The Legal Battle for the Internet

With recent issues like Net Neutrality (preventing content providers from gaining an unfair advantage over each other via carrier-level agreements) and the debate over the use of unallocated wireless radio frequencies after the switch to digital television, the developments over the last 6 weeks on the Internet front are not surprising. The Stop Online Piracy Act (SOPA) floated to the top of tech and art news, backed by MPAA on intellectual property and licensing grounds, opposed by leading Internet companies at the forefront of information sharing and content delivery.

Claims made by both sides are valid in their motivations, but the bill (H.R. 3261) does not seem to serve either camp well. POPVOX has some good information about what each side says on this particular bill. Also check out some of the news and positions that have developed via the links below:

Advocacy Groups

Blog Posts from Significant Stakeholders, against SOPA

Blog Posts from Significant Stakeholders, for SOPA

Commentaries

Significant Stakeholders

These companies and organizations are at the forefront of discussions opposing SOPA.
These companies and organizations are at the forefront of discussions supporting SOPA.
Update: Scribd is hosting a collection of SOPA/PIPA documents.


Registered Linux User #370740 (http://linuxcounter.net)

WiFi network usage over holidays

US-CERT has published a bulletin advising caution when using wireless-enabled devices as you travel over this holiday season. Read the full article at the US-CERT website.

This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).

Registered Linux User #370740 (http://linuxcounter.net)

C|NET Download.com Malware

Fyodor of the nmap project at insecure.org announced this week that C|NET has been wrapping the proper nmap software installer in a malware-installing application that in turn downloads and installs nmap. The collateral effects of what users download from C|NET include all sorts of adware/spyware toolbars, and the suspicious point is not only that users download something other than what they expect and have expressly requested, but the C|NET download is crafted so as to have the same file size as the legitimate installer, which would be verifiable elsewhere for vigilant users.

This is an outrage to the open source community, which is built on trust and openness, and severely undermines the reputations of security software vendors, whose products may be misunderstood by more novice users as being "viruses" or the like. What it amounts to is a man-in-the-middle attack (though not in the cryptological sense of the phrase), which may or may not be perceived as such by ordinary users.

What is more disheartening is that this is a blanket policy - that C|NET actually wraps all software downloads with this malware.

Let's make some noise and rally for integrity of values and for those who have tremendous influence as distributors of software to stand up for praiseworthy computing practices at a time in our collective history that is so very much necessary.

Find Fyodor's email and the Nmap project's Download.com Fiasco page on www.insecure.org.


Registered Linux User #370740 (http://linuxcounter.net)

Protect Against Online Scams

The US-CERT has published (once again) their advisory concerning online scams that are so prevalent during this shopping season. Please have a read to protect yourself!


http://www.us-cert.gov/current/index.html#holiday_season_phishing_scams_and

This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).

Registered Linux User #370740 (http://linuxcounter.net)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.us-cert.gov/current/index.html#holiday_season_phishing_scams_and
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (Darwin)

iEYEARECAAYFAk7ZSSkACgkQQ1w9EhddFvYBewCeNubNTy2rjWPcNZYHMPgLtGqK
1PUAoK5wUQc7Ugo+dL9NXQmyUlqbB/ud
=qEpa
-----END PGP SIGNATURE-----

Amazon and Cloud Computing

Having used Amazon Web Services (AWS) for a class project and more recently compared cloud-based virtual private servers for ease of provisioning, administration, and use as a web development sandbox in both Windows Server and Linux operating systems, I receive regular updates from AWS about new service offerings. It strikes me that every couple weeks Amazon introduces a new feature or enhances an existing service. I did a quick search of my Gmail account to see if my impression was true.

I found that I had received 50 emails from AWS over the last year, which makes them weekly on average. The AWS newsletter came out mid-month, and a couple customer satisfaction surveys sprinkled in there, but about 30 emails over the last year announced a new service (Elastic this, Elastic that) or an enhancement to an existing service (like today's SMS [short message service aka text message] addition to the SNS [simple notification service] offering). That's a lot of growth in features! But AWS repeatedly receives negative reviews on points including security, ease of provisioning, and performance. Visiting the AWS website also shows the wide range of service offerings to be as daunting as a McDonald's menu! I definitely prefer Rackspace's In 'N Out Burger style no-nonsense service, though they are occasionally wanting in features that AWS does provide.

It's interesting that to make up for the "dedicated" features that AWS provides but Rackspace lacks, you simply add that feature to your CloudServer. The elementary infrastructure components of computing and storage are both provided at Rackspace: CloudServers and CloudFiles (Amazon provides Elastic Compute Cloud (EC2) and Simple Storage Service (S3) or Elastic Block Storage (EBS)). Amazon provides a few cloud database components in addition, which may make peoples' lives easier in some ways and more difficult in others. MediaTemple provides service-oriented components - you can order up a cloud web server or database server or application server (i.e. Java, Python, Ruby apps), and these are all provided as scalable "grids" of each service, which seems to abstract one level further, making it easier to get the services that you need while sacrificing some of the customizability that AWS and the Rackspace Cloud offer. Amazon then piles on a whole host of cloud technologies to facilitate networking a cluster of virtual servers, caching content on their CDN, sending various kinds of notifications to clients, monitoring your cloud network, and way, way more - just drop down the top navigation on the website to see what I mean.

The point is, with all that Amazon does currently, including the online store and the whole Kindle world, they have required an extensive computing foundation just to maintain their business, and they're putting all of that innovation to work, making it available to the public and charging for it, too. I suppose it's a useful service that they provide to the computing community, and their products are well-used, but personally, Amazon's setup is far too complex for me to seriously consider choosing them over a simpler virtual private (web) server provider any time in the near future. Maybe for a heavier business application I might consider it...

Registered Linux User #370740 (http://linuxcounter.net)

Security Breaches!

So many columnists have written about security breaches this year and last; the cat and mouse game seems to have favored the cat more than the mouse recently.

With major attacks against Google and the distributed denial of service (DDoS) attacks against Amazon and PayPal last year, plus major attacks against security vendors and now the most prominent organizations in the open source community - kernel.org, linux.com, and linuxfoundation.org. These most recent attacks were apparently not as targeted at stealing certain information. Because of this, and the sloppiness of the attackers, the breaches were discovered and fixed.

This is indicative to us general users that we need to understand how many layers of components are involved in our daily computing tasks. Every layer is susceptible to various kinds of attacks, and we need to understand how each layer is related to the others in order to knowledgeably protect ourselves. It often comes down to the password being irrelevant, due to weaknesses present in various system software that can gain access without it, so we need to keep a close watch on the vendors of the various software we run, securely obtain updates to the software, and ensure that they are always working as expected. We can also be easily misled by carefully-constructed social engineering attacks that, while not targeted at individual persons, do expose individual persons' information, in various forms, to parties with eventual malicious intent.

Social engineering is a method of using existing social relationships and perceptions to glean information that would not simply be given out otherwise. An email claiming to be from your bank or other service provider asking for your credentials in order to repair your account is an obvious breach of your trust; you should instead use your own means to contact your bank and verify the integrity of your account. Links provided in emails that allegedly take you directly to certain information within your account (but which will require you to log in) should immediately be suspect. Instead, visit the homepage of the site, access your account (preferably logging in via https), and then locate the information mentioned in the email notification. The US-CERT (US Computer Emergency Readiness Team) publishes frequently on safe behavior in cyberspace, and it is important that not only IT professionals and those responsible for big businesses or critical infrastructure, but also individual consumers observe these safe practices.

Be safe!

Registered Linux User #370740 (http://linuxcounter.net)

Google, Operating Systems, and Clouds

I have blogged recently about IPv6, actually twice in a row! Time for a little change in that department.

I have said a few times that in the computing industry, we often see a proliferation of multiple tools responding to the same need, which starts to confuse consumers (beginning with those in software development and trickling down to the average user). A few years into the proliferation cycle, the winners start buying up the competition or incorporating their feature sets into their own product. This consolidation phase builds a platform for future growth and provides an implicit standardization mechanism for the industry as a whole.

It is interesting, however, to notice how much Google has done in recent years to insert itself into markets previously untouched by Google. They moved from just web search at the beginning into various web-based software segments with rich applications like Gmail and Google Docs; Analytics and Web History were organic developments along the web search line, but nevertheless revolutionary for us consumers of the web. Google internally develops all kinds of solutions catalyzing its use of hardware and software with its BigTable distributed storage system and MapReduce distributed computation engines. It supports open source development with Google Code resources and dynamic web applications testing and deployment with the AppEngine. It has developed a few programming languages from scratch and made countless improvements to other languages. And it has provided a huge percentage of the development team at Facebook, in the way of former Google employees.

Google is also leading the way in terms of clean and effective user interfaces! I logged into my Blogger account today to find that it, too, has been refreshed to the new Google interface, which is more compatible with touch-screen devices and includes lots of HTML5/CSS3 glory. Compared to the new Analytics interface, I am loving the new Blogger interface. Calendar has taken some getting used to, but I'm comfortable with it now. I am glad they haven't gone the way of the Ribbon, however. Speculations about key features in Windows 8 sound like there are plenty of improvements and the Ribbon may actually become more practical. Microsoft is catering to a different audience than Apple, and I think the divergent paths here settle the age-old niche argument. My feeling about OS X Lion (10.7) is that it is becoming more of "grandma's OS" and even less useful for the creative community than before. FinalCut Pro is a glaring example of feature-set reductions that have raised all kinds of commotion in the community. Check out Ars Technica's extensive review. There are so many ground-breaking innovations in operating system design, I don't know what do think of it all. Windows 8, on the other hand, sounds to be more useful and productive for every segment of users from mobile devices, touchscreen devices, and the ordinary desktop, in the way of organic developments of core and familiar features. An official blog post echoes these observations.

Cloud computing, on the other hand, is soaring like crazy with so many providers out there that it is extremely difficult to keep track of them all. Amazon alone is a best with an elastic-everything offering from traditional computing units and storage units to MapReduce units and statistics and monitoring. I am glad I stuck with Rackspace Cloud, however. A quick test of deployment speed and simplicity between Amazon's EC2 and Rackspace CloudServers for Windows Server 2008 R2 64-bit proved Rackspace as the clear leader in both categories. It was both up and running sooner and easier to access. No configuring EC2 security groups or downloading cryptographic keys and a far simpler web-based management interface than EC2. So if I need a Windows machine elsewhere in a snap, Rackspace is my 15-minute solution. I can also set up an automated deployment process for myself using my existing linux CloudServer to host necessary files on the Rackspace Cloud and take advantage of free internal transfers; I would essentially become my own mirror and therefore only leave my expensive Windows server ($.08/hr) up when needed, configuring only what is necessary on the fly.

Well, this is a long article for a Saturday morning, so we'll just leave it all at that. Happy computing!


Registered Linux User #370740 (http://linuxcounter.net)

World IPv6 Day

... and it's here! Today, June 8, 2011 (as of about half an hour ago GMT), is World IPv6 Day, sponsored by the Internet Society. Many major corporations are offering their content (or some of it) over IPv6 for the next 24 hours. Head over to the main event page and get yourself on IPv6 and check out some sites over it! My personal favorite test page for IPv6 connectivity is actually http://ipv6-test.com/, not the ISOC-recommended http://test-ipv6.com/. The former also has a ping and website test that will verify that a web server is running at the v6 address that a domain resolves to. You can check my websites - they're up on IPv6 now!

Sadly my home connection is no longer tunnellable to IPv6. DSL Extreme needs to get their act together and offer such a simple service. I wonder why it is that I can't even tunnel out over IPv4...

Registered Linux User #370740 (http://counter.li.org)

IPv6

This is a hot topic, I know, but I just have to bite. Apparently IANA gave away the last /8 (Class A) subnet to regional registries in February, so the scramble for those last address blocks is happening right now.

The Internet Society (http://www.isoc.org) is organizing World IPv6 Day to encourage a concerted step toward making content available via IPv6.

I decided to do my part and set up an IPv6-over-IPv4 tunnel to my spiffy cloud server (on the Rackspace Cloud) and also try out a tunnel to my currently fluctuating residential Internet connection. I then proceeded to verify my configuration (networking is really fun, especially when the "route" command I expected to use to show me whether I had a mapped route for IPv6 addresses to the shiny new Internet gave way to a "-r" option to "netstat"... guess I didn't know BSD well enough).

I am happy to conclude that I can verify bi-directional IPv6 connectivity via my tunnels! I first found freenet6 but then heard that Hurricane Electric is also a good provider, and I chose to go with HE's http://www.tunnelbroker.net

OpenDNS (a personal favorite) also released a sandbox IPv6 recursive DNS service, so I tossed that one into my DNS resolver list, too, and things are looking good (but limited of course, because so many domains are not yet IPv6 enabled).

I ran into a little hitch when trying to add the quad-A (AAAA) records to my domain's DNS configuration so that I can participate in World IPv6 Day. Unfortunately, Network Solutions did not yet add IPv6 records management to their administrative interface, so I have to make the change by email (and the link is impossible to find on the site... it's listed not next to the records management but next to the nameserver management, and though the docs refer to advanced configuration all over the place, you actually have to go to the normal configuration page to get the email address and instructions).

The most surprising thing for me learning about IPv6 so far is that the address space is actually the current space squared TWICE! I guess it is trivial, being IPv4 is a 32-bit address space and IPv6 is a 128-bit space - increasing by powers of 2 because of the binary format. There are more /64 subnets than people on the planet (with as many addresses within them), whereas the IPv4 space is about 60% of the world population (and we already used it up... hm... greedy? only 1.5 billion people are online, using up 4.5 billion addresses).

What I think is a more interesting discussion is the assignment and verification of ownership of IPv6 address blocks and addresses - there is more security built into the protocol, but I am curious especially during the migration stage how all this will be accomplished.


Registered Linux User #370740 (http://counter.li.org)

Beware the Malware

US-CERT just released this cautionary notice about email-based scams related to the topic of Osama bin Laden's death. Please read this official publication from the United States Computer Emergency Readiness Team. To be really safe, what you would do is go to a trusted website and locate the official website of this organization there, then navigating to locate the information I refer to - to simply click on my link would be the precise problem the CERT is warning us about! But here's the link anyway:

http://www.us-cert.gov/current/index.html#osama_bin_laden_s_death

This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).

It is really sad that there are people out there with the technical resources and knowledge to prey on the hype of the media with malicious intent. Over-sensationalized (or even false) journalism and reporting are bad enough; let us not turn them into a vehicle for fraud and identity theft, as well!


Registered Linux User #370740 (http://counter.li.org)

US Tax Season Phishing

The US-CERT released a bulletin today addressing tax season phishing scams that we should all look out for. Read the bulletin at the US-CERT website.

This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the Department of Homeland Security (DHS).

Registered Linux User #370740 (http://counter.li.org)

Facebook

Paul Nguyen's Facebook profile

Nerd Test

v1.0:
I am nerdier than 94% of all people. Are you a nerd? Click here to take the Nerd Test, get nerdy images and jokes, and talk on the nerd forum!
v2.0:
NerdTests.com says I'm an Uber Cool High Nerd.  Click here to take the Nerd Test, get nerdy images and jokes, and write on the nerd forum!

Bloggers' Rights

Bloggers' Rights at EFF