User Ignorance Causes Cloud Security Leak; Accounts, Passwords Revealed

Posted by Guest Author | Uncategorized | Wednesday 31 March 2010 11:30 pm

At 1:00 a.m. on Sunday morning I was doing routine maintenance on my personal Amazon Web Services account and instead found myself looking at something I had no right to be seeing: A database with 800,000 user accounts to the e-card site CardMaster.com. Along with that were the database passwords and back end of a major U.S. Public Broadcasting Service news show website (Gwen Ifill’s Washington Week), including daily updates from panelists on the stories they cover.

I wish I wasn’t the person to find this. I founded one of Amazon’s earliest dashboards. My consultancy is on Amazon’s European Customer Advisory Board. But this highlights a significant issue in the cloud today: There is a whole new user profile acting as developer and administrator. We are becoming empowered with amazing tools - and being given enough rope to really hang ourselves.


Guest author Jonathan Siegel is a serial entrepreneur and founder of the cloud applications consultancy ELCTech.com as well as a handful of cloud startups. Jonathan’s book, Electric Connections, is due out in June of this year.

I am an early adopter, business builder and owner of a cloud consultancy. On Sunday morning I went to clear out my personal Amazon Web Services account of excess files after seeing huge usage numbers from a report by CloudSplit. For those technically inclined, I was clearing out my S3 buckets and moving the few files that I wanted to save into an EBS disk instead.

My EBS disk ran out of space and I went to use a feature called EBS Snapshots. Snapshots are like a tape backup of your EBS disk drive. That’s when I noticed something odd: My EBS Snapshot account was filled with hundreds of snapshots, when I knew I had only made a handful. I wondered: Why do I have access to these backups? Were these backups made by my teammates? Shared snapshots from Amazon? Or something else…

What I saw were backups of Enron emails, a genomics database, and then two that made my stomach turn: a database of 800,000 user accounts for CardMaster.com, and the database and site files for the Washington Week website. Yeah, the Enron emails are a non sequitur and the genomics database was likely meant to be public. But the other two, there’s no way they were intended for the public, yet here they were - marked as public and available to me or any other Amazon cloud user.

How Did This Happen?

Amazon is the largest and longest running public cloud computing platform. It has pushed the boundaries of technology infrastructure for us users. In fact, it has given us tools that are more powerful than anything we previously had available in our own small datacenters. This is great, because before we needed to hire trained Cisco or NetApp administrators in order to do basic tasks as our websites scaled. This was expensive and added another step - a delay - to our deployments. Amazon’s infrastructure commoditizes much of this technology into simple Web calls; paste some XML to Amazon and your website gets a full incremental backup to live-networked NAS. But as Stan Lee has warned us: With great power comes great responsibility.

By giving programmers control of the network and storage, we’ve empowered developers to take on system administration chores. This power has come too quickly or is being digested too lightly - as my discovery has shown.

In the case of PBS’s Washington Week there was quick acceptance of the issue. “It was human error and nothing personal was exposed,” said Kevin Dando, PBS’s Director of Digital Communications. “Although we weren’t aware of the issue initially, it was easily corrected. Because of Amazon’s strong audit capabilities we could pinpoint the error and fix it quickly.”

Despite numerous attempts we were unable to reach CardMaster.com.

This highlights a deeper issue in the cloud today: Despite what you may think, cloud security is not sexy. We are seeing products that address the baseline needs of cloud functionality, like Amazon’s dashboard and the support sites for the cloud. They focus on the sexy: deploying mobile apps, auto-scaling, grid processing and other buzz-word-friendly features. But the dirty truth is that the cloud has a whole new user profile acting as administrator and needs a new set of tools and expectation management to ensure that little mistakes make little problems and not big ones.

Remember: This is not something that Amazon did wrong. This is an intentional switch thrown by Amazon’s users that allowed their data to be public to any other Amazon user. The users did not mean to hit that switch and it’s unclear whether those users would have found this issue without my notification.

This is the switch in Amazon’s Web Console. It can be more subtle when packaged deep within cloud-assisting tools:

And Why Me?

A spokesperson for Amazon pointed out that snapshots were private by default and users must choose to share them. According to Amazon, “in general users understand this feature very well as this is no different than users explicitly choosing to share their data by any means.” However, as we’ve seen, users are obviously making their data inadvertently public. Amazon said they were updating their documentation “to provide more explicit guidance on this feature,” and that they would be “reaching out to the few who may be unknowingly sharing their snapshots.”

The question, though, is: Is it too easy to accidentally make your data public - and whose role is it to play data cop?

This leads to me, at 1 a.m., finding security leakage among Amazon’s cloud customers while doing unrelated housekeeping. Look, I’m anything but an IT Security guy; I’ve got enough on my plate to worry about. For god’s sakes, I have 6 kids! Moreover, I’m an outspoken supporter for moving companies to the cloud - and I exclusively recommend Amazon’s cloud because of its reliability and features. Why is it me that finds this security issue - one that has been open since January of this year, if the Snapshot dates are accurate?

This tells me that there is a pattern about to be replayed: That the users on the cloud today are a motley crew. That we need more supervision and hand-holding - whether we like it or not. That powerful services like CloudKick and CloudSplit need to be encouraged to add security as a top-priority feature. And we need to budget for their services and embrace their boring, yet hyper-important role as perimeter guard and security inspector.

If I were to try to keep this security problem in the bag - and avoid alerting the community - I would be fostering a sense of complacency that is antithetical to the marketplace needs. The cloud is so young that when we find a problem we need to admit it and find real, workable solutions. Since the cloud represents new ways of doing things, it gives us new ways of getting in trouble, and we need a lively forum for nipping these issues in the bud and laying a framework for ongoing success.

What Now?

If you are on Amazon’s cloud, I can’t stress enough that you need to immediately go to your AWS Management Console. Check at a minimum that your Snapshots, for every Region, are marked PUBLIC only if you mean them to be available to ALL other Amazon Web Services users. I’ve already checked mine. If you find data that you did not intend to make public, you need to engage your security team to remove the snapshots from the public and mitigate any data exposure.
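The check described above can be automated. The following is an added example, not code from the article or from Amazon: it models the response shape of the EC2 DescribeSnapshotAttribute call (the createVolumePermission attribute, as boto3 returns it), flags any snapshot that carries the {'Group': 'all'} grant that the console’s “public” switch sets, and lists the account IDs a snapshot is explicitly shared with. The region names, snapshot IDs and account ID in the sample data are constructed placeholders; the `live_clients` helper shows how the same audit would be wired to boto3 against a real account (the optional remediation call uses boto3’s `modify_snapshot_attribute`).

```python
"""Audit every region's EBS snapshots for unintended public sharing.

Added example (not the article's or AWS's code). The audit logic is pure so it
can run offline against constructed sample data; `live_clients` wires it to
boto3 for a real account.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SnapshotFinding:
    region: str
    snapshot_id: str
    public: bool                              # True if shared with the 'all' group
    shared_with: list[str] = field(default_factory=list)  # explicit account IDs


def classify_permissions(region: str, snapshot_id: str, attribute_response: dict) -> SnapshotFinding:
    """Interpret one DescribeSnapshotAttribute(createVolumePermission) response."""
    grants = attribute_response.get("CreateVolumePermissions", [])
    public = any(g.get("Group") == "all" for g in grants)
    shared = [g["UserId"] for g in grants if "UserId" in g]
    return SnapshotFinding(region, snapshot_id, public, shared)


def audit_region(region: str, snapshots: list[dict], fetch_attribute) -> list[SnapshotFinding]:
    """snapshots: DescribeSnapshots-shaped dicts (only SnapshotId is used here).
    fetch_attribute(region, snapshot_id) -> createVolumePermission response dict."""
    return [
        classify_permissions(region, s["SnapshotId"], fetch_attribute(region, s["SnapshotId"]))
        for s in snapshots
    ]


def audit_all_regions(regions: list[str], list_snapshots, fetch_attribute) -> list[SnapshotFinding]:
    """Run the audit in every region; the article's point is that each region must be checked."""
    findings: list[SnapshotFinding] = []
    for region in regions:
        findings.extend(audit_region(region, list_snapshots(region), fetch_attribute))
    return findings


def public_findings(findings: list[SnapshotFinding]) -> list[SnapshotFinding]:
    return [f for f in findings if f.public]


# --- constructed sample data (placeholder IDs, not real snapshots) ---------------
SAMPLE_SNAPSHOTS = {
    "us-east-1": [{"SnapshotId": "snap-0a1b2c3d"}, {"SnapshotId": "snap-0e5f6a7b"}],
    "eu-west-1": [{"SnapshotId": "snap-0c9d8e7f"}],
}
SAMPLE_ATTRIBUTES = {
    "snap-0a1b2c3d": {"CreateVolumePermissions": [{"Group": "all"}]},          # public: the bad case
    "snap-0e5f6a7b": {"CreateVolumePermissions": [{"UserId": "123456789012"}]},  # shared with one account
    "snap-0c9d8e7f": {"CreateVolumePermissions": []},                         # private
}


def sample_list(region: str) -> list[dict]:
    return SAMPLE_SNAPSHOTS.get(region, [])


def sample_fetch(region: str, snapshot_id: str) -> dict:
    return SAMPLE_ATTRIBUTES[snapshot_id]


def live_clients():
    """Real-account wiring (assumes boto3 and AWS credentials are configured)."""
    import boto3

    def list_snapshots(region: str) -> list[dict]:
        ec2 = boto3.client("ec2", region_name=region)
        pages = ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"])
        return [s for page in pages for s in page["Snapshots"]]

    def fetch(region: str, snapshot_id: str) -> dict:
        ec2 = boto3.client("ec2", region_name=region)
        return ec2.describe_snapshot_attribute(SnapshotId=snapshot_id, Attribute="createVolumePermission")

    def revoke_public(region: str, snapshot_id: str) -> None:
        # Remediation: remove the 'all' group grant, making the snapshot private again.
        boto3.client("ec2", region_name=region).modify_snapshot_attribute(
            SnapshotId=snapshot_id, Attribute="createVolumePermission",
            OperationType="remove", GroupNames=["all"])

    return list_snapshots, fetch, revoke_public


if __name__ == "__main__":
    results = audit_all_regions(list(SAMPLE_SNAPSHOTS), sample_list, sample_fetch)
    for f in public_findings(results):
        print(f"PUBLIC snapshot {f.snapshot_id} in {f.region}")
    for f in results:
        if f.shared_with:
            print(f"{f.snapshot_id} in {f.region} shared with accounts: {', '.join(f.shared_with)}")
```

Run as-is it reports the constructed public snapshot; against a live account, replace `sample_list`/`sample_fetch` with the functions from `live_clients()` and pass the full list of regions, since a snapshot is only visible in the region that holds it.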

Hopefully this gets chalked on the wall as a lesson learned - and we continue our march to the cloud with a deeper appreciation of our security support needs. This isn’t about calling people out. I work in the cloud and am passionate about its development. These mistakes could very well have been ones I made - or any other cloud user. To move the cloud forward we need to encourage a dialog about our new found power, new paradigms and new needs in the cloud.




Don’t waste your failures

Posted by Sarah | Uncategorized | Wednesday 31 March 2010 11:06 pm

Rita McGrath published a great article, “Are You Squandering Your Intelligent Failures,” which discusses how to use things that go wrong to your benefit to better plan for the future.  It’s all rather common sense, but we all need a reminder now and again.  Why brush past something that didn’t work out of embarrassment?  Instead, take a look at it and see what you can learn.

via @librarianbyday on Twitter (Bobbi also has a write-up about the article on her blog)

Eye-tracking technology changes what you read

Posted by Sarah | Uncategorized | Wednesday 31 March 2010 11:00 pm

Read this Wired article about eye-tracking tablets that change what you are reading in response to eye movements.

DayOne Ventures Brings Small Town Flavor to Startup Incubation

Posted by Chris Cameron | Uncategorized | Wednesday 31 March 2010 11:00 pm

When you think of startup incubators, you think of the more well known organizations helping companies in cities like Boulder, San Francisco, New York or Austin, but one incubator is looking to change that assumption. Based at the VT KnowledgeWorks Business Acceleration Center in Blacksburg, VA, DayOne Ventures is a program aimed at tapping the talent coming from Virginia Tech to help local startups get off the ground.


With fewer than 40,000 residents, Blacksburg is less than half the size of startup hub Boulder, CO, but the city’s ties to Virginia Tech make it a fertile spot for its budding startup community. DayOne Ventures is taking advantage of the growing buzz in the area with its highly concentrated experience which will accept just 3 companies to participate this summer.

Those selected will benefit from up to $16,000 in seed funding, free office space, Internet access and hosting, legal assistance with incorporating their company and setting up stock plans, and mentorship from a panel of experienced entrepreneurs. DayOne co-founder and mentor Bill Boebel has prior experience himself with starting a company in Blacksburg; in 1999 he and a pair of co-founders created Webmail.us, an enterprise email solution.

“It was really awesome doing our startup down in Blacksburg because of the low cost of doing it. We were able to fail three times before we figured out the right idea,” Boebel told ReadWriteWeb. “The cost of failing in Blacksburg is a lot lower than the cost of failing in Silicon Valley.”

Eventually, Boebel and his co-founders molded Webmail.us into a profitable company which was later acquired by Rackspace in 2007. The Rackspace presence in Blacksburg remains to this day and is a reminder of the city’s most successful Internet startup. Now as an experienced entrepreneur, Boebel and others are teaming together to provide local startups (or those that choose to relocate for the program) with the mentorship and resources to get started.

TechStars and Y Combinator aren’t necessarily everyone’s cup of tea; DayOne, on the other hand, brings a bit of small town flavor to the already close-knit startup culture - a flavor that could produce some interesting results with their exclusive incubator. Applications for the 10-week program are open now, so if you’re in the Blacksburg area or wouldn’t mind relocating for the summer, be sure to look into the DayOne Ventures program.




Cory Doctorow talks internet era publishing

Posted by Sarah | Uncategorized | Wednesday 31 March 2010 10:59 pm

For a good summary of the impact of the web on publishing, check out Cory Doctorow’s talk on Internet-era publishing economics for Bloomsbury.

Libraries in Colorado change with Anythink

Posted by Sarah | Uncategorized | Wednesday 31 March 2010 10:57 pm

The future of libraries? Radical change and inspiration from Colorado’s Anythink, a summary of a PLA session from LJ.

via @LibraryJournal on Twitter

Cloudkick Broadens its Scope: Now Monitors the Datacenter

Posted by Mike Kirkwood | Uncategorized | Wednesday 31 March 2010 10:00 pm

Cloudkick is a cloud monitoring start-up that helps system admins manage cloud servers. Today, the company announced it is getting physical, bringing its cloud monitoring capabilities to internally hosted servers and virtual machines.

The company has had a lot of success in helping companies who startup in the cloud and start to achieve scale. It already has a host of hot startup companies including Posterous, Bump Technologies, and Urban Airship. Through listening to users, the company decided to offer local server support to merge its view of all server assets for these organizations.


What is CloudKick?

Cloudkick enables a company to manage internally hosted servers, run the Cloudkick agent on them, and report into the same console as its cloud computing infrastructure from AWS, RackSpace, SliceHost and others. When installed, the Cloudkick agent responds to status checks from the Cloudkick monitoring service, which is itself a distributed cloud application. Cloudkick supports a host of cloud provider solutions and shares a feature report.

We met with the company at their offices in San Francisco. Upon entering the warehouse, called “The Farm”, near the Mission District, we realized that this was a true technology startup, founded by system administrators trying to make their jobs easier. The team participated in Y Combinator and has received an initial capital infusion from Avalon Ventures.

The Cloudkick system offers consolidated server reports and shows server events by polling registered clients in the cloud (and now in data centers) and piping them to Cloudkick’s multi-tenant event aggregator.

The tools are modeled after administrative tools like Cacti, Nagios, and Munin, but are delivered on top of an agent-driven, real-time view of the underlying server infrastructure assets.

When checking out the demonstration, we also noted that the browser is updated in real time as events are polled. This keeps the information fresh without having to re-check and brings the best of browser-based real-time communication to system administrators.

Cloudkick’s implementation is simple and elegant. The young company is demonstrating product leadership by living the mantra of simplicity and utility.

Here’s a sample of the graphs from CloudKick’s feature inventory.


Monitoring Every Server

The goal of this release is to bring servers from the datacenter under the power of cloud monitoring. It allows a larger and larger region of infrastructure to rely on outside controls to monitor its health and well-being.

One feature we were intrigued by was the ability to tag and filter groups of hosts, and then set rules across them. For example, tagging all servers “web apps” lets you quickly set custom uptime-check rules for that whole group.

The company offers an API for its services and uses 2-legged OAuth for API authentication. OAuth is “an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.” The company also offers a proxy service that streamlines and secures the connections for hosts that will connect to the Cloudkick services.

Cloudkick is a cloud company monitoring clouds and shows us in many ways the architecture of the future. In one of the company’s blog posts, they share their “love affair with Cassandra” and how multi-master database technology is an enabler for co-location of server assets in infrastructure clouds.


Where does Cloudkick go from here?




Take Pictures, Tell Stories Pt 2: Photography Basics

Posted by Cindi Trainor | Uncategorized | Wednesday 31 March 2010 8:59 pm

There are three measurements that work together to make up a properly-exposed photograph:  ISO, shutter speed, and aperture.  These three measurements are to a large extent dependent on one another; changing one setting requires that at least one other be changed to compensate. 

“Seattle Public Library” CC:by Jeff Wilcox.

ISO is roughly equivalent to what used to be the “speed” of film, but in digital terms, the ISO is the measurement of how much light has to hit the sensor for an image to be exposed properly.  Lower ISOs are used in bright light; higher ISOs are used in low-light situations.  Be aware that raising the ISO, particularly in older or less-expensive digital cameras, can introduce undesirable noise, or speckles, to images.

Understanding and knowing how to manipulate the other two measurements, shutter speed and aperture, can produce widely varying images.  Changing the shutter speed can freeze action or introduce the suggestion of movement; varying the aperture dictates how much of the image–front to back–is in focus.  The latter concept is called “depth-of-field.”

Shutter Speed

Shutter speed is the measurement of how long the shutter is open and is usually expressed as a fraction of a second: 1/100, 1/13, 1/1000.  Lengthening exposure time allows more light into the camera and captures the subject over a longer period of time.  Decreasing shutter speed freezes action or movement, but slower shutter speeds require a brighter setting or a change in aperture or ISO to ensure the proper amount of light hits the sensor.

Take these two photographs, for example:


The photo on the left has a shutter speed of 1/13th of a second.  The streams of water look smooth, and the people walking on the left in the background are slightly blurred as they walk by.

Now consider the photo on the right, of the same fountain, taken at 1/1000th of a second.  The lines of the fountain no longer look smooth, and it’s not only possible to discern individual drops of water but to see the tiniest droplets that have bounced up off the surface.

Aperture

The aperture is the part of the lens that opens to let light into the camera.  Also known as the “f-stop,” the aperture setting can vary in size, with subsequently larger openings (smaller f-stop numbers) letting in more light than smaller openings (which, confusingly enough, have higher f-stop numbers).

Wikimedia Commons

Consider the fountain images again.  In order to capture the first one at 1/13th of a second, the aperture was stopped down to f22, the smallest opening possible for the lens used.  The bottom image, captured at 1/1000th of a second, was shot at f2.2.  Notice the crisp background in the first and the blurred background of the second.  A small f-stop limits how much of the image is in focus and is great for portraits.  A larger f-stop is good for group shots, like capturing a crowd at an event, or taking a picture of an entire room.

Depth of Field

Depth-of-field is an expression of how much of a photograph, from front to back, is in focus.  Changing the aperture can result in two different images of the same scene:

The image on the left has a very narrow depth of field; only the flower’s petals are in perfect focus, as is a relatively small length of the tape measure.  When the lens is stopped down to the smallest aperture, f22, the entire tape measure is in focus, as is the flower.

Setting a camera to capture a narrow depth of field is particularly useful in isolating the subject of a photo against its background, as in this photo of my fellow TechSource blogger, Jason Griffey:

Narrow depth of field is ideal for portraits, whereas wide depth of field is required to capture details in a landscape or interior, although narrow depth of field can be used effectively in architectural photography as well:

(Left: f20; Right: f3.2) 

As mentioned above, changing the aperture changes the amount of light that it let into the lens.  The shutter speed must be changed accordingly to compensate.  Most of us rely on our cameras to make these adjustments for us, but here is where knowing a bit about how your camera works can help you dictate what sort of photos you get, instead of the other way around.  For a more in-depth explanation of depth of field and its concomitant terminology, visit BernieCode.

Note also that the lion’s face in the photo on the left is slightly elongated.  I haven’t yet researched why this is, but I suspect it has to do with differing focal lengths.  These photos were taken with the same lens.

Applying these principles in your library

In a library setting, a higher shutter speed would let library staff capture fast-moving toddlers at storytime, while a slow shutter speed (and sitting the camera on a tripod or other stationary object) would make for a great night shot of the building.

I already mentioned that a smaller f-stop makes for great portraits or other photos where it’s necessary to isolate the subject from the background.  A larger f-stop is not only great for group shots but for taking photos inside or outside the library building, for brochures or websites.  We have exciting events and beautiful buildings; show them off with pictures!

One of the biggest advantages of digital cameras over film cameras is that it costs little-to-nothing to take dozens, even hundreds, of shots.  Experiment with your camera by shooting the same scene, changing one setting at a time.  Any digital camera will have different modes that allow the photographer to fix one value while varying another; it’s a great way to learn.

Up next: Cameras and modes explained

About the “Take Pictures, Tell Stories” series

This summer, I had the pleasure and privilege of participating in a LITA Preconference session with Michael Porter and Helene Blowers titled, “A Thousand Words: Taking Better Photos for Telling Stories in Your Library.”  Michael and Helene shared great tips for using and reusing photos to record and relate the stories of our libraries and our communities, and I explained and illustrated the basic principles of photography and that pictures can be improved by understanding how these principles work together to produce a properly exposed image.  There was a ton of content shared over the day; over the next few months, the “Take Pictures, Tell Stories @ Our Libraries” series will share some of this and other photo-related content with TechSource readers.


LSW Coloring Contest winner: Suzie DeGrasse!

Posted by Steve | Uncategorized | Wednesday 31 March 2010 8:46 pm

The votes are in and the winner is clear: entry number nine from Suzie DeGrasse! If you haven’t looked at her entry full-size, you owe it to yourself to click on the image below and check out the details.

LSW Coloring Contest Entry #9

For submitting the winning entry, Suzie will win our (to-be-named-later) Grand Prize. In addition, the voters named her the recipient of several special prizes, such as: Best Depiction of Reality in Libraries Over the Last 40 Years; Coloring Outside the Lines Award; Gratuitous Metadata Award; Best Mashup of Humor and Depression; Best Re-Purposing of a Pony Tail; Stereotypical Librarian Attention to Detail Award; Wordiest Coloring Contest Entry Evar.

Edit: Funny stuff redacted at Suzie’s request. Sorry, Suzie: didn’t mean to get you in trouble with humorless overlords.

All the entries had strong points, points that were recognized by the voters with the following special awards:

  • Entry 1 : Best Use of Color as an Accent; Best Use of Grayscale
  • Entry 2 : Best Use of a Rainbow Wig Outside a Sporting Event; Best Hairpiece and Implants; Taste the Rainbow Award
  • Entry 3 : Advocacy Award for Including the Value of Library Materials; Best Use of Hearts Award; Best Promotion of Scientific Literature
  • Entry 4 : Twilight-tastic Award; Best Redheaded Character Since Pippi Longstocking; Best Tattooed Librarian; Best Reader’s Advisory Dialogue
  • Entry 5 : Best Use of Purple Hues; Best Depiction of Fluevogs
  • Entry 6 : Best Striped Desk; Best Non-Hazardous Alert Use of Diagonal Lines; Diversity Award for Depiction of a Non-White, Non-Fluorescent Librarian
  • Entry 7 : The Vividly Green Patron Award; Best Use of Vivid Colors; Outreach to Leprechaun Patrons Award; The Pretty In Pink Award;
  • Entry 8 : Best Use of Library Supplies; Most True-To-Life; Most Like My Library Award

Thank you so much to all who participated and for your patience as I let this contest go on longer than intended.

Watch this space for more news about upcoming LSW zines.

My book on technology training is now available

Posted by Sarah | Uncategorized | Wednesday 31 March 2010 8:45 pm

My new book, Technology Training in Libraries, was officially published today!  Hurrah and happiness! My book is part of Neal Schuman’s 10-book Tech Set, which covers the most pressing issues in library technology.

Technology Training in Libraries covers technology training for libraries…with an approach that works for both staff and customers.  I cover different types of tech training: how to create a basic technology training program, technology petting zoos, peer training, lunchtime brown bags, online learning, and face-to-face learning.  I talk about documentation, class websites, marketing, and success measures.  I cover tips for trainers too: organizing courses, creating class materials, pacing classes, engaging difficult learners, and working with library management and unions.  I also include a humongous list of recommended resources on anything and everything related to tech training — from tutorials to sample lesson plans, from how-to videos to sample library tech competencies lists.

And if you’ve ever heard me speak or read something I’ve written, you know that I lean toward the practical side of the tracks.  The book reflects my budget-conscious and time-conscious approach to all things library.  After all, none of us has all the money and time in the world, now do we?

A lot of love and effort went into writing this book, as it does for every author.  I have very strong beliefs about workplace learning and training.  I believe that while the responsibility for “keeping up” with technology has long lain with the individual employee, that employee has rarely been given motivation to keep those skills up.  There are no positive rewards and no negative consequences.

The attitude of “oh yes, it’s nice if you have the technical skills necessary to do your job well but if not that’s okay” makes me want to pull my hair out.  We are all responsible for doing our jobs well, and for managers that means  empowering your employees to do their jobs well. This book is part of that equation.  Figure out how to help yourself, and others, to stay on top of technology trends and skills.  Fostering a thriving learning culture is fulfilling for the trainer, the employee, and greatly furthers the library’s mission and service goals.  So have at it!
