Mar 11 2010

AWS Import/Export – Support for Raw Drives and Bigger Devices

We’ve made two improvements to AWS Import/Export.

You can now send us a “raw” or internal SATA drive all by itself, with no need for an enclosure. You don’t have to send connectors, cables, or power cords. Raw SATA drives appear to be the most cost-effective way to send large amounts of data from place to place.

If you have a SATA cradle (I use this one at home; others have told me that they like this one), you can connect the drive to your desktop machine without having to open up the enclosure.

Also, you can now send us drives with capacities up to 4 TB. Customers who need to import or export large amounts of data can now do so with fewer devices.

Don’t forget that tools like Bucket Explorer, the CloudBerry S3 Explorer, and the S3Fox Explorer make it easy to create your Import and Export jobs.

Source


Mar 9 2010

Former NSA tech chief: I don’t trust the cloud

The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Crypto AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much — a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

Source


Mar 9 2010

Cloud Connect: A Convergence Of Expertise

The Cloud Connect conference March 15-18 will feature leaders of the NoSQL movement speaking on how to handle large data sets in the cloud. The NoSQL movement and other cloud practitioners are likely to be out in force at the Cloud Connect 2010 conference March 15-18 in Santa Clara, Calif., one of the first major gatherings of the year on cloud computing.

One of the workshop instructors March 15 will be Dwight Merriman, CEO and co-founder of 10gen and the architect of the DoubleClick ad serving system, DART. DART is now serving billions of ads a day. Merriman will instruct a first-day workshop on MongoDB and why it and other NoSQL systems, such as CouchDB and Hadoop, are preferable to traditional database systems for operations in the cloud.

MongoDB is a cluster or cloud-based data management system that does not rely on relational database principles. Cloud users try to get away from relational databases for operations on large data sets because SQL queries tend to consume CPU cycles and “thrash the disk” as they pull data off it.

“NoSQL” systems work with data in memory, or upload chunks of data from many disks in parallel. 10gen is a New York-based company that sponsors the MongoDB open source project and provides commercial support for it.

Alistair Croll, an organizer of the event, said Merriman is one of several cloud computing professionals recruited to speak based on their credentials as “doers” in the cloud environment.

Another is Bradford Stephens, founder of Drawn to Scale, a firm that designs systems to deal with Web-sized masses of data. He will speak on “Introduction to Big Data and Storage at Scale” at 8:15-9:15 a.m. on March 18. His co-speaker will be Florian Leibert, software engineer, research, at Twitter.

The topic “Processing Big Data” at 9:30 a.m. March 18 will feature Chris Wensel, CTO and founder of Concurrent, a supplier of tools for creating applications that execute on parallel computing clusters, and Nathan Marz, lead engineer for BackType.com, a Web site that searches blogs and social networking sites for particular topics of discussion.

“Learning from Big Data with Scalable Analytics” will be the topic of a talk at 10:45 a.m. March 18 given by Michael Driscoll, founder of Dataspora, a firm producing software for data analytics and visualization, and Ted Dunning, CTO of Deepdyve, an aggregator of medical knowledge.

The Cloud Connect conference at the Santa Clara Convention Center is organized by TechWeb and is billed as bringing cloud computing stakeholders together in one event.

“These are the people who are the experts in a given domain, the guy who wrote the thing or the guy who invented it,” said Croll. There will be many cloud computing vendors both on the show floor and in the ranks of speakers, but Croll said the conference was seeking to make their presentations “non-partisan” and focused on their subject expertise.

Source


Mar 2 2010

Cloud Security Alliance To Tackle Cloud Standards

Novell and the Cloud Security Alliance have announced a vendor-neutral “Trusted Cloud Initiative” for developing standards and certification of cloud security, compliance, identity management and other best practices.

While cloud computing is a popular topic, it lacks a set of well-defined terms and standards that tell prospective users concrete information about the environment they’re about to adopt.

Businesses considering adopting cloud computing lack assurances they will be able to continue to control their data, enforce best practices and guarantee security, said Jim Reavis, executive director of the Cloud Security Alliance Monday.

The Cloud Security Alliance is a group of consultants, vendors, and cloud users that formed a non-profit group at the end of 2008 to address the lack of standards for cloud computing.

If a prospective cloud user and a vendor talk about level three security in the cloud, one may have a completely different idea of what the other is saying. There are no defined levels of security in cloud computing, and it’s difficult to get a discussion going when one party can’t be sure of the terms that the other is using. The Trusted Cloud Initiative is aimed in part at creating a shared set of standards that can be verified by neutral third parties.

“By building a consensus security reference guide and certification roadmap, we are creating common ground for both enterprises and cloud providers, and expect to accelerate cloud adoption,” said Alan Boehme, senior VP IT strategy and enterprise architecture at ING Americas, a branch of the Dutch insurance conglomerate, in Monday’s announcement. Boehme is a member of the board of directors of the Cloud Security Alliance.

“Our customers need a visible seal of trust. We strongly believe education, clarity, and industry-approved security guidelines will propel the adoption of cloud computing,” said Dipto Chakravarty, VP of engineering, Identity and Security unit at Novell. Reavis said Novell proposed launching the Trusted Cloud Initiative with the alliance.

The initiative will define a roadmap and certification criteria for secure cloud computing. Members of the Cloud Security Alliance include Microsoft, Dell, Rackspace, Qualys, HP, Intel, Cisco, McAfee, Salesforce.com, Symantec, the DMTF (formerly Distributed Management Task Force) standards body, and the Information Systems Audit and Control Association (ISACA).

The initiative is co-chaired by Nick Nikols, VP of product management for Novell’s Identity and Security unit, and Liam Lynch, chief security strategist for eBay.

Nils Puhlmann, chief security officer at Zynga Game Network, a producer of online social games, including FarmVille, said the alliance will pay attention to other standards efforts and adopt them, whenever it can.

“We are committed to aligning the Trusted Cloud Initiative with other standards efforts,” he said in the announcement. But the alliance will be responsible for “assembling the reference model and certification criteria from existing standards, and we will complete it in 2010,” he said.

Source


Feb 23 2010

Yes it is possible to resource starve a Cloud Computer

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to. The attack started on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal, I closed up shop on Friday and went home.

On Sunday I got an alert from the system that it had hung, and when I went to take a look at it using HTTP and SFTP the computer simply would not respond; there was no way to access it. In the control panel provided by the company I use for cloud hosting, I simply rebooted the box, thinking that it was hung on a process that was keeping the box from being accessed. Over Sunday night, I got three more alerts that the box had hung.

Monday morning when I went into work I rebooted the box again (this is a low priority box with almost no regular use over the weekend) and dove into the error logs for the box.

Over the Saturday-Sunday period someone had seriously tried to get into the computer. Over 250 gigs of access logs and over 300 gigs of error logs had almost consumed the disk space that I was using. The computer was not simply hung on a process; it had been resource starved, because during the hacking attack the hacker had hit the system so hard that there were no more ports open to make a legitimate connection. Towards the end of the attack (Sunday night) they had hit the computers with what looks like a simple denial of service attack.

My thoughts on this are that my computer survived and came back to operations with a simple reboot of the cloud computer to free up resources that had been consumed during the attack. No data was lost or stolen from the system, and its role is to deliver multimedia and provide data back to a Learning Management System. This meant the loss of some ability for the LMS, but nothing that would have killed the entire system.

The 300 gigs of error logs is overkill; the assumption is that at some point the hacker or hackers got angry enough about not being able to get into the system that they simply did a denial of service against the box, aiming to resource starve the system and cause problems for the system administrator over the weekend. I do not think they knew it was on the cloud or that it was a simple matter of rebooting the box to restore services.

The hacker or hackers had failed in getting into the box, which is good, but resorted to DDoS to cause resource starvation as a final act. I do not think we are dealing with a true professional, but I do think we are dealing with a person who is a step above a script kiddie. They had access to an awesome level of firepower for their DDoS; we logged thousands of IPs Sunday night. My belief on this one is that the person or persons had access to a botnet or a very large number of compromised systems to make this work.

I paid 20 cents a gig in bandwidth costs for the attack. With roughly 500 gigs of traffic aimed at the system according to my monitor, I paid 100 dollars to my cloud service provider for bandwidth consumed during the attack.

I only had temporary loss of one system because of the way that we distributed the cloud architecture across multiple systems in different data centers. As users switched over to different data centers, the system performed as architected, people were able to get their data over the weekend and nothing was truly slowed down or otherwise inaccessible during the attack.

It took two hours to go through the log files on the system to see what had happened. It took 15 minutes to generate the report to IT. This is literally the quickest I have ever gone through an attack, including clean-up and log analysis. It is also the cheapest attack I have ever dealt with in terms of loss or dollar costs associated with an attack, which made for a fun hacking attack with a ton of data to use in the classroom and share. The good part is that a distributed architecture in this case worked, which validates the way we built the cloud-based system with failover in mind, not necessarily a hacking-attack-induced failure of a system.

It is possible to attack a cloud computing system, and it is possible to resource starve a cloud computer, but in the longer run survivability and the ability to get to data rely on the architecture that the system was initially built around. If you are building a cloud space for your company, think in terms of survivability and failover if a system in your cloud space fails for any reason, and how to recover and still present data to the end user. Hacking attacks happen, and hackers will get angry and try to DDoS your site off the planet. How you architect your cloud space and cloud services will help you survive hackers as well as the occasional other failures in the system.

Source


Feb 23 2010

New EC2 Instance Type: m2.xlarge

We’ve added a new EC2 instance type to our repertoire. It is called the High Memory Extra Large (m2.xlarge) and has the following specs:

* 17.1 GB of RAM.
* 420 GB of local storage.
* 64-bit platform.
* 6.5 ECU (EC2 Compute Units), 2 virtual cores each with 3.25 ECU.

You can leverage this new instance type as a lower cost option if you are already using Standard Extra Large instances. The new instance type is available now in all of the EC2 Regions (US-East, US-West, and EU).

Source


Feb 19 2010

Cloud Security Alliance and IEEE join forces

The Cloud Security Alliance (CSA) and IEEE are joining forces to ensure that best practices and standards are developed and available to provide security assurance for cloud computing. As a result of this collaboration, CSA and IEEE have been conducting a survey to identify and define the most critical security concerns surrounding enterprise cloud computing.

The survey was completed by hundreds of IT professionals who are actively involved in implementing cloud-related projects. CSA and IEEE will announce their findings at the RSA Conference.

“Since founding the Cloud Security Alliance, our members have been committed to defining a set of best practices that will enable their organizations to embrace their cloud initiatives without compromising their security posture,” said Jim Reavis, founder of the Cloud Security Alliance. “As one of the world’s oldest and most respected computing organizations, the IEEE and their global membership will help us gain valuable insight into which cloud security concerns are most pressing. Once we fully understand these priorities, we will be able to better define new standards that will improve all aspects of cloud security.”

“The true promise of cloud computing will only be realized if all aspects of security are addressed and communicated in a truly open and collaborative manner,” said Judy Gorman, Managing Director, IEEE-SA. “Both CSA and the IEEE bring a unique and informed perspective to the table and this survey will help set the agenda for developing a comprehensive set of cloud security standards.”

Source


Feb 16 2010

Cloud platform choices: a developer’s-eye view

Cloud computing is one of the most hyped technology concepts in recent memory, and, like many buzzwords, the term “cloud” is overloaded and overused. A while back Ars ran an article attempting to clear some of the confusion by reviewing the cloud’s hardware underpinnings and giving it a proper definition, and in this article I’ll flesh out that picture on the software side by offering a brief tour of the cloud platform options available to development teams today. I’ll also discuss these options’ key strengths and weaknesses, and I’ll conclude with some thoughts about the kinds of advances we can expect in the near term. In all, though, it’s important to keep in mind that what’s presented here is just a snapshot. The cloud is evolving very rapidly—critical features that seem to be missing today may be standard a year from now.

Before I begin, it’s worth noting one of the key reasons for the confusion that surrounds cloud computing. Unlike most hot tech trends that attain buzzword status, the aspects of the cloud that make it a truly new form of client-server (e.g., rapid scalability from a few resource units to tens of thousands, metered usage models, the ability to access resources from any Internet-connected device, low barriers to client entry, etc.) also make it impossible, at least from a developer’s perspective, to pin down into the traditional “enterprise,” “small to medium business,” or “consumer” boxes that the IT world thinks in terms of. Enterprises, SMBs, tiny startups, and lone coders all run their code on the cloud platforms described below. It’s true that each category of user faces different parameters and constraints when deciding how and where to use cloud services, and I’ll reference a few of the issues that enterprise users face in the article below. But although the basic perspective of this article is that of enterprise IT, much of the material is relevant to non-enterprise users as well.

Source


Feb 9 2010

Startup links VMware with Amazon to create secure cloud storage

A storage startup called Nasuni is unveiling a virtual NAS file server that runs on VMware and connects customers to cloud platforms such as Amazon’s Simple Storage Service, adding encryption to enhance security and several features to improve performance.

Nasuni was founded last year and on Tuesday is announcing the beta version of its Nasuni Filer – a so-called “cloud storage gateway.” Target customers are mid-sized companies that are interested in cloud storage but are concerned about exposing sensitive data or suffering from high latency.

“We connect our customers to partners, people like Iron Mountain and Amazon that provide cloud storage, and we are delivering it as a file server in your virtual environment,” says Nasuni founder and CEO Andres Rodriguez, who previously founded Archivas, an online storage management software vendor acquired by Hitachi Data Systems three years ago.

Nasuni is based in Natick, Mass., with 18 employees, and has $8 million in first-round funding from North Bridge Venture Partners and Sigma Partners. Rodriguez says Nasuni has eight customers in alpha mode and is now offering the filer in a free public beta.

Nasuni’s NAS file server runs in a VMware virtual machine and integrates with either Amazon S3 or Iron Mountain remote storage services, while providing features such as encryption, caching, deduplication, automatic provisioning, and synchronous snapshots.

Accessing cloud storage introduces latency, Rodriguez says, but Nasuni allows users to work with a local cache, speeding up access to data.

“It’s quite clever,” says IDC analyst Laura DuBois. “It does address security concerns in the form of encryption of data in flight and at rest, and it also certainly addresses the concerns around availability.”

Nasuni is one of many startups building software and services that add capability to cloud platforms such as Amazon. For example, the company RightScale was founded to help customers build and clone virtual servers and manage storage in the cloud, and Symantec offers storage management for Amazon customers.

Nasuni will make its product generally available in the spring, and add more partners before doing so, according to Rodriguez. Nasuni will start charging customers after the beta trial, with fees starting around $250 a month. Although two vendors will be involved in each sale, customers would receive just one bill, which could come either from Nasuni or a partner depending on the billing model, he says.

Source


Feb 4 2010

Revisiting EC2 Instance IDs

Sören Bleikertz, a computer science student writing his Masters thesis on EC2 security, poked into the Xen hypervisor used by EC2 and made some observations regarding EC2’s underlying architecture. Among his findings on the storage and networking configurations, Sören pointed out that each instance was given a unique name (the “Xen domain”) such as dom_32504936 and that this seemed to behave like a serial number, growing from day to day. Sound familiar yet?

Well, it turns out that this Xen domain is none other than the underlying instance ID uncovered in my previous research! This revelation gives us an important conclusion: the decoding method was accurate. The serial number exists and based on everyone’s input we even got the formula right.

With Sören’s technique at hand we can now uncover the constants needed for all EC2 regions. Except for us-east-1, which thanks to RightScale enjoyed a 3-year history, we did not have enough data to extract the constants for the other regions. Surprisingly, it turns out that the constants are in fact identical for all regions. What threw us off the scent is that, as opposed to us-east-1, which very likely started the serial number from zero, the other regions do not. For example, the serial numbers for the 3-month-old us-west-1 region are already in the range of 752 million. Those for eu-west-1 are in the 500 million range. We can safely assume that hundreds of millions of instances have not in fact been spun up. What makes more sense is that each region was assigned a different starting point in order to ensure globally unique instance IDs.

An additional finding of Sören’s is that the image file for the root disk points to a filename on the VM host such as /mnt/instance_image_store_3/262768. It turns out that the number at the end of this file is, again, simply the AMI ID – decoded. For example, we can re-encode 262768 to yield ami-19a34270, which is Alestic’s Ubuntu Karmic Base image. Similar to instance IDs, the underlying image ID also seems to have different ranges in each AWS region.

Source