is a direct attack on the digital culture which has given rise to the web. Due to this huge shift in constraints, the legal framework we had is maladapted to the medium. The balances are out of whack.

Take, for example, the concept of the “free rider,” one who benefits from but does not contribute to a common good. Tim Lee points out that the economics of these scenarios is vastly changed by the scale of the internet. This has big implications for intellectual property, as Mark Lemley discusses in his fascinating paper.

Which segues into some broader, and enormous, problems with intellectual property in the age of the web. Never have so many people with such high levels of education had access to so much information. Most good ideas occur to many simultaneously; the challenge tends to be execution (with some rare exceptions). So I was recently intrigued by an alternative way of looking at IP: “Intellectual privilege.” Consider that for a moment. Any originality I have is predicated on some influences: education, peers, privileged information…

More on this when I get another micro-sabbatical, but bottom line is, society needs to re-evaluate the incentives and rewards for intellectual productivity to ensure they don’t have the effect of stifling innovation and worse yet, benefiting a vanishingly tiny fraction of the population.

Posted in news | Tagged | Leave a comment

What a month – I have a new boss

September was a great month. BitNorth was awesome, videos of content to come soon at Bitcurrent. Akoha had a great launch at TechCrunch and will hopefully inspire a new generation to “play it forward.” Syntenic hired a new Ops manager who brings some great unix and virtualization chops.

September is also yielding excitement with general elections in North America, and has generated economic uncertainty with the collapse of Wall Street’s pyramid scheme. However, the BIG NEWS is that I “spawned a child process” (as a colleague likes to put it) – a beautiful daughter process. For those who don’t have access to my Facebook photo albums you can see some pics at her mother’s and my best friend’s blog: AlioFish.

Nothing I have done compares to the excitement and fulfillment of being a dad. It refocuses, inspires and is an intense source of joy. I thought as an entrepreneur I would be my own boss, but no longer now that my daughter is here. And for some reason I’m ok with that.

Posted in personal | Leave a comment

A cartoon guide to new Google web browser

Well, I was thinking Amazon’s SAN in the cloud was going to be the biggest web application news of 2008. But that just got trumped by Google’s new web browser, touted by many as an “operating system for the web.” Wow. Open source, heavily influenced by popular web technologies such as Mozilla Firefox and WebKit, with a particular focus on improving JavaScript performance and browser security and stability. There is going to be a lot of information to sort through on this, but it certainly looks extremely promising. Check out the excellent cartoon guide!


Personal update

Heri at Montreal Tech Watch broke the news that my web infrastructure services company Syntenic has a new (beta) webpage. I have no doubt that my amazing wife’s blog pulls in more visitors than I do, so I am hoping to reverse that trend with a slick new design!

I also eked out a Shakespeare-inspired article on cloud computing for BitCurrent, an Alistair Croll initiative to which I contribute sporadically but enthusiastically (witness the awesome graphics here).

Speaking of collaboration with Alistair, the made-in-Montreal BitNorth conference will soon be upon us, a unique group investigation of the intersections of technology, social issues, policy and – most fittingly given the amazing location of the event – music (can revelry be far behind?). I can’t say enough good things about the location, the topics, or the people who will be there. You can still register here, if you’re lucky :)


Search gets smarter, we get stupider

A lot has been written lately on how intelligent search will solve all kinds of problems. Most recently, in The End of Theory, Chris Anderson of “long tail” fame confuses the abundance of low hanging fruit that “big search” and biotechnologies provide with the ability to really understand and extract meaning, and to pose and falsify or support hypotheses. Mathew Ingram takes issue with the Wired article in Google and the end of everything and Alistair Croll piles on in Does Big Search change science? emphasizing the familiar scientific refrain: correlation does not necessitate causation.

To be fair to Chris, it seems that he does understand Mathew’s point that correlation is not causation; rather, his thesis seems to be that with sufficiently large datasets and powerful computational algorithms, correlation approaches causation. However, I side with Mathew and Alistair: I don’t think Chris understands what Google or rapid gene sequencing bring to scientific analysis, or he has written an excellent satirical article:

Petabytes allow us to say: “Correlation is enough.” We can stop looking for models. We can analyze the data without hypotheses about what it might show. We can throw the numbers into the biggest computing clusters the world has ever seen and let statistical algorithms find patterns where science cannot.

It sounds like we should be able to just sit back and feed the raw data into a massive cloud computer, grab a few coffees, live a few lifetimes and get some answers (Deep Thought anyone?). As the search technology gets smarter we can all afford to get a lot stupider, as we are no longer required to solve scientific problems.

In actuality Google’s PageRank algorithm(s) and Craig Venter’s DNA shotgun sequencing techniques are successful because they are overly simplistic, designed to capture low hanging fruit as quickly as possible. They don’t solve the hard problems; rather, they get us faster down a road that leads to more questions: questions that are likely too complicated for either search engines or cute biotech tricks to answer, requiring experiments and analyses that are too intricate and error-sensitive…that need to be hand-held, coaxed and cajoled. Science in the real world is so different from the platonic model that is taught in schoolbooks. Failure is important, errors are crucial and we progress because human thought is remarkably adaptable and resilient in the face of this. Contrast this to the types of problems we will get when our analysis is guided by bug ridden computer algorithms, infested with worms, and the data is riddled with errors and spam.

Until the computing power and the algorithms which guide it are truly evolutionarily designed, I don’t think science will learn much from the computer. When we do get the kind of AI that Chris and the Google founders are looking for, I suspect that they will find it impossible to clock that type of artificial intelligence at Gigahertz speeds, and that we may end up re-evolving a computer that looks and acts very similar to the human brain. At which point we may regret not using the ones we already have instead.

For the next stop on this train of thought, read the excellent article Is Google Making us Stupid? I’ve got one foot in the YES camp.

Addendum: the Wired article bothered me as an epitome of reductionist scientific thought. Reductionism by nature tends to focus on the simple problems; hard problems, which are complex and expensive to tackle, are avoided, which leads to the amplification of reductionist techniques and causes. Sooner or later you might be convinced that all knowledge is within the reach of such reductionist approaches. There is a disturbing correlated trend for industry funding of scientific research to further skew science by leaving problems without obvious economic payoffs by the wayside. I would suggest that both industrial and reductionist science are represented in the Wired hypothesis.


Cloud computing – linear utility or complex ecosystem?

Reuven of Enomaly speculates on whether there will be an analogue of Moore’s law for cloud computing, looking to coin “Ruv’s law.” I would like to see more detail on what it would postulate, presumably a linear relationship between growth in cloud computation and time. I think we would also agree this would need to stand the test of time before it would be considered “law.” Moore referred to a rather simple relationship between the number of transistors that can economically be used in electronic chips and time. The cloud is likely to become a very complex ecosystem, and defy simple linear rules of productivity. Rather I would expect the cloud to both behave in unexpected ways and exhibit emergent properties. On that note I am much more interested in the phase transitions, critical junctures where the properties of the system change radically, and what the underlying causes might be (technological breakthroughs, human behaviour, power shortages). I wouldn’t be shocked if the behaviour of clouds was as hard to predict as the weather (“5 day forecast calls for a 200 msec standard deviation in latency with 10% probability of the jitters”) or the stock markets. I’m only slightly joking – my early experiences with sharing hosted grid computing resources have been variable (Mediatemple and Mosso have low cost plans). In any case I look forward to more clarity on cloud structure, composition, performance, any potential “laws” and above all the likelihood of rain…

Anyone interested in a lively string of Q&A surrounding the much hyped “cloud computing” revolution should look in on the Google group for cloud computing and check what the insightful Alistair Croll of Bitcurrent has to say. Lots of folks are trying to define cloud computing these days (check out defogging the cloud for a nice simple explanation), and it’s hard to do partly due to a Cambrian explosion of diversity which makes the cloud(s) a fast moving target.

As for me, I’m embracing the trend from the web operations trenches while keeping my sense of humour about the hype: The cloud has everything and the kitchen sink


Awesome Magnetic Visualization

Semiconductor’s Magnetic Movie is a stunning, if questionably accurate, visualization of magnetic fields and their interactions. Worth a watch:


Magnetic Movie from Semiconductor on Vimeo.
