Sam Johnston

HOWTO: Fix OS X by uninstalling Adobe Flash

samj@samj.net (Sam Johnston) — Wed, 11 Nov 2009 20:20:12 PST

Adobe Flash just ruined my day for the last time... I've just arrived in Paris and needed to do some work before a meeting this afternoon. As it's noisy here I didn't hear the MacBook's fans running at full speed trying to compensate for a single rogue Flash ad in a tab in Google Chrome. The result was that my full 4 hour battery was reduced to less than 40 minutes and I now have no chance of getting everything I wanted to do done. Instead I'm going to use the remaining 20 minutes to tell you how to rid yourself of Flash once and for all, and in doing so enjoy the following benefits:

Significantly improved security (Snow Leopard even shipped with a vulnerable Flash player!)
Significantly improved performance (Flash regularly consumes most of the resources of even the most powerful machines)
Significantly longer battery life (the CPU consumes a lot more energy when it is busy)
Significantly less noise (MacBooks crank up the fans to deal with the extra heat)
No more annoying and invasive advertisements (virtually all of the most annoying ads are Flash)
Less distractions (while sites like YouTube have legitimate uses, the overwhelming majority of time spent there is procrastination)
A better Internet (Adobe's penetration figures are already complete bullshit but by voting NO to Flash you're sending developers a strong message)
An open Internet (Adobe Flash is a proprietary plugin that hampers the adoption of open standards like HTML 5)
A level playing field with one less monopoly (Adobe was the first company to achieve near-ubiquitous penetration rate with a proprietary plug-in, and it will hopefully be the last. Late entrants like Silverlight don't stand a chance because there is just no incentive.)

Without further ado (as I'm running out of juice):

Download the Adobe Flash Player uninstaller for your system (e.g. uninstall_flash_player_osx.dmg)
Open the Flash Player Uninstaller:
Authenticate:
Watch:
Done:
Enjoy a Flash-free computing experience (it only takes about 30 seconds).

PS: You might be surprised to find that (provided you're using a recent browser like Safari 4, Chrome, Firefox 3.5, etc.) videos such as those at Apple.com (including the Get a Mac ads) as well as sites like DailyMotion's OpenVideo will "just work", natively, in the browser, without Flash. That's the future right there...

PPS: For the fanbois on whom the message that I'm not interested is lost, feel free to flame away below. The demise of Flash is going to happen, probably sooner than you would like, so why endure another day?

Update: After 2 weeks without Flash I've had far fewer problems, can open many more tabs and have not had to restart my browser at all. Even YouTube has its own HTML5 video demo pages up now so it's only a matter of time before Flash will be relegated to the wonderful world of Internet advertising. For those who are stuck with Flash for whatever reason I recommend ClickToFlash which at least prevents it from being loaded without user interaction.

A quick word on Windows 7 launch parties...

samj@samj.net (Sam Johnston) — Thu, 29 Oct 2009 03:24:30 PDT

Many of you have already seen this cringeworthy video of some PR flak's interpretation of what a "Windows 7 Launch Party" should look like:

Unsurprisingly they fizzled as a "complete and utter failure", but we didn't hear much about this - either because so few were held or because of the reams of legalese that apparently even those RSVPing had to commit to.

Remember high school--cool kids went to parties and had fun while nerds hung out at math club and played Dungeons and Dragons? Well, the two don't mix. Hosting a party where you play Dungeons and Dragons or discuss algebraic functions doesn't make you cool just because you put the word ‘party' on it.

Apple is cool. Microsoft is not.

Thanks Krishna Subramanian, Devan Sabaratnam and YouTube's badicalindustries for this blast from the past:

The critique writes itself. Learn from your mistakes people.

An open letter to the NoSQL community

samj@samj.net (Sam Johnston) — Tue, 27 Oct 2009 10:23:09 PDT

Following some discussion on Twitter today I posted this thread to the nosql-discussion group. You can see the outcome for yourself (essentially, and unsurprisingly I might add, "please feel free to take your software and call it whatever you want").

While I don't want to mess with their momentum (it's a good cause, if branded with an unfortunate name) this isn't the first time the issue's been raised and I doubt it will be the last. I do however think that "no SQL" is completely missing the point and that the core concern is trading consistency for scalability. At the end of the day developers and users will deploy what is most appropriate for the task at hand.

There'a already been a question about alternatives to SQL, and knowing how Structured Query Language (SQL) came to be (consider the interfaces before it existed and compare that to what we have today) I figure it's only a matter of time before history repeats itself and we end up creating something like Cloud Query Language (CQL) (a deliberate play on words). The closer this is to ANSI SQL the better it will be, both in terms of technology reuse and of the bags of bones that need to understand how it works... for the same reason the Open Cloud Computing Interface (OCCI) tries very hard to be as close as possible to HyperText Transfer Protocol (HTTP).

---------- Forwarded message ----------
From: Sam Johnston
Date: Tue, Oct 27, 2009 at 3:33 PM
Subject: An open letter to the NoSQL community
To: NoSQL

Afternoon NoSQLers,

I write to you as a huge fan of next generation databases, but also as someone who doesn't associate in any way with the "NoSQL" moniker. I don't particularly care for SQL and appreciate the contrived contention it creates, but I think it misses the point somewhat and alienates people like myself who might otherwise have been drawn to the project.

I assume that by "NoSQL" we're referring to the next generation of [generally cloud-based] databases such as Google's BigTable, Amazon's SimpleDB, Facebook's Cassandra, etc., in which case the issue is more the underlying model (e.g. ACID vs BASE), where we are ultimately trading consistency for scalability.

To me this has nothing to do with the query language (which would still arguably be useful for many applications and which may as well be [something like] SQL, albeit adapted), nor the relational (as opposed to navigational) nature of the data (which is still the case today - it's just represented as pointers rather than separate "relation" tables), and to focus on either attribute is missing the point. This is particularly true with today's announcement of Amazon RDS.

Perhaps it's too late already, but I'd like to think we can come up with a more representative name to which everyone can associate (and which isn't so scary for fickle enterprise customers). There's already been a couple of decent suggestions, including alt.db, db-ng, NRDB[MS], etc.

Sam
http://samj.net/

Twitter's down for the count. What are we going to do about it?

samj@samj.net (Sam Johnston) — Tue, 27 Oct 2009 05:53:17 PDT

What's wrong with this picture?

There's not a single provider for telephony (AT&T, T-Mobile, etc.)
There's not a single provider for text messaging (AT&T, T-Mobile, etc.)
There's not a single provider for instant messaging (GTalk, MSN, AIM, etc.)
There's not a single provider for e-mail (GMail, Hotmail, Yahoo!, etc.)
There's not a single provider for blogging (Blogger, Wordpress, etc.)
There's not a single provider for "mini" blogging (Tumblr, Posterous, etc.)
There IS a single provider for micro blogging (Twitter)
And it's down for the count (everything from the main site to the API is inaccessible)
And it's been down for an Internet eternity (the best part of an hour and counting)

What are we going to do about it?

How lobbyists are denying you a voice and destroying democracy

samj@samj.net (Sam Johnston) — Sat, 24 Oct 2009 03:59:13 PDT

I came across an unsurprising but nonetheless disconcerting revelation today that is gives a very good example of what most of us knew all along: that "public comment" process are routinely subverted by commercial interests, generally at the public's expense. It comes in the form of a smoking gun courtesy DSL Reports: Who Knew Senior Citizens Hated Net Neutrality?

There is currently an extremely important battle underway over securing Net Neutrality regulations and another where big media are actively attacking (by way of three-strikes policies like HADOPI in France) what is fast becoming a legal right: broadband access (thanks to Finland for getting the ball rolling: Fast Internet access becomes a legal right in Finland).

Us (US?) consumers recently had a big win with the FCC getting on board the Open Internet bandwagon but not afraid to flog a dead horse, industry lobbyists have rolled out an army of puppets parroting their position; that Net Neutrality is somehow opposed to broadband adoption (which could not be further from the truth). In this case it's the Arkansas Retired Seniors Coalition, purporting to represent (surprise, surprise) retired seniors in Arkansas, ignoring the fact that your average senior quite probably doesn't know what net neutrality is, let alone care about it!

They do care about Internet access though and as the slowest state in the south all it would take would be a seemingly suitable scapegoat and you'd have pitchforks in the streets. My guess is they don't even know the position taken by their representatives which makes this letter sent on their behalf at least deceitful:

Arkansas Retired Seniors Coalition Net Neutrality Letter

The problem which such astroturfing is that it makes public opinion both harder to reliably collect and easier to dismiss. Such shenanigans appear far more prevalent in the US than other countries I've lived in, but regulations there (e.g. DMCA) tend to flow on to the rest of us eventually so it's in everyone's interest to have their say.

There really should be something done about the issue, however most solutions are relatively difficult to enforce. Examples include requiring a statutory declaration component such that egregious abuses can be punished (and to make people think twice about misrepresenting others), or requiring the individuals represented to make an overt act such as signing a petition. Rejecting messages that are too similar, and therefore obviously templates, raises the bar somewhat but does not stop determined attackers.

The long term solution likely comes in the form of digital identity, whereby each individual can be reliably authenticated and the cost of involving them in decisions trends towards zero. As referendums are extremely expensive and inefficient (despite the availability of technology that could put them within reach for routine decision-making) we appoint representatives who we hope will accurately reflect our views on each of the topics. Obviously this is rare - for example your representative might share your views on fiscal policy but reject gay marriage in which case you have to choose what is more important to you.

An arguably better solution is where individuals can take part in all decisions they care about, which is called a direct democracy (or pure democracy), and the use of technology to achieve better representation is a separate but related concept known as e-democracy. We should be paying more attention to both as it's like we only got half way there by establishing representative democracies in most of the western world.

Cloud or Not?

samj@samj.net (Sam Johnston) — Tue, 13 Oct 2009 01:19:45 PDT

As it seems people still just don't get what is, and what is not (*cough*Sidekick*cough*) cloud computing, I've put together a (tongue-in-cheek) flowchart to help you decide:

If it's dangerous it's NOT cloud computing

samj@samj.net (Sam Johnston) — Mon, 12 Oct 2009 05:32:29 PDT

Having written something similar over the weekend myself (How Open Cloud could have saved Sidekick users' skins) I was getting ready to complement Reuven Cohen on his latest post (really), but fear-mongering title aside (Cloud Computing is Dangerous) I was dismayed to see this:

"Let's call it what it is, it's a cloud app -- your data when using a Sidekick is hosted in some elses data center."

I simply can not and will not accept this, and I'm not the only one:

Help me out here. I'm seeing really smart people I totally respect jump on this T-Mobile issue as a "Cloud" failure. Am I losing my mind?

Reuven: I'm disappointed that you feel this way, particularly as people (for better or worse) do actually listen to what you have to say. As such you owe it to the community you [unofficially] represent to think (or better yet, ask) before you speak on its behalf - what you consider "partly kidding" others take very seriously. I'd swear I spend half my life cleaning up after things like the Open Cloud Manifestation (albeit granted if we all agreed from the outset we'd have nothing to talk about!).

For a start, Sidekicks predate cloud by 1/2 a dozen *years*, with the first releases back in 2001. Are we saying that they were so far ahead (like Google) that we just hadn't come up with a name for their technology yet? No. Is Blackberry cloud? No, it isn't either. This was a legacy n-tier Internet-facing application that catastrophically failed as many such applications do. It was NOT cloud. As Alexis Richardson pointed out to Redmonk's James Governor "if it loses your data - it's not a cloud".

While I know that this analogy is inconvenient for some vendors it works and it's the best we have: Cloud is resilient in the same way that the electricity grid is resilient. Power stations do fail and we (generally) don't hear about it. Similarly datacenters fail, get disconnected, overheat, flood, burn to the ground and so on, but these events should not cause any more than a minor interruption for end users. Otherwise how are they different from "legacy" web applications? Sure, occasionally we'll have cloud computing "blackouts" but we'll learn to live with them just as we do today when the electricity goes out.

As a more specific example, if an Amazon DC fails you'll lose your EC2 instances (the cost/performance hit of running lock-step across high latency links is way too high for live redundancy). However the virtual machine image itself should be automagically replicated across multiple geographically independent availability zones by S3 so it's just a case of starting them again. If you're using S3 directly (or Gmail for that matter) you should never need to know that something went wrong.

But Salesforce predates cloud by almost a decade you say? This data point was a thorn in my side until I found this article (Salesforce suffers gridlock as database collapses) and the associated Oracle press release (Salesforce.com’s 267,000 Subscribers To Go On Demand With Oracle® Grid). With wording like "one of its four data hubs collapsed" in what "appears to be a database cluster crash" I'm starting to question whether Salesforce really is as "cloudy" as they are claim (and are assumed) to be. Indeed the URL I'm staring at as I use Salesforce.com now (https://na1.salesforce.com/home/home.jsp - emphasis mine) would suggest that it is anything but. NA1 is one of 1/2 a dozen different data centers and their "cloud" only appears as a single point when you log in (http://login.salesforce.com/) at which time you are redirected to the one that hosts your data. Is it any wonder then that it's Google and Amazon that are topping the surveys now rather than Microsoft and Salesforce?

Don't get me wrong - Salesforce.com is a great company with a great product suite that I use and recommend every day. They may well be locked in to a legacy n-tier architecture but they do a great job of keeping it running at large scale and I almost can't believe it's not cloud. I see it as "Software. As a Service", bearing in mind that it's replacing some piece of software that traditionally would have run on the desktop by delivering it over the Internet via the browser. SaaS is, if anything, a subset of cloud and I'm sure that nobody here would suggest that any old LAMP application constitutes cloud. But we digress...

I honestly thought we had this issue resolved last year, having spent an inordinate amount of time discussing, blogging, writing Wikipedia articles and generally trying to extract sense (and consensus) from the noise. I was apparently wrong as even our self-appointed spokesman has foolishly conceded that what can only really be described as gross negligence in IT operations and a crass act of stupidity is somehow a failure of the cloud computing model itself. I agree completely with Chris Hoff in that "This T-Mobile debacle is a good thing. It will help further flush out definitions and expectations of Cloud. (I can dream, right?)" - it's high time for us to revisit and nail the issue of what is (and more importantly, what is not) cloud once and for all.

How Open Cloud could have saved Sidekick users' skins

samj@samj.net (Sam Johnston) — Sun, 11 Oct 2009 06:44:26 PDT

The cloud computing scandal of the week is looking like being the catastrophic loss of millions of Sidekick users' data. This is an unfortunate and completely avoidable event that Microsoft's Danger subsidiary and T-Mobile (along with the rest of the cloud computing community) will surely very soon come to regret.

There's plenty of theories as to what went wrong - the most credible being that a SAN upgrade was botched, possibly by a large outsourcing contractor, and that no backups were taken despite space being available (though presumably not on the same SAN!). Note that while most cloud services exceed the capacity/cost ceiling of SANs and therefore employ cheaper horizontal scaling options (like the Google File System) this is, or should I say was, a relatively small amount of data. As such there is no excuse whatsoever for not having reliable, off-line backups - particularly given Danger is owned by Microsoft (previously considered one of the "big 4" cloud companies even by myself). It was a paid-for service too (~$20/month or $240/year?) which makes even the most expensive cloud offerings like Apple's MobileMe look like a bargain (though if it's any consolation the fact that the service was paid for rather than free may well come back to bite them by way of the inevitable class action lawsuits).

"Real" cloud storage systems transparently ensure that multiple copies of data are automatically maintained on different nodes, at least one of which is ideally geographically independent. That is to say, the fact I see the term "SAN" appearing in the conversation suggests that this was a legacy architecture far more likely to fail. This is in the same way that today's aircraft are far safer than yesterday's and today's electricity grids far more reliable than earlier ones (Sidekick apparently predates Android & iPhone by some years after all). It's hard to say with any real authority what is and what is not cloud computing though, beyond saying that "I know it when I see it, and this ain't it".

Whatever the root cause the result is the same - users who were given no choice but to store their contacts, calendars and other essential day-to-day data on Microsoft's servers look like having irretrievably lost it. Friends, family, acquaintances and loved ones - even (especially?) the boy/girl you met at the bar last night - may be gone for good. People will miss appointments, lose business deals and in the most extreme cases could face extreme hardship as a result (for example, I'm guessing parole officers don't take kindly to missed appointments with no contact!). The cost of this failure will (at least initially) be borne by the users, and yet there was nothing they could have done to prevent it short of choosing another service or manually transcribing their details.

The last hope for them is that Microsoft can somehow reverse the caching process in order to remotely retrieve copies from the devices (which are effectively dumb terminals) before they lose power; good luck with that. While synchronisation is hard to get right, having a single cloud-based "master" and a local cache on the device (as opposed to a full, first-class citizen copy) is a poor design decision. I have an iPhone (actually I have a 1G, 3G, 3GS and an iPod Touch) and they're all synchronised together via two MacBooks and in turn to both a Time Machine backup and Mozy online backup. As if that's not enough all my contacts are in sync with Google Apps' Gmail over the air too so I can take your number and pretty much immediately drop it in a beer without concern for data loss. Even this proprietary system protects me from such failures.

The moral of the story is that externalised risk is a real problem for cloud computing. Most providers [try to] avoid responsibility by way of terms of service that strip away users' rights but it's a difficult problem to solve though because enforcing liability for anything but gross negligence can exclude smaller players from the market. That is why users absolutely must have control over their data and be encouraged if not forced to take responsibility for it.

Open Cloud simply requires open formats and open APIs - that is to say, users must have access to their data in a transparent format. Even if it doesn't make sense to maintain a local copy on the users' computer, there's nothing stopping providers from pushing it to a third party storage service like Amazon S3. In fact it makes a lot of sense for applications to be separated from storage entirely. We don't expect our operating system to provide all the functionality we'll ever need (or indeed, any of it) so we install third party applications which use the operating system to store data. What's to stop us doing the same in the cloud, for example having Google Apps and Zoho both saving back to a common Amazon S3 store which is in turn replicated locally or to another cloud-based service like Rackspace Cloud Files?

In any case perhaps it's time for us to dust off and revisit the Cloud Computing Bill of Rights?

"Bare Metal" cloud infrastructure "compute" services arrive

samj@samj.net (Sam Johnston) — Thu, 08 Oct 2009 17:28:51 PDT

Earlier in the year during the formation of the Open Cloud Computing Interface (OCCI) working group I described three types of cloud infrastructure "compute" services:

Physical Machines ("Bare Metal") which are essentially dedicated servers provisioned on a utility basis (e.g. hourly), whether physically independent or just physically isolated (e.g. blades)
Virtual Machines which nowadays uses hypervisors to split the resources of a physical host amongst various guests, where both the host and each of the guests run a separate operating system instance. For more details on emulation vs virtualisation vs paravirtualisation see a KB article I wrote for Citrix a while back: CTX107587 Virtual Machine Technology Overview
OS Virtualisation (e.g. containers, zones, chroots) which is where a single instance of an operating system provides multiple isolated user-space instances.

While the overwhelming majority of cloud computing discussions today focus on virtual machines, the reason for my making the distinction was so as the resulting API would be capable of dealing with all possibilities. The clouderati are now realising that there's more to life than virtual machines and that the OS is like "a cancer that sucks energy (e.g. resources, cycles), needs constant treatment (e.g. patches, updates, upgrades) and poses significant risk of death (e.g. catastrophic failure) to any application it hosts". That's some good progress - now if only the rest of the commentators would quit referring to virtualisation as private cloud so we can focus on what's important rather than maintaining the status quo.

Anyway such cloud services didn't exist at the time but in France at least we did have providers like Dedibox and Kimsufi who would provision a fixed configuration dedicated server for you pretty much on the spot starting at €20/month (<€0.03/hr or ~$0.04/hr). I figured there was nothing theoretically stopping this being fully automated and exposed via a user (web) or machine (API) interface, in which case it would be indistinguishable from a service delivered via VM (except for a higher level of isolation and performance). Provided you're billing as a utility (that is, users can consume resources as they need them and are billed only for what they use) rather than monthly or annually and taking care of all the details "within" the cloud there's no reason this isn't cloud computing. After all, as an end user I needn't care if you're providing your service using an army of monkeys, so long as you are. PCI compliance anyone?

Virtually all of the cloud infrastructure services people talk about today are based on virtual machines and the market price for a reasonably capable one is $0.10/hr or around $72.00 per month. That's said to be 3-5x more than cost at "cloud scale" (think Amazon) so expect that price to drop as the market matures. Rackspace Cloud are already offering small Xen VMs for 1.5c/hr or ~$10/month. I won't waste any more time talking about these offerings as everyone else already is. This will be a very crowded space thanks in no small part to VMware's introduction of vCloud (which they claim turns any web hoster into a cloud provider) but with the hypervisor well and truly commoditised I assure you there's nothing to see here.

On the lightweight side of the spectrum, VPS providers are a dime a dozen. These guys generally slice Linux servers up into tens if not hundreds of accounts for only a few dollars a month and take care of little more than the (shared) kernel, leaving end users to install the distribution of their choice as root. Solaris has zones and even Windows has MultiWin built in now days (that's the technology, courtesy Citrix, that allows multiple users each having their own GUI session to coexist on the same machine - it's primarily used for Terminal Services & Fast User Switching but applications and services can also run in their own context). This delivers most of the benefits of a virtual machine, only without the overhead and cost of running and managing multiple operating systems side by side. Unfortunately nobody's really doing this yet in cloud but if they were you'd be able to get machines for tasks like mail relaying, spam filtering, DNS, etc. for literally a fraction of a penny per hour (VPSs start at <$5/m or around 0.7c/hr).

So the reason for my writing this post today is that SoftLayer this week announced the availability of "Bare Metal Cloud" starting at $0.15 per hour. I'm not going to give them any props for having done so thanks for their disappointing attempt to trademark the obvious and generic term "bare metal cloud" and due to unattractive hourly rates that are almost four times the price of the monthly packages by the time you take into account data allowances. I will however say that it's good to see this prophecy (however predictable) fulfilled.

I sincerely hope that the attention will continue to move further away from overpriced and inefficient virtual machines and towards more innovative approaches to virtualisation.

Who's lying about the Ulitzer Cloud Security Journal?

samj@samj.net (Sam Johnston) — Sat, 26 Sep 2009 07:26:27 PDT

I've spent the last week jetting about for meetings and CloudCamps but now I'm trawling through the week's news and email it seems I'm not the only one who's been busy. On Wednesday SYS-CON announced the Cloud Security Journal on Reuven Cohen's behalf:

Reuven Cohen Launches Cloud Security Journal on Ulitzer
Providing Insight Into the Cloud Computing Security, Privacy and Related Threats

BY LIZ MCMILLAN

SEPTEMBER 23, 2009 10:45 PM EDT

Reuven Cohen launched today Cloud Security Journal on Ulitzer.

Cloud Security Journal offers dedicated coverage of cloud security & privacy news, practical insights and editorials that give readers a unique virtual perspective of the rapidly evolving area of cloud security, threats and privacy.

Reuven Cohen is Founder & Chief Technologist for Toronto based Enomaly Inc. - leading developer of Cloud Computing products and solutions focused on enterprise businesses.

Enomaly's products include the Enomaly elastic computing platform, an open source cloud platform that enables a scalable enterprise IT and local cloud infrastructure platform. Cohen is a thought leader in the emerging cloud computing industry and maintains a blog at www.elasticvapor.com.

Reuven's notorious for poking a finger in every pie but this development is particularly controversial given the existence of the Cloud Security Alliance and his company, Enomaly's average security track record. He already ruffled feathers by "Introducing the CSA" back in March so it struck me as odd that he should have risked a similar backlash some months later.

Sure enough he vehemently denies any such involvement, adding that "Scraping my RSS I can tolerate, but writing fake PR releases is going to far. Not cool." Now SYS-CON (aka Ulitzer) are not the most reputable source (see Aral Balkan's "My Sys-Con Nightmare" post, among others) but to announce something like this without your victim having any knowledge whatsoever seems a stretch even for them. FWIW Reuven was certainly supportive of the now defunct "Cloud Interoperability Magazine" launch so to try it on again with security would not be unprecedented.

I don't know who's lying about this (clearly someone is) but had this have happened to me I would have immediately instructed them in writing to remove all of my content and references to my name or any of my companies (as I have just done now). If that didn't work a DMCA notice and/or C&D letter would promptly follow. Yet Reuven has not done so. Why? It seems that in return for turning a blind eye to such indiscretions Reuven's company Enomaly is rewarded with over 10,000 mentions on sys-con.com and ulitzer.com (which was recently removed from Google's index, apparently following complaints about spamming and using others' content without permission).

Good on them for finding a free (albeit dodgy) source of free advertising. However by selling out and being "supportive" of Sys-Con/Ulitzer - criticising them on Twitter to save face but otherwise tolerating their antics - Reuven and Enomaly are giving airtime and an unwarranted air of legitimacy to an otherwise untrustworthy organisation. Worse still, inaccurate content from unreliable sources is being actively promoted by way of syndication, press releases and SEO spamming which is damaging to the cloud computing community as a whole.

I therefore urge Reuven Cohen and anyone else who's "feeling a little used and abused" to follow my example an request removal from SYS-CON sites. If that doesn't work then don't hesitate to take further action in the form of DMCA notices and/or C&D letters.

Cloud Computing Crypto: GSM is dead. Long live GSM!

samj@samj.net (Sam Johnston) — Sun, 13 Sep 2009 05:26:07 PDT

GSM, at least in its current form, is dead and the GSMA's attempts to downplay serious vulnerabilities in claiming otherwise reminds me of this rather famous Monty Python sketch about a dead parrot:

Fortunately consumers these days are savvy and have access to information with which to verify (or not) vendors' claims about security. So when they get together and say things like "the researchers still would need to build a complex radio receiver to process the raw radio data" the more cynical of us are able to dig up 18 month old threads like this one which concludes:

So it appears you might be able to construct a GSM sniffer from a USRP board and a bunch of free software, including a Wireshark patch. (It appears that one of the pieces of free software required is called "Linux" or "GNU/Linux", depending on which side of that particular debate you're on :-), i.e. it works by using Linux's tunnel device to stuff packets into a fake network interface on which Wireshark can capture.

Ok so extracting the 1's and 0's from the airwaves and getting them into the most convenient (open source) framework we have for the dissection of live protocols is a problem long since solved. Not only are the schematics publicly available, but devices are commercially available online for around $1,000. One would have assumed that the GSMA should have known this, and presumably they did but found it preferable to turn a blind eye to the inconvenient truth for the purposes of their release.

The real news though is in the cracking of the A5/1 encryption which purports to protect most of us users by keeping the voice channels "secure". Conversely the control information which keeps bad guys from stealing airtime is believed to remain safe for the time being. That is to say that our conversations are exposed while the carriers' billing is secure - an "externalisation" of risk in that the costs are borne by the end users. You can bet that were the billing channels affected then there would have been a scramble to widely deploy a fix overnight rather than this poor attempt at a cover-up.

The attack works by creating a 2Tb rainbow table in advance which allows one to simply look up a secret key rather than having to brute force it. This should be infeasible even for A5/1's 64-bit key but "the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key" and there are other weaknesses that combine to make this possible. A fair bit of work goes into creating the table initially, but this only needs to be done once and you can buy access to the tables as a service as well as the tables themselves for many common hashes (such as those used to protect Windows and Unix passwords - and no doubt GSM soon too!). The calculations themselves can be quite expensive but advances like OpenCL in the recently released Mac OS X (Snow Leopard) can make things a lot better/faster/cheaper by taking advantage of extremely performant graphics processing units (GPUs).

Of course thanks to cloud computing you don't even need to do the work yourself - you can just spin up a handful of instances on a service like Amazon EC2 and save the results onto Amazon S3/Amazon EBS. You can then either leave it there (at a cost of around $300/month for 2Tb storage) and use instances to interrogate the tables via a web service, or download it to a local 2Tb drive (conveniently just hitting the market at ~$300 once off).

Cloud storage providers could make the task even easier with services like public data sets which bring multi-tenancy in the form of de-duplication benefits to common data sets. For example, if Amazon found two or more customers storing the same file they could link the two together and share the costs between all of them (they may well do this today, only if they do they keep the benefit for themselves). In the best case such benefits would be exposed to all users in which case the cost of such "public domain" data would be rapidly driven down towards zero.

Ignoring A5/2 (which gives deliberately weakened protection for countries where encryption is restricted), there's also a downgrade attack possible thanks to A5/0 (which gives no protection) and the tendency for handsets to happily transmit in the clear rather than refusing to transmit at all or at least giving a warning as suggested by the specifications. A man in the middle just needs to be the strongest signal in the area and they can negotiate an unencrypted connection while the user is none the wiser. This is something like how analog phones used to work in that there was no encryption at all and anyone with a radio scanner could trivially eavesdrop on [at least one side of] the conversation. This vulnerability apparently doesn't apply where a 3G signal is available, in which case the man in the middle also needs to block it.

Fortunately there's already a solution in the form of A5/3, only it's apparently not being deployed:

A5/3 is indeed much more secure; not only is it based on the well known (and trusted) Kasumi algorithm, but it was also developed to encrypt more of the communication (including the phone numbers of those connecting together), making it much harder for ne'er-do-wells to work out which call to intercept. A5/3 was developed, at public expense, by the European Telecommunications Standards Institute (ETSI) and is mandated by the 3G standard, though can also be applied to 2.5G technologies including GPRS and EDGE.

That GSMA consider a 2Tb data set in any way a barrier to these attacks is telling about their attitude to security, and to go as far as to compare this to a "20 kilometre high pile of books" is offensively appalling for anyone who knows anything about security. Rainbow tables, cloud computing and advances in PC hardware put this attack well within the budget of individuals (~$1,000), let alone determined business and government funded attackers. Furthermore groups like the GSM Software Project, having realised that "GSM analyzer[s] cost a sh*tload of money for no good reason" are working to "build a GSM analyzer for less than $1000" so as to, among other things, "crack A5 and proof[sic] to the public that GSM is insecure". Then there's the GNU Radio guys who have been funded to produce the software to drive it.

Let's not forget too that, as Steve Gibson observes in his recent Cracking GSM Cellphones podcast with Leo Laporte: "every single cellphone user has a handset which is able to decrypt GSM". It's no wonder then that Apple claim jailbreaking the iPhone supports terrorists and drug dealers, but at about the same price as an iPhone ($700 for the first generation USRP board) it's a wonder why anyone would bother messing with proprietary hardware when they can deal with open hardware AND software in the same price range. What's most distressing though is that this is not news - according to Steve an attack was published some 6 years ago:

There's a precomputation attack. And it was published thoroughly, completely, in 2003. A bunch of researchers laid it all out. They said, here's how we cracked GSM. We can either have - I think they had, like, a time-complexity tradeoff. You'd have to listen to two minutes of GSM cellphone traffic, and then you could crack the key that was used to encrypt this. After two minutes you could crack it in one second. Or if you listen to two seconds of GSM cellphone traffic, then you can crack it in two minutes. So if you have more input data, takes less time; less input data, more time. And they use then tables exactly like we were talking about, basically precomputation tables, the so-called two terabytes that the GSM Alliance was pooh-poohing and saying, well, you know, no one's ever going to be able to produce this.

Fortunately us users can now take matters into our own hands by handling our own encryption given those entrusted with doing it for us have been long since asleep at the wheel. I've got Skype on my MacBook and iPhone for example (tools like 3G Unrestrictor on a jailbroken iPhone allow you to break the digital shackles and use it as a real GSM alternative) and while this has built in encryption (already proving a headache for the authorities) it is, like GSM, proprietary:

Everything about this is worrisome. I mean, from day one, the fact that they were keeping this algorithm, their cipher, a secret, rather than allowing it to be exposed publicly, tells you, I mean, it was like the first thing to worry about. We've talked often about the dangers of relying on security through obscurity. It's not that some obscurity can't also be useful. But relying on the obscurity is something you never want because nothing remains obscure forever.

We all know that open systems are more secure - for example, while SSL/TLS has had its fair share of flaws it can be configured securely and is far better than most proprietary alternatives. That's why I'm most supportive of solutions like (but not necessarily) Phil Zimmerman's Zfone - an open source implementation of the open ZRTP specification (submitted for IETF standardisation). This could do the same for voice as what his ironically named Pretty Good Privacy did for email many years ago (that is - those who do care about their privacy can have it). Unfortunately draft-zimmermann-avt-zrtp expired last week but let's hope it's not the end of the road as something urgently needs to be done about this. Here you can see it successfully encrypting a Google Talk connection (with video!):

Sure there may be some performance and efficiency advantages to be had by adding encryption to compression codecs but I rather like the separation of duties as it's unlikely a team of encryption experts will be good at audio and video compression and vice versa.

Widespread adoption of such standards would also bring us one big step closer to data-only carriers that I predict will destroy the telco industry as we know it some time soon.

Amazon VPC trojan horse finds its mark: Private Cloud

samj@samj.net (Sam Johnston) — Fri, 28 Aug 2009 12:15:13 PDT

Now we've all had a chance to digest the Amazon Virtual Private Cloud announcement and the dust has settled I'm joining the fray with a "scoop of interpretation". Positioned as "a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud" the product is (like Google's Secure Data Connector for App Engine which preceded Amazon VPC by almost 6 months) quite simply a secure connection back to legacy infrastructure from the cloud - nothing more, nothing less. Here's a diagram for those who prefer to visualise (Virtual Private Cloud.svg on Wikimedia Commons):

Notice that "private cloud" (at least in the sense that it is most often [ab]used today) is conspicuously absent. What Amazon and Google are clearly telling customers is that they don't need their own "private cloud". Rather, they can safely extend their existing legacy infrastructure into the [inter]cloud using VPN-like connections and all they need to do to get up and running is install the software provided or configure a new VPN connection (Amazon uses IPsec).

Remember, a VPN is the network you have when you're not having a network - it behaves just like a "private network" only it's virtual. Similarly a VPC is exactly that: a virtual "private cloud" - it behaves like a "private cloud" (in that it has a [virtual] perimeter) but users still get all the benefits of cloud computing - including trading capex for opex and leaving the details to someone else.

Also recall that the origin of the cloud was network diagrams where it was used to denote sections of the infrastructure that were somebody else's concern (e.g. a telco). You just needed to poke your packets in one side and [hopefully] they would reappear at the other (much like the Internet). Cloud computing is like that too - everything within the cloud is somebody else's concern, but if you install your own physical "private cloud" then that no longer holds true.

Of course the "private cloud" parade (unsurprisingly consisting almost entirely of vendors who peddle "private cloud" or their agents, often having some or all of their existing revenue streams under direct threat from cloud computing) were quick to jump on this and claim that Amazon's announcement legitimised "private cloud". Au contraire mes amis - from my [front row] seat the message was exactly the opposite. Rather than "legitimis[ing] private cloud" or "substantiating the value proposition" they completely undermined the "private cloud" position by providing a compelling "public cloud" based alternative. This is the mother of all trojan horses and even the most critical of commentators wheeled it right on in to the town square and paraded it to the world.

Upon hearing the announcement Christofer Hoff immediately claimed that Amazon had "peed on [our] fire hydrant" and Appistry's Sam Charrington chimed in, raising him by claiming they had also "peed in the pool" ([ab]using one of my favourite analogies). Sam went on to say that despite having effectively defined the term Amazon's product was not, in fact, "virtual private cloud" at all, calling into question the level of "logical isolation". Reuven Cohen (another private cloud vendor) was more positive having already talked about it a while back, but his definition of VPC as "a method for partitioning a public computing utility such as EC2 into quarantined virtual infrastructure" is a little off the mark - services like EC2 are quarantined by default but granular in that they don't enforce the "strong perimeter" characteristic of VPCs.

Accordingly I would (provisionally) define Virtual Private Cloud (VPC) as follows:

Virtual Private Cloud (VPC) is any private cloud existing within a shared or public cloud (i.e. the Intercloud).

This is derived from the best definition I could find for "Virtual Private Network (VPN)"

Twitter Pro: Best Buy's @twelpforce is full of [security] fail

samj@samj.net (Sam Johnston) — Sat, 26 Sep 2009 06:18:34 PDT

Update: Enomaly's Lars-Eric Forsberg, "the manager responsible for overseeing projects outside of our product group at Enomaly including Twelpforce" emailed me to let me know that they "have taken steps to address the security issues you outlined in your post". He requested that "[I] give [them] a head's up if [I] do notice any issues like this in the future before posting about it publicly to give [them] an opportunity to rectify the situation", and while it's ironic that I've dealt with Enomaly before, none of the Best Buy sites mentioned their involvement and Twelpforce itself still lacks contact details. While they have enabled SSL there was no mention about third-party services unnecessarily handling corporate credentials (aside from an obscure reference to "other mitigating factors that have been present in the environment from the beginning"), nor what steps were taken to audit or remediate those accounts that may have been compromised while the site was insecure.

As you know I've been paying very close attention to Twitter this week and while trawling through their blog looking for [ab]use of various terms they're trying to trademark I found this little chestnut: BestBuy, Good Stuff. Basically, "BestBuy has created a program they call Twelpforce. The idea is that employees from across the organization can interact quickly and easily with customers who have questions about products". Curious I took a look at @twelpforce and was greeted with this:

Just in case you can't see it from here (or click through to the full size version), the first tweet is:

@SimonTheSnowman this is true, Best Buy will rule the world. via @mikelinsalaco

Here we have 12 year old Simon of Being Freakin' Awesome, Inc. (who can be reached on 1337 and who blogs at http://simonthesnowmanftw.tk/) being reassured by Mikel Insalaco: "I am the infamous Mikel Insalaco, I am kind of a big thing. Muthasuckin Mahogany and leatherbound books". As James Watters would say, the critique here writes iself?

This is in line with Dave Zatz's observations too in suggesting Has Best Buy’s Twelpforce Already Failed? Dave draws attention to this classy twelpforcer tweet (among others): "tweet tweet...im such a homo" - definitely not the sort of thing I'd want associated with my corporate branding, that's for sure.

This, viewers, is what Twitter has in mind for companies (having come clean after TechCrunch aired their dirty laundry in public). They are so excited in fact that "[they]'ve been studying how customers and businesses interact and derive value from Twitter [and] are putting together a document based on our studies and we'll find a spot on our web site to share it with everyone when it's ready". Definitely looking forward to leafing through that when it's available, though I'm guessing there'll have to be some fairly agressive pre-press filtering if this is what the raw feed looks like. Despite appearances I do rather like Twitter and hope they do well - I'm just not convinced this is how they're going to make their millions.

Cutting to the chase, see that third tweet: "@missladii0430 #Twelpforce If you are a Best Buy employee you can sign up here. --> http://tinyurl.com/kp8jwb via @Agent8819". That employee sign up link takes you here: http://bbyconnect.appspot.com/connect/signup/ See the problem yet? The first thing they ask you for is "Please enter your Best Buy employee number and password", followed immediately by your "Best Buy Corporate email address".

What's that? You want my name (Best Buy addresses are firstname.lastname@bestbuy.com), corporate email, employee number and corporate password to be sent over the big bad Internet? To a preview release of a service hosted by someone else? That's ok, it's encrypted, right? WRONG. Never mind, I'll just change "http" to "https". Wrong again. Though Google App Engine supports SSL it's disabled for this application/URL so even though it looks like it works you've just been silently redirected back to the insecure address. Oops.

So here we have Best Buy soliciting corporate credentials with no encryption whatsoever, over the public Internet (including any local, potentially unprotected wireless), to a preview release of a service they have little control over and, it gets better, verifying them in real time! If you enter random details into the form it will tell you instantly (that's right, no tarpitting or other delays) that "Employee number or password is incorrect". Don't have a Best Buy employee number to try? That's ok because they're only a Google search away (along with network configuration information including server names) and there doesn't appear to be anything stopping you from trying as many times as you like either so brute force away.

Normally I'd have reported this via the usual channels but they've not given any contact information whatsoever (except via public Twitter) and besides, it's such a comedy of errors that they're probably better off shutting it down than trying to fix it anyway. What I don't get more than anything else is why they would bother trying to roll their own when there are plenty of perfectly good services like CoTweet and HootSuite that are being used with far better results by the likes of Ford, Coke, Pepsi, JetBlue, Sprint and StarBucks.

Crystal ball: Data-only carriers to destroy the telco industry RSN

samj@samj.net (Sam Johnston) — Sat, 22 Aug 2009 16:24:33 PDT

This is one of those random thoughts that fits in a tweet but deserves a little more explanation. Like most I currently pay around €100 a month for a mobile package that includes some texts, airtime (2+2 hours on and off peak), some data and usually some useless gimmicks (free calls at certain times or to certain phones, etc.). This of course makes it truly impossible to compare apples to apples and I almost feel like choosing the right plan should be a profession (I'm sure there must be businesses that do this for a living).

Under the covers though it's all just 1's and 0's and it's been that way for a while - Australia turned off it's analog mobile network (AMPS) while I was still there and like here in Europe uses the Global Standard for Mobiles (GSM). This shares the limited airwaves with timeslices (TDMA) and over in the US they do a similar thing with code (CDMA), probably because TDMA has timing problems when you get out to tens of kilometers (irrespective of the strength of the signal) and the US has a lot of land to cover. Point is that under the covers it's all data. Of course things have changed a bit since I was helping design Australia's first digital mobile network - now we've got 3G, LTE, WiFi, WiMax, etc. to play with too.

Traditional telephony was what we call "circuit switched", which means it was about creating a dedicated connection between two endpoints. First these were hardwired, then switched manually by operators, then clicks on the line would operate mechanical switches at the exchange, more recently tones (DTMF) would tell chips what to do and nowdays connections are set up out-of-band over data connections. But it all still revolves around circuits, even though these days we're not tying up a pair of copper for the duration of the call, rather sending as much data as we need to when we need it (silence often uses little or no bandwidth but then we have to simulate background noise at the other end so as not to confuse the human).

That is to say it's time we stopped thinking about circuits which tend to be billed by time (after all, the resource could not be shared when you were using it) and start thinking about data (which is typically billed by quantity transferred or bandwidth available). In other words we are paying (generally more) for our communications because of technological limitations that have long since been removed. Even Skype go to great lengths to identify which country you are calling from so as to impose the legacy billing system we are used to (so many cents per minute depending on the country) rather than take advantage of what the Internet has to offer in terms of being unaffected by geography.

Then there's texts which are an even bigger rort. These were basically an afterthought which are sent out-of-band over the relatively limited control channel - the one that's used to set up calls and so on (that's why they take a while to send and why you can jam a phone by sending/receiving too many). Knowing that everything is 1's and 0's anyway, did you ever stop to think about how many texts a minute of voice is worth (even using strong compression)? It's a *lot* but let's work it out. Full rate GSM consumes 13Kbps or just shy of 100,000 8-bit characters per minute assuming my maths are correct. Each SMS is 140 8-bit (or 160 7-bit) characters or around 700 texts per minute. In Australia those texts cost $0.25 each so we're paying $175.00 a minute to consume the bandwidth as texts when we'd pay around $0.50 to consume it as voice. You can see why they love them now, can't you!

The telcos have been on the gravy train for long enough at our expense and it's long since been time for the next generation of carrier to take over. There's a massive opportunity here for someone to enter the market with a data-only service and in doing so destroy the existing industry literally overnight. We've already got devices (iPhones, Android) that are more than capable of doing everything we need over data, but which are being deliberately crippled by hardware and software vendors in order to protect the legacy carriers. That's not to say that Apple and Google are to blame for contracts they are almost certainly forced into by the likes of AT&T, but seeing Google taking the high road while having to concede that "individual operators can request that certain applications be filtered if they violate their terms of service" is disappointing.

Why can't we have Google Voice on the iPhone? Or use Skype over 3G (without jailbreaking and installing 3G Unrestrictor)? Or open source/open standard SIP telephony for that matter? Why are we sending texts when we have instant messaging? Or dialing in to retrieve voicemails that could just as easily be translated and/or emailed? Why are we paying for silence on the line when we should be paying for bandwidth and/or quantity of data? Why do we pay for minutes at all?

The telcos will tell you it's to protect their networks, and ultimately to protect you, no doubt from the evils of illegal filesharing, terroristing and child pornography. There's an element of truth to this (it only takes a few greedy customers to ruin it for the rest and as always 10% of the users use 90% of the traffic), ut there are simple, effective solutions for this too. People will pay more for a premium/priority service and at the end of the day you can always reign in abusers with packet shaping. The fairest mechanism I can think of comes in the form of a logarithmic bandwidth policy whereby the more you use the slower you go, but the point is that there are solutions so this is pure FUD. My "unlimited" data connection was just throttled from 3G+ to 3G speeds at 800Mb and again at 1000 Mb (so much for unlimited), but I'd happily pay more for a more "unlimited" service if it meant I could say goodbye to minutes and texts forever.

It will happen - it's just a case of when (and where first). Australia's regularly used as a test market and capped ($99 all you can talk) style plans took over by storm a few years ago, so let's just help an existing innovative carrier like 3 or a new one altogether teach the incumbents a lesson, with any luck by the time I get back there.

Twitter Retries Registering Retweet

samj@samj.net (Sam Johnston) — Fri, 21 Aug 2009 09:33:09 PDT

Hopefully you're not sick of hearing about Twitter, Inc's trademark woes (and yet another alliteration) because yes, they've been at it again.

Conceding that the USPTO has successfully torpedoed their trademark on "tweet" but otherwise undeterred they've just tried to lay claim to the more specific term "retweet" (#77804841). While admittedly more distinctive (and therefore less problematic from a legal point of view), let's not forget that they recently came under fire from developers for unjustly suspending retweet.com's @retweet account, having announced plans for an official retweet function of their own (more on Project Retweet at Mashable).

This functionality could well prove as important for microblogging as Google's PageRank did for Internet search and it's definitely not the sort of thing we want to have locked up with a single provider. The idea is that it provides a way to value a user's contribution based on how many people (and who) retweet a user's tweets (a TweetRank, for want of a better name).

So what's the problem with Twitter, Inc registering "retweet" as a trademark? It's not theirs to register, that's what. That's right, the "gesture and syntax of retweet was invented by users" and even Twitter's own web interface still lacks the very functionality they are trying to take control of (and will for weeks to come no less). The retweet "micro-convention" has been meticulously documented and extensively discussed by active twitterers (twits?) who have gone so far as to write an essay on retweeting etiquette. Nothing I have seen anywhere credits Twitter with the invention of the retweet (which according to Google Trends took off at the start of this year) and in my opinion asking the authorities to remove this term from the public lexicon is nothing short of highway robbery.

It's no secret they didn't come up with the idea either. Shooting themselves in the foot once again, Twitter's help pages (archived for posterity) define retweeting as follows (emphasis mine):

What does RT, or retweet mean?
RT is short for retweet, and indicates a re-posting of someone else's tweet. This isn't an official Twitter command or feature, but people add RT somewhere in a tweet to indicate that part of their tweet includes something they're re-posting from another person's tweet, sometimes with a comment of their own.Check out this great article on re-tweeting, written by a fellow Twitter user, @ruhanirabin.

So there you have it, even Twitter admit the idea isn't theirs, defining it as a verb (another sure fire way to destroy a trademark) and then referring to a user article for more information. Of course that won't stop them claiming it as their own now with a view to preventing competitors from delivering it themselves.

To put things in perspective that's about as reasonable as Google claiming ownership of our ideas because they're in their index.

Unfortunately though I have a sneaking suspicion that Twitter will get away with it this time unless we stand our ground now. ReTweet.com are in a particularly good position to prevent this from happening (they already claim trademark status over the word):

TRADEMARK INFORMATION
Retweet.com, the Retweet.com logo and other Mesiab Labs trademarks including service marks, and product and service names are Mesiab Labs trademarks or registered trademarks in the United States and in other countries (the "Mesiab Labs Marks"). All other names and designs may be trademarks of their respective owners. Users may display or use the Retweet.com and Mesiab Labs Marks only in accordance with Mesiab Labs Trademark Use Guidelines.

Here's hoping they (or one of the many other retweet sites) file an opposition to the trademark when the appropriate time comes.

"Twitter" Trademark in Trouble Too

samj@samj.net (Sam Johnston) — Thu, 20 Aug 2009 14:07:42 PDT

Yesterday I apparently struck a nerve in revealing Twitter's "Tweet" Trademark Torpedoed. The follow up commentary both on this blog and on Twitter itself was interesting and insightful, revealing that in addition to likely losing "tweet" (assuming you accept that it was ever theirs to lose) the recently registered Twitter trademark itself (#77166246) and pending registrations for the Twitter logo (#77721757, #77721751) are also on very shaky ground.

Trademarks 101

Before we get into details as to how this could happen lt's start with some background. A trademark is one of three main types of intellectual property (the others being copyrights and patents) in which society grants a monopoly over a "source identifier" (e.g. a word, logo, scent, etc.) in return for being given some guarantee of quality (e.g. I know what I'm getting when I buy a bottle of black liquid bearing the Coke® branding). Anybody can claim to have a trademark but generally they are registered which makes the process of enforcing the mark much easier. The registration process itself is thus more of a sanity check - making sure everything is in order, fees are paid, the mark is not obviously broken (that is, unable to function as a source identifier) and perhaps most importantly, that it doesn't clash with other marks already issued.

Trademarks are also jurisdictional in that they apply to a given territory (typically a country but also US states) but to make things easier it's possible to use the Madrid Protocol to extend a valid trademark in one territory to any number of others (including the EU which is known as a "Community Trademark"). Of course if the first trademark fails (within a certain period of time) then those dependent on it are also jeopardised. Twitter have also filed applications using this process.

Moving right along, there are a number of different types of trademarks, starting with the strongest and working back:

Fanciful marks are created specifically to be trademarks (e.g. Kodak) - these are the strongest of all marks.
Arbitrary marks have a meaning but not in the context in which they are used as a trademark. We all know what an apple is but when used in the context of computers it is meaningless (which is how Apple Computer is protected, though they did get in trouble when they started selling music and encroached on another trademark in the process). Similarly, you can't trademark "yellow bananas" but you'd probably get away with "blue bananas" or "cool bananas" because they don't exist.
Suggestive marks hint at some quality or characteristic without describing the product (e.g. Coppertone for sun-tan lotion)
Descriptive marks describe some quality or characteristic of the product and are unregistrable in most trademark offices and unprotectable in most courts. "Cloud computing" was found to be both generic and descriptive by USPTO last year in denying Dell. Twitter is likely considered a descriptive trademark (but one could argue it's now also generic).
Generic marks cannot be protected as the name of a product or service cannot function as a source identifier (e.g. Apple in the context of fruits, but not in the context of computers and music)

Twitter
Twitter's off to a bad start already in their selection of names - while Google is a deliberate misspelling of the word googol (suggesting the enormous number of items indexed), the English word twitter has a well established meaning that relates directly to the service Twitter, Inc. provides. It's the best part of 1,000 years old too, derived around 1325–75 from ME twiteren (v.); akin to G zwitschern:

- verb (used without object)

1. to utter a succession of small, tremulous sounds, as a bird.
2. to talk lightly and rapidly, esp. of trivial matters; chatter.
3. to titter, giggle.
4. to tremble with excitement or the like; be in a flutter.
- verb (used with object)

5. to express or utter by twittering.
- noun

6. an act of twittering.
7. a twittering sound.
8. a state of tremulous excitement.

Although the primary meaning people associate these days is that of a bird, it cannot be denied that "twitter" also means "to talk lightly and rapidly, esp. of trivial matters; chatter". The fact it is now done over the Internet matters not in the same way that one can "talk" or "chat" over it (and telephones for that matter) despite the technology not existing when the words were conceived. Had "twitter" have tried to obtain a monopoly over a more common words like "chatter" and "chat" there'd have been hell to pay, but that's not to say they should get away with it now.

Let's leave the definition at that for now as twitter have managed to secure registration of their trademark (which does not imply that it is enforceable). The point is that this is the weakest type of trademark already and some (including myself) would argue that it a) should never have been allowed and b) will be impossible to enforce. To make matters worse, Twitter itself has gained an entry in the dictionary as both a noun ("a website where people can post short messages about their current activities") and a verb ("to write short messages on the Twitter website") as well as the AP Sytlebook for good measure. This could constitute "academic credability" or "trademark kryptonite" depending how you look at it.

Enforcement

This brings us to the more pertinent point, trademark enforcement, which can essentially be summed up as "use it or lose it". As at today I have not been able to find any reference whatsoever, anywhere on twitter.com, to any trademark rights claimed by Twitter, Inc. Sure they assert copyright ("© 2009 Twitter") but that's something different altogether - I have never seen this before and to be honest I can't believe my eyes. I expect they will fix this promptly in the wake of this post by sprinking disclaimers and [registered®] trademark (TM) and servicemark (SM) symbols everywhere, but the Internet Archive never lies so once again it's likely too little too late. If you don't tell someone it's a trademark then how are they supposed to avoid infringing it?

Terms of Service

The single reference to trademarks (but not "twitter" specifically) I found was in the terms of service (which are commendably concise):

We reserve the right to reclaim usernames on behalf of businesses or individuals that hold legal claim or trademark on those usernames.

That of course didn't stop them suspending @retweet shortly after filing for the ill-fated "tweet" trademark themselves, but that's another matter altogether. The important point is that they don't claim trademark rights and so far as I can tell, never have.

Logo

To rub salt in the (gaping) wound they (wait for it, are you sitting down?) offer their high resolution logos for anyone to use with no mention whatsoever as to how they should and shouldn't be used ("Download our logos") - a huge no-no for trademarks which must be associated with some form of quality control. Again there is no trademark claim, no ™ or ® symbols, and for the convenience of invited infringers, no less than three different high quality source formats (PNG, Adobe Illustrator and Adobe Photoshop):

Advertising

Then there's the advertising, oh the advertising. Apparently Twitter HQ didn't get the memo about exercising extreme caution when using your trademark; lest be the trademark holder who refers to her product or service as a noun or a verb but Twitter does both, even in 3rd-party advertisements (good luck trying to get an AdWords ad containing the word "Google"):

Internal Misuse

Somebody from Adobe or Google please explain to Twitter why it's important to educate users that they don't "google" or "photoshop", rather "search using Google®" and "edit using Photoshop®". Here's some more gems from the help section:

Now that you're twittering, find new friends or follow people you already know to get their twitter updates too.
Wondering who sends tweets from your area?
@username + message directs a twitter at another person, and causes your twitter to save in their "replies" tab.
FAV username marks a person's last twitter as a favorite.
People write short updates, often called "tweets" of 140 characters or fewer.
Tweets with @username elsewhere in the tweet are also collected in your sidebar tab; tweets starting with @username are replies, and tweets with @username elsewhere are considered mentions.
Can I edit a tweet once I post it?
What does RT, or retweet, mean? RT is short for retweet, and indicates a re-posting of someone else's tweet. This isn't an official Twitter command or feature, but people add RT somewhere in a tweet to indicate that part of their tweet includes something they're re-posting from another person's tweet, sometimes with a comment of their own. Check out this great article on re-tweeting, written by a fellow Twitter user, @ruhanirabin. <- FAIL x 7

Domains

According to this domain search there are currently 6,263 domains using the word "twitter", almost all in connection with microblogging. To put that number in perspective, if Twitter wanted to take action against these registrants given current UDRP rates for a single panelist we're talking $9,394,500 in filing fees alone (or around 1.5 billion nigerian naira if that's not illustrative enough for you). That's not including the cost of preparing the filings, representation, etc. that their lawyers (Fenwick & West LLP) would likely charge them.

If you (like Doug Champigny) happen to be on the receiving end of one of these letters recently you might just want to politely but firmly point them at the UDRP and have them prove, among other things, that you were acting in bad faith (don't bother coming crying to me if they do though - this post is just one guy's opinion and IANAL remember ;).

I could go on but I think you get the picture - Twitter has done such a poor job of protecting the Twitter trademark that they run the risk of losing it forever and becoming a lawschool textbook example of what not to do. There are already literally thousands of products and services [ab]using their brand and while some have recently succombed to the recent batch legal threats they may well have more trouble now that people know their rights and the problem is being actively discussed. Furthermore, were it not for being extremely permissive with the Twitter brand from the outset they arguably would not have had anywhere near as large a following as they do now. It is only with the dedicated support of the users and developers they are actively attacking that they have got as far as they have.

The Problem: A Microblogging Monopoly

Initially it was my position that Twitter had built their brand and deserved to keep it, but that they had gone too far with "tweet". Then in the process of writing this story I re-read the now infamous May The Tweets Be With You post that prompted the USPTO to reject their application hours later and it changed my mind too. Most of the media coverage took the money quote out of context but here it is in its entirity (emphasis mine):

We have applied to trademark Tweet because it is clearly attached to Twitter from a brand perspective but we have no intention of "going after" the wonderful applications and services that use the word in their name when associated with Twitter.

Do you see what's happening here? I can't believe I missed it on the first pass. Twitter are happy for you to tweet to your heart's content provided you use their service. That is, they realised that outside of the network effects of having millions of users all they really do is push 1's and 0's around (and poorly at that). They go on to say:

However, if we come across a confusing or damaging project, the recourse to act responsibly to protect both users and our brand is important.

Today's batch of microblogging clients are hard wired to Twitter's servers and as a result (or vice versa) they have an effective microblogging monopoly. Twitter, Inc has every reason to be happy with that outcome and is naturally seeking to protect it - how better than to have an officially sanctioned method with which to beat anyone who dare stray from the path by allowing connections to competitors like identi.ca? That's exactly what they mean with the "when associated with Twitter" language above and by "confusing or damaging" they no doubt mean "confusing or damaging [to Twitter, Inc]".

The Solution: Distributed Social Networking

Distributed social networking and open standards in general (in the traditional rather than Microsoft sense) are set to change that, but not if the language society uses (and has used for hundreds of years) is granted under an official monopoly to Twitter, Inc - it's bad enough that they effectively own the @ namespace when there are existing open standards for it. Just imagine if email was a centralised system and everything went through one [unreliable] service - brings a new meaning to "email is down"! Well that's Twitter's [now not so] secret strategy: to be the "pulse of the planet" (their words, not mine).

Don't get me wrong - I think Twitter's great and will continue to twitter and tweet as @samj so long as it's the best microblogging platform around - but I don't want to be forced to use it because it's the only one there is. Twitter, Inc had ample chance to secure "twitter" as a trademark and so far as I am concerned they have long since missed it (despite securing dubious and likely unenforceable registrations). Now they need to play on a level playing field and focus on being the best service there is.

Update: Before I get falsely accused of brand piracy let me clarify one important point: so far as I am concerned while Twitter can do what they like with their logo (despite continuing to give it away to the entire Internet no strings attached), the words "twitter" and "tweet" are fair game as they have been for the last 700+ years and will be for the next 700. From now on "twitter" for me means "generic microblog" and "tweet" means "microblog update".

If I had a product interesting enough for Twitter, Inc to send me one of their infamous C&D letters I would waste no time whatsoever in scanning it, posting it here and making fun of them for it. I'm no thief but I am a fervent believer in open standards.

Twitter's "Tweet" Trademark Torpedoed

samj@samj.net (Sam Johnston) — Wed, 19 Aug 2009 16:33:34 PDT

Last month Twitter founder Biz Stone announced in a blog post (May The Tweets Be With You) that they "have applied to trademark Tweet because it is clearly attached to Twitter from a brand perspective". This understandably caused widespread upset as the word "tweet" has been used generically by users for some time as well as in any number of product names by independent software vendors. Here's some samples from the resulting media storm:

What they failed to mention though was that according to USPTO records (#77715815) not only had they actually applied some months before (on 16 April 2009) but that their application had been refused that very same day (1 July 2009).

According to documents from the Trademark Document Retrieval system, their lawyers (Fenwick & West LLP) were notified of the rejection by email to trademarks@fenwick.com that day. The USPTO had explained that "marks in prior-filed pending applications may present a bar to registration of applicant’s mark. [...] If the marks in the referenced applications register, applicant’s mark may be refused registration under Trademark Act Section 2(d) because of a likelihood of confusion between the two marks", referencing and attaching not one, not two but three separate trademark applications:

#77695071 for TWEETMARKS (pending receipt of Statement of Use)
#77697186 for COTWEET (pending clarification)
#77701645 for TWEETPHOTO (pending transfer to Supplemental Register)

Now I may not be a lawyer (I did play a role in overturning Dell's "cloud computing" and Psion's "Netbook" trademarks) but given all three of the marks identified look like proceeding to registration (it only takes one to rain on their parade), it's my non-expert opinion that Twitter has a snowflake's chance in hell of securing a monopoly over the word "Tweet".

That's too bad for Twitter but it's great news for the rest of the community as it's one less tool for locking in Twitter's rapidly growing microblogging monopoly. People do use the word "tweet" generically (including with non-Twitter services) and if Twitter, Inc. were successful in removing it from the public lexicon then we could all suffer in the long run.

In any case it is neither serious nor safe for one company to become the "pulse of the planet" and that is why I will be following up with a series of posts as to how distributed social networking can be made a reality through open standards (if that stuff is of interest to you then subscribe and/or follow me for updates). I've also got some interesting things in the pipeline in relation to standards and trademarks in general so watch this space.

Anyway it just goes to show that with trademarks you need to "use it or lose it". The "propagation delay" of the media has dropped from months at the outset to near real-time today so companies need to move fast to protect their marks or lose them forever. As for whether the 1 July post was a scramble to protect the mark on receipt of the USPTO's denial, whether the USPTO was acting in response to it, or whether it was just a coincidence and particularly bad timing I don't know. I don't really care either as the result is the same, but I would like to believe that the USPTO is becoming more responsive to the needs of the community (after all, they revoked Dell's cloud computing trademark in the days following the uproar, despite having already issued a "Notice of Allowance" offering it to them).

Update: It turn out that USPTO most likely acted in response to Twitter's 10:37am blog post as (after months without action) they conducted an XSearch at 8:30pm and sent the rejection notice at 9:00pm. I'd chalk that up as a FAIL for Twitter and a WIN for the USPTO.

Update: See also: The Inquisitr: No Tweet trademark for Twitter, complete with the hilarious graphic at the top (used without permission but with thanks to the creative genius at The Inquisitr).

Update: See also: CNET News: Not so fast, Twitter: 'Tweet' isn't yours, which is a good, balanced, albeit unsourced article.

An obituary for Infrastructure as a Product (IaaP)

samj@samj.net (Sam Johnston) — Mon, 13 Jul 2009 04:26:48 PDT

There's been an interesting discussion in the Cloud Computing Use Cases group this week following a few people airing grievances about the increasingly problematic term "private cloud". I thought it would be useful to share my response with you, in which I explain where cloud came from and why it is inappropriate to associate the term "cloud computing" with most (if not all) of the hardware products on the market today.

All is not lost however - where on-site hardware is deployed (and maintained by the provider) in the process of providing a service then the term "cloud computing" may be appropriate. That said, most of what we see in the space today is little more than the evolution of virtualisation, and ultimately box pushing.

Without further ado:

On Sat, Jul 11, 2009 at 2:35 PM, Khürt Williams <khurtwilliams@gmail.com> wrote:

I am not sure I even under what private cloud means given that the
Cloud term was meant to refer to how the public Internet was
represented on network diagrams. If it is inside my firewall then how
is it "Cloud"?

Amen. The evolution of virtualisation is NOT cloud computing.

A few decades ago network diagrams necessarily contained every node and link because that was the only way to form a connected graph. Then telcos took over the middle part of it and consumers used a cloud symbol to denote anything they didn't [need to] care about... they just stuff a packet in one part of the cloud and it would magically appear [most of the time] out of another. Another way of looking at it (in light of the considerable complexity and cost) is "Here be dragons" - same applies today as managing infrastructure is both complex and costly.

Cloud computing is just that same cloud getting bigger, ultimately swallowing the servers and leaving only [part of] the clients on the outside (although with VDI nothing is sacred). Consumers now have the ability to consume computing resources on a utility basis, as they do electricity (you just pay for the connection and then use what you want). Clearly this is going to happen, and probably quicker than you might expect - I admit to being surprised when one of my first cloud consulting clients, Valeo, chose Google Apps for 30,000 users over legacy solutions back in 2007. Early adopters, as usual, will need to manage risk but will be rewarded with significant cost and agility advantages, as well as immunised to an extent against "digital native" competitors.

You can be sure that when Thomas Edison rocked up 125 years or so ago with his electricity grid there were discussions very similar to those that are going on today. With generators ("Electricity as a Product") you have to buy them, install them, fuel them, maintain them and ultimately replace them, which sustained a booming industry at the time. We all know how those conversations ended... Eastman Kodak is the only company I know of today still running their own coal fired power station (though we still use generators for remote sites and backup - this will likely also be the case with cloud). Everyone else consumes "Electricity as a Service", paying a relatively insignificant connection fee and then consuming what they need by the kilowatt hour.

What we have today is effectively "Infrastructure as a Product" and what we'll have tomorrow is "Infrastructure as a Service" (though I prefer the term "Intrastructure Services" and expect it to be "infrastructure" again once we've been successful and there is no longer any point in differentiating).

Now if legacy vendors work out how to deliver products as services (for example, by using financing to translate capex into opex and providing a full maintenance and support service) then they may have some claim to the "cloud" moniker, but that's not what I'm seeing today. Most of the "private cloud" offerings are about hardware, software and services (as was the case in the mainframe era) rather than true utility (per hour) basis. Good luck competing with the likes of Google and Amazon while carrying the on-site handicap - I'm expecting the TCO of "private cloud" setups to average an order of magnitude or so more than their "public" counterparts (that is, $1/hr ala network.com rather than $0.10/hr ala Amazon EC2), irrespective of what McKinsey et al have to say on the subject.

In the context of the use cases, sure on-premises or "internal" cloud rates a mention but the "public/private" nomenclature is problematic for more reasons than I care to list. I personally call it "I can't believe it's not cloud", but that's not to say I leave it out of proof of concepts and pilots... I'm just careful about managing expectations. Ultimately the user and machine interfaces should be the demarcation point for such offerings and everything on the supplier side (including upfront expense) should be of no concern whatsoever to the user. I consider utility billing and the absence of capex to be absolute requirements for cloud computing and feel this ought to be addressed in any such document - suppliers might, for example, offer the complete solution at $1/hr with a minimum of 150 concurrent instance minimum (~= $100k/month).

Oh and if large enterprises want to try their hands at competing with the likes of Google and Amazon by building their own next generation datacenters then that's fine by me, though I equate it to wanting to build your own coal-fired power station when you should be focusing on making widgets (and it should in any case be done in an isolated company/business unit). I imagine it won't be long before shareholders will be able to string up directors for running their own infrastructure, as would be the case if they lost money over an extended outage at their own coal-fired power station when the grid was available.

Sam

NewsFlash: Trend Micro trademarks the Intercloud™

samj@samj.net (Sam Johnston) — Mon, 06 Jul 2009 08:01:07 PDT

Don't worry if you've never heard of TrendMicro's InterCloud Security Service product when it was announced as a beta back on 25 September 2006 (for general availability in 2007):

I hadn't either until I researched my recent Intercloud post and wrote the Intercloud Wikipedia article (having created the cloud computing Wikipedia article around this time last year). The Intercloud, in case you were wondering, is a global "cloud of clouds" built on top of the Internet, a global "network of networks" - even if nothing else it's a useful term for those of us working on cloud computing interoperability (see: An open letter to the community regarding "Open Cloud").

Being the cynical type I thought it prudent to check the US Patent & Trademark Office (USPTO) databases and surprise, surprise, Trend Micro have pending trademark application #77018125 on the term "INTERCLOUD" in international classes 9 (hardware), 42 (software) and 45 (services). If your company, like mine, is a provider of cloud computing products and services then now's the time to sit up and pay attention as this word will almost certainly become part of your every day vocabulary before too long (as is already the case for companies like Cisco)... much to the chagrin of those who consider it, along with cloud computing in general, just another buzzword rather than the life changing paradigm shift it is.

Just like Dell's misguided attempt to secure a monopoly over the term "cloud computing" which I uncovered last year (see also: InformationWeek: Dell Seeks, May Receive 'Cloud Computing' Trademark), this application has proceeded to the Notice of Allowance phase which essentially means that it is theirs for the taking... all they need to do now is file a Statement of Use within the coming month (or ask for another 6 month extension like the one they were granted in January of this year... strange for a product that appears all but abandoned ala the infamous Psion Netbook - see: The Register: Blogger fights Psion's claim to 'netbook' name).

Unless we manage to make enough noise to convince the USPTO to have a change in heart (as was the case following the uproar over Dell's attempt on "cloud computing" - see: Dell Denied: 'Cloud Computing' both desciptive and generic), or convince TrendMicro do the RightThing™ and put it out of its misery (which seems unlikely as Trend Micro, like most vendors, are getting into cloud cloud computing in a big way - see: Trend Micro Bets Company Future on Cloud Computing Offering), they will likely succeed in removing this word from the public lexicon for their own exclusive use.

If, like me, you don't like that idea either then speak up now or forever hold your peace as unlike patents, trademarks don't expire so long as they're in continuous use.

A disturbing taste of the "Digital Wild West"

samj@samj.net (Sam Johnston) — Sat, 29 Aug 2009 22:56:12 PDT

Dodgy dealings happen all the time but it's not often you get to see it boiling over into the public arena as we have today. I saw in my newsfeed this morning that GrokLaw had picked up on (Darl, Norris, Bryan Cave Named as Defendants in IP Litigation - The Pelican Brief) a Courthouse News article (Ex-Partner Accused of AIP Trade Secret Theft) about a recently filed complaint by Pelican Equity, LLC against Talos Partners, Darl McBride (of SCO Group fame), Robert V. Brazell (of Overstock.com fame), Stephen L. Norris, Rama Ramachandran and lawfirm Bryan Cave LLP.

It claims a conspiracy to "steal AIP's proprietary stock loan product" (EQUITAP™, [which] helps investors achieve their financial goals by structuring non-recourse loans using the securities in their portfolio as collateral) and "virtually API's entire business from API and its founder, Mark Robbins" (Pelican claim to own the relevant rights). It then goes on to explain the whole sorry story of a techie (Robbins) investing four years and apparently all of his money into development of a product, being approached by seasoned businessmen (Brazell and McBride) as potential partners, the subsequent formation of a new business (Talos) and theft of everything from AIP's products to website to employees (Ramachandran) with the help of AIP's own lawyers (Bryan Cave LLP) who ultimately blew the whistle with an "astonishing" conflict of interest waiver.

The truly mindblowing part of the whole story though is the Skyline Cowboy site they claim is run by McBride and Brazell: "Finally, in a heinous effort to obliterate AIP's business and deflect their misdeeds [they] have over approximately the last 60 days littered the Internet with scurrilous postings on www.skylinecowboy.com, a website they used primarily for that purpose, and on Yahoo, Twitter and other message boards."

If that's true it's like coming back to stab the guy in the carpark after you've robbed him of everything he owns. Not only have they posted a video of the guy's wife being served what they claim is a $109,627 check fraud judgment following a $1,000 bounty as well as a $20,000 reward for arrest and $1,000,000 reward for "full restitution" (save that both appear to be impossible - and likely a result of the claimed highway robbery), but now they've offered $30,000 for the true identity of GrokLaw's Pamela Jones (PJ) who they claim is a "Secret IBM Shill Blogger". Let's not be too quick to forget the relationship to SCO Group and their apparently Microsoft funded attacks on IBM, Novell and Linux in general.

Anyway you can see the juicy details for yourself in the filings and if you're a GrokLaw member, the article and associated discussion (the article has since been updated "Now that I've read it, I've made the article Members Only for now." and unfortunately "creation of new accounts has been temporarily disabled"). I have but one question: Who the %!#$ do these cowboys think they are? It's amazing to think that our society routinely jails people for petty theft while leaving [what appear to be] career conmen free to enrich themselves at others' expense. Anyway at least Bernie Madoff got his comeuppance... you've heard my opinion - what's yours?

Update: An anonymous commenter just stated that they "know for a fact" that Rob Brazell went to Skyline High School. Sure enough a Google search for skyline and salt lake city (where all the action is) brings the school up first (so the origin of the name fits) and another for brazell and skyline high school returns over 100 results (so some members of the Brazell family(s) went there). If that's true then it seems the lawsuit is "on the money" (so to speak).

Gartner: VMware the next Novell? Cloud to save the world?

samj@samj.net (Sam Johnston) — Wed, 01 Jul 2009 20:48:53 PDT

There's been two more-interesting-than-usual posts over at the Gartner blogs today:

Just a Thought; Will VMware become the next Novell?

"VMware owns the market, well above 90%, and continues to come out with more and more innovative products. VMware has a loyal following of customers who see no reason to change direction – after all, the product works, the vision is sound, and the future is clear. But lurking in the background is this little thing called hyper-V; not as robust, or as tested as VMware, with almost no install base, and certainly not ready for prime time in most peoples minds. However, it will be an integral part of Windows 7, Windows Server 2008 and Windows Server 7 in 2010."

And here's my response:

Thanks for an insightful post - I definitely think you’re onto something here, and it’s not the first time I’ve said it either.

The thing is that the hypervisor is already commoditised. Worse, it’s free and there are various open source alternatives like Sun’s VirtualBox (which just released another major version yesterday). Then you’ve got Xen, KVM, etc. competing directly as well as physical hardware management tools coming down from above and containers/VPS’s eroding share from below. VMs may be all the rage today but the OS is overhead so there’s cloud platforms to think about too…

VMware’s main advantage is having a serious solution today which it can roll out to the large base of enterprise clients they have developed over the last decade. You can bet they’re busy making hay while the sun’s shining as it won’t be long before people realise they’re not the only show in town.

As you say it’s their market to keep, but I’m sure our enterprise clients will be happy to have a thriving competitive marketplace.

And the second:

The Cloud Will Save The World

"So, how does this all add up to the Cloud saving the world? My (admittedly clumsy) interpretation of Tainter is that as the world grows more complex, the only chance we have to head off the disintegration of modern society under the weight of complexity comes through technological leaps in the form of disruptive innovation. The hype around the Cloud provides some justification for the idea that it is disruptive. Yefim Natis and I (mostly Yefim) developed a research note in June that describes what we see as the Killer App - Application Platform-as-a-Service (APaaS) - on the horizon that will result in accelerated disruption."

And my response:

Cloud computing is set to change the world at least as much as the Internet on which it is based did a few decades ago. Things we never would have imagined possible already are, and we’re just getting started.

That said, proponents of the precautionary principle will be fast to ask whether “disruptive innovation” is in fact “destructive innovation” and whether “accelerated disruption” is in fact “accelerated destruction”.

With accelerating change comes a raft of new risks - I for one would rather live in blissful ignorance than be interrupted by the discovery that the Large Hadron Collider was in fact capable of creating creating a black hole.

I, for one, welcome our new cloud computing overlords... now if only I had a spare $25k to sign up for the 9-week Graduate Student Program at the Singularity University which is "Preparing Humanity For Accelerating Technological Change".

Organising the Internet with Web Categories

samj@samj.net (Sam Johnston) — Wed, 01 Jul 2009 20:09:08 PDT

In order to scratch an itch relating to the Open Cloud Computing Interface (OCCI) I submitted my first Internet-Draft to the IETF this week: Web Categories (draft-johnston-http-category-header).

The idea's fairly simple and largely inspired by the work of others (most notably the original HTTP and Atom authors, and a guy down under who's working on another draft). It defines an intuitive mechanism for web servers to express flexible category information for any resource (including opaque/binary/non-HyperText formats) in the HTTP headers, allowing users to categorise web resources into vocabularies or "schemes" and assign human-friendly "labels" in addition to the computer-friendly "terms".

This approach to taxonomies was lifted directly from (and is thus 100% compatible with) Atom and is another step closer to being able to render individual resources natively over HTTP rather than encoded and wrapped in XML (which gets unwieldly when you're dealing with multi-gigabyte virtual machines, as we are with OCCI).

It's anybody's guess where the document will go from here - it's currently marked "Experimental" but with any luck it will pique the interest of the standards and/or semantic web community and go on to live a long and happy life.

Internet Engineering Task Force                              S. Johnston
Internet-Draft                               Australian Online Solutions
Intended status: Experimental                               July 1, 2009
Expires: January 2, 2010


                             Web Categories
                 draft-johnston-http-category-header-00

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 2, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This document specifies the Category header-field for HyperText
   Transfer Protocol (HTTP), which enables the sending of taxonomy
   information in HTTP headers.



Johnston                 Expires January 2, 2010                [Page 1]

Internet-Draft              Abbreviated Title                  July 2009


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . . . 3
   2.  Categories  . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  The Category Header Field . . . . . . . . . . . . . . . . . . . 4
     3.1.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . 4
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
     4.1.  Category Header Registration  . . . . . . . . . . . . . . . 5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 5
   6.  Internationalisation Considerations . . . . . . . . . . . . . . 5
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . . . 6
     7.2.  Informative References  . . . . . . . . . . . . . . . . . . 6
   Appendix A.  Notes on use with HTML . . . . . . . . . . . . . . . . 7
   Appendix B.  Notes on use with Atom . . . . . . . . . . . . . . . . 7
   Appendix C.  Acknowledgements . . . . . . . . . . . . . . . . . . . 8
   Appendix D.  Document History . . . . . . . . . . . . . . . . . . . 8
   Appendix E.  Outstanding Issues . . . . . . . . . . . . . . . . . . 8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 9































Johnston                 Expires January 2, 2010                [Page 2]

Internet-Draft              Abbreviated Title                  July 2009


1.  Introduction

   A means of indicating categories for resources on the web has been
   defined by Atom [RFC4287].  This document defines a framework for
   exposing category information in the same format via HTTP headers.

   The atom:category element conveys information about a category
   associated with an entry or feed.  A given atom:feed or atom:entry
   element MAY have zero or more categories which MUST have a "term"
   attribute (a string that identifies the category to which the entry
   or feed belongs) and MAY also have a scheme attribute (an IRI that
   identifies a categorization scheme) and/or a label attribute (a
   human-readable label for display in end-user applications).

   Similarly a web resource may be associated with zero or more
   categories as indicated in the Category header-field(s).  These
   categories may be divided into separate vocabularies or "schemes"
   and/or accompanied with human-friendly labels.

   [[ Feedback is welcome on the ietf-http-wg@w3.org mailing list,
   although this is NOT a work item of the HTTPBIS WG. ]]

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, [RFC2119], as
   scoped to those conformance targets.

   This document uses the Augmented Backus-Naur Form (ABNF) notation of
   [RFC2616], and explicitly includes the following rules from it:
   quoted-string, token.  Additionally, the following rules are included
   from [RFC3986]: URI.


2.  Categories

   In this specification, a category is a grouping of resources by
   'term', from a vocabulary ('scheme') identified by an IRI [RFC3987].
   It is comprised of:

   o  A "term" which is a string that identifies the category to which
      the resource belongs.

   o  A "scheme" which is an IRI that identifies a categorization scheme
      (optional).





Johnston                 Expires January 2, 2010                [Page 3]

Internet-Draft              Abbreviated Title                  July 2009


   o  An "label" which is a human-readable label for display in end-user
      applications (optional).

   A category can be viewed as a statement of the form "resource is from
   the {term} category of {scheme}, to be displayed as {label}", for
   example "'Loewchen' is from the 'dog' category of 'animals', to be
   displayed as 'Canine'".


3.  The Category Header Field

   The Category entity-header provides a means for serialising one or
   more categories in HTTP headers.  It is semantically equivalent to
   the atom:category element in Atom [RFC4287].

   Category           = "Category" ":" #category-value
   category-value     = term *( ";" category-param )
   category-param     = ( ( "scheme" "=" <"> scheme <"> )
                      | ( "label" "=" quoted-string )
                      | ( "label*" "=" enc2231-string )
                      | ( category-extension ) )
   category-extension = token [ "=" ( token | quoted-string ) ]
   enc2231-string     = 
   term               = token
   scheme             = URI

   Each category-value conveys exactly one category but there may be
   multiple category-values for each header-field and/or multiple
   header-fields per [RFC2616].

   Note that schemes are REQUIRED to be absolute URLs in Category
   headers, and MUST be quoted if they contain a semicolon (";") or
   comma (",") as these characters are used to separate category-params
   and category-values respectively.

   The "label" parameter is used to label the category such that it can
   be used as a human-readable identifier (e.g. a menu entry).
   Alternately, the "label*" parameter MAY be used encode this label in
   a different character set, and/or contain language information as per
   [RFC2231].  When using the enc2231-string syntax, producers MUST NOT
   use a charset value other than 'ISO-8859-1' or 'UTF-8'.

3.1.  Examples

   NOTE: Non-ASCII characters used in prose for examples are encoded
   using the format "Backslash-U with Delimiters", defined in Section
   5.1 of [RFC5137].




Johnston                 Expires January 2, 2010                [Page 4]

Internet-Draft              Abbreviated Title                  July 2009


   For example:
   Category: dog

   indicates that the resource is in the "dog" category.
   Category: dog; label="Canine"; scheme="http://purl.org/net/animals"

   indicates that the resource is in the "dog" category, from the
   "http://purl.org/net/animals" scheme, and should be displayed as
   "Canine".

   The example below shows an instance of the Category header encoding
   multiple categories, and also the use of [RFC2231] encoding to
   represent both non-ASCII characters and language information.
   Category: dog; label="Canine"; scheme="http://purl.org/net/animals",
             lowchen; label*=UTF-8'de'L%c3%b6wchen";
             scheme="http://purl.org/net/animals/dogs"

   Here, the second category has a label encoded in UTF-8, uses the
   German language ("de"), and contains the Unicode code point \u'00F6'
   ("LATIN SMALL LETTER O WITH DIAERESIS").


4.  IANA Considerations

4.1.  Category Header Registration

   This specification adds an entry for "Category" in HTTP to the
   Message Header Registry [RFC3864] referring to this document:
   Header Field Name: Category
   Protocol: http
   Status: standard
   Author/change controller:
       IETF (iesg@ietf.org)
       Internet Engineering Task Force
   Specification document(s):
       [ this document ]


5.  Security Considerations

   The content of the Category header-field is not secure, private or
   integrity-guaranteed, and due caution should be exercised when using
   it.


6.  Internationalisation Considerations

   Category header-fields may be localised depending on the Accept-



Johnston                 Expires January 2, 2010                [Page 5]

Internet-Draft              Abbreviated Title                  July 2009


   Language header-field, as defined in section 14.4 of [RFC2616].

   Scheme IRIs in atom:category elements may need to be converted to
   URIs in order to express them in serialisations that do not support
   IRIs, as defined in section 3.1 of [RFC3987].  This includes the
   Category header-field.


7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2231]  Freed, N. and K. Moore, "MIME Parameter Value and Encoded
              Word Extensions: Character Sets, Languages, and
              Continuations", RFC 2231, November 1997.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              September 2004.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, January 2005.

   [RFC3987]  Duerst, M. and M. Suignard, "Internationalized Resource
              Identifiers (IRIs)", RFC 3987, January 2005.

   [RFC4287]  Nottingham, M. and R. Sayre, "The Atom Syndication
              Format", RFC 4287, December 2005.

   [RFC5137]  Klensin, J., "ASCII Escaping of Unicode Characters",
              RFC 5137, February 2008.

7.2.  Informative References

   [OCCI]     Open Grid Forum (OGF), Edmonds, A., Metsch, T., Johnston,
              S., and A. Richardson, "Open Cloud Computing Interface
              (OCCI)", .

   [RFC2068]  Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T.
              Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1",



Johnston                 Expires January 2, 2010                [Page 6]

Internet-Draft              Abbreviated Title                  July 2009


              RFC 2068, January 1997.

   [W3C.REC-html401-19991224]
              Raggett, D., Hors, A., and I. Jacobs, "HTML 4.01
              Specification",
              .

   [W3C.WD-html5-20090423]
              Hyatt, D. and I. Hickson, "HTML 5", April 2009,
              .

   [draft-nottingham-http-link-header]
              Nottingham, M., "Web Linking",
              draft-nottingham-http-link-header-05 (work in progress),
              April 2009.

   [rel-tag-microformat]
              Celik, T., Marks, K., and D. Powazek, "rel="tag"
              Microformat", .


Appendix A.  Notes on use with HTML

   In the absence of a dedicated category element in HTML 4
   [W3C.REC-html401-19991224] and HTML 5 [W3C.WD-html5-20090423],
   category information (including user supllied folksonomy
   classifications) MAY be exposed using HTML A and/or LINK elements by
   concatenating the scheme and term:
   category-link = scheme term
   scheme        = URI
   term          = token

   These category-links MAY form a resolveable "tag space" in which case
   they SHOULD use the "tag" relation-type per [rel-tag-microformat].

   Alternatively META elements MAY be used:

   o  where the "name" attribute is "keywords" and the "content"
      attribute is a comma-separated list of term(s)

   o  where the "http-equiv" attribute is "Category" and the "content"
      attribute is a comma-separated list of category-value(s)


Appendix B.  Notes on use with Atom

   Where the cardinality is known to be one (for example, when
   retrieving an individual resource) it MAY be preferable to render the



Johnston                 Expires January 2, 2010                [Page 7]

Internet-Draft              Abbreviated Title                  July 2009


   resource natively over HTTP without Atom structures.  In this case
   the contents of the atom:content element SHOULD be returned as the
   HTTP entity-body and metadata including the type attribute and atom:
   category element(s) via HTTP header-field(s).

   This approach SHOULD NOT be used where the cardinality is guaranteed
   to be one (for example, search results which MAY return one result).


Appendix C.  Acknowledgements

   The author would like to thank Mark Nottingham for his work on Web
   Linking [draft-nottingham-http-link-header] (on which this document
   was based) and to the authors of [RFC2068] for specification of the
   Link: header-field on which this is based.

   The author would like to thank members of the OGF's Open Cloud
   Computing Interface [OCCI] working group for their contributions and
   others who commented upon, encouraged and gave feedback to this
   draft.


Appendix D.  Document History

   [[ to be removed by the RFC editor should document proceed to
   publication as an RFC. ]]

      -00

      *  Initial draft based on draft-nottingham-http-link-header-05


Appendix E.  Outstanding Issues

   [[ to be removed by the RFC editor should document proceed to
   publication as an RFC. ]]

   The following issues are oustanding and should be addressed:

   1.  Is extensibility of Category headers necessary as is the case for
       Link: headers?  If so, what are the use cases?

   2.  Is supporting multi-lingual representations of the same
       category(s) necessary?  If so, what are the risks of doing so?

   3.  Is a mechanism for maintaining Category header-fields required?
       If so, should it use the headers themselves or some other
       mechanism?



Johnston                 Expires January 2, 2010                [Page 8]

Internet-Draft              Abbreviated Title                  July 2009


   4.  Does this proposal conflict with others in the same space?  If
       so, is it an improvement on what exists?


Author's Address

   Sam Johnston
   Australian Online Solutions
   GPO Box 296
   Sydney, NSW  2001

   Email: samj@samj.net
   URI:   http://samj.net/






































Johnston                 Expires January 2, 2010                [Page 9]

The browser is the OS (thanks to Firefox 3.5, Chrome 2, Safari 4)

samj@samj.net (Sam Johnston) — Wed, 01 Jul 2009 05:32:28 PDT

Almost a year ago I wrote about Google Chrome: Cloud Operating Environment and [re]wrote the Google Chrome Wikipedia article, discussing the ways in which Google was changing the game through new and innovative features. They had improved isolation between sites (which is great for security), improved usability (speed dial, tear off tabs, etc.) and perhaps most importantly for SaaS/Web 2.0 applications, vastly improved the JavaScript engine.

Similar features were quickly adopted by competitors including Opera (which Chrome quickly overtook at ~2%) and Firefox (which still has an order of magnitude more users at ~20-25%). Safari is really making waves too at around 1/3-1/2 of the share of Firefox (~8%) and with the recent release of Safari 4 it's a compelling alternative - especially given it passes the Acid 3 test with flying colours while Firefox 3.5 bombs out at 93/100.

HTML 5 features such as local storage and the video and audio elements are starting to make their way into the new breed of browsers too, though it's still often necessary to install Google Gears to get advanced offline functionality (e.g. most of the Google Apps suite) up and running. Google have drawn fire by missing the Firefox 3.5 launch and users finding Gears disabled are flocking to the gears-users Google Group to vent their frustrations, some going so far as claiming that "Google is trying to do what it can to push users to Chrome" and asking "Are we watching a proccess of Google becoming customer-deaf Microsoft?". Let's just hope it's ready in time for my travel later this week...

The point is that after the brutal browser wars which stagnated the web for some time (right up until Microsoft opened the floodgates by introducing Ajax), we're now starting to see some true competition again. Granted Internet Explorer is still a 1,000 pound gorilla at ~65% of market share, but even with a silk shirt in the form of IE 8 and a handful of lame ads it's still a pig and the target of the vast majority of security exploits on the web. This makes it an an easy sell for any competitor who manages to get a foot in the door (which is unfortunately still the hardest part of the sale).

The decision not to ship IE with Windows 7 in Europe will be interesting as it should draw mainstream attention to the alternatives which will flow on to other markets (as we've seen with adoption of "alternative" technology like Linux in the past - not to mention the whole Netbook craze started by OLPC in the third world). However, with the browser being where most of the action is today the operating system has become little more than a life support system for it - an overly thick interface layer between the browser and the hardware. Surely I'm not the only one who finds it curious that while the software component of a new computer is fast approaching 50% of the cost (up from around 10% a decade ago), the heart of the system (the browser) is both absent from Windows 7 and yet freely available (both in terms of beer and freedom)? Something's gotta give...

Anyway it's time to stop looking at the features and performance of the underlying operating system, rather the security and scalability of the browser. When was the last time you turned to the operating system anyway, except to fix something that went wrong or do some menial housekeeping (like moving or deleting files)?

An open letter to the CAcert.org board and members

samj@samj.net (Sam Johnston) — Sun, 28 Jun 2009 04:55:14 PDT

This is an open letter to the CAcert.org board and membership (including my fellow 20-30 official "Association Members" (copied) as well as the 150,000 or so account holders we effectively represent) concerning recent events that could affect the ongoing viability of the organisation. Bearing in mind that this is an organisation built on trust, I implore you to follow my example in exercising extreme caution when we are called to necessarily intervene in resolving the deadlock. Despite claims to the contrary there is no urgency and the last thing we need now is an Iran style election (whether or not legitimate, perception is everything).

The Problem

It appears (from my perspective as an outsider, albeit with the benefit of various insider accounts) that the board has split into two factions. On one hand we have the "old school" who have been on the board for a while (some would say too long) and the other "reformist(s)" who seek change, yesterday. They are now on a crash course that will invariably result in the loss of committed contributors, or worse, loss of trust from the community. In any case a confrontation poses a serious risk to the organisation's future, and with it the community's access to an alernative to commercial certification authorities.

In requesting and receiving the official member list as well as proposing a number of new members (who are presumably sympathetic to their position and will vote for any motion they submit) it was already clear that plans were afoot for a "coup d'état". Now that an SGM has been proposed to "get this over with" complete with a clear agenda there is absolutely no doubt about it:

Acceptance of new members. (E.Schwob, A.Bürki, I.Grigg)
Vote that the committee of management no longer enjoys the confidence of the members.
Vote that the committee is hereby removed from office and election of a committee shall immediately follow adoption of this resolution.
Election of a new committee of management.

It is no wonder that the existing board feel they are under attack - they effectively are - and given the "soonest this could be done is in 7 days" they are no doubt starting to feel the pressure. I don't buy it. Yes, the auditor recently resigned and yes we will eventually need to get the audit back on track, but right now the number one issue is restoring stability to an unstable structure and minimising collateral damage. This needs to be done slowly and carefully and those promoting panic are perhaps deserving of the suspicion they have raised.

It is not my intent to start (yet another) discussion, rather to propose a safe and sensible way forward that will ensure CAcert's ongoing viability while protecting our most valuable asset: the trust of the community. Should the SGM proceed as planned (whether or not it is successful) I will be the first to admit that the trust is lost.

The Solution

The very first thing we need to do is expand the membership base by one or two orders of magnitude, as Patrick explains:

Increasing the number of members, will increase the stability of your organization. It is more difficult to try a Coup d'Etat or a revolution when you have to convince 200 voting members than 20. On the other hand, major changes will be slower for the same reason.

Any structure with a broad base is far more stable than the top heavy structure we have today (the subversion of which requires a mere THREE new members to be proposed at SGM!).

The two main obstacles to becoming a member today are:

A convoluted process requiring a "personally known" proposer and seconder as well as an explicit vote from the committee
A token USD10 annual fee, the proceeds of which (around €200) are a drop in the ocean

Fortunately the committee has the power to require "some other amount" (including zero) at least until such time as the organisation's rules can be updated accordingly (see CAcertIncorporated and the Associations Incorporation Act for more details). Accordingly the membership fees for 2009/2010 should be immediately suspended as members are far more important than money right now.

The process for becoming a member should also be streamlined, if not completely overhauled. Surely I'm not the only one who considers it ironic that an open, community driven organisation should in fact be closed. Building the broadest possible membership base offers the best protection against attacks like this (and yes, I consider this an attack and urge the attackers to back off while the structure is stabilised). Associations are typically limited by guarantee - which means that becoming a member involves a commitment to pay a certain (usually token) amount in the event that the organisation should be would up (as opposed to companies limited by shares, where the liability is limited to the value of the shares themselves). People are far more likely to agree to this than reach into their own pockets (even if only due to laziness) so this change alone should make a huge difference.

The invitation to become a member should then be extended to some (e.g. assurers, assured, active cert holders, etc.) or all of the existing users, whose membership applications should be processed as efficiently as possible. Ideally this would be able to be done online as [an optional] part of the signup process (perhaps relying on Australia's Electronic Transactions Act to capture electronic signatures) but for now the rules require writing or digitally signed email. A temporary "pipeline" consisting of one or more dedicated proposers and seconders could be set up, processing digitally signed applications from members as they arrive. The proposer and seconder requirement (who must be "personally known" to the applicant) should be eventually dropped and the "default deny" committee vote be dropped or replaced with a "default accept" [after 7 days?] veto. In any case only those with an existing interest in CAcert (e.g. a user account) will be eligible at this time so there is little risk of outsider influence.

Once we have a significantly larger membership base (at least 100 members but ideally more like 200-2000) we can proceed to an orderly election of a new board with each candidate providing a concise explanation of their experience and why they (individually) should be selected as representatives. The resulting board would likely be a mix of the two factions (who would hopefully have agreed to work together) as well as some "new blood".

I hope that you will agree that this is the best way forward and that those of you who have offered support to the revolutionary(s) reconsider in the presence of this far safer alternative. Should they press on with the SGM I for one will be voting against the motions (and encourage you to do the same), not because I don't agree "it's time for change" but because of the way it has been effected.

Thanks for your time and attention,

Sam

CloudBurst Trademarked?

samj@samj.net (Sam Johnston) — Wed, 01 Jul 2009 05:39:16 PDT

It's no secret that "CloudBurst" is one of my least favourite cloud computing buzzwords. Its intended meaning is something like when you run out of room in your own datacenters you can "CloudBurst" into a public service like EC2. Not only is that somewhat the pipedream today (you want an enterprise app to do what?), but it is a significant deviation from the real world meaning of the term which according to Wikipedia is:

A cloudburst is an extreme form of rainfall, sometimes mixed with hail and thunder, which normally lasts no longer than a few minutes but is capable of creating minor flood conditions.

Fortunately it seems I may not have to put up with it for much longer because the guys at Ythos (a "Technology and Business Development Consultancy") have gone and registered it with the USPTO (Trademark #77736577).

That said, it seems the USPTO have learnt some lessons from last year's "cloud computing" trademark debacle, citing Dell's ill-fated trademark in denying Q-Layer^W Sun^W Oracle's application for NephOS. They should probably deny this one too, but I'm saying that through gritted teeth and would be quite happy to see it removed from the public lexicon.

Update: Interestingly LogMeIn, Inc. got in a scuffle over the trademark a few years back but unfortunately it was "Abandoned after an inter partes decision by the Trademark Trial and Appeal Board."