Setup High Performance Server

High performance server? Yes. It is no surprise that we can set up a high performance server ourselves.

Server – a computer running a service. Yes, it is true: servers are nothing but computers running the appropriate services.

So what is a server? Hardware, software, or both? What about the big six-foot-high machines we think of as servers?

A server can be any computer running one or more services.

You can turn your laptop, your desktop or even your mobile phone into a server, but performance matters.

A server's performance depends on hardware and software. We can upgrade hardware to improve performance, but upgrading software may fix bugs and add new features without improving performance, and can even reduce it.

Our main concern is choosing the right software for the right job. There is no all-in-one software, and even if there were, it would be slow or buggy. We need to choose each and every piece of software carefully to build a better system.

I will illustrate this with an example.

Requirement : We are 10 people in 6 geographic locations who intend to develop a social network that may serve 100 million users.

Analysis : Assume that we have the best hardware and focus on software. The software includes the operating system, programming language, database server, web server, SCM server and cache server. Our software needs to have a small memory footprint and be bug-free, virus-free, secure and fast.

Existing high performance implementations like Hotmail, Yahoo, Facebook, Twitter and Google look like this:

  • Google : Python, C++, Plan9 (I think), Bigtable, GWS, GFS, MySQL, …
  • Facebook : Linux, C++, C, PHP, Scribe, Thrift, Apache Cassandra, HipHop, Tornado, Apache Hive, Varnish, MySQL, Memcached.
  • Hotmail : IIS, Windows Server, .NET, …
  • YouTube : Memcached, …
  • Yahoo : PHP, MySQL, FreeBSD, …
  • Twitter : Ruby, Memcached, …

OS : CentOS or Ubuntu. We have a lot of operating systems to choose from, such as Windows, Solaris, Unix, BSD, Linux, Mac, Plan9 and AIX, but the Linux kernel is under more active development than any other; it is fast, scalable and secure, and nearly as bug-free and virus-free as UNIX. Linux has a lot of flavours, so we choose an advanced and well-known version among them.

Programming Language : C, PHP, JavaScript, Python, Haskell. There are several kinds of languages: procedural, object oriented, dynamic, functional, event driven, structured, statically typed, dynamically typed and a few more, each with its own advantages. Normally we choose a programming language according to our need and purpose rather than what we fancy. In general we have C, C++, Perl, Python, Ruby, .NET (VB, C#, F#), Java, PHP, Haskell, Scheme, JavaScript, Tcl, … C is best for low-level work, PHP for working with HTTP/HTML, JavaScript for enriching the presentation layer, Python for text processing, and Haskell for any extended programming that takes advantage of a functional language.

DBMS : MySQL or Apache Cassandra. We choose a fast, distributed database management system from MySQL, MS SQL Server, PostgreSQL, Oracle, DB2, …

Web Server : nginx. A web server's performance depends on how it processes requests and how it handles scripts (PHP, Ruby, Python, Java, …). There are lots of web servers: Lighttpd, nginx, Apache, Cherokee, IIS, Tomcat, GlassFish, WebLogic, Mongrel, WEBrick, …

SCM Server : Git. Git is the best of its kind when compared with Mercurial, Subversion, Bazaar, CVS, BitKeeper and several others.

Cache Server : Varnish

In future I will try to screencast the best setup I can.

Cloud Computing: Yahoo! Reaches the 2 Quadrillionth Bit of Pi

A Yahoo! engineer has reached a new cloud computing milestone. Using Hadoop, Yahoo! cloud computing engineer Tsz Wo (Nicholas) Sze has determined the computation of π (pi) to the two quadrillionth decimal. And it equals zero. It is the largest number of bits ever calculated for pi.

This is a remarkable achievement and shows the power of distributed systems for crunching big data.

It’s also an example of how data is changing our infrastructure as we discover new ways to develop applications with greater computational capabilities.

As Yahoo! points out, pi is a mathematical constant that is used to calculate the area of a circle.

Sze’s discovery follows a long line of mathematicians who have sought a bigger piece of the pi, no pun intended of course. This effort took some significant firepower and Hadoop magic:

“The circumference of the visible universe can be calculated using a mere 39 or 40 decimal places, so what are Yahoos like Nicholas doing out at those outer reaches? For Nicholas, this was a project ideally suited to flex the muscles of Hadoop, the open source technology at the epicenter of big data and cloud computing. The computation took 23 full days and required 1000 different machines using Hadoop.”

The achievement shows the power of distributed systems and points to how Yahoo! has adapted its business to the research it has done using Hadoop.

Yahoo! is one of the pioneers in using Hadoop. It has helped the company better define the context of its network and the personal preferences of the millions of people who use Yahoo! every day.

What that means for Yahoo! is a better understanding of how to use the computational powers of cloud computing. It provides the opportunity to do all sorts of things. Yahoo! engineers, for instance, are learning how to speed up calculations and algorithms. That faster crunch time? Think of one of the world’s largest networks doing mathematics equations and you have something that equates to a whole new experience. It goes beyond new ways to find new songs or predict the price of apples in the commodity exchange.

Instead, this points to the entrance of a new world where our culture meets the power of big data. A society that is driven more by information than machine.

Hackers blind quantum cryptographers

A way to intercept photons of light to create a security leak has been discovered. (Image: Punchstock)

Quantum hackers have performed the first ‘invisible’ attack on two commercial quantum cryptographic systems. By using lasers on the systems — which use quantum states of light to encrypt information for transmission — they have fully cracked their encryption keys, yet left no trace of the hack.

Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells.

Vadim Makarov at the Norwegian University of Science and Technology in Trondheim and his colleagues have now cracked it. “Our hack gave 100% knowledge of the key, with zero disturbance to the system,” he says.

In standard quantum cryptographic techniques, the sender — called ‘Alice’ for convenience — generates a secret key by encoding classical bit values of 0 and 1 using two different quantum states of photons, or particles of light. The receiver, ‘Bob’, reads off these bit values using a detector that measures the quantum state of incoming photons. In theory, an eavesdropper, ‘Eve’, will disturb the properties of these photons before they reach Bob, so that if Alice and Bob compare parts of their key, they will notice a mismatch.

In Makarov and colleagues’ hack, Eve gets round this constraint by ‘blinding’ Bob’s detector — shining a continuous, 1-milliwatt laser at it. While Bob’s detector is thus disabled, Eve can then intercept Alice’s signal. The research is published online in Nature Photonics today.

Breaking the rules

The cunning part is that while blinded, Bob’s detector cannot function as a ‘quantum detector’ that distinguishes between different quantum states of incoming light. However, it does still work as a ‘classical detector’ — recording a bit value of 1 if it is hit by an additional bright light pulse, regardless of the quantum properties of that pulse.

That means that every time Eve intercepts a bit value of 1 from Alice, she can send a bright pulse to Bob, so that he also receives the correct signal, and is entirely unaware that his detector has been sabotaged. There is no mismatch between Eve and Bob’s readings because Eve sends Bob a classical signal, not a quantum one. As quantum cryptographic rules no longer apply, no alarm bells are triggered, says Makarov.

“We have exploited a purely technological loophole that turns a quantum cryptographic system into a classical system, without anyone noticing,” says Makarov.

Makarov and his team have demonstrated that the hack works on two commercially available systems: one sold by ID Quantique (IDQ), based in Geneva, Switzerland, and one by MagiQ Technologies, based in Boston, Massachusetts. “Once I had the systems in the lab, it took only about two months to develop a working hack,” says Makarov.

This is the latest in a line of quantum hacks. Earlier this year, a group led by Hoi-Kwong Lo at the University of Toronto in Ontario, Canada, also showed that an IDQ commercial system could be fully hacked. However, in that case, the eavesdropper did introduce some noticeable errors in the quantum key.

Grégoire Ribordy, chief executive of IDQ, says that the hack of Makarov and his group is “far more practical to implement and goes further than anything that has gone before”.

Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makarov informed both companies of the details of the hack before publishing, so that patches could be made, avoiding any possible security risk.

“We provide open systems for researchers to play with and we are glad they are doing it,” says Anton Zavriyev, director of research and development at MagiQ.

Ribordy and Zavriyev stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ’s system also use classical cryptographic techniques as a safety net, says Ribordy.

Makarov agrees that the hack should not make people lose confidence in quantum cryptography. “Our work will ultimately make these systems stronger,” he says. “If you want state-of-the-art security, quantum cryptography is still the best place to go.”

100 million Facebook pages leaked on torrent site

Image: Screen capture of Facebook directory download

A directory containing personal details about more than 100 million Facebook users has surfaced on an Internet file-sharing site.

The most dramatic “data theft” to hit social networks in quite a while isn’t a theft at all.
Facebook users were hit with another frightening reminder on Thursday that not everyone online is their friend, as over 100 million personal profiles and details from the service were scraped from Facebook’s pages and published on the Web.
But Facebook wasn’t hacked. Far from it. And if users had personal details exposed, they have no one but themselves to blame.
A program written by Ron Bowes, a security consultant at Skull Security, scanned all the listings in Facebook’s open-access directory and then compiled a text file that lists the information he uncovered. That data potentially exposes some Facebook users’ birthdays, addresses, phone numbers and more — but only because they chose not to keep those details private.
“All I’ve done is compile public information into a nice format for statistical analysis,” Bowes told the BBC. He explained that he had simply accessed the same information that’s available to search engines like Google, Bing and Yahoo — or the countless white-pages services available online.
But the stunt should make those 100 million Facebook users reconsider what personal information they make available online.
Going public with your birthday and address exposes you to the very real threat of identity theft and fraud — not to mention stalking and other unwelcome advances. Hackers typically troll for such information to open credit cards under aliases, or they use the names they find in other online scams.
And it’s hardly unreasonable to presume that some of the thousands of people who have downloaded Bowes’ file since it hit the Internet have criminal intentions.
Facebook is putting a straight face on the story. Company spokesman Andrew Noyes told FoxNews.com that the “information that people have agreed to make public was collected by a single researcher … no private data is available or has been compromised.”
As Facebook leaves it up to its users to decide how much personal information they want to reveal to the public, people who want to keep some things to themselves are encouraged to take a few specific steps.
To be removed from the open access directory that Bowes scanned, users should select “Privacy Settings” under the “Account” heading on the Facebook screen, then edit the “Public Search” option to uncheck the “Enable public search” box.
Then they should go back to the privacy settings and select “Custom” to specify what information (photos, comments, and so on) they want to share, and with whom.
If your profile was set to be searchable by everyone, chances are you’re in Bowes’ file, and there’s nothing you can do about that now.
Facebook users should also be aware that after they have changed their privacy settings, their old profile pages may still be publicly available because they are often stored (or cached) by search engines.
Ultimately, this latest incident is just another reminder of the basic reality of modern cyber security:
Whatever it is . . . if you wouldn’t put it on a billboard in Times Square, don’t post it on the Web.


The 2.8GB torrent was compiled by hacker Ron Bowes of Skull Security, who created a web crawler program that harvested data on users contained in Facebook’s open access directory, which lists all users who haven’t bothered to change their privacy settings to make their pages unavailable to search engines.

Bowes’ directory contains 171 million entries, relating to more than 100 million individual users – more than one in five of Facebook’s recently trumpeted half billion user base.

The file contains user account names and a URL for each user’s profile page, from which details such as addresses, dates of birth or phone numbers can be accessed. Accessing a user’s page from the list will also enable you to click through to friends’ profiles – even if those friends have made themselves non-searchable.

There’s absolutely nothing illegal about what Bowes has done – the information is, after all, publicly available – but perhaps the existence of a stalker’s online black book might finally persuade less security-minded Facebook users to get their arses in gear.

http://www.skullsecurity.org/Resume-20100621.pdf

http://www.skullsecurity.org/blog/

PHPIDS Secure your php app.

PHPIDS (PHP Intrusion Detection System) is a simple-to-use, well-structured, fast and state-of-the-art security layer for your PHP-based web application. The IDS neither strips, sanitizes nor filters any malicious input; it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules, any attack is given a numerical impact rating, which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker, or even ending the user’s session.
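The impact-rating idea above, as an added example that is not from the PHPIDS project or the original post: it runs PHPIDS over a constructed request and maps the cumulative impact to a graded reaction. It assumes the 0.6-era `IDS_Init`/`IDS_Monitor`/`IDS_Report` class names with the library's `lib/` directory under `./phpids`, and the thresholds in `react_to_impact()` are an assumed policy, not PHPIDS defaults.

```php
<?php
// Added example (not PHPIDS project code). Assumes PHPIDS 0.6-era classes
// and that ./phpids/lib holds the library; thresholds below are assumed.
set_include_path(get_include_path() . PATH_SEPARATOR . __DIR__ . '/phpids/lib');
require_once 'IDS/Init.php';

// Constructed sample input standing in for $_GET/$_POST/$_COOKIE: one benign
// field and one carrying a script tag that the default filter rules flag.
$request = array(
    'GET'    => array('q' => 'nginx tuning', 'name' => '<script>alert(1)</script>'),
    'POST'   => array(),
    'COOKIE' => array(),
);

$init = IDS_Init::init(__DIR__ . '/phpids/lib/IDS/Config/Config.ini.php');
$init->config['General']['base_path']     = __DIR__ . '/phpids/lib/IDS/';
$init->config['General']['use_base_path'] = true;
$init->config['Caching']['caching']       = 'none';

$ids    = new IDS_Monitor($request, $init);
$result = $ids->run();   // IDS_Report; empty when no rule matched

// Assumed policy: the cumulative impact decides the reaction. Low impact is
// only logged, mid impact shows a warning, high impact ends the session.
function react_to_impact($impact)
{
    if ($impact == 0)  return 'allow';
    if ($impact < 10)  return 'log';
    if ($impact < 25)  return 'warn';
    return 'end-session';
}

if (!$result->isEmpty()) {
    $action = react_to_impact($result->getImpact());

    // Always record the event through the file logger from Config.ini.php.
    $log = new IDS_Log_Composite();
    $log->addLogger(IDS_Log_File::getInstance($init));
    $log->execute($result);

    // One IDS_Event per offending parameter: name, impact and rule tags.
    foreach ($result as $event) {
        error_log(sprintf('PHPIDS %s: param=%s impact=%d tags=%s',
            $action, $event->getName(), $event->getImpact(),
            implode(',', $event->getTags())));
    }

    if ($action === 'end-session') {
        session_start();
        session_destroy();
    }
}
```

With the sample input the `name` parameter trips the XSS rules, so the report is non-empty and the chosen action depends on the summed impact of the matched filters.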