Here's a couple recent linsk for data center photo tour geeks: Info Week just had a slideshow of photos from inside the Sun Blackbox portable data center, while C/Net offered a look inside LucasFilms' Death Star data center in San Francisco.
The AP story mentions that UltraDNS may have been targeted. Last May DDoS attackers targeted UltraDNS as part of the attack against Blue Security that ultimately drove BS out of business. That attack managed to knock some UltraDNS customers offline.
There was a previous attack on the root servers in 2002.
I think there are two reasons for the low visibility of "webmaster." One is that the term fell out of favor, as it was too broad and meant different things to different people. I stopped using it, because every conversation about "webmaster" skills was followed by more conversation to ensure that we were talking about the same thing.
Blogs, CMS systems and Web 2.0 apps have also made it possible for lots of folks to create web content without having to learn webmaster skills. That's been a good thing.
Having said that, there are plenty of "webmasters" out there, with a broad range of web-related skills that defy easy categorization. If you read forums like Web Hosting Talk, Digital Point or SitePoint, you'll see lots of participants that that fit the general a description.
The inclusion of Cleveland is a perfect example of why I'm befuddled whenever I see the ICF data. Intelligent for what? Cost studies of US locations for data centers place Cleveland in the middle of the pack. It's cheaper to run a facility in Columbus or Fort Wayne, and it's much cheaper to get power in Chicago.
I've tracked the ICF findings for years and have yet to understand the methodology, which is utterly out of whack with what's happening in the marketplace as well as studies that drive site location decisions for data centers (my particular interest). I think the ICF reflects the perspective of a very focused constituency. It's a source of interesting case studies on community broadband deployment, but isn't anything I'd ever build a business case around.
Rosenblatt's company, Demand Media, is the best illustration of how the domain business is changing. Domain parking used to be dominated by a fairly small community of "domainers," who bought up one-word or two-word domains, filled them with ads, and made money off type-in traffic and misspellings. That all changed in early 2005 when a public company, Marchex, paid $165 million to buy a huge portfolio of names from a Hong Kong domain speculator. Suddenly everyone wanted to be a domainer and make millions. Sales of new domains surged, and resale prices rose.
But soon Google and Yahoo, who provide most of the ads on parked sites, found that click-throughs from parked pages often didn't lead to sales, and many advertisers didn't want to buy AdWords and then have them show up on these sites with no content. Some of the largest parking services began switching to a pay-per-action business model, instead of pay-per-click.
Meanwhile, venture capital firms started pumping money into the sector, buying up registrars (like Demand Media's deals for eNom and BulkRegister) and large domain portfolios. Vector Capital bought Register.com, and Perot has a piece of Internet REIT. The VCs and Wall Street investors prefer to monetize their domains with developed web sites instead of parked pages. Many of them are using free user generated content to populate these sites with articles and forums linked to their target keywords. Google likes these sites better, and they appear to get more relevant traffic and click-throughs.
But there will always be plenty of smaller operators with thousands of single-page ad-filled parked domains. The low price of domains means there's virtually no barrier for entry into this business, and that's not likely to change anytime soon.
Phishing scams are already using Flash in their spoof pages. This was occurring as early as last June. Maybe the bank liked the idea so much they decided to copy it. Reverse phishing, sort of.
Does anybody know which bank the submitter is talking about?
VeriSign is charging $1,299 a year for extended validation certificates, and I wonder how many small businesses would be willing to fork over that amount for the benefits of EV SSL. Other certificate authorities will eventually offer these as well, and charge less.
Several CAs, including Digicert, are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.
Doc - Thanks for the link re the file system. I hadn't seen that.
Google actually has data center facilities all over the place (it's hiring data center staff in nine different locations), and is building more. They are said to be shopping for property in North Carolina, and contemplating a $1 billion facility in India. I think their center network is rapidly becoming more distributed, and given the issues in Silicon Valley, they'll be accelerating that trend.
Some data centers actually cool their facilities with air pumped in from outside their buildings. There's a study underway at Lawrence Berkeley National Laboratory looking at the use of air economizers at seven data centers that have participated in a PG&E program offering rebates for folks who do this. The study is looking at concerns that the use of outside air will introduce contaminants or excess humidity into the data center. Not for everyone, but seems to work for some folks.
While Google, Yahoo and Microsoft can build stand-alone data centers in Washington State to power their search engines, enterprises and Internet companies want space and connectivity in the major business hubs. Right now the strongest demand for data center space is focused on three markets: New York/Northern NJ, northern Virginia, and Silicon Valley. While power is less expensive in nothern Virginia, none of these markets are cheap.
The other hot data center real estate market is Austin, which has benefitted from a regional focus on energy efficiency, a strong technology community, and a skilled IT workforce. Phoenix and Kansas City have become active markets for backup data centers, while a dark horse market is northern New York, which used its abundant supply of cheap hydro power from the Niagara River to snare a $166 million HSBC data center.
There's been speculation that Google may begin investing in or even buying equipment manufacturers that can develop specialized gear to improve the energy efficiency of its data centers, which are already among the most efficient out there. Google sees its data center operations as a competitive advantage, which is why it uses a custom OS and in-house/commodity hardware to run their clusters. If they develop energy-efficient equipment, I'd be surprised if they share it. It's not like they've open sourced their OS code or server design.
This is a key point. We're starting to see the first few legal cases concerning property and ownership in virtual worlds, which may create precedents about who owns what and what property rights players can expect. There's really a two-tier economy at the moment, as some worlds allow/encourage ownership and real money trading (Second Life, some EQII servers) and appear to be operating under different rules than worlds in which the ToS bans asset trading, which then moves to grey/black markets. It'll be interesting to see if the notion of IRS interest in real money trading prompts more game operators to create official exchanges than allow them to manage the economic activity in their games. It could also send them in the other direction - outlawing RMT and forcing the IRS to shake down eBay sellers. Either way, this is probably a headache for IGE.
While there's a certain logic to the scenario presented by Ramprate in TFA regarding phone companies and ISPs, it's also true that the largest online games are actually hosted by a phone company. AT&T hosts World of Warcraft and Sony Online Entertainment's major games. At this year's E3, AT&T announced the expansion of its online gaming operation. Given the hosting fees coming in from Blizzard and Sony, AT&T/SBC has a vested interest in their success. Does the nation's largest phone company have leverage in dealing with ISPs who might be tempted to mess with MMO traffic? I suspect they do. Food for thought.
If Net Neutrality did squeeze online gaming, it might create an opportunity for someone like GameRail, a high speed network that directly connects online game players to the servers that host popular FPS titles. GameRail peers directly with ISPs, universities and game server providers (GSPs). The question is whether game server hosts see usefulness in that type of middleman. The answer to that question might change in some of the scenarios imagined int eh article.
Phishers have been known to use frame injections to insert their content into framesets, allowing them to grab login info from within the bank's own web site. It's not nearly as fancy as an SQL injection, but it's sure malicious and quite difficult for victims to recognize.
There's already an active market in Internationalized Domain names (IDN) with many domain speculators buying up names for investment and/or parking purposes. Sites focused on this niche include IDN Forums, the IDN Blog and the IDN Domain Blog. A lot of companies and web sites will go to register their trademarked terms in these multilingual domain names and find that they're long gone, and getting them back could mean international litigation. I think it hasn't even occurred to many corporations to register IDN domains.
Back in 2005 Firefox briefly disabled its support for IDN after The Shmoo Group demonstrated the ease of using Internationalized Domain Names (IDNs) to spoof existing domains, including those for major retailers or banks. At the time, Mozilla said domain registrars were ignoring ICANN guidelines on IDN, and developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks. Not sure if this is still current.
Everything is getting cheaper but power, which for some data centers now costs more than hardware. Nicholas Carr explains why Gilder's assumptions are problematic:
"What Gilder calls 'petascale computing' is anything but free. The marginal cost of supplying a dose of processing power or a chunk of storage may be infinitesimal, but the fixed costs of petascale computing are very, very high. Led by web-computing giants like Google, Microsoft, Amazon, and Ask.com, companies are dumping billions of dollars of capital into constructing utility-class computing centers. And keeping those centers running requires, as Gilder himself notes, the "awesome consumption" of electricity"
As I noted in our commentary at Data Center Knowledge, the power issues with high-density blade server computing has been understood for years. Back in 2002, Liebert and APC and other equipment vendors were developing products that could address huge heat loads. They saw it coming, and sensed a market opportunity. So where were the chip makers? Even as cooling vendors prepared for the results of the huge power and heat loads, little was done to address their source.
What's interesting is that most banks and major corporations will now spend the money to register the "sucks" version of their domain in all major TLDs, but don't take the same step with domains that would be useful for phishing. Domains are cheap enough ($3 to $9 a year, depending upon your registrar) that it wouldn't take a lot of bucks to register these variations and point them at their.com. The problem is that the phishers and typosquatters thought of this before the banks did. These folks who are selling the names on Sedo aren't selling for $9, and that changes the economics of a defense based on pre-emptive domain registration.
According to a Netcraft report, 3,659 "look-alike" domains (names designed to confuse the recipient into believing they belonged to the bank) were used in phishing attacks in 2005. A lot of these used visual tricks (substituting the number 1 for the letter l, for example) to present a plausible URL. Anti-phishing services are getting better at blocking these sites, but they continue to feature in a large number of scams.
Tim Callan of VeriSign has written a blog post clarifying and adding context to the statements in the Register that launched this thread. In the post, he offers an apology for the criticism of Mozilla. An excerpt:
"Let me start by stating that the story as written is very much not in keeping with the tenor of the actual conversation I had with the reporter in question. Among other things, the story makes it sound like VeriSign is critical of the Mozilla Foundation for not having announced support for the Extended Validation SSL standard at this time. Quite the opposite, in fact. Several members of the FireFox community have been key contributors to the Extended Validation effort and are active participants in the CA/Browser Forum. I never characterized Mozilla as heel-dragging in any sense of the word, and it was my effort to defend Mozilla's method of operation that led to the most regrettable moment in the article."
That's all true. But in reality, Microsoft owns 85 percent of the browser market and VeriSign, having acquired GeoTrust, owns 70 percent of the SSL certificate market. If their only goal was to take advantage of their dominance, why even sit down with Kongueror, Firefox, etc? This effort sprung from a broader industry concern about phishing and unsophisticated users. The end users who know what they're doing and actually examine certificates don't need the green address bar. But the color coding may help a small number of users who would otherwise get taken for a ride by phishers. It's a slight improvement for the end users. And, yes, it's a sales opportunity for the CAs.
I believe they're using a certificate extension. The proposed validation process would involve the applicant providing proof that they control the domain, proof of a bank account (whic by itself requires another layer of checks on the bank side), documentation that the applicant has authority to act on behalf of their company, and a site visit to confirm a physical address. The process is designed to be thorough enough to prevent spoofing. But then again, the standard hasn't been finalized either.
The article is, not surprisingly, VeriSign's version of events. The Extended Validation standard emerged from talks among a consortium of browser makers (the IE team, Mozilla, Opera and Konqueror) and a ghroup of SSL certificate authorities, which includes not only VeriSign but also geoTurst (since bought by VeriSign), Comodo, Entrust and Go Daddy. The group is known as the The CA/Browser Forum, the group of certificate authorities and browser developers that is working with the American Bar Association's Information Security Committee on finalizing an open standard for the validation process, which is to be followed by all participating CAs. So this isn't just a VeriSign issue, but the culmination of an 18-month process.
The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.
Slashdot Mirror
Here's a couple recent linsk for data center photo tour geeks: Info Week just had a slideshow of photos from inside the Sun Blackbox portable data center, while C/Net offered a look inside LucasFilms' Death Star data center in San Francisco.
The AP story mentions that UltraDNS may have been targeted. Last May DDoS attackers targeted UltraDNS as part of the attack against Blue Security that ultimately drove BS out of business. That attack managed to knock some UltraDNS customers offline. There was a previous attack on the root servers in 2002.
Having said that, there are plenty of "webmasters" out there, with a broad range of web-related skills that defy easy categorization. If you read forums like Web Hosting Talk, Digital Point or SitePoint, you'll see lots of participants that that fit the general a description.
I've tracked the ICF findings for years and have yet to understand the methodology, which is utterly out of whack with what's happening in the marketplace as well as studies that drive site location decisions for data centers (my particular interest). I think the ICF reflects the perspective of a very focused constituency. It's a source of interesting case studies on community broadband deployment, but isn't anything I'd ever build a business case around.
But soon Google and Yahoo, who provide most of the ads on parked sites, found that click-throughs from parked pages often didn't lead to sales, and many advertisers didn't want to buy AdWords and then have them show up on these sites with no content. Some of the largest parking services began switching to a pay-per-action business model, instead of pay-per-click.
Meanwhile, venture capital firms started pumping money into the sector, buying up registrars (like Demand Media's deals for eNom and BulkRegister) and large domain portfolios. Vector Capital bought Register.com, and Perot has a piece of Internet REIT. The VCs and Wall Street investors prefer to monetize their domains with developed web sites instead of parked pages. Many of them are using free user generated content to populate these sites with articles and forums linked to their target keywords. Google likes these sites better, and they appear to get more relevant traffic and click-throughs.
But there will always be plenty of smaller operators with thousands of single-page ad-filled parked domains. The low price of domains means there's virtually no barrier for entry into this business, and that's not likely to change anytime soon.
Does anybody know which bank the submitter is talking about?
Several CAs, including Digicert, are seeking to have the standard revised to include small businesses. I don't believe the CA/Browser Forum has finalized the standard yet, as there were some holdouts last I checked.
Google actually has data center facilities all over the place (it's hiring data center staff in nine different locations), and is building more. They are said to be shopping for property in North Carolina, and contemplating a $1 billion facility in India. I think their center network is rapidly becoming more distributed, and given the issues in Silicon Valley, they'll be accelerating that trend.
Some data centers actually cool their facilities with air pumped in from outside their buildings. There's a study underway at Lawrence Berkeley National Laboratory looking at the use of air economizers at seven data centers that have participated in a PG&E program offering rebates for folks who do this. The study is looking at concerns that the use of outside air will introduce contaminants or excess humidity into the data center. Not for everyone, but seems to work for some folks.
The other hot data center real estate market is Austin, which has benefitted from a regional focus on energy efficiency, a strong technology community, and a skilled IT workforce. Phoenix and Kansas City have become active markets for backup data centers, while a dark horse market is northern New York, which used its abundant supply of cheap hydro power from the Niagara River to snare a $166 million HSBC data center.
There's been speculation that Google may begin investing in or even buying equipment manufacturers that can develop specialized gear to improve the energy efficiency of its data centers, which are already among the most efficient out there. Google sees its data center operations as a competitive advantage, which is why it uses a custom OS and in-house/commodity hardware to run their clusters. If they develop energy-efficient equipment, I'd be surprised if they share it. It's not like they've open sourced their OS code or server design.
Imminent TechCrunch headline: "Spam 2.0 receives VC funding"
This is a key point. We're starting to see the first few legal cases concerning property and ownership in virtual worlds, which may create precedents about who owns what and what property rights players can expect. There's really a two-tier economy at the moment, as some worlds allow/encourage ownership and real money trading (Second Life, some EQII servers) and appear to be operating under different rules than worlds in which the ToS bans asset trading, which then moves to grey/black markets. It'll be interesting to see if the notion of IRS interest in real money trading prompts more game operators to create official exchanges than allow them to manage the economic activity in their games. It could also send them in the other direction - outlawing RMT and forcing the IRS to shake down eBay sellers. Either way, this is probably a headache for IGE.
If Net Neutrality did squeeze online gaming, it might create an opportunity for someone like GameRail, a high speed network that directly connects online game players to the servers that host popular FPS titles. GameRail peers directly with ISPs, universities and game server providers (GSPs). The question is whether game server hosts see usefulness in that type of middleman. The answer to that question might change in some of the scenarios imagined int eh article.
Phishers have been known to use frame injections to insert their content into framesets, allowing them to grab login info from within the bank's own web site. It's not nearly as fancy as an SQL injection, but it's sure malicious and quite difficult for victims to recognize.
There's already an active market in Internationalized Domain names (IDN) with many domain speculators buying up names for investment and/or parking purposes. Sites focused on this niche include IDN Forums, the IDN Blog and the IDN Domain Blog. A lot of companies and web sites will go to register their trademarked terms in these multilingual domain names and find that they're long gone, and getting them back could mean international litigation. I think it hasn't even occurred to many corporations to register IDN domains.
Back in 2005 Firefox briefly disabled its support for IDN after The Shmoo Group demonstrated the ease of using Internationalized Domain Names (IDNs) to spoof existing domains, including those for major retailers or banks. At the time, Mozilla said domain registrars were ignoring ICANN guidelines on IDN, and developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks. Not sure if this is still current.
"What Gilder calls 'petascale computing' is anything but free. The marginal cost of supplying a dose of processing power or a chunk of storage may be infinitesimal, but the fixed costs of petascale computing are very, very high. Led by web-computing giants like Google, Microsoft, Amazon, and Ask.com, companies are dumping billions of dollars of capital into constructing utility-class computing centers. And keeping those centers running requires, as Gilder himself notes, the "awesome consumption" of electricity"
As I noted in our commentary at Data Center Knowledge, the power issues with high-density blade server computing has been understood for years. Back in 2002, Liebert and APC and other equipment vendors were developing products that could address huge heat loads. They saw it coming, and sensed a market opportunity. So where were the chip makers? Even as cooling vendors prepared for the results of the huge power and heat loads, little was done to address their source.
The Paypal.com web site stayed online throughout, even though the blast happened near its network operations center.
What's interesting is that most banks and major corporations will now spend the money to register the "sucks" version of their domain in all major TLDs, but don't take the same step with domains that would be useful for phishing. Domains are cheap enough ($3 to $9 a year, depending upon your registrar) that it wouldn't take a lot of bucks to register these variations and point them at their .com. The problem is that the phishers and typosquatters thought of this before the banks did. These folks who are selling the names on Sedo aren't selling for $9, and that changes the economics of a defense based on pre-emptive domain registration.
According to a Netcraft report, 3,659 "look-alike" domains (names designed to confuse the recipient into believing they belonged to the bank) were used in phishing attacks in 2005. A lot of these used visual tricks (substituting the number 1 for the letter l, for example) to present a plausible URL. Anti-phishing services are getting better at blocking these sites, but they continue to feature in a large number of scams.
"Let me start by stating that the story as written is very much not in keeping with the tenor of the actual conversation I had with the reporter in question. Among other things, the story makes it sound like VeriSign is critical of the Mozilla Foundation for not having announced support for the Extended Validation SSL standard at this time. Quite the opposite, in fact. Several members of the FireFox community have been key contributors to the Extended Validation effort and are active participants in the CA/Browser Forum. I never characterized Mozilla as heel-dragging in any sense of the word, and it was my effort to defend Mozilla's method of operation that led to the most regrettable moment in the article."
That's all true. But in reality, Microsoft owns 85 percent of the browser market and VeriSign, having acquired GeoTrust, owns 70 percent of the SSL certificate market. If their only goal was to take advantage of their dominance, why even sit down with Kongueror, Firefox, etc? This effort sprung from a broader industry concern about phishing and unsophisticated users. The end users who know what they're doing and actually examine certificates don't need the green address bar. But the color coding may help a small number of users who would otherwise get taken for a ride by phishers. It's a slight improvement for the end users. And, yes, it's a sales opportunity for the CAs.
I believe they're using a certificate extension. The proposed validation process would involve the applicant providing proof that they control the domain, proof of a bank account (whic by itself requires another layer of checks on the bank side), documentation that the applicant has authority to act on behalf of their company, and a site visit to confirm a physical address. The process is designed to be thorough enough to prevent spoofing. But then again, the standard hasn't been finalized either.
The plan was for all the browsers to implement the color bar scheme, based on IE's implementation. There were optimistic announcements by all involved, but no final standard has emerged. VeriSign and other SSL certificate authorities are preparing to start selling these in January. It's not clear to me if Firefox/Mozilla has actually opted out or is just moving more slowly than MSFT in incorporating the changes in the browser. Mozilla tends to be deliberate about SSL-related changes in the browser.