Use the following ATOM URL to talk to your blog on IBM developerWorks
This URL can be used in any application that supports ATOM for e.g. Windows Live Writer.
Wikipedia Diver visually maps where you've been on Wikipedia.
Lew Tucker (CTO, Sun Microsystems): Cloud computing is not so much a definition of a single term as a trend in service delivery. It's the movement of application services onto the Internet and the increased use of the Internet to access a variety of services traditionally originating from within a company's data center.
Werner Vogels (CTO, Amazon): If you run your services inside the company, privately, utilization becomes an issue. It amortizes your costs over a number of cycles. If you run services outside, on a public service, it is no longer an issue for you.
Greg Olsen (CTO, Coghead): Cloud computing presents a compelling opportunity for consumers of information technology and producers of information services.
Read more .. ..
"My friend has just had his PC wired for broadband," writes the poet Don Paterson. "I meet him in the café; he looks terrible—his face puffy and pale, his eyes bloodshot. . . . He tells me he is now detained, night and day, in downloading every album he ever owned, lost, desired, or was casually intrigued by; he has now stopped even listening to them, and spends his time sleeplessly monitoring a progress bar. . . . He says it's like all my birthdays have come at once, by which I can see he means, precisely, that he feels he is going to die."
The Internet has provided us with an almost unlimited amount of information, but the speed at which it works—and we work through it—has deprived us of its benefits. We might work at a higher rate, but this is not working. We can store a limited amount of information in our brains and have it at our disposal at any one time. Making decisions in this communication brownout, though without complete information, we go to war hastily, go to meetings unprepared, and build relationships on the slippery gravel of false impressions. Attention is one of the most valuable modern resources. If we waste it on frivolous communication, we will have nothing left when we really need it.
Read more .. ..
In an interview with NYTimes, David Vladeck, the Director of the FTC Bureau of Consumer Protection, said that he hopes to address the “notice and consent” framework that he considers “no longer sufficient”, as it has resulted in privacy disclosures that are rarely read or understood:
"The first and the more dominant one was what I’ll call the notice and consent framework. The theory was that data collection was OK and uses of that data was OK provided that consumers were on notice that collection activities were taking place, and that consent for the collection and use was secured in some way.
Now, that may have been a sensible framework back then, when it was easier to give notice and consent could be provided or contained in a way where it was clear that the consumer actually knew what she was consenting to, and where there would be a single use of the data or a clear use of the data. Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act." (Vladeck, 2009)
Mr. Vladeck said the FTC wants to establish new "principles, not prescriptive regulation," which might not be relevant as technology changes (Schatz, 2009):
"Well, we’re not committing ourselves to imposing regulation. Please understand, we don’t view that at the end of this process we’re necessarily going to set down hard and fast markers for industry that must be obeyed. What we would like is to figure out useful tools and a more comprehensive way of looking at privacy protections that may obviate the need for rules." (Vladeck, 2009)
Mr. Vladeck also plans to consider not only economic harm, but also the “dignity interest” that arises in online information collection. (Jacobs, 2009)
Jacobs, A. (2009, August 8). FTC Takes New View of Online Privacy. Retrieved August 8, 2009, from Harvard Journal of Law & Technology Digest: http://jolt.law.harvard.edu/digest/copyright/flash-digest-news-in-brief-18
Schatz, A. (2009, August 5). Regulators Rethink Approach to Online Privacy. Retrieved August 8, 2009, from The Wall Street Journal: http://online.wsj.com/article/SB124949972905908593.html
Vladeck, D. (2009, August 3). An Interview With David Vladeck of the F.T.C. (S. Clifford, Interviewer) NYTimes.com.
Step 1) Authentication Server to Client
Ticket Granting Ticket : [client, address, validity, Key(client, TGS)]Key(TGS)
Step 2) Client to Ticket Granting Server
Ticket Granting Ticket : service, [client, client address, validity, Key(client, TGS)]Key(TGS)
Authenticator : [client, timestamp]Key(client, TGS)
Step 3) Ticket Granting Server to Client
Ticket (client, service) : service, [client, client address, validity, Key(client, service)]Key(service)
[Key(client, service)]Key(client, TGS)
Step 4) Client to Service
Ticket (client, service) : service, [client, client address, validity, Key(client, service)]Key(service)
Authenticator : [client, timestamp]Key(client, service)
What follows is a simplified description of the protocol. The following shortcuts will be used: AS = Authentication Server, TGS = Ticket Granting Server, SS = Service Server.
In one sentence: the client authenticates itself to AS, then demonstrates to the TGS that it's authorized to receive a ticket for a service (and receives it), then demonstrates to the SS that it has been approved to receive the service.
In more detail:
- A user enters a username and password on the client.
- The client performs a one-way hash on the entered password, and this becomes the secret key of the client.
- The client sends a clear-text message to the AS requesting services on behalf of the user. Sample Message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS.
- The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client:
* Message A: Client/TGS session key encrypted using the secret key of the user.
* Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.
- Once the client receives messages A and B, it decrypts message A to obtain the client/TGS session key. This session key is used for further communications with TGS. (Note: The client cannot decrypt the Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS.
- When requesting services, the client sends the following two messages to the TGS:
* Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service.
* Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key.
- Upon receiving messages C and D, the TGS decrypts message D (Authenticator) using the client/TGS session key and sends the following two messages to the client:
* Message E: Client-to-server ticket (which includes the client ID, client network address, validity period) encrypted using the service's secret key.
* Message F: Client/server session key encrypted with the client/TGS session key.
- Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages:
* Message G: the client-to-server ticket, encrypted using service's secret key.
* Message H: a new Authenticator, which includes the client ID, timestamp and is encrypted using client/server session key.
- The server decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client:
* Message I: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key.
- The client decrypts the confirmation using its shared key with the server and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server.
- The server provides the requested services to the client.
Traditional (draconian??) e-security departments are having a field day with all the media buzz surrounding the insecurity of the Cloud Computing. They are missing the big picture.
Risk management is important. However what I am seeing right now is that these traditional e-security departments are just concentrating on the the Vulnerability component of the Risk equation:
Total risk = Threat X Vulnerability X Asset value
Residual risk = Total risk – Countermeasures
They are completely leaving out the "likelihood of a event happening" from their analysis. Countermeasures are put in place to reduce the likelihood of an event, which minimizes the overall residual risk.
Countermeasures are put in place to reduce the likelihood of an event, which minimizes the overall residual risk.
There is a common misconception that a move to Cloud Computing is inherently insecure. I don't think that is the case. For example, with Google App you can easily utilize multi-factor authentication, or make to it even more secure you can place the Security Assertion server inside your corporate firewall. This would require the user to be on the corporate network before accessing any of the Google Apps. However, this would also cause inconvenience for the mobile user who doesn't like to login into a VPN connection. It is all about trade-offs. My key point is that there is nothing preventing an organization from securing the Cloud Services.
I really don't think Cloud Computing is to be blamed for the twitter hack. The attack would have been possible even if twitter was using a in-house Exchange Server with some provisions for remote access and weak passwords. It is all about authentication and access control. If twitter had instituted proper access control using multi-factor authentication, this would never have happened.
NIST recently published a working draft of the Cloud Computing Security presentation. Some of the Security Advantages mentioned in the presentation are:
1. Shifting public data to a external cloud reduces the exposure of the internal sensitive data
2. Cloud homogeneity makes security auditing/testing simpler
3. Clouds enable automated security management
4. Redundancy / Disaster Recovery
5. Data Fragmentation and Dispersal
6. Dedicated Security Team
7. Greater Investment in Security Infrastructure
8. Fault Tolerance and Reliability
9. Greater Resiliency
10. Hypervisor Protection Against Network Attacks
11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
12. Simplification of Compliance Analysis
13. Data Held by Unbiased Party (cloud vendor assertion)
14. Low-Cost Disaster Recovery and Data Storage Solutions
15. On-Demand Security Controls
16. Real-Time Detection of System Tampering
17. Rapid Re-Constitution of Services
18. Advanced Honeynet Capabilities
I understand that these will depend on the actual implementation. It usually does for everything. For e.g. you can create world's most secure cipher, but the poor implementation is usually the weakest link.
But in theory, if cloud services are implemented properly, I think NIST's list of advantages hold true.
Problems are Soluble. Problems are inevitable - Professor David Deutsch
No amount of precautions can avoid problems that we do not yet foresee. Hence we need an attitude of problem fixing, not just problem "avoidance". An ounce of prevention equals a pound of cure, but that’s only if we know what to "prevent". If you’ve been punched on the nose, then the science of medicine does not consist of teaching you how to avoid punches. If medical science stopped seeking cures and concentrated on prevention only, then it would achieve very little of either.
The traditional Enterprise IT world is buzzing at the moment with plans on how to stop Cloud Computing from entering into the workplace. It ought to be buzzing with plans to reduce the security and privacy risks associated with Cloud Computing and improve data-portability and forensic capabilities. And not at all costs, but efficiently and cheaply. And some such plans exist, host-proof hosting, for example.
With problems that we are not aware of yet, the ability to put right - not the sheer good luck of avoiding indefinitely - is our only hope, not just of solving problems, but of making technological progress.
(the above is based on a talk by Professor David Deutsch on problem avoidance)
In response to: Confession 33: Tag Tag Tag
I wrote a semi-intelligent app that automatically determines appropriate tags for a blogpost and adds that tags to the post. Currently I use it to add tags to my blogspot blog using Blogger API. But I can easily modify it to use ATOM, if this blog supports updating tags using ATOM.
In response to: Amazingly Creative 404 (File Not Found) Page
Oh btw, some other creative 404 messages:
- http://fryewiles.com/404 (Funny!!! :))
- http://www.markfennell.com/404.html (The 404 page is a actually a game)
- http://www.orangecoat.com/404 (Flowchart anyone????)
- http://hootsuite.com/404 (Milk Carton Missing person's (page) Ad)
I simply use the following on my webserver:
I lie somewhere over here
-- Werner Heisenberg, as in Uncertainty Principle.
In response to: Lotus Connections Easily Trumps Other Vendors
I have to agree that Lotus Connections is definitely "people centered and not document centered". I currently use Atlassian Confluence. Even though they have many "social networking" plug-ins (e.g. Bubbles), it is no match to LC. Lotus took its time, but has definitely produced a Enterprise 2.0 platform for Social Networking.
I keep track of various E2.0 technologies, and LC is the most full-featured suite I have seen :)
The following is one of those pestiferous and nettlesome Facebook quizzes. But this one is designed by the A.C.L.U. to show you how much private information you reveal by taking them:
What Do Quizzes Really Know About You? on Facebook
Ever take one of those Facebook quizzes to find out which superhero most resembles your dog, or have a friend who seems to spend most of their life doing so? Then you might be in for a surprise when you take this quiz and learn just how much of your personal information these quizzes can access.
Even if your Facebook profile is "private," when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends' profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.
But don't take our word for it - take this quiz and see for yourself!
In response to: Amazingly Creative 404 (File Not Found) Page
So since we are on the topic of error messages, I would like to mention twitter's fail whale, an error msg that appears during an outage on Twitter. The fail whale has become an pop-culture icon, with a fan club, and even a fail whale clothing store.
This is amazing. How can failure of a website become so popular? It is an epic example of Social Media Branding using the Power of the Community.
Why can't we do something similar for Lotus Connections? The market is ripe. Lotus Connections is a unique product in the e2.0 collaboration space. It just need some pop-culture style marketing. What do you guys think? Any one wants to sign up for this? I am willing to help out in any way I can.
Post your ideas as comments below:
The following is NOT a Liar’s Paradox
stmt1: Following statement is false;
stmt2: Preceding statement is false;
It has the following possible solutions:
Take row 1: Stmt 2 is true, Stmt 1 is false. What Paradox?
Take row 2: Stmt 2 is false, Stmt 1 is true. What Paradox?
The following IS a Liar’s Paradox
stmt3: Following statement is true;
stmt4: Preceding statement is false;
Take row 1: stmt3 is true, therefore stmt4 is true, therefore stmt3 is false.
Now row 2: stmt3 is false, therefore stmt4 is false, therefore stmt3 is true.
I n t e r e s t i n g r e a d
(a technology forecast by PricewaterhouseCoopers)
The editors of this year's Collins English Dictionary have made 267 additions, including words which have previously been considered nothing more than sounds.
'words' such as 'hmm' and 'heh' have been included in the dictionary, as have the likes of 'meh' (a sound denoting disapproval) and 'mwah' (sounding like an exaggerated kiss).
Some words are contractions of expressions that have themselves only just become established online, most notably 'noob', for those who cannot be bothered to say – or more probably to write – 'newbie'.
Read more .. ..
In response to: Twittering teens add hundreds of words to dictionary
I think it is a combination of both txt msg and twittering. But tweets have much more visibility ( and findability??) than one-to-one txt msg. The words prolly started with text messaging, and then the twitter gave them visibility.
The following has been reproduced from NIST's common set of definitions around cloud computing and its use cases. Experts at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government.
Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Service Model Architectures
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
Security Advantages with Cloud Computing
- Data Fragmentation and Dispersal
- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks
- Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities
Security Challenges with Cloud Computing
- Data dispersal and international privacy laws
- EU Data Protection Directive and U.S. Safe Harbor program
- Exposure of data to foreign government and data subpoenas
- Data retention issues
- Need for isolation management
- Logging challenges
- Data ownership issues
- Quality of service guarantees
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
- Encrypting access to the cloud resource control interface
- Encrypting administrative access to OS instances
- Encrypting access to applications
- Encrypting application data at rest
- Public cloud vs internal cloud security
- Lack of public SaaS version control
Cloud Computing is a IP enabled, scalable, virtualized, multi-tenant, subscription based (or “pay as you”), B2B, service delivery method for business software applications, platform development, and adaptive infrastructure. i.e. SaaS based applications, PaaS based development, IaaS based infrastructure. (DePena, 2009)
Addendum: Cloud Vendor Strategies
VMware: I already have the most popular virtualization software and I will integrate Spring Source and create the best PaaS offering.
Amazon EC2: I am extending my cloud facility to a virtual private environment so that you security concerns are taken care.
Microsoft: I am giving you a platform which is very similar to what you use so that you can seamlessly extend your application to the cloud and even the developers can continue to use the same set of tools.
SalesForce.com: I am giving you a Force.com with which you can build what you need over and above what I provide out of the box.
Google App Engine: I am creating a platform with which you get access to my complete infrastructure – practically unlimited processing power & storage and all my existing services.
Banerjee, U. (2009, August 16). Cloud Strategy. Retrieved September 05, 2009, from Udayan Banerjee’s Blog – From The Other Side: http://setandbma.wordpress.com/2009/09/03/cloud-strategy/
DePena, R. (2009, August 16). The Beauty Of The Cloud. Retrieved September 05, 2009, from Competitive Business Innovations: http://raydepena.wordpress.com/2009/08/16/the-beauty-of-the-cloud/
Mell, P., & Grance, T. (2009, August 8). National Institute of Standards and Technology - Cloud Computing. Retrieved September 4, 2009, from National Institute of Standards and Technology: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html