TheRegister: Sun tripling RAID protection
by Chris Mellor
The storage industry's RAID standard is RAID-6, which recovers from a double drive failure. It is not going to be good enough as disk capacities increase: larger disks take longer to rebuild, which lengthens the window in which a third disk failure, occurring before recovery from the double failure is complete, becomes unrecoverable.
This point is made by Adam Leventhal of Oracle/Sun's Fishworks in a blog. He says hard drive capacity roughly doubles every year but hard drive bandwidth is pretty constant, so it takes longer and longer to write data to fill up a drive.
Other things being equal, a 500GB drive will take twice as long to write as a 250GB drive. Suppliers are now producing 2TB drives, which take four times as long to fill with data as a 500GB drive; Leventhal implies that this takes about eight hours.
Assume 3TB drives are coming, then 4TB ones, and we're looking at 12 hours and 16 hours respectively to rebuild a full failed disk. Every added terabyte adds four hours, half a day, to the rebuild time. That increases the chances that a third drive will fail while the first and second failed drives are being rebuilt.
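The scaling argument above is easy to check numerically. The following is an added illustration, not code from the article or from Leventhal's work: it models rebuild time as capacity divided by a constant write bandwidth, then estimates the probability that further drives in the array fail before a rebuild completes, using independent exponential drive lifetimes. The bandwidth (chosen so that a 2TB drive takes the article's roughly eight hours), the MTBF of one million hours and the 12-drive array are assumed sample values, not figures from the article.

```python
import math

# Assumed sample parameters (not from the article): per-drive write
# bandwidth chosen so that a 2TB drive takes about 8 hours to fill,
# and a nominal MTBF for the exponential-lifetime model below.
BANDWIDTH_MB_S = 2e6 / (8 * 3600)   # ~69.4 MB/s, taking 1 TB = 1e6 MB
MTBF_HOURS = 1_000_000


def rebuild_hours(capacity_tb, bandwidth_mb_s=BANDWIDTH_MB_S):
    """Hours needed to rewrite a full drive at a constant bandwidth.
    Doubling capacity at fixed bandwidth doubles the rebuild time."""
    return capacity_tb * 1e6 / bandwidth_mb_s / 3600.0


def p_at_least_k_failures(n_drives, hours, k, mtbf_hours=MTBF_HOURS):
    """P(at least k of n_drives fail within `hours`), treating drive
    lifetimes as independent and exponential with the given MTBF."""
    if k <= 0:
        return 1.0
    p = 1.0 - math.exp(-hours / mtbf_hours)   # one drive failing in the window
    p_fewer = sum(math.comb(n_drives, j) * p ** j * (1.0 - p) ** (n_drives - j)
                  for j in range(k))
    return 1.0 - p_fewer


def p_data_loss_during_rebuild(capacity_tb, n_drives, parity, already_failed,
                               bandwidth_mb_s=BANDWIDTH_MB_S, mtbf_hours=MTBF_HOURS):
    """P(the array loses data while rebuilding `already_failed` drives).
    With `parity` drives of redundancy and `already_failed` of them gone,
    the rebuild survives only if at most parity - already_failed of the
    remaining drives fail before it completes."""
    if already_failed > parity:
        return 1.0
    hours = rebuild_hours(capacity_tb, bandwidth_mb_s)
    tolerated = parity - already_failed
    remaining = n_drives - already_failed
    return p_at_least_k_failures(remaining, hours, tolerated + 1, mtbf_hours)


def compare_schemes(n_drives=12, capacities_tb=(1, 2, 3, 4)):
    """Data-loss probability per rebuild for double- and triple-parity
    in the article's worst case: two drives already down."""
    rows = []
    for cap in capacities_tb:
        rows.append({
            "capacity_tb": cap,
            "rebuild_hours": rebuild_hours(cap),
            "raid6_two_down": p_data_loss_during_rebuild(cap, n_drives, 2, 2),
            "raidtp_two_down": p_data_loss_during_rebuild(cap, n_drives, 3, 2),
        })
    return rows


if __name__ == "__main__":
    for row in compare_schemes():
        print(f"{row['capacity_tb']} TB: rebuild {row['rebuild_hours']:.1f} h, "
              f"P(loss) RAID-6={row['raid6_two_down']:.2e}, "
              f"triple parity={row['raidtp_two_down']:.2e}")
```

Running it shows the two effects the article describes: rebuild hours grow linearly with capacity, and for a double-parity array with two drives already down the loss probability grows with the rebuild window, while a third parity drive pushes that probability down by orders of magnitude because two further failures, rather than one, are needed inside the window. The exponential model ignores correlated failures and unrecoverable read errors, so treat the absolute numbers as illustrative and the comparison as the point.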
Leventhal has added triple-parity RAID to Sun's ZFS filesystem, calling it RAIDz3. He suggests that calling it RAID-7 or RAID-8 generically might be silly. RAID-6 is often known as RAID-DP, though, so RAID-TP would seem logical. Leventhal says it too could be superseded if disk capacities keep on growing.
That has to be logically true, but if 3.5-inch disks give way to 2.5-inch drives, failed disk rebuild times would fall. That would also likely increase the number of drives in an array, putting us back, roughly speaking, at square one.
Triple-parity RAID-Z will be included in the next major software release for Oracle/Sun's 7000 series sometime in the third quarter of this year; in other words, in a few weeks. It's not a first, though: Avante Digital had a triple-parity EasyRAID product in 2006.
We might expect triple-parity RAID to start appearing, perhaps as an option, in mainstream enterprise EMC, HDS, IBM and NetApp arrays, and in third-party RAID controllers, from next year. ®
InfoWorld: Some SMS networks vulnerable to attack
by Robert McMillan
Flaws in the way some mobile-phone networks handle SMS (short message service) signaling data could leave them open to a whole new range of attacks.
At this week's Black Hat conference in Las Vegas, researchers Zane Lackey and Luis Miras will show how they were able to spoof SMS and MMS (multimedia messaging service) messages and falsify the signaling data that underlies these messages.
Neither researcher was able to comment for this story, but in a description of their Thursday talk, posted to the Black Hat Web site, they say that they plan to release SMS hacking tools and will demonstrate an iPhone-based application that can be used in several SMS attacks. "SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked," they say in their talk abstract.
The researchers were able to send SMS messages from one phone to another that contained configuration information that would normally originate only on the network's servers, according to a source familiar with the talk, who spoke on condition of anonymity because he was not authorized to speak on the matter. The research details security flaws in the way some mobile networks communicate with the devices on the network. "Basically, they found that there is a way to bypass all of the source sender validation," the source said.
The iPhone tool, which runs on a jailbroken version of the device, lets them send SMS messages with data that should normally only be sent from the carrier network, the source said. "They have found a new attack vector by which people can try to exploit phones based upon invalid assumptions the network operators and the phone operators have made about the security of this communications channel."
The attack works on the GSM (Global System for Mobile Communications)-based networks used by carriers such as AT&T and T-Mobile, but does not work on CDMA (Code Division Multiple Access) networks, he said.
It's not clear how dangerous such an SMS-based attack could be, or what exactly the researchers were able to do with their spoofed messages, but carriers use SMS to send basic configuration to the phones. In theory, an attacker might be able to use this technique to redirect a phone's Web browser to a malicious server or change voicemail notifications.
"We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS," the researchers write in their abstract.
SMS uses a communications channel that was designed as a way for network operators to send basic status updates between mobile phones and the network; only later did it evolve into an extremely popular way to send short messages between mobile-phone users.
The network servers that handle SMS traffic are built by companies such as Ericsson, Nortel, Lucent and Nokia Siemens.
Mobile carriers have long tightly controlled the software and devices that can be used on their networks, but apparently, these networks are not as tightly controlled as was previously thought. "They're not as open as the Internet, but there are definitely lots of bad things that you can do that people never expected," the source said. "There are lots of malicious things you can do."
CNet: Intuit and open source: Tastes great, less filling?
by Matt Asay
Intuit announced on Monday that it has launched a community site for open-source developers to write open-source SaaS (software as a service) applications that enhance Intuit's own SaaS platform. Glyn Moody derides the move as "a rather feeble attempt to plug into the power of openness without really engaging with it," but this misses the point.
The point is to enhance the value around an already valuable platform (Intuit's software). This isn't just of benefit to Intuit, but also to the third-party developers who contribute. No one wants to write software to sit on a shelf, unused. Coding for Intuit ensures a ready-made audience of small businesses.
What's not to like about that?
IBM's Savio Rodrigues notes that this same effect could have been achieved with a closed-source community site, but he suggests a few reasons open source makes the community site richer:
(B)y using an open source license, Intuit reduces a potential issue for its partners that do sell open source products on top of Intuit's platform. Intuit also makes it easier for its partners to customize the code for their own purposes, something that partners are likely to do. Lastly, the open source license encourages Intuit's ecosystem to contribute their own components and, thereby, helps raise all boats, without having to open source Intuit's core products. It seems like a win-win to me.
Agreed. Intuit clearly "gets" that open source is a means to an end, not an end in and of itself. Openness helps the company accomplish community and corporate goals. It helps to enrich its partner experience. But it's not a revenue model that the company is embracing.
Some will see this move by Intuit as more about artifice than community, but they will be wrong. The Intuit community stands to benefit greatly from this move. As with Microsoft before it, these Intuit partners are looking for ways to enhance the value of their offerings while building on a winning platform.
Open source helps them to do that, as ZDNet's Sam Diaz points out, while also helping Intuit to increase the value of its platform. It's a win-win situation.