Skip to content

Software Development News: .NET, Java, PHP, Ruby, Agile, Databases, SOA, JavaScript, Open Source

Methods & Tools

Subscribe to Methods & Tools
if you are not afraid to read more than one page to be a smarter software developer, software tester or project manager!


Actian Appoints New CMO and SVP of Business Development to Accelerate the Transformation of the Big Data Marketplace

Actian Corporation (Ingres) Press Releases - Thu, 10/24/2013 - 19:00

Ashish Gupta, Former Microsoft and Vidyo executive, is poised to redefine the data analytics marketplace by creating new opportunities not addressed by aging stack players

Redwood City, Calif. – October 24, 2013 — – Actian Corporation (“Actian”), a next-generation leader in big data analytics and cloud integration, has appointed Ashish Gupta as chief marketing officer and senior vice president of business development.

“We have very systematically evolved our business so that we have a very powerful engine for the market’s transition to the Age of Data,” said Steve Shine, chief executive officer of Actian Corporation. “Ashish Gupta brings the go-to-market experience to ensure that we build our base in big data analytics and cloud integration. More importantly, he has the strategic vision to work with the team to entirely redefine these markets as we leapfrog legacy stack players.”

Gupta brings a passion and track record for challenging established companies saddled with legacy approaches, often caught in the Innovator’s Dilemma, by exploiting disruptive technologies and creative marketing strategies to rapidly scale the new entrant’s business and open new markets not addressed by incumbents. He joins Actian from Vidyo, a video conferencing provider, where he served as chief marketing officer and senior vice president of corporate development. Under his leadership, Vidyo experienced significant growth, formed key strategic partnerships and built a leading brand in the industry – challenging the leaders of a 30-year-old industry. Prior to Vidyo, Gupta held various executive roles within the Microsoft Office Division where he led marketing, sales and business development teams for Microsoft’s Unified Communications Group, competing with established PBX vendors to create a leadership position for Microsoft Lync in the communications and collaboration market. Gupta has also served in executive roles at Alcatel/Genesys Telecommunications, Deloitte Consulting, Covad and Hewlett-Packard.

“Severe market disruption happens when innovative technologies materially shift an industry’s fulcrum to create new business approaches and markets,” said Gupta. “Actian’s portfolio has proven to be such a force in the industry by enabling next-generation analytical solutions and invisible integration for thousands of customers that use data to create sustainable competitive advantage. I welcome the opportunity to contribute to the company’s fast growth and market leadership.”

About Actian: Take Action on Big Data

Actian powers the action-driven enterprise in the Age of Data, delivering rapid time to analytic value with a modular approach that connects data assets behind the scenes, enables unconstrained analytics and scales almost without limits. The Actian DataCloud Integration and ParAccel Big Data Analytics Platforms help organizations leverage data assets for competitive advantage, delivering highly parallelized software that fully exploits modern chip, core and cluster infrastructures. Its scalable solutions deliver powerful business results for industry innovators. Actian serves tens of thousands of users worldwide and is headquartered in Redwood City, California. Stay connected with Actian Corporation on Facebook, Twitter and LinkedIn.

Actian, DataCloud, ParAccel, Action Apps, Ingres, RushAnalytics, Versant and Vectorwise are trademarks of Actian Corporation and its subsidiaries. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Categories: Database, Vendor

Actian to Present at the 10th Annual East Coast Technology Growth Conference

Actian Corporation (Ingres) Press Releases - Tue, 10/15/2013 - 02:41

Redwood City, Calif. – October 14, 2013 — – John Santaferraro, vice president of solutions and product marketing at Actian Corporation(“Actian”), a next-generation leader in big data analytics, will present during the AGC Partners 10th Annual East Coast Technology Growth Conference at the Westin Copley Place in Boston on Tuesday, October 15, 2013.

During the event, Santaferraro will participate in a panel focused on Big Data Analytics moderated by Jeff Kelly, Principal Research Coordinator of the Wikibon Project. Santaferraro and fellow panelists Kathy McGroddy, VP of Business Development of IBM; Louis Brun, Senior VP of Product Strategy of Guavus; Jit Saxena, Chairman of Netezza and Anthony Deighton, CTO of QlikView will discuss why traditional data management and business analytics tools and technologies are straining under the weight of big data. They will shed light on challenges organizations face when deriving value from their data and share new approaches in helping enterprises gain actionable insights through next-generation big data analytics.

Visit to learn more about Actian’s next-generation approach of enabling organizations to predict the future, prescribe the next best action, prevent damage to their business and discover hidden risks and opportunities through use of the ParAccel Big Data Analytics Platform.

About Actian: Take Action on Big Data

Actian powers the action-driven enterprise in the Age of Data, delivering rapid time to analytic value with a modular approach that connects data assets behind the scenes, enables unconstrained analytics and scales almost without limits. The Actian DataCloud Integration and ParAccel Big Data Analytics Platforms help organizations leverage data assets for competitive advantage, delivering highly parallelized software that fully exploits modern chip, core and cluster infrastructures. Its scalable solutions deliver powerful business results for industry innovators. Actian serves tens of thousands of users worldwide and is headquartered in Redwood City, California. Stay connected with Actian Corporation on Facebook, Twitter and LinkedIn.

Actian, DataCloud, ParAccel, Action Apps, Ingres, RushAnalytics, Versant and Vectorwise are trademarks of Actian Corporation and its subsidiaries. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Categories: Database, Vendor

Actian Integrates ParAccel Big Data Analytics Platform to Speed Time to Analytic Value

Actian Corporation (Ingres) Press Releases - Fri, 10/11/2013 - 21:14

Platform combines ParAccel Big Data Analytics Platform’s high-performance analytical capabilities with Hadoop’s data management capabilities to democratize big data analytics

Redwood City, Calif. – October 11, 2013 Actian Corporation (“Actian”), a next-generation leader in big data analytics, announced the release of new ParAccel Dataflow Operators that integrate the recently announced ParAccel Big Data Analytics Platform, further unifying its technology offerings. This new innovation ties together the data management capabilities of Hadoop with the high-performance analytic processing of the ParAccel Big Data Analytic Platform, enabling organizations to achieve better price performance and quicker time to analytic value.

The ParAccel Big Data Analytics Platform provides a single, visual interface to load, prepare, enrich and analyze data natively on various Apache Hadoop distributions. Users can now process data directly on Hadoop and move the data to the ParAccel Big Data Analytics Platform’s high-performance analytics engine without any MapReduce or SQL programming, rapidly increasing the rate at which business value is derived from the analytics process. Business users and analysts alike can leverage the extreme performance of the ParAccel Big Data Analytics Platform for their predictive analytics initiatives.

“In the Age of Data, organizations need next-generation technologies that rapidly turn big-data investments into value-creation engines. To achieve this, different data platforms must work together to meet the mixed workload demands that result from the convergence of emerging data and new analytics,” said Steve Shine, chief executive officer of Actian Corporation. “Actian has quickly integrated its leading-edge technology assets to create a cooperative analytic processing environment that accelerates the speed at which data flows from data management to high-value analytics.”

The ParAccel Dataflow Operators enable data to persist within Actian’s massively parallel analytic processing engine or the single-node version used for accelerated business intelligence or analytic applications. When used in conjunction with Hadoop’s superior data management capabilities, the platform gives business users the ability to conduct analytics leveraging best-of-breed point applications for enterprise-class deployments.

“Platforms that allow workloads to gravitate to the engine best-suited to handle specific kinds of processing will consistently lower the cost of computing,” said Shawn Rogers, vice president of Enterprise Management Associates. “Hadoop is optimal for preparing and enriching data, as well as search and discovery analytics. Analytic platforms are best-suited for running high-performance, lower latency analytics at any scale. Actian’s next-generation, shared processing approach is consistent with the way companies should architect systems to leverage both technologies.”

This technology integration comes only months removed from Actian’s announcement of leveraging recently acquired companies ParAccel, Pervasive Software and Versant Corporation to deliver the ParAccel Big Data Analytics and Actian DataCloud Platforms. “You are seeing the new Actian in action,” said Shine. “We are a big data innovator with the agility of a small Silicon Valley startup and the strength and staying power of a global stalwart.”

About Actian: Take Action on Big Data

Actian powers the action-driven enterprise in the Age of Data, delivering rapid time to analytic value with a modular approach that connects data assets behind the scenes, enables unconstrained analytics and scales almost without limits. The Actian DataCloud Integration and ParAccel Big Data Analytics Platforms help organizations leverage data assets for competitive advantage, delivering highly parallelized software that fully exploits modern chip, core and cluster infrastructures. Its scalable solutions deliver powerful business results for industry innovators. Actian serves tens of thousands of users worldwide and is headquartered in Redwood City, California. Stay connected with Actian Corporation on Facebook, Twitter and LinkedIn.

Actian, DataCloud, ParAccel, Action Apps, Ingres, RushAnalytics, Versant and Vectorwise are trademarks of Actian Corporation and its subsidiaries. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Categories: Database, Vendor

A Great Day for Membase

NorthScale Blog - Tue, 10/05/2010 - 01:14

Whenever I talk about Membase with candidates, employees, or friends, I feel more and more excited about what we are building and how it is going to impact the industry. Each discussion validates my belief that what we do *is* unique and a game changer.

Just today, we had two important “wins,” one from a prospect who evaluated our technology against other NoSQL databases and chose Membase. I can’t talk much about it yet, but this is an amazing win. The second is the fact that IDC chose us as an innovative company to watch. Great day!

Every morning when I look at my calendar, I find myself looking forward several things. At the top of the list is the meetings in which I am going to discuss Membase technology, meet smart people, and demo a data management solution they can get excited about. I also look forward to the end of each day to see what improvements are in the latest build that make it even better for Membase users. It’s fun being in a position where people are hungry to learn about what you do and how you do it.

After five years in a big company I now remember how much I love being in a startup: to be able to move quickly, change direction fast when needed, develop features in days that in other environments would take weeks or even months, wear multiple hats, and most importantly, be close to the customer. I like building meaningful systems that solve real problems. This company is an amazing place to be and it is getting better every day.

And, by the way, we are *always* looking for great people to join us. If you’re one of them, just shoot me an email.

Categories: Architecture, Database

Membase Recognized by IDC

NorthScale Blog - Mon, 10/04/2010 - 17:52

Winning awards is always fun. Over the years, companies I’ve been part of have won their fair share. But not all awards are created equal. Some definitely carry more weight than others, and I put the IDC Innovative Company to Watch award in this category. The fact that IDC does extensive research on the markets they address, talks regularly to a broad set of vendors and customers, and has a rigorous process for award selection all brings great credibility to the award. The award certainly has great meaning for us and I suspect this is also true for organizations who are thinking through what database to use for their next project.

As a small company it’s always a challenge to get the word out about your products and this is particularly true when you’re in a space like NoSQL where there are lots of competing technologies. Membase wasn’t one of the first NoSQL products in the market, so it’s encouraging that our innovative work and early customer success is being recognized so quickly. We’re very proud that while IDC could have given the award to any of the many NoSQL contenders, they chose to give it to us.

While we are thrilled to be recognized as a company to watch, it is even more gratifying that IDC understands the strategic importance of this new category of databases for enterprise customers and the significant near-term opportunity (tens of millions of dollars) it represents for companies like ours. IDC notes that they are seeing “an ‘intensifying trend’ for application development to move to the Web, creating the need for back-end architectures that demand extreme speed and scale elasticity while maintaining high levels of reliability. I can second that. We’ve seen a marked increase in the interest and uptake of our software – we just hit a run-rate of 30,000 downloads a month, and judging by this heightened demand in the marketplace, customers with interactive web applications are clearly looking for alternatives to complement their relational database solutions.

We’re also excited about the range of customer interest. Yes, our customers include many Web 2.0 type companies such as social gaming and ad targeting platforms among others – but many enterprise customers are now recognizing the need for non-relational solutions on the back end. A recent InformationWeek survey indicated that 44% of IT staff in the enterprise had not yet heard of NoSQL databases. But that means that 56% have heard of NoSQL– and in fact, if our interactions with customers is any indication, many of those already have pilots underway. From financial services to retailers to media companies, we’re seeing a growing number of inquiries and engagements in the enterprise and expect those numbers to increase as the value of NoSQL becomes more widely understood among those in mainstream IT.

I’d love to hear from you, especially if you are involved with web-based application development for an enterprise. What are your plans for exploring this emerging class of data management solutions optimized to support interactive web applications?

Categories: Architecture, Database

Membase Server Beta 4 is here, with memcached buckets!

NorthScale Blog - Thu, 09/23/2010 - 14:36

We NorthScalers have been hard at work and are proud to release Membase Server Beta 4, our final Beta release ahead of our general availability release.

Go and grab it here!

In addition to support for 64-bit Windows, we think you’ll be particularly excited by a major new feature in the release: memcached buckets!

Introducing Memcached Buckets
You now can create buckets in your Membase Server cluster that behave exactly like memcached, which means you can use Membase Server as a drop-in replacement for your existing memcached setup. In a single cluster you can now share the resources between memcached buckets and membase buckets.

Let’s look at the differences between memcached and membase bucket types:

Fundamentally, membase buckets are designed as permanent data stores. Once you put a key-value (KV) pair into a membase bucket it will remain there until you remove it (or the time-to-live expires). In a membase bucket, data will be written to disk, so your store can grow, constrained only by the available disk space. In addition, membase buckets offer replication; further, they are using vbuckets to allow data to be moved between nodes as cluster topology changes.

On the other hand, memcached buckets follow the memcached semantics: they are fundamentally designed as caches, not permanent data stores. As the cache runs out of available cache memory, items are evicted from the cache, based on a least-recently-used (LRU) policy. As a result, your application needs to be able to cope with the expected behavior, namely that an item stored in the cache may not be available at some later point. If that’s not the behavior you want, then you need to consider membase buckets as an alternative.

And, just like memcached, memcached buckets do not persist data to disk and there is no replication between nodes. When you add a node, keys served from the new node are no longer accessible from the old node, as they do not get transferred from the old node to the new one. There will be cache misses and the KV pairs will need to be set again on the new node – again, these are the normal, expected behaviors of a memcached setup.

Memory quota allocation for memcached buckets is identical to the that of the current NorthScale Memcached Server product. A fixed amount of memory per node is allocated for use by the memcached bucket, so adding or removing nodes will change the size of the memcached bucket. This is different from membase buckets, where the quota stays unchanged as the number of nodes changes, but we chose to keep memcached bucket behavior consistent with what current memcached users are accustomed to.

The new setup wizard lets you configure the default bucket when creating a new cluster, so you can start with a memcached bucket as the only bucket, and expand from there as your needs dictate.

A Quick Word on Disk Quotas
Based on our own experience and feedback from users, we took a hard second look at our disk quota system for membase buckets. Ultimately, we decided to remove that option. We believe this change brings the product more in line with typical database behavior: we now only return errors and run out of disk space when you actually run out of disk space :) Of course we are still showing disk usage per bucket and across the cluster, so that you can keep an eye on overall resource usage.

Enjoy Beta 4 and let us know what you think!

Categories: Architecture, Database

Membase and RightScale: Elastic Data Scaling in the Cloud

NorthScale Blog - Tue, 09/14/2010 - 13:47

I am very excited that Membase ServerTemplates are now up and running on the RightScale Cloud Management Platform (see today’s announcement). RightScale customers now have easy access to a leading NoSQL database for the first time, and Membase customers can rest easy that when they’re ready to deploy their applications in the cloud they can take advantage of the leading cloud management platform in the industry.

For those who may not be familiar with RightScale ServerTemplates, they’re really cool. They provide a kind of blueprint for what a server should do in the cloud. They let users deploy preconfigured, cloud-ready servers that know how to operate in the cloud: how to obtain an IP address, how to submit monitoring data, and how to work with other servers in a cloud deployment. In our case, the Membase ServerTemplate sets everything up so you can easily use Right Scale to deploy, provision, and manage a Membase database server running in Amazon (AWS), Rackspace, GoGrid, Eucalyptus or any other cloud service that RightScale supports.

Establishing a close relationship with RightScale was an easy decision. Many of our customers, including Zynga, already use RightScale extensively and prodded us to integrate our products with theirs. We’ve been working closely with RightScale for the past couple of months and I think you’ll like what we’ve put together.

Since social gaming turned out to be one of biggest initial adopters of Membase, RightScale, and Amazon (AWS), we’ve collectively decided to host a webinar to talk about how leading social gaming companies are using our products to build successful businesses (register now). If you’re in the social gaming business you won’t want to miss this but even if you’re not you can still learn a lot about deploying your web application in the cloud.

So, check out our new partnership with RightScale and let me know what you think. And let us know what other hot cloud companies we should work with next. Our goal is to make Membase easily accessible no matter how and where you choose to develop and deploy your application. Tell us how we can make your life easier!

Categories: Architecture, Database

Membase and Open Source 4.0

NorthScale Blog - Fri, 09/03/2010 - 16:33

I read Matt Aslett’s (The 451) post on the golden age of open source with interest. In it he describes that we’ve arrived at the fourth stage of open source, which is ”in short: a return to a focus on collaboration and community, as well as commercial interests.”

What we’re doing with definitely falls in line with this description although with a slightly different twist. NorthScale saw the need for a simple, fast, and elastic NoSQL database that we felt wasn’t being met by existing technologies. When it became clear that many prominent companies shared this view and were committed to an open source solution, NorthScale stepped in to shepherd the development of a broad community around the project. Consistent with Matt Aslett’s description of open source 4.0, the result is a project with an “emphasis on collaboration and community rather than control.” While NorthScale has contributed the bulk of the code to the project, our customers Zynga and NHN are co-sponsors of the project who have a strong commitment to its success. This blurring of the line between vendor and customer – the collaboration between two seemingly opposite sides of a transaction – has long set open source apart from the large proprietary vendors who want nothing more than a lock on their customers.

Traditionally, the primary attraction to open source, and what enabled it to make inroads in the enterprise, has been cost. This is the “cheaper Oracle than Oracle” model where the technology is not necessarily solving any new problems in the market, but provides a cheaper open source version of something enterprises are already paying for.

However, when I talk to enterprise companies, lowering costs no longer cuts it as a sole driver for open source technology adoption. On the other hand, if we engage our customers around a very real and painful problem they’re dealing with – in our case, the mismatch between relational databases and the needs of interactive web applications – and demonstrate how we’re solving this with innovative new technology, then we can have a discussion.

In a nutshell, the fourth stage of open source is much more than just a return to community and collaboration – it’s about putting open source front and center as an engine of innovation. We’re seeing an emergence of open source projects that solve a new problem and create a new solution that eases this pain point. The source code just happens to be open because it’s what we have all come to expect. This is particularly true of infrastructure software going forward, where it’s expected that some component, if not all of it, is available as open source.

We believe open source 4.0 is characterized in part by projects that solve new problems with innovative solutions and use a highly collaborative model. We encourage the participation of both “corporate sponsors” and passionate individuals who are willing to contribute to the membase roadmap and strengthen the community.

Categories: Architecture, Database

Implementing Membase Clients

NorthScale Blog - Tue, 08/31/2010 - 20:46

Recently, Attila Kiskó, the author of the best .NET memcached client, the Enyim .NET memcached client, has been enhancing his client library to speak directly to membase data nodes.  Membase already supports all existing memcached client libraries and memcached protocols via a high-performance proxy, but there’s a “direct path” that client libraries can use for ever-increased performance.  Along the way, we ended up with a quick guide on the wiki on how to create your own native or “smart” membase client library, so anybody else with their own favorite programming language can also do the same.

The easiest approach is to start with your favorite memcached client library (that speaks memcached binary protocol) and proceed from there.  The fun part  is with handling the cases during Rebalance operations to allow for seamless cluster elasticity without data loss, but who doesn’t like fun challenges like these?

Categories: Architecture, Database

NorthScale Membase Server Beta 3 is Here!

NorthScale Blog - Mon, 08/30/2010 - 14:14

I am excited to announce that NorthScale Membase Server 1.6 Beta3 is now available and ready for download.

This beta release adds a lot of new functionality and reflects most of what you’ll find in the final product. Highlights include:

  • Windows support
  • Multi-tenancy – allows multiple buckets on a single cluster including bucket quotas
  • “Cluster Overview” as a new monitoring dashboard
  • And lots of small improvements and bug fixes, of course!

Let’s take a look at these features in a bit more detail:

Windows support is by far one of the most frequently requested features, and we are very pleased to offer it with this beta release. Beta3 provides 32-bit Windows support, with 64-bit support on the way (Note: The 32bit binary runs just fine on Windows 64-bit but is subject to the 32-bit memory limits). The Windows version provides the same feature set as our Linux version.

Multi-tenancy is the mechanism for creating multiple buckets on one membase cluster. Each bucket represents a separate namespace, but more importantly it also provides a resource control mechanism on a per bucket basis, allowing buckets to have different behavior. For example if you have some data you consider very important, you may want to create a bucket with a replica count of 3; for other less crucial data, a replica count of 0 might make sense. This way you can decide how to divide the cluster resources to accommodate different requirements for different applications or different types. No more one size fits all!

Bucket quotas are worth a bit more explanation. Each time you create a cluster, you set a fixed amount of memory that each server node in the cluster will contribute to the total cluster memory that buckets can consume. Once set, this value will be inherited by any server joining the cluster and cannot be changed. Hence, the total memory available for membase use in the cluster increases by this amount with each addition of server to the cluster.

Similarly, each bucket defines a memory quota that sets the amount of memory it can use out of the cluster total memory. This quota does not change as you add servers to your cluster, but you can manually edit this on the “Manage Bucket” screen.

In addition to the memory quota, there is also a disk quota associated with each bucket. In contrast to the memory quota, there is no fixed limit of disk space that each server brings to the cluster; all free disk space on the assigned storage path may be used. It is up to sysadmin to make sure that each node provides sufficient space to accommodate the data written (and you can track free disk space in the new Cluster Overview dashboard). Disk quotas are not yet enforced in Beta3, but you can already use it to monitor your bucket’s usage versus the quota.

The Cluster Overview provides a single cluster overview dashboard, showing you the most crucial stats of your cluster in one place.

As you can see you get a single page to keep track of the memory and disk usage of all your buckets, as well as how many operations your cluster is performing. The “disk fetches per second” serves as a potential issue indicator. If you are seeing a lot of disk reads it means that the working set for at least one of your buckets does not fit into RAM alone anymore. Disk reads are much higher latency than memory reads, so should this happen you can use the Data Bucket monitor section to drill down and understand which bucket is encountering the issue. If you need to take action you can increase the bucket memory quota in the Manage Data Bucket section. Issue resolved!

As you see we packed a lot of great new features into Beta3. But there is still more to come. You might be able to guess from the new bucket creation dialog that we have another bucket type in store, which will make multi-tenancy even more exciting – but for more on that you’ll have to check back later.

Enjoy Beta3 and let us know how you are getting on with the new features!

Categories: Architecture, Database

Meetup with Membase at VMworld – Win an iPad

NorthScale Blog - Thu, 08/26/2010 - 23:36

We are looking forward to a great week next week at VMworld 2010 in San Francisco. It looks like it’s shaping up to be a great conference.

See a Membase demo.
If you’re at the show, be sure to come by NorthScale’s booth (#640) for a Membase demo. Membase is an elastic key-value database that stores data behind interactive web applications far more efficiently and cost effectively than it can be stored in a relational database. We’d love to show you how this highly available, cloud-friendly data layer expands and rebalances dynamically as application needs change. Just talk to anyone in the booth wearing a t-shirt with the Membase mascot (right).

membase t-shirtWear a t-shirt, win an iPad!
And speaking of t-shirts, pick up your own yellow membase t-shirt and wear it around the show floor to win a chance for an iPad. We’ll be giving away iPads at our booth on Tuesday (8/31) and Wednesday (9/1) at 5:30pm, so stop by during the day to get your t-shirt and find out more about how to win.

Can’t make the show?
Test drive Membase anyway.

If you won’t be in San Francisco next week, you can still take Membase for a spin by downloading it here. There are also a number of webinars available for getting started, and a very active user forum as well.

Hope to see you at the show!

Categories: Architecture, Database

Preview of Membase Beta 3

NorthScale Blog - Fri, 08/13/2010 - 20:15

Hey everyone,

Things are moving at the speed of light over here and I wanted to take a second to come up for air.

We just had our 7th weekly beta webinar and this week I did a demo/preview (albeit quick) of some of the features and functionality coming in our soon-to-be-released beta 3.

Check out the recorded webinar for a sneak-preview and then download the real thing when it’s available.

Thanks for all the feedback and please keep it coming.

P.S. If you happen to be in the area today, stop by for a beer and some eats at our parking lot BBQ (behind our Mountain View offices from 3-8pm.)

Categories: Architecture, Database

Memcached, go-derper, Black Hat and an Amazon Web Services (AWS) Security Bulletin

NorthScale Blog - Tue, 08/10/2010 - 21:11

If you are a user of memcached and have deployed instances on Amazon EC2, you may have received a message from Amazon over the weekend (we received one on 8/7/2010) indicating you may have a “Possible Insecure Memcached Configuration.” Here’s the body of the message we received:

We’ve sent you this email to let you know that we have observed that you may be running memcached in an insecure configuration. Specifically, we have noticed that you have at least one security group that allows the whole internet to have access to the port most commonly used by memcached (11211).

There has been a lot of recent attention by the security community about the lack of access controls on memcached and recently some exploits have been published. This has highlighted the importance of running with strict access controls. While we are not aware of any unauthorized access to your Amazon EC2 instances, we do believe you should have your technical team look at this immediately.

We suggest that you audit your security group settings and restrict access to only the instances and IP addresses that need access. Most users only authorize other Amazon EC2 instances to access their memcached server. If you need to access your memcached server from outside of Amazon EC2, you can also authorize just trusted addresses to access your security group.

If you need additional assistance, you can reach our Premium Support team by sending email to

The Amazon Web Services Team

Great email and service from the AWS team, and the suggested fix is spot on.

This posting is meant to provide some background on the issue and the alluded to “recent attention” the issue has received. The issue is relevant to all users of memcached, not just those deploying on Amazon EC2.

The vulnerability
The genesis of this bulletin was almost certainly the result of the development of go-derper by the team at sensepost, highlighted at the blackhat USA 2010 conference on July 30, 2010.

The highlighted vulnerability can be summarized as: if you deploy memcached on a server, leave the TCP port on which memcached is configured to listen (11211, by default) exposed to the Internet, leave the memcached ASCII protocol enabled, AND you are not using SASL authentication with the memcached binary protocol, then there is a trivial way for Bad Guys to retrieve and replace most of the contents of your cache. go-derper.rb is a simple Ruby application, built by sensepost, that can be used to exploit the vulnerability.

Eliminating the vulnerability
Let’s examine the vulnerability, clause-by-clause, and highlight what can be done to eliminate it, starting at the top:

“If you deploy memcached on a server,”

This may seem silly to consider, but there are actually options here. Not everyone needs to deploy and configure memcached on a server themselves in order to use the technology. If you are deploying memcached on a cloud platform, for example, you may simply leverage a pre-built image or even an add-on service.

We run the memcached add-on service for Heroku (itself run on Amazon infrastructure), the leading platform-as-a-service cloud provider for Ruby applications. Because we manage the memcached add-on, our deep expertise with memcached is implicitly brought to bear on behalf of the thousands of applications deployed on Heroku that leverage our memcached add-on.

Additionally, we are working closely with our friends at RightScale to make pre-configured memcached images available for those who want to deploy pre-configured memcached and membase instances on Amazon AWS.

If you are using one of these deployment options, we’ve ensured the configuration is secure.

“[if you] leave the TCP port on which memcached is configured to listen (11211, by default) exposed to the Internet,”

If you have deployed your own instance of memcached, either on your own equipment or in a cloud computing environment, then you need to ensure a firewall is protecting the system.

Amazon provides a rich set of capabilities for expressing and enforcing access control for instances running on EC2.

NorthScale co-founder Dustin Sallings also weighed in over the weekend; his blog provides great additional detail, especially regarding firewalling.

“[if you] leave the memcached ASCII protocol enabled,”

As built, the go-derper exploit depends on use of the ASCII protocol.

Memcached provides both an ASCII protocol and a binary protocol. The binary protocol was co-developed by NorthScale’s own Trond Norbye while employed by SUN Microsystems.

The fact of this vulnerability is that it also exists in the binary protocol, but the binary protocol supports authentication and access control, providing a mechanism for securing the data.

The ASCII protocol, the original protocol developed for memcached, does not have any facility for authentication or access control, and thus is not suitable for hanging on the public Internet. This protocol was explicitly developed for use behind a firewall, as a “back-end,” protected system.

In the unlikely event that you have some good reason to make the memcached port available to any host on the public Internet, but want to control access to the data, then you should disable ASCII protocol support (and enable SASL authentication on the binary protocol, as described next). The NorthScale distribution of memcached makes it easy to configure memcached to NOT bind the ASCII protocol listener to the memcached port.

“AND [if] you are not using SASL authentication with the memcached binary protocol,”

As mentioned above, the memcached binary protocol in recent releases of memcached does support authentication and access authorization via the SASL protocol.

The NorthScale distribution of memcached makes it very easy to leverage this capability. Creating a new “bucket” in our memcached distribution provides both multi-tenancy capability (allowing multiple applications to securely bind to a single memcached cluster) and serves as the vehicle for SASL credential binding. It is this capability that allows us to securely support thousands of memcached add-on users up on Heroku without running thousands of individual servers.

If you are using an older version of memcached (most linux distributions ship with antiquated versions of the software), and you need authenticated access support, you should look at a more recent version of the software. I certainly recommend our distribution.

The memcached historical context
The vulnerability is not surprising. Memcached was initially built by Brad Fitzpatrick for use at LiveJournal, in an environment where control over servers and network security was managed by a skilled team of system administrators. With many lines of defense in front of memcached, there was little need to build yet another layer of security into memcached itself, where the inevitable price would be development effort (effort better spent building blogging features) and performance (in an environment where many millions of memcached transactions are processed per day, and every single microsecond counts).

In a perfect world, every person developing and deploying software should fully understand the characteristics of all the underlying software infrastructure components on which their software is dependent; have a firm understanding of network security, policy formulation and policy enforcement; and regularly audit their operational environment while tracking emerging threats. Few systems would get deployed. In fact, I think it is fair to say that some of the most popular web applications on the Internet today would never have seen the light of day under those constraints.

In the real world, there is a lot of interesting software being developed and deployed by people who are not themselves, and who frequently do not have the resources to employ, experienced system administrators and network security specialists. They just want to get their software or service in the hands of as many users as possible, as quickly as they possibly can. If and when the billions of operations per second materialize, then the microseconds can be wrung out, hopefully by a competent team of system administrators which the organization can then attract, and afford.

An aside on cloud computing
Ultimately, this is one of the promises of cloud computing, as outlined in one of our white papers. Cloud computing is not just about transforming capital to operating expenses, or about leveraging service provider economies of scale. Managed hosting providers have been doing that for over a decade. Cloud computing ultimately enables software developers to develop and deploy software, without also building up expertise in system administration and network security. Ultimately the world is a better place as a result. More developers are empowered to build and deliver software solutions.

Amazon has demonstrated part of the value they provide to their customer base: they have tracked a newly highlighted vulnerability that is widely relevant (given the broad deployment of memcached) to their users, identified specific users at risk (possible given the metadata used to configure the virtual machine instances that ultimately underlie running systems on EC2) and notified them in a timely manner precisely how to deal with the problem. Serious value add.

Where do you get your memcached?
The team here at NorthScale provides the vast majority of the contributed source code to the memcached and membase open source projects. We respect the clearly expressed desire of the larger memcached development community that the core of memcached should remain raw, fast and best suited for those who know what they are doing.

We also make available commercially-supported, certified, less “raw” versions of those systems, making it easier for organizations to deploy, configure, secure and manage the software. While the memcached development community doesn’t want the code base polluted with “ease of use” features, there is a much larger potential community of users of the software that will be better off with those features present. Same goes for things like replication and live cluster reconfiguration. Many users want these capabilities, but the core community would prefer to keep them out of memcached proper. We make them freely available in our distribution and make the source code available in related projects (e.g.

Categories: Architecture, Database

Thu, 01/01/1970 - 01:00