Oracle Updates NoSQL
Oracle has announced the availability of the latest edition of its NoSQL database.
NoSQL is Oracle’s distributed key-value database. Now in its third version, the enhancements this time are heavily centred around security and business continuity.
Oracle NoSQL 3.0 features improvements in security with cluster-wide password-based user authentication and integration with Oracle Wallet. Session-level Secure Sockets Layer (SSL) encryption and network port restriction are also included.
For disaster recovery and prevention, there’s automatic fail-over to metro-area secondary data centres, while secondary server zones can be used to offload read-only workloads to take the pressure off primary servers under stress.
For developers, there is added support for tabular data models that Oracle claims will simplify application design and improve integration with SQL based applications, while secondary indexing improves query performance.
“Oracle NoSQL 3.0 helps organisations fill the gap in skills, security and performance by delivering […] enterprise-class NoSQL database that empowers database developers and DBAs to easily, intuitively and securely build and deploy next generation applications,” said Oracle’s EVP of Database Server Technologies, Andrew Mendelsohn.
It’s already been a big week for the SQL community with NoSQL arriving on MariaDB for the first time, courtesy of a tie-up between SkySQL, Google and IBM on Tuesday, while yesterday Fusion-IO announced the use of Non-volatile memory (NVM) compression in MySQL to increase the capacity of SSD storage.
Both the community and enterprise versions of Oracle NoSQL Database 3.0 are available for download now from the Oracle Technology Network.
Facebook Goes Ten
February 12, 2014 by admin
Facebook plans on celebrating its 10th birthday today, an occasion likely to spur an outpouring of reflection on its past and speculation about its future.
Mark Zuckerberg launched “Thefacebook” from his dorm room at Harvard University on Feb. 4, 2004. The site was conceived as a way to connect students, and let them build an online identity for themselves.
It has since expanded to cover a large swath of the planet, with more than 1.2 billion people — one-seventh of the world’s population — using its site on a monthly basis, according to the company’s own recent figures.
Zuckerberg reflected on the 10-year milestone at an industry conference in Silicon Valley this week. Not surprisingly, at the start he never envisioned Facebook becoming so large or influential. After launching the initial version, “it was awesome to have this utility and community at our school,” he said at the Open Compute Project Summit.
He figured at the time that someone, someday would build such a site for the world. “It didn’t even occur to me that it could be us,” he said.
Since then, Facebook’s site and its business, now a public company, have changed dramatically. There are now more than a trillion status updates, text posts and other pieces of content stored within its walls — the company is trying to index them as part of its Graph Search search engine.
The company was slow to react to the important mobile market, and when it went public in 2012 investors were skeptical it would be able to monetize its service on smaller screens. But this week it reported that more than half its ad revenue now comes from mobile devices.
All the while, Facebook is making its ad business smarter, using targeting tools to show ads it deems most relevant.
The company is also experimenting with new ways to present content. Next week it will release Paper, an iPhone app that provides a new way to share photos and published articles.
It’s part of a larger effort Facebook hinted at this week to release a variety of standalone apps for different tasks.
The company is also trying to bring the Internet to more people in the world, an effort that’s part philanthropy and part business sense as Facebook aims to reach its next billion users. Asked this week why he launched the project, called Internet.org, Zuckerberg suggested he feels a weight of responsibility.
“There aren’t that many companies in the world that have the resources and the reach that Facebook has at this point,” he said.
Was Dropbox Really Hacked?
January 24, 2014 by admin
Dropbox suffered a major outage over the weekend.
In one of the more bizarre recent incidents, after the service went down on Friday evening a group of hackers claimed to have infiltrated the service and compromised its servers.
However, on the Dropbox blog, Dropbox VP of engineering Ardita Ardwarl told users that hackers were not to blame.
Ardwari said, “On Friday evening we began a routine server upgrade. Unfortunately, a bug installed this upgrade on several active servers, which brought down the entire service. Your files were always safe, and despite some reports, no hacking or DDOS attack was involved.”
The fault occurred when a bug in an upgrade script caused an operating system upgrade to be triggered on several live machines, rendering them inoperative. Although the fault was rectified in three hours, the knock-on effects led to problems that lasted through the weekend for some users.
Dropbox has assured users that there are no further problems and that all users should now be back online. It said that at no point were files in danger, adding that the affected machines didn’t host any user data. In other words, the “hackers” weren’t hackers at all, but attention-seeking trolls.
Dropbox claims to have over 200 million users, many of which it has acquired through strategic partnerships with device manufacturers offering free storage with purchases.
The company is looking forward to an initial public offering (IPO) on the stock market, so the timing of such a major outage could not be worse. Dropbox, which includes Bono and The Edge from U2 amongst its investors, has recently enhanced its business offering to appeal to enterprise clients, and such a loss of uptime could affect its ability to attract customers.
Reddit ISO Profits
January 7, 2014 by admin
Social news hub Reddit enjoyed a major get when it interviewed Barack Obama last year. The big get for 2013 was reaching 90 million unique visitors a month, according to the company, on par with the likes of eBay. This season, even Microsoft co-founder and philanthropist Bill Gates joined its Secret Santa gift exchange.
Now, the self-dubbed “Front Page of the Internet” is going for a milestone it has been trying to reach since its founding in 2005: profitability.
After years of experimenting with paid subscriptions and display advertising, Reddit, with just 28 employees, has begun pouring resources into building an electronic bazaar.
Company executives say they increasingly believe such a venue is the answer to their long search for reliable revenue, complicated in part by their fans’ mistrust of advertising.
If Reddit Gifts, as the burgeoning bazaar is known, brings sustainable profitability, it would mark a turning point for an outfit that has exerted an outsized and sometimes controversial influence on Internet culture yet languished financially.
Reddit estimates over 250,000 items have been purchased over the holiday, mostly as part of the 50 or so mostly geek-oriented Secret Santa gift exchanges – where zombie- or fantasy-themed presents, say, change hands – that users have created.
Although Reddit won’t disclose details about how much money it has made from Reddit Gifts or its overall financial performance, it takes a 15 to 20 percent cut of every purchase.
Usually priced between $10 and $25, the goods reflect Reddit’s young and geeky user base, from collages of cats in steampunk apparel to coffee mugs branded by Imgur.com, a repository of funny Web pictures, to an entire category dedicated to bacon-related products. More than 250 merchants supply gifts curated and “up-voted” by the community, much as articles and links are elevated on the Reddit site itself.
The gift exchange made headlines this month after Gates signed up and surprised a Reddit user by sending her a travel book and a stuffed cow, symbol of the charity he donated to in her name.
The company, which is hoping to position itself as a bona fide shopping destination year-round, estimates that only 14 percent of its marketplace revenue comes from the Christmas-season gift exchange programs.
Yet those sales alone could put Reddit firmly in the black, said Dan McComas, the head of Reddit Gifts. He added that the company may choose to reinvest funds in e-commerce customer service and infrastructure.
Chief Executive Yishan Wong, a former Facebook executive, said Reddit was “kind of” breaking even and denied that pressure was mounting on his team to turn a profit.
Twitter Tightens Security
Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.
The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”
“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.
Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.
Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.
The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.
“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”
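The property Kaminsky describes, as an added example (not from the original article or from Twitter): recorded sessions are replayed against a leaked long-term key, once with the session secret wrapped under that key and once with per-session Diffie-Hellman keys. The parameters, the XOR keystream cipher and every function name are assumptions made for illustration; the toy RSA and Diffie-Hellman here are not secure.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (too small and unpadded for real use).
P, G = 2**255 - 19, 2                                # Diffie-Hellman prime modulus and base
RSA_N, RSA_E = (2**127 - 1) * (2**89 - 1), 65537     # server's long-term public key
RSA_D = pow(RSA_E, -1, (2**127 - 2) * (2**89 - 2))   # server's long-term private key


def kdf(secret: int) -> bytes:
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], pad))
    return bytes(out)


def static_key_session(message: bytes) -> dict:
    """No forward secrecy: the session secret travels wrapped under the long-term key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    return {"wrapped": pow(premaster, RSA_E, RSA_N),
            "ciphertext": xor_stream(kdf(premaster), message)}


def ephemeral_session(message: bytes) -> dict:
    """Forward secrecy: fresh DH keys per session; the long-term key only signs."""
    a = secrets.randbelow(P - 3) + 2       # client ephemeral private key, never stored
    b = secrets.randbelow(P - 3) + 2       # server ephemeral private key, never stored
    client_pub, server_pub = pow(G, a, P), pow(G, b, P)
    digest = int.from_bytes(kdf(server_pub), "big") % RSA_N
    return {"client_pub": client_pub, "server_pub": server_pub,
            "signature": pow(digest, RSA_D, RSA_N),
            "ciphertext": xor_stream(kdf(pow(server_pub, a, P)), message)}


def exposed_by_key_compromise(recorded: list, leaked_d: int) -> list:
    """Audit: apply a leaked long-term key to every integer in each transcript
    and return the plaintexts that open (recognised by their known prefix)."""
    opened = []
    for record in recorded:
        for value in record.values():
            if isinstance(value, int):
                guess = xor_stream(kdf(pow(value, leaked_d, RSA_N)), record["ciphertext"])
                if guess.startswith(b"GET "):
                    opened.append(guess)
    return opened


# Constructed sample traffic: three recorded sessions of each kind.
MESSAGES = [b"GET /inbox/%d HTTP/1.1" % i for i in range(3)]
STATIC_CAPTURE = [static_key_session(m) for m in MESSAGES]
EPHEMERAL_CAPTURE = [ephemeral_session(m) for m in MESSAGES]
```

With the leaked key, every session in `STATIC_CAPTURE` opens and none in `EPHEMERAL_CAPTURE` does, because the long-term key there only authenticates the server's per-session public value.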
Adobe Data Found Online
November 18, 2013 by admin
A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.
LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.
Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.
The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.
While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.
She said the records include some 25 million records containing invalid email addresses and 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.
She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.
The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.
Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.
He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.
“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”
Will Skype 3rd-Party APIs End?
Angry Developers, a breed not unlike Angry Birds but without the desire to fling themselves at naughty pigs, have started a petition asking Microsoft to withdraw its plan to switch off the desktop API for Skype.
The news follows Microsoft’s announcement that support for third party applications will end in December. The change.org petition explains, “The decision to discontinue Skype’s Desktop API impacts our ability to use Skype within my normal Skype calling activities.” It goes on to request that, “Skype/Microsoft provide continued support for third party Skype utilities that have become mission critical to Skype’s users.”
The API runs a range of services, including call recording clients, and in some cases third party hardware including certain headsets. Its discontinuation will most likely see problems for third party instant messaging (IM) services that rely on the API to aggregate IM services, as Skype does not use the Jabber protocol.
Microsoft’s explanation of this was fairly straightforward. It said, “The Desktop API was created in 2004 and it doesn’t support mobile application development. We have, therefore, decided to retire the Desktop API in December 2013.”
However, many developers who receive income from their products using the Skype API are unsatisfied with this.
Although Skype has had a mobile client dating back as far as Windows Mobile 5, it has never had parity with the desktop version and there remains some bewilderment as to why Microsoft has made this decision.
At the time of writing shortly after launch on Friday, the petition had 540 signatures and rising, showing that there is a groundswell of support for the initiative.
Developers Hack Dropbox
Two developers have penetrated Dropbox’s security, even intercepting SSL data from its servers and bypassing the cloud storage provider’s two-factor authentication, according to a paper they published at USENIX 2013.
“These techniques are generic enough and we believe would aid in future software development, testing and security research,” the paper says in its abstract.
Dropbox, which claims more than 100 million users upload more than a billion files daily, said the research didn’t actually represent a vulnerability in its servers.
“We appreciate the contributions of these researchers and everyone who helps keep Dropbox safe,” a spokesperson said in an email to Computerworld. “In the case outlined here, the user’s computer would first need to have been compromised in such a way that it would leave the entire computer, not just the user’s Dropbox, open to attacks across the board.”
The two developers, Dhiru Kholia, with the Openwall open source project, and Przemyslaw Wegrzyn, with CodePainters, said they reverse-engineered Dropbox, an application written in Python.
“Our work reveals the internal API used by Dropbox client and makes it straightforward to write a portable open-source Dropbox client,” the paper states. “Additionally, we show how to bypass Dropbox’s two-factor authentication and gain access to users’ data.”
The paper presents “new and generic techniques to reverse engineer frozen Python applications, which are not limited to just the Dropbox world,” the developers wrote.
The researchers described in detail how they were able to unpack, decrypt and decompile Dropbox from scratch. And, once someone has decompiled its source code, “it is possible to study how Dropbox works in detail.”
“We describe a method to bypass Dropbox’s two-factor authentication and hijack Dropbox accounts. Additionally, generic techniques to intercept SSL data using code injection techniques and monkey patching are presented,” the developers wrote in the paper.
The process they used included various code injection techniques and monkey-patching to intercept SSL data in a Dropbox client. They also used the techniques successfully to snoop on SSL data in other commercial products, they said.
The developers are hoping their white hat hacking prompts Dropbox to open source its platform so that it is no longer a “black box.”
PayPal Extends Bug Bounty
PayPal is expanding its bug bounty program to individuals aged 14 and older, a move intended to reward younger researchers who are technically ineligible to hold full-fledged PayPal accounts.
PayPal’s program, which is a year old this month, only applied to those 18 years and older. Under the old rule, participants in the program were required to hold valid accounts, which excluded minors, said Gus Anagnos, PayPal’s director of information security.
In May, 17-year-old Robert Kugler, a student in Germany, said he’d been denied a reward for finding a vulnerability. PayPal said the bug had already been found by two other researchers, which would have made Kugler ineligible for a bounty.
In an apparent miscommunication, Kugler said he was initially told he was too young rather than that the bug had already been discovered. Nonetheless, PayPal said it would look to bring younger people into its program, which pays upwards of $10,000 for remote code execution bugs on its websites.
Those who are under 18 years old can receive a bug bounty payment through a PayPal student account, an arrangement where a minor can receive payments via their parent’s account, Anagnos said.
Anagnos said other terms and conditions have been modified to make its program more transparent, such as clarifying which PayPal subsidiaries and partner sites qualify for the program.
PayPal pays much less for vulnerabilities on partner websites, which have a URL form of “www.paypal-__.com.” A remote execution bug found on that kind of site garners only $1,500 rather than up to $10,000 on the company’s main sites.
Like other bug bounty programs run by companies such as Microsoft and Google, PayPal will publicly recognize researchers on its website with a “Wall of Fame” for the top 10 researchers in a quarter. Another “honorable mention” page lists anyone who submitted a valid bug for the quarter.
Eusebiu Blindu, a testing consultant from Romania, was one of the researchers listed on the Wall of Fame for the first quarter of this year.
“I think Paypal is the best bug bounty program, and I am glad I participated in it from the first days of its launching,” he wrote on his blog.
DDoS Attacks Rising
One in five UK businesses experienced a DDoS attack last year, according to a new survey.
Analytics firm Neustar said that while the percentage is significantly lower than that experienced by their US equivalents, it is still fairly high. More than 22 percent of the 381 organisations participating in the annual trends study reported DDoS attacks, compared to 35 percent experiencing the same in a separate study carried out among US firms in 2012.
Neustar set out to measure revenue ‘risk per hour’, which is a measure of what it might cost a business in a particular sector to experience DDoS downtime. They found that the majority of organisations reckoned this at less than $1,500 per hour.
Most of the rest put it somewhere between $1,500 and $15,000 although one in four financial services firms put the number at $250,000 per hour. This cost included brand damage and unexpected customer service calls.