Broadband Developments

January 5, 2009

Security Updates from Andreas Antonopoulos RE: Web 2.0 and Unified Communications

Filed under: Podcasts, Security, UC, Web 2.0 — John Furrier @ 10:06 am

I found this great podcast on the Network World site today from Andreas Antonopoulos. Things like Web 2.0 and unified communications applications, as well as virtualization, all make securing an enterprise network more difficult. Nemertes’ Andreas Antonopoulos explains how security policies and systems need to become more flexible to fit the new ways we work.

Click here for the podcast.

December 30, 2008

Top Stories of 2008

Filed under: BroadDev, Infrastructure 2.0, Networking, Security — John Casaretto @ 6:33 pm

Yeah, everyone does these. Top 10 lists, etc.

I thought about it. Techmeme did a nice job of the biggest stories. Thanks for the end-of-year read. So, I’ll analyze it.

  1. The Yahoo-Microsoft Story – Yeah this had to be the story of the year.  Microsoft overbids it turns out for Yahoo.  Yahoo plays hard-to-get.  Yahoo cozies up to Google.  That doesn’t turn out so well.  Yahoo is worth a fraction of what Microsoft bid for it.  This one is not over by a long shot.
  2. Apple Announces last year at MacWorld – The fanboys will be onboard anyway and this was their event.  (FYI – I carry an iPhone)  Apple has plenty of press nowadays, this is not much of a big deal.
  3. Google Chrome – So far it has been ho-hum.  There was a big splash, some people tried it, but this is not a world changer as it turns out.  (FYI- it’s my second browser and I love it)
  4. Apple Developer Connection – The App Store is the single greatest thing about the iPhone.
  5. Google Spoken iPhone App – Cool and wow.  I like the sound of that and it sums up that app nicely.  It really does work well.  Now is this a story of the year?  Um.  It could lead to lots of exciting things, but to me, not really a story of the year.
  6. Google/Valve buy – an interesting rumor that didn’t come true.  Google with all that money, all that cash and everyone talking about what to buy.  Kinda funny isn’t it?
  7. RIAA Music lawsuits – Dropping the lawsuits against Grandma Jones, it means little as I expect the RIAA to increase the pressure on the internet providers.
  8. Google>Microsoft> Digg – Once again see Comment for #6
  9. Windows 7 – Reports are saying it’s a glossy version of Vista.  I think the timing of this OS may be unfortunate for Microsoft, with the economy stumbling and tech/personal spending in a crunch.  If Windows 7 is not a game changer, then this baby may thud.
  10. iPhone 3G – This was a story that deserved to be way higher on the list.  Apple finally put it all together and delivered again a “game changer”.

Wasn’t there an Olympics or something?  What about LinkedIn?  I’ve been on that for maybe 2 or 3 years now, but it seems to really have blown up now.  Facebook anyone?  Twitter?  Not really news, but their influence and presence have grown.

December 17, 2008

IE - Hong Kong Porn Connection - Patch Tuesday Must Die.

Filed under: BroadDev, Networking, Security — John Casaretto @ 10:15 am

Microsoft is now shedding a little more light on the zero-day XML vulnerability.  It seems some Hong Kong-based pornography sites are dropping the trojans Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ on unsuspecting PC users.  This is in addition to exploits discovered on a popular Taiwan search engine.  The details are here. A patch for this vulnerability is to be released today.

(BTW I wonder what that job is like – “Just checking on potential viruses chief”)   I digress – really I appreciate all the MS team does to keep us in the dark keep us up to date on this serious security flaw in every instance of that little blue E on all the desktops in the world.  I mean if Hong Kong porn is not safe, then who is…?

All kidding aside, can we stop the Patch Tuesday nonsense?  We now have a second “out of band” update this year.  Hackers are now celebrating “Exploit Wednesday” - look it up.  Some environments take weeks to approve these types of updates, even emergency ones.  I bet there are plenty of steamed folks out there about this little escapade.  Reports say this XML exploit started the day after the last regular patch.

I know things get exploited – fine.  And don’t start with the Mac and Linux tripe.  It’s just a fact that everything can be pwned.  I just have issues with the notification and resolution.  How you deal with it is what really determines how protected an organization is.  Patch Tuesday must die.  It’s like putting a sign on your lawn that says, “I am not home from the hours of 8am–5:30pm”.  Let’s put the call out today to put a nail in this thing.  Stop Patch Tuesday.  We need updates as they happen.  30 days is too long; think about it.  Think about all the little vulnerabilities that don’t get the press.  A hacker releases an exploit on Wednesday; if it gets found, it might make the next round of patches.  IT gets the update, tests it on systems, releases it to production – that could be 6 weeks of password-stealing, PC-zombie fun.

NOTE: I know there are crews at MS that have busted to get this thing identified and fixed – Thank you.  Again, I just don’t think the announcement strategy is working.  I know I will get some flames for this and some people who agree.  If someone has a better way, then speak up.

December 15, 2008

All versions of IE Are Vulnerable

Filed under: BroadDev, Networking, Security — John Casaretto @ 3:41 pm

The zero-day XML vulnerabilities, once reported to be affecting only IE7 targets, are now prompting warnings from Microsoft to its customers across all supported versions of its Internet Explorer Web browser.

http://www.microsoft.com/technet/security/advisory/961051.mspx

The workaround centers on setting Internet security settings to High and disabling Oledb32.dll via an ACL, not an end-user-friendly operation.  Apparently the attacks noted so far have predominantly been against IE7 and on Chinese sites.  The exploit abuses the way IE handles XML.  It could potentially be used to access several types of sensitive data; however, thus far it is only reported to be stealing passwords for computer games.

There are reports that Microsoft is considering fixing the flaw through an emergency software patch outside of the standard “Patch Tuesday”.

Now is a good time to give Google Chrome a try.

December 3, 2008

Yahoo Hit By DNS Bug - Was it Cache Poisoning?

Filed under: Networking, Security — John Furrier @ 6:48 pm

Yahoo was hit by a massive DNS problem today reported by GigaOm.

Some are saying quietly that there was a DNS cache poisoning that affected Yahoo’s main DNS nameservers.  Yahoo is not talking to me about this.  Of course I’m interested in this because of all the recent DNS security risks, which have been well documented by Infoblox, the leading company in the DNS industry.

I will try to dig into this and see if Dan Kaminsky has any insight into this.

DNS problems went mainstream after I started reporting about it here and then John Markoff reported about it on the NYTimes.

More information is in the Infoblox/Measurement Factory DNS survey post from November 10 on this site.


November 18, 2008

Amazon Expands Cloud For Content Delivery - Big Iron In The Cloud - Gotta Love This

Filed under: BroadDev, Networking, Security, virtualization — John Furrier @ 10:42 am

The CTO of Amazon is blogging the new service from Amazon called CloudFront. I love this approach for obvious reasons, but the question remains about reliability and security. In talking to Mendel Rosenblum this past weekend, he and I both agreed that many are afraid of pushing information into the cloud. Mendel is the leader in pushing large-scale computing and his observations ring true for many corporate enterprises. No doubt Amazon is great for startups, but the open question remains for reliability and security.

When those two issues are rock solid, then the era of cloud computing will be mainstream.

Here is the information on Amazon CloudFront.

Hello Amazon CloudFront, the new Amazon Web Service for content delivery. It integrates seamlessly with Amazon S3 to provide low-latency distribution of content with high data transfer speeds through a world-wide network of edge locations. It requires no upfront commitments and is a pay-as-you-go service in the same style as the other Amazon Web Services.

Amazon CloudFront has been designed to be fast; the service will cache copies of the content in edge locations close to the end-user’s location, significantly lowering the access latency to the content. High sustainable data transfer rates can be achieved with the service especially when distributing larger objects.

Amazon CloudFront will be useful for many different application scenarios such as giving your customers low-latency access to popular objects and protecting your site from popularity surges; other popular examples are low-cost delivery of rich media and sustainable fast transfer rates for software distributions.

See also the posting on the AWS Developer weblog and at Rightscale.

Amazon has seen success with the scalability, reliability and cost-effectiveness of Amazon S3 and now with the integration with Amazon EC2 it is easy to distribute Amazon S3 content world-wide. The combination of the two services is really powerful: Amazon S3 will give you durable storage of your data, and the network of edge locations on three continents used by the Amazon CloudFront will deliver the content with low latency from the most appropriate location.

The network of edge locations

To ensure low-latency delivery, Amazon CloudFront uses a network of edge locations world-wide:

  • United States: Ashburn (VA), Dallas/Fort Worth, Los Angeles, Miami, Newark, Palo Alto, Seattle and St. Louis
  • Europe: Amsterdam, Dublin, Frankfurt and London
  • Asia: Hong Kong and Tokyo

These edge locations work together to direct customers’ requests to the edge location that can provide the response with the lowest latency.

Simplicity

Because Amazon CloudFront follows the core principles of all Amazon Web Services it is a unique content delivery service. The simplicity in getting started has been described by many of our early customers as a very important feature.

Using Amazon CloudFront is dead simple:

  1. Put your objects in an Amazon S3 bucket.
  2. Call the CreateDistribution API with the name of the S3 bucket, which will return your distribution’s domain name.
  3. Use the new domain name in URLs on your web site or in your application. Whenever these URLs are accessed, CloudFront will determine the optimal edge location from which to serve your content.
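The three steps above, as an added example that is not Amazon's own code or part of the quoted post: it uses the boto3 SDK (an assumption; in 2008 CreateDistribution was a plain REST call) and splits the work into helpers that build the CreateDistribution request and rewrite a page's S3 links, so those parts can be checked without AWS credentials. The bucket name, distribution domain and region endpoint are placeholders.

```python
"""Added example (not Amazon's code): CloudFront steps 1-3 with boto3."""
import re
import uuid

S3_HOST = "s3.amazonaws.com"  # assumption: a US-standard bucket endpoint


def origin_domain(bucket):
    """The S3 origin CloudFront fetches from (input to step 2)."""
    return f"{bucket}.{S3_HOST}"


def build_distribution_config(bucket, caller_reference, comment="added example"):
    """Build the DistributionConfig argument for cloudfront.create_distribution().

    Field names follow boto3's CloudFront API (assumption: today's API shape).
    ViewerProtocolPolicy redirects clients to HTTPS so cached objects are not
    served in the clear."""
    origin_id = f"s3-{bucket}"
    return {
        "CallerReference": caller_reference,  # idempotency token; unique per request
        "Comment": comment,
        "Enabled": True,
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": origin_id,
                "DomainName": origin_domain(bucket),
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": origin_id,
            "ViewerProtocolPolicy": "redirect-to-https",
            "ForwardedValues": {"QueryString": False,
                                "Cookies": {"Forward": "none"}},
            "MinTTL": 0,
        },
    }


def create_distribution(bucket):
    """Steps 1 and 2 against real AWS: upload an object, then CreateDistribution.

    Returns the distribution's domain name. Needs credentials in the environment."""
    import boto3  # lazy import so the module loads without boto3 installed

    s3 = boto3.client("s3")
    s3.put_object(Bucket=bucket, Key="index.html",
                  Body=b"<html><body>hello</body></html>",
                  ContentType="text/html")
    cf = boto3.client("cloudfront")
    resp = cf.create_distribution(
        DistributionConfig=build_distribution_config(bucket, str(uuid.uuid4())))
    return resp["Distribution"]["DomainName"]


# Matches "http(s)://<bucket>.s3.amazonaws.com/" and captures the bucket name.
S3_URL = re.compile(r"https?://([a-z0-9.-]+)\.s3\.amazonaws\.com/")


def rewrite_urls(document, bucket, distribution_domain):
    """Step 3: point links for `bucket` at the distribution; leave other buckets alone."""
    def sub(match):
        if match.group(1) == bucket:
            return f"https://{distribution_domain}/"
        return match.group(0)
    return S3_URL.sub(sub, document)


if __name__ == "__main__":
    # Offline demonstration with a constructed page and placeholder domain.
    page = '<img src="http://example-bucket.s3.amazonaws.com/logo.png">'
    print(rewrite_urls(page, "example-bucket", "d111111abcdef8.cloudfront.net"))
```

Run `create_distribution("your-bucket")` once with credentials configured; the returned domain is what you pass to `rewrite_urls` for every page that references the bucket.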

The second Amazon Web Services principle that sets Amazon CloudFront apart is that no upfront commitments are necessary and you only pay for what you have used. There are no upfront fees or high volume requirements and no negotiations are necessary because we have published low prices from the start. This brings content delivery in the hands of all businesses, and you can exploit the benefits of Amazon’s world-wide network of edge locations, regardless of whether you are a highly popular website, a small blog, a complex enterprise application or a developer doing some prototyping.

A core distributed systems component

It is not uncommon to think about a service for content delivery such as Amazon CloudFront only in the context of media distribution for web sites, but it actually plays a more fundamental role.

There are two main technology components to such a service; the first is intelligent request routing, which routes requests to the location that can best serve the user given a series of requirements and the status of the network. The second technology component is that of object caching, which is a fundamental building block in both operating systems and in distributed systems.

Caching is an essential technique that is used to make sure that components can operate at the fastest speed possible, to overcome the performance differences that exist in systems. For example, CPUs have caches that are much faster than memory, memory works as a cache for disks, local disks can function as caches for remote disks, etc.

In distributed systems caching is primarily used to provide fast access to popular objects that are located in remote storage servers. These systems of caching servers often cooperate to create massive aggregate world-wide capacity to provide low latency access. And by using globally decentralized cache servers for distribution, very high data transfer speed can be achieved.

Caching technology has long been the center piece of computer systems research and in Amazon CloudFront we use the type of highly advanced algorithms for reliability and scale that you have come to expect from our Amazon services.

November 17, 2008

PCI Compliance and Server Virtualization

Filed under: Security, virtualization — Rich Miller @ 5:03 pm

While cruising through the feed-reader, I came upon Eric Siebert’s recent post regarding the release of the Payment Card Industry’s Data Security Standard (PCI-DSS), version 1.2. Eric notes that “… the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification.” He then wonders (out loud) what could be the cause for this lack of attention (see quote below).

This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet. He pointed me to this article as to why the failure of PCI DSS 1.2 to address virtualization won’t matter. The author, David Taylor, is certainly no slacker. He’s the VP Data Security Strategies at Protegrity, as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner. He takes a pragmatic approach, urging the reader not to wait for standards, and is pretty clear that he’s a believer in the value of virtualization. But there still seems to be some “buck passing.” He seems to be saying to the merchants who are subject to the PCI DSS standards:

  • You need to prove to an assessor that virtualization is secure enough to pass PCI audits.
  • You need to cost-justify the amount of money required to do so.
  • You need to push on your application software vendors to warrant the security and functionality of their products in virtualized environments … something they, apparently, are often unwilling to do.

To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary. There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.

With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves.

This same tale is going to be told multiple times. It’s not just about PCI; it will also impact standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments … Yes, I mean “cloud computing.” The PCI industry has a chance to do this right up front, without the buck passing. I think I’m with Eric on this one.

Update:

Seems that while I was heads-down with a product launch, I missed Christofer Hoff’s post on PCI, virtualization and clouds.

Just to be clear — I agree with most of the points that David Taylor has made, but to follow along with this reference to the OSI standards vs the TCP/IP development of standards … what we’re missing today is the moral equivalent of the TCP/IP definitions of best practice and standard. If the PCI DSS folks won’t step up to it, let’s figure out who will.

And, in another interesting addition to the conversation, VMware has joined PCI. We’ll now see whether (and how) they can improve the situation.

VMware makes the case for PCI DSS compliance
…Today, with a nod to millions of merchants worldwide that accept credit card payments, VMware Inc. announced that it has joined the Payment Card Industry Security Standards Council (PCI SSC) to incorporate awareness of virtualization into forthcoming versions of PCI regulations.

The company has also launched the VMware Compliance Center, a website dedicated to educating merchants and auditors about compliance in virtualized environments, and the resource includes links to relevant white papers and webcasts. …

PCI Data Security Standard updated, but still does not address virtualization — Server Virtualization Blog

I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.

StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won’t Matter

… The issue is more than just PCI compliance. It’s about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.

November 11, 2008

Breaking: Rumors About A Microsoft Deal With IBM Are True - VoiceCon Unified Communications Keynote From Microsoft

Filed under: Networking, Security, UC — John Furrier @ 12:31 pm

Betsy Frost Webb, General Mgr of the Microsoft Unified Communications group, is giving the keynote here at VoiceCon San Francisco 2008. I am interested in the presentation from Microsoft because there are rumors floating around this morning that later in the week Microsoft will do a “GodFather” deal with IBM to team up on a joint Unified Communications solution. This would be a direct move against Cisco. I’ve also heard rumors that I’ve posted here that Cisco has been in conflict with IBM over their recent moves into the compute sector.

I came in a bit late but she is touting the awards and customers that are using Microsoft’s Unified Communications products. I see a video guy so I’ll keep the blogging short since a video from TechWeb will come out later.

Communication Server will come out in February 2009. She is introducing Eric Swift now. Eric is giving a demo. The UC demo is showing the collaboration workflow of handling a basic conference call. Authentication is handled by Active Directory. They are adding IM capability into the conference call in context. Now Eric is adding live video as well, in addition to the conference call. I really like how you can mute individual participants who are in noisy environments.

Eric is showing Firefox compatibility for non-Microsoft platforms. This is a must-have feature for a world that is migrating over to cloud services and other non-Microsoft platforms. More impressive is the capability to mute land lines that integrate into Communicator. This is a pretty big deal to pull off and it makes the offering mainstream, not a ‘siloed Microsoft’ offering - traditional telephony coming together with IP-based software services.

Betsy is back on touting all the cost efficiencies that UC offers. She is talking about one open infrastructure to work well with existing systems. Betsy is asking for feedback and emails at voicecon@microsoft.com

She is talking about how the experience from the Office group and what they bring to the table in UC. Some have been saying that Office is dead and that cloud computing and things like Google Apps is killing Microsoft Office….(Hmmm this could be the cloud and edge based software model…hmmm more on that later).

Betsy admits there are implementation challenges. She is opening up and asking for input (very sales oriented). The major update is coming in February - Office Communications Server 2007 R2 on February 3, 2009. (Why is it called Office Communications Server 2007 when we are in 2009???)

I wonder if the all this open discussion will be related to the IBM rumors - I am trying to confirm that Microsoft is going to announce a deal with IBM on a common platform.

End of Microsoft Unified Communications Keynote

UPDATE: I spoke with Microsoft’s Betsy Frost Webb about the rumor that I heard this morning and she neither denied nor admitted the ‘so called’ deal with IBM, which tells me that a pending deal is coming. A source told me that an announcement will come Thursday from Microsoft and IBM here at VoiceCon about a Unified Communications partnership. On Twitter Damien Mulley was saying that there were rumblings about an IBM and Microsoft ‘cloud deal’. I’m not sure this is the same thing.

November 10, 2008

Bold Choices In Technology Makes Winners

Filed under: BroadDev, Networking, Security, UC — John Casaretto @ 11:40 am

Gloomy news abounds in a down economy. Signs are everywhere in many sectors of the technology spectrum.

The social networking site LinkedIn is laying off 10% of its workers. Dell has asked personnel to voluntarily take unpaid leave. Apple is supposedly scaling back its iPhone production. John Furrier earlier reported on Cisco’s earnings problems.  Many mid-size companies have discovered that placing their infrastructures in managed hosting environments has given them cost advantages.  Other companies are pre-emptively cutting back behind the scenes, canceling planned expenses for the quarter, scaling back hiring goals, postponing projects, etc.

Plenty of the problems are based on uncertainty and faith in the economy in general.  On the other hand plenty of companies survived or even thrived during past cycles.  The difference is preaching value and advantage.  We have before our eyes a number of bleeding-edge technologies that offer advantages to businesses large and small.

And this perspective is not exclusive of conservative budgets.  The realization of value, effectiveness, and most importantly optimization is paramount for those companies that look to tighten the belt in the technology realm.

Take some of the recent Microsoft news.  They are now offering a program that provides free software to start-up businesses, and from the observer’s point of view it is meant to stave off an exodus to open-source software in a capital- and credit-challenged environment.  In the infrastructure realm, Microsoft is leveraging the optimization of existing and breakthrough technologies to cut costs in terms of deployment, maintenance, and security.  Part of this optimization path includes integrating layers of technology to satisfy technology initiatives like Unified Communications, Systems Manager and Sharepoint.  Their strategy is to draw out an idealized spectrum from basic infrastructure implementation to an idealized dynamic configuration: the state in which return on infrastructure, messaging, and security is maximized.

As a VAR, consultancy, IT manager, whatever, ASK yourself:  What do you offer, who do you offer it to and what is the return?   What are my customers seeing?    What is my customer’s satisfaction?  Why would they choose me?  Do I have confidence that our service is the best we can do for our customer?

There is plenty of hard data available that supports the cost advantages.  Sales teams tout these statistics freely.  The key is to get the relationship, the satisfaction of goals, and the technological foundation presented to the right people.  That is where the renewed confidence in technology lies.  On the front lines, people like us touting the advantages every day.  Managers pushing through contracts, enterprises aligning with blazing new technology, any company that chooses to advertise, small businesses realizing that technology can be the edge that gets them to profit.  The businesses and people that come out on top make bold moves, correct moves, in times of economic crisis.  CHOOSE TO BE BOLD - and you will reap the benefits.

I definitely have continued thoughts to share on this and will post more on this matter.

Worldwide Survey: Most DNS Servers And Systems Vulnerable to Attacks

Filed under: BroadDev, Security, virtualization — John Furrier @ 7:29 am

One in Four Servers Still Unpatched for the Kaminsky Vulnerability and Many More Open to Recursion

The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the fourth-annual survey of domain name servers on the public Internet.

Top-line results indicate that despite the fact that most organizations are running recent versions of BIND and no longer using Microsoft DNS Servers for their external DNS servers, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers. In addition, many still have not upgraded to the latest DNS software to protect against the recently discovered Kaminsky vulnerability and associated risk of DNS cache poisoning.

“Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack,” commented Cricket Liu, Vice President of Architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003. “Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages.”

DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request, whether for Web browsing, email, ecommerce, or cloud computing. Should an enterprise or organization’s DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company’s Web presence, inability of employees to access any outside Web services, and perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.

Following are the key 2008 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.

GOOD NEWS

--  90% of name servers that run BIND run one of the most recent versions
    of BIND 9; a small but significant number of administrators continue to run
    older versions of BIND on Internet-facing name servers, putting their
    organizations at risk.

--  Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007);
    usage of unsecure Microsoft DNS Servers connected to the Internet is
    vanishing.

--  Support for Sender Protection Framework (SPF) within DNS for spam
    reduction increased from 12.6% of zones sampled to 16.7%; despite the
    complexity of SPF configuration, validating email senders is increasing in
    importance and organizations are taking email fraud seriously.

BAD NEWS

--  One in four DNS servers does not perform source port randomization --
    the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the
    Internet's DNS community to encourage administrators to upgrade their name
    servers after the announcement of the Kaminsky vulnerability paid off;
    however, a surprising number have not been upgraded and are very vulnerable
    to cache poisoning.

--  More than 40% of Internet name servers allow recursive queries; there
    are still millions of open recursors on the Internet, a danger both to
    themselves and others -- they are vulnerable to cache poisoning and
    Distributed Denial of Service attacks.

--  30% of DNS servers surveyed allow zone transfers to arbitrary
    requestors; this leaves servers as easy targets for denial-of-service
    attacks.

--  Only .002% of DNS zones tested support DNSSEC; administrators have not
    been convinced of its importance -- perhaps intimidated by its complexity
    -- but new mandates could mean a significant change in the near future.

MISC.

--  Usage of IPv6 name servers continues to increase from .27% to .44%;
    while enterprises are investigating IPv6 and concerned about increasingly
    scarce IPv4 address space, adoption of IPv6 is still low -- address
    scarcity isn't yet considered a serious concern and they feel no urgency to
    adopt IPv6.

Call to Action

Based on these statistics, there are some clear calls to action for organizations with external DNS servers. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure. Infoblox provides a number of free, automated tools that enable organizations to test their DNS infrastructure and identify weaknesses and vulnerabilities.
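The survey's three configuration findings (open recursion, open zone transfers, and resolvers that still use a fixed query source port) can each be checked on your own servers before someone else does. The script below is an added example, not Infoblox's or The Measurement Factory's tooling: it audits a BIND 9 `named.conf` fragment for the weak settings, shown beside a hardened one, and classifies the UDP source ports seen on a resolver's outbound queries (for instance, read from a packet capture) as fixed, sequential or randomized. The config fragments, ACL names and port samples are constructed for this example.

```python
"""Added example (not the survey authors' tooling): DNS configuration audit."""
import math
import random
import re
from collections import Counter

# Constructed sample 1: an Internet-facing authoritative server that still
# recurses for anyone, hands its zones to anyone, and pins its query port.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
    query-source address * port 53;
};
"""

# Constructed sample 2: the same server with the survey's advice applied
# (no recursion on an authoritative server; transfers only to known secondaries).
HARDENED_CONF = """
acl secondaries { 192.0.2.53; 198.51.100.53; };
options {
    directory "/var/named";
    recursion no;
    allow-transfer { secondaries; };
};
"""


def _statement(conf, name):
    """Value of the first `name ...;` statement, or None if absent.

    The lookbehind rejects a leading '-' so that asking for `recursion`
    does not match inside `allow-recursion`."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+([^;]+);", conf)
    return m.group(1).strip() if m else None


def _unrestricted(value):
    # Absent is treated as unrestricted: BIND's default for allow-transfer is
    # `any`, and older BIND 9 releases defaulted allow-recursion to `any` too.
    return value is None or re.search(r"\bany\b", value) is not None


def audit_named_conf(conf):
    """Return the survey's findings that apply to an authoritative BIND 9 server."""
    findings = []
    if _statement(conf, "recursion") != "no" and _unrestricted(_statement(conf, "allow-recursion")):
        findings.append("open recursor: recursion is allowed for any client")
    if _unrestricted(_statement(conf, "allow-transfer")):
        findings.append("open zone transfer: allow-transfer is unrestricted")
    query_source = _statement(conf, "query-source")
    if query_source and re.search(r"\bport\s+\d+", query_source):
        findings.append("fixed query-source port: source port randomization is disabled")
    return findings


# Constructed samples: UDP source ports of 24 consecutive outbound queries
# from three different resolvers.
FIXED_PORTS = [53] * 24
SEQUENTIAL_PORTS = list(range(32768, 32792))
RANDOM_PORTS = random.Random(2008).sample(range(1024, 65536), 24)


def port_entropy_bits(ports):
    """Shannon entropy of the observed source-port distribution."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def classify_source_ports(ports):
    """Classify as 'fixed', 'sequential', 'randomized' or 'low-entropy'.

    Sequential ports look diverse but are as guessable as a fixed port, so they
    are checked before the entropy test."""
    if not ports:
        raise ValueError("no ports observed")
    if len(set(ports)) == 1:
        return "fixed"
    deltas = {b - a for a, b in zip(ports, ports[1:])}
    if len(deltas) == 1:
        return "sequential"
    full = math.log2(len(ports))  # entropy if every observed port were distinct
    return "randomized" if port_entropy_bits(ports) >= 0.9 * full else "low-entropy"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or ["no findings"])
    for label, ports in (("fixed", FIXED_PORTS), ("sequential", SEQUENTIAL_PORTS),
                         ("random", RANDOM_PORTS)):
        print(label, classify_source_ports(ports), round(port_entropy_bits(ports), 2))
```

The config audit is deliberately conservative (an absent `allow-recursion` counts as open), which is the right bias for an external server; the port classifier needs a few dozen observations to be meaningful, and a resolver that reports "randomized" here still deserves the full set of survey recommendations, since port randomization raises the cost of cache poisoning rather than eliminating it.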
