Basis for Apple vs. Samsung Decision

August 27, 2012

This past week, a jury of nine people convicted Samsung of infringing the patents of Apple. There were a number of patents that Apple claimed were infringed. Per CNET, the devices and patents were numerous. In a nutshell:

  • ‘381: “rubber band” effect when reaching the bottom of a document (“look and feel”)
  • ‘915: ability to differentiate between single-touch and multi-touch, just like Microsoft’s older surface computing table (how Apple got this patent in the face of prior art, I do not know) (“look and feel”)
  • ‘163: double tap on screen to enlarge and center portions of the screen (“look and feel”)
  • D ‘677: related to the front face of the iPhone (“design”)
  • D ‘087: related to the general outline (“design”)
  • D ‘305: the icon arrangement in a grid with round corners (“look and feel”), like the Palm Pilot, Windows Mobile, and Apple Newton from years ago

It is impossible for me to say which of these “inventions” are truly inventions. That said, I largely do not agree with “look and feel” patents. Often, “look and feel” is a matter of current fashion. It’s what’s in vogue. I certainly feel that way about icon arrangement and the look of icons, scrolling, etc.

The “rubber band” effect is an interesting effect, but that’s what it is: an effect. It is not an invention, really. Computer graphics students have for years been creating programs with bouncing balls and such that behave in a similar way. So what was “invented” was not the bouncing effect, but the application of that effect to scrolling. So is that an invention?

I think similar arguments can be made for most, if not all of these patents. Apple has truly created a revolutionary platform, but what was revolutionary was bringing together a powerful operating system, applications, and an app store, all while making it as simple to use as possible. Apple did not create the first mobile phone. Apple did not create most of the graphical user interface elements and concepts. Apple did not create the first operating system, and certainly not the first powerful mobile operating system. What Apple did was package it well and market it extremely well.

One has to wonder whether these user interface and design patents are even valid. Consider where the U.S. patent system originated. It came about due to Article I §8 of the U.S. Constitution which says, “Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Exactly where does a user interface design fit into writings or discoveries? I would agree with a design patent that describes the process of creating a particular kind of material or shape through a complex manufacturing process, a process that had to be discovered through scientific research. However, a “rubber band” effect, icon arrangement, and an aluminum edge around a glass screen hardly fall into that category.

Exactly how does the patent system that allows for such patents in any way “promote the progress of science or useful arts”? The answer is that it does not.

Apple’s bold entrance into the mobile communication space has significantly impacted the market and I applaud them for leading the revolution. At the same time, awarding these kinds of patents to Apple does not help to “promote the progress of science”. Rather, it serves just the opposite. Apple did not need those patents to become the wealthiest company in the world. However, it can use those patents to prevent anyone else from attempting to create competitive products. In so doing, it is the consumers – the public – that suffer. We want Apple to continue to innovate and we want Samsung and others to push the envelope. That is how technology progresses in all industries.

In any case, it is very interesting to see how the basic concepts of promoting science and useful arts have mushroomed into the complex copyright and patent system we have today. Now, we have cartoon characters like Mickey Mouse protected for some 70 years beyond the death of the inventor, copyright assigned to things other than writing or useful arts (the latter including music and movies), and patents awarded on the arrangement of icons in a grid pattern.

Amazon "Add-Ons" are Idiotic

August 26, 2012

Perhaps the title is a bit strong, but I was frustrated when trying to order an item on Amazon tonight only to be greeted with a message that the item I wanted to order was an "add-on" item and that Amazon would not ship that item unless I ordered at least $25 worth of merchandise.

What are "add-on" items? They are items that, per Amazon, "would be cost-prohibitive to ship on their own". For those who are not Amazon Prime members and normally pay for shipping on items, these "add-on" items cannot be ordered separately, but will ship for free with your $25 or more order. Sounds good? Perhaps, except that you cannot even pay Amazon whatever the "cost-prohibitive" amount to ship it would be. Amazon simply will not sell those items by themselves, unless you buy $25 worth of "add-on" items or other items that cost $25 in total.

What about Amazon Prime members? For those who do not know what Amazon Prime is, "Amazon Prime is a membership program that gives you and your family unlimited fast shipping, such as FREE Two-Day shipping to street addresses in the contiguous U.S. on all eligible purchases for an annual membership fee". But what are "eligible purchases"? Those are:

  • Millions of items sold by
  • Over 100,000 eligible items on
  • Many items that are fulfilled by Amazon

It's a great program, but what are the items that are not eligible? Well, Amazon lists those and they are:

  • Items fulfilled by Amazon Marketplace sellers
  • Magazine subscriptions
  • Personalized gift cards
  • Any item that doesn't have a message indicating that it's eligible for Prime on its product page

I visited Amazon today to purchase a short HDMI cable. I had purchased this same cable a couple of years ago. It was Prime Eligible then. Now, though, Amazon will not let me buy just the 0.9 meter cable for $4.99, because it's classified as an "add-on". I can't offer to pay for shipping, either. Amazon also tells me "FREE Two-Day Shipping for Prime members when buying this Add-on Item", but that's of no comfort since I cannot order it.

Just to show how dumb Amazon's "add-on" item idea is, while I cannot order the 0.9 meter cable for $4.99, I can order the 6 meter cable for $5.49 and get free 2-day shipping. Amazon: I'd gladly pay the extra 50 cents and get the shorter cable!

I appreciate the fact that some items might cost more to ship than Amazon would earn, but to offer absolutely no option to pay the cost it would take to get it out of the "cost-prohibitive" bucket is silly.

Is Amazon losing its touch?

DNSSEC Paves the Way for Better TLS Security

August 20, 2012

Everyone is familiar with the padlock that appears on the address bar in the web browser indicating that the communication session is secure. However, few people understand the technology behind that padlock, namely the Transport Layer Security protocol (TLS), or what a digital certificate is. It is those digital certificates that are the subject of this blog post.

For years, a small group of companies have served in the capacity of Certificate Authorities (CAs). Those companies, along with the makers of web browsers, form the Certificate Authority / Browser Forum. It’s a fairly exclusive club, really. They purposely limit the number of certificate authorities so as to ensure that the price people pay for digital certificates allows them to make money. Oh, and of course, to provide “trust” in some way. Gaining membership in this exclusive club is hard. Suppose you want to establish a new business as a root certificate authority. In order to do that, you must “actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers”, as in you must be in the business already. It’s a bit of a chicken-and-egg problem. One cannot actively issue certificates if the web browser makers do not “trust” you, and you cannot gain their trust unless you are already a root certificate authority.

Not only is the CA/Browser Forum mostly a club that tightly controls who can trust whom on the Internet, largely for the financial benefit of the members of the Forum, but the whole system is, in fact, flawed. If you visit a web site that claims it is secure, can you really trust the certificate presented? The fact is, there has been more than one case where a digital certificate was issued by a certificate authority in error. How can this happen? For one, it’s possible because, until recently, DNS has had no security applied in practice. Second, people are able to get into corporate email accounts. Anyone can create a public/private key pair for the certificate. A hacker just needs to trick a certificate authority into signing it. Usually, this requires only that the person verify that they own an email address at the domain, usually one of the few the certificate authority believes to be an administrative address.

Now that DNSSEC is here, a better way exists to secure browser communication or other communication that utilizes TLS. Rather than create a certificate and have it signed by a certificate authority, a domain owner can create a certificate and place a signature of that certificate into the domain’s DNS. Since all DNS records are signed by the domain owner and DS records created by the domain owner are inserted into the registrar’s DNS servers, it is possible to trust those records. RFC 6698 defines precisely how to do that. Essentially, one creates a self-signed certificate and inserts a signature of that certificate in DNS as a TLSA record. For example, suppose one creates a certificate for on port 443 (standard TLS port) and wishes that to be trusted by browsers. One would create a signature of that certificate and insert a TLSA record like this: IN TLSA 1 1 \

It will take a few years before browsers and other TLS clients start using DNSSEC and TLSA records, but the technology now exists. This is significantly more secure than today’s certificates, since domain owners are in complete control of certificates. No longer is there a risk of a certificate authority issuing a bogus certificate. Domain owners can easily cancel certificates by simply removing the associated TLSA records in DNS.
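As an added example (not code from the original post), the following Python builds and checks the TLSA “certificate association data” the way RFC 6698 defines it: selector 0 covers the full certificate and selector 1 the SubjectPublicKeyInfo; matching type 0 is the exact bytes, 1 is SHA-256 and 2 is SHA-512, so what goes into DNS is a digest rather than a signature. The DER helpers are only enough to walk an X.509 certificate to its SubjectPublicKeyInfo. SAMPLE_CERT and OTHER_CERT are constructed DER skeletons with correct framing and placeholder contents, not real certificates, and _443._tcp.example.com. is a placeholder owner name. One caveat on the record shown above: usage 1 (PKIX-EE) still requires the certificate to validate through a trusted CA; it is usage 3 (DANE-EE) that lets a self-signed certificate stand on the DNSSEC-validated TLSA record alone.

```python
import hashlib


def der_encode(tag, value):
    """One DER TLV with definite-length encoding."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_read(data, offset=0):
    """Read one TLV at offset; return (tag, value, end_offset, whole_tlv)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    end = pos + length
    return tag, data[pos:end], end, data[offset:end]


def der_children(value):
    """Yield (tag, value, whole_tlv) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos, tlv = der_read(value, pos)
        yield tag, inner, tlv


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo TLV of a certificate. RFC 5280 tbsCertificate order:
    [0] version (optional), serial, signature, issuer, validity, subject, spki, ..."""
    _, cert_body, _, _ = der_read(cert_der)      # Certificate ::= SEQUENCE
    _, tbs, _, _ = der_read(cert_body)           # tbsCertificate ::= SEQUENCE
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                     # explicit [0] version present
        fields = fields[1:]
    return fields[5][2]


def tlsa_data(cert_der, selector, matching_type):
    """Certificate Association Data as hex. Selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698 section 2.1)."""
    chosen = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return chosen.hex()
    if matching_type == 1:
        return hashlib.sha256(chosen).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(chosen).hexdigest()
    raise ValueError("unknown matching type %r" % matching_type)


def tlsa_record(owner, cert_der, usage, selector, matching_type):
    """Presentation form, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching_type,
                                       tlsa_data(cert_der, selector, matching_type))


def matches_tlsa(cert_der, selector, matching_type, data_hex):
    """The check a DANE-aware client makes after DNSSEC-validating the TLSA RRset."""
    return tlsa_data(cert_der, selector, matching_type) == data_hex.lower()


# --- constructed sample data: placeholders, not real keys or certificates ---
RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption


def build_spki(dummy_key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    return der_encode(0x30, der_encode(0x30, RSA_OID + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + dummy_key_bytes))


def build_sample_cert(spki_tlv):
    """Certificate skeleton: v3 version, serial 1, empty names, dummy signature."""
    alg = der_encode(0x30, SHA256_RSA_OID + der_encode(0x05, b""))
    name = der_encode(0x30, b"")                                   # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"120820000000Z")
                          + der_encode(0x17, b"130820000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))
                     + der_encode(0x02, b"\x01") + alg + name + validity + name + spki_tlv)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" + b"\xaa" * 8))


SAMPLE_SPKI = build_spki(b"\x01\x02\x03\x04")
SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)
OTHER_CERT = build_sample_cert(build_spki(b"\x05\x06\x07\x08"))

if __name__ == "__main__":
    rec = tlsa_record("_443._tcp.example.com.", SAMPLE_CERT, 3, 1, 1)
    print(rec)
    print("presented certificate matches:", matches_tlsa(SAMPLE_CERT, 1, 1, rec.split()[-1]))
```

Publishing the SPKI digest (selector 1) rather than the whole-certificate digest is the usual choice, since the record then survives re-issuing the certificate with the same key; revoking is, as the post says, a matter of removing the record and waiting out its TTL.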

Configuring DNSSEC on Your Domain

August 17, 2012

DNSSEC is the standard for providing security for your domain name in order to protect it from attackers who want to intercept communications by directing web browsers, email servers, etc. to destinations other than the correct destination. Enabling DNSSEC is actually very straightforward. I’ll explain the steps for those who use BIND to provide DNS services, as it is one of the most popular DNS servers on the Internet.

The first step is to generate a pair of keys. The first key is called the “Zone Signing Key” (ZSK) and it can be created using this command (replace “” with your domain name):

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE

Next, you need to create a key called the “Key Signing Key” (KSK). It is created using the following command:

dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK

Note that the -b flag specifies the key size in bits.

These two commands will produce four files:


The format of the filenames is “Knnnn+aaa+iiiii.{key|public}”. The value “nnnn” refers to the domain name you are securing. The value “aaa” refers to the cryptographic algorithm used. In the example above, 005 refers to RSA/SHA-1 (per RFC 4034). The “iiiii” is a key identifier, which is just a 16-bit value that identifies this particular key for this particular domain.

Next, you concatenate the .key files to the end of your zone file, like this:

cat >>

Now you have to “sign” your zone file. To do that, you first need to identify which of the key files is your KSK and which is your ZSK. If you took notice of the file names created after executing the key creation commands above, you’d know. Otherwise, just look at each file in a text editor and you’ll see which one is which. In our example, we’ll assume that “” is the ZSK and “” is the KSK. You’ll then execute this command:

/usr/sbin/dnssec-signzone -o -N keep -k

This will result in the creation of a file called “”.

Now, you just have to make a few small adjustments to the /etc/resolv.conf file. Here are the important changes:

options {
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

include "/etc/named.root.key";

zone "" IN {
    type master;
    file "";
    allow-update { "none"; };
};
Place both the and into the directory where BIND keeps its zone files. Then restart named, or issue these commands:

/usr/sbin/rndc reload
/usr/sbin/rndc flush

At this point, your DNS server is ready to go. However, your registrar must have the appropriate “glue” records in place. Usually, these records are DS records. Fortunately, those records are generated for you automatically by the “dnssec-signzone” command. You will see a file called “” with the DS records inside. All you have to do is insert those into your registrar’s DNS, much like you might assign your name servers. The procedure for doing this varies by registrar, so I cannot explain it here. However, it’s not so hard once you find the right place. The registrar should validate that everything is working properly before activating the DS records. One would not want an incorrect record in place, as that would break the trust chain established via DNSSEC and thereby “break” resolution of the domain.

ICANN has a list of registrars now supporting DNSSEC. Not all of them do, and those that do certainly do not support DNSSEC for all TLDs. So, it is best to check with your registrar before going through all of the steps and being disappointed.

If you wish to validate that DNSSEC is working properly, you can use the “dig” command on Linux machines like this:

dig +topdown +sigchase

That command will report success or failure in the trust chain. Alternatively, visit and perform a basic test via the web.

One last point to make is that it is recommended that you re-sign your domain at least every 30 days. It's not necessary to generate new keys, but merely re-sign the zone file. (Note that if you did decide to change the key used to sign the domain that you need to ensure that you properly handle the key rollover. Otherwise, for a period of time some DNS servers might assume your domain's signature is invalid. DNSSEC Key rollover is a whole other topic.)
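As an added example in Python (not code from the original post, and not BIND’s own code), the following recomputes from a constructed DNSKEY record the pieces referred to above: the 16-bit key tag that appears as the “iiiii” part of the Knnnn+aaa+iiiii file names (RFC 4034 Appendix B), the DS record that dnssec-signzone writes to the dsset file for your registrar (RFC 4034 section 5.1.4: a digest over the owner name in wire form followed by the DNSKEY RDATA), and the expiration field of an RRSIG, which is what the “re-sign at least every 30 days” advice is about, since dnssec-signzone’s default signature validity is 30 days. The DNSKEY and RRSIG records are constructed with a four-byte dummy public key and a dummy signature under the placeholder name example.com.; algorithm 5 (RSASHA1) matches the post’s commands, while current deployments generally use 8 (RSASHA256) or 13 (ECDSAP256SHA256).

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed records (dummy key and signature; not usable for anything but this example).
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 5 AQIDBA=="
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG SOA 5 2 3600 20120916000000 "
                "20120817000000 2060 example.com. AAAA")
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type codes


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed, lowercased labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    parts = text.split()
    idx = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[idx + 1:idx + 4])
    key = base64.b64decode("".join(parts[idx + 4:]))
    return parts[0], flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit identifier, not a hash and not guaranteed unique."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """Flags 257 = Zone Key (256) + Secure Entry Point (1) is a KSK; 256 is a ZSK."""
    return flags & 1 == 1


def bind_key_filename(owner, algorithm, tag):
    """The Knnnn+aaa+iiiii base name that dnssec-keygen uses for its .key/.private files."""
    return "K%s+%03d+%05d" % (owner, algorithm, tag)


def ds_record(dnskey_text, digest_type=2):
    """DS RR for a DNSKEY: digest over owner name (wire form) + DNSKEY RDATA."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def rrsig_expiration(rrsig_text):
    """Expiration of an RRSIG in presentation form (5th field after RRSIG, YYYYMMDDHHMMSS UTC)."""
    parts = rrsig_text.split()
    idx = parts.index("RRSIG")
    return datetime.strptime(parts[idx + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def days_until_expiry(rrsig_text, now=None):
    """Positive while signatures are still valid; schedule re-signing well before zero."""
    now = now or datetime.now(timezone.utc)
    return (rrsig_expiration(rrsig_text) - now).days


if __name__ == "__main__":
    owner, flags, protocol, algorithm, key = parse_dnskey(SAMPLE_KSK)
    tag = key_tag(dnskey_rdata(flags, protocol, algorithm, key))
    print("KSK" if is_ksk(flags) else "ZSK", bind_key_filename(owner, algorithm, tag) + ".key")
    print(ds_record(SAMPLE_KSK))
    print("SOA RRSIG expires", rrsig_expiration(SAMPLE_RRSIG).isoformat())
```

Compare the printed file name and DS line with what dnssec-keygen and dnssec-signzone produced for your own zone; a key tag or digest that does not match is the usual sign that the DNSKEY pasted at the registrar is not the one actually serving the zone, which is exactly the broken trust chain the post warns about.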

Making Sense of AT&T's New Data Plans Rates

July 18, 2012

AT&T announced today that it will be offering shared data plans called "AT&T Mobile Share" so that people with multiple devices can share data across those devices. Quite often, it's families that would benefit from sharing data, which was the case when "family plans" were introduced in order to share voice minutes.

Voice minutes and text messaging are unlimited with these new plans. This suggests that AT&T realizes that lower-cost VoIP alternatives exist, so there's no point trying to compete in the voice space. So rather than compete, AT&T will force customers to pay for the voice/text by charging a flat fee per phone, regardless of usage.

The new data sharing plan allows families to pool bandwidth as they did voice before, but the prices are not really cheaper than paying for individual plans. For example, if one has a 3-phone family plan at $70 with unlimited text and 2GB of data per phone, the total price is $70 + $30 (text) + $25 * 3 (data) = $175. Under the new pricing, the unlimited voice/text + 6GB of data would cost $195. But voice is unlimited, right? Who cares? The subscriber was probably OK with the limited voice minutes.

Anyway, here is the price breakdown:

How many people will actually save money with these new plans?

Acer Broke My Tablet

July 15, 2012

Less than a year ago, I bought an Acer Iconia A500 tablet. It's a great tablet and has worked really well, but in April Acer sent out the Android 4.0 update and, in so doing, broke an important feature on the tablet: screen rotation. I learned that if I reset the tablet and let it reboot a few times, it will eventually start working. There appears to be a race condition where the gyroscope is not being initialized properly.

Anyway, I waited a couple of months and contacted Acer about it. Here is what they said:

I understand that the screen of the tablet is not rotating. ... This issue is caused because the G-sensor on the tablet is not properly initializing. ... A new OS image was created to resolve this issue but there currently is no plan to release this image as a FOTA update. ... I have verified your product serial number and found that the unit is not covered under standard limited warranty. In order to resolve this issue, we can schedule the unit for repair.

Schedule it for repair? And what will they do? Install the firmware that should be released to fix the known problem?

This was my first and last Acer device. That's pretty rotten service, in my opinion. There is a world of difference between a broken device and a known defect introduced by the manufacturer through a software update!

Update: As required by Acer to fix the "broken" Acer Iconia A500 (by way of installing a new firmware load), I mailed the tablet to them. They returned it to me and, indeed, it had a new firmware load on it. Whether they had to open the tablet or not, I do not know. One thing that scared me was the service order stuffed in the box that said there were "surface scratches". I was afraid that perhaps the tablet got damaged in shipping. Alas, there were no scratches. The tablet was in perfect shape. Now, why would they have said that? I bet they say that on EVERY service order, just in case somebody complains that Acer damaged their device, so they can say they observed surface scratches when they received the tablet. In any case, they were not entirely honest with this statement, as there are no scratches on the screen or elsewhere.

America Forcing Its Laws on the World Sets Horrible Precedent

June 25, 2012

In case you're unaware, the United States Government seizes domain names of people and businesses all the time. They do it arguing those people are breaking the law, but take the domain names away even before there is a trial and before there is a guilty verdict. Three such domain seizures in recent months have been extremely questionable and, in my opinion, totally wrong. Worse, one guy is at risk of being dragged to the United States to be thrown in jail for nothing more than links on his web site.

There was a gambling web site in Canada operating the domain name It's a Canadian company operating a business in Canada with the domain name registered in Canada. The federal government does not want you or me to gamble, so they took away the domain name by hijacking it. They did not have the authority to go to Canada to do their evil work, so they basically forced Verisign, the U.S. company that manages the .com names, to hand over the name. Along with that, the U.S. federal government indicted the man who owned the company.

The next case is a web site reportedly used to pirate movies and music called Federal law allows service providers to be exempt from what users post on the Internet, as long as they comply with the Digital Millennium Copyright Act (DMCA). This company did that, even though they are a foreign company. They are a Hong Kong-based company, with the owner/founder living in New Zealand. The U.S. worked with local authorities to raid the owner's house and take his money and property. They took away their servers and many users are complaining that they want their files back. One man even filed a lawsuit against the U.S. Government to get his files back and the U.S. argued that it would "set a bad precedent". Meanwhile, the company is closed, the 40+ employees are out of work, and there is no evidence that I can see that they were not in compliance with the law that, remember, they’re not even obligated to follow since they are not a US company. Perhaps they did thrive on exchange of illegal content, but they followed the law, it seems.

The last case is even more difficult for me to understand. A college student in the UK named Richard O'Dwyer ran a web site called On the site, users posted links to TV shows and movies around the Internet. This guy has never been to the U.S., did not do business in the U.S. (outside of the minority of users who were from the U.S.), did not have servers in the U.S., and had no copyrighted works on his web site, etc. Even so, the U.S. government is trying to force him to come to the U.S. to face trial and go to jail. Did you know that it is illegal to post a link on a web site to copyrighted works? It is not illegal in most countries, but it is here in the oppressive U.S. These kinds of laws rank right up there with taxing Americans on income they earn anywhere in the world, even if they don’t live in the U.S., or taxing people who give up their American citizenship.

The U.S. is nuts sometimes, and I don’t mind saying so. I love my country, but the politicians sometimes create laws to cater to big media companies and they stomp all over us little people. Just to put this into perspective, can you imagine facing jail time over something you say on the Internet that in your country is perfectly legal? If we follow America’s lead, then if any one of us were to say something negative about the Chinese government, for example, then we should all be picked up, carried to China, and put in jail or put to death. Sound reasonable to you? This is the real danger the U.S. is putting us all in by doing these things it is doing.

Jimmy Wales, founder of Wikipedia, is trying to stop the U.S. from bringing Richard O'Dwyer here to face trial over links on his web site. I encourage all of you to sign the petition to stop the U.S. Government. If you are American, I would also encourage you to write to your senators and congressmen to have them put an end to trying to force the world to comply with American laws. No country should ever be able to apply its laws to a person or business in another country, using a person’s words or a service they provide on the Internet as justification.

Delegating ENUM Resolution Responsibility

March 29, 2012

One of the biggest challenges with respect to getting ENUM deployed is politics. Everyone wants to control the numbering plan because they either see money in owning the numbering, they do not want to be liable for service outages due to reliance on some other entity, they fear a loss of control over numbers they control, or something else. In any case, it has been very difficult to move the world to ENUM. Well, I’m here to ask the question, “Why worry about it?”

Dialed Digits is an ENUM service provider. It’s one of many ENUM service providers around the world. One can query Dialed Digits starting at the root of the ENUM tree at Dialed Digits can also delegate management of a portion of the ENUM tree to another organization. This can be done by simply inserting NS records into DNS like this under

4.4 IN NS

This DNS record basically says that all of the digits for the UK can be queried via (Please note that record is entirely fictitious. Packetizer does not manage the phone numbers for the UK.) So, if I were trying to contact the web team for Buckingham Palace in London at +442079304832, then a query would be sent for Seeing that +44 is handled by, a query would be directed to that server, but still looking for However, what if BT is the owner and manager of those phone numbers? It probably is. Further, I’m quite certain that BT is going to want to manage its numbers under the BT domain name, perhaps at

So, how do we tell the ENUM resolution engines to go look in an entirely different domain? Here’s my proposal. We should use NAPTR records and introduce a new flag “x” that signals that responsibility for queries has been “transferred” to the specified domain (or sub-domain).

For example, under we might have a record that looks like this:

*.4.4 IN NAPTR 100 10 "x" "" ""

So, when a phone number like +442079304832 is resolved, an answer will come back with a NAPTR record that effectively says “go ask again over at”. And so the query is re-issued under the specified domain.

What this allows service providers to do is, through DNS and ENUM procedures, to define who the authority is for any given digit string and to delegate management to them. There is no need to rely on a central There would be a need to establish peering relationships, but this approach would actually allow one to rely on any number of companies to provide that peering management.

Imagine if Dialed Digits were the “fallback” service for AT&T. Perhaps AT&T might manage ENUM services for all of its own numbers and might insert “transfer” NAPTR records for some numbers owned by service providers with whom the company has a direct peering relationship. But, for all other digits, it might rely on Dialed Digits to establish those peering relationships and provide the appropriate NAPTR records (either answers to queries or further “transfer” records).

UPDATE: I was exchanging email with Patrik Fältström on this topic. He suggested that, rather than introduce a new NAPTR flag, one should just use DNAME records. That's really a far simpler way of delegating. So, an ENUM provider might have a DNS entry that looks like this:


This would mean that any query for +44 numbers would be directed to BT's ENUM tree at, if such an address existed.
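To make the delegation concrete, here is an added example in Python (not code from the post, from Dialed Digits, or from any ENUM registry): a toy resolver over an in-memory zone that performs the E.164-to-domain-name mapping of RFC 6116 (digits only, reversed, one label per digit), follows a DNAME as suggested in the update above so that the whole +44 branch is answered from a second provider’s tree, and applies the NAPTR regexp fields to turn the dialled number into URIs. The names enum.example. and enum.bt.example. and the sip:/xmpp: targets are placeholders; the “x” flag proposed earlier in the post is not implemented, since the DNAME approach makes it unnecessary.

```python
import re

ROOT = "enum.example."              # placeholder for one ENUM provider's tree
BT_ROOT = "4.4.enum.bt.example."    # placeholder for where +44 numbers are managed

# Constructed zone data. The DNAME line corresponds to the record type the update
# describes: "4.4.enum.example. DNAME 4.4.enum.bt.example."
ZONE = {
    "DNAME": {"4.4." + ROOT: BT_ROOT},
    # owner -> [(order, preference, flags, service, regexp)]
    "NAPTR": {
        "2.3.8.4.0.3.9.7.0.2." + BT_ROOT: [
            (100, 10, "u", "E2U+sip", r"!^\+44(.*)$!sip:0\1@bt.example!"),
            (100, 20, "u", "E2U+xmpp", r"!^.*$!xmpp:webteam@bt.example!"),
        ],
    },
}


def enum_name(e164, root=ROOT):
    """+442079304832 -> 2.3.8.4.0.3.9.7.0.2.4.4.<root>"""
    digits = re.sub(r"\D", "", e164)            # drop '+' and any separators
    if not digits:
        raise ValueError("no digits in %r" % (e164,))
    return ".".join(reversed(digits)) + "." + root


def apply_dname(qname, zone):
    """Rewrite the suffix of qname when a DNAME owner covers it (RFC 6672 semantics):
    the part below the DNAME owner is kept, the owner is swapped for the target."""
    for owner, target in zone["DNAME"].items():
        if qname.endswith("." + owner):
            return qname[:-len(owner)] + target
    return qname


def apply_regexp(regexp, number):
    """Apply a NAPTR regexp field ('!pattern!replacement!flags') to the dialled number.
    Back-references such as \\1 carry parts of the number into the URI."""
    delim = regexp[0]
    _, pattern, replacement, flags = regexp.split(delim)
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(pattern, replacement, number, flags=re_flags)


def resolve(e164, zone=ZONE, root=ROOT):
    """Return (name actually queried, [(service, uri), ...]) ordered by order/preference."""
    qname = apply_dname(enum_name(e164, root), zone)
    results = []
    for order, pref, flags, service, regexp in sorted(zone["NAPTR"].get(qname, [])):
        if flags.lower() != "u":                # only terminal URI rules handled here
            continue
        results.append((service, apply_regexp(regexp, e164)))
    return qname, results


if __name__ == "__main__":
    for number in ("+442079304832", "+12125551212"):
        qname, results = resolve(number)
        print(number, "->", qname)
        for service, uri in results:
            print("   ", service, uri)
```

The +44 query never touches a NAPTR under enum.example.: the DNAME sends it to the BT tree, where BT’s own records answer, which is the delegation the post is after without a central registry. A number outside +44 stays in the first provider’s tree and, in this toy zone, simply gets no answer.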

Using XMPP with VoIP Protocols

March 20, 2012

As many know, I am a big advocate for enabling a plurality of devices and applications to be used together as part of a multimedia communication session. That is the whole idea behind the work the ITU is presently doing with respect to H.325 (or AMS). AMS aims to be the next-generation multimedia communications protocol, succeeding the now aging SIP and H.323 protocols, both of which are now 16 years old. While work on AMS is still progressing, there are things we can do in the interim to make it easier to integrate some applications, perhaps most importantly text with voice/video.

XMPP is the international standard for instant messaging and presence. It is widely used within enterprises around the world and used by services like Google Talk. Due to its design, it has the potential to be as ubiquitous as email is today. And like email, it fully allows for federation between different domains. With XMPP, it is just as easy to have an instant messaging (IM) session with a colleague as it is anybody around the world.

H.323 and SIP are the two leading voice and video communication standards in the market today. H.323 is still the most widely used protocol for videoconferencing, while SIP is primarily used as a voice “trunking” protocol between enterprises and service providers. In the core of the service provider networks, both H.323 and SIP are employed, with SIP perhaps now leading as the pure-voice replacement.

It is becoming increasingly possible to use VoIP (voice or video) to place calls between colleagues and with other people around the world. Since VoIP generally means “voice” in my mind, I prefer to use a more generic term of IP Multimedia Communications (IPMC), of which voice, video, instant messaging, whiteboarding, etc. are all a part. So, I’ll use IPMC below, but you can think of that as “VoIP” if you prefer that term.

When I initiate an IPMC session, it usually offers only a single mode of communication. Quite often, it is just a voice or voice/video call (admittedly, that is two modalities) or instant messaging. Rarely do we have the ability to initiate one session (e.g., voice) and have the ability to use instant messaging with that, especially if the two applications are not a single unified application. For example, if I make a call using my IP phone, my IM client has no idea that I’m talking to somebody. Likewise, if I am carrying on a few instant messaging sessions, my IP phone is oblivious to this fact.

What we need is a means of better integrating voice/video applications with XMPP. There was some work that started in the IETF to do this, but I do not think that work progressed too far. Nonetheless, I think it is important work and I figured I would write up my thoughts here.

We have two problems we need to solve:

  • My voice/video phone (desk phone or soft client) needs to know when I have an instant messaging session active with somebody so that I can just press a button to launch a voice call, and it needs to know the voice contact information for the other person
  • My instant messaging client needs to know when my voice/video phone is in an active call with somebody, and it needs to know the XMPP JID (the user’s identity) for the person with whom I am having a conversation

From these two requirements, we can see there is a need to share addressing information and there is a need to convey some presence state between the phone and the instant messaging client.

One way to convey addressing information is to simply advertise it within the protocols themselves. For example, when I configure my voice application, I could tell it my XMPP address. Likewise, when I configure my XMPP application, I can tell it the URI for my voice/video application. That’s pretty simple. You can imagine in SIP, for example, that we might introduce a header like this:


In fact, XMPP already defines the means through which addresses can be advertised for other applications.

A small addition like this to SIP and H.323 would allow me to call you, for example, and immediately know your XMPP address or your voice/video URL. One could also advertise one's H.323 or SIP URI via XMPP, too. If I have XMPP and voice/video integrated into a single application, that would be all I need to know in order to quickly launch a different mode of communication right from within my application.

Often, though, these applications are separate. So what we need is a means of allowing the voice/video application and XMPP application to convey their status information to each other. A very reasonable way to do that is to re-use XMPP. After all, XMPP was designed to be a presence protocol. It has the ability to learn and maintain state information related to various presentities (“presence entities”).

Now, with the phone knowing about active IM sessions and the XMPP client knowing about active voice/video sessions, it is now trivial to initiate new modes of communication with the touch of a button. If I call you using my phone, my IM client would know I am on a call with you. I could press a button on my IM client that corresponds to the active voice call and use instant messaging without ever having to manually enter an address.

There are also ways for clients to learn addressing information for users automatically. For example, rather than tell my phone my JID, we can use technologies like Webfinger. Using Webfinger, it would be possible for my phone to query to learn the other addressing information related to me. Further, it would be possible for the person I call to learn my other addresses (IM, voice, email, etc.).

It is also possible to map telephone numbers to Webfinger account URIs using ENUM. So, it would be possible to convey only the phone number and then discover all of the other addressing information related to a user.

Webfinger makes it very easy to discover information about another person, but I realize that some people might be concerned with privacy. Therefore, Webfinger should be considered as one option and not the only solution. Still, it is one option to make provisioning significantly simpler.

ENUM could also be used to map a phone number to an XMPP address only. However, since we would still need to have the ability to map from an XMPP address to a phone number, we need to either advertise addresses via the session protocols or use Webfinger. I’m open to other recommendations.

Amazon EC2: Creating EBS-backed Instances with Ephemeral Storage and Automatically Deleting the EBS Storage upon Termination

March 12, 2012

I use Amazon EC2 extensively. One of the things I noticed over the past couple of years is a move from instance-store to EBS-backed instances. I’ve read the literature on EBS-backed instances and, quite honestly, I don’t care about the benefits. If an instance dies, I can restart it and have it up and running in no time, since virtually everything is scripted. That said, I’m not going to fight the trend.

One thing I do miss, though, is that instance-store instances have a large chunk of ephemeral storage available for use for free. With EBS-backed instances, the ephemeral storage is usually not available. It is, though, if you go through the motions of creating your own AMI or find one configured as outlined here.

To take the easiest route, launch an EBS-backed instance of the AMI you’d like to use with ephemeral storage. Make whatever changes you wish to it once you have it running. You might want to add this to the /etc/fstab, adjusting the device name and filesystem as required for your version of Linux:

/dev/xvda2 /mnt ext4 defaults 1 2

Now, stop the instance and take a snapshot of it. The snapshot will be our new AMI when done, so it will persist as long as you want to keep the AMI around.

Then execute the following command:

ec2-register -n AMI_Name -d AMI_Description -a PLATFORM --kernel KERNEL --ramdisk RAMDISK --root-device-name /dev/sda1 -b /dev/sda1=SNAPSHOT_NAME:10:true -b /dev/sda2=ephemeral0

Each of the variables above is defined here:

  • AMI_Name: A friendly name you assign to the AMI
  • AMI_Description: A longer description you assign to your AMI
  • PLATFORM: The platform, either "i386" or "x86_64"
  • KERNEL: The kernel ID of the kernel to use, which can be found using ec2-describe-images or observing the kernel used while the original instance is running
  • RAMDISK: The ramdisk ID to use, which should also match that specified in ec2-describe-images or observing the one used while the original instance is running (this is often not specified)
  • SNAPSHOT_NAME: The name of the snapshot you created above. Note that the '10' that follows indicates the size of the EBS volume to create for the root filesystem and 'true' means that the volume should be deleted when the instance is terminated (you may prefer to set this to false)

One of the other things I really do not like about EBS-based instances is that when you terminate them, the EBS storage is left behind and you have to clean that up separately. Using “true” as a part of the -b parameter means that the EBS storage will be deleted automatically when the instance is terminated.

Note that the ec2-register command will return the name of your new AMI.
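As an added example (not code from the original post, and not from Amazon’s EC2 API tools), the following Python parses the -b DEVICE=MAPPING arguments used with ec2-register above and lists which EBS volumes an AMI would leave behind on termination, which is the cleanup chore described above. The snapshot id snap-PLACEHOLDER is a placeholder, and treating an omitted delete-on-termination field as “true” is an assumption of this example; confirm what the API actually recorded with ec2-describe-images.

```python
def parse_mapping(arg, default_delete=True):
    """Parse one '-b DEVICE=MAPPING' argument into a dict.

    Forms handled (the two used on this page, plus empty fields):
        DEVICE=ephemeralN
        DEVICE=SNAPSHOT:SIZE_GB:DELETE_ON_TERMINATION   e.g. /dev/sdb=:20:false
    An omitted third field falls back to default_delete (assumption of this example).
    """
    device, sep, spec = arg.partition("=")
    if not sep or not device.startswith("/dev/"):
        raise ValueError("expected /dev/NAME=mapping, got %r" % (arg,))
    if spec.startswith("ephemeral"):
        return {"device": device, "kind": "ephemeral", "virtual": spec}
    snapshot, size, delete = (spec.split(":") + ["", "", ""])[:3]
    return {
        "device": device,
        "kind": "ebs",
        "snapshot": snapshot or None,                 # None: a blank volume of 'size'
        "size_gb": int(size) if size else None,
        "delete_on_termination": (delete.lower() == "true") if delete else default_delete,
    }


def surviving_volumes(args):
    """Devices whose EBS volume outlives the instance and must be cleaned up by hand."""
    return [m["device"] for m in (parse_mapping(a) for a in args)
            if m["kind"] == "ebs" and not m["delete_on_termination"]]


# Constructed sample arguments: the two from the post plus one extra data volume.
SAMPLE_ARGS = [
    "/dev/sda1=snap-PLACEHOLDER:10:true",
    "/dev/sda2=ephemeral0",
    "/dev/sdb=:20:false",
]

if __name__ == "__main__":
    for a in SAMPLE_ARGS:
        print(parse_mapping(a))
    print("volumes left behind on termination:", surviving_volumes(SAMPLE_ARGS))
```

Running this over the mappings of an AMI before registering it is a cheap way to catch a stray "false" on a data volume, the case that produces the orphaned EBS volumes (and their ongoing cost) the post complains about.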

