Safe, But Also Sorry: Security expert Bruce Schneier talks about privacy and property in the information state – Reason Magazine


A good read, I highly recommend it. I’ve always said that 9/11 was the last airline hijacking that we’ll ever see in our lifetimes. No planeload of passengers will EVER just sit back and watch another one unfold. Never. As such TSA security is an absurd and invasive example of futility. Why bother?

Pondering Interesting Data

Have a look at this map.

I love maps, and when I was a kid I thought of becoming a cartographer. I can spend hours looking at atlases, Google Earth, etc. In fact I have found Google Earth to be a wonderful companion to reading books about history. You can visualize the terrain the author is describing.

Anyway, I saw this map linked from an article on Reason Magazine’s website: Washington’s Wealth Boom: The D.C. metro area is getting richer every year. That’s a problem for the rest of America. – Reason Magazine. As you can see they were concerned about the concentration of wealth around the nation’s capital.

You see this map paints the wealthiest counties in the USA red. The statistical anomaly I noted was the areas which we tend to think of as “vacation” spots: The San Juan Islands in Washington, The Lake Tahoe region, the areas around Sun Valley Idaho, Jackson Hole, Wyoming, Park City Utah, the Colorado ski towns of Telluride, Aspen, Vail, etc. Outside of LA, SF & Seattle they pretty much make up the “rich” areas of the Western US… exclusively.

So does this mean the wealthy are not just vacationing there anymore, but have taken up permanent residence? Or was the data collection flawed? Interesting to think about.

(BTW: Can anyone explain the one county in SE Alaska? I thought the rich folks live in Anchorage?)

Last thing I’ll post about the recent weather…

I love the Internet. The fact that data about anything you might even be slightly interested in is just out there just warms the cockles of my heart. My friend Dan sent me a link to this satellite image. It was taken on the morning of December 17th, 2008. While it is focussed on Oregon, and is cropped about 60 miles south of my house, it shows the nature of the snowfall that blanketed the Northwest before Christmas. This was the morning after the snow first fell. We were expecting a dusting of an inch or two, and instead received a dump of 12 to 14 inches. I drove the boys down to Seattle that day to fly to Colorado, and this high-pressure and clear skies vanished quickly. Thankfully I had already started my timelapse gear and captured the brilliant sunrise and clear morning before those clouds you see on the western edge of the photo barreled in and delivered another foot of snow that night. I struggled home the next evening, and then got stuck in my driveway. The following week of being snowbound was sort of fun, but as it stretched into three weeks our patience ran thin.

It appears the weather has settled back to rain and in fact has now cleared – perhaps a bit of sunshine and dry weather will bring the Jaguar out of its hibernation?

Years in the making, and passing.

I was looking for a set of photos from an event in 1999 earlier today and stumbled upon this image from May of 1998. It was taken at the end of the New England 1000, where my Dad & I won our class in our first outing together in the 65E. The car was pretty fresh from its initial restoration and my Dad was freshly retired. I was living in the UK back then, but flew over to the east coast for the week. We had a blast!

While it was not really the start of either of our “car guy” lives, it certainly was the start of a very important era for the two of us. It has been over 10 years since that photo was taken. We’re both older, and a bit wiser. We’ve been on many many rallies since. From coast-to-coast “Vanishing Point” high-speed adventures, to weekend evil puzzlers. We still do our best to get out and have a blast. 😉

I hope to do at least two rallies with my Dad again this year, so stay tuned.

If you are terminally curious, I can dig up the URL for my very first rally report. Let me know.

Puffy White Clouds

Since I’m snowbound I’m working on my latest bit of professional writing. This one is about the latest over-the-top buzzword in my business “Cloud Computing”. This is a work in progress, so feel free to comment. Hit “reload” every once in a while… I’m hacking it up and reordering as we speak! 😉

Here is a soundtrack to have going as you read this (thanks Nick!)

Orb – Little Fluffy Clouds

[Andy Rooney] So what is all this buzz about “cloud computing” anyway? I really do not understand it. [/Andy Rooney]

From what you read and hear in the buzz surrounding cloud computing, it sounds like a model for how to do things that will just steamroller over the whole industry and make everything we’ve built over the past two decades obsolete. It will allow things to scale without effort, at minimal cost! It is an on-demand datacenter with ZERO capital outlay! It slices, dices, and juliennes! But even in the best-case it seems like it can only really solve a small subset of the industry’s needs. In the worst case it will be a punch line for lame jokes a few years from now, much like other over-hyped buzzwords from the past.

To be honest, I had not really thought much about cloud computing until I was asked directly about it. So I sat down, looked at everything that was running inside the facilities I manage, pulled out Occam’s Razor and started slicing. The first cut was on myself, or at least on my perspective. As a user, what would I want to put “out in a cloud”? What sub-set of my data could safely run on top of a completely unknown and amorphous infrastructure? As a provider, how could I make the cloud model work? How could I build the hard assets required to run a “cloud” and survive in the marketplace? At one level, I totally get the concept. It is sexy as hell. Total software abstraction from the hardware layer. Stuff running everywhere and anywhere. In reality though, I can’t see how it can come to fruition in the traditional commercial model of setting up as a service provider and charging users for it. Like a centerfold model in the flesh, without benefit of an army of stylists before the shoot and a heavy dose of Photoshop afterwards, the sexiness wears off fast. Cloud computing has a lot of unrealistic hopes and desires obscuring plenty of flaws, blemishes, and unresolved issues.

As a user, I could not immediately think about any process running that I would want to throw out onto a “cloud”, so I started with the stuff I knew I could never let go of. Mind you, not that I wouldn’t want to let go of it, just that there was always some aspect about it that keeps it from leaving the building.

First on the list is something that is fresh on my mind: Payment Card involved and/or ecommerce systems. We just helped a client survive a rather intense PCI-DSS audit. The auditors have a very clear idea of exactly what they want to see in terms of server infrastructure, software configuration, and network deployment. Deviations from the script are hard to get away with. Paramount to everything is the ability to audit. To see where, when, and how payment card data is used. When they ask “where is X?” You have to point to a specific spot (be it a server, a file system, or a database table) and say “X is right there.” You also have to be able to prove that X has not been altered without record of it, nor has ever left the building in an insecure or unencrypted state. So can any of this be trusted to a cloud? I doubt it. A cloud is amorphous and indistinct. It is layer 7 abstracted from all the lower layers. You can’t audit a cloud. It is virtual. Sure, we all know that it translates to a physical manifestation at some point, but can you touch it? Can you audit, with absolute certainty its filesystems, logs, and physical access? Can you be absolutely certain that it is physically secure? Can you be absolutely certain that its virtualized filesystems are not mingled on a physical disk with somebody else’s data? ABSOLUTE CERTAINTY is required for compliance. You can’t find absolute certainty out there in a cloud by definition.

What goes for PCI also goes for all those other Fully-Acronym-Compliant compliance regulations out there. HIPAA, SOX, SAS70, GLBA, etc. No matter what industry you operate in, there are some regulations somewhere that you either have to be compliant with now, or will have to be in the near future. Further it is difficult to fully detach those systems that require compliance with other corporate systems that interact with them.

Additionally as so many IT managers have learned through hard lessons, data retention for legal purposes is also vital these days. At an ISP I dealt with data retention requests from various law enforcement as well as State or Federal courts routinely. In corporate environments issues of civil and contractual liability also play into data retention. This has traditionally been in the realm of email, but can theoretically extend to any and all corporate communications, documentation, applications, and data. Frequently this transforms into third parties wanting physical access to the data, and just as importantly, audit trails of who has access to the data and systems. Here again Cloud Computing isn’t going to fly because it lacks the absolute certainty that auditors and legal systems require.

So if you have to have audit-safe data, cloud computing is out. If you have to live by any retention rules, which cover more and more data types each year, the cloud gets ruled out. So is cloud computing just a solution in search of a problem? If it can not really contain core corporate data, what is it good for? Well… Edge cases.

If you Google the term “cloud computing success stories” you get lots of press releases from cloud computing providers and startups, but very few actual success stories. Those that are there are all edge cases. Situations where prototype applications endure fast scaling, such as a Facebook plug-in, or video content. Cloud deployment allows a startup with limited capital to ride somebody else’s infrastructure to scale quickly, but what happens when they need to, in that term that Biz Dev types love so much, “Monetize” it? Once you start down that path you become entangled in regulatory and compliance realms. That startup is going to HAVE to deploy some of their own infrastructure to support that, and revert to some hybrid-mode usage of cloud computing. The cloud can not contain anything “critical”, only things that overwhelm your ability to scale them. Even then, that deployment may only be temporary, until you can build up your own infrastructure. A start-up could use the cloud as a crutch until it could stand on its own so to speak.

So in the end, the cloud is a place to put things of little importance. Items of a temporary nature. Much of the Internet can be described as items of little importance, so perhaps there is something to the Cloud concept. The hard part then becomes making it pay. So then from the cloud provider’s perspective, how can you build a successful business on temporary items & users? Every successful Internet business has been built on the concept of reoccurring revenue. Being hit-and-run by a series of resource-hogging customers doesn’t sound like sound business strategy to me.

The old adage is true… There Is No Free Lunch.
Those of us who have built and maintained datacenters on a scale required to truly handle anything thrown at them know that doing so is NOT cheap. The bill has to be paid at some point. Wildly popular web apps with no revenue won’t pay the cost of the servers, much less the electricity bill. I can’t see how the cloud providers can spend the cash to build out the infrastructure and then have enough margin in the usage charges to enjoy healthy profits. They will have to keep their usage percentages high to stay ahead of the capital expenditure curve. Just like all the previous iterations of shared computing resources in the past though, as actual usage goes up, performance goes down. So if they are successful in keeping usage high, they’ll have to keep spending more capital to expand and upgrade their infrastructure. This sounds like Sisyphus on roller skates.

I always like to boil down complex concepts to overly simple descriptions. They help clarify so much fuzzy thought. For example I have always said that the definition of a datacenter is “A place where electricity gets transformed into bits, on a very large scale.” Think about it, power goes in, bits come out. The by-product of that large scale process is heat, which plays into the definition a tad, but otherwise that is a datacenter in a nutshell. So let’s boil Cloud Computing down to its most basic definition: Cloud Computing is Datacenter-on-demand.

Datacenters, as we know, are capital-intensive places. They are expensive to build, and expensive to run. It is very hard to deliver something so large and unwieldy in an instant to meet sudden demand. Even using modular techniques. Demand fluctuates, and unless you are going to charge usurious rates when demand comes in, you will be burning cash at terrifying rates when demand is down. The fire will continue to burn even when demand is moderate. When demand suddenly scales upward, it is unlikely you can meet it, unless you have phenomenal amounts of unused capacity lying around burning capital. You can not have truly scalable, redundant, reliable datacenter infrastructure at low cost. The capital and return on that capital have to come from somewhere. The lifetime of a datacenter facility averages between 5 and 15 years. The lifetime of a server is even less, 18 to 36 months. No Cloud Provider wants to be a break-even prospect, much less a money-losing one. So how will any of them survive unless they charge their users far more than it costs to build and run their facilities? See the bowl-swirling process trap here awaiting the potential Cloud Computing provider?

Another thing to consider: So when the provider goes tango-uniform what happens to all your data out there in the clouds? It evaporates. Good thing it wasn’t anything critical eh?

The only real successful “Cloud Provider” today is Amazon, with their AWS services, and their current stance actually backs up my viewpoint. If you read their User Agreement “carefully” as they request that you do prior to signing up, it lays out a service that really should not be used for anything critical or sensitive. It is clear that their model is selling unused capacity on their own systems, and while they’ll be as nice as they can while you are a (paying) guest there, their needs come first. With anything from 60 down to 5 days notice they can terminate the bargain, with cause or without. They also state that neither security nor uptime is guaranteed and that they can suspend the service pretty much at any time they wish, and have no liability to their customers whatsoever in that event. This works fine for low-usage stuff, non-critical software infrastructure, and meaningless items of temporary interest… but it will not fly for mission-critical corporate IT functions.

Finally, one thing I think happens often in the business is Buzzword Overlap. People throw the Buzzword du Jour at whatever concept they are trying to sell. The overlap I see a lot in the Cloud-space right now is “Software as a Service” aka “SaaS”. SaaS can use a cloud as its underlying infrastructure but SaaS is NOT a “cloud.” So before you start firing up a flaming rebuttal to my thoughts, get out your own mental knife and cut away the SaaS components from your Cloud ones. I feel that SaaS and other online applications have a strong future. I look at the stuff running in the facilities I manage and good portions of it are SaaS delivery of some sort. The whole mobile market and most web applications are SaaS of some sort or another. The SaaS market is in its toddlerhood, having evolved from the previous buzzword “Application Service Provider” … same idea, different name. Google for example is not a cloud provider per se, they are an application (search, video, mail, chat, etc) provider who happens to use cloud technologies to support their applications. You don’t buy compute or datacenter capacity directly from Google, you buy application time online. SaaS has a future.

So what does the future hold for Cloud Computing? I think that as an underlying technology it makes a lot of sense. Anyone developing software should do it with the assumption that it will run across many machines and many locations. As a business model though? If I were a Venture Capitalist I’d be chasing people out of my office as soon as they used the phrase. I foresee a lot of “Cloud Computing” startups evaporating like their namesake.

Exhaustion & Energy.

Highway Hypnosis!

Last night I almost fell asleep at the wheel.

It is hard to believe because “endurance driving” is something I love… something of a hobby. Nothing to me is more pleasurable than hopping behind the wheel and reeling off 300-700 miles at a clip. Last night though, I started nodding off around 200 miles into the route. Thankfully I realized this, right as a sign loomed out of the darkness, as if speaking DIRECTLY to me: “Tired? Rest area ¾ mile.” I slapped myself on the left cheek (face you filthy-minded reader!) and made that short distance, pulled into a parking space, reclined my seat, and literally in an instant fell into a deep restful sleep lasting several hours.

Ironically I’ve been personally & professionally in something of a state of … well… not quite sleep but certainly in slumber. An event yesterday shook me awake from it and sent me on my way. What “my way” will be is uncertain actually, but is not relevant to this bit of story.

Stories. Stories are very important to our species. I found this quote while reading a bedtime story, Crow & Weasel by Barry Lopez to my sons when they were young; and it struck me as vitally important, lodging itself into my brain since that evening more than a decade ago…

“I would ask you to remember only this one thing, the stories people tell have a way of taking care of them. If stories come to you, care for them. And learn to give them away where they are needed. Sometimes a person needs a story more than food to stay alive. That is why we put these stories in each other’s memory. This is how people care for themselves. One day you will be good storytellers. Never forget these obligations.” -Badger

Sometimes we do need stories more than food to stay alive. Last night however, I just needed a few hours rest to stay alive, and I found it at the Indian John Hill Rest Area on I-90. After I awoke and resumed my journey the events of the prior day exploded in my head. I realized that this is what caused my fatigue. My mind was reeling with galaxies of new information, new insight, new opportunities, and new ways of seeing things. I was thinking, NOT driving. Driving to me is a Zen-like activity. Complete concentration with minimal thought, only action. I become hyper-aware and my mind becomes blank… an input processor whose sole task is to absorb the environment around it – and my body becomes an output device at the whim of my mind. My drive last night was different because I could not empty my mind and drive. It was tumbling in somersaults through a new-found universe I had just discovered right under my nose, and applying all those thoughts and concepts to my future. It refilled my “gumption tank” but prevented me from performing the task at hand, namely safely driving home. My body surrendered to my brain there on Indian John Hill and I slept like a baby, despite the December chill.

Gumption Tank. That is a phrase I’m borrowing from another great story. Namely Robert Pirsig’s Zen and the Art of Motorcycle Maintenance, one of the finest stories I have ever read. It is an honest inquiry into values, thought, and life. Pirsig’s story literally goes out beyond the edges, covering a lot of ground, some familiar enough to be mundane, other territory that lies beyond the edge of the map of our minds… where monsters lie. At several points in his story he speaks of motivation (gumption), and things that sap our motivations (gumption traps). As I drove across the dry scrublands of eastern Washington yesterday I recognized all the little gumption traps that I had fallen into, or attached themselves to me over the past few years… and when I awoke in the chill predawn on Indian Jim Hill I had climbed out of, or cast them all off. No matter what life has in store for me over the next few years, at least I have some gumption back.

Man, does it feel good.