Entries tagged as conference
Sticky Postings
People search, no thanks!
From the referrer, I could tell that you reached this blog via a so-called “people search engine”. These “search engines” make their living by aggregating, based on a person's name, data that they have identified as belonging to that person. That this is done by automated means and without human involvement is only logical. Unfortunately, it is just as logical and unavoidable that errors, some of them massive, creep in. At the same time, people search engines (well-known examples in Germany are yasni and 123people) almost inevitably have to store personal data, which the BDSG prohibits them from doing.
The search results that such a “people search” finds are very imprecise for almost any name, since only few first name/last name combinations are unique across Germany. Thus, the people search for me mixes pictures of my conference and book titles, school information for entirely different people, company shareholdings that I have nothing to do with, and Amazon wishlists that (not all) belong to me into a very strange patchwork of several lives that does not describe any of the “Christopher Kunz” in Germany even remotely sensibly. And it is probably like that for almost everyone. At the same time, Yasni GmbH in particular, which after all lives off exactly this aggregation and is not even above tacking its affiliate code onto Amazon links, firmly insists that it does not store any personal data. This article is quite revealing on that point.
The widespread argument that you do not have to spread out your life on the Internet if you do not want to be found is, of course, equally nonsense. Until recently, I had several dozen pictures of me on the Internet via Sebastian Bergmann's Flickr stream (thanks for hiding them!), and things like a Xing profile (Facebook profile, Studivz profile, Adultfriendfinder profile, mass-murderer-community profile, depending on taste) are simply unavoidable for many. Still, I would rather not have every Tom, Dick and Harry see my Amazon wishlist next to my old phone number with a single click and then be able to call right away to congratulate me on my great taste in music.
Long story short: people search engines, no thanks! Together with Pelle Boese, I have therefore started the project “Ungläsern”, which is meant to give all “transparent net citizens” a way to become a little less public for people search engines, and which is meant to heat up the discussion about these very people search engines a bit. You can find the website at unglaesern.de.
Posted by Christopher Kunz on Tuesday, August 12. 2008 10:29 | Comments (0) | Trackbacks (0)
Defined tags for this entry: artikel, conference
Wednesday, October 21. 2009
Web Security Day on WebTech/PHPC 2009
I will be the moderator of the “WebSec Day” at the WebTech 2009 conference in Karlsruhe, Germany. The full-day workshop will consist of several loosely thematically linked sessions regarding web security. See full entry for abstracts and speakers.
If you want to have a beer, I will only be in Karlsruhe on Monday evening and Tuesday during the day. You can follow me on Twitter (@christopherkunz). I’m looking forward to seeing some of the PHP folks again during the few hours that I will spend in Karlsruhe.
Posted by Christopher Kunz in PHP at 10:52 | Comments (0) | Trackbacks (0)
Defined tags for this entry: conference, sql injection, ssl, tls, vortrag, web application, webapplikationen, xss
Saturday, May 16. 2009
Proof of Life
Over the last months, a drought has started in this blog and the two or three readers that might still be left deserve a status update. In fact, I would like to recap the last couple of months to get my head clear and tell all of you what’s been going on.
If you’re interested in what I’ve been doing these past weeks, just click on the extended entry and you shall be enlightened.
Monday, March 2. 2009
OGF25, Day one
As usual, the first day of OGF25 was filled with political and administrative talks. The “Transition to EGI” talk gave an overview about what will happen when the EGEE project transitions into EGI, about what the national Grid initiatives have to do and when to do it. For my taste, the “why” was a bit undercovered, though.
Now, the opening plenary is still underway, with a vivid presentation by a SalesForce representative about all things Cloud. I think he’s getting carried away a bit, but there’s wifi so I don’t mind too much. For all those who want to read more about different aspects of the conference, you can follow me, EGEE and GridTalk on Twitter, for example. Blog coverage is copious too, with the OGSA-DAI blog and GridTalk to only name a few. After this talk, I’ll have to decide between data management and workflow management. Both very interesting topics for our GDI-Grid project... Hm.
Posted by Christopher Kunz in Uni at 16:29 | Comments (3) | Trackbacks (0)
Defined tags for this entry: conference, grid
Thursday, December 11. 2008
Paper accepted for ICNS 2009
Finally, my dissertation project is taking off... my concept paper regarding my thesis idea was accepted to ICNS 2009, the Fifth International Conference on Networking and Services. The paper is titled A Concept for Grid Credential Lifecycle Management and Heuristic Credential Abuse Detection; I’ll upload an abstract here as soon as it’s somehow published.
The conference will take place in Valencia, April 2009, and you can find more details on the ICNS web site.
Posted by Christopher Kunz in Uni at 11:15 | Comments (0) | Trackbacks (0)
Defined tags for this entry: auditing, conference, dissertation, grid, heuristics, master's thesis, phd
Monday, June 2. 2008
Google Data Center
Anyone who wants to know what dimensions Google thinks in can find enlightenment in this article about the “Google I/O” conference. Highlights are:
Dean seemingly thinks clusters of 1,800 servers are pretty routine, if not exactly ho-hum.
Or also:
In each cluster’s first year, it’s typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will “go wonky,” with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there’s about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover.
However, these failures are, at least at the storage level, no problem for Google, because their own distributed file system GFS has neat error handling for such cases:
GFS stores each chunk of data, typically 64MB in size, on at least three machines called chunkservers; master servers are responsible for backing up data to a new area if a chunkserver failure occurs. “Machine failures are handled entirely by the GFS system, at least at the storage level,” Dean said.
And if you buy enough machines (several hundred thousand, according to estimates not authorized by Google), Intel will even build special mainboards, so that the problems that come with conventional 19-inch racks can be avoided with purpose-built racks. That is no magic, though, since others do it that way too (1&1, as far as I remember, had completely custom cases years ago to get the machine density to more than 1 server per rack unit). I think we will have to practice a bit more before we reach that order of magnitude. (via fefe)
Thursday, November 9. 2006
PHP Conference 2006 - Session Slides and Quiz answers
I already blogged this at our PHP Security Blog, but it is not (yet? hey Toby
Posted by Christopher Kunz at 00:28 | Comments (0) | Trackback (1)
Defined tags for this entry: conference, heise, ix, php, php-sicherheit, security, sicherheit, vortrag, xss
Monday, July 3. 2006
Conference Wrapup - busy weeks lie behind me
All in all, I roughly travelled around 5600 km, which is probably quite a lot given the fact that I otherwise leave Hannover rarely. I changed timezones twice, currencies 4 times (including transit airports), and spoke at two different (un-)conferences. There were nights in school gyms, Sofia park bars, hostel dorms and for 2 nights, I even slept in my own home (tue->wed->thu). My overall perception was that the security topic is still kinda “hot” and although most attendees (naturally, those at PHP Vikinger were more on top of things) seemed to have a firm grasp of what could go wrong with PHP applications, there is still a lack of trustworthy and well-designed solutions to the various security dilemmas. As Kris Köhntopp said on the PHP Vikinger, using stuff like mod_security, our Hardening Patch or other assorted security products is not a real solution, since there is no programmatical and well-formed approach to them. Instead of having a defined and limited outer and inner area for applications (like, an array of all possible URL entries to the application, as well as all possible output it generates), we are putting out fires as they emerge. Of course, we do that because we currently have no other way of keeping our boxes alive and the attackers out as long as possible, but still, Kris has a point.
Posted by Christopher Kunz at 09:33 | Comments (0) | Trackbacks (0)
Defined tags for this entry: conference, ez, hannover, heise, hosting, ix, linux, mod_security, php, security, sicherheit, university, vikinger, vortrag
Saturday, July 1. 2006
WebTech 2006: The mighty power of Thor exported to Bulgaria
So there we are in Bulgaria, and two of the PHP Vikings actually made it here: Derick and me. As I write this, he’s having his first session about the eZ Components. The conference is very well-visited (with around 300 people attending to 2 tracks and some workshops) and so far has been pure fun. Bogomil, the organiser, and his wife have everything under control and they really know how to celebrate. Yesterday evening, we experienced the mighty power of Thor first-hand: A huge thunderstorm went down over Sofia and literally flooded everything. In a brave attempt to get to the hotel, me and some other attendees ran from the restaurant, only to be greeted with lots of car alarm sirens (due to the hailing) and lots of water from every direction. The roads were actually converted to rivers with water flowing about 10-20 cm deep. I am not kidding you. Around 1pm, I’ll be in for my first session, talking about how to harden PHP and about the Hardened-PHP Project.
Saturday, June 24. 2006
First day of the PHP Vikinger
For about 4 hours now, the PHP Vikinger is in full swing. Everyone arrived between 10 and 11, and together we hacked up a makeshift agenda. Remember that this is an “unconference”, so attendees are in full charge of the whole event. Our lead viking Zak, inspired by the mighty power of Thor himself, took it upon himself to moderate the scheduling and get everything started. Now, everyone who wants gets up and does a presentation, starts a discussion or - as Kris is currently doing - stipulates brainstorming with the attending core developers and other PHP nerds. The current discussion is even somewhat strategic, pointing things out that PHP still lacks, things that need to adapt to changes in our environment and stuff that is really good in comparison to other languages. Kris is creating a list of everything that’s thrown at him and every item so far has been diligently discussed. After that, Ilia and me will do some security stuff, with him doing introductions and me likely focusing on the server side. My obsession with securing servers without touching apps is well-known, plus it’s a good place to show off the Hardening patch.
Thursday, January 19. 2006
PHP Conference UK
I am going to speak at the PHP Conference UK which will be held at South Bank University, London, UK on February 10th, 2006. Yes guys, that’s in less than three weeks. php.net has the following to say about the event: “Not bad for 50 quid”, and I think that’s kinda true. Amongst others, book author Harry Fuecks and Derick “the ez photographer” Rethans will be speaking, so register now! The conference will be the first of its kind in the UK and anyone who’s interested in PHP should seriously consider joining us for the 10th. You should, however, expedite your decision - Early Bird Discounts are only on offer until February 3rd. My talk will focus on the Hardening-Patch for PHP, outlining the usual stuff (obtaining it, installing it, configuring it) as well as some real-life demos of what it does and how the patch has influenced the mainline PHP distributions. I will also be available for signing CACert accounts and general networking. And, to top it off, I’ll spend a few more days in London to visit all museums and places I didn’t get around to during my stay over New Year’s.
Wednesday, November 9. 2005
Back home from the International PHP Conference
That’s it - I’m home again, after almost four extremely rewarding and interesting days at the International PHP Conference in Frankfurt. The conference offered a chance to get together with all the cool guys from the international community, mix and mingle, drink lots of beer (my bar invoice was around 80 bucks) and of course hack at PHP. Since we had our own booth for the Hardened-PHP Project, we had the opportunity to pitch our little thingy to a wider base of interested developers and administrators, and the discussions at the booth sparked some new ideas for the Hardening Patch. We were also able to show off two advance copies of my (and my coauthor Peter Prochaska’s) first book, “PHP-Sicherheit”. It is the first German book dedicated to the security of our favorite scripting language, and after having it under public scrutiny for three days, I’m now confident it’s gonna be a success. Thanks to everyone for their feedback! For everyone who’s been in one of my talks, thanks for your interest to you guys and see you on the next conference. I will upload the slides to both presentations to my web server and notify everyone with a separate posting.
Thursday, November 3. 2005
International PHP Conference 2005
As usual, I will be in attendance of the International PHP Conference in Frankfurt/Germany again, marking my 7th (or 8th, including the Amsterdam conferences) participation in this event. This year, however, promises to be a very special conference. Exciting things are going to happen - read more in the extended entry.
Posted by Christopher Kunz in PHP at 10:26 | Comments (0) | Trackback (1)
Defined tags for this entry: conference, notebook, pear, php, php-sicherheit, security, sicherheit, vortrag
Monday, May 2. 2005
Blogging at the PHP Conference in Amsterdam
So here I am, sitting in the lobby of the Novotel at the RAI; after a somewhat confused round trip through Amsterdam's red light district, the last slides are now being built. Over the next few days I will be blogging at the PHP Conference blog and will add trackbacks here where appropriate.
Posted by Christopher Kunz at 00:57 | Comment (1) | Trackbacks (0)
Defined tags for this entry: conference, php


