Web storage for backups

August 20th, 2007

I’m contemplating using S3 for backups. Paul Stamatiou has a script ready to go. The thing that convinced me was a chart Paul showed: for 10GB of space he paid under 3 dollars per month. That’s really cheap…

Gmail, Microsoft and Yahoo all provide extra storage as well. However, none of them has a stable, company-supported API that lets users upload data in this form.

Getting ready for Social Network portability

August 18th, 2007

Brad Fitzpatrick and David Recordon kicked off another round of discussions on aggregating, decentralizing and social network portability in a post called “Thoughts on the Social Graph”. The post is long, but the problem statement is summarized in a few lines:

Users and developers alike are going crazy. There’s too many social networks out there to keep track of. Developers want to make more, and users want to join more, but it’s all too much work to re-enter your friends and data. We need to lower the amount of pain for both users and developers and let a thousand new social applications bloom.

I’ve mentioned this problem in the past as well and feel that a solution is long overdue. Sites like Plaxo and Facebook have taken a step in the right direction, but it’s not the solution. As I see it, the real solution should be something similar to the XMPP standard, which opened up the chat protocol and let decentralized chat networks work with each other.

Microsoft Live ID out: Google going to support OpenID soon… I predict

August 17th, 2007

The other day I briefly mentioned the pain point of the web 2.0 world and how consolidation, aggregation and summarization will help reduce some of it. Microsoft today formally announced the availability of Microsoft Live ID as a contender for providing SSO (single sign-on) services in the web 2.0 world. Live ID, in case you didn’t know, is the repackaged version of the Microsoft Passport Network, which had failed so badly that it forced Microsoft to pull it out of the market. There are examples of how to use other languages like PHP, Perl, Python, Ruby etc. to do authentication using Live ID. Microsoft is not the first to openly come out with an SSO technology. Liberty Alliance and OpenID are other open-source competitors which already have some foothold in this market.

The move to SSO (single sign-on) in the web 2.0 world is bound to happen regardless of how scary some people might find it. If you can trust your online bank with 100000 dollars and trust 3 companies you don’t really know with your entire credit history, then this shouldn’t be that much of a concern. The real question is whether you trust the technology leaders Microsoft, Google, Yahoo or others like Verisign enough to provide these critical services for you.

In my opinion the reason why OpenID and Liberty Alliance have failed is fragmentation of standards and lack of leadership. While Microsoft failed in its commercial venture into authentication services (Microsoft Passport Network), it might actually do well this time as long as it doesn’t screw up. Not because they have done a great job in the past, but because the pain is now so unbearable that people are willing to give almost anything a try. But the real kicker is that almost everyone has a Microsoft account anyway, so if I had an option to use my Microsoft account to log in to a new web 2.0 product, I’d do that in a heartbeat. Creating yet another account with a new password and doing the email confirmation thing is not an adventure anymore… (or maybe I’m getting old).

I predict that Google or Yahoo will soon jump into this with their own suite of authentication services (probably using OpenID or Liberty Alliance), which will then become the next battleground in the web 2.0 world. I also predict that a couple of years after that, many web services will move towards supporting these forms of authentication so that users are not forced to create new user accounts with new passwords every single time.

And if my predictions don’t really come true… hey, at least I know that I can dream.

DNS Rebinding… what?

August 13th, 2007

Everyone who knows what a “DNS Rebinding attack” is, please raise your hands. I’m so glad I can’t see yours, because I’m ashamed of myself for not knowing this one. For those who are “pretending” not to know, please read on.

Browsers use domain names to enforce the same-origin policy for a lot of security features. Interestingly, depending on which client you are using, it’s possible to set a low DNS TTL and then change the IP address the name resolves to, so that, without any change in domain name, a script could interact with another website as long as the browser can be made to believe it is still talking to the same domain. To do this, all the attacker needs to do is initially serve content from their own server and, while the JavaScript is running, update the DNS record so that the script now interacts with a different host, from which it can steal information for the attacker.

There are some safeguards to stop these kinds of attacks, but for the most part they can be carried out easily on the internet today. The browsers are getting smarter though, and the “DNS Rebinding attack” isn’t new anyway… it’s been known for years at least. The way browsers try to defeat this is by limiting the minimum DNS TTL which can be set, so that a resolved address stays in use for a while regardless of what the record says.

All was well and good until an attacker realized that the browser and the plugins inside the browser each have a different minimum DNS TTL. So as long as the browser and plugin can talk to each other, there could be a point in time when the plugin is talking to the attacker’s server while the browser is still connected to the real server, streaming the information to the attacker through the plugin.

References
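Browser-side pinning is only half of the story: because a rebinding request reaches the victim server with the attacker’s domain name in the HTTP Host header, the server itself can refuse any request that does not name it. The following is an added example, not code from the post or from any of the papers it links to; it is a small WSGI middleware that applies that Host header allowlist, and all names in it (intranet.example, attacker.test, the hello_app handler) are constructed for illustration. It also handles the edge cases a practitioner runs into: case differences, an explicit port, a bracketed IPv6 literal and a missing Host header.

```python
# Added example: server-side Host header allowlist as a DNS rebinding defence.
# Not from the original post; hostnames below are constructed placeholders.
from typing import Callable, Iterable, List, Optional


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return the lower-cased host name without its port, or None if missing/malformed."""
    if not host_header or not host_header.strip():
        return None
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal such as [::1]:8080 -> keep only the bracketed part.
        end = host.find("]")
        return host[: end + 1] if end != -1 else None
    # Host name or IPv4 literal, optionally followed by :port.
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host or None


def is_host_allowed(host_header: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    """True only when the request names one of the server's own host names."""
    host = normalize_host(host_header)
    return host is not None and host in {h.strip().lower() for h in allowed_hosts}


class HostAllowlist:
    """WSGI middleware: refuse any request whose Host header is not one of ours.

    A rebound request still arrives at our IP, but the browser sends the
    attacker's domain in Host, so it never reaches the wrapped application.
    """

    def __init__(self, app: Callable, allowed_hosts: Iterable[str]) -> None:
        self.app = app
        self.allowed = list(allowed_hosts)

    def __call__(self, environ, start_response):
        if not is_host_allowed(environ.get("HTTP_HOST"), self.allowed):
            start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
            return [b"Host header does not name this server\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the real intranet application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from the intranet\n"]


# Constructed deployment: the app is legitimately reached as intranet.example
# or localhost; attacker.test is a rebinding name that now resolves to our IP.
protected = HostAllowlist(hello_app, ["intranet.example", "localhost"])


def request_status(host_header: Optional[str]) -> str:
    """Drive the middleware with a constructed request and return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    seen: List[str] = []

    def start_response(status, headers, exc_info=None):
        seen.append(status)

    list(protected(environ, start_response))  # consume the body iterable
    return seen[0]


if __name__ == "__main__":
    for h in ["intranet.example", "INTRANET.example:8080", "attacker.test", "10.0.0.5", None]:
        print(f"Host={h!r:28} -> {request_status(h)}")
```

The allowlist must contain every name (and any raw IP) by which the service is legitimately reached, otherwise legitimate clients get the 421 response too; and the check complements, rather than replaces, pinning in the browser, since it protects only the servers on which it is deployed.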

  1. Protecting Browsers from DNS Rebinding Attacks
  2. XSRF^2
  3. Anti-DNS pinning and DNS-rebinding attacks
  4. Defending networks against DNS rebinding attacks

Facebook code leaked… but was it hacked too?

August 11th, 2007

Everyone will be talking about this soon. Someone leaked the source of Facebook’s index page on a website called Facebook Secrets.

Update: Brandee Barker from Facebook responded to Nik on TechCrunch.

Hi Nic-

I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.

Thanks to you and the TC readers for helping us out on this one.

Brandee Barker
Facebook

What is not clear is whether this was a hack or whether someone inside was involved. This is what Nik Cubrilovic from TechCrunch has to say…

“There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited. Since Facebook is a closed source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party will probe the application in an attempt to work out how the application behaves and to try and find potential race conditions. In closed source applications it is common that developers rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.

The second implication with this leak is that the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).”