Posts Tagged ‘security’

The Tent Datacenter

In Microsoft’s “The Power of Software” blog, they recently ran a post about a “datacenter” they ran inside a tent. The idea was to prove that they could run a rack of servers without any air conditioning using only the outside air to cool it and show how resilient servers really are. This way, the only power that was actually used was the power used to run the servers, thus achieving a better PUE. The rack of servers actually got wet and stayed up. Interestingly, (at least to them) the servers maintained a 100% uptime for the entire 30-day experiment. I’m going to throw out my security and environmental concerns just for the sake of this argument.

As a whole, the IT industry definitely does a lot of over-building of architecture. We buy two of everything. Through my job I’ve learned to trust nothing. Heck, sometimes I feel vulnerable driving down the road in my car since I don’t have dual tires and dual engines so in case one fails, I can keep going. Don’t laugh, it’s funny because it’s true. In our industry we quickly learn that everything fails. Hard drives, power supplies, RAM, and the worst of them all is people. Given this state of mistrust, we tend to buy much more than necessary, constantly chasing that elusive 100% uptime mark.

The idea behind this experiment was great – we really do over-purchase cooling, fire fighting, and power equipment. However, there’s one basic flaw here. For the same reason we buy seat belts, air bags, and insurance policies. 9,999 times out of 10,000 (hopefully it’s much higher!), everything is just fine when we get in our cars and drive away. But it’s that one time that will kill you, literally.

I find it interesting that people have been thinking of this as a new idea. People working with festivals and other events where temporary networks must be established have been running computers in tents for some time. I helped work with a large outdoor music festival called LifeLight for a couple of years. We did the same thing. We put computers in tents. Except for having less than ideal hardware, everything was fine. The machines got dew on them when they sat out overnight but they booted up in the mornings. It works, but it’s far from ideal. I’m sad to say that we didn’t achieve the 100% uptime these two did, but our equipment wasn’t quite the same.

Now I’m a progressive thinker, but seriously, let’s not forget where we came from. There’s a huge difference between 99% uptime and 99.99% uptime. Whether or not this is a reasonable goal is another conversation, but that’s what everyone seems to “need”. The big problem with this idea is this: our environment can cause disruptions in computers. Just like insurance policies, we never need the “wasted” money and power used for brick, cooling, fire, and power equipment until we need it. I do understand where they are coming from, but I’m not going to be the one telling my CEO that the servers that our company depends upon are down because it’s slightly warmer than what the servers can handle outside and we decided to save money by not spending a little more to have extra equipment to handle the load. I don’t want to be that guy.

Tags: , ,
Filed under Tech Trends : Comments (0) : Sep 22nd, 2008

The Google Datacenter on Water

Rumors are flying around the web about potential Google data centers out to sea. Google has cited a few reasons including using the energy from the waves to bring down cooling and power costs. Others have suggested that Google is trying to escape property taxes for its data centers around the world, but that seems it seems a bit ridiculous to me. Whatever the reasons, I’m not sure that I’d like to see their data centers on water.

Isolating data centers on the water scares me. Google of course has a very robust infrastructure, but, like it or not, they are an extremely important part of our national and international ecosystem. We’ve seen what kind of affect a small mistake by the Googlebot can cause on Wall Street. Combine that with the attacks on Georgia‘s infrastructure from Russia and we could have a real concern on our hands. I definitely see the advantages here, but let’s keep our feet on solid ground for now. Whether or not we choose to believe it, a crippled Google means a crippled Internet and a crippled Internet means a crippled nation.

Tags: ,
Filed under Tech Trends : Comments (0) : Sep 17th, 2008

American Airlines Fiasco Could Lead to Other Attacks

The Google/Sun-Sentinel/United Airlines fiasco earlier this week seems to just reiterate to me the one basic flaw of most Internet-based systems: computers trust other computers far too easily. Now, the person passing the story on to Bloomberg definitely had some issues with thoroughness, however I suspect most of that process is automated. The fact that the Google bot didn’t find a date on the page so it automatically assumed the news was new seems to point to a deeper flaw in the way we network our systems. Whether or not the problem was malicious or purely accidental, malicious attempts to cause damage like this are sure to follow. Using flaws in BGP that were disclosed at the recent DEFCON conference, an attack on an organization like this by editing news on major news sites. Obviously, the BGP issue is a much larger issue than this, but this definitely could add a new twist to the problem. With other recent security flaws surrounding another core networking service on the Internet, DNS, it makes me wonder how close we are to a much larger, coordinated attack like this. Perhaps the world won’t require a larger wake-up call than this before issues of trust are addressed, but not a lot has been said about the BGP issue since DEFCON on the mainstream media. Things looked positive as the DNS vendors all worked together to patch the latest DNS source port flaw. With real war being waged on the cyber front such as the Russian attacks on Georga over the web this year, these issues have to be of major concern to governments around the world.

Tags: , , ,
Filed under Tech Trends : Comments (0) : Sep 11th, 2008

Apple, Linux, and PHP in the Top List of Vulnerable Vendors

Cnet recently posted an article titled “Apple, Microsoft, PHP headline IBM’s list of most vulnerable software,” summarizing IBM Internet Security Systems’s X-Force 2008 Mid-Year Trend Statistics report. This report, by some strange reasoning, found it appropriate to list, among others, Apple, Joomla!, and Linux in the top ten list of vendors with the most reported security vulnerabilities. How exactly IBM Security Systems’s X-Force is capable of providing a suitable comparison between Apple and Joomla!, or how they find it appropriate to list Linux as a vendor, remains to be explained.

The IBMSSXF continued in their analysis of the top vendors with vulnerabilities:

Another commonality between these three vendors [Joomla!, Drupal, and WordPress] is that they are all written in PHP. If we look back over last year’s disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.

*Sigh*

Ivo Jansch provided a pertinent reply in his blog. He mentioned that since PHP is getting blamed for these vulnerabilities, perhaps we should blame C for the vulnerabilities found in C-based software.

I realize that the IBMSSXF is trying to report hard numbers and facts. And their tables and graphs are all very pretty. But really, it comes down to this: you can’t compare apples with oranges, especially if the Apple is a vendor and the orange is a web site CMS…or an operating system…or a programming language.

Tags: , , ,
Filed under News : Comments (0) : Aug 30th, 2008

SSH "Vulnerabilities"

I had to laugh when I read the comments on zdnet’s article on how compromised SSH keys are leading to rootkits in Linux systems. Okay, I’ll admit it. I’m a Linux fan and am going to be partial to defending my pet operating system, but let’s all take a minute to think about this. The first part of the attack happens when an attacker is first able to login to an SSH server with a stolen key. Once the attacker has a shell, they are using a vulnerabilities to install rootkits. Sure, that means there are vulnerabilities once a user has a shell, and I’m not about to say that Linux is impenetrable. But let’s consider what’s happening here. The attackers are using a stolen key. The attackers could just as easily use a stolen password. The same would happen if you opened up remote desktop on your Windows server to the world and gave out your password. Okay, so this was mostly a rant about some comments made, but let’s all take the time and watch what public-facing services are running on our systems. Don’t open up a service on your servers if you don’t plan on logging and auditing the service. All OS’s are vulnerable to attacks due to poor implementation and good grief, be careful with your keys!

I also had to laugh when I went to the CERT article that the zdnet article was about. Right below it, CERT issued a warning about a vulnerability in PowerPoint that allowed remote code execution with escalated privileges if a user opened a crafted file. Wow, talk about irony! Yes, I know that there’s vulnerabilities in software from pretty much every vendor so don’t flame me, but I loved the irony.

Tags: ,
Filed under Tech Trends : Comments (0) : Aug 28th, 2008

Newer Entries »