The Daily Parker

Politics, Weather, Photography, and the Dog

Out of the apartment, into the cloud (Part 2)

Last weekend I described moving my email hosting from my living room home office out to Microsoft Exchange Online. And Thursday I spent all day at a Microsoft workshop about Windows Azure, the cloud computing platform on which my employer, 10th Magnitude, has developed software for the past two years.

In this post, I'm going to describe the actual process of migrating from an on-site Exchange 2007 server to Exchange Online. If you'd prefer more photos of Parker or discussions about politics, go ahead and skip this one. It's pretty technical and Parker only makes a brief cameo.

About 18 months ago, 10th Magnitude's CTO tried to move us to the predecessor of Exchange Online and Office 365, the Business Productivity Online Suite, AKA "BPOS." He was quite adamant that BPOS was a CPOS, and that just setting up the service was a complete PITA. I'd like to assure him and everyone else thinking about cloud-based email that the situation today has improved.

The new migration tools start you with a step-by-step checklist, linked to all the documentation you need, that takes you through the entire process:

Step 1 took fifteen seconds. I called my dad and told him I was moving his email account to a different server, and that he probably wouldn't even notice the change except his password would change. He said fine. That was easy.

Step 2 was to add my domains to Exchange Online. My existing Exchange organization hosted eight domains, which it had acquired over the 12 years or so I'd run development servers in my office. Each domain required going into my DNS registration account at DNS Made Easy and adding a TXT record proving I owned it. Fortunately, my DNS provider and Microsoft communicated in real time about the updates, so I got through 7 of 8 domains in about 10 minutes. The 8th domain, which unfortunately was the Active Directory root domain, had its nameservers pointed at the DNS registrar that I used before switching to DNS Made Easy. Switching nameservers took an entire day, for reasons that pass understanding.

Step 3, mailbox migration, had a few hiccups, and required more effort than I anticipated. First, using the Remote Connectivity Analyzer, I discovered that the specific combination of DNS records, firewall rules, and mailbox configuration on my Exchange server wouldn't allow migration. It took about two hours of playing whack-a-mole to get just one of the tests in the suite to work. Microsoft provided (generally) comprehensive instructions on how to fix the problems I encountered, however. The test suite on its own gave me a good idea of what I was doing wrong, even without the TechNet articles.

The remaining steps in the plan—redirecting mail to the new server, completing the mailbox migration, activating users, and starting to use Exchange Online—took about fifteen minutes. Seriously.

The whole effort took six hours total. Part of this includes the post-move configuration changes I had to make to several services and Web sites, as my Exchange server was also my internal SMTP server. This blog, all of my hosted websites, and the collection of services that support those websites (like Weather Now, for example) all had to have a new SMTP server to send emails out. That was a little tricky, and required using IIS6 tools on a Windows 2008 server. But that's another story.

Also, my RSS feeds didn't fare well in the switch. With Exchange 2007 and Outlook 2010, your RSS feeds are stored on the server, not the client. So I had to add all of them back by hand after the migration.

It's important to note a few things that would make this more difficult for a larger business than mine. I had two active mailboxes for people and a couple for support services, I controlled both the Exchange server and the network, and I had no critical business issues during the switch. Larger organizations will have to handle a migration much more carefully than I did.

In the end, my email experience is exactly the same. And my apartment home office is noticeably quieter with two fewer servers gobbling electricity.

Terrorists! Communists! Anarchists! Roundheads! Saxons!

The FBI has put together a committee of university presidents to root out foreign spies who have infiltrated American colleges:

While overshadowed by espionage against corporations, efforts by foreign countries to penetrate universities have increased in the past five years, [Frank] Figliuzzi, [Federal Bureau of Investigation assistant director for counterintelligence] said. The FBI and academia, which have often been at loggerheads, are working together to combat the threat, he said.

Attempts by countries in East Asia, including China, to obtain classified or proprietary information by “academic solicitation,” such as requests to review academic papers or study with professors, jumped eightfold in 2010 from a year earlier, according to a 2011 U.S. Defense Department report. Such approaches from the Middle East doubled, it said.

The problem with this, as a number of people pointed out in the article, is that academics share information freely. That's their freaking job. And the U.S. has hundreds of thousands of foreign students—76,000 from China alone—because, for now anyway, we have the best schools in the world.

Of course the FBI should go after real spies, and discovering former Russian intelligence agent Sergei Tretyakov probably prevented Russia from stealing information that would have helped them catch up to where we'd gotten ten years earlier.

The university presidents on the FBI's committee need to remember their first duty. I hope some of them will remind the FBI that suspecting lots of foreigners of trying to spy on us will cost more than it will save.

This is a very old conversation. There are always people who see enemies everywhere. Sometimes they're right; but we need to make sure that when they're wrong, they don't cause more damage than they're trying to prevent.

Disclosing Facebook passwords

Raganwald yesterday posted a facetious resignation outlining the dangers to employers of asking prospective employees to disclose social media information:

I have been interviewing senior hires for the crucial tech lead position on the Fizz Buzz team, and while several walked out in a huff when I asked them to let me look at their Facebook, one young lady smiled and said I could help myself. She logged into her Facebook as I requested, and as I followed the COO’s instructions to scan her timeline and friends list looking for evidence of moral turpitude, I became aware she was writing something on her iPad.

“Taking notes?” I asked politely.

“No,” she smiled, “Emailing a human rights lawyer I know.” To say that the tension in the room could be cut with a knife would be understatement of the highest order. “Oh?” I asked. I waited, and as I am an expert in out-waiting people, she eventually cracked and explained herself.

“If you are surfing my Facebook, you could reasonably be expected to discover that I am a Lesbian. Since discrimination against me on this basis is illegal in Ontario, I am just preparing myself for the possibility that you might refuse to hire me and instead hire someone who is a heterosexual but less qualified in any way. Likewise, if you do hire me, I might need to have your employment contracts disclosed to ensure you aren’t paying me less than any male and/or heterosexual colleagues with equivalent responsibilities and experience.”

Three things:

  • He's right on the main point. Looking through employees' Facebook pages uninvited is tricky enough. Determining whether or not to hire someone based on a Facebook page is closer to the line. Forcing the disclosure crosses the line, surveys the land, plants a flag, and invites the natives to kill you in your sleep.
  • Disclosing a password to anyone for any reason is, almost always, a bad idea. Authentication is half of security (the other is authorization, which depends on you being who you say you are). The corollary to authentication is deniability. If you lose control over your Facebook password, you expose yourself to identity theft. To emphasize this point, in our office we routinely prank developers who leave their keyboards unlocked when they leave the room. Walking away at a client site could let clients see other clients' materials, for starters, but it also could allow someone to send email or make Facebook posts in your name.
  • I am proud to report that Illinois is right now passing a law to prohibit this practice. It will probably be signed later this month.

Other things of note

I don't want to lose these things:

That is all. More UK and France photos later today.

Google blocked at Peet's Coffee in HMB

I've spent the morning working at the Peet's Coffee in Half Moon Bay, Calif. For some reason, this location has blocked HTTP access to most Google addresses.

The most obvious symptom is that browser requests to Google, YouTube, and other Google properties (including Gmail) simply don't go through. Chrome reports "connection reset" after timing out; IE simply spins into oblivion. Another symptom, which took me a few moments to figure out, is that sites that have Google Analytics bugs (like this one) sometimes, but not always, fail to load. Reading the page source shows that the entire page has loaded, but the browser doesn't render the page because part of it is being blocked.

Using nothing more sophisticated than Ping and Tracert, I've determined that the block occurs pretty close to my laptop, possibly even in the WiFi router or in Peet's proxy server. Pinging Google's public DNS service (8.8.8.8) works fine, as does making nslookup requests against it. But pinging www.google.com, www.youtu.be, and www.gmail.com all fail. Tracerts to these URLs and directly to their public IPs also fail at the very first hop.

Google IPs appear to start with 74.125.x.y. Tracert to 8.8.4.4 passes through 74.125.49.85 a few hops away; www.google.com resolves to 74.125.224.84; etc. However, reverse DNS lookups show something slightly different. 8.8.4.4 resolves back to google-public-dns-b.google.com; however, 74.125.224.84 resolves back to nuq04s07-in-f20.1e100.com. 74.125.224.69 (www.youtu.be) resolves back to another 1e100.com address.
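The reasoning in the two paragraphs above (the control target 8.8.4.4 gets out, the Google hostnames die at the very first hop, so the block must be local) can be turned into a small script that parses Windows `tracert` output and locates the block by comparing where each trace dies. This is an added example, not code from the original post; the two trace outputs embedded in it are constructed for the example, not captures from Peet's, and the private hop addresses (192.168.0.1, 10.0.0.1) are placeholders.

```python
"""Locate a selective network block by correlating tracert output across targets.

Added example, not from the original post. It parses Windows `tracert` output,
finds the first hop at which each trace dies for good, and compares a control
target that is known to work (8.8.4.4 on the page) against the targets that fail.
The sample outputs below are constructed for this example; the hop addresses
192.168.0.1 and 10.0.0.1 are placeholders.
"""
import re
from typing import Dict, List, Optional, Tuple

# A hop line starts with the hop number; banner lines ("Tracing route to ...",
# "over a maximum of 30 hops:", "Trace complete.") do not.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_tracert(text: str) -> List[Tuple[int, bool]]:
    """Return [(hop_number, timed_out)] for every hop line in tracert output.

    A hop counts as timed out only when all three probes were lost, which
    tracert prints as 'Request timed out.'; a hop that answered any probe
    is treated as reachable.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = int(m.group(1))
        timed_out = m.group(2).strip().endswith("Request timed out.")
        hops.append((hop, timed_out))
    return hops


def first_dead_hop(hops: List[Tuple[int, bool]]) -> Optional[int]:
    """First hop of the terminal run of timeouts, or None if the last hop answered.

    A trace that goes silent for a few hops and then recovers is not 'dead';
    only a run of timeouts that continues to the end of the trace counts.
    """
    if not hops or not hops[-1][1]:
        return None
    dead = hops[-1][0]
    for hop, timed_out in reversed(hops):
        if not timed_out:
            break
        dead = hop
    return dead


def locate_block(traces: Dict[str, str], control: str) -> str:
    """Classify where a selective block sits.

    `traces` maps a target name to its raw tracert output; `control` names a
    target that should reach its destination if the network itself is up.
    """
    dead = {name: first_dead_hop(parse_tracert(out)) for name, out in traces.items()}
    if dead[control] is not None:
        return "control target also fails: general outage, not a selective block"
    blocked = {name: hop for name, hop in dead.items() if hop is not None}
    if not blocked:
        return "no target failed"
    hops = sorted(set(blocked.values()))
    if hops == [1]:
        return ("first hop drops traffic to " + ", ".join(sorted(blocked))
                + ": block is on the local gateway or proxy")
    return f"block begins at hop(s) {hops}, beyond the local network"


# Constructed output: the control trace gets out through the local router.
CONTROL_TRACE = """\
Tracing route to google-public-dns-b.google.com [8.8.4.4]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.0.1
  2    14 ms    12 ms    13 ms  10.0.0.1
  3    21 ms    20 ms    22 ms  74.125.49.85
  4    22 ms    21 ms    21 ms  google-public-dns-b.google.com [8.8.4.4]

Trace complete.
"""

# Constructed output: the trace to www.google.com never gets a reply, even from hop 1.
GOOGLE_TRACE = """\
Tracing route to www.google.com [74.125.224.84]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.

Trace complete.
"""

if __name__ == "__main__":
    print(locate_block({"8.8.4.4": CONTROL_TRACE, "www.google.com": GOOGLE_TRACE},
                       control="8.8.4.4"))
```

The useful part is the comparison, not the parser: a dead first hop on its own could mean the laptop's own WiFi is down, so the script refuses to call anything a selective block until the control target has demonstrably reached its destination through the same first hop.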

All other sites appear to work fine, with decent (megabit-speed) throughput.

So, the mystery is: who has blocked Google from this Peet's store, and why? I have sent Peet's a request for comment.

You have the right to remain silent

A man accused of rape in Alabama got into an online argument with the Jefferson County Sheriff's Office on the office's Facebook page:

U.S. Marshals took Dustin McCombs into custody today in Ohio, said Chief Deputy Randy Christian.

The U.S. Marshal's Gulf Coast Regional Task Force in Birmingham shared information with their counterparts in Ohio who tracked down the fugitive.

McCombs was featured on the Jefferson County Sheriff Department's Facebook page as its "Creep of the Week" because of an outstanding forcible rape charge.

McCombs apparently decided that was a challenge, taking up a posting duel with the department on Facebook, according to the website Gizmodo.

Of course, McCombs has not been convicted of the crime that led to his arrest warrant, but wow is he stupid. The entire exchange is still available on Failbook, and worth a look. So is the sheriff's Facebook page, which seems like an effective use of social media by government.

Vox populi

Welcome back. We were dark today to protest two flawed legislative proposals, the Stop Online Piracy Act and the Protect IP Act.

The administration today hinted at a threat to veto SOPA, while several senators have withdrawn support for PIPA in response to the blackout protests around the Internet:

Co-sponsors who say they can no longer support their own legislation include Senators Marco Rubio, a Florida Republican, Roy Blunt, a Missouri Republican, and Ben Cardin, a Maryland Democrat. Republican Representatives Ben Quayle of Arizona, Lee Terry of Nebraska, and Dennis Ross of Florida also said they would withdraw their backing of the House bill.

Rubio said he switched his position on the Senate measure, the Protect IP Act, after examining opponents’ contention that it would present a “potentially unreasonable expansion of the federal government’s power to impact the Internet,” according to a posting today on Facebook. Blunt said in a statement today he is withdrawing as a co-sponsor of the Senate bill.

The Washington Monthly explains the administration's volte-face on SOPA:

The White House didn’t issue a veto threat, per se, but the administration’s chief technology officials concluded, “We will not support legislation that reduces freedom of expression, increases cybersecurity risk or undermines the dynamic, innovative global Internet.” The statement added that any proposed legislation “must not tamper with the technical architecture of the Internet.” The White House’s position left SOPA and PIPA, at least in their current form, effectively dead.

The state of play in the Senate is a little different — a PIPA vote is likely next Tuesday — but even in the upper chamber, the bill is quickly losing friends. Sen. Scott Brown (R-Mass.) announced his opposition yesterday, and Sen. Ben Cardin (D-Md.), a former co-sponsor of PIPA, is also now against it.

The President did, however, shut down the Keystone XL pipeline (at least for now).

So, in all, this was a pretty good day for the people.

Update: Via Coding Horror, Mozilla Foundation Chair Mitchell Baker has a great description of why PIPA and SOPA are so awful.

Wikipedia joins SOPA protest; Twitter boss scoffs

The largest encyclopedia ever assembled will go offline tomorrow to protest against the Stop Online Piracy Act, currently working its way through Congress's collective bowels. From Wikipedia's public statement:

[T]he Wikimedia Foundation is asked to allocate resources and assist the community in blacking out the project globally for 24 hours starting at 05:00 UTC on January 18, 2012, or at another time as determined by the Wikimedia Foundation. This should be carried out while respecting technical limitations of the underlying software, and should specifically prevent editing wherever possible. Provisions for emergency access to the site should be included in the blackout software. In order to assist our readers and the community at large to educate themselves about SOPA and PIPA, these articles and those closely related to them will remain accessible for reading purposes if possible. Wikipedians are urged to work with WMF staff to develop effective messaging for the "blackout screens" that directs readers to suitable online resources. Sister projects, such as the German and Italian Wikipedias and Wikimedia Commons, have indicated an intention to support the same principles with banners on those sites, and the support of other projects is welcome and appreciated.

Twitter CEO Dick Costolo is unimpressed: " 'That's just silly. Closing a global business in reaction to single-issue national politics is foolish,' Costolo [said]."

For what it's worth, my U.S. Senators are split: Senator Mark Kirk (R-IL) claims to be opposed to it, while Senator Dick Durbin (D-IL) is a co-sponsor of the Senate's version. Neither has any material on his website about it. I have written to Senator Durbin and to Representative Mike Quigley (D-IL) for comment.

SOPA would be unconstitutional

Via Sullivan, a constitutional analysis of the Stop Online Piracy Act:

To begin with, the bills represent an unprecedented, legally sanctioned assault on the Internet’s critical technical infrastructure. Based upon nothing more than an application by a federal prosecutor alleging that a foreign website is “dedicated to infringing activities,” Protect IP authorizes courts to order all U.S. Internet service providers, domain name registries, domain name registrars, and operators of domain name servers—a category that includes hundreds of thousands of small and medium-sized businesses, colleges, universities, nonprofit organizations, and the like—to take steps to prevent the offending site’s domain name from translating to the correct Internet protocol address.

This not only violates basic principles of due process by depriving persons of property without a fair hearing and a reasonable opportunity to be heard, it also constitutes an unconstitutional abridgement of the freedom of speech protected by the First Amendment. The Supreme Court has made it abundantly clear that governmental action suppressing speech, if taken prior to an adversary proceeding and subsequent judicial determination that the speech in question is unlawful, is a presumptively unconstitutional “prior restraint.” In other words, it is the “most serious and the least tolerable infringement on First Amendment rights,” permissible only in the narrowest range of circumstances. The Constitution requires a court “to make a final determination” that the material in question is unlawful “after an adversary hearing before the material is completely removed from circulation.”

(Emphasis in quoted blog post; references removed.)

I've already written to my representative in Congress; have you written to yours?

Bruce Schneier gives another interview

Given my activities yesterday (i.e., going through airport security), I found the latest interview with Bruce Schneier timely and once again correct:

As we came by the checkpoint line, Schneier described one of these aspects: the ease with which people can pass through airport security with fake boarding passes. First, scan an old boarding pass, he said—more loudly than necessary, it seemed to me. Alter it with Photoshop, then print the result with a laser printer. In his hand was an example, complete with the little squiggle the T.S.A. agent had drawn on it to indicate that it had been checked. “Feeling safer?” he asked.

To a large number of security analysts, [the billions we've spent on security theater] makes no sense. The vast cost is not worth the infinitesimal benefit. Not only has the actual threat from terror been exaggerated, they say, but the great bulk of the post-9/11 measures to contain it are little more than what Schneier mocks as “security theater”: actions that accomplish nothing but are designed to make the government look like it is on the job. In fact, the continuing expenditure on security may actually have made the United States less safe.

Yes. We spend money on high-tech, whiz-bang solutions to human-intelligence problems. The attack on 9/11 can't happen again in the U.S., not because of full-body scanners at airports, but because of reinforced cockpit doors and vigilant passengers. Should we let just anyone board a transport airplane without a security check[1]? No, of course not; but we should make the checks effective, rather than flamboyant.

Security, however, tends to ratchet up, because no one wants to be the guy who relaxed security right before an attack. And we know an attack will happen someday; nihilists are not easily dissuaded from their crimes. Still, one can hope.