Q 8 Blog Reviews » Posts for tag 'person'

User Ignorance Causes Cloud Security Leak; Accounts, Passwords Revealed

At 1:00 a.m. on Sunday morning I was doing routine maintenance on my personal Amazon Web Services account and instead found myself looking at something I had no right to be seeing: a database with 800,000 user accounts to the e-card site CardMaster.com. Along with that were the database passwords and back end of a major U.S. Public Broadcasting Service news show website (Gwen Ifill's Washington Week), including daily updates from panelists on the stories they cover.

I wish I wasn't the person to find this. I founded one of Amazon's earliest dashboards. My consultancy is on Amazon's European Customer Advisory Board. But this highlights a significant issue in the cloud today: there is a whole new user profile acting as developer and administrator. We are becoming empowered with amazing tools - and being given enough rope to really hang ourselves.

Guest author Jonathan Siegel is a serial entrepreneur and founder of the cloud applications consultancy ELCTech.com as well as a handful of cloud startups. Jonathan's book, Electric Connections, is due out in June of this year.

I am an early adopter, business builder and owner of a cloud consultancy. On Sunday morning I went to clear out my personal Amazon Web Services account of excess files after seeing huge usage numbers from a report by CloudSplit. For those technically inclined, I was clearing out my S3 buckets and moving the few files that I wanted to save into an EBS disk instead. My EBS disk ran out of space and I went to use a feature called EBS Snapshots. Snapshots are like a tape backup of your EBS disk drive. That's when I noticed something odd: my EBS Snapshot account was filled with hundreds of snapshots, when I knew I had only made a handful. I wondered: why do I have access to these backups? Were these backups made by my teammates? Shared snapshots from Amazon? Or something else...

What I saw were backups of Enron emails, a genomics database and then two that made my stomach turn - a database for 800,000 user accounts to CardMaster.com and the database and site files for the Washington Week website. Yeah, the Enron emails are a non sequitur and the genomics database was likely meant to be public. But the other two, there's no way they were intended for the public, yet here they were - marked as public and available to me or any other Amazon cloud user.

How Did This Happen?

Amazon is the largest and longest-running public cloud computing platform. It has pushed the boundaries of technology infrastructure for us users. In fact, it has given us tools that are more powerful than anything we previously had available in our own small datacenters. This is great, because before we needed to hire trained Cisco or NetApp administrators in order to do basic tasks as our websites scaled. This was expensive and added another step - a delay - to our deployments. Amazon's infrastructure commoditizes much of this technology into simple Web calls; paste some XML to Amazon and your website gets a full incremental backup to live-networked NAS.

But as Stan Lee has warned us: with great power comes great responsibility. By giving programmers control of the network and storage, we've empowered developers to take on system administration chores. This power has come too quickly or is being digested too lightly - as my discovery has shown.

In the case of PBS's Washington Week there was quick acceptance of the issue. "It was human error and nothing personal was exposed," said Kevin Dando, PBS's Director of Digital Communications. "Although we weren't aware of the issue initially, it was easily corrected. Because of Amazon's strong audit capabilities we could pinpoint the error and fix it quickly." Despite numerous attempts we were unable to reach CardMaster.com.

This highlights a deeper issue in the cloud today: despite what you may think, cloud security is not sexy. We are seeing products that address the baseline needs of cloud functionality, like Amazon's dashboard and the support sites for the cloud. They focus on the sexy: deploying mobile apps, auto-scaling, grid processing and other buzzword-friendly features. But the dirty truth is that the cloud has a whole new user profile acting as administrator and needs a new set of tools and expectation management to ensure that little mistakes make little problems and not big ones.

Remember: this is not something that Amazon did wrong. This is an intentional switch thrown by Amazon's users that allowed their data to be public to any other Amazon user. The users did not mean to hit that switch and it's unclear whether those users would have found this issue without my notification. This is the switch in Amazon's Web Console. It can be more subtle when packaged deep within cloud-assisting tools:

And Why Me?

A spokesperson for Amazon pointed out that snapshots were private by default and users must choose to share them. According to Amazon, "users understand this feature very well as this is no different than users explicitly choosing to share their data by any means." However, as we've seen, users are obviously making their data inadvertently public. Amazon said they were updating their documentation "to provide more explicit guidance on this feature," and that they would be "reaching out to the few who may be unknowingly sharing their snapshots." The question, though, is: is it too easy to accidentally make your data public - and whose role is it to play data cop?

This leads to me, at 1 a.m., finding security leakage with Amazon's cloud customers while doing unrelated housekeeping. Look, I'm anything but an IT security guy; I've got enough on my plate to worry about. For god's sakes, I have 6 kids! Moreover, I'm an outspoken supporter for moving companies to the cloud - and I exclusively recommend Amazon's cloud because of its reliability and features.

Why is it me that finds this security issue - one that has been open since January of this year, if the Snapshot dates are accurate? This tells me that there is a pattern about to be replayed: that the users on the cloud today are a motley crew. That we need more supervision and hand-holding - whether we like it or not. That powerful services like CloudKick and CloudSplit need to be encouraged to add security as a top-priority feature. And we need to budget for their services and embrace their boring, yet hyper-important role as perimeter guard and security inspector.

If I were to try to keep this security problem in the bag - and avoid alerting the community - I would be fostering a sense of complacency that is antithetical to the marketplace needs. The cloud is so young that when we find a problem we need to admit it and find real, workable solutions. Since the cloud represents new ways of doing things, it gives us new ways of getting in trouble, and we need a lively forum for nipping these issues in the bud and laying a framework for ongoing success.

What Now?

If you are on Amazon's cloud, I can't stress enough that you need to immediately go to your AWS Management Console. Check at a minimum that your Snapshots, for every Region, are marked PUBLIC only if you mean them to be available to ALL other Amazon Web Services users. I've already checked mine. If you find data that you did not intend to make public, you need to engage your security team to remove the snapshots from the public and mitigate any data exposure.

Hopefully this gets chalked on the wall as a lesson learned - and we continue our march to the cloud with a deeper appreciation of our security support needs. This isn't about calling people out. I work in the cloud and am passionate about its development. These mistakes could very well have been ones I made - or any other cloud user. To move the cloud forward we need to encourage a dialog about our newfound power, new paradigms and new needs in the cloud.
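The "What Now?" check above can be scripted instead of clicked through region by region. The following is an added example, not code from the post or from Amazon: it classifies each snapshot you own by its createVolumePermission attribute (the group "all" is what the console's PUBLIC switch sets), reports snapshots shared with specific other accounts for review, and prints the CLI command that removes the public grant. The snapshot IDs and account number in the embedded sample are constructed; the boto3 calls and `aws ec2 modify-snapshot-attribute` flags are the real ones.

```python
"""Audit who can create volumes from your EBS snapshots, in every region.

Added example for the "What Now?" check; not code from the post or from Amazon.
A snapshot is effectively public when its createVolumePermission attribute
contains the group "all". The classification and the remediation command work
on the JSON that describe-snapshot-attribute returns, so they run offline on
the constructed sample below.
"""
from typing import Dict, List

# Constructed sample of three describe_snapshot_attribute responses.
# Snapshot IDs and the account number are made up for this example.
SAMPLE_ATTRIBUTES: List[Dict] = [
    {"SnapshotId": "snap-0aaaa000000000001",
     "CreateVolumePermissions": [{"Group": "all"}]},            # public
    {"SnapshotId": "snap-0aaaa000000000002",
     "CreateVolumePermissions": [{"UserId": "123456789012"}]},  # one account
    {"SnapshotId": "snap-0aaaa000000000003",
     "CreateVolumePermissions": []},                            # private
]


def classify(attr: Dict) -> str:
    """Return "public", "shared" or "private" for one attribute response."""
    perms = attr.get("CreateVolumePermissions", [])
    if any(p.get("Group") == "all" for p in perms):
        return "public"      # every AWS account can copy the data
    if any("UserId" in p for p in perms):
        return "shared"      # named accounts only; confirm they are intended
    return "private"


def remediation(snapshot_id: str, region: str) -> str:
    """CLI command that drops the public grant and leaves account grants alone."""
    return (
        f"aws ec2 modify-snapshot-attribute --region {region} "
        f"--snapshot-id {snapshot_id} --attribute createVolumePermission "
        f"--operation-type remove --group-names all"
    )


def audit(attrs: List[Dict], region: str) -> Dict[str, List[str]]:
    """Group snapshot IDs by exposure; each public one gets a fix command."""
    report: Dict[str, List[str]] = {"public": [], "shared": [], "private": [], "fixes": []}
    for attr in attrs:
        kind = classify(attr)
        report[kind].append(attr["SnapshotId"])
        if kind == "public":
            report["fixes"].append(remediation(attr["SnapshotId"], region))
    return report


def audit_account() -> Dict[str, Dict[str, List[str]]]:
    """Live version: walk every region's snapshots owned by this account.

    Needs boto3 and credentials allowed ec2:DescribeRegions, ec2:DescribeSnapshots
    and ec2:DescribeSnapshotAttribute. boto3 is imported lazily so the offline
    functions above work without it installed.
    """
    import boto3

    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    results = {}
    for region in regions:
        ec2 = boto3.client("ec2", region_name=region)
        attrs = []
        for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
            for snap in page["Snapshots"]:
                attrs.append(ec2.describe_snapshot_attribute(
                    SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"))
        results[region] = audit(attrs, region)
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_account()
    # instead to run against a real account.
    for kind, items in audit(SAMPLE_ATTRIBUTES, "us-east-1").items():
        print(f"{kind}: {items}")
```

If you only care about the public case, `describe_snapshots(OwnerIds=["self"], RestorableByUserIds=["all"])` returns just those snapshots in one call; the per-snapshot attribute lookup is used here so that snapshots shared with specific other accounts are surfaced for review as well, since those grants are just as easy to forget.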


Read the original here:
User Ignorance Causes Cloud Security Leak; Accounts, Passwords Revealed

Tags:amazon web, Cisco, cloud, data, database, digital, director, european, Jonathan Siegel, network, person, personal, public broadcasting service, security, snapshots, technology

Rally Up: A Location-Based Social Network for Your Real Friends

Without a doubt, location-based services and social networks are one of the hottest topics on the Internet right now. Foursquare, Gowalla, Loopt and many others are vying for users, but strong privacy concerns are still holding back the mainstream adoption of these kinds of services. Rally Up for the iPhone is a new location-based social network that puts a very strong emphasis on privacy and also features some innovative new concepts.

Focus on Privacy

While Rally Up (iTunes link) allows you to friend anybody who is a member of the service, it features some nifty privacy settings, which are represented by a slider on every friend's profile. You can choose between four different privacy settings. These range from not sharing information with this person, to just seeing this friend's updates but not sharing information with them, to giving the contact the full firehose of updates, with or without push notifications. The idea here is that you only give your real friends full access to all of your updates, while still having the option to follow anybody else on the service - though these users can obviously also choose not to share any information with you. Your own home's location is always private and never shared on the service.

Just like Gowalla and Foursquare, Rally Up features badges, but the emphasis of the service is more on connecting you to your real friends. Because of this, the Rally Up team also decided not to allow users to syndicate their location feed on Twitter. You can, however, choose to share your location with your Facebook friends. The assumption here, presumably, is that your Facebook friends are more likely to be your "real" friends and that Facebook will keep this data private. Instead of connecting to Twitter, Rally Up emphasizes private microblogging on the service itself. Rally Up allows you to send short text messages to your friends, but you can also attach photos to any location.

I'm On My Way

Besides focusing on privacy, Rally Up also includes some interesting innovations that aren't available in most of the current crop of popular location-based services yet. While most services only allow you to check in once you have arrived at a location, Rally Up also allows you to send out a notification when you are on your way to a venue. You can also set up temporary locations, which is quite useful when you go to a party at somebody's house, for example. The app, which, by the way, is very well designed, doesn't focus so much on venues as on connecting people. This is a nice departure from quite a few of the location-based social networks we have recently seen.

Overall, Rally Up represents a very nifty take on the location-based social networking model and we especially like the company's focus on privacy.


The rest is here:
Rally Up: A Location-Based Social Network for Your Real Friends

Tags:data, facebook, feed-on-twitter, friends, internet, iphone, mainstream, much-on-venues, person, slider-on-every, social-networking

The Art of the VC Pitch: A Roundup of Advice from 6 VCs

I have a few different friends who are trying their hands at entrepreneurship; some have met with investors already, while others are closing in on their meeting date with anticipation and uncertainty. Based on hearing some of the things they were doing to prepare for their meeting, I thought it would be wise to round up some of the best pitch advice I've come across, not only for them but for the other first-time entrepreneurs out there who may not know what typical VC pitches are like.

Pitches range in length from 5 quick minutes to a half hour or more, but what I have consistently seen while researching this topic is that no matter what length the pitch is, the key is to keep things simple and understandable while not patronizing the VC. But don't take my word for it; here is advice from six venture capitalists on various aspects of the all-important pitch.

David S. Rose - How to Pitch an Angel (or VC)

If you're looking for "Pitching VCs 101," then look no further than Rose's 2008 TED University presentation on how to give presentations (embedded below). Rose, who has raised and invested millions through pitches, leads Rose Tech Ventures, which after educating prospects on the art of the pitch saw investment rates climb. "Our investment rate more than DOUBLED, and we have funded over $35 million into more than 50 companies during the past six years," writes Rose. Highlights from Rose's speech include taking the VC on an emotional journey during your pitch by telling a story, and remembering that they are there to evaluate you more than your idea.

Chris Dixon - Pitch yourself, not your idea

Investor and entrepreneur Chris Dixon reiterated Rose's point last November that VCs are more interested in the quality of the team than the quality of the idea. Ideas are subject to change, but how people work and interact is pretty solid and unmovable, so remember to be self-aware, he says.

"What you should really be focused on when pitching your early stage startup is pitching yourself and your team," writes Dixon. "Of course a great way to show you can build stuff is to build a prototype of the product you are raising money for. This is why so many VCs tell entrepreneurs to 'come back when you have a demo.' They aren't wondering whether your product can be built - they are wondering whether you can build it."

Mark Suster - Who Should Attend Your VC Pitch?

Mark Suster, who has written extensively on pitching to VCs, brought up an interesting decision entrepreneurs need to make before their pitch: who is coming? Suster argues that for most situations just having the CEO is plenty, but that showing "the depth of your bench" can be beneficial too. However, there are several pitfalls he warns you to avoid when you start including more people in your pitch.

"If you bring the full team make sure that you construct the entire storyline in advance so everybody knows how you plan to have the meeting flow," writes Suster. "Who is going to cover which slides, who is going to field which questions, how are you going to answer difficult questions (which you should write down in advance and practice). Definitely don't 'wing it' - have practice sessions to see how each member performs. Honestly I would say a good 50% of team presentations that I see seem like they really haven't practiced the flow very well amongst team members."

Guy Kawasaki - The 10/20/30 Rule of PowerPoint

Though originally posted in 2005, Kawasaki's 10/20/30 rule for presentations still holds true. We've all seen those terrible presentations with way too many slides and way too much text that is way too small. The slideshow isn't supposed to do the talking for you; it's merely a supplement to the wisdom that will come flowing from your voice.

"I am evangelizing the 10/20/30 Rule of PowerPoint. It's quite simple: a PowerPoint presentation should have ten slides, last no more than twenty minutes, and contain no font smaller than thirty points. While I'm in the venture capital business, this rule is applicable for any presentation to reach agreement: for example, raising capital, making a sale, forming a partnership, etc."

In another related post, Kawasaki points out this presentation as a great example of using visuals and text together with expert ability. It's not a great example of a VC pitch, but the presentation does a great job of conveying the message of the presenter. In other words, be more like Steve Jobs - that man knows how to pitch!

Don Rainey - The Top 5 Rookie Mistakes in Pitching VCs

Enough about what to do right; let's talk about what not to do. Among Rainey's list of the top mistakes made by novice pitchers are presenting terms to the VCs, being late to the meeting, or asking VCs to sign a non-disclosure agreement (NDA). But the number one issue Rainey sees all too often is when the entrepreneurs come to pitch a VC firm without any prior knowledge of the firm and its investments.

"One doesn't need be an expert on our history, track record or portfolio but a little knowledge can go a long way. Just a little awareness on our companies, professional background, and current boards, can drive efficiency for the person pitching an idea," writes Rainey. "If I've had three companies in Internet Advertising, for example, you can probably skip explaining simple concepts related to it. If one lacks that awareness, it wastes time AND undermines credibility. Plus, you look [like] someone who doesn't do what it takes to succeed because, in this instance, you haven't."

Bijan Sabet - Startup Presentations

Sometimes you aren't the only company pitching to VCs in a single day. In the case of this week's Y Combinator Demo Day, 26 startups presented back-to-back with one intermission. This means that by the 26th presentation, which could be you, the VCs in attendance are likely itching to get out of their seats and go meet the other entrepreneurs, so how will you grab their attention? Bijan Sabet says humor can be a great ice-breaker and get your audience engaged with your pitch.

"A number of entrepreneurs used humor in their presentations in just the right amounts. Too little and the presentation can be dry. Too much and it's just, well, a joke. But the right amount is a wonderful way to engage your audience," writes Sabet. "It's obvious that Paul Graham, the founder of YC, plays a huge role in helping these (mostly) first time entrepreneurs find their way and put together their presentations. And it's also obvious that these founders practice their pitch over and over again so they can nail it in a room full of strangers."

So what have we learned? Remember that you are just as much if not more important than the idea you are pitching, figure out before the pitch who is coming in the room and who is saying what, make sure your slides aren't poorly designed, avoid common rookie errors, and don't be afraid to spice things up with a dab of humor. Of course, there are countless lessons to be learned before pitching VCs, but hopefully this has covered the basic and most important ones. If you need an example of a well-designed pitch deck, Mint.com (which was eventually bought out for big bucks by Intuit) recently made an early deck of theirs available on SlideShare. If you have other suggestions for first-time pitchers, leave your thoughts in the comments!

Photo by Flickr user Dawn Ashley.


Go here to see the original:
The Art of the VC Pitch: A Roundup of Advice from 6 VCs

Tags:angel, audience, Business, flickr, internet, meeting, person, pitch, presentation, presentations, Tips, university

Microsoft Testing OfficeTalk – Microblogging Service Much Like Twitter

Microsoft is testing a microblogging service called OfficeTalk that is much like Twitter. The service is designed for the enterprise and it appears it will be offered as an on-premises service. OfficeTalk is being developed by OfficeLabs, the Microsoft lab for testing internally developed ideas.

The service looks almost identical to Twitter. Microsoft itself says that it is in the very early stages of development and because of this "the OfficeTalk microblogging experience itself looks very similar to other well-known services." Microsoft is testing the service mostly internally but is now accepting external requests from companies that want to join the pilot program.

Microsoft has a few screenshots of the OfficeTalk user interface. People create profiles. They communicate in 140 characters or less. You read the messages of the people you follow. It includes search functionality to find people on the service. A company feed shows the posts of all the people who are posting. Like Twitter, you can see a person's profile and the number of mentions, posts, followers and people whom the user is following. It also has a URL shortening service and threaded conversations they call comments.


Read more from the original source:
Microsoft Testing OfficeTalk - Microblogging Service Much Like Twitter

Tags:enterprise, join-the-pilot, Microsoft, news, Office, OfficeTalk, people, person, shows-the-posts, talk-socialtext, user

SenderOK: Email as a Facebook Connector and Social CRM Catalyst

The effort to bring Facebook into the enterprise continues, with more services using Outlook as a gateway to extend a contact network and as a foundation for a CRM environment. SenderOK is one of the latest efforts to give more context to email by showing a picture of the sender in an email message. Too bad it only works on Windows XP or Vista. Ugh.

But let's take a look at the service, as we are seeing more services that use email as a foundation for a social CRM environment. SenderOK compares itself to Microsoft's Outlook Social Connector and Xobni, an email plug-in that provides a search and profile element for Outlook. But we hear a lot of criticism that Xobni is a memory hog and slows down computers. As one reader said about Xobni in our last post concerning Outlook plug-ins:

"Interesting article, although I have my doubts about Xobni which I used for several months but had to uninstall as it had gotten to the point where it was nearly impossible to use (too slow). Harmony sounds promising; sharing documents in place of merely sending them as attachments (hence overloading the network) is becoming critical if one wants to keep only one copy and not scatter several around."

To be fair, Xobni is the leader in this space compared to other services. They have a loyal following. It makes sense that companies like SenderOK would go after this sector of the market.

SenderOK features include a smart mapping capability to give a view of the person's unread email across multiple accounts. It will also prioritize the email. Our interest stems from the SenderOK "business card" feature. Email includes an image of the person and their profile information in the header of the message. In Outlook Social Connector, the image of the sender blocks out the message. In Xobni, the image and contact information appear in a widget.

We expect these services to proliferate as more startups turn their attention to Outlook as a way to build a user base. Xobni has proven that this approach works. Further, Google Apps now integrates with third-party applications. Services such as Zoho CRM and Intuit are leveraging Gmail integration to offer hybrid applications. Perhaps 2010 will be the year email is viewed more as a foundation than a nuisance to be eliminated.


More:
SenderOK: Email as a Facebook Connector and Social CRM Catalyst

Tags:Business, email, enterprise, environment, Harmony, memory hog, message, network, outlook, outlook-social, person, products, smart mapping, social, unread email, Xobni
© 2010 Q 8 Blog Reviews