Archive for the ‘Business’ Category

« Older Entries

Comments on Online Account Security

Friday, September 3rd, 2010

I see that Facebook has been casting around, looking for some way to enhance security.

They certainly have challenges:

  • users with weak passwords
  • application bugs
  • advertising-supported, so cannot afford a lot of human-human account support
  • user account lists circulating through partners and malicious users.

The physical world relies on either a guard who knows your face, or 2-factor authentication:

  1. something you know (a passphrase) and
  2. something you have (a token) or are (biometrics).

Web-sites usually get considerably less …

Being an Internet company that doesn’t issue X.509 certificates, on a good day Facebook can only get 1-factor authentication (a strong password), and on most days, 0-factor authentication (their users are re-using weak passwords from other accounts.)

I give them credit for adding login notifications and the “force logout” feature. Users can change their password and disconnect other users and bots from their accounts.

The next step would be enforcing strong passwords and displaying a captcha on every logon.

Beyond that, enforcing online security gets hard to tighten in a reliable manner.

I’m skeptical of their additional security attempts.

Cookies can be deleted, and IP addresses are shared in proxies or change over time. Doing SMS verification seems like a burder for a social media account user.

However when you’ve got 500 million accounts, any means of improving security or analyzing security issues saves on support costs.

Authentication: Something You Know, Have, or Are

Posted in Business, Tech | No Comments »

HTTP to HTTPS and CDN Transitions in Web Browsers and Email Clients

Wednesday, September 1st, 2010

It’s easy for front-end designers and server-side engineers to create web sites that don’t play well when SSL and Content Delivery Networks (CDNs) are added to the site.

Fortunately it’s also easy to solve that by understanding how to design HTML and site structure in advance to support those.

One of the most helpful things that can be done is to have well-defined URLs for HTML, images, CSS and JavaScript in the following scenarios:

  • homepage content rooted under /, like ., images, css and js respectively
  • admin site content rooted under /app, like ., images, css and js
  • CDNs where you may store content in the future, such as a network-local proxy, Amazon, Akamai or Limelight. Generally a remote URL is overlaid onto the homepage or admin site structures listed above.

If you have localized content, each of the subdirectories above may be subdivided by ISO language code also.

Generally HTML and URLs intended for web browsers and email clients needs to be considered separately:

  • web browsers handle relative URLs well
  • email clients do not handle relative URLs as well as browsers, if at all. For example, not using an absolute URL or not specifying the scheme (ie. ://domain.tld) will cause problems in most email clients.
  • in both cases, HTTP servers can use URL rewriting if necessary to make changes after the design is done.

Relative URLs not only help with HTTP to HTTPS transitions, but also in creating developer sandboxes, and test and QA servers.

Try to make as many links as possible relative in your HTML as possible if you’re planning on using SSL or test servers in the future. Fixing the links later can be expensive as it requires testing the entire site again for broken links.

By having reserved directory paths for images, css and html, it’s possible to set far-future expiry times to improve cacheability of those assets. However, the filename may not be reused, so new version of images need to receive a new filename or else caches will continue serving the old content.

And by having a URL available for items that could be served from a CDN, it’s possible to configure your CMS to be CDN-aware from Day One and avoid site changes and testing later. One of the first things I check when evaluating CMS programs these days is how I would easily be able to change serving images from a local web server to a remote CDN.

Posted in Business, Open Source, Tech, i18n | No Comments »

Some ZFS News

Friday, August 27th, 2010

Phoronix has a really well-written article on ZFS, including news on a company planning to release a CDDL-licensed linux kernel module.

ZFS is the holy grail of filesystems. Many Database Administrators have switched from Linux to Solaris because ZFS has much better snapshot support than LLVM, as well as good SSD support.

phoronix.com: Native ZFS Is Coming To Linux Next Month (Aug. 27, 2010)
phoronix.com: Btrfs, EXT4 & ZFS On A Solid-State Drive (Aug. 9, 2010)
phoronix.com: Benchmarking ZFS On FreeBSD vs. EXT4 & Btrfs On Linux (July 27, 2010)
phoronix.com: Running ZFS With CAM-based ATA On FreeBSD 8.1 (July 26, 2010)
github: Native ZFS for Linux
FreeBSD Wiki: ZFS

Posted in BSD, Business, Linux, OSCON, Open Source, Oracle, Storage, Tech, Toys | No Comments »

DynDNS Being Evil

Friday, August 27th, 2010

DynDNS is changing the ToS on their free accounts to make them less appealing, thus encouraging upgrades to their Pro account for $15/year.

Now a Free account holder is required to “log into your account or update your hostname monthly” or their account gets expired, resulting in the hassle of having to setup their dynamic address again.

Previously 5 free domains were allowed, now reduced to 2.

DynDNS Changes Dialog

Posted in Business, Tech, Toys | No Comments »

Simultaneous Outages for All Major Credit Card Sites

Sunday, August 22nd, 2010

I just tried to pay my USA credit cards online, and at 1:30 am PST this morning (Sunday) all three account websites were down for maintenance (either refused the login or refused to show account activity.)

Hmm … I’ve noticed a pattern of financial websites always taking the maintenance window, instead of architecting for 7×24 uptime. The web is still treated like a second-class citizen compared to the rest of the banking system.

Note: I used to work for a major bank, and the IT employees were smart enough to avoid this. Not sure what’s going on.

msnbc: BofA online banking down for 4 hours (August 27, 2010)

Posted in Business, Tech | No Comments »

Java and the Software Patent Minefield

Friday, August 13th, 2010

I was always skeptical of Sun’s possessive and schizophrenic licensing of Java … originally CDDL (Open Source, but not quite Free), then licensed under GPL2 in 2006 but with numerous patents filed.

Some versions had “classpath exceptions”, like Standard Edition (SE), and some didn’t, like Mobile Edition (ME.)

So I stuck with C/C++ and Unix scripting languages like Perl, which don’t rely on any one company.

Oracle has clarified what those Java patents mean, with a lawsuit against Google for using Java, over 7 software patents originally granted to Sun. They even tossed in some copyright violation complaints.

(Oracle/Sun also has numerous restrictions on their downloadable Java binaries, including right of agreement termination at any time.)

The US Patent Office created a software and business method process minefield when it allowed patents on the most trivial of ideas reduced to practice.

One of the patents being litigated even involves the JAR format.

This is just the latest example of why software patents are of no benefit, except to monopolists who want to impede progress and openness.

allthingsd.com: Love, Larry: Here is the Oracle Statement and Final Complaint Versus Google
cnet.com: Sun settles Kodak’s Java suit for $92 million (2004)
cnet.com: Sun picks GPL license for Java code (2006)
cnet.com: Why Oracle, not Sun, sued Google over Java

Posted in Business, Open Source, Oracle, Tech | No Comments »

Three Weeks to Create New Twitter Account

Monday, August 9th, 2010

TwitchI’ve been trying periodically since OSCON on July 19 to create a Twitter account for @ActionMessage, but kept getting an error page with “Internal Server Error” from twitter.com.

After 3 weeks signup finally worked … yay!

However, the first account confirmation email never arrived (verified by looking at my MTA log), so I had to request it again.

Twitter.com engineers, here’s 2 tips for reliably sending email programmatically:

  1. Have your program inject the message to an MTA relay that is located inside your data center (www.twitter.com and mx006.twitter.com seem to be on same network segment, so that looks ok)
  2. Do program error checking and retry email message injection if it fails, and log the application error so ops can figure out why. (The resend_confirmation_email link could be instrumented with query-string parameters to help diagnose problems.)

I guess part of the charm of Twitter is its unreliability, though that needs to change as it targets paying business clients.

@ActionMessage
pingdom: twitter/home

Posted in Business, Tech, Toys | No Comments »

YouTube: Subsidizing Internet Video for the World

Monday, August 9th, 2010

YouTube LogoHere’s some links related to YouTube subsidizing Internet video for the entire world. Thanks, Google!

(youtube.com domain name registered Feb. 15, 2005.)

blog.forret.com: Youtube bandwidth: terabytes per day (2006)
slate.com: Do You Think Bandwidth Grows on Trees? (2009)
Arbor Networks, the University of Michigan and Merit Network To Present Two-Year Study of Global Internet Traffic At NANOG47 (2009)
YouTube myth busting (2009)
mashable.com: Viacom Loses $1 Billion Lawsuit Against YouTube (2010)
socialtimes.com: Google CFO Reveals Viacom’s Lawsuit Cost YouTube $100 Million
youtube-global.blogspot.com: YouTube wins case against Viacom (2010)
wired.com: YouTube’s Bandwidth Bill Is Zero. Welcome to the New Net (2009)
Cringely: A Net Game for Google? (2010)
slashdot.org: What Are Google and Verizon Up To? (2010)

Posted in Business, Storage, Tech, Toys | No Comments »

« Older Entries