technology

A flurry of activity on free software blogs addresses the losses of freedom brought about by cloud computing.

The Free Software Foundation is concerned, that:

the movement of software off of personal computers has reconfigured power relationships between users and their software and complicated questions of ownership and control in ways that free software advocates do not yet know how to address.

Cloud computing presents a centralization of resources, hence a centralization of power. The software you're using doesn't run on your own PC, it runs on a distant server. The documents you're creating aren't saved on your local harddisk, but somewhere on the intarweb. The combination of the two presents a major shift of control away from you, an individual, towards a few giant global technology corporations.

That's scary. Read on for countermeasures.

Think a minute about the security challenges involved in creating a health-centered social network. Or, more generally, any web application that has to handle sensitive user data. What if the database server becomes compromised? How do you make sure that, even if the database is stolen, your users' secrets remain confidential? How can any cloud computing application provide any significant measure of privacy?

At Clipperz they claim to have found the solution: they call it "zero-knowledge web applications". Since the term "zero knowledge" has a precise meaning in cryptography, that's a bit confusing. What Clipperz promotes boils down to evangelism for the "host-proof hosting" AJAX programming pattern.

client-side encryption

You still with me? It's a very simple concept, actually. Encrypt any sensitive data on the client-side browser before sending it to the web server. Data is never stored plaintext. Users can retrieve their data, in encrypted form, and only in their private browser is it decrypted and becomes accessible. Should the database server be compromised, an attacker finds only encrypted gibberish in the database.

Wow! Total privacy in the cloud computing age! Why don't we rewrite all our web applications to use this neat trick? Yes, why don't we? Read on to find several answers to that question.

The war on spam is mostly waged between spammers and ISP's, invisible to the public.

Earlier I wrote about greylisting. That's a fairly minimal change in handling email, that reduces the spam volume on our mail servers disproportionately. How can this be? Let's take a look at the economics involved.

At the NFG mail servers, we block about 10 spam messages for every valid email our customers receive. Even so, customers keep asking for more agressive spam filters.

Spam filtering requires a lot of system resources. Content filtering involves opening each message and matching its full contents against a database of spam patterns. This involves a lot of disk read/write actions and heavy number crunching.

In the graph above, our mail server was flooded with more spam than it could adequately handle. Of course, we could allocate more system resources or try and tune the server some more. However, the solution turned out to be much simpler: greylisting.

Paul and myself have started a new DBMail blog.

Read the full blog entry @blog.dbmail.eu about direct database access versus protocol-mediated data retrieval.

Virtualization is cool. Literally. Consolidating servers is a great way to reduce carbon emissions.

Running a multi-core Xen server nowadays is like having a mini-datacenter-in-a-box. Cramming a dozen logical servers into the rackspace and energy footprint of a single physical server, it's a geek paradise. And a boon for the bottom line.

So naturally, when Amazon keeps upping the ante in it's Xen-based EC2 (Elastic Cloud Computing) offering, that's a cool thing.

Which begs the question: make or buy? How does running your own server rack (make) compare to renting EC2 capacity (buy)?

Amazon CTO Werner Vogel's recent announcement of new high-availability features in EC2 (Amazon Elastic Compute Cloud) drew some attention. And indeed, being finally able to manage IP addresses for EC2 services removes one of the biggest drawbacks EC2 had until now.

Amazon reseller Rightscale even drew some nice diagrams explaining how the new EC2 features make renting a fault-tolerant hosting environment a breeze.

Some pretty interesting details got omitted somehow, though.

Mailman is our mailing list software of choice. Even when using PloneGazette to format mailings, we prefer to use Mailman as the actual mail sender: it's faster, it has superior bounce handling, and it runs on our dedicated list server, outside our Plone environment.

Managing subscriptions for simple publication sites can be as easy as creating a MailManSubForm. However, if you have a full-fledged Member site you'll want to integrate mailing list subscription/unsubscription options as part of the member profile personalization experience in Plone.

We need to use the Plone Member database as master for the mailman database, in other words. This turns out to be quite easy.

XFN is vulnerable to relationship injection attacks, as discussed earlier here and there and elsewhere. Summary: If I create a malicious page and put a rel="me" link to your page, your XFN "identity" contains my malicious page and is therefore compromised. The same holds true for links to other people.

We can arm ourselves against such an attack by requiring that all links are bidirectional, i.e. reciprocated. This is, in practice, too burdensome. If you have 10 pages, you'd have to link to all 10 pages from all 10 pages to truly establish identity. If you have 20 friends with 10 pages each, they'd have to put all your 10 pages on all their 10 pages. And everyone would have to do that for everyone.

Webmonday Aachen yesterday featured great talks (video available) and lively discussions.

Technologies like XFN enable exchange of social network data between different carriers. Now people can search your social network through the Google Social Graph API.

As it stands, there is a real concern for user backlash as these APIs start being implemented and users find themselves presented with eerily accurate information about themselves magically appearing on websites without their ‘consent’.

Suddenly even people in the dataportability camp start scratching their heads about the implications of unbridled data sharing.

The separation between our online identities is a feature, not a bug. Unifying our fragmented online selves into a total identity is not only technically difficult (XFN is vulnerable to relationship injection attacks). It's also epistemologically unsound.

Not everything that can be done, should be done. We should be talking less about technology, and more about what we want. And especially about what we don't want.

If you start thinking about social data control, it soon becomes clear that ownership of social data, like opensocialweb.org claims in their Bill of Rights, is a fiction. If Alice publishes a link rel="friend" relation with Bob, and Claire publishes a link rel="coworker" relationship with Bob, we know a lot about Bob without having to ask Bob. It ain't Bob's data, and it ain't under his control. That's because it's social data.

Combine this brewing privacy backlash with mounting signs of social media fatigue and you may start to wonder if, maybe, social networking has reached the peak of it's hype cycle?

Cloud computing is a big meme to wrap your head around. A good place to start is this video (go to tab "The Coming Cloud"), featuring amongst others Nic Carr, who wrote the book.

The free software community should be mightily worried about these developments.

• A world in which most software runs in one of two megaclouds controlled by the likes of Google and Microsoft is the ultimate dystopia from a software freedom point of view.
• Currently available open source cloud computing software is mainly funded by Yahoo!. A Microsoft takeover of Yahoo! can hardly be beneficial.
• The web 2.0 / cloud computing / software as a service paradigm disrupts the social contract constructed by the GPL around software distribution - because it disrupts software distribution per se.

Following Martin Aspeli's excellent buildout tutorial, in a clean chroot setup, has helped me rediscover the joys of programming. Because, let's face it: if Python is The Beauty, Zope2 surely is The Beast.

Zope3 is a much more gentile creature. It's availability within the bowels of modern Zope2 releases is a godsend, as any developer working with Plone3 will testify. Meanwhile, the Python community at large has rallied around the Python Package index and easy_install eggs as the primary channel for distributing code.

To leverage these new development practices, you need to be able to control your python environment. Read on to find out, why this is a problem, and what you can do about it.

The announcement that Facebook apps can now also be deployed on other websites (outside Facebook), has gone largely unnoticed, except for some Dutch press coverage.

Following the introduction last year of the Facebook platform, which precipitated the OpenSocial effort, widening the scope in which Facebook apps can be deployed is potentially a big deal. Deployment of Facebook apps across the web is attractive for both application developers (gain exposure) and for Facebook (drive traffic).

However, Facebook may have passed the peak of it's hype cycle already. The proliferation of apps results in a deluge of spammy messages that seriously annoys the user population.

Exporting this problem to other sites will only hasten the "Through of Disillusionment."

In 2001, Manuel Castells published an instant classic: The Internet Galaxy, Reflections on the Internet, Business, and Society. Re-reading it strikes you full force with the enormity of changes we've seen already, in the few years since 2001.

Here your are, in the age of World of Warcraft and Facebook, reading a text that analyzes role-playing chat environments and The Well as premier instances of social behaviour on the internet. Meet The Flintstones.

However, in other respects, Castells turns out to be a powerful visionary.

With Microsoft joining DataPortability.org, an impressive line-up of major web2.0 sites is now co-operating on establishing common ground for exchanging social data.

This augments Google's launch of OpenSocial, a programming standard for social networking environments, last november.