The evolving threat

On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion

dDOS (distrubited Denial of Service) attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests Unfortunately the only real defense against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.

There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.

Web Development

The first stage in solving the security problem starts with the development and design stage. If developers neglect to address all security issues, a future hacker will very likely exploit the flaw to run commands which can compromise the data on in your hosting account, some of which might even be confidential. To fix this problem, you must ensure scripts are very well planned and tested, especially those parts that deal with private information. Testing all inputs to the software is vital – ask your developer if they have enabled taint checking and if they look at you blankly get another developer!

Any forms that handle sensitive data should be using HTTPS (secure HTTP) of course. Be sure to enable SSL and buy a a Digital Certificate (Digital ID) from a trusted certificate authority – SSL certificates do not cost much compared to the cost of securing your site! Ensure that your developer makes any sensitive forms redirect to HTTP versions of the site too. Why is SSL encryption important? Well if you’re accessing a Web site over normal HTTP using, say, a public Wifi then I can “sniff” (read) your traffic (with a little cleverness) just by being on that same Wifi network! End-to-end encryption is always best for all online communications – don’t trust the network.

Finally, if you are using a content management system like WordPress be sure to keep it updated. The number one culprit we see after bad passwords (see below) is a WordPress site that has not been updated in ages. The same goes for all software you put online – keep it updated! With the automated tools that allow you to do so there is no excuse not to. The number two is badly-written PHP sites by the way – see above!

Password Management

The majority of hacks are caused by bad passwords. Its not just a simple matter of changing ‘l’s’ to 1′s either, as these are still easy to hack. Anything based on a dictionary word or piece of memorable information is vulnerable. It is vastly better in my experience to choose a good password and then stick with it for that site rather than changing it often also.

We have performed rigorous mathematical analysis on how good a password needs to be by working out how much money it would take to crack if you had the password file and were using cloud computing. We determined that an 8 character random string formed from a-z, A-Z and 0- (using open source pwgen) is adequate for the vast majority of purposes, costing about $100,000 to break. A 10 character randomly generated password will cost $13m to crack using cloud computing and quite frankly there are easier ways for hackers to get your information for that amount of money!

We get all staff to choose an auto-generated password created PWgen. This approach is much better than making them choose their own (often guessable) one and changing it periodically (which means they need to write it down to remember it).

Finally, having lots of different passwords to remember can be a pain. There are packages to help though. For most Web sites I use my browser’s password safe, which is encrypted because my entire laptop is entrypted, though many have encryption options available. For other passwords such as banking details I keep them in a password safe called KeePassX. I then use a 16-character randomly generated password (from pwgen) as my master password and I don’t have to remember any others. You should really have one password per site but personally I group a few together based on how much I trust the sites. For banking always use a unique password per site though!

Tight Controls on Accessing Data

If you are allowing access to your Web site’s back end, for example for order fulfilment, that will often expose a vulnerability that a hacker could exploit. Therefore it is important that you ensure that any device accessing that “soft spot” is secure.

That should not stop you operating completely over the wire / in the cloud though. We allow all staff to access from anywhere using a laptop and a browser, using HTTPS for the security. However, we do not allow access from just any laptop; it must be a company one, we require that everyone follows good password practices (see above) and every person has their own unique loginl.

Unique logins for each member of staff is vital, so that you can react quickly in the event of a compromise. We have regularly tested and audited procedures for revoking user access quickly so that in the event of a lost laptop or compromised user password (or SSH key for command-line access to systems) we can rapidly change that user’s access credentials.

As an additional precaution, any laptop that is used to store company data (most of it is in the cloud, but sometimes information is stored locally) must have an encrypted hard drive.

In conjunction with requiring that everyone uses a screen saver password lock our company laptops are effectively impervious even if stolen while running and decrypted in RAM. No data can be retrieved since the thief would have to power down the machine in order to access the drive.

Personnel / ‘purchase key’ attacks

The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers nor hack into them, but will attempt to gain leverage over key members of staff; the “purchase key attack”. To protect yourself and your data, you should look to take steps to mitigate the risks. These are some of the things we do at Memset:

1. All staff with access to company and customer data are CRB / background checked.
2. Access to servers is gained via personal keys and all activity is logged.
3. Access to Web-based systems is gained via personal credentials and all activity is logged.
4. Logs and activity should be routinely checked by head of security.

Carefully Select Your Hosting Provider

The only thing one can really do about bot nets is to have more bandwidth than the attacker (ie. an army of hijacked home computers), which is yet another reason why companies should be giving up owning and managing their own data centres and moving to the cloud where providers like us have gigabits of connectivity so can withstand such attacks, which happen frequently.

We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of cyber warfare is not new though, but has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.

Finally, at Memset we are very upfront about our approach to secure hosting. I would be strongly suspiscious of a provider that was unwilling to share with you how they protect your data. Be sure to ask them and look for externally-audited credentials like the well-recognised ISO 27001 Information Security Management System.

However, is this new cyber security concern warranted and do we need government and/or academia to get involved with a dedicated centre for tackling the issue? In short, I don’t think so, and this is why.

Just doing our job

As a hosting company we are players in a constant cyber war going on quietly behind the scenes that most people are not aware of. We have been successfully defending ourselves and our customers against hackers, script kiddies and DoSers for as long as I’ve been in the industry (since 1998). The weapons (bot nets and internet connections) have got bigger and the complexity of the systems and hacks has become more sophisticated, but we have evolved too.

We host 20,000 of Britain’s largest and busiest Web sites. In just the last week our automated denial of service (DOS) protection system, affectionately known as the “DOS-squasher”, blocked just over 200 attacks aimed at our clients. None of them even knew that anything untoward had happened.

On my personal server alone in the last week there were over 50 break-in attempts, all automatically deflected by a combination of good password choice, operating system lock down and firewalling. Multiplied up across our entire server estate that amounts to someone trying to compromise one of our customers’ servers every few seconds.

We regularly handle phishing sites and such which have been set up by criminals on compromised customer servers (it should be noted that they are generally only hacked only when we are not managing the security for them and usually as a result of a poor password) as part of the day job. Again, nothing terribly exciting for us and where necessary we liaise with the police.

I am uncertain that a government- or education-run department would add much value here. Instead I would advocate their drawing on the vast experience of the hosting and Internet Service Providers’ businesses in the UK by encouraging or incentivising us to pool our best minds to tackle possible threats to national infrastructure.

People and education

Now, it is true to say that we struggle to find good people with the right skills, but again I don’t think a university programme focussed on cyber security is necessarily the right approach. The soldiers and lieutenants in the silent cyber war are systems administrators and network engineers. They have the skills, but more of the good ones get those skills on the job. What I would like to see is more universities doing courses like those found at Portsmouth.

Half of our recent operations recruits have come straight from their computer network management and design BSc, a course that actually teaches them the skills they need to be a systems administrator. I’d like to see more courses like that, including modules on cyber security training for as standard within them. I do not believe it needs a special skill set since security should be part the curriculum for any IT training.

Serious crime

As well as kids in bedrooms with an axe to grind some cyber threats fall into the category of serious crime. On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion. Take a typical gambling Web site; they could easily be bringing in tens of thousands of pounds per day. They get a major distributed denial of service attach (dDOS) which takes them out for a few minutes. Rattled, they then receive an email demanding thousands of pounds with threats of a much more prolonged dDOS if they don’t pay up. What do they do? Well, they pay. I can’t name names, but I know this has happened.

dDOS attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests Unfortunately the only real defense against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.

This is serious crime and as with any crime should be the domain of the police. A good central authority that was able to track down hackers, phishers and protection racketeers, working with us, would be welcome. At present the police are not especially responsive and often don’t appear to understand the issues at hand.

National threats

When looking at a national level, such as the rumored attacks against Georgia originating from Russia back in 2008, that is something that central intelligence agencies such as CESG should be prepared for. However, again, the people who have the expertise and the means to help are the existing ISPs.

One concept I did quite like, however, was that of being able to “attack back”. One possible way to defend oneself against dDOS attacks is to launch your own attack on the originating sources from a number of ultra-high bandwidth locations. This has the effect of tying up, or even crashing, the bot net computers and making it difficult to control them. The problem here is that the bot net are innocent, zombies if you will that have been infected and are only guilty of having poor security (aka. “running Windows” . The real target should be the command and control servers, but determining where they are is not usually a quick task. Again, here, it should be the job and/or CESG of finding out who the perpetrators are and bringing them to justice.

Regardless, as I said before, the best defence against this sort of real cyber war is to have bigger pipes than your attacker. If we want to ensure our national network is not vulnerable then we need to be investing in it, and in our international connectivity, so that we can stay ahead of developing nations. Last year we were falling behind Eastern Europe, but we may have recovered a little now.

Conclusion

In short, cyber crime and cyber warfare are nothing new – it is just that they have recently entered the public and political consciousness. Government should simply support us, the ISPs, in our existing activities.

As for education, they should a) stop putting off teenagers by teaching them that “ICT” means “Microsoft Office” and b) at a university level actually teach students the skills that the industry needs, not dead operating systems and languages.

INTRODUCTION

As the increasing use of cloud computing and other technologies is changing the world of data management, keeping your data private and secure is an ongoing concern for everyone. As a cloud computing Infrastructure as a Service (IaaS) provider, I’m sharing an insider’s perspective on what you should be doing to keep your data safe.

IS THERE A SECURITY THREAT?

As you move data to the cloud there are many different challenges. Applications have to be designed differently. Security gets pushed further and further away from perimeter-based approaches. Security threats change when data moves to the cloud, with threats from the network or from the provider’s personnel being more pertinent than concerns over physical attack.

However, it need not be a big concern, you just need to apply the same common sense you would to sourcing any other service. Ask questions about your prospective cloud supplier; Are they financially sound? Do they have good security procedures in place? Is the infrastructure your data will be on shared with lots of other users, or will it be in it be segregated by virtualisation or even physically separate dedicated environments?

WHO TO TRUST?

Up until the existence of cloud computing the norm was to trust the IT department internally. Now that the IT department is outsourced people are asking the right questions about IT security. The focus must be on the security processes and procedures rather than the physical perimeter around the data storage devices. In many ways using the cloud can be much safer than hosting data on your own systems in your own building since a putative attacker no longer knows where to look. Even if, somehow, an individual were able to breach the heavy physical security of our data centres, they would be faced with thousands of identical-looking machines and no way of identifying their target.

The most likely source of data theft is always from within an organisation (the people), therefore for data management when it is not on your own systems, it comes down to trust. Just as if it were hosted on a computer in your office, then you need to trust everyone who has access to that machine, so if outsourcing to the cloud you need to trust the organisation that has access to the underlying infrastructure. Look for companies that have appropriate certifications like ISO27001 (as a minimum), and ask them about how they regulate and monitor their systems administrators’ access to servers holding client data.

THREATS FROM THE NETWORK

The other increasingly common source of attacks on cloud-based services is via the network itself. This can be greatly mitigated with good firewall systems, and if your services only need be accessed from a small number of office locations then the firewall should restrict access to only those IP addresses. That can prevent the helpful feature of universal access, however, so it may not be practical, but even then firewalling is important. Talk to the provider and they should be able to advise you.

For public-facing services there is also the danger of Distributed Denial of Service attack (dDoS), where servers are flooded with millions of bogus requests from hacked computers (a “bot-net”). Most providers should have a system for automatically detecting and blocking the source of such attacks, so ask them, but in cases where the attack is massively distributed the only defence is to have more bandwidth than the attackers, which means you need to be using an operator with large scale.

CONFIDENTIALITY

Confidentiality is a major question to ask your cloud hosting provider. Having the right tools in place to ensure that confidentiality is also being maintained is critical. So, some questions would be:

• What mechanism do you have to protect and securely deliver logs?
• What are you actually able to log?
• What activity are you recording within your cloud?
• Can the integrity of those logs be assured?

BACKUPS & DATA RESILIENCE

When entrusting a cloud provider to look after your data it is essential to ensure that there is adequate resilience in their storage systems. At a minimum they should be using RAID (Redundant Array of Independent Disks) systems, but most cloud storage providers will store multiple copies of your data across many independent machines. Memset’s cloud storage solution (currently in beta testing) stores all data in triplicate, for example.

Most providers will offer additional backup services, and these should certainly be considered when operating cloud based applications so that in the event of a serious hardware failure you can roll back to an earlier state. Also ask the provider what their normal restore times are.

Finally, as we have seen with the recent failure of Amazon’s Simple Storage Service, which included irrecoverable loss of some customer data, sometimes it is not enough to trust one provider. To help overcome this problem we will soon be rolling out a service to backup client’s cloud storage accounts with other providers’ onto our storage cloud.

WHERE IS YOUR DATA BEING STORED?

Although pushing data into the cloud is proving increasingly attractive for many organisations, there’s a growing realisation that geographic considerations remain important.

While the overriding concept of cloud involves the decoupling of data and applications from the underlying hardware on which they reside, knowing where that hardware is located can be vitally important.

For reasons of security, legal jurisdiction and privacy, many organisations are obliged to be aware where sensitive data is stored.  For British companies, data may need to be stored within UK borders for data protection purposes. For the majority of UK public sector IT requirements the data absolutely must remain within national boundaries.

THE PATRIOT ACT

Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities.

Microsoft has recently admitted that any EU-stored data, held in their EU-data centres, is subject to the US Patriot Act as Microsoft is a US headquartered company.

If you don’t want your data subject to the PATRIOT Act, then you have to use a non-US based company, in addition to a non-US data centre, for storing your data.

WHO CONTROLS YOUR DATA?

One risk with Software as a Service (SaaS) is that all your eggs are effectively in one basket, and if something goes wrong with that one provider you could face serious challenges. Memset’s approach is to disintegrate the stack enabling you to be able to move your software from one place to another. A typical example of this is using third party open source solutions to deliver hosted software services on their infrastructure. That way if the software provider fails you can still get to the data, and if the hosting company fails (assuming you have good backups) the software company can help you transfer to a new host.

DATA SEGREGATION

Many SaaS providers are essentially running one application for thousands (or many more) client organisations, with their data commingling on the same infrastructure and in the same databases separated only by the software itself. This presents a potential security risk, since if there is a flaw in the provider’s code it could be exploited to allow access to other customers’ data. For some services this may not be a problem, but for critical company or personal data it may be advisable to obtain additional segregation.

Memset’s stack disintegration approach solves this problem also. By using open source solutions (eg. Zimbra for Web email or Trac for integrated project management and Wiki), each hosted on virtual servers or dedicated servers for just that one client, there are additional layers of segregation between the software instances, thus providing greater security. While many SaaS solution’s code bases are not heavily tested, network and virtual machine segregation are very robust.

DATA PORTABILITY

You also need to think about data portability; the ability to be able to reuse your data across interoperable applications.  When weighing up SaaS suppliers, see if they have a “portability policy”. Where a privacy policy discloses what a company can do with your data, a portability policy discloses how a user can access and transfer their own data once it’s stored with that company. For IaaS providers this is normally a given, since they are just providing the infrastructure and you are able to extract the data as and when you wish at a root level.

MIGRATING OUT

Once you’re clear on who has your data, where that data is held, what they are doing with it and how they are protecting it, you also need to establish what procedures are in place to allow you to migrate your data out. Key characteristics to look for include:

• a clearly defined and established procedure for data migration
• low or no cost for migration
• data can be extracted in a meaningful, useful form for immediate re-use

For SaaS providers, look for an API or tools to download your data in a meaningful context. This could be as simple as a widget to download a CSV file (like with Google Contacts), or it might be a fully-fledged XML API. Failing that, and if taking the stack disintegration approach, ensure that the database in which the information is stored is transparent and well-documented. It is frequently not in a SaaS provider’s interest to make data portability easy though, so this can be a difficult item.

MITIGATE RISK WITH CLEAR SLAs

As with any service provider contract, you should negotiate clear SLAs for your cloud provider.  These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching and vulnerability remediation.

To ensure your data is safe in the cloud at all times, make sure you think about the following:

• Who has access to your data
• Where your data is held
• What they are doing with it
• How they are protecting it

CONCLUSION

In summary, the cloud is, and will continue to be, a critical part of many companies’ IT strategy so must it therefore be considered in their security policies. This role is likely to grow as a raft of new services are developed and commercialised and users’ level of familiarity and comfort with this approach to service delivery develops and grows. But it is also likely that the most effective network security strategies will be a hybrid model that takes the best that the cloud has to offer and combines it with the skills and focus of experts working on the ground.

For several years now, we’ve been running all our business systems over the ‘net  (including instant messaging, email, document management, project management & collaboration) by using open source software. Both Nick & I are huge fans of open source, so I thought I’d share why and how we use it within Memset.

As of 2008, 85 percent of businesses were using open source software, according to Gartner. That percentage has probably increased since then as more and more businesses find that they consistently get great value – and the desired ROI – from open source software.

We turned to open source for a number of reasons:

• Price. You don’t need to pay licensing to Microsoft anymore, simply download the open source software and install it, and don’t pay a penny. Furthermore, you usually get unrestricted access to the source code enabling you to modify it to suit your requirements.
• Flexibility. Once you have the software installed you are free to host your applications wherever you like. This means you no longer need to put all your information in one basket, say with Google, so instead you’re able to separate the software from the host and own your own data. A good example of how to achieve that would be Zimbra; an open source suite of office applications which can be hosted by any managed hosting provider. We have customers who rent a virtual machine from us and have us install Zimbra on it.
• Improved Productivity. By using open source software and adapting it to suit our needs, with fairly minimal development effort, we’ve been able to build on those foundations to automate a large number of our processes such as account billing, administration, provisioning, maintenance and monitoring activities so that they require very little staff input.
• Desktop Free. Because they are all Web based it makes it really easy for people to work from home, or anywhere for that matter. We have now migrated most of our staff to ‘nix-based systems (mostly Linux, but some of us use MacOS), and all they need is just a browser and an email client. Firefox & Thunderbird are certainly enterprise-strength, for example, and there are plenty of solid open source server-side solutions.
• Increased Security. In my opinion, open source applications tend to be even more secure than their commercial equivalents as open source communities are generally able to find and fix security vulnerabilities much quicker than their corporate counterparts. The very weakness pointed out by software companies like Microsoft (ie. that the source code is visible) is in reality its greatest security strength.

But what if it stops being supported?

Perhaps the biggest objection to open source I hear is, “But what if the solution I’m using stops being supported by the open source community?”. First off, you have this problem with commercial software; what if the supplier fails, or in the case of one like Microsoft what happens when they change version and stop supporting yours.

That is not the real answer though; one of the real beauties of open source software is that it is designed to be, well, open. All the solutions we use (see below) are based on open database architectures (often MySQL) with lots of documentation, so that even in the worst case scenario of the package no longer being supported, all of our business information is available in an open, accessible format, requiring only a little DBA time to extract. Try doing the same with a proprietary software’s internal data base!

Also, because the solutions are self-hosted (ie. you’re getting the software from someone other than the person providing the hosting) you are in total control of your own data. We do not use Google Docs, for example, mainly because I don’t want all my company information to be stored on a random server somewhere in the world with no guarantees of security.

Example: TRAC (Integrated Project Management & Wiki)

We use a mixture of in-house developed system and open source solutions such as Trac (project management & Wiki) and Sugar CRM to deliver an interlinking suite of information management tools which are available to everyone in the company.

Customer information is stored in a master central database, and by using rapid software development platforms like Django we have been able to quickly and cheaply add all the features and tools we need with our own internal development team.

However, the key element in the context of information management is probably our Wiki; it contains all procedural information and the distilled wisdom of the people in the company. You get complete version control and logging for free with the software, and those built-in auditing features helped make getting our ISO9001 accreditation a breeze.

Trac is invaluable for sharing information between teams, keeping track of changes to documents and projects, listing outstanding issues, assigning jobs and creating visibility of each others’ workflow. Being able to have an organised central location where everyone can go is great. It is certainly a lot better then trying to pass around .doc files from one person to the other, or constantly uploading and downloading .doc files to and from Sharepoint and having to worry about out of date versions. And, as its Web-based, you can access your data online from any computer, anywhere, secured and encrypted over HTTPS.

Example: SugarCRM

Sugar OS is an open source CRM application bringing a feature-rich set of business processes that enhance marketing effectiveness, drive sales performance, improve customer satisfaction and provide executive insight into business performance.

At Memset we use SugarCRM to improve productivity and sales effectiveness through the sales lead management functionality.

Example: Request Tracker

RT is an open source issue tracking and workflow platform. We use this software for all our customer technical support. It allows us to keep track of and assign assign tickets and to monitor who is working on which tasks, what’s already been done and when the tasks were completed.

Example: Openfire (chat)

Openfire, is an open source XMPP/Jabber server for instant messaging. Sure, you could use MSN, but we prefer not to have Microsoft listening in on our corporate communcations. We self-host and fully encrypt our internal instant messaging chat.

These are just a small selection of the open source solutions we have implemented at Memset. Also, despite us having a lot of technical know-how, you really do not need to be an expert to use these open source systems.

Even if you do not have the very basic systems administration skills in-house there are plenty of companies like Memset who will happily host and manage these services for you, while still giving you full control and data-ownership. With more and more companies looking to Cloud-based business management services like these, open source really is coming of age, even for the most security-conscious companies; Memset is fully ISO27001 certified and can ensure that your business-critical data remains 100% under your control, within UK borders.

Open source should be considered as a viable option for your business as it provides better value for money, lower costs, increased productivity and improved security.

Instead, purchase your software from one provider, but have a direct relationship with the host. Some of our customers are starting to do this with us and Zimbra. Zimbra is sort-of like Google docs, but open source, and they host it with us, and backup to a third-party host (which is cheap to do).

Good for resellers too

Managing the backup and hosting process might be a new way that resellers can differentiate their offering or add value to the supply chain as more and more businesses look to protect their data as they move to a Cloud Computing model. Ensuring ease of data migration between cloud providers is paramount for businesses moving forward.

By not being tied to one provider, a business could easily migrate to another host, or if Zimbra becomes unsupported, for example, they would not lose their data, and we would carry on hosting while they work with us to find a new software solution. If we fail, they still have their data and Zimbra can help them get set up again. We (the managed hosting provider in this example) would not own their data even if we did fail, but no harm in belt-and-braces.

Hosting commoditisation is here

Software providers cannot realistically compete in today’s commoditised hosting market place, and instead should stick to their strengths. This also applies to migrations – when moving customers between hosts there are now companies that specialise in the migration itself but have no interest in selling software nor hosting. One such company is SEM Solutions, with whom we have recently started working.

Another big win from supply chain disintegration is that you gain total price transparency; no more getting stitched up by one provider who is just whacking a huge mark-up on a commodity service like hosting (yes, I’m talking to you, local government CIOs .

Not only does it show you which bits cost what, thus allowing you to compare with the market rates, but disintegrating the supply chain also makes migration to a new Cloud / managed hosting provider easy since you just need to work with the software supplier to migrate to the new host, and are not tied in to one provider. Equally, since you own the data on the service (because you are buying the hosting direct), moving to a new software provider is greatly simplified.

Eating my own dog food

So, do I take my own advice? Yes; Memset is one of the fastest growing technology SMEs in the country, and all our business critical information and systems are hosted in the Cloud (or at least our little bit of it) and accessed over the Web. None of my staff have Microsoft Office, we do not pay for any software, and we do not need servers in our office for administration applications. Everyone has a laptop, and since all our systems and documents (we use a Wiki for the latter) are hosted online everyone can work from home without the complications of a VPN. We do not use any paper for internal communications either, thus minimising “the printer has broken” type problems.

We also use Trac project management and documentation management system for all our internal documentation, task and project management. It is free and simple to host yourself with any managed hosting provider. Simple, scalable systems like Trac have also made it easy for us to obtain and maintain our quality, security and environmental management systems (ISO9001, ISO27001 & ISO14001 accreditations).

It was a moment’s work to kill off the torrent site, and I sent a gentle email to the customer in question suggesting that they might like to take advantage of our Perimeter Patrol™ security services. He was a lucky one – many of our customers only decide to get us to manage their server’s security for them after a major, and damaging intrusion, but in their case no harm was done. There are plenty of commercially-run sites as well; it is not all just hackers stealing others’ bandwidth, and peer-to-peer file sharing is constantly growing especially as home broadband connections become ever-faster.

There is an on-going battle on the encryption and encoding front too. Just recently in The Register I heard that someone has already cracked the new HD DVD’s anti-rip system; embarrassing in the extreme for the HD DVD format’s supporters. The problem is, at a simplistic level, if you can play it then you can copy it. There are simply no two ways about it, and I for one think the music and movie industries are fighting a battle they cannot win, and should be taking a different approach entirely.

I am hardly innocent myself; I am quite a fan of allofmp3.com (a Russian mp3 site that purports pseudo-legality), but in my defense I primarily use it for getting good quality rips of CD’s and tapes I already own and therein, I think, lies a potential savior of the music industry. People like me do not want to be criminals, and we are also quite happy to pay a modest fee for a convenient service. I could have just ripped my CD’s for free, but I preferred to pay a few dollars and not faff about with disks etc.

Traditionally, a major cost for the media industries has been distribution, but the Internet renders that tiny. I am no expert, but I am pretty sure the music industry could make good money even at a small fraction of the current prices, say 10-20p per track. If combined with a really good interface most people would be quite happy to pay rather than mess about trying to download dodgy mp3′s.

In fact, it might even allow the music industry to sell a lot more thanks to being able to make “smart suggestions” based on what other users with similar tastes also like – there are already examples of such systems out there. Equally, such a model would be a great boon to small-time artists who currently have a nightmare getting their material heard since there would be minimal costs associated with getting your music listed, and if it was good then the “smart suggestions” system would auto-promote it. Everyone wins. Hmm, why am I giving out potentially-killer business ideas to the world?

However, this all powerfully reminds me of a sub-text to an excellent book I read last year by Peter F. Hamilton, Misspent youth. It portrays a world where ubiquitous high-speed connectivity and massive personal storage capacities have rendered copyright impotent, and the professional production of new novels, music and movies ends. Such a future seems, at times, chilling near.

Normally our data centres have plenty of over-capacity in their air-conditioning systems. Cooling a data centre is one of their big design challenges – each of our 1 metre square racks uses around 4KWatts, all of which gets turned into heat which is roughly the same as four electric fire bars; standing behind one is positively toasty! Believe it or not we are fairly conservative as to how we stack the servers as well – a rack full of blade-servers might easily double that figure.

The record temperatures this month have caused problems though. When the outside air temperature increases it becomes harder for the air-con units to dump heat – after all, for the external units to be able to radiate heat away they need to be hotter than the ambient temperature, and that is compounded by the fact that the area they are trying to cool is being additionally heated as well. When temperatures spiked to over well over 30 degrees Celsius earlier this week one overworked air-conditioning unit at our Fareham site failed. The data centre team was swift to respond and it was back up and running within an hour, however what under normal circumstances would have been a reduction in capacity well short of the safety-margin over-capacity actually meant there was not quite enough cooling for that brief period, thanks to reduced efficiency of the air-con units and the generally increased ambient temperature.

The result was a small rise in the building’s internal temperature, which was then compounded. As the temperature increased slightly, the hotter-running servers had to increase their fan-rates to keep cooler, and hence use more energy. On top of that CPUs tend to become less efficient as they heat up, again using more power. More power usage means more heat generation, and suddenly you have a positive-feedback loop, although thankfully quite a slow acting one.

Thanks to a swift response no serious harm was done; however one of our busier machines did manage to pull a whopping 400Watts and contributed to a power-trip being blown which, frustratingly, caused an unscheduled reboot for the handful servers on that power bar.

Along with increasing energy costs and a moral responsibility to battle climate change, this sort of technical consideration in the face of ever hotter Summers is yet another reason why IT hardware & infrastructure providers need to have energy firmly on the agenda. We certainly do.

Up until recently I had been using a massive Dell Inspiron 9100, which is a great laptop as long as you don’t actually put it on your lap or try to lug it around on the tube. I have also been a faithful Palm user for many years, but trying to do anything useful on a PDA, even with a bluetooth keyboard, is painful thanks to slow & limited applications, terrible reliability issues and poor battery life.

So, I recently splashed out on a gorgeous little Sony Vaio VGN-TX2HP (see right). Not only is it perhaps the ultimate geek-girl fashion accessory (and great for starting conversations on the train!), but it is so small that it fits in my handbag, so light that it is a breeze to carry, and has a battery life that puts the energizer bunny to shame (4-7 hours!)! It comes in-and-out of standby mode really fast too, making it so convenient to use that I will often put it to sleep while changing lines on the underground and just wake it back up for another 10 mins work tube-hop.

My other problem was mobile connectivity. I was using 3G on my hopelessly slow, chunky and unreliably Nokia 6680, which not only had major issues handing over between cells causing the connection to bounce irritatingly when on the move, but was also limited to 112Kbps thanks to the bluetooth connection. Therefore I recently gave in to temptation and bought one of Vodafone’s new high speed mobile data cards. I went with their more expensive £25/mo, 250MB/mo one rather than the popular £17/mo, 2,000MB/mo T-mobile for three reasons: i) I trust Vodafone’s network more ii) Vodafone don’t filter the traffic – T-mobile block things like VOIP and even MSN apparently, & iii) Vodafone’s can do up to 1.8Mbps when the new HSDPA system is fully rolled out. I have been seriously impressed so far; I get a persistent link almost all the way from Guildford to Waterloo, and the connection speeds are truly broadband-like. Even the latency is better – I can happily use PuTTY/SSH without a painful lag.

This sort of true anywhere-connectivity gives a whole raft of new options as well. Already, all my email is stored centrally on a remote IMAP server, along with most of my critical documents, diary and so forth. I am only a few steps away from having everything important centrally stored with my laptop acting as little more then a client application terminal, and when I have managed that the days of fretting about backups will be gone. I am not alone either; we are seeing an ever increasing demand for online business applications from IMAP email to CRM solutions and centrally hosted groupware.

Anyway, you may be saying “that’s all very well, but those are not cheap toys!”, and you’d be right. However I am quite sure that they have already paid for themselves in terms of my increased productivity. Money well spent I say (and come on, they’re so cool! ).