* Posts by Anthony Knee

4 publicly visible posts • joined 12 Oct 2007

Seagate customers swamped by Barracuda drive failures

Anthony Knee
Boffin

Amstrad and RAID 6

Why do people think Seagate are so good? Failed Seagate drives caused huge problems for Amstrad. Amstrad lost millions, took Seagate to court and won. Buy a variety of brands and reduce the risk.

RAID 5 isn't really suitable for large drives or large arrays. RAID 6 is fast becoming popular, especially so in larger arrays for enterprise etc. With two drives instead of one for parity you don't have to worry about the time-consuming and intensive rebuild process killing off another drive. You really can't afford to have another drive fail whilst going through the rebuild process because you have no redundancy. (RAID 6 requires a minimum of four drives.)

In a RAID 6 system with six drives you could have two from WD, two from Seagate and two from Hitachi; you could then have both drives fail from one of the manufacturers and still read your data. This gives you brand redundancy and will protect you from design faults (provided you limit each manufacturer to two drives or less in a single array).

Resellers get shirty over FixITlocal

Anthony Knee

Debate and Discussion are healthy

The indie sector is currently busier than it ever has been. The market is shifting and changing, the internet is adjusting the current models and everyone is working harder than usual.

Cowboys exist in every industry and at every level, the IT industry is no exception. Organisations like the PCA, ITACS, Brigantia and NASCR have never been more important than they are now. The groups gaining members are the ones that are changing. Businesses that are members of these organisations are far less likely to go bankrupt and most are not cowboys - the cowboys wouldn't dare join!

John Carter decided to ditch PowerPoint and ad-libbed most of the time. He then fielded a ton of questions - many of which were difficult and without an answer. The whole thing turned into a passionate debate with people from both sides passing comment. The PCA has never been this interesting, ever.

We also had someone from BERR (the department formerly known as the DTI) who was able to answer some difficult questions about WEEE.

Both presenters left people wanting more and that is the way things should be.

If anyone thinks the indies are dead they should think again. They are alive and kicking - just ask John if you don't believe me.

The indies are here to stay and are fighting back. If you want another opinion, ask DSG - who wanted to sell nothing but Vista and their portables and desktops were unsold whilst the indies were selling XP portables and desktops by the lorry load.

Fasthosts customer? Change your password now

Anthony Knee
Boffin

FTP and email standards

FTP passwords are always sent in the clear. It's in the standard. Most large ISPs use FTP by default and few have secure alternatives. Most consumers tend to use and rely on passwords being sent in the clear. There is nothing wrong with passwords being in the clear if you trust the networks between the two endpoints.

Fasthosts mentioned a network intrusion so someone was probably sniffing packets and collecting passwords. You can see how easy this is by loading up something like Ethereal on your own computer and having a look at the packets going in and out of your computer. I am sure that around 95% of the readers here (if they look hard enough) will see their passwords coming and going in the clear.

At Keen Computers we don't allow our hosting customers to have FTP accounts. Customers have to use secure FTP instead. This involves the use of certificates and software like WinSCP. We have been using this technology for more than three years now. It adds to our support costs, but it increases security. We also force the use of HTTPS for the control panels - more certificates.

We have recently implemented secure email and are testing this with a small number of users. It has taken us hundreds of hours of testing to get to this point. This again requires yet more certificates and greater customer support and education which is expensive. So I am guessing that it will take a year or two for us to migrate all of our customers onto secure email.

Fasthosts is not necessarily the company to blame here. Some of the fault lies with Microsoft and the other developers of the software in use at Fasthosts. (With Windows web server 2003 for instance, only basic FTP is available and additional software has to be purchased and/or installed into the servers to add the security.)

The hosting market is very competitive and profits are almost non-existent so customers get what they want. End users want to use FTP because almost all the relevant end user applications use or support FTP. This is why web companies are still using old-fashioned protocols like FTP. If the large ISPs stopped using FTP they would lose 50% of their customers overnight and would have to spend millions on support - they cannot afford either of these options.

Fasthosts are correct to say that unencrypted passwords are standard / normal etc - they will be until everyone stops using FTP. Perhaps this incident will help move the industry towards secure FTP. (Microsoft have a good opportunity to change things because they have a new server operating system in beta.)

I am not naive enough to think we are totally secure at Keen Computers because at any time, I am aware of half a dozen or more weaknesses in the security of our systems (and hence the security of every other hosting company too.) Finding an ideal solution to them is not yet possible, too expensive or just not practicable. The security experts around the world are constantly working on the problems and discussing new ideas though. Eventually, new solutions are formulated, new applications are developed, new procedures are laid out and new standards agreed upon - and so every now and again we have the ability to raise our security to a higher level.

The number and types of threats against all of us are increasing all the time. Every single computer in existence at the moment is insecure - it's just that we don't always know how they are insecure or we don't want to pay the additional costs. The safest form of hosting would be a managed dedicated server - but they cost around £50 per month. Most people though will take the risk, save the planet and go for shared hosting instead.

A lot of the security problems today are all about trust - hence the certificates with everything to define who and what can we trust. Things get very political very quickly and anyone too paranoid ends up trusting nobody. We have to trust the suppliers, the developers, Microsoft, the network engineers, the sysadmins and even the users - but at the same time we have to keep up the pressure and encourage them to do better. In the past, there was too much trust, malware didn't exist and we all thought every program could be trusted to play by the rules - those days are long gone.

Anthony Knee

CTO, Keen Computers
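
The cleartext login described in the post above can be audited from captured control-channel lines. This is an added example, not part of the original post or any Keen Computers tooling: it flags sessions where `PASS` was sent without a successful `AUTH TLS` upgrade (the RFC 4217 mechanism, assumed here as the secure alternative), including the case where the server refuses TLS and the client falls back. The transcript format and sample lines are constructed.

```python
import re

# Constructed sample (not real traffic): "<session> <C|S>> <control-channel line>".
# After a 234 reply the channel is encrypted, so a capture shows nothing further.
SAMPLE = """\
s1 S> 220 FTP server ready
s1 C> USER alice
s1 S> 331 Password required
s1 C> PASS hunter2
s1 S> 230 Logged in
s2 S> 220 FTP server ready
s2 C> AUTH TLS
s2 S> 234 Proceed with negotiation
s3 S> 220 FTP server ready
s3 C> AUTH TLS
s3 S> 502 Command not implemented
s3 C> USER bob
s3 C> PASS s3cret
"""

LINE = re.compile(r"^(\S+) ([CS])> (\S+) ?(.*)$")

def audit(transcript):
    """Return {session: finding} for logins whose PASS crossed the wire unencrypted."""
    state, findings = {}, {}
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, side, word, rest = m.groups()
        st = state.setdefault(
            sid, {"pending": False, "tried": False, "tls": False, "user": None})
        if side == "S":
            if st["pending"]:  # first reply after AUTH decides the outcome
                st["tls"], st["pending"] = word == "234", False
            continue
        verb = word.upper()
        if verb == "AUTH":
            st["pending"] = st["tried"] = True
        elif verb == "USER":
            st["user"] = rest
        elif verb == "PASS" and not st["tls"]:
            reason = "TLS refused, client fell back" if st["tried"] else "TLS never requested"
            findings[sid] = {"user": st["user"], "reason": reason}  # password is never stored
    return findings

if __name__ == "__main__":
    for sid, f in audit(SAMPLE).items():
        print(sid, f["user"], f["reason"])
```
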

Red Hat, Novell sued for patent infringement

Anthony Knee
Happy

Bring it on Steve - if you dare!!!

I would love to see Microsoft in court taking on Linux for copyright and patents etc.

The defenders only have to argue that Microsoft steal code and use other people's patents without permission. (Microsoft have been found guilty on this quite a few times and have paid out millions).

How do we know that what Microsoft is claiming as theirs actually is? Microsoft purchase, copy, and borrow quite a lot of code. They claim that they own the copyright, but in actual fact, they can only claim copyright to portions of it. Recent court cases which Microsoft have lost have resulted in damages. You could argue with good reason that Microsoft have sold illegal software to every person with XP - and that is a lot!

Microsoft like to hide what they do behind closed source. It protects them not only from people stealing their ideas, but also it makes life difficult for patent holders, companies with rights and a variety of licensees to know what is going on under the covers.

So let's move on to open source and its licensing etc. It's obvious that Microsoft will have lifted code that has some very interesting licenses. Some of those require that Microsoft release the source code of applications based on it.

Open source is far more legal than anything that is closed source. It is easy for rights holders to identify infringements and these can be dealt with - GIF file formats being an example.

Linux is easy to compile and change - most distros have already compiled the entire OS and most applications to 64 bit. Microsoft have hardly started with 64 bit compilation and they seem to be having problems with it. There are lots of missing bits in the 64 bit versions of Server 2003, Vista and XP. So any court orders against them could be financially disastrous for the company, and damages could run into the millions.

Pandora's box is waiting to be opened and Steve wants to have a look inside. Go on Steve, I dare you!

Things are gonna get interesting!