Phillip Hallam-Baker's Web Security Blog

Security costs real time and money. What I often find hard to explain to programers is that what they might imagine to be a trivial effort can quickly mount up.

Take for example, the fact that my effort to install Ubuntu to drive my CNC lathe had me drilling into the case of a server with a drill this morning.

Why does it take an electric drill to install ubuntu? Well it shouldn't but it does require a DVD drive as opposed to a CDRom drive as claimed. And I don't have a DVD drive on the ancient machine in question, only CDRom. And the BIOS would not boot from a USB DVD drive. So I have to take the DVD drive out of another aged server, only the key to the case has been lost, hence the drill. And I could not do that last night when the kids were in bed, I had to wait till first thing this morning.

And the need for a DVD drive in turn is caused by the fact that the ubuntu distribution is now 700Mb and the design capacity of a CDRom is 650Mb. So after several hours of 'persuasion' to get the ISO to burn on a CD I found that the drivers on the machine won't boot from a CDRom of more than 650Mb, it just hangs.

And these are the real problems of computer administration. None of these steps is difficult, and the problems will all be forgotten after success is achieved. But each little problem soaks up a few minutes or a few hours of time

Posted by Phillip Hallam-Baker at 8:28 AM | Permalink | Comments (0)

So what is edge caching? Edge caching is simply provision for a network content cache at the point where a local ISP network joins the Internet at large. It is not a new idea, pretty much every Web browser in use today supports HTTP proxy caching. the difference is scale. A HTTP proxy cache does not typically keep copies of video resources.

In recent years edge caching has been rather less fashionable than Napster style 'peer-2-peer'. P2P bypasses the need for the ISP to invest in cache infrastructure by conscripting end user machines as caches. This is good for the P2P provider but very bad for the ISP as the content will now travel over the most constrained part of the ISP's network multiple times.

The value of edge cachine is already known to companies like Akamai of course. But Akamai is a proprietary scheme. Google recently began work to build out a similar scheme and there will be many more as Internet video on demand becomes an increasingly bigger market.

So pity the poor ISP who is expected to provide space and power for all these boxes in their endpoints. If any economics student is looking for a thesis topic, try predicting which parties will benefit from this particular arrangment during the introductory phase and then again some years later once consumers have reliable ways of measuring network performance being delivered.

My rough model suggests that under the proprieatry cache model each party benefits at exactly the wrong time. In the short term, some ISPs may gain a modest revenue stream but in the longer term content is king.

Rather than waiting passively for the content distribution companies to come along with their boxes, a better strategy for the ISPs would be to develop a model that puts the edge cache under their control, allowing the ISP to determine the choice of hardware/software platform and which content content is cached.

The design of a network protocol for such a scheme may be left as an exercise for the (graduate) student. A discovery mechanism will be required (hint, SRV records in the reverse DNS) and some means of breaking content up into manageable chunks. And in the case of really popular content there will be a need for load balancing amongst local servers.

The rather more interesting issue is the security considerations that arise. Who gets to store content? Who gets to retreive it? When is content deleted? How are questions of copyright ownership decided?

Posted by Phillip Hallam-Baker at 6:45 AM | Permalink | Comments (0)

While most of the United States was watching the Pittsburgh Steelers win the superbowl with a last minute touchdown, Comcast viewers in Arizona had their football interrupted by a pornographic video.

While the cause of the disruption is not yet known, it stretches credibility to believe that this was operator error. Most likely it will turn out to be an act of vandalism by a disgruntled employee or an external attacker. In either case, we need to know quickly as casual attacks by vandals tend to be followed by professional attacks for profit.

At a minimum the attacker has demonstrated the ability to map one cable channel onto another. But imagine that the attacker had the ability to inject arbitrary content into the New York city cable feed for Bloomberg or CNBC. It really isn't very difficult to see how a profitable stock manipulation fraud can be set up.

The big problem with electronic media is establishing authenticity. As we come to rely on electronic information sources, the risk of being fed spurious data increases. Unless we take the problem seriously soon, others will force us to take it seriously.

Posted by Phillip Hallam-Baker at 5:21 AM | Permalink | Comments (0)