<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Sam Johnston</title><link>http://samj.net/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/samj" /><description>Random rants about tech stuff (cloud computing, intellectual property, security, etc.)</description><language>en</language><managingEditor>noreply@blogger.com (Sam)</managingEditor><lastBuildDate>Sat, 20 Mar 2010 11:35:34 PDT</lastBuildDate><generator>Blogger http://www.blogger.com</generator><openSearch:totalResults xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">124</openSearch:totalResults><openSearch:startIndex xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">1</openSearch:startIndex><openSearch:itemsPerPage xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/">25</openSearch:itemsPerPage><feedburner:info uri="samj" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><media:copyright>Copyright 2008 Sam Johnston - All Rights Reserved</media:copyright><media:thumbnail url="http://media.samj.net/images/samj-portrait.jpg" /><media:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</media:keywords><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology/Gadgets</media:category><itunes:owner><itunes:email>samj@samj.net</itunes:email><itunes:name>Sam Johnston</itunes:name></itunes:owner><itunes:author>Sam 
Johnston</itunes:author><itunes:explicit>no</itunes:explicit><itunes:image href="http://media.samj.net/images/samj-portrait.jpg" /><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><itunes:subtitle>Random rants about stuff</itunes:subtitle><itunes:summary>Sam Johnston's random rants about Internet (Web 2.0), Security, Open Source and other stuff</itunes:summary><itunes:category text="Technology"><itunes:category text="Gadgets" /></itunes:category><creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license><feedburner:emailServiceId>samj</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><item><title>Trend Micro abandons Intercloud™ trademark application</title><link>http://feedproxy.google.com/~r/samj/~3/ev8XAF8W-lE/trend-micro-abandons-intercloud.html</link><category>cloud</category><category>standards</category><category>intercloud</category><category>trademark</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Mon, 15 Feb 2010 14:15:00 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-1416885516940268559</guid><description>&lt;p style="clear: both"&gt;Just when I thought we were going to be looking at another trademark debacle not unlike Dell's attempt at "cloud computing" back in 2008 (see &lt;a href="http://www.theregister.co.uk/2008/08/18/dell_cloud_computing_denied/"&gt;Dell cloud computing™ denied&lt;/a&gt;) it seems luck is with us in that &lt;a href="http://www.trendmicro.com/"&gt;Trend Micro&lt;/a&gt; have abandoned their application &lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77018125"&gt;#77018125&lt;/a&gt; for a trademark on the term &lt;a href="http://en.wikipedia.org/wiki/Intercloud"&gt;Intercloud&lt;/a&gt; (see &lt;a 
href="http://samj.net/2009/07/newsflash-trend-micro-trademarks.html"&gt;NewsFlash: Trend Micro trademarks the Intercloud™&lt;/a&gt;). They had until 5 February 2010 to file for an extension and according to USPTO's &lt;a href="http://tmportal.uspto.gov/external/portal/tow?SRCH=Y&amp;amp;isSubmitted=true&amp;amp;details=&amp;amp;SELECT=US+Serial+No&amp;amp;TEXT=77018125"&gt;Trademark Document Retrieval&lt;/a&gt; system they have now well and truly missed the date (the last extension was submitted at the 11th hour, at 6pm on the eve of expiry).&lt;/p&gt;&lt;p style="clear: both"&gt;Like Dell, Trend Micro were issued a "Notice of Allowance" on 5 August 2008 (actually Dell's "Notice of Allowance" for &lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77139082"&gt;#77139082&lt;/a&gt; was issued less than a month before, on 8 July 2008, and cancelled just afterwards, on 7 August 2008). Unlike Dell though, Trend Micro just happened to be in the right place at the right time rather than attempting to lay claim to an existing, rapidly developing technology term ("cloud computing").&lt;/p&gt;&lt;p style="clear: both"&gt;Having been issued a Notice of Allowance both companies just had to submit a Statement of Use and the trademarks were theirs. With Dell it was just lucky that I happened to discover and reveal their application during this brief window (after which the USPTO cancelled their application following widespread uproar), but with Trend Micro it's likely they don't actually have a product today with which to use the trademark.&lt;/p&gt;&lt;p style="clear: both"&gt;A similar thing happened to &lt;a href="http://www.psionteklogix.com/"&gt;Psion&lt;/a&gt; late 2008, who couldn't believe their luck when the term "&lt;a href="http://en.wikipedia.org/wiki/Netbook"&gt;netbook&lt;/a&gt;" became popular long after they had discontinued their product line by the same name. 
Having realised they still held an active trademark, they threatened all and sundry over it, eventually &lt;a href="http://arstechnica.com/gadgets/news/2009/03/psion-countersues-flames-intel-for-unclean-hands.ars"&gt;claiming&lt;/a&gt; Intel had "unclean hands" and asking for $1.2bn, only to &lt;a href="http://news.cnet.com/8301-1001_3-10253210-92.html"&gt;back down&lt;/a&gt; when push came to shove. One could argue that as we have "&lt;a href="http://en.wikipedia.org/wiki/Submarine_patent"&gt;submarine patents&lt;/a&gt;", we also have "submarine trademarks".&lt;/p&gt;&lt;p style="clear: both"&gt;In this case, back on September 25, 2006 Trend Micro announced a product coincidentally called "InterCloud" (see &lt;a href="http://trendmicro.mediaroom.com/index.php?s=43&amp;amp;item=53"&gt;Trend Micro Takes Unprecedented Approach to Eliminating Botnet Threats with the Unveiling of InterCloud Security Service&lt;/a&gt;), which they claimed was "&lt;em&gt;the industry’s most advanced solution for identifying botnet activity and offering customers the ability to quarantine and optionally clean bot-infected PCs&lt;/em&gt;". Today's &lt;strong&gt;Intercloud is a global cloud of clouds&lt;/strong&gt;, in the same way that the &lt;strong&gt;Internet is a global network of networks&lt;/strong&gt; - clearly nothing like what Trend Micro had in mind. It's also both descriptive (a portmanteau describing &lt;u&gt;inter&lt;/u&gt;connected &lt;u&gt;cloud&lt;/u&gt;s) and generic (in that it cannot serve as a source identifier for a given product or service), which basically means it should be found ineligible for trademark protection should anyone apply again in future.&lt;br /&gt;&lt;br /&gt;Explaining further, the Internet has kept us busy for a few decades simply by passing packets between clients and servers (most of the time). 
It's analogous to the bare electricity grid, allowing connected nodes to transfer electrical energy between one another (typically from generators to consumers but with alternative energy sometimes consumers are generators too). Cloud computing is like adding massive, centralised power stations to the electricity grid, essentially giving it a life of its own.&lt;/p&gt;&lt;p style="clear: both"&gt;I like the term Intercloud, mainly because it takes the focus away from the question of "What is cloud?", instead drawing attention to interoperability and standards where it belongs. Kudos to Trend Micro for this [in]action - whether intentional or unintentional.&lt;/p&gt;&lt;br class='final-break' style='clear: both' /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-1416885516940268559?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/ev8XAF8W-lE" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-15T23:15:00.304+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://samj.net/2010/02/trend-micro-abandons-intercloud.html</feedburner:origLink></item><item><title>Introducing Planet Cloud: More signal, less noise.</title><link>http://feedproxy.google.com/~r/samj/~3/N4qCuPRcNtM/introducing-planet-cloud-more-signal.html</link><category>cloud</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:40:53 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-7092062835374671041</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/S3Hdc6djkNI/AAAAAAAAAds/nq5Oc2ZoPGo/s1600-h/planetcloud-logo-trans.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/S3Hdc6djkNI/AAAAAAAAAds/nq5Oc2ZoPGo/s1600/planetcloud-logo-trans.png" /&gt;&lt;/a&gt;&lt;/div&gt;As you are no doubt well aware there is a large and increasing amount of noise about &lt;a href="http://en.wikipedia.org/wiki/Cloud_computing"&gt;cloud computing&lt;/a&gt;, so much so that it's becoming increasingly difficult to extract a clean signal. This has always been the case but now that even vendors like Oracle (who have previously been sharply critical of cloud computing, in part for exactly this reason) are clambering aboard the bandwagon, it's nearly impossible to tell who's worth listening to and who's just trying to sell you yesterday's technology under today's label.&lt;br /&gt;
&lt;br /&gt;
It is with this in mind that I am happy to announce &lt;a href="http://www.planetcloud.org/"&gt;Planet Cloud&lt;/a&gt;, a news aggregator for cloud computing articles that is particularly fussy about its sources. In particular, unless you talk all cloud, all the time (which is rare - even I take a break every once in a while) then your posts won't be included unless you can provide a cloud-specific feed. Fortunately most blogging software supports this capability and many of the feeds included at launch take advantage of it. You can access Planet Cloud at:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="font-size: x-large;"&gt;&lt;a href="http://www.planetcloud.org/"&gt;http://www.planetcloud.org/&lt;/a&gt;&amp;nbsp;or &lt;a href="http://twitter.com/planetcloud"&gt;@planetcloud&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;
Those of you aware of my disdain for &lt;a href="http://aralbalkan.com/2284"&gt;SYS-CON's antics&lt;/a&gt; might be surprised that we've opted to ask for forgiveness rather than permission, but you'll also notice that we don't run ads (nor do we have any plans to - except for a few that come to us via feeds and are thus paid to authors). As such this is a non-profit service to the cloud computing community intended to filter out much of the noise in the same way that the &lt;a href="http://twitter.com/clouderati"&gt;Clouderati&lt;/a&gt;&amp;nbsp;provides a fast track to the heart of the cloud computing discussion on Twitter. An unwanted side effect of this approach is that it is not possible for us to offer the feeds under a &lt;a href="http://creativecommons.org/"&gt;Creative Commons&lt;/a&gt; license, as would usually be the case for content we own.&lt;/div&gt;&lt;br /&gt;
&lt;div style="text-align: left;"&gt;Many thanks to &lt;a href="http://www.timfreeman.org/"&gt;Tim Freeman&lt;/a&gt; (&lt;a href="http://twitter.com/timfaas"&gt;@timfaas&lt;/a&gt;) for his contribution not only of the &lt;a href="http://planetcloud.org/"&gt;planetcloud.org&lt;/a&gt; domain itself, but also of a comprehensive initial list of feeds (including many I never would have thought of myself). Thanks also to &lt;a href="http://www.rackspacecloud.com/"&gt;Rackspace Cloud&lt;/a&gt; who provide our hosting and who have done a great job of keeping the site alive during the testing period over the last few weeks. Thanks to the&amp;nbsp;&lt;a href="http://www.planetplanet.org/"&gt;Planet&lt;/a&gt;&amp;nbsp;aggregator which is simple but effective Python software for collating many feeds. And finally thanks to the various authors who have [been] volunteered for this project - hopefully we'll be able to drive some extra traffic your way (of course if you're not into it then that's fine too - we'll just remove you from the config file and you'll vanish within 5 minutes).&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-7092062835374671041?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/N4qCuPRcNtM" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:40:53.855+01:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_7biMK_kQerY/S3Hdc6djkNI/AAAAAAAAAds/nq5Oc2ZoPGo/s72-c/planetcloud-logo-trans.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://samj.net/2010/02/introducing-planet-cloud-more-signal.html</feedburner:origLink></item><item><title>Announcing OpenECP: Open Elastic Computing Platform</title><link>http://feedproxy.google.com/~r/samj/~3/TwZnNuHKp0c/announcing-openecp-open-elastic.html</link><category>cloud</category><category>openecp</category><category>enomaly</category><category>security</category><category>opensource</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Mon, 15 Feb 2010 17:20:52 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-3979222388957135810</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://www.openecp.org/"&gt;&lt;img border="0" height="531" src="http://1.bp.blogspot.com/_7biMK_kQerY/S3DB7TVQbnI/AAAAAAAAAdo/whs3qJUEIdM/s640/openecp-screenshot.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;I am pleased to announce the immediate availability of the &lt;a href="http://www.openecp.org/"&gt;Open Elastic Computing Platform (OpenECP)&lt;/a&gt;&amp;nbsp;Version 4.0 Alpha (&lt;a href="http://sourceforge.net/projects/openecp/files/openecp-4.0alpha.tar.gz/download"&gt;openecp-4.0alpha.tar.gz&lt;/a&gt;), provisionally tested on &lt;a href="http://www.debian.org/"&gt;Debian GNU/Linux 5.0&lt;/a&gt;&amp;nbsp;(&lt;a href="http://www.openecp.org/screenshots/"&gt;screenshots&lt;/a&gt;). 
This is an &lt;a href="http://www.opensource.org/"&gt;open source&lt;/a&gt; fork of the &lt;a href="http://www.enomaly.com/"&gt;Enomaly ECP&lt;/a&gt;&amp;nbsp;product following its abrupt commercialisation in November 2009, which resolves a number of &lt;a href="http://samj.net/2010/02/private-cloud-security-is-no-security.html"&gt;serious security vulnerabilities&lt;/a&gt;. For more information refer to:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="text-align: center;"&gt;&lt;span class="Apple-style-span" style="font-size: x-large;"&gt;&lt;a href="http://www.openecp.org/"&gt;http://www.openecp.org/&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;a href="http://www.openecp.org/"&gt;OpenECP&lt;/a&gt; is a web-based management platform for Linux-based hypervisors including KVM and Xen which can be used to create "public" and "private" cloud computing environments.&lt;br /&gt;
&lt;br /&gt;
It will always be freely available under the &lt;a href="http://www.fsf.org/licensing/licenses/agpl-3.0.html"&gt;Affero General Public License v3&lt;/a&gt; or similar.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Features&lt;/b&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Xen, KVM, Qemu, OpenVZ, Amazon EC2 support&lt;/li&gt;
&lt;li&gt;Multiple OpenECP server support&lt;/li&gt;
&lt;li&gt;RESTful Web Services API&lt;/li&gt;
&lt;li&gt;Dashboard with metering, chargeback&lt;/li&gt;
&lt;li&gt;Automated virtual machine (VM) deployment&lt;/li&gt;
&lt;/ul&gt;&lt;b&gt;Support&lt;/b&gt;&lt;br /&gt;
Technical support is provided by the community; however, as it is an open source product, anyone is free to support and extend it.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;
This release was forked from the most recent version of Enomaly ECP as at 2010-02-09 (3.0.4 with a number of additional revisions), as distributed under the Affero GPL v3 by Enomaly, Inc. In order to avoid any potential intellectual property issues, all references to Enomaly™ have been scrubbed from the distribution (in the same way that references to RedHat have been purged from CentOS).&lt;br /&gt;
&lt;br /&gt;
The unmodified Enomaly ECP code (&lt;a href="https://sourceforge.net/projects/openecp/files/enomaly-ecp/enomaly-ecp-3.0.4.1.tar.gz/download"&gt;enomaly-ecp-3.0.4.1.tar.gz&lt;/a&gt;) is also available along with a non-maintainer release which resolves all known security issues (&lt;a href="https://sourceforge.net/projects/openecp/files/enomaly-ecp/enomaly-ecp-3.0.4.2.tar.gz/download"&gt;enomaly-ecp-3.0.4.2.tar.gz&lt;/a&gt;) as it appears that Enomaly have no plans to address these outstanding issues.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update&lt;/b&gt;: Enomaly have &lt;a href="http://src.enomaly.com/"&gt;responded&lt;/a&gt; with this comparison chart (however&amp;nbsp;&lt;a href="http://samj.pastebin.com/f4bcc4080"&gt;this changelog&lt;/a&gt; proves a common lineage):&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/S3nyzHkcbKI/AAAAAAAAAd0/WD0f9sPzMQ8/s1600-h/Picture%206.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://1.bp.blogspot.com/_7biMK_kQerY/S3nyzHkcbKI/AAAAAAAAAd0/WD0f9sPzMQ8/s640/Picture%206.png" width="484" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-3979222388957135810?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/TwZnNuHKp0c" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-16T02:20:52.595+01:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_7biMK_kQerY/S3DB7TVQbnI/AAAAAAAAAdo/whs3qJUEIdM/s72-c/openecp-screenshot.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure url="http://sourceforge.net/projects/openecp/files/openecp-4.0alpha.tar.gz/download" length="2634034" type="application/x-gzip" /><media:content url="http://sourceforge.net/projects/openecp/files/openecp-4.0alpha.tar.gz/download" fileSize="2634034" type="application/x-gzip" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>I am pleased to announce the immediate availability of the Open Elastic Computing Platform (OpenECP)&amp;nbsp;Version 4.0 Alpha (openecp-4.0alpha.tar.gz), provisionally tested on Debian GNU/Linux 5.0&amp;nbsp;(screenshots). This is an open source fork of the Enom</itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>I am pleased to announce the immediate availability of the Open Elastic Computing Platform (OpenECP)&amp;nbsp;Version 4.0 Alpha (openecp-4.0alpha.tar.gz), provisionally tested on Debian GNU/Linux 5.0&amp;nbsp;(screenshots). This is an open source fork of the Enomaly ECP&amp;nbsp;product following its abrupt commercialisation in November 2009, which resolves a number of serious security vulnerabilities. For more information refer to: http://www.openecp.org/OpenECP is a web-based management platform for Linux-based hypervisors including KVM and Xen which can be used to create "public" and "private" cloud computing environments. It will always be freely available under the Affero General Public License v3 or similar. 
Features Xen, KVM, Qemu, OpenVZ, Amazon EC2 support Multiple OpenECP server support RESTful Web Services API Dashboard with metering, chargeback Automated virtual machine (VM) deployment Support Technical support is provided by the community, however as an open source product anyone is free to support and extend it. Background This release was forked from the most recent version of Enomaly ECP as at 2010-02-09 (3.0.4 with a number of additional revisions), as distributed under the Affero GPL v3 by Enomaly, Inc. In order to avoid any potential intellectual property issues, all references to Enomaly™ have been scrubbed from the distribution (in the same way that references to RedHat have been purged from CentOS). The unmodified Enomaly ECP code (enomaly-ecp-3.0.4.1.tar.gz) is also available along with a non-maintainer release which resolves all known security issues (enomaly-ecp-3.0.4.2.tar.gz) as it appears that Enomaly have no plans to address these outstanding issues. Update: Enomaly have responded with this comparison chart (however&amp;nbsp;this changelog proves a common lineage): </itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2010/02/announcing-openecp-open-elastic.html</feedburner:origLink></item><item><title>Private cloud security is no security at all</title><link>http://feedproxy.google.com/~r/samj/~3/fFk-HPPMohk/private-cloud-security-is-no-security.html</link><category>cloud</category><category>enomaly</category><category>security</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Sun, 21 Feb 2010 08:42:08 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-7604910184753942722</guid><description>It's ironic that the purveyors of "Private Cloud" sell their wares on the premise of enhanced privacy and security - a totally unjustified claim which is 
too often accepted without question - and that they are quick to dismiss the huge benefit of the armies of security boffins employed by "public" cloud vendors (whose future is largely dependent on keeping customer data safe). It's also very convenient for them that the term itself is disparaging of "public" cloud in the same way that "&lt;a href="http://www.blogwithintegrity.com/badge.php"&gt;Blog With Integrity&lt;/a&gt;" badges imply that the rest of us are somehow unethical (one of the main reasons I personally have and will always dislike[d] it).&lt;br /&gt;
&lt;br /&gt;
It is with that in mind that I was intrigued by &lt;a href="http://twitter.com/ruv"&gt;Reuven Cohen&lt;/a&gt;'s &lt;a href="http://www.elasticvapor.com/2010/02/enomaly-intel-participate-in-new-cloud.html"&gt;announcement today&lt;/a&gt; regarding &lt;a href="http://www.enomaly.com/"&gt;Enomaly, Inc.&lt;/a&gt; having recently joined the &lt;a href="http://communities.intel.com/docs/DOC-4292"&gt;Intel Cloud Builder Program&lt;/a&gt; (whatever that is). It was these two quotes that I found particularly questionable regarding their Enomaly ECP product:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;&lt;i&gt;Intel was among the first to full(sic) understand the opportunity in enabling a &lt;b&gt;truly secure&lt;/b&gt; virtualized cloud computing environments(sic) for service providers and Telco's.&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt;Our work with the Intel Cloud Builder Program will help to accelerate our efforts to deliver a massively-scalable, &lt;b&gt;highly-available, high-security&lt;/b&gt; cloud platform to our customers.&lt;/i&gt;&lt;/li&gt;
&lt;/ol&gt;The reason I'm naturally suspicious of such claims is that I've already discovered a handful of critical security vulnerabilities in this product (and that's without even having to look beyond the startup script - a secure-by-default turbogears component that was made insecure through inexplicable modifications):&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;&lt;a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4990"&gt;CVE-2008-4990 Enomaly ECP/Enomalism: Insecure temporary file creation vulnerabilities&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0390"&gt;CVE-2009-0390: Argument injection vulnerability in Enomaly Elastic Computing Platform (ECP)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://seclists.org/bugtraq/2009/Feb/142"&gt;Enomaly ECP/Enomalism: Multiple vulnerabilities in enomalism2.sh (redux)&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;I had to dig a little (but not much) deeper for the &lt;a href="http://seclists.org/bugtraq/2009/Feb/123"&gt;silent update remote command execution vulnerability&lt;/a&gt;. I also inadvertently discovered &lt;a href="http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html"&gt;another serious security vulnerability&lt;/a&gt; (sending corporate BestBuy credentials in the clear over the Internet to a &lt;a href="http://bbyconnect.appspot.com/"&gt;3rd party service&lt;/a&gt;), which as it turns out was also developed by Enomaly, Inc. It's only natural that I would be suspicious of any future security claims made by this company.&lt;br /&gt;
&lt;br /&gt;
It doesn't help my sentiment either that every last trace of the Open Source &lt;a href="http://sourceforge.net/projects/enomalism/"&gt;ECP Community Edition&lt;/a&gt; was recently scrubbed from the Internet without notice, &lt;a href="http://groups.google.com/group/enomalism/msg/6146263e5c089b8d"&gt;leaving&lt;/a&gt; &lt;a href="http://groups.google.com/group/enomalism/msg/15644b997198af41"&gt;angry&lt;/a&gt; &lt;a href="http://groups.google.com/group/enomalism/msg/bfc55878ee3786a3"&gt;customers&lt;/a&gt; &lt;a href="http://groups.google.com/group/enomalism/msg/99984bfeab33afc2"&gt;high&lt;/a&gt; &lt;a href="http://groups.google.com/group/enomalism/msg/5796df922d2583f5"&gt;and&lt;/a&gt; &lt;a href="http://groups.google.com/group/enomalism/msg/894231c4f8c5cfeb"&gt;dry&lt;/a&gt;, purportedly pending the "rejigging [of their] OSS strategy". While my previous attempts to fork the product as &lt;a href="http://sourceforge.net/projects/freenomalism/"&gt;Freenomalism&lt;/a&gt; failed when we were unable to get the daemon to start, having the code in any condition is better than not having it at all. In my opinion this is little more than blatantly (and successfully I might add) taking advantage of the &lt;a href="http://opensource.org/"&gt;Open Source&lt;/a&gt; community for as long as necessary to get the product into the limelight. Had they not filled this void others would certainly have done so, and the &lt;a href="http://opencloud.googlecode.com/svn/trunk/oci/ocp/open-cloud-principles.html"&gt;Open Cloud&lt;/a&gt; would be better off today as a result.&lt;br /&gt;
&lt;br /&gt;
As part of cloud standards work I was interested in taking a look at the "secure" mechanism they developed for distributing virtual machines:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;&lt;a href="http://www.vmcasting.org/"&gt;VMcasting&lt;/a&gt; is an automatic virtual machine deployment mechanism based on RSS2.0 whereby virtual machine images are transferred from a server to a client which &lt;b&gt;securely delivers&lt;/b&gt; files containing a technical specification and virtual disk image.&lt;/i&gt;&lt;/blockquote&gt;Another bold claim that initially appeared justified by a simple but relatively sensible embedding of cryptographically strong checksums into descriptor and manifest files that were in turn digitally signed using GPG. Unfortunately no consideration was given to the secure retrieval of the archive itself (nor the RSS feed listing the archives for that matter), nor were signatures actually required by the specification, meaning that it would be trivial for an attacker to insert their own unsigned packages and/or replace existing signed packages with modified, unsigned ones, or to replay an older, signed version of an insecure workload for that matter.&lt;br /&gt;
&lt;br /&gt;
Fortunately an attacker need not even go to these lengths as despite acknowledging the need for digital signatures in the &lt;a href="http://www.vmcasting.org/vmcastingspec/"&gt;VMcasting specification&lt;/a&gt;, none of the security features appear to have been implemented in Enomaly ECP itself. Worse still, it won't even let you use SSL if you're sensible enough to try:&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;if url[0].lower not in ("http", "ftp"):
    raise E2UndefinedError(_("Unknown scheme in package URL."))&lt;/pre&gt;&lt;/blockquote&gt;Think you're safe if you keep everything on your own network (that's the whole point, right?). Don't be so sure: the vmfeed module quietly registers these HTTP URLs for you:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;code&gt;http://enomalism.com/vmcast_appliances.php&lt;/code&gt; [&lt;a href="http://samj.pastebin.com/fb87b349"&gt;archived copy&lt;/a&gt;]&lt;/li&gt;
&lt;li&gt;&lt;code&gt;http://enomalism.com/vmcast_modules.php&lt;/code&gt; [&lt;a href="http://samj.pastebin.com/f7c015faa"&gt;archived copy&lt;/a&gt;]&lt;/li&gt;
&lt;/ul&gt;Sure enough if you retrieve the first URL you'll get a feed of "virtual appliances" like &lt;a href="http://s3.amazonaws.com/VM_Images/265e0596-8341-11dd-920d-1a1321b1d5ec.xvm2"&gt;this one&lt;/a&gt; (delivered over HTTP from Amazon S3 no less) and, as expected, if you untar it you'll see that there are no signatures whatsoever. Don't get me started on the myriad vulnerabilities no doubt present within the appliances themselves given their age - packaging applications as virtual machines is a notoriously bad idea and one that I hope will be overrun by containers/platforms in the not too distant future.&lt;br /&gt;
&lt;br /&gt;
But wait, there's more - being able to run workloads of your choice (e.g. trojan horses, network scanners, etc.) within your victim's network is one thing, and being able to obtain and reverse engineer their existing workloads (given there's no catering for authentication) another, but taking over the management system itself is where there's real fun to be had. Fortunately all you need to do is set the MIME type to &lt;code&gt;application/python-egg&lt;/code&gt; rather than &lt;code&gt;application/enomalism2-xvm2&lt;/code&gt; and this little chestnut gets invoked, quietly unzipping and forcibly installing the supplied python module:&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;elif self.get_mime()==EGG_MIME:
    tx.update("Installing Python egg.", 90)
    target=os.path.join(settings.repodir,\
        self.get_uuid().replace("-","_")+".egg")
    shutil.move(filename, target)
    self.install_python_egg(target)&lt;/pre&gt;&lt;/blockquote&gt;The vmcast_modules feed currently advertises the &lt;a href="http://enomaly.com/fileadmin/eggs/e2_drivemounter-1.0.0ecp_2.1-py2.5.egg"&gt;e2_drivemounter&lt;/a&gt;, &lt;a href="http://enomaly.com/fileadmin/eggs/e2_exception-1.0.0ecp_2.1-py2.5.egg"&gt;e2_exception&lt;/a&gt; and &lt;a href="http://enomaly.com/fileadmin/eggs/e2_phone_home-1.0.0ecp_2.1-py2.5.egg"&gt;e2_phone_home&lt;/a&gt; modules which are all available for download, again over HTTP, from &lt;a href="http://enomaly.com/fileadmin/eggs/"&gt;http://enomaly.com/fileadmin/eggs/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Anyway I'm sure there'll be &lt;a href="http://groups.google.com/group/enomalism/msg/83a8c3c4c3abe033"&gt;backpedalling&lt;/a&gt;, &lt;a href="http://groups.google.com/group/enomalism/browse_thread/thread/ae94ac7cb5fa7683"&gt;downplaying&lt;/a&gt;, &lt;a href="http://www.elasticvapor.com/2008/11/v-for-vendetta.html"&gt;shooting-the-messenger&lt;/a&gt;, etc. which is why you're reading this here rather than in a vulnerability announcement. While the bugs are obviously unconfirmed this still illustrates my point nicely - don't take it for granted that private cloud offerings are secure, and in the unlikely event that the systems themselves are secure, don't assume you or your provider can run them in a more secure fashion than a "public" cloud provider could.&lt;br /&gt;
&lt;br /&gt;
Incidents like this go a long way towards realising one of &lt;a href="http://www.crn.com/hardware/222500171?pgno=10"&gt;my predictions&lt;/a&gt; for 2010 (or should I say &lt;a href="http://twitter.com/philww"&gt;@philww&lt;/a&gt;'s "&lt;a href="http://twitter.com/philww/status/7720391351"&gt;considered prediction&lt;/a&gt;") in that &lt;i&gt;&lt;b&gt;Private clouds will be discredited by year end&lt;/b&gt;&lt;/i&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update&lt;/b&gt;: Following Enomaly, Inc.'s CEO denying access to the source, a "Strategic Advisor and Board Member" downplayed the issues (below), once again claiming "&lt;i&gt;many of the items above have been addressed in [other] editions&lt;/i&gt;" and once again failing to provide any details or code for verification. Finally, the CTO &lt;a href="http://twitter.com/ruv/status/8623995916"&gt;tweeted&lt;/a&gt; "&lt;i&gt;Seriously, reviewing software you've never tried is like reviewing book you've never read or a movie you've never watched. #Fail&lt;/i&gt;" and promptly blocked me.&lt;br /&gt;
&lt;br /&gt;
Given Enomaly &lt;a href="http://www.informationweek.com/news/software/open_source/showArticle.jhtml?articleID=212002339"&gt;claimed to have 15,000 users&lt;/a&gt; some 18 months ago and 15,000 organisations more recently (both &lt;a href="http://www.enomaly.com/Company.411.0.html"&gt;officially&lt;/a&gt; and &lt;a href="http://www.elasticvapor.com/2009/04/announcing-enomaly-cloud-hosting.html"&gt;unofficially&lt;/a&gt;), if they're to be believed then that's a lot of people left high and dry by the outstanding vulnerabilities, not to mention their having pulled the source. It's also more than enough motivation to &lt;a href="http://samj.net/2010/02/announcing-openecp-open-elastic.html"&gt;announce the release&lt;/a&gt; of &lt;a href="http://www.openecp.org/"&gt;OpenECP: Open Elastic Computing Platform&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Whether the community run with it is yet to be seen but in any case it fills the void left by Enomaly ECP, throws stranded customers a lifeline and may just coax the company into being better behaved with respect to security issues and the open source community. Time will tell.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update&lt;/b&gt;: According to Secunia "&lt;i&gt;The vendor disputes the problems: reportedly, the vulnerable module is not used in any of their current products and was only used in the now unsupported 'Community Edition'&lt;/i&gt;". This conflicts with their "&lt;a href="http://www.enomaly.com/Administration-T.476.0.html"&gt;VM Repository Management&lt;/a&gt;" screencast which clearly shows both the offending VMcasting protocol &lt;u&gt;&lt;b&gt;and&lt;/b&gt;&lt;/u&gt; the offending insecure URLs in use in their commercial product:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_IxQkfsYwk8g/S4FhpskaUXI/AAAAAAAAAA4/octDp0vbVxk/s1600-h/enomaly-ecp-vmcasting-screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="428" src="http://3.bp.blogspot.com/_IxQkfsYwk8g/S4FhpskaUXI/AAAAAAAAAA4/octDp0vbVxk/s640/enomaly-ecp-vmcasting-screenshot.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-7604910184753942722?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=fFk-HPPMohk:9RDJipcftXg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=fFk-HPPMohk:9RDJipcftXg:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=fFk-HPPMohk:9RDJipcftXg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=fFk-HPPMohk:9RDJipcftXg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/fFk-HPPMohk" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-21T17:42:08.636+01:00</app:edited><media:thumbnail url="http://3.bp.blogspot.com/_IxQkfsYwk8g/S4FhpskaUXI/AAAAAAAAAA4/octDp0vbVxk/s72-c/enomaly-ecp-vmcasting-screenshot.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><enclosure url="http://opencloud.googlecode.com/svn/trunk/oci/ocp/open-cloud-principles.html" length="5673" type="application/xhtml+xml" /><media:content url="http://opencloud.googlecode.com/svn/trunk/oci/ocp/open-cloud-principles.html" fileSize="5673" type="application/xhtml+xml" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>It's ironic that the purveyors of "Private Cloud" sell their wares on the premise of enhanced privacy and security - a totally unjustified claim which is too often accepted without question - and that they are quick to dismiss the huge benefit of the armi</itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>It's ironic that the purveyors of "Private Cloud" sell their wares on the premise of enhanced privacy and security - a totally unjustified claim which is too often accepted without question - and that they are quick to dismiss the huge benefit of the armies of security boffins employed by "public" cloud vendors (whose future is largely dependent on keeping customer data safe). It's also very convenient for them that the term itself is disparaging of "public" cloud in the same way that "Blog With Integrity" badges imply that the rest of us are somehow unethical (one of the main reasons I personally have and will always dislike[d] it). It is with that in mind that I was intrigued by Reuven Cohen's announcement today regarding Enomaly, Inc. having recently joined the Intel Cloud Builder Program (whatever that is). 
It was these two quotes that I found particularly questionable regarding their Enomaly ECP product: Intel was among the first to full(sic) understand the opportunity in enabling a truly secure virtualized cloud computing environments(sic) for service providers and Telco's. Our work with the Intel Cloud Builder Program will help to accelerate our efforts to deliver a massively-scalable, highly-available, high-security cloud platform to our customers. The reason I'm naturally suspicious of such claims is that I've already discovered a handful of critical security vulnerabilities in this product (and that's without even having to look beyond the startup script - a secure-by-default turbogears component that was made insecure through inexplicable modifications): CVE-2008-4990 Enomaly ECP/Enomalism: Insecure temporary file creation vulnerabilities CVE-2009-0390: Argument injection vulnerability in Enomaly Elastic Computing Platform (ECP) Enomaly ECP/Enomalism: Multiple vulnerabilities in enomalism2.sh (redux) I had to dig a little (but not much) deeper for the silent update remote command execution vulnerability. I also inadvertently discovered another serious security vulnerability (sending corporate BestBuy credentials in the clear over the Internet to a 3rd party service), which as it turns out was also developed by Enomaly, Inc. It's only natural that I would be suspicious of any future security claims made by this company. It doesn't help my sentiment either that every last trace of the Open Source ECP Community Edition was recently scrubbed from the Internet without notice, leaving angry customers high and dry, purportedly pending the "rejigging [of their] OSS strategy". While my previous attempts to fork the product as Freenomalism failed when we were unable to get the daemon to start, having the code in any condition is better than not having it at all. 
In my opinion this is little more than blatantly (and successfully I might add) taking advantage of the Open Source community for as long as necessary to get the product into the limelight. Had they not filled this void others would certainly have done so, and the Open Cloud would be better off today as a result. As part of cloud standards work I was interested in taking a look at the "secure" mechanism they developed for distributing virtual machines: VMcasting is an automatic virtual machine deployment mechanism based on RSS2.0 whereby virtual machine images are transferred from a server to a client which securely delivers files containing a technical specification and virtual disk image.Another bold claim that initially appeared justified by a simple but relatively sensible embedding of crytpographically strong checksums into descriptor and manifest files that were in turn digitally signed using GPG. Unfortunately no consideration was given to the secure retrieval of the archive itself (nor the RSS feed listing the archives for that matter), nor were signatures actually required by the specification, meaning that it would be trivial for an attacker to insert their own unsigned packages and/or replace existing signed packages with modified, unsigned ones. 
Or replayi</itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2010/02/private-cloud-security-is-no-security.html</feedburner:origLink></item><item><title>Face it Flash, your days are numbered.</title><link>http://feedproxy.google.com/~r/samj/~3/MrdBeqDHE68/face-it-flash-your-days-are-numbered.html</link><category>cloud</category><category>standards</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:47:05 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-315636956353292086</guid><description>It's no secret that I'm no fan of &lt;a href="http://en.wikipedia.org/wiki/Adobe_Flash"&gt;Adobe Flash&lt;/a&gt;:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href="http://samj.net/2009/02/why-adobe-flash-penetration-is-more.html"&gt;Why Adobe Flash penetration is more like 50% than 99%&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://samj.net/2009/02/towards-flash-free-youtube-killer-was.html"&gt;Towards a Flash free YouTube killer (was: Adobe Flash penetration more like 50%)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://samj.net/2009/10/howto-fix-os-x-by-uninstalling-adobe.html"&gt;HOWTO: Fix OS X by uninstalling Adobe Flash&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;It should be no surprise then that I'm stoked to see a vigorous debate taking place about the future/fate of Flash well ahead of schedule, and even happier to see Flash sympathisers already resorting to desperate measures including "&lt;a href="http://www.wired.com/gadgetlab/2010/01/adobe-porn-flash/"&gt;playing the porn card&lt;/a&gt;" (not to mention &lt;a href="http://www.youtube.com/watch?v=odBDAcOEKuI"&gt;Farmville&lt;/a&gt; which, in addition to the myriad annoying, invasive and privacy-invading advertisements, I will also be more than happy to see extinct). In my mind this all but proves how dire their situation has become with the sudden onslaught of mobile devices deliberately absent flash malware*.&lt;br /&gt;
&lt;br /&gt;
Let's take a moment to talk about statistics. &lt;a href="http://www.readwriteweb.com/archives/analysts_predict_1_billion_mobile_web_users_by_2010.php"&gt;According to analysts&lt;/a&gt; there are currently "only" 1.3 billion Internet-connected PCs. To put that into context, there are already almost as many Internet-connected mobile devices. With a growth rate 2.5 times that of PCs, mobiles will soon become the dominant Internet access device. Of those new devices, few of them support Flash (think &lt;a href="http://en.wikipedia.org/wiki/Android_(operating_system)"&gt;Android&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/IPhone"&gt;iPhone&lt;/a&gt;), and with good reason - they are designed to be small, simple, performant and operate for hours/days between charges.&lt;br /&gt;
&lt;br /&gt;
As if that's not enough, companies with the power to make it happen would very much like for us to have a &lt;strong&gt;third&lt;/strong&gt; device that fills the void between the two - a &lt;a href="http://en.wikipedia.org/wiki/Netbook"&gt;netbook&lt;/a&gt; or a &lt;a href="http://en.wikipedia.org/wiki/Tablet_PC"&gt;tablet&lt;/a&gt; (like the iPad). For the most part (again being powered by Android and iPhone OS) these devices don't support Flash either. Even if we were to give Adobe the benefit of the doubt in accepting their &lt;s&gt;deceptive&lt;/s&gt;optimistic &lt;a href="https://www.adobe.com/products/player_census/flashplayer/"&gt;claims&lt;/a&gt; that Flash is currently "&lt;em&gt;reaching 99% of Internet-enabled desktops in mature markets&lt;/em&gt;" (for more on that subject see &lt;a href="http://www.ben-morris.com/lies-damned-lies-and-adobes-penetration-statistics-for-flash"&gt;Lies, damned lies and Adobe’s penetration statistics for Flash&lt;/a&gt;), between these two new markets it seems inevitable that their penetration rate will drop well below 50% real soon now.&lt;br /&gt;
&lt;br /&gt;
Here's the best part though, Flash penetration doesn't even have to drop below 50% for us to break the vicious cycle of designers claiming "99% penetration" and users then having to install Flash because so many sites arbitrarily depend on it (using Flash for navigation is a particularly heinous offense, as is using it for headings with fancy fonts). Even if penetration were to drop to 95% (I would argue it already has long ago, especially if you dispense with weasel wording like "mature markets" and even moreso if you do away with the arbitrary "desktop" restriction - talk about &lt;a href="http://en.wikipedia.org/wiki/Sampling_bias"&gt;sampling bias&lt;/a&gt;!) that translates to turning away 1 in 20 of your customers. At what point will merchants start to flinch - 1 in 10 (90%)? 1 in 5 (80%)? 1 in 4 (75%)? 1 in 2 (50%)?&lt;br /&gt;
&lt;br /&gt;
As if that's not enough, according to &lt;a href="http://riastats.com/#"&gt;Rich Internet Application Statistics&lt;/a&gt;, you would be losing some of your best customers - those who can afford to run Mac OS X (87% penetration) and Windows 7 (around 75% penetration) - not to mention those with iPhones and iPads (neither of which are the cheapest devices on the market). Oh yeah and you heard it right, &lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/S2YFcaY8hzI/AAAAAAAAAdk/vDycYKxVyy8/s1600-h/Screen%20shot%202010-01-31%20at%2011.30.13%20PM.png"&gt;according to them&lt;/a&gt;, Flash penetration on Windows 7 is an embarrassing 3 in 4 machines; even worse than &lt;s&gt;Sun&lt;/s&gt;Oracle Java (though ironically Microsoft's own Silverlight barely reaches 1 in 2 machines).&lt;br /&gt;
&lt;br /&gt;
While we're at it, at what point does it become "&lt;a href="http://www.wired.com/gadgetlab/2010/01/ipad-flash/"&gt;willful false advertising&lt;/a&gt;" for Adobe and their army of Flash designers to claim such deep penetration? Victims who pay $$lots for Flash-based sites only to discover from server logs that a surprisingly large percentage of users are being turned away have every reason to be upset, and ultimately to seek legal recourse. Why hasn't this already happened? Has it? In any case designers like "&lt;em&gt;Paul Threatt, a graphic designer at Jackson Walker design group, [who] has filed a complaint to the FTC alleging false advertising&lt;/em&gt;" ought to think twice before pointing the finger at Apple (accused in this case over a few mockups, briefly shown and since removed, in an iPad promo video).&lt;br /&gt;
&lt;br /&gt;
At the end of the day much of what is annoying about the web is powered by Flash. If you don't believe me then get a &lt;a href="http://getfirefox.com/"&gt;real&lt;/a&gt; &lt;a href="http://google.com/chrome"&gt;browser&lt;/a&gt; and install Flashblock (for &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/433"&gt;Firefox&lt;/a&gt; or &lt;a href="https://chrome.google.com/extensions/detail/gofhjkjmkpinhpoiabjplobcaignabnl"&gt;Chrome&lt;/a&gt;) or &lt;a href="http://clicktoflash.com/"&gt;ClickToFlash&lt;/a&gt; (for Safari) and see for yourself. You will be pleasantly surprised by the absence of annoyances as well as impressed by how well even an old computer can perform when not laden with this unnecessary parasite*. What is less obvious (but arguably more important) is that your security will dramatically improve as you significantly reduce your attack surface (while you're at it replace Adobe Reader with &lt;a href="http://www.foxitsoftware.com/pdf/reader/"&gt;Foxit&lt;/a&gt; and enjoy even more safety). As someone who has been largely &lt;a href="http://samj.net/2009/10/howto-fix-os-x-by-uninstalling-adobe.html"&gt;Flash-free for the last 3 months&lt;/a&gt; I can assure you life is better on the other side; in addition to huge performance gains I've had far fewer crashes since purging my machine - unsurprising given &lt;a href="http://www.wired.com/epicenter/2010/01/googles-dont-be-evil-mantra-is-bullshit-adobe-is-lazy-apples-steve-jobs/"&gt;according to Apple's Steve Jobs&lt;/a&gt;, "&lt;em&gt;Whenever a Mac crashes more often than not it’s because of Flash&lt;/em&gt;". "&lt;em&gt;No one will be using Flash, he says. The world is moving to &lt;a href="http://en.wikipedia.org/wiki/HTML5"&gt;HTML5&lt;/a&gt;.&lt;/em&gt;"&lt;br /&gt;
&lt;br /&gt;
So what can Adobe do about this now the horse has long since bolted? If you ask me, nothing. Dave Winer (another fellow who, like myself, "&lt;em&gt;very much care[s] about an open Internet&lt;/em&gt;") is somewhat more positive in posing the question &lt;a href="http://www.scripting.com/stories/2010/01/31/whatIfFlashWereAnOpenStand.html"&gt;What if Flash were an open standard?&lt;/a&gt; and suggesting that "&lt;em&gt;Adobe might want to consider, right now, very quickly, giving Flash to the public domain. Disclaim all patents, open source all code, etc etc.&lt;/em&gt;". Too bad it's not that simple so long as one of the primary motivations for using Flash is &lt;a href="http://blogs.zdnet.com/Stewart/?p=501"&gt;bundled proprietary codecs like H.264&lt;/a&gt; (which the MPEG LA have &lt;a href="http://lwn.net/Articles/371751/"&gt;made abundantly clear&lt;/a&gt; will not be open sourced so long as they hold [over 900!] essential patents over it).&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Update&lt;/strong&gt;: Mobile &lt;a href="http://www.biskero.org/?p=4526"&gt;Firefox Maemo RC3&lt;/a&gt; has disabled Flash because "&lt;em&gt;The Adobe Flash plugin used on many sites degraded the performance of the browser to the point where it didn’t meet Mozilla’s standards.&lt;/em&gt;" Sound familiar?&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Update&lt;/strong&gt;: Regarding the upcoming CS5 release which Adobe &lt;a href="http://labs.adobe.com/technologies/flashcs5/appsfor_iphone/"&gt;claims&lt;/a&gt; will "&lt;em&gt;let you publish ActionScript 3 projects to run as native applications for iPhone&lt;/em&gt;", this is not at all the same thing as the Flash plugin and will merely allow developers to create applications which suck more using a non-free SDK. No thanks. I'm unconvinced Apple will let such applications into the store anyway, citing performance concerns and/or the runtime rule.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Update&lt;/strong&gt;: I tend to agree with Steven Wei that &lt;a href="http://www.stevenwei.com/2010/01/31/the-best-way-for-adobe-to-save-flash-is-by-killing-it/"&gt;The best way for Adobe to save Flash is by killing it&lt;/a&gt;, but that doesn't mean it'll happen; in any case, if they wanted to do that they would have needed to start at least a year or two ago for the project to have any relevance, and it's clear that they're still busy flogging the binary plugin dead horse.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Update&lt;/strong&gt;: Another important factor I neglected to mention above is that Adobe already struggle to maintain up-to-date binaries for a small number of major platforms and even then Mac and Linux are apparently second and third class citizens. If they're struggling to manage the workload today then I don't see what will make it any easier tomorrow with the myriad Linux/ARM devices hitting the market (among others). Nor would they want to - if they target HTML5, CSS3, etc. as proposed above then they have more resources to spend on having the best development environment out there.&lt;br /&gt;
&lt;br /&gt;
&lt;small&gt;* You may feel that words like "parasite" and "malware" are a bit strong for Flash, but when you think about it Flash has all the necessary attributes; it consumes your resources, weakens your security and is generally annoying. In short, the cost outweighs any perceived benefits.&lt;/small&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:47:05.242+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">4</thr:total><feedburner:origLink>http://samj.net/2010/02/face-it-flash-your-days-are-numbered.html</feedburner:origLink></item><item><title>HOWTO: Set up OpenVPN in a VPS</title><link>http://feedproxy.google.com/~r/samj/~3/ic2Lb-u9qYs/howto-set-up-openvpn-in-vps.html</link><author>samj@samj.net (Sam Johnston)</author><pubDate>Tue, 05 Jan 2010 08:30:05 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-980191825112902945</guid><description>If, like me, you want to do any or all of the following things, you'll want to tunnel your traffic over a VPN to a remote location:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Access media services restricted by geography (Hulu, FOX, BBX, etc.)&lt;/li&gt;
&lt;li&gt;Bypass draconian censorship&lt;/li&gt;
&lt;li&gt;Conceal your identity/location/etc.&lt;/li&gt;
&lt;li&gt;Protect your machine from attackers&lt;/li&gt;
&lt;li&gt;etc.&lt;/li&gt;
&lt;/ul&gt;You could of course use a commercial service like &lt;a href="http://alwaysvpn.com/"&gt;AlwaysVPN&lt;/a&gt; in which case you typically pay ($5-10) per month or (~$1) per gigabyte, but many will prefer to run their own service. FWIW AlwaysVPN has worked very well for me but it's time to move on.&lt;br /&gt;
&lt;br /&gt;
First things first, you'll want to find yourself a remote Linux server, and the easiest way to do so is to rent a virtual private server (VPS) from one of a myriad providers. No point spending more than 10 bucks a month on it as you don't need much in the way of resources (only bandwidth). Check out &lt;a href="http://www.lowendbox.com/"&gt;lowendbox.com&lt;/a&gt; for VPS deals under $7/month or just run with a &lt;a href="https://www.burst.net/linvps.shtml"&gt;BurstNET VPS&lt;/a&gt; starting at $5.95/month for a very reasonable resource allocation (including a terabyte of bandwidth!).&lt;br /&gt;
&lt;br /&gt;
Once you've placed your order and passed their fraud detection systems (which includes an automated callback on the number you supply) you'll have to wait 12-24 hours for activation, upon which you'll receive an email with details for accessing your vePortal control panel as well as the VPS itself (via SSH). You'll get 2 IP addresses and I dedicated the second to both inbound and outbound traffic for VPN clients (which live on a 10.x RFC1918 subnet and reach the Internet via SNAT).&lt;br /&gt;
&lt;br /&gt;
If you didn't already do so when signing up then choose a sensible OS in your control panel ("OS Reload") like Ubuntu 8.04 - a Long Term Support release which means you'll be getting security fixes for years to come (until 2013 for the server edition) - or better yet, 10.04 if it's been released by the time you read this (it's the next LTS release, supported until 2015). Do an "apt-get install unattended-upgrades", make sure it's actually scheduled to run (APT::Periodic::Unattended-Upgrade "1"; in /etc/apt/apt.conf.d/20auto-upgrades) and you ought to be fairly safe for the life of the release. You're also going to need your TUN/TAP device(s) enabled which involves another trip to the control panel ("Enable Tun/Tap") and/or a helpdesk ticket (&lt;a href="http://support.burst.net/"&gt;http://support.burst.net/&lt;/a&gt;). If /dev/net/tun doesn't exist then you can create it with "mkdir -p /dev/net; mknod /dev/net/tun c 10 200".&lt;br /&gt;
&lt;br /&gt;
To install OpenVPN it's just a case of doing "apt-get install openvpn"... you could also download a free 2-user version of OpenVPN-AS from &lt;a href="http://openvpn.net/"&gt;http://openvpn.net/&lt;/a&gt; but I found it had problems trying to load netfilter modules that were already loaded so YMMV. If you want support or &amp;gt; 2 users you'll be looking at a very reasonable $5/user - you're on your own with the free/open source version but there are no such limitations either.&lt;br /&gt;
&lt;br /&gt;
OpenVPN uses PKI but rather than go to a certificate authority we'll set one up ourselves. EasyRSA is included to simplify this process so it's just a case of doing something like this:&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
. ./vars                          # export the KEY_* defaults (KEY_SIZE, KEY_DIR=./keys, ...)
./clean-all                       # empties ./keys - this destroys any existing CA!
./build-ca                        # CA key pair: keys/ca.key (keep private) and keys/ca.crt
./build-dh                        # Diffie-Hellman parameters, keys/dh${KEY_SIZE}.pem
openvpn --genkey --secret ta.key  # shared HMAC key for tls-auth; written to the current dir, not keys/
./build-key-server server         # server certificate, CN=server
./build-key client1               # one certificate per client, CN=client1 ...
./build-key client2
./build-key client3
&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
It'll ask you a bunch of superfluous information like your country, state, city, organisation, etc. but I just filled these out with '.' (blank rather than the defaults) - mostly so as not to give away information unnecessarily to anyone who asks. The only field that matters is the Common Name which you probably want to leave as 'server', 'client1' (or some other username like 'samj'), etc. When you're done here you'll want to "cp keys/* ta.key /etc/openvpn" so OpenVPN can see them (note that "openvpn --genkey" wrote ta.key to the current directory, not into keys/). Strictly speaking the server only needs ca.crt, server.crt, server.key, dh1024.pem and ta.key; ca.key is what signs new client certificates, so if you copy it across as well keep the original somewhere an attacker who compromises the VPS can't reach, and hand each client only its own .crt/.key plus ca.crt and ta.key.&lt;br /&gt;
&lt;br /&gt;
Next you'll want to configure the OpenVPN server and client(s) based on examples in /usr/share/doc/openvpn/examples/sample-config-files. I'm running two - one "Faster" one for the best performance when I'm on a "clean" connection (which uses udp/1194) and another "Compatible" one for when I'm on a restricted/corporate network (which shares tcp/443 with HTTPS). I did a "zcat server.conf.gz &amp;gt; /etc/openvpn/faster.conf" and edited it so it (when filtered with `cat faster.conf | grep -v "^#" |grep -v "^;" | grep -v "^$"`) looks something like this:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;local 173.212.x.x
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist faster-ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/faster-status.log
log-append /var/log/openvpn/faster.log
verb 3
mute 20&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
Noteworthy points:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;code&gt;local&lt;/code&gt; specifies which IP to bind to - I used the second (of two) that BurstNET had allocated to my VPS so as to keep the first for other servers, but you could just as easily use the first and then put clients behind the second, which would appear to be completely "clean".&lt;/li&gt;
&lt;li&gt;We're using "tun" (tunneling/routing) rather than "tap" (ethernet bridging) because BurstNET use venet interfaces, which lack MAC addresses, &lt;a href="http://openvpn.net/index.php/access-server/howto-openvpn-as/186-how-to-run-access-server-on-a-vps-container.html"&gt;rather than veth&lt;/a&gt;. I wasn't able to get bridging up and running, as originally intended.&lt;/li&gt;
&lt;li&gt;There are &lt;a href="http://openvpn.net/index.php/open-source/documentation/howto.html#security"&gt;various hardening options&lt;/a&gt; but to keep it simple I just run as nobody:nogroup and use tls-auth (having generated the optional ta.key with "openvpn --genkey --secret ta.key" above).&lt;/li&gt;
&lt;li&gt;Pushing &lt;a href="http://code.google.com/speed/public-dns/"&gt;Google Public DNS&lt;/a&gt; addresses to clients as they won't be able to use their local resolver addresses once connected. Also telling them to route all traffic over the VPN (which would otherwise only intercept traffic for a remote network).&lt;/li&gt;
&lt;li&gt;Configured separate log files and subnets (10.8.0.0/24 and 10.9.0.0/24) for the "faster" and "compatible" instances.&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
The "compatible.conf" file varies only with the following lines:&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;port 443
proto tcp
server 10.8.0.0 255.255.255.0
status /var/log/openvpn/compatible-status.log
log-append /var/log/openvpn/compatible.log&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
Next you'll want to copy over client.conf from /usr/share/doc/openvpn/examples/sample-config-files (but set 'AUTOSTART="compatible faster"' in /etc/default/openvpn so it's ignored by the init scripts).&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;client
dev tun
proto udp
remote 173.212.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca burstnet-ca.crt
cert burstnet-client.crt
key burstnet-client.key
ns-cert-type server
tls-auth burstnet-ta.key 1
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA
cipher BF-CBC
comp-lzo
verb 3&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
As I've got a bunch of different connections on my clients I've prepended "burstnet-" to all the files and called the main config files "BurstNET-Faster.conf" and "BurstNET-Compatible.conf" (which appear in the Tunnelblick menu on OS X as "BurstNET-Faster" and "BurstNET-Compatible" respectively - thanks to AlwaysVPN for this idea). The only difference for BurstNET-Compatible.conf is:&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;proto tcp
remote 173.212.x.x 443&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
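As an added example that is not part of the original post, here is a small Python linter over the kind of configs listed above: it parses a server or client config the way the grep pipeline filters it, flags a malformed cipher line (OpenVPN takes exactly one argument there, so something like "cipher tls-cipher ..." is rejected), a tls-auth key direction that does not match the side, Blowfish (a 64-bit block cipher) and DH parameters below 2048 bits, and checks that every "server" subnet has a matching SNAT rule in before.rules. The sample configs are constructed from the post's listings with its 173.212.x.x placeholder; the Blowfish and DH thresholds reflect guidance that postdates the post.

```python
import ipaddress
import re

# Constructed samples condensed from the post's configs; the post's
# "173.212.x.x" placeholder is kept and nothing here connects anywhere.
FASTER_CONF = """\
local 173.212.x.x
port 1194
proto udp
dh dh1024.pem
server 10.9.0.0 255.255.255.0
client-to-client
tls-auth ta.key 0
cipher BF-CBC
user nobody
group nogroup
"""
CLIENT_CONF = """\
client
remote 173.212.x.x 1194
ns-cert-type server
tls-auth burstnet-ta.key 1
cipher tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA
cipher BF-CBC
"""
BEFORE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 173.212.x.x
-A POSTROUTING -s 10.9.0.0/255.255.255.0 -j SNAT --to-source 173.212.x.x
COMMIT
"""


def parse_ovpn(text):
    """Split a config into (directive, args) pairs, dropping '#'/';' comments
    and blank lines, i.e. what the post's grep pipeline leaves behind."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in '#;':
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def lint_ovpn(text, role):
    """Return a list of findings; role is 'server' or 'client'."""
    seen = {}
    for name, args in parse_ovpn(text):
        seen.setdefault(name, []).append(args)
    findings = []
    for args in seen.get('cipher', []):
        if len(args) != 1:
            # e.g. a stray word before "tls-cipher": OpenVPN rejects the line
            findings.append('cipher: expects one argument, got %d' % len(args))
        elif args[0].upper().startswith('BF-'):
            findings.append('cipher: %s is Blowfish, a 64-bit block cipher' % args[0])
    ta = seen.get('tls-auth')
    if not ta:
        findings.append('tls-auth: missing (no HMAC check before the TLS handshake)')
    else:
        want = '0' if role == 'server' else '1'   # key direction per side
        if len(ta[0]) == 2 and ta[0][1] != want:
            findings.append('tls-auth: key direction should be %s on the %s' % (want, role))
    if role == 'server':
        for args in seen.get('dh', []):
            m = re.search(r'(\d+)', args[0])
            if m and int(m.group(1)) // 2048 == 0:   # fewer than 2048 bits
                findings.append('dh: %s is below 2048 bits' % args[0])
        if 'user' not in seen or 'group' not in seen:
            findings.append('user/group: daemon keeps root privileges after startup')
        if 'client-to-client' in seen:
            findings.append('client-to-client: VPN clients can reach each other')
    elif 'remote-cert-tls' not in seen and 'ns-cert-type' not in seen:
        findings.append('client does not check that the peer cert is a server cert')
    return findings


def missing_snat(before_rules, *config_texts):
    """VPN subnets from 'server NET MASK' lines that before.rules does not
    SNAT, so their packets would leave the VPS with a private source."""
    vpn = set()
    for text in config_texts:
        for name, args in parse_ovpn(text):
            if name == 'server' and len(args) == 2:
                vpn.add(ipaddress.ip_network('%s/%s' % (args[0], args[1])))
    pat = re.compile(r'^-A POSTROUTING -s (\S+) -j SNAT')
    snat = set()
    for line in before_rules.splitlines():
        m = pat.match(line.strip())
        if m:
            snat.add(ipaddress.ip_network(m.group(1)))
    return vpn - snat


if __name__ == '__main__':
    print(lint_ovpn(FASTER_CONF, 'server'), lint_ovpn(CLIENT_CONF, 'client'))
    print('no SNAT:', missing_snat(BEFORE_RULES, FASTER_CONF))
```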
You're now almost ready for the smoke test (and indeed should be able to connect) but you'll end up on a 10.x subnet and therefore unable to communicate with anyone. The fix is "&lt;code&gt;iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 173.212.x.x&lt;/code&gt;" (where the source IP is one of those allocated to you).&lt;br /&gt;
&lt;br /&gt;
Being paranoid though I want to lock down my server with a firewall, which for Ubuntu typically means &lt;code&gt;ufw&lt;/code&gt; (you'll need to "&lt;code&gt;apt-get install ufw&lt;/code&gt;" if you haven't already). My ufw rules look something like this:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;# ufw status
Status: active

To                         Action  From
--                         ------  ----
Anywhere                   ALLOW   1.2.3.4
1194/udp                   ALLOW   Anywhere
443/tcp                    ALLOW   Anywhere&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
The first rule allows me to access the server from home via SSH and 1194/udp and 443/tcp allow VPN clients in. To allow the clients to access the outside world we're going to have to rewrite their traffic to come from a public IP (which is called "SNAT"), but first you'll want to enable forwarding by setting &lt;code&gt;DEFAULT_FORWARD_POLICY="ACCEPT"&lt;/code&gt; in /etc/default/ufw. Then it's just a case of adding something like this to /etc/ufw/before.rules:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# SNAT traffic from VPN subnet.
-A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source 173.212.x.x
-A POSTROUTING -s 10.9.0.0/255.255.255.0 -j SNAT --to-source 173.212.x.x

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;
You may need to enable UFW ("ufw enable") and if you lose access to your server you can always disable UFW ("ufw disable") using the rudimentary "Console" function of vePortal.&lt;br /&gt;
&lt;br /&gt;
On the client side you've got support for (at least) Linux (e.g. "&lt;code&gt;openvpn --config /etc/openvpn/BurstNET-Faster.conf&lt;/code&gt;"), Mac and Windows and there's &lt;a href="http://openvpn.net/index.php/open-source/documentation/graphical-user-interface.html"&gt;various GUIs&lt;/a&gt; (including &lt;a href="http://openvpn.se/"&gt;OpenVPN GUI&lt;/a&gt; for Windows and &lt;a href="http://www.tunnelblick.net/"&gt;Tunnelblick&lt;/a&gt; for Mac OS X). I'm (only) using Tunnelblick, and after copying Tunnelblick.app to /Applications I just need to create a ~/Library/openvpn directory and drop these files in there:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;BurstNET-Compatible.conf&lt;/li&gt;
&lt;li&gt;BurstNET-Faster.conf&lt;/li&gt;
&lt;li&gt;burstnet-ca.crt&lt;/li&gt;
&lt;li&gt;burstnet-client.key&lt;/li&gt;
&lt;li&gt;burstnet-client.crt&lt;/li&gt;
&lt;li&gt;burstnet-ta.key&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
When Tunnelblick's running I have a little black tunnel symbol in the top right corner of my screen from which I can connect &amp;amp; disconnect as necessary.&lt;br /&gt;
&lt;br /&gt;
I think that's about it - hopefully there's nothing critical I've missed but feel free to follow up in the comments if you've anything to add. I'm now happily streaming from Hulu and Fox in the US, downloading Amazon MP3s (using my US credit card), and have a reasonable level of anonymity. If I was in Australia I'd have little to fear from censorship (and there's virtually nothing they can do to stop me) and as my machine has a private IP I'm effectively firewalled.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=ic2Lb-u9qYs:g4frLyIDxCA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=ic2Lb-u9qYs:g4frLyIDxCA:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=ic2Lb-u9qYs:g4frLyIDxCA:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=ic2Lb-u9qYs:g4frLyIDxCA:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/ic2Lb-u9qYs" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-01-05T17:30:05.957+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">9</thr:total><feedburner:origLink>http://samj.net/2010/01/howto-set-up-openvpn-in-vps.html</feedburner:origLink></item><item><title>NoSQL "movement" roadblocks HTML5 WebDB</title><link>http://feedproxy.google.com/~r/samj/~3/dA_2fOb1U9I/nosql-roadblocks-html5-webdb.html</link><author>samj@samj.net (Sam Johnston)</author><pubDate>Mon, 28 Dec 2009 01:26:55 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-5776907361574774460</guid><description>Today's rant is coming between me and a day of skiing so I'll keep it brief. While trying to get to the bottom of why I can't enjoy offline access to Google Apps &amp;amp; other web-based applications &lt;a href="http://code.google.com/p/gears/issues/detail?id=847"&gt;with Gears on Snow Leopard&lt;/a&gt; I came across a post noting &lt;a href="http://blog.futtta.be/2009/11/18/"&gt;Chrome, Opera to support html5 webdb, FF &amp;amp; IE won’t&lt;/a&gt;. This seemed curious as HTML5 is powering on towards last call and there are already multiple implementations of both applications and clients that run them. Here's where we're at:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Opera: "At opera, we implemented web db [...] it’s likely we will [ship it] as people have built on it"&lt;/li&gt;
&lt;li&gt;Google [Chrome]: "We’ve implemented WebDB … we’re about to ship it"&lt;/li&gt;
&lt;li&gt;Microsoft [IE]: "We don’t think we’ll reasonably be able to ship an interoperable version of WebDB"&lt;/li&gt;
&lt;li&gt;Mozilla [Firefox]: "We’ve talked to a lot of developers, the feedback we got is that we really don’t want SQL [...] I don’t think mozilla plans to ship it."&lt;/li&gt;
&lt;/ul&gt;Of these, Microsoft's argument (aside from being disproven by existing interoperable implementations) can be summarily dismissed because offline web applications are a direct competitor to desktop applications and therefore Windows itself. As if that's not enough, they have their own horse in this race that they don't have to share with anyone in the form of Silverlight. As such it's completely understandable (however lame) for them to spread interoperability FUD about competing technology.&lt;br /&gt;
&lt;br /&gt;
Mozilla's argument that "we really don't want SQL" is far more troublesome and &lt;a href="http://blog.vlad1.com/2009/04/06/html5-web-storage-and-sql/"&gt;posts like this&lt;/a&gt; follow an increasingly common pattern:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;Someone proposes SQL for something (given we've got 4 decades of experience with it)&lt;/li&gt;
&lt;li&gt;Religious zealots trash talk SQL, offering a dozen or so NoSQL alternatives (all of which are in varying stages of [early] development)&lt;/li&gt;
&lt;li&gt;"My NoSQL db is bigger/better/faster than yours" debate ensues&lt;/li&gt;
&lt;li&gt;Nobody does anything&lt;/li&gt;
&lt;/ol&gt;Like it or not, SQL is a sensible database interface for web applications today. It's used almost exclusively on the server side already (except perhaps for the largest of sites, and even these tend to use SQL for some components) so developers are very well equipped to deal with it. It has been proven to work (and work well) by demanding applications including Gmail, Google Docs and Google Calendar, and is anyway independent of the underlying database engine. Ironically work has already been done to provide SQL interfaces to "NoSQL" databases (which just goes to show the "movement" completely misses the point) so those who really don't like SQLite (which happens to drive most implementations today) could conceivably create a drop-in replacement for it. Indeed power users like myself would likely appreciate a browser with embedded MySQL as a differentiating feature.&lt;br /&gt;
&lt;br /&gt;
In any case the API [cs]hould be versioned so we can offer alternatives like &lt;a href="http://dev.w3.org/2006/webapi/WebSimpleDB/"&gt;WebSimpleDB&lt;/a&gt; in the future. Right now though the open web is being held back by outdated standards and proprietary offerings controlled by single vendors (e.g. Adobe's AIR and Microsoft's Silverlight) are lining up to fill in the gap. Those suggesting "it's worth stepping back" because "there are other options that should be considered" which "might serve those needs better" would want to take a long, hard look at whether their proposed alternatives are really ready for prime time, or indeed even necessary. To an outsider trying to solve real business problems today a lot of it looks like academic wankery.&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=dA_2fOb1U9I:SKSGTtV_4mg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=dA_2fOb1U9I:SKSGTtV_4mg:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=dA_2fOb1U9I:SKSGTtV_4mg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=dA_2fOb1U9I:SKSGTtV_4mg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/dA_2fOb1U9I" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-28T10:26:55.877+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://samj.net/2009/12/nosql-roadblocks-html5-webdb.html</feedburner:origLink></item><item><title>Press Release: Cloud computing consultancy condemns controversial censorship conspiracy</title><link>http://feedproxy.google.com/~r/samj/~3/TUWImbDFYr0/press-release-cloud-computing.html</link><category>censorship</category><category>cloud</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Tue, 22 Dec 2009 23:19:31 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-5880197050176953167</guid><description>&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;SYDNEY, 24 December 2009: Sydney-based Australian Online Solutions today condemned the government's plans to introduce draconian Internet censorship laws in Australia.&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Senator Stephen Conroy (Minister for Broadband, Communications and the Digital Economy) recently announced the introduction of mandatory Internet Service Provider (ISP) level filtering of Refused Classification (RC)-rated content as well as grants to encourage ISPs to filter wider categories of content. This would require the implementation of complicated, expensive and unreliable, yet trivially circumvented filtering technology at the cost of the taxpayer and Internet user, despite a strong message having been sent that this is both unwanted and unwarranted. Reader polls conducted by the Sydney Morning Herald and The Age newspaper showed a staggering 95% of some 25,000 readers reject the federal government's plans to censor the Internet in Australia, on the basis that it impinges on their freedom. "There are better and safer ways to tackle the problem, such as educating parents, teachers and children, offering customisable filtering as a value-added option and improving law enforcement (including cooperation with other countries)" said Sam Johnston, Australian Online Solutions' Founder &amp;amp; CTO.&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;The full frontal assault on civil liberties aside, Australian Online Solutions has also raised some serious technical concerns about the program. "At a time when individuals and businesses are looking to shed expensive legacy systems in favour of cheap, scalable Internet based services, any action which can only impair performance and reliability while threatening to strangle Australia's connectivity with the outside world calls for extensive justification", said Johnston. "Cloud computing, which delivers computing services over the Internet on a utility basis - like electricity - gives its users a significant advantage over competitors. However web-based applications such as Facebook, Gmail, Hotmail and Twitter are extremely sensitive to bandwidth and latency constraints introduced by censorship technology", added Johnston. "The proposed law threatens to exclude Australia from this large and growing industry altogether, both as provider and consumer, at a time when it could emerge as a market leader. Would you buy an Internet-based service from China or Iran, or even use one if you were based there?". Analysts Merrill Lynch and Gartner estimate the cloud computing market to reach $175 billion in the coming years.&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Trials commissioned by Senator Conroy and conducted by "highly reputable and independent testing company" Enex Testlab were also called into question, on both technical and conflict of interest bases. Enex Testlab, a supplier of "independent" evaluation, purchasing advice and product review services, boasts a corporate client list with over a dozen vendors of filtering technology including Content Keeper Technologies, Content Watch and Internet Sheriff Technology (accounting for around one quarter of all clients listed) and offers formal certification for content filters. As such it is believed they have strong motivation to avoid releasing a report directly or indirectly critical of their clients' offerings.&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Furthermore, the scope of the testing was artificially constrained, critical controls (such as connection consistency) were missing and success criteria were poorly defined or non-existent from the outset, in a trial that appears to be a manufactured success. Nonetheless unflattering results which highlighted serious deficiencies in the proposal were disingenuously touted by Senator Conroy as showing "100 percent accuracy" with "negligible impact on internet speed".&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Other problems with the fatally flawed and heavily criticised report include:&lt;br /&gt;
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Proof that "a technically competent user could circumvent the filtering technology"&amp;nbsp;while "circumvention prevention measures can result in greater degradation of&amp;nbsp;internet performance".&lt;/li&gt;
&lt;li&gt;Admission that all filters were "not effective in the case of non-web based protocols&amp;nbsp;such as instant messaging, peer-to-peer or chat rooms".&lt;/li&gt;
&lt;li&gt;False positive rates (over-blocking of legitimate/innocuous content) of up to 3.4%&amp;nbsp;(over 5.1 billion pages per Internet Archive estimates) with failure rates as high as&amp;nbsp;2% (3 billion pages) considered "low".&lt;/li&gt;
&lt;li&gt;False negative rates (passing of inappropriate content) exceeding 20% (over 30&amp;nbsp;billion pages) with failure rates as high as 30% considered "reasonable by industry standards" (45 billion pages).&lt;/li&gt;
&lt;li&gt;Admission that 100% accuracy is "unlikely to be achieved" and that the false&amp;nbsp;positive rate increases with sensitivity, with no attempt to scientifically determine&amp;nbsp;acceptable failure rates.&lt;/li&gt;
&lt;li&gt;Faults being perceptible to end users, with some customers reporting "over-blocking&amp;nbsp;and/or under-blocking of content during the pilot" while considering "mechanisms for self-management" and "improved visibility of the filter in action" to be "important".&lt;/li&gt;
&lt;li&gt;Unjustified assumptions including that "performance impact is minimal if between 10 and 20 percent", while at least one system "displayed a noticeable performance impact". Some customers "believe they experienced some speed degradation".&lt;/li&gt;
&lt;li&gt;Admission of "uncontrollable variables", including ones that could result in "40 percent performance degradation over theoretical maximum line-rate, or more in some cases", even at speeds less than 1/12 that of the proposed National Broadband Network (NBN).&lt;/li&gt;
&lt;li&gt;Admission that reliable recognition of IP addresses to be filtered is unreliable (indeed often impossible), particularly for large-scale websites that use load balancing (e.g. most cloud computing solutions).&lt;/li&gt;
&lt;li&gt;Results that were "irregular/incorrect" and "highly anomalous with reasonable expectations" (such as physically impossible improvements in performance when transferring encrypted, random payloads).&lt;/li&gt;
&lt;li&gt;Complete absence of quantitative cost analysis (e.g. what financial load will be borne by both the taxpayer and Internet subscriber, both up front and on an ongoing basis), as well as any secondary costs such as decreased efficiency.&lt;/li&gt;
&lt;li&gt;Overall results indicating that 1 in 5 customers' needs were not met, with 1 in 3 opting out of continued use of the filtered service.&lt;/li&gt;
&lt;/ul&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;In addition to contacting local representatives, Australian Online Solutions encourages concerned individuals and businesses to join and support organisations including Electronic Frontiers Australia (EFA), GetUp and The Pirate Party Australia. The immediate availability of a limited number of sponsorships for founding members of The Pirate Party Australia is also announced for those who want to get involved but, for whatever reason, cannot afford the membership fees in this difficult economic environment. To take advantage of this opportunity please contact&amp;nbsp;&lt;a href="mailto:membership@pirateparty.org.au"&gt;membership@pirateparty.org.au&lt;/a&gt;&amp;nbsp;with a brief explanation of your situation.&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;"Anyone who cares about their future and that of their children and grandchildren should take action now", said Johnston, who applied to both The Pirate Party Australia and Electronic Frontiers Australia (EFA) in response to Senator Conroy's announcement. "The government's gift to us this Christmas was draconian censorship, so let's return the favour in helping The Pirate Party Australia attain official status by acquiring 500 exclusive members".&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;###&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;b&gt;About Australian Online Solutions Pty Ltd&lt;/b&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Australian Online Solutions is a boutique consultancy that specialises in cloud computing solutions for large enterprise, government and education clients throughout Australia, Europe and the USA. Founded in 1998, Australian Online Solutions has over a decade of experience delivering next generation Internet-based systems and is a pioneer in the cloud computing space, whereby technology previously delivered as hardware and software products are delivered as services over the Internet. Cloud computing is Internet ('cloud') based development and use of computer technology ('computing'). For more information refer to&amp;nbsp;&lt;a href="http://www.aos.net.au/"&gt;http://www.aos.net.au/&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;b&gt;About The Pirate Party Australia&lt;/b&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;The Pirate Party Australia (&lt;a href="http://www.pirateparty.org.au/"&gt;http://www.pirateparty.org.au/&lt;/a&gt;) is a political party with a serious platform of intellectual property law reform and protection of privacy rights and freedom of speech. The Pirate Party Australia aims to protect civil liberties and promote culture and innovation, primarily through:&lt;br /&gt;
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Decriminalisation of non-commercial copyright infringement&lt;/li&gt;
&lt;li&gt;Protection of freedom of speech rights&lt;/li&gt;
&lt;li&gt;Protection of privacy rights&lt;/li&gt;
&lt;li&gt;Opposition to internet censorship&lt;/li&gt;
&lt;li&gt;Support for an R18+ rating for games&lt;/li&gt;
&lt;li&gt;Reforming the life + 70 years copyright length&lt;/li&gt;
&lt;li&gt;Providing parents with the tools to run their own families.&lt;/li&gt;
&lt;/ul&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;b&gt;About Electronic Frontiers Australia (EFA)&lt;/b&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Electronic Frontiers Australia (EFA) is a non-profit national organisation representing Internet users concerned with on-line freedoms and rights. The EFA is the organisation responsible for the "No Clean Feed" (http://nocleanfeed.com/) grassroots movement to stop Internet censorship in Australia. They are also dealing with related issues such as the Anti-Counterfeiting Trade Agreement (ACTA) and censorship of computer games. Individual memberships start at $27.50 and organisational memberships are available. For more information refer to&amp;nbsp;&lt;a href="http://www.efa.org.au/"&gt;http://www.efa.org.au/&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;b&gt;About GetUp&lt;/b&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;GetUp is an independent, grass-roots community advocacy organisation that is actively tackling this and other pertinent issues including climate change. For more information about how to get involved refer to&amp;nbsp;&lt;a href="http://www.getup.org.au/"&gt;http://www.getup.org.au/&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;b&gt;About Sam Johnston&lt;/b&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Sam Johnston, Australian Online Solutions' Founder and CTO, is a prominent blogger on cloud computing, security and open source topics. He maintains a blog at&amp;nbsp;&lt;a href="http://samj.net/"&gt;http://samj.net/&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Press Contact:&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Sam Johnston &amp;lt;&lt;a href="mailto:sam.johnston@aos.net.au"&gt;sam.johnston@aos.net.au&lt;/a&gt;&amp;gt; +61 2 8898 9090 (pager)&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;Australian Online Solutions Pty Ltd&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;a href="http://www.aos.net.au/"&gt;http://www.aos.net.au/&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;For the latest version of this release please refer to&amp;nbsp;&lt;/i&gt;&lt;a href="http://tinyurl.com/cloudcensor"&gt;&lt;i&gt;http://tinyurl.com/cloudcensor&lt;/i&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-5880197050176953167?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=TUWImbDFYr0:HYGCKPu7-0o:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=TUWImbDFYr0:HYGCKPu7-0o:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=TUWImbDFYr0:HYGCKPu7-0o:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=TUWImbDFYr0:HYGCKPu7-0o:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/TUWImbDFYr0" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-23T08:19:31.303+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://samj.net/2009/12/press-release-cloud-computing.html</feedburner:origLink></item><item><title>A word on the Australian Internet censorship scandal</title><link>http://feedproxy.google.com/~r/samj/~3/WpqJZFuyu4w/word-on-australian-internet-censorship.html</link><category>censorship</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Wed, 16 Dec 2009 22:29:35 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-1948527865897587199</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_rMN9gaLa47A/SynPs4oGNgI/AAAAAAAAAU4/nx9q7K52QWo/s1600-h/gizmodo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="265" src="http://2.bp.blogspot.com/_rMN9gaLa47A/SynPs4oGNgI/AAAAAAAAAU4/nx9q7K52QWo/s400/gizmodo.jpg" width="400" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;I've had a quick scan over &lt;a href="http://en.wikipedia.org/wiki/Stephen_Conroy"&gt;Senator Stephen Conroy&lt;/a&gt;'s&amp;nbsp;&lt;a href="http://www.dbcde.gov.au/funding_and_programs/cybersafety_plan/internet_service_provider_isp_filtering/isp_filtering_live_pilot"&gt;infamous, long-awaited report&lt;/a&gt;&amp;nbsp;on the efficacy of current Internet filtering technology and find it to be nothing short of scandalous. Without getting into the nitty gritty details (for example, how a filtering solution can achieve the impossible by &lt;b&gt;improving&lt;/b&gt;&amp;nbsp;rather than degrading the performance of encrypted, random transfers), it reads like it's a whitepaper for one of the various purveyors of censorship technology.&lt;br /&gt;
&lt;br /&gt;
The cynic in me insisted I take a quick look at who these &lt;a href="http://www.testlab.com.au/"&gt;Enex Pty Ltd&lt;/a&gt; jabbers are anyway - who knows, they could be an industry lobby group for all we know.&amp;nbsp;Sure enough, a quick look at their &lt;a href="http://www.testlab.com.au/web/guest/corporate"&gt;corporate client list&lt;/a&gt; reveals&amp;nbsp;(based on some quick Google searching)&amp;nbsp;&lt;b&gt;over a dozen companies who make a living selling commercial censorship technology&lt;/b&gt;:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Anthology Solutions&lt;/li&gt;
&lt;li&gt;Content Keeper Technologies&lt;/li&gt;
&lt;li&gt;Content Watch&lt;/li&gt;
&lt;li&gt;F-Secure Corporation&lt;/li&gt;
&lt;li&gt;Internet Sheriff Technology&lt;/li&gt;
&lt;li&gt;Manaccom&lt;/li&gt;
&lt;li&gt;MessageLabs&lt;/li&gt;
&lt;li&gt;NetBox Blue&lt;/li&gt;
&lt;li&gt;Netgear&lt;/li&gt;
&lt;li&gt;Netsweeper&lt;/li&gt;
&lt;li&gt;PC Tools Software&lt;/li&gt;
&lt;li&gt;Raritan (?)&lt;/li&gt;
&lt;li&gt;Secure Computing Corporation (McAfee)&lt;/li&gt;
&lt;li&gt;Symantec&lt;/li&gt;
&lt;li&gt;Trend Micro&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;To put things in perspective, this represents around &lt;b&gt;a quarter of their published client list&lt;/b&gt;, and that's not including half a dozen or so service providers that could arguably be thrown in with this bunch.&amp;nbsp;Who in their right mind would risk upsetting one in four of their paying customers by writing a report critical of their products? And does anyone really believe that these vendors resisted the urge to apply pressure? Or that there were not personal relationships involved? I don't, not for a second. In my opinion this report was rigged from the outset to succeed, and in doing so deprive Australians of essential civil liberties.&lt;br /&gt;
&lt;br /&gt;
The report itself is fatally flawed; the error margins are significant (e.g. "a conservative&lt;br /&gt;
+/-10 percent"), critical controls were missing&amp;nbsp;(e.g. "as much as 40 percent of an internet service performance could be lost [due to factors outside of our control]"), outrageous assumptions were used (e.g. "performance impact is considered minimal if between 10 and 20 percent") and perhaps most importantly of all, its creator has an obvious conflict of interest. I don't consider it to be worth the paper it's [not] printed on.&lt;br /&gt;
&lt;br /&gt;
Another deeply concerning development is &lt;a href="http://www.itnews.com.au/News/162958,government-ignores-enex-warning-on-over-blocking.aspx"&gt;government grants&lt;/a&gt; that would encourage ISPs to go beyond the mandatory filters, despite all censorship systems tested reporting 2.5-3.5% false positive rates (that is, where innocuous/legitimate content is filtered). To put that in perspective, &lt;b&gt;the best part of a billion legitimate pages would be improperly filtered&lt;/b&gt; (according to &lt;a href="http://en.wikipedia.org/wiki/World_Wide_Web"&gt;Wikipedia stats&lt;/a&gt;), or &lt;b&gt;around 1 page in 30&lt;/b&gt;.&lt;br /&gt;
&lt;br /&gt;
Speaking of Wikipedia, many of the systems are hybrid, which means that hosts known to be clean would be passed through untouched on the basis of their IP address (which is much more efficient). If, however, even a single page were problematic then the entire site (and all others sharing its IPs) would be forced through a filtering proxy. This would affect some of the most popular sites on the Internet (such as Wikipedia and YouTube), not to mention other increasingly useful services like WikiLeaks (no doubt silencing such services is seen as a fringe benefit to our self-appointed censors). Need I remind you that similar filters in Britain &lt;a href="http://www.theregister.co.uk/2008/12/07/brit_isps_censor_wikipedia/"&gt;caused severe problems for Wikipedia&lt;/a&gt; over a single CD cover only last year.&lt;br /&gt;
&lt;br /&gt;
Another consideration that has not been covered anywhere near enough is the performance impact on cloud computing services. Web interfaces like Facebook, Twitter and Gmail are extremely sensitive to latency introduced by proxies and raw computing services like Amazon's S3 are sensitive to bandwidth limitations. Then you have the problem of platforms like Google App Engine, Google Sites &amp;amp; Microsoft Web Office which are both difficult to identify (they have many IPs which are not disclosed and difficult if not impossible to enumerate) and which host content for a massive number of customers. If even one person shares a document deemed obnoxious to their sensibilities then the performance will be reduced to unacceptable levels for everyone until it is removed (and then some).&lt;br /&gt;
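&lt;br /&gt;
As an added illustration, not part of the original post: a toy Python model of the hybrid behaviour described above. One listed URL taints every IP of its host, and every other host sharing those IPs (the rest of Wikipedia, the other tenants of a shared platform) gets dragged through the proxy with it. Host names and addresses are constructed for the example (RFC 5737 documentation ranges), not the trial's blacklist or real DNS data.&lt;br /&gt;

```python
"""Toy model of the 'hybrid' filter described above.

Traffic to an IP that hosts no blacklisted URL is passed straight through;
as soon as one URL on a host is listed, every request to every host that
shares that host's IPs is diverted through the filtering proxy.
"""

# Constructed sample data: hypothetical host names and RFC 5737 documentation
# addresses, not the trial's real blacklist or any real DNS records.
DNS = {
    "en.wikipedia.test": ["192.0.2.10"],
    "fr.wikipedia.test": ["192.0.2.10"],                      # same front-end IP as en.
    "blog.example.test": ["192.0.2.20"],
    "tenant-a.apps.test": ["198.51.100.5", "198.51.100.6"],   # multi-tenant platform
    "tenant-b.apps.test": ["198.51.100.6", "198.51.100.7"],   # shares one IP with tenant-a
    "news.test": ["203.0.113.1"],
}

BLACKLIST = {
    "http://en.wikipedia.test/wiki/Disputed_image",   # one page on a large site
    "http://tenant-a.apps.test/shared/doc1",          # one tenant's shared document
}


def hostname(url):
    """Host part of an http URL (enough for the toy model)."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0]


def proxied_ips(blacklist, dns):
    """Every IP that serves at least one blacklisted URL."""
    ips = set()
    for url in blacklist:
        ips.update(dns.get(hostname(url), []))
    return ips


def route(host, blacklist, dns):
    """'proxy' if any of the host's IPs is tainted, else 'direct' (IP pass-through)."""
    tainted = proxied_ips(blacklist, dns)
    if any(ip in tainted for ip in dns.get(host, [])):
        return "proxy"
    return "direct"


def collateral(blacklist, dns):
    """Hosts pushed through the proxy although none of their own URLs is listed.

    Returns {host: [shared IPs that caused it]}.
    """
    listed = {hostname(u) for u in blacklist}
    tainted = proxied_ips(blacklist, dns)
    hit = {}
    for host, ips in dns.items():
        shared = sorted(ip for ip in ips if ip in tainted)
        if shared and host not in listed:
            hit[host] = shared
    return hit


if __name__ == "__main__":
    for host in sorted(DNS):
        print(host, route(host, BLACKLIST, DNS))
    print("collateral:", collateral(BLACKLIST, DNS))
```
&lt;br /&gt;
Running it prints the route for each host and the collateral set: the two innocent hosts (fr.wikipedia.test and tenant-b.apps.test) end up proxied because of a single listed page elsewhere on a shared address, which is exactly the failure mode a platform with many undisclosed IPs and many customers per IP cannot avoid.&lt;br /&gt;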
&lt;br /&gt;
It is my contention that censorship is completely incompatible with cloud computing, and that this alone is reason enough to scuttle it. In the meantime &lt;a href="http://www.efa.org.au/"&gt;Electronic Frontiers Australia (EFA)&lt;/a&gt;&amp;nbsp;has just landed itself a new life member and I encourage anyone who cares about their future and that of their children to &lt;a href="http://www.efa.org.au/join/"&gt;join&lt;/a&gt; as well (my friends in the USA may want to take a look at the &lt;a href="http://www.eff.org/"&gt;EFF&lt;/a&gt; and Europeans the &lt;a href="http://www.ffii.org/"&gt;FFII&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: x-small;"&gt;Thanks to &lt;a href="http://www.gizmodo.com.au/2009/12/conroy-releases-internet-filter-trial-report-dooms-us-all/"&gt;Gizmodo Australia&lt;/a&gt; for the image above, used without permission but with thanks. No thanks to Gizmodo for breaking the link.&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-1948527865897587199?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=WpqJZFuyu4w:yn30mlbkD3c:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=WpqJZFuyu4w:yn30mlbkD3c:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=WpqJZFuyu4w:yn30mlbkD3c:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=WpqJZFuyu4w:yn30mlbkD3c:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/WpqJZFuyu4w" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-12-17T07:29:35.640+01:00</app:edited><media:thumbnail url="http://2.bp.blogspot.com/_rMN9gaLa47A/SynPs4oGNgI/AAAAAAAAAU4/nx9q7K52QWo/s72-c/gizmodo.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">7</thr:total><feedburner:origLink>http://samj.net/2009/12/word-on-australian-internet-censorship.html</feedburner:origLink></item><item><title>HOWTO: Fix OS X by uninstalling Adobe Flash</title><link>http://feedproxy.google.com/~r/samj/~3/MHJ-aKYNf4I/howto-fix-os-x-by-uninstalling-adobe.html</link><category>cloud</category><category>standards</category><category>security</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:57:18 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-2227184446521244674</guid><description>Adobe Flash just ruined my day for the last time... I've just arrived in Paris and needed to do some work before a meeting this afternoon. As it's noisy here I didn't hear the MacBook's fans running at full speed trying to compensate for a single rogue Flash ad in a tab in Google Chrome. The result was that my full 4 hour battery was reduced to less than 40 minutes and I now have no chance of getting everything I wanted to do done. Instead I'm going to use the remaining 20 minutes to tell you how to rid yourself of Flash once and for all, and in doing so enjoy the following benefits:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Significantly improved security (Snow Leopard even &lt;i&gt;shipped&lt;/i&gt; with a &lt;a href="http://blogs.zdnet.com/security/?p=4175"&gt;vulnerable Flash player&lt;/a&gt;!)&lt;/li&gt;
&lt;li&gt;Significantly improved performance (Flash regularly consumes most of the resources of even the most powerful machines)&lt;/li&gt;
&lt;li&gt;Significantly longer battery life (the CPU consumes a lot more energy when it is busy)&lt;/li&gt;
&lt;li&gt;Significantly less noise (MacBooks crank up the fans to deal with the extra heat)&lt;/li&gt;
&lt;li&gt;No more annoying and invasive advertisements (virtually all of the most annoying ads are Flash)&lt;/li&gt;
&lt;li&gt;Fewer distractions (while sites like YouTube have legitimate uses, the overwhelming majority of time spent there is procrastination)&lt;/li&gt;
&lt;li&gt;A better Internet (Adobe's penetration figures are already &lt;a href="http://samj.net/2009/02/why-adobe-flash-penetration-is-more.html"&gt;complete bullshit&lt;/a&gt; but by voting NO to Flash you're sending developers a strong message)&lt;/li&gt;
&lt;li&gt;An open Internet (Adobe Flash is a proprietary plugin that hampers the adoption of open standards like &lt;a href="http://www.w3.org/TR/html5/"&gt;HTML 5&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;A level playing field with one less monopoly (Adobe was the first company to achieve near-ubiquitous penetration rate with a proprietary plug-in, and it will hopefully be the last. Late entrants like Silverlight don't stand a chance because there is just no incentive.)&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;Without further ado (as I'm running out of juice):&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;Download the &lt;a href="http://kb2.adobe.com/cps/141/tn_14157.html"&gt;Adobe Flash Player uninstaller&lt;/a&gt; for your system (e.g. &lt;a href="http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player_osx.dmg"&gt;uninstall_flash_player_osx.dmg&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;Open the Flash Player Uninstaller:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_rMN9gaLa47A/Surgm3uJRiI/AAAAAAAAATs/8UU8P7Nusiw/s1600-h/flash-uninstaller.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_rMN9gaLa47A/Surgm3uJRiI/AAAAAAAAATs/8UU8P7Nusiw/s320/flash-uninstaller.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;Authenticate:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_rMN9gaLa47A/SurhWK22JtI/AAAAAAAAAT0/wyAQ0ppLIhY/s1600-h/authenticate.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_rMN9gaLa47A/SurhWK22JtI/AAAAAAAAAT0/wyAQ0ppLIhY/s320/authenticate.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;Watch:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_rMN9gaLa47A/SurnGafgaqI/AAAAAAAAAT8/Gtu4StUiY00/s1600-h/search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_rMN9gaLa47A/SurnGafgaqI/AAAAAAAAAT8/Gtu4StUiY00/s320/search.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;Done:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_rMN9gaLa47A/Surn7xmIVnI/AAAAAAAAAUE/NwNl85c-AnI/s1600-h/finished.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_rMN9gaLa47A/Surn7xmIVnI/AAAAAAAAAUE/NwNl85c-AnI/s320/finished.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/li&gt;
&lt;li&gt;Enjoy a Flash-free computing experience (it only takes about 30 seconds).&lt;/li&gt;
&lt;/ul&gt;&lt;/div&gt;&lt;div&gt;PS: You might be surprised to find that (provided you're using a recent browser like Safari 4, Chrome, Firefox 3.5, etc.) videos such as &lt;a href="http://www.apple.com/imac/the-new-imac/"&gt;those at Apple.com&lt;/a&gt; (including the &lt;a href="http://www.apple.com/getamac/ads/"&gt;Get a Mac ads&lt;/a&gt;) as well as sites like &lt;a href="http://openvideo.dailymotion.com/"&gt;DailyMotion's OpenVideo&lt;/a&gt; will "just work", natively, in the browser, without Flash. That's the future right there...&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;PPS: For the fanbois on whom the message that I'm not interested is lost, feel free to flame away below. The demise of Flash is going to happen, probably sooner than you would like, so why endure another day?&lt;br /&gt;
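&lt;br /&gt;
An added check, not part of the original post: a short Python script that confirms the uninstaller actually removed the plug-in from the standard OS X locations and lists anything left behind. The two file names are the ones Flash Player dropped into the Internet Plug-Ins directories at the time (an assumption from memory; adjust if your version used others), and the sandbox demo constructs a fake install in a temporary directory so the logic can be exercised on any machine.&lt;br /&gt;

```python
"""Verify that Adobe's uninstaller really removed Flash Player from OS X.

Checks the system-wide and per-user Internet Plug-Ins directories for the
files Flash Player installs and reports whatever is still there.
"""
import os
import shutil
import tempfile

# File names Flash Player placed in the plug-in directories (assumption).
FLASH_FILES = ["Flash Player.plugin", "flashplayer.xpt"]

# The two places browsers on OS X load NPAPI plug-ins from.
PLUGIN_DIRS = [
    "/Library/Internet Plug-Ins",
    os.path.expanduser("~/Library/Internet Plug-Ins"),
]


def flash_remnants(dirs=PLUGIN_DIRS, names=FLASH_FILES):
    """Full paths of any Flash files still present in the given directories."""
    found = []
    for directory in dirs:
        for name in names:
            path = os.path.join(directory, name)
            if os.path.exists(path):
                found.append(path)
    return found


def flash_removed(dirs=PLUGIN_DIRS):
    """True when none of the known Flash files remain."""
    return not flash_remnants(dirs)


def demo_in_sandbox():
    """Constructed demonstration: build a fake install in a temp dir, check,
    remove it the way the uninstaller would, and check again.
    Returns (remnants_before, remnants_after)."""
    root = tempfile.mkdtemp()
    fake_dir = os.path.join(root, "Internet Plug-Ins")
    os.makedirs(os.path.join(fake_dir, FLASH_FILES[0]))   # a .plugin is a bundle (directory)
    open(os.path.join(fake_dir, FLASH_FILES[1]), "w").close()
    before = flash_remnants([fake_dir])
    shutil.rmtree(os.path.join(fake_dir, FLASH_FILES[0]))
    os.remove(os.path.join(fake_dir, FLASH_FILES[1]))
    after = flash_remnants([fake_dir])
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    leftovers = flash_remnants()
    if leftovers:
        print("Flash Player is still installed:")
        for path in leftovers:
            print("  " + path)
    else:
        print("No Flash Player plug-in found in the standard locations.")
```
&lt;br /&gt;
Run it after the uninstaller finishes; an empty result means the browser has nothing left to load. If you keep Flash for some reason and rely on ClickToFlash instead, the plug-in will of course still show up here.&lt;br /&gt;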
&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;b&gt;Update:&lt;/b&gt; After 2 weeks without Flash I've had far fewer problems, can open many more tabs and have not had to restart my browser at all. Even YouTube has its own &lt;a href="http://www.youtube.com/html5"&gt;HTML5 video demo pages&lt;/a&gt; up now so it's only a matter of time before Flash will be relegated to the wonderful world of Internet advertising. For those who are stuck with Flash for whatever reason I recommend &lt;a href="http://rentzsch.github.com/clicktoflash/"&gt;ClickToFlash&lt;/a&gt; which at least prevents it from being loaded without user interaction.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-2227184446521244674?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=MHJ-aKYNf4I:iLPd5IeFXWg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=MHJ-aKYNf4I:iLPd5IeFXWg:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=MHJ-aKYNf4I:iLPd5IeFXWg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=MHJ-aKYNf4I:iLPd5IeFXWg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/MHJ-aKYNf4I" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:57:18.800+01:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_rMN9gaLa47A/Surgm3uJRiI/AAAAAAAAATs/8UU8P7Nusiw/s72-c/flash-uninstaller.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><enclosure url="http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player_osx.dmg" length="345389" type="application/x-apple-diskimage" /><media:content url="http://fpdownload.macromedia.com/get/flashplayer/current/uninstall_flash_player_osx.dmg" fileSize="345389" type="application/x-apple-diskimage" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Adobe Flash just ruined my day for the last time... I've just arrived in Paris and needed to do some work before a meeting this afternoon. As it's noisy here I didn't hear the MacBook's fans running at full speed trying to compensate for a single rogue Fl</itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>Adobe Flash just ruined my day for the last time... I've just arrived in Paris and needed to do some work before a meeting this afternoon. As it's noisy here I didn't hear the MacBook's fans running at full speed trying to compensate for a single rogue Flash ad in a tab in Google Chrome. The result was that my full 4 hour battery was reduced to less than 40 minutes and I now have no chance of getting everything I wanted to do done. Instead I'm going to use the remaining 20 minutes to tell you how to rid yourself of Flash once and for all, and in doing so enjoy the following benefits: Significantly improved security (Snow Leopard even shipped with a vulnerable Flash player!) 
Significantly improved performance (Flash regularly consumes most of the resources of even the most powerful machines) Significantly longer battery life (the CPU consumes a lot more energy when it is busy) Significantly less noise (MacBooks crank up the fans to deal with the extra heat) No more annoying and invasive advertisements (virtually all of the most annoying ads are Flash) Less distractions (while sites like YouTube have legitimate uses, the overwhelming majority of time spent there is procrastination) A better Internet (Adobe's penetration figures are already complete bullshit but by voting NO to Flash you're sending developers a strong message) An open Internet (Adobe Flash is a proprietary plugin that hampers the adoption of open standards like HTML 5) A level playing field with one less monopoly (Adobe was the first company to achieve near-ubiquitous penetration rate with a proprietary plug-in, and it will hopefully be the last. Late entrants like Silverlight don't stand a chance because there is just no incentive.) Without further ado (as I'm running out of juice):Download the Adobe Flash Player uninstaller for your system (e.g. uninstall_flash_player_osx.dmg) Open the Flash Player Uninstaller: Authenticate: Watch: Done: Enjoy a Flash-free computing experience (it only takes about 30 seconds). PS: You might be surprised to find that (provided you're using a recent browser like Safari 4, Chrome, Firefox 3.5, etc.) videos such as those at Apple.com (including the Get a Mac ads) as well as sites like DailyMotion's OpenVideo will "just work", natively, in the browser, without Flash. That's the future right there... PPS: For the fanbois on whom the message that I'm not interested is lost, feel free to flame away below. The demise of Flash is going to happen, probably sooner than you would like, so why endure another day? Update: After 2 weeks without Flash I've had far fewer problems, can open many more tabs and have not had to restart my browser at all. 
Even YouTube has its own HTML5 video demo pages up now so it's only a matter of time before Flash will be relegated to the wonderful world of Internet advertising. For those who are stuck with Flash for whatever reason I recommend ClickToFlash which at least prevents it from being loaded without user interaction. </itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2009/10/howto-fix-os-x-by-uninstalling-adobe.html</feedburner:origLink></item><item><title>A quick word on Windows 7 launch parties...</title><link>http://feedproxy.google.com/~r/samj/~3/n98QKkGzlwk/quick-word-on-windows-7-launch-parties.html</link><category>microsoft</category><category>apple</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 29 Oct 2009 03:24:30 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-403096655220942254</guid><description>Many of you have already seen this cringeworthy video of some PR flak's interpretation of what a "&lt;a href="http://www.houseparty.com/windows7"&gt;Windows 7 Launch Party&lt;/a&gt;" should look like:&lt;br /&gt;&lt;br /&gt;&lt;object height="340" width="560"&gt;&lt;param name="movie" value="http://www.youtube.com/v/1cX4t5-YpHQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/1cX4t5-YpHQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;Unsurprisingly they &lt;a href="http://www.pcworld.com/businesscenter/article/174237/windows_7_launch_parties_fizzle.html"&gt;fizzled&lt;/a&gt; as a "complete and utter failure", but we didn't hear much about this - either because so 
few were held or because of the reams of legalese that apparently even those RSVPing had to commit to.&lt;br /&gt;&lt;blockquote&gt;&lt;i&gt;Remember high school--cool kids went to parties and had fun while nerds hung out at math club and played Dungeons and Dragons? Well, the two don't mix. Hosting a party where you play Dungeons and Dragons or discuss algebraic functions doesn't make you cool just because you put the word ‘party' on it.&lt;/i&gt;&lt;br /&gt;&lt;/blockquote&gt;Apple is &lt;a href="http://www.apple.com/getamac/"&gt;cool&lt;/a&gt;. Microsoft is &lt;a href="http://images.google.com/images?q=microsoft+founders+photo"&gt;not&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Thanks &lt;a href="http://twitter.com/krishnan/status/5251874260"&gt;Krishna Subramanian&lt;/a&gt;, &lt;a href="http://twitter.com/dsabar/status/5251711144"&gt;Devan Sabaratnam&lt;/a&gt; and YouTube's &lt;a href="http://www.youtube.com/user/badicalindustries"&gt;badicalindustries&lt;/a&gt; for this blast from the past:&lt;br /&gt;&lt;br /&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/OvcHNKUA6So&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/OvcHNKUA6So&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The critique writes itself. Learn from your mistakes people.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-403096655220942254?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=n98QKkGzlwk:y2fRFetbaaY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=n98QKkGzlwk:y2fRFetbaaY:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=n98QKkGzlwk:y2fRFetbaaY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=n98QKkGzlwk:y2fRFetbaaY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/n98QKkGzlwk" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-29T11:24:30.518+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure url="http://www.youtube.com/v/1cX4t5-YpHQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" length="1014" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/1cX4t5-YpHQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" fileSize="1014" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Many of you have already seen this cringeworthy video of some PR flak's interpretation of what a "Windows 7 Launch Party" should look like: Unsurprisingly they fizzled as a "complete and utter failure", but we didn't hear much about this - either because </itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>Many of you have already seen this cringeworthy video of some PR flak's interpretation of what a "Windows 7 Launch Party" should look like: Unsurprisingly they fizzled as a "complete and utter failure", but we didn't hear much about this - either because so few were held or because of the reams of legalese that apparently even those RSVPing had to commit to. Remember high school--cool kids went to parties and had fun while nerds hung out at math club and played Dungeons and Dragons? Well, the two don't mix. Hosting a party where you play Dungeons and Dragons or discuss algebraic functions doesn't make you cool just because you put the word ‘party' on it. Apple is cool. Microsoft is not. Thanks Krishna Subramanian, Devan Sabaratnam and YouTube's badicalindustries for this blast from the past: The critique writes itself. 
Learn from your mistakes people.</itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2009/10/quick-word-on-windows-7-launch-parties.html</feedburner:origLink></item><item><title>An open letter to the NoSQL community</title><link>http://feedproxy.google.com/~r/samj/~3/l13Fl-jZfxQ/open-letter-to-nosql-community.html</link><category>cloud</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Tue, 27 Oct 2009 10:23:09 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-8027079107266563568</guid><description>Following &lt;a href="http://twitter.com/samj/status/5200522151"&gt;some discussion&lt;/a&gt; on Twitter today I posted &lt;a href="http://groups.google.com/group/nosql-discussion/browse_thread/thread/54e39cf9b1e120ff"&gt;this thread&lt;/a&gt; to the &lt;a href="http://groups.google.com/group/nosql-discussion/"&gt;nosql-discussion&lt;/a&gt; group. You can see &lt;a href="http://groups.google.com/group/nosql-discussion/browse_thread/thread/54e39cf9b1e120ff/ecb7a601b8155ee9?#ecb7a601b8155ee9"&gt;the outcome&lt;/a&gt; for yourself (essentially, and unsurprisingly I might add, "&lt;i&gt;please feel free to take your software and call it whatever you want&lt;/i&gt;").&lt;br /&gt;&lt;br /&gt;While I don't want to mess with their momentum (it's a good cause, if branded with an unfortunate name) this isn't the first time the issue's been raised and I doubt it will be the last. I do however think that "no SQL" is completely missing the point and that the core concern is trading consistency for scalability. 
At the end of the day developers and users will deploy what is most appropriate for the task at hand.&lt;br /&gt;&lt;br /&gt;There's already been &lt;a href="http://groups.google.com/group/nosql-discussion/browse_thread/thread/c6013c2b8fccdbc5"&gt;a question&lt;/a&gt; about alternatives to SQL, and knowing how &lt;a href="http://en.wikipedia.org/wiki/SQL"&gt;Structured Query Language (SQL)&lt;/a&gt; came to be (consider the interfaces before it existed and compare that to what we have today) I figure it's only a matter of time before history repeats itself and we end up creating something like &lt;a href="http://code.google.com/p/cql"&gt;Cloud Query Language (CQL)&lt;/a&gt; (a deliberate play on words). The closer this is to ANSI SQL the better it will be, both in terms of technology reuse and of the bags of bones that need to understand how it works... for the same reason the &lt;a href="http://www.occi-wg.org/"&gt;Open Cloud Computing Interface (OCCI)&lt;/a&gt; tries very hard to be as close as possible to &lt;a href="http://tools.ietf.org/html/rfc2616"&gt;HyperText Transfer Protocol (HTTP)&lt;/a&gt;.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;---------- Forwarded message ----------&lt;/div&gt;&lt;div&gt;From: Sam Johnston &lt;samj@samj.net&gt;&lt;/div&gt;&lt;div&gt;Date: Tue, Oct 27, 2009 at 3:33 PM&lt;/div&gt;&lt;div&gt;Subject: An open letter to the NoSQL community&lt;/div&gt;&lt;div&gt;To: NoSQL &lt;nosql-discussion@googlegroups.com&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Afternoon NoSQLers,&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I write to you as a huge fan of next generation databases, but also as someone who doesn't associate in any way with the "NoSQL" moniker. 
I don't particularly care for SQL and appreciate the contrived contention it creates, but I think it misses the point somewhat and alienates people like myself who might otherwise have been drawn to the project.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I assume that by "NoSQL" we're referring to the next generation of [generally cloud-based] databases such as Google's BigTable, Amazon's SimpleDB, Facebook's Cassandra, etc., in which case the issue is more the underlying model (e.g. &lt;a href="http://queue.acm.org/detail.cfm?id=1394128"&gt;ACID vs BASE&lt;/a&gt;), where we are ultimately trading consistency for scalability.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;To me this has nothing to do with the query language (which would still arguably be useful for many applications and which may as well be [something like] SQL, albeit &lt;a href="http://code.google.com/p/cql/"&gt;adapted&lt;/a&gt;), nor the relational (as opposed to &lt;a href="http://en.wikipedia.org/wiki/Database_Management_System#1960s_Navigational_DBMS"&gt;navigational&lt;/a&gt;) nature of the data (which is still the case today - it's just represented as pointers rather than separate "relation" tables), and to focus on either attribute is missing the point. This is particularly true with today's announcement of &lt;a href="http://aws.amazon.com/rds/"&gt;Amazon RDS&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Perhaps it's too late already, but I'd like to think we can come up with a more representative name to which everyone can associate (and which isn't so scary for fickle enterprise customers). 
There's already been a couple of decent suggestions, including alt.db, db-ng, NRDB[MS], etc.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Sam&lt;/div&gt;&lt;div&gt;&lt;a href="http://samj.net/"&gt;http://samj.net/&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-8027079107266563568?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=l13Fl-jZfxQ:TGrNX3G1OF4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=l13Fl-jZfxQ:TGrNX3G1OF4:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=l13Fl-jZfxQ:TGrNX3G1OF4:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=l13Fl-jZfxQ:TGrNX3G1OF4:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/l13Fl-jZfxQ" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-27T18:23:09.798+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://samj.net/2009/10/open-letter-to-nosql-community.html</feedburner:origLink></item><item><title>Twitter's down for the count. What are we going to do about it?</title><link>http://feedproxy.google.com/~r/samj/~3/HQZ30t9GDYg/twitters-down-for-count-what-are-we.html</link><category>cloud</category><category>cloud standards</category><category>twitter</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Tue, 27 Oct 2009 05:53:17 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-4375966955479077841</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_rMN9gaLa47A/SubtL_coE9I/AAAAAAAAATk/O9_9lLPx6Hg/s1600-h/dead-bird.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_rMN9gaLa47A/SubtL_coE9I/AAAAAAAAATk/O9_9lLPx6Hg/s320/dead-bird.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/_rMN9gaLa47A/SubkIV7MOFI/AAAAAAAAATc/kcMqC0CF-qg/s1600-h/Screen+shot+2009-10-27+at+1.06.18+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/_rMN9gaLa47A/SubkIV7MOFI/AAAAAAAAATc/kcMqC0CF-qg/s640/Screen+shot+2009-10-27+at+1.06.18+PM.png" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;What's wrong with this picture?&lt;br /&gt;
&lt;/div&gt;&lt;ul&gt;&lt;li&gt;There's not a single provider for telephony (AT&amp;amp;T, T-Mobile, etc.)&lt;/li&gt;
&lt;li&gt;There's not a single provider for text messaging (AT&amp;amp;T, T-Mobile, etc.)&lt;/li&gt;
&lt;li&gt;There's not a single provider for instant messaging (GTalk, MSN, AIM, etc.)&lt;/li&gt;
&lt;li&gt;There's not a single provider for e-mail (GMail, Hotmail, Yahoo!, etc.)&lt;/li&gt;
&lt;li&gt;There's not a single provider for blogging (Blogger, Wordpress, etc.)&lt;/li&gt;
&lt;li&gt;There's not a single provider for "mini" blogging (Tumblr, Posterous, etc.)&lt;/li&gt;
&lt;li&gt;There IS a single provider for micro blogging (Twitter)&lt;/li&gt;
&lt;li&gt;And it's down for the count (everything from the main site to the API is inaccessible)&lt;/li&gt;
&lt;li&gt;And it's been down for an Internet eternity (the best part of an hour and counting)&lt;/li&gt;
&lt;/ul&gt;&lt;div&gt;What are we going to do about it?&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-4375966955479077841?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=HQZ30t9GDYg:Kckm11AL1bk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=HQZ30t9GDYg:Kckm11AL1bk:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=HQZ30t9GDYg:Kckm11AL1bk:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=HQZ30t9GDYg:Kckm11AL1bk:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/HQZ30t9GDYg" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-27T13:53:17.067+01:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_rMN9gaLa47A/SubtL_coE9I/AAAAAAAAATk/O9_9lLPx6Hg/s72-c/dead-bird.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://samj.net/2009/10/twitters-down-for-count-what-are-we.html</feedburner:origLink></item><item><title>How lobbyists are denying you a voice and destroying democracy</title><link>http://feedproxy.google.com/~r/samj/~3/EKCYqZ_OHGY/how-lobbyists-are-denying-you-voice-and.html</link><category>security</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:40:22 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-5832772294547710060</guid><description>I came across an unsurprising but nonetheless disconcerting revelation today that is gives a very good example of what most of us knew all along: that "public comment" process are routinely subverted by commercial interests, generally at the public's expense. It comes in the form of a smoking gun courtesy DSL Reports: &lt;a href="http://www.dslreports.com/shownews/105109"&gt;Who Knew Senior Citizens Hated Net Neutrality?&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
There is currently an extremely important battle underway over securing &lt;a href="http://en.wikipedia.org/wiki/Net_neutrality"&gt;Net Neutrality&lt;/a&gt; regulations and another where big media are actively attacking (by way of &lt;a href="http://en.wikipedia.org/wiki/Three_strikes_%28policy%29"&gt;three-strikes policies&lt;/a&gt; like &lt;a href="http://en.wikipedia.org/wiki/HADOPI_law"&gt;HADOPI&lt;/a&gt; in France) what is fast becoming a legal right: broadband access (thanks to Finland for getting the ball rolling: &lt;a href="http://www.cnn.com/2009/TECH/10/15/finland.internet.rights/index.html"&gt;Fast Internet access becomes a legal right in Finland&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
Us (US?) consumers recently had a big win with the FCC getting on board the &lt;a href="http://www.openinternet.gov/"&gt;Open Internet&lt;/a&gt; bandwagon but, not afraid to flog a dead horse, industry lobbyists have rolled out an army of puppets parroting their position: that Net Neutrality is somehow opposed to broadband adoption (which could not be further from the truth). In this case it's the Arkansas Retired Seniors Coalition, purporting to represent (surprise, surprise) retired seniors in Arkansas, ignoring the fact that your average senior quite probably doesn't know what net neutrality is, let alone care about it!&lt;br /&gt;
&lt;br /&gt;
They do care about Internet access though and as the &lt;a href="http://www.pcmag.com/article2/0,2817,2335754,00.asp"&gt;slowest state in the south&lt;/a&gt; all it would take would be a seemingly suitable scapegoat and you'd have pitchforks in the streets. My guess is they don't even know the position taken by their representatives which makes this letter sent on their behalf at least deceitful:&lt;br /&gt;
&lt;div id="__ss_2334907" style="text-align: left; width: 477px;"&gt;&lt;a href="http://www.slideshare.net/samj/arkansas-retired-seniors-coalition-net-neutrality-letter" style="display: block; font-family: Helvetica,Arial,Sans-serif; font-size-adjust: none; font-size: 14px; font-stretch: normal; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; margin: 12px 0pt 3px; text-decoration: underline;" title="Arkansas Retired Seniors Coalition Net Neutrality Letter"&gt;Arkansas Retired Seniors Coalition Net Neutrality Letter&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;object height="510" style="margin: 0px;" width="477"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayerd.swf?doc=retrieve-091024053029-phpapp02&amp;stripped_title=arkansas-retired-seniors-coalition-net-neutrality-letter" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://static.slidesharecdn.com/swf/ssplayerd.swf?doc=retrieve-091024053029-phpapp02&amp;stripped_title=arkansas-retired-seniors-coalition-net-neutrality-letter" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="477" height="510"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;br /&gt;
The problem with such &lt;a href="http://en.wikipedia.org/wiki/Astroturfing"&gt;astroturfing&lt;/a&gt; is that it makes public opinion both harder to reliably collect and easier to dismiss. Such shenanigans appear far more prevalent in the US than in other countries I've lived in, but regulations there (e.g. DMCA) tend to &lt;a href="http://action.eff.org/site/PageServer?pagename=ADV_australiacab"&gt;flow on to the rest of us&lt;/a&gt; eventually so it's in everyone's interest to have their say.&lt;br /&gt;
&lt;br /&gt;
There really should be something done about the issue, however most solutions are relatively difficult to enforce. Examples include requiring a statutory declaration component such that egregious abuses can be punished (and to make people think twice about misrepresenting others), or requiring the individuals represented to make an overt act such as signing a petition. Rejecting messages that are too similar, and therefore obviously templates, raises the bar somewhat but does not stop determined attackers.&lt;br /&gt;
&lt;br /&gt;
The long term solution likely comes in the form of digital identity, whereby each individual can be reliably authenticated and the cost of involving them in decisions trends towards zero. As referendums are extremely expensive and inefficient (despite the availability of technology that could put them within reach for routine decision-making) we appoint representatives who we hope will accurately reflect our views on each of the topics. Obviously this is rare - for example your representative might share your views on fiscal policy but reject gay marriage in which case you have to choose what is more important to you.&lt;br /&gt;
&lt;br /&gt;
An arguably better solution is where individuals can take part in all decisions they care about, which is called a &lt;a href="http://en.wikipedia.org/wiki/Direct_democracy"&gt;direct democracy&lt;/a&gt; (or pure democracy), and the use of technology to achieve better representation is a separate but related concept known as &lt;a href="http://en.wikipedia.org/wiki/E-democracy"&gt;e-democracy&lt;/a&gt;. We should be paying more attention to both as it's like we only got half way there by establishing &lt;a href="http://en.wikipedia.org/wiki/Representative_democracy"&gt;representative democracies&lt;/a&gt; in most of the western world.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-5832772294547710060?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=EKCYqZ_OHGY:e7_jvc_TsQw:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=EKCYqZ_OHGY:e7_jvc_TsQw:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=EKCYqZ_OHGY:e7_jvc_TsQw:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=EKCYqZ_OHGY:e7_jvc_TsQw:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/EKCYqZ_OHGY" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:40:22.792+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure url="http://static.slidesharecdn.com/swf/ssplayerd.swf?doc=retrieve-091024053029-phpapp02&amp;stripped_title=arkansas-retired-seniors-coalition-net-neutrality-letter" length="104994" type="application/x-shockwave-flash" /><media:content url="http://static.slidesharecdn.com/swf/ssplayerd.swf?doc=retrieve-091024053029-phpapp02&amp;stripped_title=arkansas-retired-seniors-coalition-net-neutrality-letter" fileSize="104994" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>I came across an unsurprising but nonetheless disconcerting revelation today that is gives a very good example of what most of us knew all along: that "public comment" process are routinely subverted by commercial interests, generally at the public's expe</itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>I came across an unsurprising but nonetheless disconcerting revelation today that is gives a very good example of what most of us knew all along: that "public comment" process are routinely subverted by commercial interests, generally at the public's expense. It comes in the form of a smoking gun courtesy DSL Reports: Who Knew Senior Citizens Hated Net Neutrality? There is currently an extremely important battle underway over securing Net Neutrality regulations and another where big media are actively attacking (by way of three-strikes policies like HADOPI in France) what is fast becoming a legal right: broadband access (thanks to Finland for getting the ball rolling: Fast Internet access becomes a legal right in Finland). Us (US?) 
consumers recently had a big win with the FCC getting on board the Open Internet bandwagon but not afraid to flog a dead horse, industry lobbyists have rolled out an army of puppets parroting their position; that Net Neutrality is somehow opposed to broadband adoption (which could not be further from the truth). In this case it's the Arkansas Retired Seniors Coalition, purporting to represent (surprise, surprise) retired seniors in Arkansas, ignoring the fact that your average senior quite probably doesn't know what net neutrality is, let alone care about it! They do care about Internet access though and as the slowest state in the south all it would take would be a seemingly suitable scapegoat and you'd have pitchforks in the streets. My guess is they don't even know the position taken by their representatives which makes this letter sent on their behalf at least deceitful: Arkansas Retired Seniors Coalition Net Neutrality Letter The problem which such astroturfing is that it makes public opinion both harder to reliably collect and easier to dismiss. Such shenanigans appear far more prevalent in the US than other countries I've lived in, but regulations there (e.g. DMCA) tend to flow on to the rest of us eventually so it's in everyone's interest to have their say. There really should be something done about the issue, however most solutions are relatively difficult to enforce. Examples include requiring a statutory declaration component such that egregious abuses can be punished (and to make people think twice about misrepresenting others), or requiring the individuals represented to make an overt act such as signing a petition. Rejecting messages that are too similar, and therefore obviously templates, raises the bar somewhat but does not stop determined attackers. The long term solution likely comes in the form of digital identity, whereby each individual can be reliably authenticated and the cost of involving them in decisions trends towards zero. 
As referendums are extremely expensive and inefficient (despite the availability of technology that could put them within reach for routine decision-making) we appoint representatives who we hope will accurately reflect our views on each of the topics. Obviously this is rare - for example your representative might share your views on fiscal policy but reject gay marriage in which case you have to choose what is more important to you. An arguably better solution is where individuals can take part in all decisions they care about, which is called a direct democracy (or pure democracy), and the use of technology to achieve better representation is a separate but related concept known as e-democracy. We should be paying more attention to both as it's like we only got half way there by establishing representative democracies in most of the western world.</itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2009/10/how-lobbyists-are-denying-you-voice-and.html</feedburner:origLink></item><item><title>Cloud or Not?</title><link>http://feedproxy.google.com/~r/samj/~3/Se720DA09ks/cloud-or-not.html</link><category>cloud</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Tue, 13 Oct 2009 01:19:45 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-2988292555238737682</guid><description>As it seems people still just don't get what is, and what is &lt;u&gt;not&lt;/u&gt; (*cough*&lt;a href="http://samj.net/2009/10/if-its-dangerous-its-not-cloud.html"&gt;Sidekick&lt;/a&gt;*cough*) &lt;a href="http://wikipedia.org/wiki/Cloud_computing"&gt;cloud computing&lt;/a&gt;, I've put together a (tongue-in-cheek) flowchart to help you decide:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_rMN9gaLa47A/StQ4AvrOybI/AAAAAAAAAS8/4zAlouW5EMw/s1600-h/cloud-or-not.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_rMN9gaLa47A/StQ4AvrOybI/AAAAAAAAAS8/4zAlouW5EMw/s400/cloud-or-not.png" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-2988292555238737682?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=Se720DA09ks:h3aUAXM6S-g:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=Se720DA09ks:h3aUAXM6S-g:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=Se720DA09ks:h3aUAXM6S-g:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=Se720DA09ks:h3aUAXM6S-g:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/Se720DA09ks" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-13T10:19:45.891+02:00</app:edited><media:thumbnail url="http://3.bp.blogspot.com/_rMN9gaLa47A/StQ4AvrOybI/AAAAAAAAAS8/4zAlouW5EMw/s72-c/cloud-or-not.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">7</thr:total><feedburner:origLink>http://samj.net/2009/10/cloud-or-not.html</feedburner:origLink></item><item><title>If it's dangerous it's NOT cloud computing</title><link>http://feedproxy.google.com/~r/samj/~3/kUm13XyGJ2M/if-its-dangerous-its-not-cloud.html</link><category>cloud</category><category>cloud standards</category><category>security</category><category>microsoft</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Mon, 12 Oct 2009 05:32:29 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-4172565596300903339</guid><description>&lt;span class="Apple-style-span" style="font-family: arial; font-size: small;"&gt;&lt;/span&gt;&lt;br /&gt;
&lt;div&gt;Having written something similar over the weekend myself (&lt;a href="http://samj.net/2009/10/how-open-cloud-could-have-saved.html" target="_blank"&gt;How Open Cloud could have saved Sidekick users' skins&lt;/a&gt;) I was getting ready to compliment Reuven Cohen on his latest post (really), but fear-mongering title aside (&lt;a href="http://www.elasticvapor.com/2009/10/cloud-computing-is-dangerous.html"&gt;Cloud Computing is Dangerous&lt;/a&gt;) I was dismayed to see this:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;blockquote class="gmail_quote" style="border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; margin-bottom: 0px; margin-left: 0.8ex; margin-right: 0px; margin-top: 0px; padding-left: 1ex;"&gt;"Let's call it what it is,&amp;nbsp;&lt;u&gt;it's a cloud app&lt;/u&gt;&amp;nbsp;-- your data when using a Sidekick is hosted in someone else's data center."&lt;/blockquote&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;I simply can not and will not accept this, and I'm&amp;nbsp;&lt;a href="http://twitter.com/Beaker/status/4785965028" target="_blank"&gt;not the only one&lt;/a&gt;:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;blockquote class="gmail_quote" style="border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; margin-bottom: 0px; margin-left: 0.8ex; margin-right: 0px; margin-top: 0px; padding-left: 1ex;"&gt;Help me out here. I'm seeing really smart people I totally respect jump on this T-Mobile issue as a "Cloud" failure. Am I losing my mind?&lt;/blockquote&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;Reuven: I'm disappointed that you feel this way, particularly as people (for better or worse)&amp;nbsp;&lt;a href="http://twitter.com/ruv/status/4745136255" target="_blank"&gt;do actually listen&lt;/a&gt;&amp;nbsp;to what you have to say. As such you owe it to the community you [unofficially] represent to think (or better yet, ask) before you speak on its behalf -&amp;nbsp;what you consider "partly kidding" others take very seriously. I'd swear I spend half my life cleaning up after things like the Open Cloud Manifestation (albeit granted if we all agreed from the outset we'd have nothing to talk about!).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;For a start, Sidekicks predate cloud by 1/2 a dozen *years*, with the first releases back in 2001. Are we saying that they were so far ahead (like Google) that we just hadn't come up with a name for their technology yet? No. Is Blackberry cloud? No, it isn't either. This was a legacy n-tier Internet-facing application that catastrophically failed as many such applications do. It was NOT cloud. As Alexis Richardson &lt;a href="http://twitter.com/monadic/status/4806911212"&gt;pointed out&lt;/a&gt; to Redmonk's James Governor "if it loses your data - it's not a cloud".&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;&lt;b&gt;&lt;span style="font-weight: normal;"&gt;While I know that this analogy is inconvenient for some vendors it works and it's the best we have:&amp;nbsp;&lt;/span&gt;Cloud is resilient in the same way that the electricity grid is resilien&lt;/b&gt;&lt;b&gt;t. Power stations do fail and we (generally) don't hear about it.&lt;/b&gt;&amp;nbsp;Similarly datacenters fail, get disconnected, overheat, flood, burn to the ground and so on, but these events should not cause any more than a minor interruption for end users. Otherwise how are they different from "legacy" web applications? Sure, occasionally we'll have cloud computing "blackouts" but we'll learn to live with them just as we do today when the electricity goes out.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;As a more specific example, if an Amazon DC fails you'll lose your EC2 instances (the cost/performance hit of running lock-step across high latency links is way too high for live redundancy). However the virtual machine image itself should be automagically replicated across multiple geographically independent availability zones by S3 so it's just a case of starting them again. If you're using S3 directly (or Gmail for that matter) you should never need to know that something went wrong.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;But Salesforce predates cloud by almost a decade you say? This data point was a thorn in my side until I found this article (&lt;a href="http://www.theregister.co.uk/2005/12/22/salesforce_outage/" target="_blank"&gt;Salesforce suffers gridlock as database collapses&lt;/a&gt;) and the associated Oracle press release (&lt;a href="http://www.oracle.com/corporate/press/2005_jul/salesforceonoraclegrid2.html" target="_blank"&gt;Salesforce.com’s 267,000 Subscribers To Go On Demand With Oracle® Grid&lt;/a&gt;). With wording like "one of its four data hubs collapsed" in what "appears to be a database cluster crash" I'm starting to question whether Salesforce really is as "cloudy" as they claim (and are assumed) to be. Indeed the URL I'm staring at as I use Salesforce.com now (&lt;a href="https://na1.salesforce.com/home/home.jsp" target="_blank"&gt;https://&lt;b&gt;na1&lt;/b&gt;.salesforce.com/home/home.&lt;b&gt;jsp&lt;/b&gt;&lt;/a&gt;&amp;nbsp;- emphasis mine) would suggest that it is anything but. NA1 is one of 1/2 a dozen different data centers and their "cloud" only appears as a single point when you log in (&lt;a href="http://login.salesforce.com/" target="_blank"&gt;http://login.salesforce.com/&lt;/a&gt;)&amp;nbsp;at which time you are redirected to the one that hosts your data. 
Is it any wonder then that it's Google and Amazon that are&amp;nbsp;&lt;a href="http://www.informationweek.com/news/services/saas/showArticle.jhtml?articleID=220301599" target="_blank"&gt;topping the surveys&lt;/a&gt;&amp;nbsp;now rather than Microsoft and Salesforce?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;Don't get me wrong - Salesforce.com is a great company with a great product suite that I use and recommend every day. They may well be locked in to a legacy n-tier architecture but they do a great job of keeping it running at large scale and I&amp;nbsp;&lt;i&gt;almost&lt;/i&gt;&amp;nbsp;can't believe it's not cloud. I see it as "Software. As a Service", bearing in mind that it's replacing some piece of software that traditionally would have run on the desktop by delivering it over the Internet via the browser. SaaS is, if anything, a subset of cloud and I'm sure that nobody here would suggest that any old LAMP application constitutes cloud. But we digress...&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;I honestly thought we had this issue resolved last year, having spent an inordinate amount of time discussing, blogging, writing&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Cloud_computing" target="_blank"&gt;Wikipedia articles&lt;/a&gt;&amp;nbsp;and generally trying to extract sense (and consensus) from the noise. I was apparently wrong as even our self-appointed spokesman has foolishly conceded that what can only really be described as gross negligence in IT operations and a crass act of stupidity is somehow a failure of the cloud computing model itself. I agree completely with Chris Hoff in that "&lt;i&gt;This T-Mobile debacle is a good thing. It will help further flush out definitions and expectations of Cloud. (I can dream, right?)&lt;/i&gt;" -&amp;nbsp;it's high time for us to revisit and nail the issue of what is (and more importantly, what is not) cloud once and for all.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-4172565596300903339?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=kUm13XyGJ2M:NH1tn3JgORY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=kUm13XyGJ2M:NH1tn3JgORY:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=kUm13XyGJ2M:NH1tn3JgORY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=kUm13XyGJ2M:NH1tn3JgORY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/kUm13XyGJ2M" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-10-12T14:32:29.341+02:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">14</thr:total><feedburner:origLink>http://samj.net/2009/10/if-its-dangerous-its-not-cloud.html</feedburner:origLink></item><item><title>How Open Cloud could have saved Sidekick users' skins</title><link>http://feedproxy.google.com/~r/samj/~3/7bapdu-Bers/how-open-cloud-could-have-saved.html</link><category>cloud</category><category>security</category><category>microsoft</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:59:41 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-7018545399111396495</guid><description>The cloud computing scandal of the week is looking like being the catastrophic loss of millions of Sidekick users' data. This is an unfortunate and completely avoidable event that Microsoft's Danger subsidiary and T-Mobile (along with the rest of the cloud computing community) will surely very soon come to regret.&lt;br /&gt;
&lt;br /&gt;
There are plenty of theories as to what went wrong - the most credible being that a SAN upgrade was botched, possibly by a large outsourcing contractor, and that no backups were taken despite space being available (though presumably not on the same SAN!). Note that while most cloud services exceed the capacity/cost ceiling of SANs and therefore employ cheaper horizontal scaling options (like the &lt;a href="http://labs.google.com/papers/gfs.html"&gt;Google File System&lt;/a&gt;), this is, or should I say was, a relatively small amount of data. As such there is no excuse whatsoever for not having reliable, off-line backups - particularly given Danger is owned by Microsoft (previously considered one of the "big 4" cloud companies, even by myself). It was a paid-for service too (~$20/month or $240/year?), which makes even the most expensive cloud offerings like Apple's MobileMe look like a bargain (though if it's any consolation, the fact that the service was paid for rather than free may well come back to bite them by way of the inevitable class action lawsuits).&lt;br /&gt;
&lt;br /&gt;
"Real" cloud storage systems transparently ensure that multiple copies of data are automatically maintained on different nodes, at least one of which is ideally geographically independent. Copies that live on the same SAN share a failure domain, so however many of them exist they offer no protection against that SAN failing; that is why the term "SAN" appearing in the conversation suggests this was a legacy architecture far more likely to fail. It's the same way that today's aircraft are far safer than yesterday's and today's electricity grids far more reliable than earlier ones (Sidekick apparently predates Android &amp;amp; iPhone by some years, after all). It's hard to say with any real authority what is and what is not cloud computing though, beyond saying that "I know it when I see it, and this ain't it".&lt;br /&gt;
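&lt;br /&gt;
To make the replication point concrete, here is an added example (mine, not code from this post or from any of the providers named): a toy placement policy that spreads copies across storage units and sites, plus a check that every object survives the loss of any single SAN or data centre. The fleet, domain names and object names are constructed for illustration.&lt;br /&gt;
&lt;br /&gt;
```python
"""Replica placement across failure domains.

Added example, not code from the original post.  It models the property
the post describes: several copies of each object, spread so that the
loss of any one SAN (storage unit) and of any one data centre (site)
still leaves a live copy.  Nodes, domains and object names are
constructed for illustration.
"""
import hashlib

# Constructed fleet: node name: (site, storage_unit).  A storage unit is
# what fails together (one SAN, one disk shelf); a site is what floods
# or loses power together.
NODES = {
    "n1": ("dc-a", "san-1"),
    "n2": ("dc-a", "san-1"),
    "n3": ("dc-a", "san-2"),
    "n4": ("dc-b", "san-3"),
    "n5": ("dc-b", "san-4"),
}
SITE, UNIT = 0, 1  # indexes into the (site, storage_unit) tuple


def place(obj_id, replicas, nodes=NODES):
    """Pick `replicas` nodes for obj_id.

    Pass 1 takes nodes whose site AND storage unit are both unused, so the
    first copies land in different data centres.  Pass 2 fills the rest
    from nodes on still-unused storage units.  The start offset comes from
    a hash of the id so load is spread, but placement stays deterministic.
    """
    order = sorted(nodes)
    start = int(hashlib.sha256(obj_id.encode()).hexdigest(), 16) % len(order)
    order = order[start:] + order[:start]
    chosen, used_sites, used_units = [], set(), set()
    for strict in (True, False):
        for node in order:
            if len(chosen) == replicas:
                break
            site, unit = nodes[node]
            if node in chosen or unit in used_units:
                continue
            if strict and site in used_sites:
                continue
            chosen.append(node)
            used_sites.add(site)
            used_units.add(unit)
    if len(chosen) != replicas:
        raise ValueError(f"only {len(chosen)} distinct storage units for {obj_id}")
    return chosen


def unprotected_domains(placement, nodes, kind):
    """Return the failure domains of `kind` (SITE or UNIT) whose loss would
    leave at least one object with zero live replicas.  Empty list = safe."""
    domains = sorted({meta[kind] for meta in nodes.values()})
    bad = []
    for domain in domains:
        alive = {n for n, meta in nodes.items() if meta[kind] != domain}
        if any(not alive.intersection(reps) for reps in placement.values()):
            bad.append(domain)
    return bad


def demo():
    objects = ["contacts", "calendar", "notes", "photos"]
    # What the post argues a real cloud store does: three copies, spread.
    spread = {o: place(o, 3) for o in objects}
    # What a single SAN with no independent backup looks like: every copy
    # sits on san-1, so one botched SAN upgrade takes all of them.
    single_san = {o: ["n1", "n2"] for o in objects}
    return {
        "spread_units": unprotected_domains(spread, NODES, UNIT),
        "spread_sites": unprotected_domains(spread, NODES, SITE),
        "single_san_units": unprotected_domains(single_san, NODES, UNIT),
        "single_san_sites": unprotected_domains(single_san, NODES, SITE),
    }


if __name__ == "__main__":
    for name, bad in demo().items():
        print(f"{name}: {'safe' if not bad else 'data lost if ' + ', '.join(bad)}")
```
&lt;br /&gt;
Run as a script it reports which placement loses data under which failure. The "single_san" placement is the Sidekick shape: two copies that happen to sit on the same SAN, which the check flags as unprotected against both that SAN and its site, whereas the spread placement survives the loss of any one of either.&lt;br /&gt;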
&lt;br /&gt;
Whatever the root cause the result is the same - users who were given no choice but to store their contacts, calendars and other essential day-to-day data on Microsoft's servers look to have irretrievably lost it. Friends, family, acquaintances and loved ones - even (especially?) the boy/girl you met at the bar last night - may be gone for good. People will miss appointments, lose business deals and in the most extreme cases could face real hardship as a result (for example, I'm guessing parole officers don't take kindly to missed appointments with no contact!). The cost of this failure will (at least initially) be borne by the users, and yet there was nothing they could have done to prevent it short of choosing another service or manually transcribing their details.&lt;br /&gt;
&lt;br /&gt;
The last hope for them is that Microsoft can somehow reverse the caching process in order to remotely retrieve copies from the devices (which are effectively dumb terminals) before they lose power; good luck with that. While synchronisation is hard to get right, having a single cloud-based "master" and a local cache on the device (as opposed to a full, first-class citizen copy) is a poor design decision. I have an iPhone (actually I have a 1G, 3G, 3GS and an iPod Touch) and they're all synchronised together via two MacBooks and in turn to both a Time Machine backup and Mozy online backup. As if that's not enough all my contacts are in sync with Google Apps' Gmail over the air too so I can take your number and pretty much immediately &lt;a href="http://www.prethinking.com/home/2009/10/10/what-happens-if-you-drop-palm-pre-in-beer.html"&gt;drop it in a beer&lt;/a&gt; without concern for data loss. Even this proprietary system protects me from such failures.&lt;br /&gt;
&lt;br /&gt;
The moral of the story is that externalised risk is a real problem for cloud computing. Most providers [try to] avoid responsibility by way of terms of service that strip away users' rights, but it's a difficult problem to solve because enforcing liability for anything but gross negligence can exclude smaller players from the market. That is why users absolutely must have control over their data and be encouraged, if not forced, to take responsibility for it.&lt;br /&gt;
&lt;br /&gt;
Open Cloud simply requires open formats and open APIs - that is to say, users must have access to their data in a transparent format. Even if it doesn't make sense to maintain a local copy on the users' computer, there's nothing stopping providers from pushing it to a third party storage service like Amazon S3. In fact it makes a lot of sense for applications to be separated from storage entirely. We don't expect our operating system to provide all the functionality we'll ever need (or indeed, any of it) so we install third party applications which use the operating system to store data. What's to stop us doing the same in the cloud, for example having Google Apps and Zoho both saving back to a common Amazon S3 store which is in turn replicated locally or to another cloud-based service like Rackspace Cloud Files?&lt;br /&gt;
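&lt;br /&gt;
As an added example (mine, not the post's code) of what "access to their data in a transparent format" buys you: contacts are exported as vCard 3.0, an open format any mail client can import, pushed to a stand-in for a third-party store, and then verified by actually restoring them and comparing with the live records. The contacts, the SecondStore class standing in for S3 or Cloud Files, and the field mapping are all assumptions of the example.&lt;br /&gt;
&lt;br /&gt;
```python
"""Export to an open format and prove it restores.

Added example, not the post's own code.  The portable copy the post asks
for is only useful if you can get the data back out of it, so this
writes contacts as vCard 3.0 (RFC 2426), hands the caller a digest of the
export to keep away from the store, and then reads the export back and
compares it with the live records.  The contacts and the "second store"
standing in for S3 or Cloud Files are constructed.
"""
import hashlib
import re

# Constructed sample data; the comma in the second name exercises escaping.
CONTACTS = [
    {"name": "Ada Lovelace", "tel": "+44 20 7946 0000", "email": "ada@example.org"},
    {"name": "Hopper, Grace", "tel": "+1 212 555 0100", "email": "grace@example.org"},
]
# vCard property: record field (an assumption of this example)
FIELDS = {"FN": "name", "TEL": "tel", "EMAIL": "email"}


def _escape(value):
    """vCard text escaping: backslash first, then separators and newlines."""
    value = value.replace("\\", "\\\\")
    for ch in (";", ","):
        value = value.replace(ch, "\\" + ch)
    return value.replace("\n", "\\n")


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def to_vcard(contacts):
    """Serialise records as a vCard 3.0 stream (CRLF line endings)."""
    lines = []
    for c in contacts:
        lines.append("BEGIN:VCARD")
        lines.append("VERSION:3.0")
        for prop, key in FIELDS.items():
            lines.append(f"{prop}:{_escape(c[key])}")
        lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


def from_vcard(text):
    """Parse the properties we know back into records; ignore the rest."""
    contacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "BEGIN:VCARD":
            current = {}
        elif line == "END:VCARD" and current is not None:
            contacts.append(current)
            current = None
        elif current is not None and ":" in line:
            prop, _, value = line.partition(":")
            prop = prop.split(";")[0].upper()  # drop parameters such as TEL;TYPE=CELL
            if prop in FIELDS:
                current[FIELDS[prop]] = _unescape(value)
    return contacts


class SecondStore:
    """Stand-in for an independent object store (S3, Cloud Files, a local disk)."""

    def __init__(self):
        self.blobs = {}

    def put(self, key, data):
        self.blobs[key] = bytes(data)

    def get(self, key):
        return self.blobs[key]


def export_to(store, key, contacts):
    """Write the vCard export and return its SHA-256.  Keep that digest
    somewhere the store operator cannot rewrite along with the data."""
    blob = to_vcard(contacts).encode("utf-8")
    store.put(key, blob)
    return hashlib.sha256(blob).hexdigest()


def verify_restore(store, key, expected_digest, live):
    """Fetch the export, check integrity, parse it and compare with the
    live records.  Returns (ok, reason)."""
    blob = store.get(key)
    if hashlib.sha256(blob).hexdigest() != expected_digest:
        return False, "digest mismatch: export corrupted or altered"
    restored = from_vcard(blob.decode("utf-8"))
    if restored != live:
        return False, "restore does not match live data: export is stale"
    return True, "ok"


if __name__ == "__main__":
    store = SecondStore()
    digest = export_to(store, "contacts.vcf", CONTACTS)
    print(verify_restore(store, "contacts.vcf", digest, CONTACTS))
```
&lt;br /&gt;
The digest is returned to the caller rather than stored beside the export so that a provider (or anyone with write access to the store) cannot silently replace the export and its checksum together, and verify_restore tells a corrupted export apart from one that is merely stale. A backup that has never been restored has never been tested.&lt;br /&gt;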
&lt;br /&gt;
In any case perhaps it's time for us to dust off and revisit the &lt;a href="http://samj.net/2008/09/cloud-computing-bill-of-rights-aka-ten.html"&gt;Cloud Computing Bill of Rights&lt;/a&gt;?
</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:59:41.067+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">6</thr:total><feedburner:origLink>http://samj.net/2009/10/how-open-cloud-could-have-saved.html</feedburner:origLink></item><item><title>"Bare Metal" cloud infrastructure "compute" services arrive</title><link>http://feedproxy.google.com/~r/samj/~3/-HoQ-EucRU4/bare-metal-cloud-infrastructure-compute.html</link><category>cloud</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:57:34 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-1433509435188468405</guid><description>Earlier in the year during the formation of the &lt;a href="http://www.occi-wg.org/"&gt;Open Cloud Computing Interface (OCCI)&lt;/a&gt; working group I &lt;a href="http://www.ogf.org/pipermail/capi-bof/2009-March/000029.html"&gt;described&lt;/a&gt; three types of cloud infrastructure "compute" services:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;Physical Machines&lt;/b&gt; ("Bare Metal") which are essentially dedicated servers provisioned on a utility basis (e.g. hourly), whether physically independent or just physically isolated (e.g. blades)&lt;br /&gt;
&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Virtual Machines&lt;/b&gt; which nowadays use hypervisors to split the resources of a physical host amongst various guests, where both the host and each of the guests run a separate operating system instance. For more details on emulation vs virtualisation vs paravirtualisation see a KB article I wrote for Citrix a while back: &lt;a href="http://support.citrix.com/article/CTX107587"&gt;CTX107587 Virtual Machine Technology Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://en.wikipedia.org/wiki/Operating_system-level_virtualization"&gt;&lt;b&gt;OS Virtualisation&lt;/b&gt;&lt;/a&gt; (e.g. containers, zones, chroots) which is where a single instance of an operating system provides multiple isolated user-space instances.&lt;/li&gt;
&lt;/ul&gt;While the overwhelming majority of cloud computing discussions today focus on virtual machines, the reason for making the distinction was so that the resulting API would be capable of dealing with all three. The &lt;a href="http://tweepml.org/clouderati"&gt;clouderati&lt;/a&gt; are now &lt;a href="http://www.rationalsurvivability.com/blog/?p=1371"&gt;realising&lt;/a&gt; that there's more to life than virtual machines and that the OS is &lt;a href="http://www.rationalsurvivability.com/blog/?p=1371&amp;amp;cpage=1#comment-20908"&gt;like&lt;/a&gt; "&lt;i&gt;a cancer that sucks energy (e.g. resources, cycles), needs constant treatment (e.g. patches, updates, upgrades) and poses significant risk of death (e.g. catastrophic failure) to any application it hosts&lt;/i&gt;". That's some good progress - now if only the rest of the commentators would quit &lt;a href="http://charltonb.typepad.com/weblog/2009/10/us-cia-endorses-private-cloud.html"&gt;referring to virtualisation as private cloud&lt;/a&gt; so we can focus on what's important rather than maintaining the status quo.&lt;br /&gt;
&lt;br /&gt;
Anyway such cloud services didn't exist at the time but in France at least we did have providers like &lt;a href="http://www.dedibox.fr/"&gt;Dedibox&lt;/a&gt; and &lt;a href="http://www.kimsufi.com/"&gt;Kimsufi&lt;/a&gt; who would provision a fixed configuration dedicated server for you pretty much on the spot starting at €20/month (&amp;lt;€0.03/hr or ~$0.04/hr). I figured there was nothing theoretically stopping this being fully automated and exposed via a user (web) or machine (API) interface, in which case it would be indistinguishable from a service delivered via VM (except for a higher level of isolation and performance). Provided you're billing as a utility (that is, users can consume resources as they need them and are billed only for what they use) rather than monthly or annually and taking care of all the details "within" the cloud there's no reason this isn't cloud computing. After all, as an end user I needn't care if you're providing your service using &lt;a href="http://samj.net/2008/07/future-of-cloud-computing-army-of.html"&gt;an army of monkeys&lt;/a&gt;, so long as you are. PCI compliance anyone?&lt;br /&gt;
&lt;br /&gt;
Virtually all of the cloud infrastructure services people talk about today are based on virtual machines and the market price for a reasonably capable one is $0.10/hr or around $72.00 per month. That's said to be 3-5x more than cost at "cloud scale" (think Amazon) so expect that price to drop as the market matures. Rackspace Cloud are already offering small Xen VMs for 1.5c/hr or ~$10/month. I won't waste any more time talking about these offerings as everyone else already is. This will be a very crowded space thanks in no small part to VMware's introduction of vCloud (which they claim turns any web hoster into a cloud provider) but with the hypervisor well and truly commoditised I assure you there's nothing to see here.&lt;br /&gt;
&lt;br /&gt;
On the lightweight side of the spectrum, VPS providers are a dime a dozen. These guys generally slice Linux servers up into tens if not hundreds of accounts for only a few dollars a month and take care of little more than the (shared) kernel, leaving end users to install the distribution of their choice as root. The trade-off is that the shared kernel is then the isolation boundary: a kernel bug that one tenant can trigger affects every tenant on the box, which matters when you are deciding what is in scope for something like PCI. Solaris has zones and even Windows has MultiWin built in nowadays (that's the technology, courtesy of Citrix, that allows multiple users each having their own GUI session to coexist on the same machine - it's primarily used for Terminal Services &amp;amp; Fast User Switching but applications and services can also run in their own context). This delivers most of the benefits of a virtual machine, only without the overhead and cost of running and managing multiple operating systems side by side. Unfortunately nobody's really doing this yet in cloud but if they were you'd be able to get machines for tasks like mail relaying, spam filtering, DNS, etc. for literally a fraction of a penny per hour (VPSs start at &amp;lt;$5/m or around 0.7c/hr).&lt;br /&gt;
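&lt;br /&gt;
Since the three flavours listed above differ mainly in where the isolation boundary sits, it helps to be able to tell from inside which one you actually landed on. This added example (mine, not code from the post or from any provider mentioned) classifies a Linux system as bare metal, virtual machine or OS-level virtualisation from PID 1's cgroup path, the CPUID hypervisor flag that /proc/cpuinfo lists, and the DMI vendor string. The sample /proc and DMI contents are constructed; the vendor list and cgroup patterns are heuristics, not an exhaustive catalogue.&lt;br /&gt;
&lt;br /&gt;
```python
"""Bare metal, virtual machine or OS-level virtualisation?

Added example, not code from the original post.  From inside a Linux
system the three flavours leave different fingerprints: a container
shows up in PID 1's cgroup path (or as a /.dockerenv file), a VM sets the
CPUID "hypervisor" bit that /proc/cpuinfo lists as a flag and usually
names its hypervisor in DMI, and bare metal shows neither.  The /proc and
DMI samples below are constructed; probe_live() reads the real files.
Treat the answer as a hint, not proof: a hypervisor can hide the flag and
a runtime can use custom cgroup names.
"""
import os
import re

# cgroup path fragments written by common container runtimes (heuristic)
CONTAINER_CGROUP = re.compile(r"/(docker|lxc|kubepods|containerd|podman)[/.-]")
# sys_vendor strings reported by common hypervisors (heuristic, not exhaustive)
VM_VENDORS = ("QEMU", "Xen", "VMware", "Microsoft Corporation", "innotek GmbH")


def cpu_flags(cpuinfo):
    """Return the set of flags from the first 'flags' line of /proc/cpuinfo."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return set(line.partition(":")[2].split())
    return set()


def classify(cpuinfo, cgroup, sys_vendor, dockerenv=False):
    """Return (kind, evidence).  The innermost layer wins: a container
    running inside a VM is reported as OS virtualisation, because the
    shared kernel is then the boundary that matters.  With cgroup
    namespaces /proc/1/cgroup may read just "0::/", which is why the
    /.dockerenv marker is also consulted."""
    if dockerenv or CONTAINER_CGROUP.search(cgroup):
        return "os-virtualisation", "container runtime cgroup or /.dockerenv"
    if "hypervisor" in cpu_flags(cpuinfo):
        return "virtual-machine", "CPUID hypervisor bit"
    vendor = sys_vendor.strip()
    if any(v in vendor for v in VM_VENDORS):
        return "virtual-machine", f"DMI sys_vendor {vendor!r}"
    return "bare-metal", "no hypervisor bit, no VM vendor, no container cgroup"


def _read(path, default=""):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return default


def probe_live():
    """Classify the machine this runs on."""
    return classify(
        _read("/proc/cpuinfo"),
        _read("/proc/1/cgroup"),
        _read("/sys/class/dmi/id/sys_vendor"),
        dockerenv=os.path.exists("/.dockerenv"),
    )


# Constructed samples, trimmed to the lines that matter
SAMPLE_VM_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sse2 ht hypervisor lahf_lm\n"
SAMPLE_METAL_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse sse2 ht lahf_lm\n"
SAMPLE_HOST_CGROUP = "0::/init.scope\n"
SAMPLE_DOCKER_CGROUP = "0::/system.slice/docker-0123abcd.scope\n"
SAMPLE_LXC_CGROUP = "12:pids:/lxc/web01\n"

if __name__ == "__main__":
    print(probe_live())
```
&lt;br /&gt;
probe_live() reads the real files and is what you would run on a freshly provisioned "bare metal cloud" box to check the claim; a hypervisor configured to hide the CPUID bit, or a runtime with custom cgroup names, will fool it, so treat the result as evidence rather than proof.&lt;br /&gt;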
&lt;br /&gt;
So the reason for my writing this post today is that SoftLayer this week &lt;a href="http://www.thehostingnews.com/data-center-provider-softlayer-bare-metal-cloud-service-introduced-11802.html"&gt;announced&lt;/a&gt; the availability of "Bare Metal Cloud" starting at $0.15 per hour. I'm not going to give them any props for having done so, thanks to their &lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77833018"&gt;disappointing attempt&lt;/a&gt; to trademark the obvious and generic term "bare metal cloud" and to unattractive hourly rates that are &lt;a href="http://www.google.com/search?q=.5*24*30%2B2000*.1"&gt;almost four times&lt;/a&gt; the price of the monthly packages by the time you take into account data allowances. I will however say that it's good to see this prophecy (however predictable) fulfilled.&lt;br /&gt;
&lt;br /&gt;
I sincerely hope that the attention will continue to move further away from overpriced and inefficient virtual machines and towards more innovative approaches to virtualisation.
</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:57:34.836+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><enclosure url="http://www.kimsufi.com/" length="19232" type="application/xml" /><media:content url="http://www.kimsufi.com/" fileSize="19232" type="application/xml" /><itunes:explicit>no</itunes:explicit><itunes:author>Sam Johnston</itunes:author><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2009/10/bare-metal-cloud-infrastructure-compute.html</feedburner:origLink></item><item><title>Who's lying about the Ulitzer Cloud Security Journal?</title><link>http://feedproxy.google.com/~r/samj/~3/2kSHyo9Z54Q/whos-lying-about-ulitzer-cloud-security.html</link><category>cloud</category><category>security</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:37:25 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-7760630953128447714</guid><description>I've spent the last week jetting about for meetings and &lt;a href="http://www.cloudcamp.com/"&gt;CloudCamp&lt;/a&gt;s, but now that I'm trawling through the week's news and email it seems I'm not the only one who's been busy. 
On Wednesday SYS-CON &lt;a href="http://cloudsecurity.sys-con.com/node/1118840"&gt;announced&lt;/a&gt; the &lt;a href="http://cloudsecurity.ulitzer.com/"&gt;Cloud Security Journal&lt;/a&gt; on &lt;a href="http://www.elasticvapor.com/"&gt;Reuven Cohen&lt;/a&gt;'s behalf:&lt;br /&gt;
&lt;blockquote&gt;&lt;h2&gt;Reuven Cohen Launches Cloud Security Journal&amp;nbsp;on Ulitzer&lt;/h2&gt;&lt;div class="subtitle"&gt;Providing Insight Into the Cloud Computing Security, Privacy and Related Threats&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;BY&amp;nbsp;&lt;strong&gt;&lt;a href="http://lizmcmillan.sys-con.com/"&gt;LIZ MCMILLAN&lt;/a&gt;&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;SEPTEMBER 23, 2009 10:45 PM EDT&lt;/div&gt;&lt;div&gt;&lt;a href="http://reuvencohen.ulitzer.com/"&gt;&lt;b&gt;Reuven Cohen&lt;/b&gt;&lt;/a&gt;&amp;nbsp;launched today&amp;nbsp;&lt;a href="http://cloudsecurity.ulitzer.com/"&gt;&lt;b&gt;Cloud Security Journal&lt;/b&gt;&lt;/a&gt;&amp;nbsp;on&amp;nbsp;&lt;a href="http://www.ulitzer.com/"&gt;&lt;b&gt;Ulitzer&lt;/b&gt;&lt;/a&gt;.&lt;/div&gt;
&lt;div&gt;&lt;img height="127" src="http://res.sys-con.com/story/sep09/1118840/Enomaly%20226.jpg" width="226" /&gt;Cloud Security Journal offers dedicated coverage of cloud security &amp;amp;&amp;nbsp;privacy news, practical insights and editorials that give readers a unique virtual perspective of the rapidly evolving area of cloud security, threats and privacy.&lt;/div&gt;&lt;div&gt;Reuven Cohen is Founder &amp;amp; Chief Technologist for Toronto based&amp;nbsp;&lt;a href="http://www.enomaly.com/"&gt;Enomaly Inc.&lt;/a&gt;&amp;nbsp;- leading developer of Cloud Computing products and solutions focused on enterprise businesses.&lt;/div&gt;&lt;div&gt;Enomaly's products include the Enomaly elastic computing platform, an open source cloud&amp;nbsp;platform that enables a scalable enterprise IT and local cloud infrastructure platform. 
Cohen is a thought leader in the emerging cloud computing industry and maintains a blog at&amp;nbsp;&lt;a href="http://www.elasticvapor.com/"&gt;www.elasticvapor.com&lt;/a&gt;.&lt;/div&gt;&lt;/blockquote&gt;Reuven is notorious for poking a finger in every pie, but this development is particularly controversial given the existence of the &lt;a href="http://www.cloudsecurityalliance.org/"&gt;Cloud Security Alliance&lt;/a&gt;&amp;nbsp;and his company Enomaly's average security&amp;nbsp;&lt;a href="http://samj.net/2008/11/critical-0-day-exploits-in-enomaly-ecp.html"&gt;track&lt;/a&gt; &lt;a href="http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html"&gt;record&lt;/a&gt;. He already &lt;a href="http://www.elasticvapor.com/2009/03/introducing-cloud-security-alliance-not.html?showComment=1238541840000#c4453118507016923054"&gt;ruffled feathers&lt;/a&gt; by "&lt;a href="http://groups.google.com/group/cloudforum/browse_thread/thread/b3b69279b925b40c"&gt;Introducing the CSA&lt;/a&gt;" back in March, so it struck me as odd that he should have risked a similar backlash some months later.&lt;br /&gt;
&lt;br /&gt;
Sure enough he &lt;a href="http://twitter.com/ruv/status/4323870873"&gt;vehemently denies&lt;/a&gt; any such involvement, &lt;a href="http://twitter.com/ruv/status/4324036265"&gt;adding&lt;/a&gt; that "&lt;i&gt;Scraping my RSS I can tolerate, but writing fake PR releases is going too far. Not cool.&lt;/i&gt;" Now SYS-CON (aka Ulitzer) are not the most reputable source (see Aral Balkan's "&lt;a href="http://aralbalkan.com/2284"&gt;My Sys-Con Nightmare&lt;/a&gt;" post, among others), but to announce something like this without your victim having any knowledge whatsoever seems a stretch even for them. FWIW Reuven was certainly &lt;a href="http://www.elasticvapor.com/2009/02/cloud-interoperability-magazine.html"&gt;supportive&lt;/a&gt; of the now defunct "&lt;a href="http://cloudinterop.ulitzer.com/"&gt;Cloud Interoperability Magazine&lt;/a&gt;" &lt;a href="http://xml.sys-con.com/node/1085747"&gt;launch&lt;/a&gt;, so to try it on again with security would not be unprecedented.&lt;br /&gt;
&lt;br /&gt;
I don't know who's lying about this (clearly someone is), but had this happened to me I would have immediately instructed them in writing to remove all of my content and references to my name or any of my companies (as I have &lt;a href="http://twitter.com/samj/status/4393774571"&gt;just done now&lt;/a&gt;). If that didn't work a DMCA notice and/or C&amp;amp;D letter would promptly follow. Yet Reuven has not done so. Why? It seems that in return for turning a blind eye to such indiscretions Reuven's company Enomaly is rewarded with &lt;a href="http://www.google.com/search?q=site:sys-con.com+enomaly"&gt;over 10,000 mentions&lt;/a&gt;&amp;nbsp;on sys-con.com and ulitzer.com (which was recently removed from Google's index, apparently following complaints about spamming and using others' content without permission).&lt;br /&gt;
&lt;br /&gt;
Good on them for finding a free (albeit dodgy) source of free advertising. However by selling out and being "supportive" of Sys-Con/Ulitzer - criticising them on Twitter to save face but otherwise tolerating their antics - Reuven and Enomaly are giving airtime and an unwarranted air of legitimacy to an otherwise untrustworthy organisation. Worse still, inaccurate content from unreliable sources is being actively promoted by way of syndication, press releases and SEO spamming which is damaging to the cloud computing community as a whole.&lt;br /&gt;
&lt;br /&gt;
I therefore urge Reuven Cohen and anyone else who's "&lt;a href="http://twitter.com/ruv/status/4325901119"&gt;feeling a little used and abused&lt;/a&gt;" to follow my example and &lt;a href="http://www.sys-con.com/?q=general/contactinfo.htm&amp;amp;ID=44"&gt;request removal&lt;/a&gt; from SYS-CON sites. If that doesn't work then don't hesitate to take further action in the form of DMCA notices and/or C&amp;amp;D letters.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-7760630953128447714?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=2kSHyo9Z54Q:yqyIZHnxr54:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=2kSHyo9Z54Q:yqyIZHnxr54:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=2kSHyo9Z54Q:yqyIZHnxr54:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=2kSHyo9Z54Q:yqyIZHnxr54:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/2kSHyo9Z54Q" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:37:25.697+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><feedburner:origLink>http://samj.net/2009/09/whos-lying-about-ulitzer-cloud-security.html</feedburner:origLink></item><item><title>Cloud Computing Crypto: GSM is dead. Long live GSM!</title><link>http://feedproxy.google.com/~r/samj/~3/4CGbvBnI9Lw/cloud-computing-crypto-gsm-is-dead-long.html</link><category>cloud</category><category>security</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:46:42 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-6131292265650820711</guid><description>&lt;a href="http://en.wikipedia.org/wiki/GSM"&gt;GSM&lt;/a&gt;, at least&amp;nbsp;in its current form, is dead and the &lt;a href="http://www.gsmworld.com/"&gt;GSMA&lt;/a&gt;'s &lt;a href="http://www.theregister.co.uk/2009/08/28/mobile_phone_snooping_plan/"&gt;attempts to downplay&lt;/a&gt; &lt;a href="http://www.theregister.co.uk/2009/09/04/gsm_security/"&gt;serious vulnerabilities&lt;/a&gt; in claiming otherwise reminds me of this rather famous Monty Python sketch about a dead parrot:&lt;br /&gt;
&lt;object height="340" width="560"&gt;&lt;param name="movie" value="http://www.youtube.com/v/npjOSLCR2hE&amp;hl=en&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/npjOSLCR2hE&amp;hl=en&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;
Fortunately consumers these days are savvy and have access to information with which to verify (or not) vendors' claims about security. So when they get together and say things like "&lt;i&gt;the researchers still would need to build a complex radio receiver to process the raw radio data&lt;/i&gt;" the more cynical of us are able to dig up 18-month-old threads like &lt;a href="http://www.wireshark.org/lists/wireshark-users/200802/msg00250.html"&gt;this one&lt;/a&gt; which concludes:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;So it appears you might be able to construct a &lt;a href="http://thre.at/gsm/"&gt;GSM sniffer&lt;/a&gt; from a &lt;a href="http://gnuradio.org/trac/wiki/USRP"&gt;USRP board&lt;/a&gt; and a bunch of free software, including a Wireshark patch. (It appears that one of the pieces of free software required is called "Linux" or "GNU/Linux", depending on which side of that particular debate you're on :-), i.e. it works by using Linux's tunnel device to stuff packets into a fake network interface on which &lt;a href="http://www.wireshark.org/"&gt;Wireshark&lt;/a&gt; can capture.&lt;/i&gt;&lt;/blockquote&gt;OK, so extracting the 1s and 0s from the airwaves and getting them into the most convenient (open source) framework we have for the dissection of live protocols is a problem long since solved. Not only are the &lt;a href="http://gnuradio.org/trac/wiki/USRP"&gt;schematics publicly available&lt;/a&gt;, but devices are &lt;a href="http://www.ettus.com/order"&gt;commercially available online&lt;/a&gt; for around $1,000. One would have assumed that the GSMA should have known this, and presumably they did but found it preferable to turn a blind eye to the inconvenient truth for the purposes of their release.&lt;br /&gt;
&lt;br /&gt;
The real news though is in the cracking of the A5/1 encryption which purports to protect most of us users by keeping the voice channels "secure". Conversely the control information which keeps bad guys from stealing airtime is believed to remain safe for the time being. That is to say that our conversations are exposed while the carriers' billing is secure - an "externalisation" of risk in that the costs are borne by the end users. You can bet that were the billing channels affected then there would have been a scramble to widely deploy a fix overnight rather than this poor attempt at a cover-up.&lt;br /&gt;
&lt;br /&gt;
The attack works by creating a 2Tb &lt;a href="http://en.wikipedia.org/wiki/Rainbow_table"&gt;rainbow table&lt;/a&gt; in advance which allows one to simply look up a secret key rather than having to brute force it. This should be infeasible even for A5/1's 64-bit key but "the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key" and there are other weaknesses that combine to make this possible. A fair bit of work goes into creating the table initially, but this only needs to be done once and you can buy access to &lt;a href="http://www.rainbowtables.net/products.php"&gt;the tables as a service&lt;/a&gt; as well as &lt;a href="http://project-rainbowcrack.com/buy.htm"&gt;the tables themselves&lt;/a&gt; for many common hashes (such as those used to protect Windows and Unix passwords - and no doubt GSM soon too!). The calculations themselves can be quite expensive but advances like &lt;a href="http://en.wikipedia.org/wiki/OpenCL"&gt;OpenCL&lt;/a&gt; in the recently released Mac OS X (Snow Leopard) can make things a lot better/faster/cheaper by taking advantage of extremely performant graphics processing units (GPUs).&lt;br /&gt;
&lt;br /&gt;
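As an added illustration (not code from the post), a toy rainbow table in Python: chains are precomputed once over a constructed 2**20 key space standing in for the padded 54-bit key, a lookup then recovers a key with far fewer hash operations than brute force, and the same lookup misses once per-session randomness the table could not anticipate is mixed in. The keystream stand-in, the reduction function and the chain sizes are all constructed for the demonstration, not the real attack's parameters.

```python
import hashlib

# Constructed toy parameters, not the real A5/1 figures: a 2**20 key space stands in
# for the roughly 54-bit effective space the post describes, so the table builds in
# a second or two. The trade-off is the same: NUM_CHAINS rows stored (memory) against
# CHAIN_LEN hashes walked per chain (time).
KEY_BITS = 20
KEY_SPACE = 2 ** KEY_BITS
CHAIN_LEN = 64
NUM_CHAINS = 2048
SPREAD = 2654435761  # multiplier that scatters chain start points over the key space


def keystream(key, salt=b""):
    """Stand-in for what an eavesdropper observes (8 bytes of SHA-256 over the key).

    A real table targets the cipher's keystream; any fixed function of the key will
    do for the demonstration. 'salt' models per-session randomness that a table
    built in advance cannot know about.
    """
    return hashlib.sha256(salt + key.to_bytes(8, "big")).digest()[:8]


def reduce_to_key(output, column):
    """Reduction function R_column: folds an output back into the key space.

    Using a different reduction in every column is what makes this a rainbow table
    rather than a Hellman table: two chains only merge if they collide in the same
    column, so the stored rows mostly cover distinct keys.
    """
    return (int.from_bytes(output, "big") + column) % KEY_SPACE


def start_point(row):
    return (row * SPREAD) % KEY_SPACE


def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute once: walk each chain and store only {endpoint: [start points]}.

    Intermediate keys are recomputed on demand; that is where the memory saving
    comes from.
    """
    table = {}
    for row in range(num_chains):
        key = start_point(row)
        for column in range(chain_len):
            key = reduce_to_key(keystream(key), column)
        table.setdefault(key, []).append(start_point(row))
    return table


def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the key behind 'target' with about chain_len**2 hash operations.

    Hypothesis: target sits in column 'column' of some stored chain. Walk forward
    to the endpoint; if that endpoint is stored, replay the chain from its start
    and return the key whose output is exactly 'target'. The replay check also
    discards false alarms from chains that merged after the column in question.
    """
    for column in reversed(range(chain_len)):
        key = reduce_to_key(target, column)
        for later in range(column + 1, chain_len):
            key = reduce_to_key(keystream(key), later)
        for start in table.get(key, []):
            candidate = start
            for step in range(chain_len):
                output = keystream(candidate)
                if output == target:
                    return candidate
                candidate = reduce_to_key(output, step)
    return None


def demo():
    """Build the table, recover one key, then show per-session randomness defeats it."""
    table = build_table()
    # Pick a secret known to lie on a stored chain (column 7 of row 42) so the toy
    # lookup is deterministic; real tables instead aim for high coverage of the space.
    secret = start_point(42)
    for column in range(7):
        secret = reduce_to_key(keystream(secret), column)
    recovered = lookup(table, keystream(secret))
    # Same secret, but with a nonce the precomputed chains never saw: the lookup
    # walks its candidates, verifies none of them, and returns None.
    missed = lookup(table, keystream(secret, salt=b"per-session-nonce"))
    return secret, recovered, missed


if __name__ == "__main__":
    s, r, m = demo()
    print("secret", s, "recovered", r, "salted lookup", m)
```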
Of course thanks to &lt;a href="http://en.wikipedia.org/wiki/Cloud_computing"&gt;cloud computing&lt;/a&gt; you don't even need to do the work yourself - you can just spin up a handful of instances on a service like &lt;a href="http://aws.amazon.com/ec2/"&gt;Amazon EC2&lt;/a&gt; and save the results onto &lt;a href="http://aws.amazon.com/s3/"&gt;Amazon S3&lt;/a&gt;/&lt;a href="http://aws.amazon.com/ebs/"&gt;Amazon EBS&lt;/a&gt;. You can then either leave it there (at a cost of around $300/month for 2Tb storage) and use instances to interrogate the tables via a web service, or download it to a &lt;a href="http://blogs.zdnet.com/hardware/?p=5287"&gt;local 2Tb drive&lt;/a&gt; (conveniently just hitting the market at ~$300 once off).&lt;br /&gt;
&lt;br /&gt;
Cloud storage providers could make the task even easier with services like &lt;a href="http://aws.amazon.com/publicdatasets/"&gt;public data sets&lt;/a&gt; which bring multi-tenancy in the form of de-duplication benefits to common data sets. For example, if Amazon found two or more customers storing the same file they could link the two together and share the costs between all of them (they may well do this today, only if they do they keep the benefit for themselves). In the best case such benefits would be exposed to all users in which case the cost of such "public domain" data would be rapidly driven down towards zero.&lt;br /&gt;
&lt;br /&gt;
Ignoring&amp;nbsp;A5/2 (which gives deliberately weakened protection for countries where encryption is restricted), there's also a downgrade attack possible thanks to A5/0 (which gives no protection) and the tendency for handsets to happily transmit in the clear rather than refusing to transmit at all or at least giving a warning as suggested by the specifications. A man in the middle just needs to be the strongest signal in the area and they can negotiate an unencrypted connection while the user is none the wiser. This is something like how analog phones used to work in that there was no encryption at all and anyone with a radio scanner could trivially eavesdrop on [at least one side of] the conversation. This vulnerability apparently doesn't apply where a 3G signal is available, in which case the man in the middle also needs to block it.&lt;br /&gt;
&lt;br /&gt;
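An added example (not from the post or any handset vendor) of the handset-side check the specifications call for: a small Python monitor reads constructed cipher-mode log lines, refuses A5/0 and A5/2, warns on A5/1, and flags a session as a likely downgrade when the same cell earlier negotiated something stronger or when 3G was reachable yet the call ended up unencrypted on 2G. The log format and field names are invented for the demonstration.

```python
# Constructed example of the policy the post says handsets should apply: refuse, or
# at least warn, instead of silently transmitting in the clear. The log lines and
# field names are invented and do not come from any real baseband or network.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}
POLICY = {"A5/0": "refuse", "A5/2": "refuse", "A5/1": "warn", "A5/3": "ok"}

SAMPLE_LOG = """\
2010-02-18T10:00:01 cell=1234 umts_available=yes cipher=A5/3
2010-02-18T10:05:10 cell=1234 umts_available=yes cipher=A5/1
2010-02-18T10:09:42 cell=5678 umts_available=no cipher=A5/0
2010-02-18T10:12:03 cell=1234 umts_available=yes cipher=A5/0
"""


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict."""
    timestamp, *pairs = line.split()
    record = {"ts": timestamp}
    for pair in pairs:
        key, value = pair.split("=", 1)
        record[key] = value
    return record


def weaker(cipher, reference):
    """True when 'cipher' ranks strictly below 'reference'."""
    return CIPHER_RANK[cipher] in range(CIPHER_RANK[reference])


def assess(records):
    """Apply the policy per call and flag the two downgrade patterns from the post.

    - the same cell earlier negotiated something stronger: a downgrade, not a
      network that never supported anything better;
    - A5/0 while 3G was reachable: a rogue base station would have had to block
      3G as well, so unencrypted 2G here gets a finding of its own.
    """
    best_seen = {}
    findings = []
    for rec in records:
        cipher = rec["cipher"]
        verdict = POLICY.get(cipher, "refuse")  # unknown algorithm: treat as unsafe
        reasons = []
        previous = best_seen.get(rec["cell"])
        if previous is not None and weaker(cipher, previous):
            reasons.append("downgrade from %s on cell %s" % (previous, rec["cell"]))
        if cipher == "A5/0" and rec.get("umts_available") == "yes":
            reasons.append("unencrypted 2G despite reachable 3G")
        if previous is None or weaker(previous, cipher):
            best_seen[rec["cell"]] = cipher
        findings.append((rec["ts"], cipher, verdict, reasons))
    return findings


def assess_log(text=SAMPLE_LOG):
    """Parse and assess every non-blank line of a log; returns (ts, cipher, verdict, reasons)."""
    return assess(parse_line(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for ts, cipher, verdict, reasons in assess_log():
        print(ts, cipher, verdict, "; ".join(reasons))
```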
Fortunately there's already a solution in the form of A5/3, only it's apparently not being deployed:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;A5/3 is indeed much more secure; not only is it based on the well known (and trusted) Kasumi algorithm, but it was also developed to encrypt more of the communication (including the phone numbers of those connecting together), making it much harder for ne'er-do-wells to work out which call to intercept. A5/3 was developed, at public expense, by the European Telecommunications Standards Institute (ETSI) and is mandated by the 3G standard, though can also be applied to 2.5G technologies including GPRS and EDGE.&lt;/i&gt;&lt;/blockquote&gt;That the GSMA considers a 2Tb data set in any way a barrier to these attacks is telling of their attitude to security, and going so far as to compare this to a "20 kilometre high pile of books" is offensive to anyone who knows anything about security. Rainbow tables, cloud computing and advances in PC hardware put this attack well within the budget of individuals (~$1,000), let alone determined business and government funded attackers. Furthermore groups like the &lt;a href="http://wiki.thc.org/gsm"&gt;GSM Software Project&lt;/a&gt;, having&amp;nbsp;realised that "GSM analyzer[s] cost a sh*tload of money for no good reason" are working to "build a GSM analyzer for less than $1000" so as to, among other things, "crack A5 and proof[sic] to the public that GSM is insecure". Then there's the &lt;a href="http://en.wikipedia.org/wiki/GNU_Radio"&gt;GNU Radio&lt;/a&gt; guys who have been funded to produce the software to drive it.&lt;br /&gt;
&lt;br /&gt;
Let's not forget too that, as Steve Gibson observes in his recent &lt;a href="http://www.grc.com/sn/sn-213.htm"&gt;Cracking GSM Cellphones&lt;/a&gt; podcast with Leo Laporte: "&lt;i&gt;every single cellphone user has a handset which is able to decrypt GSM&lt;/i&gt;". It's no wonder then that Apple claim jailbreaking the iPhone &lt;a href="http://www.wired.com/threatlevel/2009/07/jailbreak/"&gt;supports terrorists and drug dealers&lt;/a&gt;, but at about the same price as an iPhone ($700 for the first-generation USRP board) it's a wonder anyone would bother messing with proprietary hardware when they can deal with open hardware AND software in the same price range. What's most distressing though is that this is not news - according to Steve an attack was published some 6 years ago:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;There's a precomputation attack. And it was published thoroughly, completely, in 2003. A bunch of researchers laid it all out. They said, here's how we cracked GSM. We can either have - I think they had, like, a time-complexity tradeoff. You'd have to listen to two minutes of GSM cellphone traffic, and then you could crack the key that was used to encrypt this. After two minutes you could crack it in one second. Or if you listen to two seconds of GSM cellphone traffic, then you can crack it in two minutes. So if you have more input data, takes less time; less input data, more time. And they use then tables exactly like we were talking about, basically precomputation tables, the so-called two terabytes that the GSM Alliance was pooh-poohing and saying, well, you know, no one's ever going to be able to produce this.&lt;/i&gt;&lt;/blockquote&gt;Fortunately we users can now take matters into our own hands by handling our own encryption, given that those entrusted with doing it for us have long since been asleep at the wheel. I've got Skype on my MacBook and iPhone for example (tools like&amp;nbsp;&lt;a href="http://mofodj.net/~crashx/mobile/3G_Unrestrictor.html"&gt;3G Unrestrictor&lt;/a&gt; on a jailbroken iPhone allow you to break the digital shackles and use it as a real GSM alternative) and while this has built in encryption (already proving&amp;nbsp;&lt;a href="http://www.theregister.co.uk/2009/02/24/eurojust_voip_wiretap_probe/"&gt;a headache for the authorities&lt;/a&gt;) it is, like GSM, proprietary:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;Everything about this is worrisome. I mean, from day one, the fact that they were keeping this algorithm, their cipher, a secret, rather than allowing it to be exposed publicly, tells you, I mean, it was like the first thing to worry about. We've talked often about the dangers of relying on security through obscurity. It's not that some obscurity can't also be useful. But relying on the obscurity is something you never want because nothing remains obscure forever.&lt;/i&gt;&lt;/blockquote&gt;We all know that open systems are more secure - for example, while SSL/TLS has had its fair share of flaws it can be configured securely and is far better than most proprietary alternatives. That's why I'm most supportive of solutions like (but not necessarily)&amp;nbsp;&lt;a href="http://en.wikipedia.org/wiki/Phil_Zimmermann"&gt;Phil Zimmermann&lt;/a&gt;'s &lt;a href="http://zfoneproject.com/"&gt;Zfone&lt;/a&gt; - an &lt;a href="http://zfoneproject.com/sourcecode.html"&gt;open source implementation&lt;/a&gt; of the &lt;a href="http://zfoneproject.com/zrtp_ietf.html"&gt;open ZRTP specification&lt;/a&gt;&amp;nbsp;(submitted for IETF standardisation). This could do for voice what his ironically named &lt;a href="http://en.wikipedia.org/wiki/Pretty_Good_Privacy"&gt;Pretty Good Privacy&lt;/a&gt; did for email many years ago (that is - those who do care about their privacy can have it). Unfortunately &lt;a href="http://tools.ietf.org/html/draft-zimmermann-avt-zrtp"&gt;draft-zimmermann-avt-zrtp&lt;/a&gt; expired last week but let's hope it's not the end of the road as something urgently needs to be done about this. Here you can see it successfully encrypting a Google Talk connection (with video!):&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/SqzjGC5iy2I/AAAAAAAAAdc/rgtM3iKBEW0/s1600-h/zfone3_gtalk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/SqzjGC5iy2I/AAAAAAAAAdc/rgtM3iKBEW0/s400/zfone3_gtalk.png" /&gt;&lt;/a&gt;&lt;/div&gt;Sure there may be some performance and efficiency advantages to be had by adding encryption to compression codecs but I rather like the separation of duties as it's unlikely a team of encryption experts will be good at audio and video compression and vice versa.&lt;br /&gt;
&lt;br /&gt;
Widespread adoption of such standards would also bring us one big step closer to data-only carriers that I predict will &lt;a href="http://samj.net/2009/08/crystal-ball-data-only-carriers-to.html"&gt;destroy the telco industry&lt;/a&gt; as we know it some time soon.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-6131292265650820711?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=4CGbvBnI9Lw:8eoJZza1fz8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=4CGbvBnI9Lw:8eoJZza1fz8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=4CGbvBnI9Lw:8eoJZza1fz8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=4CGbvBnI9Lw:8eoJZza1fz8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/4CGbvBnI9Lw" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:46:42.661+01:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_7biMK_kQerY/SqzjGC5iy2I/AAAAAAAAAdc/rgtM3iKBEW0/s72-c/zfone3_gtalk.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">0</thr:total><enclosure url="http://www.youtube.com/v/npjOSLCR2hE&amp;hl=en&amp;fs=1&amp;" length="1032" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/npjOSLCR2hE&amp;hl=en&amp;fs=1&amp;" fileSize="1032" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>GSM, at least&amp;nbsp;in its current form, is dead and the GSMA's attempts to downplay serious vulnerabilities in claiming otherwise reminds me of this rather famous Monty Python sketch about a dead parrot: Fortunately consumers these days are savvy and have</itunes:subtitle><itunes:author>Sam Johnston</itunes:author><itunes:summary>GSM, at least&amp;nbsp;in its current form, is dead and the GSMA's attempts to downplay serious vulnerabilities in claiming otherwise reminds me of this rather famous Monty Python sketch about a dead parrot: Fortunately consumers these days are savvy and have access to information with which to verify (or not) vendors' claims about security. So when they get together and say things like "the researchers still would need to build a complex radio receiver to process the raw radio data" the more cynical of us are able to dig up 18 month old threads like this one which concludes: So it appears you might be able to construct a GSM sniffer from a USRP board and a bunch of free software, including a Wireshark patch. (It appears that one of the pieces of free software required is called "Linux" or "GNU/Linux", depending on which side of that particular debate you're on :-), i.e. 
it works by using Linux's tunnel device to stuff packets into a fake network interface on which Wireshark can capture.Ok so extracting the 1's and 0's from the airwaves and getting them into the most convenient (open source) framework we have for the dissection of live protocols is a problem long since solved. Not only are the schematics publicly available, but devices are commercially available online for around $1,000. One would have assumed that the GSMA should have known this, and presumably they did but found it preferable to turn a blind eye to the inconvenient truth for the purposes of their release. The real news though is in the cracking of the A5/1 encryption which purports to protect most of us users by keeping the voice channels "secure". Conversely the control information which keeps bad guys from stealing airtime is believed to remain safe for the time being. That is to say that our conversations are exposed while the carriers' billing is secure - an "externalisation" of risk in that the costs are borne by the end users. You can bet that were the billing channels affected then there would have been a scramble to widely deploy a fix overnight rather than this poor attempt at a cover-up. The attack works by creating a 2Tb rainbow table in advance which allows one to simply look up a secret key rather than having to brute force it. This should be infeasible even for A5/1's 64-bit key but "the network operators decided to pad the key with ten zeros to make processing faster, so it's really a 54-bit key" and there are other weaknesses that combine to make this possible. A fair bit of work goes into creating the table initially, but this only needs to be done once and you can buy access to the tables as a service as well as the tables themselves for many common hashes (such as those used to protect Windows and Unix passwords - and no doubt GSM soon too!). 
The calculations themselves can be quite expensive but advances like OpenCL in the recently released Mac OS X (Snow Leopard) can make things a lot better/faster/cheaper by taking advantage of extremely performant graphics processing units (GPUs). Of course thanks to cloud computing you don't even need to do the work yourself - you can just spin up a handful of instances on a service like Amazon EC2 and save the results onto Amazon S3/Amazon EBS. You can then either leave it there (at a cost of around $300/month for 2Tb storage) and use instances to interrogate the tables via a web service, or download it to a local 2Tb drive (conveniently just hitting the market at ~$300 once off). Cloud storage providers could make the task even easier with services like public data sets which bring multi-tenancy in the form of de-duplication benefits to common data sets. For example, if Amazon found two or more customers storing the same file they could link the two together and share the costs between all of them (they may well do this today, only if they do they keep the benefit for themselves). 
In the best case such benefits would be exposed to all users in which case the cost of such "public domain" data would be ra</itunes:summary><itunes:keywords>internet,security,programming,dns,web2,0,enterprise2,0,apple,google,microsoft,linux,unix,saas,networking,free,software,opensource</itunes:keywords><feedburner:origLink>http://samj.net/2009/09/cloud-computing-crypto-gsm-is-dead-long.html</feedburner:origLink></item><item><title>Amazon VPC trojan horse finds its mark: Private Cloud</title><link>http://feedproxy.google.com/~r/samj/~3/lYYnHuDMzag/amazon-vpc-trojan-horse-finds-its-mark.html</link><category>cloud</category><category>intercloud</category><category>amazon</category><category>google</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Fri, 28 Aug 2009 12:15:13 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-1349901484659615798</guid><description>Now we've all had a chance to digest the &lt;a href="http://aws.amazon.com/vpc/"&gt;Amazon Virtual Private Cloud&lt;/a&gt; announcement and the dust has settled I'm joining the fray with a "&lt;a href="http://econsultancy.com/blog/4507-25-things-journalists-can-do-to-future-proof-their-careers"&gt;scoop of interpretation&lt;/a&gt;". Positioned as "&lt;i&gt;a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud&lt;/i&gt;" the product is (like Google's &lt;a href="http://code.google.com/securedataconnector/"&gt;Secure Data Connector&lt;/a&gt; for &lt;a href="http://appengine.google.com/"&gt;App Engine&lt;/a&gt; which &lt;a href="http://googleenterprise.blogspot.com/2009/04/smore-enterprise-developer-tools-app.html"&gt;preceded&lt;/a&gt; Amazon VPC by almost 6 months) quite simply a secure connection back to legacy infrastructure from the cloud - nothing more, nothing less. 
Here's a diagram for those who prefer to visualise (&lt;a href="http://commons.wikimedia.org/wiki/File:Virtual_Private_Cloud_%28VPC%29.svg"&gt;Virtual Private Cloud.svg&lt;/a&gt; on Wikimedia Commons):&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/Spe3bgDxMBI/AAAAAAAAAdM/l4yFoVGu84k/s1600-h/virtual-private-cloud-diagram.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/Spe3bgDxMBI/AAAAAAAAAdM/l4yFoVGu84k/s400/virtual-private-cloud-diagram.png" /&gt;&lt;/a&gt;&lt;/div&gt;Notice that "private cloud" (at least in the sense that it is most often [ab]used today) is conspicuously absent. What Amazon and Google are clearly telling customers is that they don't need their own "private cloud". Rather, they can safely extend their existing legacy infrastructure into &lt;u&gt;the&lt;/u&gt; [inter]cloud using VPN-like connections and all they need to do to get up and running is install the software provided or configure a new VPN connection (Amazon uses IPsec).&lt;br /&gt;
&lt;br /&gt;
Remember, a VPN is the network you have when you're not having a network - it behaves just like a "private network" only it's virtual. Similarly a VPC is exactly that: a &lt;u&gt;virtual&lt;/u&gt; "private cloud" - it behaves like a "private cloud" (in that it has a [virtual] perimeter) but users still get all the benefits of cloud computing - including trading capex for opex and leaving the details to someone else.&lt;br /&gt;
&lt;br /&gt;
Also recall that the origin of the cloud was network diagrams where it was used to denote sections of the infrastructure that were somebody else's concern (e.g. a telco). You just needed to poke your packets in one side and [hopefully] they would reappear at the other (much like the Internet). Cloud computing is like that too - everything within the cloud is somebody else's concern, but if you install your own physical "private cloud" then that no longer holds true.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/SpfGaQeyQQI/AAAAAAAAAdU/pDEaZehPiHI/s1600-h/Trojan_horse_%C3%87anakkale.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/SpfGaQeyQQI/AAAAAAAAAdU/pDEaZehPiHI/s320/Trojan_horse_%C3%87anakkale.jpg" /&gt;&lt;/a&gt;Of course the "private cloud" parade (unsurprisingly consisting almost entirely of vendors who peddle "private cloud" or their agents, often having some or all of their existing revenue streams under direct threat from cloud computing) were quick to jump on this and claim that Amazon's announcement legitimised "private cloud". Au contraire mes amis - from my [front row] seat the message was &lt;u&gt;exactly&lt;/u&gt; the opposite. Rather than "legitimis[ing] private cloud" or "substantiating the value proposition" they completely undermined the "private cloud" position by providing a compelling "public cloud" based alternative. This is the mother of all trojan horses and even the most critical of commentators wheeled it right on in to the town square and paraded it to the world.&lt;br /&gt;
&lt;br /&gt;
Upon hearing the announcement Christofer Hoff immediately claimed that Amazon had "&lt;a href="http://www.rationalsurvivability.com/blog/?p=1294"&gt;peed on [our] fire hydrant&lt;/a&gt;" and Appistry's Sam Charrington chimed in, raising him by claiming they had also "&lt;a href="http://cloudpulseblog.com/2009/08/amazon-vpc-pees-in-pool-not-just-on-fire-hydrant"&gt;peed in the pool&lt;/a&gt;" ([ab]using one of my favourite analogies). Sam went on to say that despite having effectively defined the term Amazon's product was not, in fact, "virtual private cloud" at all, calling into question the level of "logical isolation". Reuven Cohen (another private cloud vendor) was &lt;a href="http://www.elasticvapor.com/2009/08/amazons-virtual-private-cloud-is.html"&gt;more positive&lt;/a&gt; having already &lt;a href="http://www.elasticvapor.com/2008/05/virtual-private-cloud-vpc.html"&gt;talked about it&lt;/a&gt; a while back, but his definition of VPC as "&lt;i&gt;a method for partitioning a public computing utility such as EC2 into quarantined virtual infrastructure&lt;/i&gt;" is a little off the mark - services like EC2 are quarantined by default but granular in that they don't enforce the "strong perimeter" characteristic of VPCs.&lt;br /&gt;
&lt;br /&gt;
Accordingly I would (provisionally) define Virtual Private Cloud (VPC) as follows:&lt;br /&gt;
&lt;blockquote&gt;&lt;span style="font-size: large;"&gt;Virtual Private Cloud (VPC) is any private cloud existing within a shared or public cloud (i.e. the Intercloud).&lt;/span&gt;&lt;/blockquote&gt;This is derived from the &lt;a href="http://www.ml-ip.com/html/support/glossary.html#V"&gt;best definition&lt;/a&gt; I could &lt;a href="http://www.google.com/search?q=define%3A%22virtual+private+network%22"&gt;find&lt;/a&gt; for "Virtual Private Network (VPN)".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-1349901484659615798?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=lYYnHuDMzag:D4NMHndT2Sk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=lYYnHuDMzag:D4NMHndT2Sk:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=lYYnHuDMzag:D4NMHndT2Sk:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=lYYnHuDMzag:D4NMHndT2Sk:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/lYYnHuDMzag" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-28T21:15:13.125+02:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_7biMK_kQerY/Spe3bgDxMBI/AAAAAAAAAdM/l4yFoVGu84k/s72-c/virtual-private-cloud-diagram.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://samj.net/2009/08/amazon-vpc-trojan-horse-finds-its-mark.html</feedburner:origLink></item><item><title>Twitter Pro: Best Buy's @twelpforce is full of [security] fail</title><link>http://feedproxy.google.com/~r/samj/~3/O2NlRgZHgfI/twitter-pro-best-buys-twelpforce-is.html</link><category>cloud</category><category>twitter</category><category>security</category><category>google</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Sat, 26 Sep 2009 06:18:34 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-6371767436206985540</guid><description>&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;b&gt;Update:&lt;/b&gt;&amp;nbsp;&lt;a href="http://www.enomaly.com/"&gt;Enomaly&lt;/a&gt;'s Lars-Eric Forsberg, "&lt;i&gt;the manager responsible for overseeing projects outside of our product group at Enomaly including Twelpforce&lt;/i&gt;" emailed me to let me know that they "&lt;i&gt;have taken steps to address the security issues you outlined in your post&lt;/i&gt;". 
He requested that "&lt;i&gt;[I] give [them] a head's up if [I] do notice any issues like this in the future before posting about it publicly to give [them] an opportunity to rectify the situation&lt;/i&gt;", and while it's ironic that &lt;a href="http://samj.net/2008/11/critical-0-day-exploits-in-enomaly-ecp.html"&gt;I've dealt with Enomaly&lt;/a&gt; before, &lt;a href="http://www.google.com/search?q=site:bestbuy.com+enomaly"&gt;none of the Best Buy sites&lt;/a&gt; mentioned their involvement and &lt;a href="http://bbyconnect.appspot.com/"&gt;Twelpforce&lt;/a&gt; itself still lacks contact details.&amp;nbsp;While they have enabled SSL there was no mention about third-party services unnecessarily handling corporate credentials (aside from an obscure reference to "&lt;i&gt;other mitigating factors that have been present in the environment from the beginning&lt;/i&gt;"), nor what steps were taken to audit or remediate those accounts that may have been compromised while the site was insecure.&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&amp;nbsp;&lt;a href="http://4.bp.blogspot.com/_7biMK_kQerY/SpCFUFsNR1I/AAAAAAAAAc0/LOkZPgQgh28/s1600-h/fail_stamp_sm.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/_7biMK_kQerY/SpCFUFsNR1I/AAAAAAAAAc0/LOkZPgQgh28/s320/fail_stamp_sm.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;As you know I've been paying &lt;a href="http://samj.net/2009/08/twitters-tweet-trademark-torpedoed.html"&gt;very&lt;/a&gt; &lt;a href="http://samj.net/2009/08/twitter-trademark-in-trouble-too.html"&gt;close&lt;/a&gt; &lt;a href="http://samj.net/2009/08/twitter-retries-registering-retweet.html"&gt;attention&lt;/a&gt; to Twitter this week and while trawling through their blog looking for [ab]use of various terms they're trying to trademark I found this little chestnut: &lt;a href="http://blog.twitter.com/2009/07/bestbuy-good-stuff.html"&gt;BestBuy, Good Stuff.&lt;/a&gt; Basically, "&lt;i&gt;BestBuy has created a program they call &lt;a href="http://bbyconnect.appspot.com/"&gt;Twelpforce&lt;/a&gt;. The idea is that employees from across the organization can interact quickly and easily with customers who have questions about products&lt;/i&gt;". Curious I took a look at &lt;a href="http://twitter.com/twelpforce"&gt;@twelpforce&lt;/a&gt; and was greeted with this:&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
&lt;a href="http://3.bp.blogspot.com/_7biMK_kQerY/SpCIiqlKWvI/AAAAAAAAAdE/HBo6KLT-L2I/s1600-h/Picture+71.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="164" src="http://3.bp.blogspot.com/_7biMK_kQerY/SpCIiqlKWvI/AAAAAAAAAdE/HBo6KLT-L2I/s320/Picture+71.png" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: left;"&gt;Just in case you can't see it from here (or click through to the full size version), the first tweet is:&lt;br /&gt;
&lt;/div&gt;&lt;blockquote&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;i&gt;&lt;a href="http://twitter.com/SimonTheSnowman"&gt;@SimonTheSnowman&lt;/a&gt; this is true, Best Buy will rule the world. via &lt;a href="http://twitter.com/mikelinsalaco"&gt;@mikelinsalaco&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;
&lt;/div&gt;&lt;/blockquote&gt;Here we have 12-year-old Simon of Being Freakin' Awesome, Inc. (who can be reached on 1337 and who blogs at &lt;a href="http://simonthesnowmanftw.tk/"&gt;http://simonthesnowmanftw.tk/&lt;/a&gt;) being reassured by Mikel Insalaco: "&lt;i&gt;I am the infamous Mikel Insalaco, I am kind of a big thing. Muthasuckin Mahogany and leatherbound books&lt;/i&gt;". As &lt;a href="http://siliconangle.com/ver2/2009/08/19/gartner-consulting-is-in-the-cloud-collision-failbucket/"&gt;James Watters would say&lt;/a&gt;, the critique here writes itself?&lt;br /&gt;
&lt;br /&gt;
This is in line with Dave Zatz's observations too in suggesting &lt;a href="http://www.zatznotfunny.com/2009-07/has-best-buys-twelpforce-already-failed/"&gt;Has Best Buy’s Twelpforce Already Failed?&lt;/a&gt; Dave draws attention to this classy twelpforcer tweet (among others): "&lt;i&gt;tweet tweet...im such a homo&lt;/i&gt;" - definitely not the sort of thing I'd want associated with my corporate branding, that's for sure. &lt;br /&gt;
&lt;br /&gt;
This, viewers, is what &lt;a href="http://digital.venturebeat.com/2009/08/20/twitter-to-roll-out-commercial-accounts-this-year-co-founder-stone-says/"&gt;Twitter has in mind for companies&lt;/a&gt; (having come clean after &lt;a href="http://www.techcrunch.com/2009/07/16/twitters-internal-strategy-laid-bare-to-be-the-pulse-of-the-planet/"&gt;TechCrunch aired their dirty laundry in public&lt;/a&gt;). They are so excited in fact that "&lt;i&gt;[they]&lt;/i&gt;&lt;i&gt;'ve been studying how customers and businesses interact and derive value from Twitter [and] are putting together a document based on our studies and we'll find a spot on our web site to share it with everyone when it's ready&lt;/i&gt;". Definitely looking forward to leafing through that when it's available, though I'm guessing there'll have to be some fairly aggressive pre-press filtering if this is what the raw feed looks like. Despite appearances I do rather like Twitter and hope they do well - I'm just not convinced this is how they're going to make their millions.&lt;br /&gt;
&lt;br /&gt;
Cutting to the chase, see that third tweet: "&lt;i&gt;@missladii0430 #Twelpforce If you are a Best Buy employee you can sign up here. --&amp;gt; http://tinyurl.com/kp8jwb via @Agent8819&lt;/i&gt;". That employee sign up link takes you here: &lt;a href="http://bbyconnect.appspot.com/connect/signup/"&gt;http://bbyconnect.appspot.com/connect/signup/&lt;/a&gt; See the problem yet? The first thing they ask you for is "&lt;i&gt;Please enter your Best Buy employee number and password&lt;/i&gt;", followed immediately by your "&lt;i&gt;Best Buy Corporate email address&lt;/i&gt;".&lt;br /&gt;
&lt;br /&gt;
What's that? You want my name (&lt;a href="http://consumerist.com/383426/email-addresses-for-best-buy-execs"&gt;Best Buy addresses are firstname.lastname@bestbuy.com&lt;/a&gt;), corporate email, employee number &lt;u&gt;and&lt;/u&gt; corporate password to be sent over the big bad Internet? To a &lt;a href="http://appengine.google.com/"&gt;preview release&lt;/a&gt; of a service hosted by someone else? That's ok, it's encrypted, right? WRONG. Never mind, I'll just change "http" to "https". Wrong again. Though Google App Engine supports SSL it's disabled for this application/URL so even though it looks like it works you've just been silently redirected back to the insecure address. Oops.&lt;br /&gt;
&lt;br /&gt;
So here we have Best Buy soliciting corporate credentials with no encryption whatsoever, over the public Internet (including any local, potentially unprotected wireless), to a preview release of a service they have little control over and, it gets better, verifying them in real time! If you enter random details into the form it will tell you instantly (that's right, no tarpitting or other delays) that "&lt;i&gt;Employee number or password is incorrect&lt;/i&gt;". Don't have a Best Buy employee number to try? That's ok because they're &lt;a href="http://thepolishfish.xanga.com/666681070/item/"&gt;only a Google search away&lt;/a&gt; (along with &lt;a href="http://discussion.treocentral.com/other-handhelds/130428-attn-best-buy-employees-your-bestbuy-com-email-your-ppc.html"&gt;network configuration information&lt;/a&gt; including server names) and there doesn't appear to be anything stopping you from trying as many times as you like either so brute force away.&lt;br /&gt;
&lt;br /&gt;
Normally I'd have reported this via the usual channels but they've not given any contact information whatsoever (except via public Twitter) and besides, it's such a comedy of errors that they're probably better off shutting it down than trying to fix it anyway. What I don't get more than anything else is why they would bother trying to roll their own when there are plenty of perfectly good services like &lt;a href="http://cotweet.com/"&gt;CoTweet&lt;/a&gt; and &lt;a href="http://hootsuite.com/"&gt;HootSuite&lt;/a&gt; that are being used with far better results by the likes of Ford, Coke, Pepsi, JetBlue, Sprint and Starbucks.&lt;br /&gt;
&lt;b&gt;&lt;span style="font-weight: normal;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/b&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-6371767436206985540?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=O2NlRgZHgfI:Bw3tTxqhA8w:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=O2NlRgZHgfI:Bw3tTxqhA8w:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=O2NlRgZHgfI:Bw3tTxqhA8w:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=O2NlRgZHgfI:Bw3tTxqhA8w:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/O2NlRgZHgfI" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-09-26T15:18:34.794+02:00</app:edited><media:thumbnail url="http://4.bp.blogspot.com/_7biMK_kQerY/SpCFUFsNR1I/AAAAAAAAAc0/LOkZPgQgh28/s72-c/fail_stamp_sm.jpg" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://samj.net/2009/08/twitter-pro-best-buys-twelpforce-is.html</feedburner:origLink></item><item><title>Crystal ball: Data-only carriers to destroy the telco industry RSN</title><link>http://feedproxy.google.com/~r/samj/~3/qJ7rPSXhyE8/crystal-ball-data-only-carriers-to.html</link><category>internet</category><category>crystalball</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 18 Feb 2010 18:37:07 PST</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-7867132480959973679</guid><description>This is one of those random thoughts that &lt;a href="http://twitter.com/samj/status/3479888641"&gt;fits in a tweet&lt;/a&gt; but deserves a little more explanation. Like most I currently pay around €100 a month for a mobile package that includes some texts, airtime (2+2 hours on and off peak), some data and usually some useless gimmicks (free calls at certain times or to certain phones, etc.). This of course makes it truly impossible to compare apples to apples and I almost feel like choosing the right plan should be a profession (I'm sure there must be businesses that do this for a living).&lt;br /&gt;
&lt;br /&gt;
Under the covers though it's all just 1's and 0's and it's been that way for a while - Australia turned off its analog mobile network (AMPS) while I was still there and like here in Europe uses the Global Standard for Mobiles (GSM). This shares the limited airwaves with timeslices (TDMA) and over in the US they do a similar thing with code (CDMA), probably because TDMA has timing problems when you get out to tens of kilometers (irrespective of the strength of the signal) and the US has a lot of land to cover. Point is that under the covers it's all data. Of course things have changed a bit since I was helping design Australia's first digital mobile network - now we've got 3G, LTE, WiFi, WiMax, etc. to play with too.&lt;br /&gt;
&lt;br /&gt;
Traditional telephony was what we call "circuit switched", which means it was about creating a dedicated connection between two endpoints. First these were hardwired, then switched manually by operators, then clicks on the line would operate mechanical switches at the exchange, more recently tones (DTMF) would tell chips what to do and nowadays connections are set up out-of-band over data connections. But it all still revolves around circuits, even though these days we're not tying up a pair of copper for the duration of the call, rather sending as much data as we need to when we need it (silence often uses little or no bandwidth but then we have to simulate background noise at the other end so as not to confuse the human).&lt;br /&gt;
&lt;br /&gt;
That is to say it's time we stopped thinking about circuits which tend to be billed by time (after all, the resource could not be shared when you were using it) and start thinking about data (which is typically billed by quantity transferred or bandwidth available). In other words we are paying (generally more) for our communications because of technological limitations that have long since been removed. Even Skype go to great lengths to identify which country you are calling &lt;b&gt;from&lt;/b&gt; so as to impose the legacy billing system we are used to (so many cents per minute depending on the country) rather than take advantage of what the Internet has to offer in terms of being unaffected by geography.&lt;br /&gt;
&lt;br /&gt;
Then there's texts which are an even bigger rort. These were basically an afterthought which are sent out-of-band over the relatively limited control channel - the one that's used to set up calls and so on (that's why they take a while to send and why you can jam a phone by sending/receiving too many). Knowing that everything is 1's and 0's anyway, did you ever stop to think about how many texts a minute of voice is worth (even using strong compression)? It's a *lot* but let's work it out. Full rate GSM &lt;a href="http://www.radio-electronics.com/info/cellulartelecomms/gsm_technical/audio-codecs-vocoders-amr-celp.php"&gt;consumes&lt;/a&gt; 13Kbps or just shy of 100,000 8-bit characters per minute assuming &lt;a href="http://www.google.com/search?q=%2813000*60%29%2F8"&gt;my maths&lt;/a&gt; are correct. Each SMS is 140 8-bit (or 160 7-bit) characters or &lt;a href="http://www.google.com/search?q=%28%2813000*60%29%2F8%29%2F140%29"&gt;around 700 texts per minute&lt;/a&gt;. In Australia those texts cost $0.25 each so we're paying &lt;a href="http://www.google.com/search?q=%28%28%2813000*60%29%2F8%29%2F140%29+*+.25"&gt;$175.00 a minute&lt;/a&gt; to consume the bandwidth as texts when we'd pay around $0.50 to consume it as voice. You can see why they love them now, can't you!&lt;br /&gt;
&lt;br /&gt;
The telcos have been on the gravy train for long enough at our expense and it's long since been time for the next generation of carrier to take over. There's a massive opportunity here for someone to enter the market with a data-only service and in doing so destroy the existing industry literally overnight. We've already got devices (iPhones, Android) that are more than capable of doing everything we need over data, but which are being deliberately crippled by hardware and software vendors in order to protect the legacy carriers. That's not to say that Apple and Google are to blame for contracts they are almost certainly forced into by the likes of AT&amp;amp;T, but seeing Google &lt;a href="http://googlepublicpolicy.blogspot.com/2009/08/android-and-voip-applications.html"&gt;taking the high road&lt;/a&gt; while having to concede that "&lt;i&gt;individual operators can request that certain applications be filtered if they violate their terms of service&lt;/i&gt;" is disappointing.&lt;br /&gt;
&lt;br /&gt;
Why can't we have Google Voice on the iPhone? Or use Skype over 3G (without jailbreaking and installing 3G Unrestrictor)? Or open source/open standard SIP telephony for that matter? Why are we sending texts when we have instant messaging? Or dialing in to retrieve voicemails that could just as easily be translated and/or emailed? Why are we paying for silence on the line when we should be paying for bandwidth and/or quantity of data? Why do we pay for minutes at all?&lt;br /&gt;
&lt;br /&gt;
The telcos will tell you it's to protect their networks, and ultimately to protect you, no doubt from the evils of illegal filesharing, &lt;a href="http://www.engadget.com/2009/07/29/apple-jailbreaking-encourages-cell-tower-terrorism-catastroph/"&gt;terroristing&lt;/a&gt; and child pornography. There's an element of truth to this (it only takes a few greedy customers to ruin it for the rest and as always 10% of the users use 90% of the traffic), but there are simple, effective solutions for this too. People will pay more for a premium/priority service and at the end of the day you can always rein in abusers with packet shaping. The fairest mechanism I can think of comes in the form of a logarithmic bandwidth policy whereby the more you use the slower you go, but the point is that there are solutions so this is pure FUD. My "unlimited" data connection was just throttled from 3G+ to 3G speeds at 800 Mb and again at 1000 Mb (so much for unlimited), but I'd happily pay more for a more "unlimited" service if it meant I could say goodbye to minutes and texts forever.&lt;br /&gt;
&lt;br /&gt;
It will happen - it's just a case of when (and where first). Australia's regularly used as a test market and capped ($99 all you can talk) style plans took over by storm a few years ago, so let's just help an existing innovative carrier like 3 or a new one altogether teach the incumbents a lesson, with any luck by the time I get back there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-7867132480959973679?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=qJ7rPSXhyE8:e5tf7FdAeVs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=qJ7rPSXhyE8:e5tf7FdAeVs:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=qJ7rPSXhyE8:e5tf7FdAeVs:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=qJ7rPSXhyE8:e5tf7FdAeVs:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/qJ7rPSXhyE8" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2010-02-19T03:37:07.814+01:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">3</thr:total><feedburner:origLink>http://samj.net/2009/08/crystal-ball-data-only-carriers-to.html</feedburner:origLink></item><item><title>Twitter Retries Registering Retweet</title><link>http://feedproxy.google.com/~r/samj/~3/UyJhnddAXb0/twitter-retries-registering-retweet.html</link><category>twitter</category><category>trademark</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Fri, 21 Aug 2009 09:33:09 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-4140758429187320821</guid><description>Hopefully you're not sick of hearing about Twitter, Inc's trademark woes (and yet another alliteration) because yes, they've been at it again.&lt;br /&gt;
&lt;br /&gt;
Conceding that the USPTO has &lt;a href="http://samj.net/2009/08/twitters-tweet-trademark-torpedoed.html"&gt;successfully torpedoed their trademark on "tweet"&lt;/a&gt; but otherwise undeterred they've just tried to lay claim to the more specific term "retweet" (&lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77804841"&gt;#77804841&lt;/a&gt;). While admittedly more distinctive (and therefore less problematic from a legal point of view), let's not forget that they recently came under fire from developers for unjustly suspending &lt;a href="http://retweet.com/"&gt;retweet.com&lt;/a&gt;'s &lt;a href="http://twitter.com/retweet"&gt;@retweet&lt;/a&gt; account, having announced plans for an &lt;a href="http://www.blogherald.com/2009/08/14/twitter-fighting-fake-retweets-and-will-implement-retweet-option/"&gt;official retweet function&lt;/a&gt; of their own (&lt;a href="http://mashable.com/2009/08/13/details-project-retweet/"&gt;more on Project Retweet at Mashable&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
This functionality could well prove as important for microblogging as Google's PageRank did for Internet search and it's definitely not the sort of thing we want to have locked up with a single provider. The idea is that it provides a way to value a user's contribution based on how many people (and who) retweet a user's tweets (a &lt;a href="http://fenn.posterous.com/twitter-retweet-api-is-all-about-tweetrank"&gt;TweetRank&lt;/a&gt;, for want of a better name).&lt;br /&gt;
&lt;br /&gt;
So what's the problem with Twitter, Inc registering "retweet" as a trademark? &lt;b&gt;&lt;u&gt;It's not theirs to register, that's what&lt;/u&gt;&lt;/b&gt;. That's right, the "&lt;a href="http://informationized.com/2009/07/01/statistics-on-retweet/"&gt;gesture and syntax of retweet was invented by users&lt;/a&gt;" and even Twitter's own web interface still lacks the very functionality they are trying to take control of (and will for weeks to come no less). The retweet "&lt;a href="http://fraser.typepad.com/socialtech/2009/07/retweet-other-microconventions-.html"&gt;micro-convention&lt;/a&gt;" has been &lt;a href="http://www.ruhanirabin.com/the-art-of-re-tweeting-in-twitter/"&gt;meticulously documented&lt;/a&gt; and &lt;a href="http://www.zephoria.org/thoughts/archives/2009/06/18/understanding_r.html"&gt;extensively discussed&lt;/a&gt; by active twitterers (twits?) who have gone so far as to write an &lt;a href="http://retweet.blogspot.com/2009/08/etiquette-of-twitter-retweet.html"&gt;essay on retweeting etiquette&lt;/a&gt;. Nothing I have seen anywhere credits Twitter with the invention of the retweet (which according to Google Trends &lt;a href="http://www.google.com/trends?q=retweet"&gt;took off at the start of this year&lt;/a&gt;) and in my opinion asking the authorities to remove this term from the public lexicon is &lt;u&gt;nothing short of highway robbery&lt;/u&gt;.&lt;br /&gt;
&lt;br /&gt;
It's no secret they didn't come up with the idea either. Shooting themselves in the foot once again, &lt;a href="http://help.twitter.com/portal"&gt;Twitter's help pages&lt;/a&gt; (&lt;a href="http://pastebin.com/f7d8ce45c"&gt;archived for posterity&lt;/a&gt;) define retweeting as follows (emphasis mine):&lt;br /&gt;
&lt;blockquote&gt;&lt;span style="font-size: large;"&gt;What does RT, or retweet mean? &lt;/span&gt;&lt;br /&gt;
RT is short for retweet, and indicates a re-posting of someone else's tweet. &lt;b&gt;This isn't an official Twitter &lt;a href="http://help.twitter.com/forums/10711/entries/14020"&gt;command&lt;/a&gt; or feature&lt;/b&gt;, but people add RT somewhere in a tweet to indicate that part of their tweet includes something they're re-posting from another person's tweet, sometimes with a comment of their own. Check out this &lt;a href="http://www.ruhanirabin.com/the-art-of-re-tweeting-in-twitter/"&gt;great article&lt;/a&gt; on re-tweeting, written by a fellow Twitter user, @&lt;a href="http://twitter.com/ruhanirabin"&gt;ruhanirabin&lt;/a&gt;.&lt;/blockquote&gt;So there you have it, even Twitter admit the idea isn't theirs, defining it as a verb (another surefire way to destroy a trademark) and then referring to a user article for more information. Of course that won't stop them claiming it as their own now with a view to preventing competitors from delivering it themselves.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;To put things in perspective that's about as reasonable as Google claiming ownership of our ideas because they're in their index.&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Unfortunately though I have a sneaking suspicion that Twitter will get away with it this time unless we stand our ground now. &lt;a href="http://retweet.com/"&gt;ReTweet.com&lt;/a&gt; are in a particularly good position to prevent this from happening (they already claim trademark status over the word):&lt;br /&gt;
&lt;blockquote&gt;TRADEMARK INFORMATION    &lt;br /&gt;
Retweet.com, the Retweet.com logo and other Mesiab Labs trademarks including service marks, and product and service names are Mesiab Labs trademarks or registered trademarks in the United States and in other countries (the "Mesiab Labs Marks"). All other names and designs may be trademarks of their respective owners. Users may display or use the Retweet.com and Mesiab Labs Marks only in accordance with Mesiab Labs Trademark Use Guidelines.&amp;nbsp;&lt;/blockquote&gt;Here's hoping they (or one of the &lt;a href="http://domain-search.domaintools.com/?q=retweet&amp;amp;bc=25&amp;amp;bh=A&amp;amp;order=ordered&amp;amp;pool=C&amp;amp;filter=y&amp;amp;search_type=&amp;amp;bc=rows&amp;amp;de_search=Search"&gt;many other retweet sites&lt;/a&gt;) &lt;a href="http://www.uspto.gov/web/offices/dcom/ttab/ttabfaq.htm#piq1"&gt;file an opposition&lt;/a&gt; to the trademark when the appropriate time comes.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6834535-4140758429187320821?l=samj.net' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=UyJhnddAXb0:CJBPIwgnj2k:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=UyJhnddAXb0:CJBPIwgnj2k:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:l6gmwiTKsz0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?d=l6gmwiTKsz0" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/samj?a=UyJhnddAXb0:CJBPIwgnj2k:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/samj?i=UyJhnddAXb0:CJBPIwgnj2k:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/samj/~4/UyJhnddAXb0" height="1" width="1"/&gt;</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-21T18:33:09.718+02:00</app:edited><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">2</thr:total><feedburner:origLink>http://samj.net/2009/08/twitter-retries-registering-retweet.html</feedburner:origLink></item><item><title>"Twitter" Trademark in Trouble Too</title><link>http://feedproxy.google.com/~r/samj/~3/Emw1Q3eBBbY/twitter-trademark-in-trouble-too.html</link><category>cloud</category><category>standards</category><category>twitter</category><category>trademark</category><author>samj@samj.net (Sam Johnston)</author><pubDate>Thu, 20 Aug 2009 14:07:42 PDT</pubDate><guid isPermaLink="false">tag:blogger.com,1999:blog-6834535.post-8932224538051207753</guid><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/So1WEn3LtyI/AAAAAAAAAb8/QRoUGbiLRbk/s1600-h/twitter_logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/So1WEn3LtyI/AAAAAAAAAb8/QRoUGbiLRbk/s320/twitter_logo.png" /&gt;&lt;/a&gt;&lt;/div&gt;Yesterday I apparently &lt;a href="http://search.twitter.com/search?q=tweet+trademark"&gt;struck a nerve&lt;/a&gt; in revealing &lt;a href="http://samj.net/2009/08/twitters-tweet-trademark-torpedoed.html"&gt;Twitter's "Tweet" Trademark Torpedoed&lt;/a&gt;. 
The follow up commentary both &lt;a href="http://samj.net/2009/08/twitters-tweet-trademark-torpedoed.html?showComment=1250704261117#c8739487042146409288"&gt;on this blog&lt;/a&gt; and on &lt;a href="http://twitter.com/samj"&gt;Twitter itself&lt;/a&gt; was interesting and insightful, revealing that in addition to likely losing "tweet" (assuming you accept that it was ever theirs to lose) the recently registered Twitter trademark itself (&lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77166246"&gt;#77166246&lt;/a&gt;) and pending registrations for the Twitter logo (&lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77721757"&gt;#77721757&lt;/a&gt;, &lt;a href="http://tarr.uspto.gov/servlet/tarr?regser=serial&amp;amp;entry=77721751"&gt;#77721751&lt;/a&gt;) are also on very shaky ground.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;Trademarks 101&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Before we get into details as to how this could happen let's start with some background. A trademark is one of &lt;a href="http://www.fsf.org/licensing/essays/not-ipr.xhtml"&gt;three main types of intellectual property&lt;/a&gt; (the others being copyrights and patents) in which society grants a monopoly over a "source identifier" (e.g. a word, logo, scent, etc.) in return for being given some guarantee of quality (e.g. I know what I'm getting when I buy a bottle of black liquid bearing the Coke® branding). Anybody can claim to have a trademark but generally they are registered which makes the process of enforcing the mark much easier. The registration process itself is thus more of a sanity check - making sure everything is in order, fees are paid, the mark is not obviously broken (that is, unable to function as a source identifier) and perhaps most importantly, that it doesn't clash with other marks already issued.&lt;br /&gt;
&lt;br /&gt;
Trademarks are also jurisdictional in that they apply to a given territory (typically a country but also US states) but to make things easier it's possible to use the Madrid Protocol to extend a valid trademark in one territory to any number of others (including the EU which is known as a "Community Trademark"). Of course if the first trademark fails (within a certain period of time) then those dependent on it are also jeopardised. Twitter have also filed applications using this process.&lt;br /&gt;
&lt;br /&gt;
Moving right along, there are a number of different types of trademarks, starting with the strongest and working back:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;Fanciful&lt;/b&gt; marks are created specifically to be trademarks (e.g. Kodak) - these are the strongest of all marks.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Arbitrary&lt;/b&gt; marks have a meaning but not in the context in which they are used as a trademark. We all know what an apple is but when used in the context of computers it is meaningless (which is how Apple Computer is protected, though they did get in trouble when they started selling music and encroached on another trademark in the process). Similarly, you can't trademark "yellow bananas" but you'd probably get away with "blue bananas" or "cool bananas" because they don't exist.&lt;br /&gt;
&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Suggestive&lt;/b&gt; marks hint at some quality or characteristic without describing the product (e.g. Coppertone for sun-tan lotion)&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Descriptive&lt;/b&gt; marks describe some quality or characteristic of the product and are unregistrable in most trademark offices and unprotectable in most courts. "Cloud computing" was found to be both generic and descriptive by USPTO last year in denying Dell. &lt;u&gt;Twitter is likely considered a descriptive trademark (but one could argue it's now also generic).&lt;/u&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Generic&lt;/b&gt; marks cannot be protected as the name of a product or service cannot function as a source identifier (e.g. Apple in the context of fruits, but not in the context of computers and music)&lt;/li&gt;
&lt;/ul&gt;&lt;span style="font-size: large;"&gt;Twitter&lt;/span&gt;&lt;br /&gt;
Twitter's off to a bad start already in their selection of names - while Google is a deliberate misspelling of the word &lt;a href="http://www.google.com/search?q=define%3Agoogol"&gt;googol&lt;/a&gt; (suggesting the enormous number of items indexed), the English word &lt;a href="http://dictionary.reference.com/browse/twitter"&gt;twitter&lt;/a&gt; has a well established meaning that relates directly to the service Twitter, Inc. provides. It's the best part of 1,000 years old too, derived around 1325–75 from ME &lt;i&gt;twiteren&lt;/i&gt; (v.); akin to G &lt;i&gt;zwitschern&lt;/i&gt;:&lt;br /&gt;
&lt;blockquote&gt;- verb (used without object)&lt;br /&gt;
&lt;blockquote&gt;1. to utter a succession of small, tremulous sounds, as a bird.&lt;br /&gt;
&lt;b&gt;2. to talk lightly and rapidly, esp. of trivial matters; chatter.&lt;/b&gt;&lt;br /&gt;
3. to titter, giggle.&lt;br /&gt;
4. to tremble with excitement or the like; be in a flutter.&lt;/blockquote&gt;- verb (used with object)&lt;br /&gt;
&lt;blockquote&gt;&lt;b&gt;5. to express or utter by twittering.&lt;/b&gt;&lt;/blockquote&gt;- noun&lt;br /&gt;
&lt;blockquote&gt;&lt;b&gt;6. an act of twittering.&lt;/b&gt;&lt;br /&gt;
7. a twittering sound.&lt;br /&gt;
8. a state of tremulous excitement.&lt;/blockquote&gt;&lt;/blockquote&gt;Although the primary meaning people associate these days is that of a bird, it cannot be denied that "twitter" also means "&lt;i&gt;to talk lightly and rapidly, esp. of trivial matters; chatter&lt;/i&gt;". The fact that it is now done over the Internet matters not, in the same way that one can "talk" or "chat" over it (and over telephones for that matter) despite the technology not existing when the words were conceived. Had "twitter" tried to obtain a monopoly over more common words like "chatter" and "chat" there'd have been hell to pay, but that's not to say they should get away with it now.&lt;br /&gt;
&lt;br /&gt;
Let's leave the definition at that for now as twitter have managed to secure registration of their trademark (which does not imply that it is enforceable). The point is that this is the weakest type of trademark already and some (including myself) would argue that it a) should never have been allowed and b) will be impossible to enforce. To make matters worse, &lt;a href="http://www.telegraph.co.uk/technology/twitter/5753214/Twitter-gains-entry-in-dictionary.html"&gt;Twitter itself has gained an entry in the dictionary&lt;/a&gt; as both a noun ("&lt;i&gt;a website where people can post short messages about their current activities&lt;/i&gt;") and a verb ("&lt;i&gt;to write short messages on the Twitter website&lt;/i&gt;") as well as the &lt;a href="http://www.ap.org/pages/about/pressreleases/pr_061109a.html"&gt;AP Stylebook&lt;/a&gt; for good measure. This could constitute "academic credibility" or "trademark kryptonite" depending on how you look at it.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;Enforcement&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
This brings us to the more pertinent point, trademark enforcement, which can essentially be summed up as "use it or lose it". &lt;b&gt;As at today I have not been able to find any reference whatsoever, anywhere on twitter.com, to any trademark rights claimed by Twitter, Inc.&lt;/b&gt; Sure they assert copyright ("© 2009 Twitter") but that's something different altogether - I have never seen this before and to be honest I can't believe my eyes. I expect they will fix this promptly in the wake of this post by sprinkling disclaimers and [&lt;a href="http://en.wikipedia.org/wiki/Registered_trademark_symbol"&gt;registered&lt;/a&gt;®] &lt;a href="http://en.wikipedia.org/wiki/Trademark_symbol"&gt;trademark&lt;/a&gt; (TM) and &lt;a href="http://en.wikipedia.org/wiki/Service_mark_symbol"&gt;servicemark&lt;/a&gt; (SM) symbols everywhere, but the &lt;a href="http://web.archive.org/web/20080214191841/http://twitter.com/"&gt;Internet Archive never lies&lt;/a&gt; so once again it's likely too little too late. If you don't tell someone it's a trademark then how are they supposed to avoid infringing it?&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Terms of Service&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The single reference to trademarks (but not "twitter" specifically) I found was in the &lt;a href="http://twitter.com/tos"&gt;terms of service&lt;/a&gt; (which are commendably concise):&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;We reserve the right to reclaim usernames on behalf of businesses or individuals that hold legal claim or trademark on those usernames.&lt;/i&gt;&lt;/blockquote&gt;That of course didn't stop them &lt;a href="http://www.blogherald.com/2009/08/17/twitter-claims-ownership-of-retweet-a-new-debacle-in-the-making/"&gt;suspending&lt;/a&gt; &lt;a href="http://twitter.com/retweet"&gt;@retweet&lt;/a&gt; shortly after filing for the ill-fated "tweet" trademark themselves, but that's another matter altogether. The important point is that they don't claim trademark rights and so far as I can tell, never have.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Logo&lt;br /&gt;
&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
To rub salt in the (gaping) wound they (wait for it, are you sitting down?) offer their high resolution logos for anyone to use with no mention whatsoever as to how they should and shouldn't be used ("&lt;a href="http://twitter.com/about#download_logo"&gt;Download our logos&lt;/a&gt;") - a huge no-no for trademarks which must be associated with some form of quality control. Again there is no trademark claim, no ™ or ® symbols, and for the convenience of invited infringers, no less than three different high quality source formats (PNG, Adobe Illustrator and Adobe Photoshop):&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_7biMK_kQerY/So1Y5_pYdcI/AAAAAAAAAcE/FCpnXFKQMF0/s1600-h/Picture+60.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_7biMK_kQerY/So1Y5_pYdcI/AAAAAAAAAcE/FCpnXFKQMF0/s320/Picture+60.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;Advertising &lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Then there's the advertising, oh the advertising. Apparently Twitter HQ didn't get the memo about exercising extreme caution when using your trademark; woe betide the trademark holder who refers to her product or service as a noun or a verb, yet Twitter does both, even in 3rd-party advertisements (good luck trying to get an AdWords ad containing the word "Google"):&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/So1bVHlFPjI/AAAAAAAAAcc/fgKWWlFqxEA/s1600-h/Picture+64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/So1bVHlFPjI/AAAAAAAAAcc/fgKWWlFqxEA/s320/Picture+64.png" /&gt;&lt;/a&gt;&lt;a href="http://1.bp.blogspot.com/_7biMK_kQerY/So1bXWxIf4I/AAAAAAAAAck/aX7K6cMfycc/s1600-h/Picture+63.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/_7biMK_kQerY/So1bXWxIf4I/AAAAAAAAAck/aX7K6cMfycc/s320/Picture+63.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;b&gt;Internal Misuse&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Somebody from Adobe or Google please explain to Twitter why it's important to educate users that they don't "google" or "photoshop", rather "search using Google®" and "edit using Photoshop®". Here's some more gems from the &lt;a href="http://help.twitter.com/portal"&gt;help section&lt;/a&gt;:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Now that you're &lt;b&gt;twittering&lt;/b&gt;, find new friends or follow people you already know to get their twitter updates too.&lt;/li&gt;
&lt;li&gt;Wondering who sends &lt;b&gt;tweets&lt;/b&gt; from your area?&lt;/li&gt;
&lt;li&gt;@username + message directs a &lt;b&gt;twitter&lt;/b&gt; at another person, and causes your &lt;b&gt;twitter&lt;/b&gt; to save in their "replies" tab. &lt;/li&gt;
&lt;li&gt;FAV username marks a person's last &lt;b&gt;twitter&lt;/b&gt; as a favorite.&lt;/li&gt;
&lt;li&gt;People write short updates, often called "&lt;b&gt;tweets&lt;/b&gt;"  of 140 characters or fewer.&lt;/li&gt;
&lt;li&gt;Tweets with @username elsewhere in the &lt;b&gt;tweet&lt;/b&gt; are also collected in your sidebar tab; &lt;b&gt;tweets&lt;/b&gt; starting with @username are replies, and &lt;b&gt;tweets&lt;/b&gt; with @username elsewhere are considered mentions.&lt;/li&gt;
&lt;li&gt;Can I edit a &lt;b&gt;tweet&lt;/b&gt; once I post it?&lt;/li&gt;
&lt;li&gt;What does RT, or &lt;b&gt;retweet&lt;/b&gt;, mean?  RT is short for &lt;b&gt;retweet&lt;/b&gt;, and indicates a re-posting of someone else's &lt;b&gt;tweet&lt;/b&gt;.  &lt;u&gt;This isn't an official Twitter command or feature&lt;/u&gt;, but people add RT somewhere in a &lt;b&gt;tweet&lt;/b&gt; to indicate that part of their &lt;b&gt;tweet&lt;/b&gt; includes something they're re-posting from another person's &lt;b&gt;tweet&lt;/b&gt;, sometimes with a comment of their own. Check out this great article on &lt;b&gt;re-tweeting&lt;/b&gt;, written by a fellow Twitter user, @ruhanirabin. &amp;lt;- FAIL x 7&lt;/li&gt;
&lt;/ul&gt;&lt;b&gt;Domains&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
According to &lt;a href="http://2.bp.blogspot.com/_7biMK_kQerY/So1k3wgPtFI/AAAAAAAAAcs/fcQhNQnYDVk/s1600-h/Picture+65.png"&gt;this domain search&lt;/a&gt; there are currently &lt;b&gt;6,263 domains&lt;/b&gt; using the word "twitter", almost all in connection with microblogging. To put that number in perspective, if Twitter wanted to take action against these registrants given &lt;a href="http://www.wipo.int/amc/en/domains/fees/"&gt;current UDRP rates for a single panelist&lt;/a&gt; we're talking &lt;a href="http://www.google.com/search?q=6263*1500"&gt;$9,394,500 in filing fees&lt;/a&gt; alone (or &lt;a href="http://www.google.com/search?q=6263*1500+usd+in+ngn"&gt;around 1.5 billion Nigerian naira&lt;/a&gt; if that's not illustrative enough for you). That's not including the cost of preparing the filings, representation, etc. that their lawyers (&lt;a href="http://www.fenwick.com/"&gt;Fenwick &amp;amp; West LLP&lt;/a&gt;) would likely charge them.&lt;br /&gt;
&lt;br /&gt;
If you (&lt;a href="http://samj.net/2009/08/twitters-tweet-trademark-torpedoed.html?showComment=1250758101954#c4375882586032333121"&gt;like Doug Champigny&lt;/a&gt;) happen to be on the receiving end of one of these letters recently you might just want to politely but firmly point them at the UDRP and have them prove, among other things, that you were acting in bad faith (don't bother coming crying to me if they do though - this post is just one guy's opinion and IANAL remember ;).&lt;br /&gt;
&lt;br /&gt;
I could go on but I think you get the picture - Twitter has done such a poor job of protecting the Twitter trademark that they run the risk of losing it forever and becoming a law school textbook example of what &lt;u&gt;not&lt;/u&gt; to do. There are already literally thousands of products and services [ab]using their brand and while some have recently succumbed to the recent batch of legal threats they may well have more trouble now that people know their rights and the problem is being actively discussed. Furthermore, were it not for being extremely permissive with the Twitter brand from the outset they arguably would not have had anywhere near as large a following as they do now. It is only with the dedicated support of the users and developers they are &lt;a href="http://www.techcrunch.com/2009/07/01/twitter-to-developers-tweet-your-heart-out-but-dont-twitter-it/"&gt;actively&lt;/a&gt; &lt;a href="http://www.techcrunch.com/2009/07/01/twitter-grows-uncomfortable-with-the-use-of-the-word-tweet-in-applications/"&gt;attacking&lt;/a&gt; that they have got as far as they have.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;The Problem: A Microblogging Monopoly&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
Initially it was my position that Twitter had built their brand and deserved to keep it, but that they had gone too far with "tweet". Then in the process of writing this story I re-read the now infamous &lt;a href="http://blog.twitter.com/2009/07/may-tweets-be-with-you.html"&gt;May The Tweets Be With You&lt;/a&gt; post that prompted the USPTO to reject their application hours later and it changed my mind too. Most of the media coverage took the money quote out of context but here it is in its entirety (emphasis mine):&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;We have applied to trademark Tweet because it is clearly attached to Twitter from a brand perspective but we have no intention of "going after" the wonderful applications and services that use the word in their name &lt;b&gt;when associated with Twitter&lt;/b&gt;.&lt;/i&gt;&lt;/blockquote&gt;Do you see what's happening here? I can't believe I missed it on the first pass. Twitter are happy for you to tweet to your heart's content &lt;u&gt;provided you use their service&lt;/u&gt;. That is, they realised that outside of the &lt;a href="http://en.wikipedia.org/wiki/Network_effect"&gt;network effects&lt;/a&gt; of having millions of users all they really do is push 1's and 0's around (and &lt;a href="http://www.google.com/search?q=twitter+outage"&gt;poorly at that&lt;/a&gt;). They go on to say:&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;However, if we come across a confusing or damaging project, the recourse to act responsibly to protect both users and our brand is important.&lt;/i&gt;&lt;/blockquote&gt;Today's batch of microblogging clients are hard wired to Twitter's servers and as a result (or vice versa) they have an effective microblogging monopoly. Twitter, Inc has every reason to be happy with that outcome and is naturally seeking to protect it - how better than to have an officially sanctioned method with which to beat anyone who dares stray from the path by allowing connections to competitors like &lt;a href="http://identi.ca/"&gt;identi.ca&lt;/a&gt;? That's exactly what they mean with the "when associated with Twitter" language above and by "confusing or damaging" they no doubt mean "confusing or damaging [to Twitter, Inc]".&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: large;"&gt;The Solution: Distributed Social Networking&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Distributed_social_network"&gt;Distributed social networking&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Open_standard"&gt;open standards&lt;/a&gt; in general (in the traditional rather than &lt;a href="http://politics.slashdot.org/story/09/08/03/130254/Microsoft-Redefines-Open-Standards?from=rss"&gt;Microsoft sense&lt;/a&gt;) are set to change that, but not if the language society uses (and has used for hundreds of years) is granted under an official monopoly to Twitter, Inc - it's bad enough that they effectively own the @ namespace when there are &lt;a href="http://www.inames.net/"&gt;existing open standards for it&lt;/a&gt;. Just imagine if email was a centralised system and everything went through one [unreliable] service - brings a new meaning to "email is down"! Well that's Twitter's [now not so] secret strategy: to be the "&lt;a href="http://www.techcrunch.com/2009/07/16/twitters-internal-strategy-laid-bare-to-be-the-pulse-of-the-planet/"&gt;pulse of the planet&lt;/a&gt;" (their words, not mine).&lt;br /&gt;
&lt;br /&gt;
Don't get me wrong - I think Twitter's great and will continue to twitter and tweet as &lt;a href="http://twitter.com/samj"&gt;@samj&lt;/a&gt; so long as it's the best microblogging platform around - but I don't want to be forced to use it because it's the only one there is. Twitter, Inc had ample chance to secure "twitter" as a trademark and so far as I am concerned they have long since missed it (despite securing dubious and likely unenforceable registrations). Now they need to play on a level playing field and focus on being the best service there is.&lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-weight: bold;"&gt;Update:&lt;/span&gt; Before I get falsely accused of brand piracy let me clarify one important point: so far as I am concerned while Twitter can do what they like with their logo (despite continuing to give it away to the entire Internet no strings attached), the words "twitter" and "tweet" are fair game as they have been for the last 700+ years and will be for the next 700. From now on "twitter" for me means "generic microblog" and "tweet" means "microblog update".&lt;br /&gt;
&lt;br /&gt;
If I had a product interesting enough for Twitter, Inc to send me one of their infamous C&amp;amp;D letters I would waste no time whatsoever in scanning it, posting it here and making fun of them for it. I'm no thief but I am a fervent believer in open standards.</description><app:edited xmlns:app="http://www.w3.org/2007/app">2009-08-20T23:07:42.855+02:00</app:edited><media:thumbnail url="http://1.bp.blogspot.com/_7biMK_kQerY/So1WEn3LtyI/AAAAAAAAAb8/QRoUGbiLRbk/s72-c/twitter_logo.png" height="72" width="72" /><thr:total xmlns:thr="http://purl.org/syndication/thread/1.0">8</thr:total><feedburner:origLink>http://samj.net/2009/08/twitter-trademark-in-trouble-too.html</feedburner:origLink></item><copyright>Copyright 2008 Sam Johnston - All Rights Reserved</copyright><media:credit role="author">Sam Johnston</media:credit><media:rating>nonadult</media:rating><media:description type="plain">Random rants about stuff</media:description></channel></rss>
