RealTime IT News


Firefox 3 at low/high risk from new flaw

By Sean Kerner   |    July 30, 2008

From the "tomato, tom-ah-to" files:

Mozilla Firefox 3 is at risk from a new flaw that is currently unpatched. Whether the flaw is high or low risk depends on who you ask (or read).

This AM Radware issued a press release calling the vulnerability - critical. I contacted Mozilla and a few hours later they had an advisory up on their site calling the vulnerability - low risk.

Mozilla explains the vulnerability to be:

A null pointer dereference in the content layout component of Firefox allows an attacker to crash the browser when a user navigates to a malicious page.

As a mitigating factor, Firefox's session restore will allow a user to restart their browser and be taken back to where they left off. The vulnerability requires that a user visits a malicious site with the malicious code on it, but as far as I can tell it does not require any further user interaction.

In my book, any flaw that does not require user interaction is significant.

True the impact is limited, and Mozilla notes that the issue is under investigation. But I hope that we see an incremental patch for this issue before I see a module for it up on Metasploit.

H D Moore has NOT been owned

By Sean Kerner   |    July 30, 2008


From the "half truths that journos tell" file:

I've been following the Kaminsky DNS cache exploit issue closely since it was first announced - and no doubt so has everyone else in the security business. As such I was surprised to read a headline this morning that said that Metasploit founder H D Moore (and yes Virginia, there is a Santa Claus and I run Metasploit on a test machine too - who doesn't?) had been 'owned' (should've been p'wned I think) by the DNS flaw.

The story is not true - at least according to H D Moore who claims he was misquoted by the journalist in question.

"In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems," H D Moore wrote in a blog post. "Shortly after our conversation, Mr. McMillan published an article with a sensationalist title, that while containing most of the facts, attributed a quote to me that I simply did not say. Specifically, "It's funny," he said. "I got owned.""

I've had the good fortune of speaking and corresponding via email with Moore a few times over the years. (Thankfully I've never been accused of misquoting him). I've also met Robert McMillan before and he seems like a decent guy.

I can't speak to what was or wasn't said - but I do know that material published with my byline has certainly had 'sensationalist' headlines over the years that some people didn't agree with. For better or for worse, many readers simply choose to click (and read) a story simply based on the headline alone (I know that's what pulled me into this particular Moore story).

That said with this DNS issue there have been more half baked stories published than I personally remember on any other topic since the Melissa virus broke out. The caching flaw is definitely real - and thanks to Metasploit I've even tried it out myself on a test machine that I've got. There is a patch for most DNS implementations and if one isn't you can just point to a safe recursive DNS server at your ISP (or OpenDNS). It's not that crazy.

As to whether or not Moore was "owned", the sensationalist nature of this whole DNS caching exploit is the true culprit I'd bet. I'd also suggest to Moore in the spirit of his own protection that he record his calls with journalists (and first advise the journalist that he is doing so) or just stick with email, then you've always got a record.

Mozilla Firefox Shiretoko (3.1) hits first alpha

By Sean Kerner   |    July 29, 2008

From the "shiny new objects" file:

The first alpha for Mozilla Firefox 3.1 (codenamed Shiretoko) is now out boasting a number of incremental improvements over the recent Firefox 3 release.

There is a new tab switching behavior, improvements to the 'awesome' bar (aka the Smart Location Bar), as well as some web standards improvements.

Personally speaking it's the improvements to the awesome bar that have me interested in Shiretoko alpha 1. There are some quirky behaviors in how the bar permits tagging in my view and it looks like Mozilla developers are keen on making the awesome bar even more....well...awesome.

When it comes to new web standards - that's a good thing for the web community, but inevitably unless other browser vendors pick up the same standards - they end up having little practical utility (unless a web developer is only going to focus on Mozilla).

IEEE 1394 (Firewire) gets a big speed boost

By Sean Kerner   |    July 29, 2008

From the "Firewire isn't dead yet" files:

A few years ago Firewire (also known as i.Link and IEEE 1394) was the only game in town when it came to high speed cable transfers on consumer devices. Then along came USB 2 which in some respects was faster and it became arguably more widespread too. But Firewire isn't dead yet - the IEEE has just announced a revised specification that will continue to keep it a relevant technology.


The 1394-2008 standard updates and revises all prior 1394 standards, including 1394a, 1394b, 1394c, enhanced UTP, and the 1394 beta plus PHY-Link interface. It also incorporates the complete specifications for S1600 (1.6 Gigabit/second bandwidth) and for S3200, which provides 3.2 Gigabit/second speeds.

3.2 Gigabit/second is pretty sweet and totally blows the 480 megabit/second for USB 2 out of the water. Then again USB 3 is on its way soon too and advocates of that interconnect are claiming that it could deliver 4.8 Gigabit/second of connectivity.

Personally I've found Firewire connections to be better for latency sensitive data transfer (like live video streaming) than USB 2 overall. It will be interesting to see how the next generation of USB vs. IEEE1394/Firewire shakes out over the coming year.

Facebook nabs one Mozilla Mike

By Sean Kerner   |    July 28, 2008


From the "one less Mike at Mozilla" files:

Mozilla VP of Engineering Mike "Schrep" Schroepfer is leaving Mozilla and headed to Facebook - to serve as Director of Engineering. Mozilla seems to like guys named Mike in key roles - there is Schrep, Mike Beltzner, Mike Shaver and Mike Connor.

There is no shortage of smart guys (named Mike or otherwise) at Mozilla so I personally don't think that Schrep's departure will have any significant impact on Mozilla operations. Mozilla Firefox 3 is already out the door and Firefox 3.5 isn't coming till the end of the year.

On the other side, Facebook could sure use a guy of Schrep's expertise on a number of levels. Schrep knows how to make development decisions and work with a community of developers (internal and external). So good luck to you Schrep and good luck to whoever replaces you officially at Mozilla.

1 trillion unique URLs on the Web

By Sean Kerner   |    July 28, 2008

From the "Carl Sagan would be proud" files:

Google is now reporting that it's seen more than 1 trillion unique URLs on the Web. That's a big number and a massive jump from the 26 million URLs it saw in 1998. But even at a trillion pages Google admits that there are many duplicates (in terms of content), and that there well may be an infinite number of pages overall.

Many pages have multiple URLs with exactly the same content or URLs that are auto-generated copies of each other. Even after removing those exact duplicates, we saw a trillion unique URLs, and the number of individual Web pages out there is growing by several billion pages per day.

So how many unique pages does the web really contain? We don't know; we don't have time to look at them all! :-) Strictly speaking, the number of pages out there is infinite.

Thanks to the magic of dynamically generated page content (with or without session IDs) and the fact that Google (despite their best efforts) has never effectively indexed Flash content properly -- I personally think the 1 trillion number is on the low side.

Now that doesn't mean there are more than a trillion Web sites out there -- the latest Netcraft study reports just over 173 million sites.

Microsoft: Not worried about open source patents

By Sean Kerner   |    July 25, 2008

PORTLAND. Microsoft's Sam Ramji is a popular guy here at OSCON. He literally got mobbed after giving a talk by open source types angry at Microsoft for a long list of grievances.

Ramji delivered a keynote address here in which he talked about how Microsoft is working with the open source community. In the Q&A that followed he responded to a question about patents with something that I have never heard from a Microsoft executive before.

"We don't worry about infringement of open source code," Ramji said. "Developers should never have to worry about it."

Ramji also told the audience that Microsoft has never litigated against users.

One of the funniest exchanges between Ramji and the OSCON audience was the following:

"Do you feel like you're screwing a porcupine and you're one prick against thousands?" the OSCON audience member asked Ramji.

Ramji politely replied:

"It takes time to change and I knew that I'd be unpopular when I took this job but I've got sponsorship from Ray Ozzie directly."

OSCON audience members didn't leave Ramji alone once he left the stage either. Just outside of the keynote hall a large group of people surrounded him for 15 minutes peppering him with questions. Throughout it all I saw his PR people watching nervously.

To Sam Ramji's credit he stood his ground and talked to just about everyone that approached him. Ramji claims that he wants to be open and honest with the open source community and I think that today he tried hard to prove that.

Shuttleworth's view on patents (Microsoft and all)

By Sean Kerner   |    July 24, 2008

From the 'really' files:

PORTLAND. Who's afraid of patents? Not Mark Shuttleworth founder of Ubuntu Linux and CEO of Canonical. He figures he's 'REALLY' got it covered.

In a session at OSCON, Shuttleworth stood in for one of his Canonical employees to talk about development practices. He talked enthusiastically and technically about key elements of LEAN and AGILE programming methodologies - it was an interesting overview but when he was done (and started Q&A) I felt that something was missing.

Shuttleworth didn't talk about IP or licensing issues, which is often the key FUD that non-open source vendors tend to bring up when discussing open development. Also, a keynoter in the AM had talked about patents as well and I wanted to get Ubuntu's take.

So after others in the room asked their questions (including Dave Ascher from Mozilla Messaging) I asked my question:

"From a development best practices point of view is there a good way to bake in IP, patent and license compatibility issues into your methodology?" I asked.

"The GPLv3 is a really good solution," Shuttleworth said as he paused in thought then continued. "It's a really good question and it's also really difficult as it's enormously difficult for any company to know if they are treading on someone else's patents. We're really doing this - [Shuttleworth then covered his face with his hands] in a minefield. I don't know how you can encourage developers to be confident that they're not trampling on other patents. Do you have any suggestions?"

I actually didn't (at the time) but responded with a new question of my own:

"Microsoft has X number of patents and no one knows if they've infringed," I said. "So what happens if some infringing code gets committed to Debian, that code gets merged with Ubuntu and then that puts you at Canonical at risk for your commercial customers since you indemnify them right?"

Shuttleworth smirked and then responded.

"I don't believe Microsoft is going to sue any open source software vendor, doing so would be tantamount to launching nuclear war."

The audience erupted into laughter.

"We do copyright assignment and I really do believe that's a valuable practice," Shuttleworth continued. "As part of our copyright assignment we don't ask for any statement about patents, we accept the code, it's a contribution and we take responsibility for it and we carry that forward."

Another audience member then raised his hand and said:

"Really?"

"Really," replied Shuttleworth.

"Really?" the same audience member said again.

"Really," Shuttleworth repeated as the audience laughed.

OSCON: Open Web Foundation launches

By Sean Kerner   |    July 24, 2008

From the 'what another open foundation?' files:

PORTLAND. Dave Recordon of blogging vendor SixApart (they make MovableType, which is the tech that powers this blog) just officially announced on the OSCON stage something called The Open Web Foundation. The group is being supported by Google, SixApart, MySpace and Facebook, among others.

Recordon said that he didn't really want to help start a new web standards organization but in his view no other group was doing - or wanted to do what the Open Web Foundation will do.

So what will they do?

According to Recordon, OWF will be focussed on open web standards to ensure data portability. The official explanation is that they are an independent non-profit dedicated to the development and protection of open, non-proprietary specifications for web technologies.

Frankly, sitting here in the OSCON auditorium, I didn't get it. We've got far too many open specification groups already in my view and adding yet another to the mix further dilutes a crowded landscape. Sure, open specifications are great, but aren't there enough groups out there? Isn't it time to consolidate efforts and not create new ones?

I'm going to try and connect with Recordon at some point today (they've got a BOF here end of day) and I'll see if I'm wrong on this initial opinion that I've got - cause maybe I'm missing something (or not).

*UPDATE* I did meet up with Recordon later in the day - and after a really great conversation - I get it. I'll have a full writeup over on the main site soon.

OSCON: Don't fear patents

By Sean Kerner   |    July 24, 2008

PORTLAND. Keith Bergelt CEO of Open Invention Network (OIN) took the OSCON stage this morning with a key message - Patents have a place.

The OIN was launched back in 2005 as a way to collect patents and then make them available under a royalty free grant to open source efforts.

"Patents may either enable or retard open source and Linux, depending on the motivation of the patent owners," Bergelt said.

The key for Bergelt is to have defensive patents to help protect the open source community against the negative aspects of patents and further SCO-like attacks.

Bergelt argued that defensive publication of patents - good patents that are part of the open source community actually helps to raise the bar for patents overall.

"Intellectual property is not a dirty word and we need to get the point across that there are ways to codify intellectual property inventions so there are broader benefits for community and defensive publications are one way."

Sun loses PostgreSQL lead

By Sean Kerner   |    July 24, 2008


From the 'not everyone is happy at Sun (though lots are)' files:

PORTLAND. Sun has been supporting the PostgreSQL database since at least November of 2005; a few months later they hired Josh Berkus, PostgreSQL core team member, as PostgreSQL Lead for Sun's Database Technology Group.

Since then a lot has happened at Sun, notably they bought rival open source database MySQL for $1 billion. So now six months after the MySQL acquisition and two years after joining Sun, Berkus is leaving.

I've had the good fortune to meet up with Berkus to talk about his experience at Sun and why he's leaving.

"Obviously Sun acquiring MySQL was not really encouraging to me," Berkus told InternetNews.com. "It meant PostgreSQL being number two to MySQL within Sun. So it's just not a real exciting atmosphere for a PostgreSQL guy."

Berkus also told me that there was a larger issue for him as well which dealt with the reasons why he joined Sun in the first place. He alleged that Sun just isn't doing big and exciting things as they're focussed on revenue in the database division and that's what Sun needs to do.

"It's good for Sun to sell support for PostgreSQL but that's good for Sun," Berkus said. "I really went into Sun in the first place because Sun has a very large core of high end engineers who really had the opportunity to take PostgreSQL to a bigger scale and do some interesting things with it that we hadn't classically done in the open source community."

I asked Sun spokesperson Terri Molini about Berkus leaving Sun and she said that she wished Berkus the best of luck in his future endeavors.

Berkus isn't yet certain what those future endeavors may be, though he told me he is entertaining some offers.

On an interesting side note, at a Sun party at OSCON on Wednesday night, Berkus actually literally wrestled with MySQL founder Monty Widenius (you know those big Sumo puff things) with a large crowd of spectators cheering them both on. Whoever said geeks can't be physical?

OSCON: Google Melange will spice up SoC

By Sean Kerner   |    July 23, 2008

From the 'everyone loves Paul Atreides' files:

PORTLAND. Google's Summer of Code (SoC) has been around since 2005 as a way to get students involved in open source. But according to Google Program Manager Leslie Hawthorne the Google system used for managing the projects within the SoC hasn't been all that great. So Google is developing a new collaboration platform called Melange (based on the concept of Melange / spice from Frank Herbert's Dune novels). Google Open Source Program Manager Chris DiBona was credited by Hawthorne for coming up with the name.

"We need to make a system that is useful as a method of interaction," Hawthorne told the OSCON crowd. "DiBona came up with the name. It's Melange as in the spice of creation."

The Google Melange effort is currently being developed in the open on Google Code and is expected by Google to be the platform by which SoC is run in the future.

As a huge fan of Frank Herbert and Dune - I personally think Melange is an awesome name for a collaboration project. In Dune, spice is the basis on which the Navigators are able to fold space-time and travel across the Universe. I'm not sure that Google Melange will enable users to fold space-time, but collaboration on projects is a key thing and it should be really interesting to see how this project matures.

OSCON: Why Intel cancelled Moblin dev day

By Sean Kerner   |    July 23, 2008

Late last week in the final run up to OSCON, conference organizers sent out an email detailing the basics of OSCON and what was going on. At the end of the email there was a small note that said that the Intel Moblin (mobile Linux) developer day had been canceled. At the time there was no explanation - but now we've got one right from Intel itself.

Dirk Hohndel, Chief Linux and Open Source Technologist at Intel, took the keynote stage at OSCON this morning to talk about Moblin and Intel's plans for mobile Linux. He also candidly addressed why the Moblin developer day was canceled.

Moblin isn't ready. At least not Moblin 2 which is the version that Intel was hoping to talk to developers about here at OSCON. Hohndel said it will be open to the public in 3 or 4 more weeks.

"It's a minor snag so we were a little late," Hohndel said. "You don't release code when the conference is you release when you're ready."

OSCON: O'Reilly bullish on open source

By Sean Kerner   |    July 23, 2008

From the 'time to sell more books' file:

PORTLAND. Tim O'Reilly (you know the guy who runs the big tech publisher) is still bullish on the prospect of open source. After 10 years of running the OSCON conference he still sees innovation on the horizon.

In the AM keynote at OSCON, O'Reilly told the large crowd about some new data that his research firm (O'Reilly Radar) has just released which shows that open source usage still has a ways to go. Among non-technology companies O'Reilly's research found that 1 in 385 jobs (0.25 percent) use open source in some way. In contrast, among technology companies the figure rises to 1 in 55 (1.8 percent).

Linux is the most widely used open source tool according to O'Reilly's data though Alfresco, Zimbra and Drupal are all rising fast.

"As we look at our success in last 10 yrs we can be proud," O'Reilly said. "But what I'm most excited about and encouraged by is that you're tackling new hard problems and not wrestling on your laurels".

Overall O'Reilly sees the continued need for the freedom of data that open source promises, especially as the world moves to a cloud based compute infrastructure.

"Work on what's hard and make freedom reign in each new market so history is not a wave that passes us by but one that carries us to the future," O'Reilly said.

OSCON: Linux Desktop not a mad crusade

By Sean Kerner   |    July 22, 2008


From the 'everyone's favorite cosmonaut' files:

PORTLAND. The quest for the Linux desktop is not a 'mad crusade' - so says Ubuntu Founder Mark Shuttleworth, who just finished up a rousing philosophical discussion on the art and science of Free Software Engineering.

The gist of his talk, and the part that got the audience engaged in an impromptu round of applause mid-speech, was the following statement:

"As a final challenge the great task in front of us in the next 2 years is to lift up the experience of the Linux desktop from something that is stable and robust and not so pretty to something that is art," Shuttleworth said.

Canonical has got a whole plan for making that happen and it all starts with the fundamentals of process and by enabling more transparency and open collaboration.

Overall Shuttleworth's talk included the humorous, the inspiring and the pipe dream too (with his idea of a synchronized plan for open source releases). No question Mark Shuttleworth is a rock star in the open source world and the OSCON 08 conference is his playground. Anyways that's my first .02 take after a long day (who starts keynotes at 7:30 PM anyways?), we'll have a full writeup on the Shuttleworth keynote on the main InternetNews.com site in the AM.

Open source database study has obvious results

By Sean Kerner   |    July 22, 2008


From the 'OSCON 08 research study bonanza' files:

The biggest conclusion of the EnterpriseDB open source database study is that PostgreSQL is the open source database of choice for transactional applications. Not a surprising conclusion given that EnterpriseDB is a sponsor of the PostgreSQL project and has its own supported distributions of it.

While the open source database that often comes to mind for many is MySQL, the EnterpriseDB open source database press release surprisingly makes no mention of them.

"The survey did ask respondents which open source databases they and their companies use, and MySQL was definitely one of the choices," Bob Zurek, EnterpriseDB's CTO, wrote in an email to InternetNews.com. "The news that EnterpriseDB is announcing is about PostgreSQL and not about MySQL, so MySQL is simply included in mentions of 'other open source databases'. (MySQL's popularity is definitely not 'news'.)"

Here's some free advice for EnterpriseDB - if your survey found that PostgreSQL is somehow displacing MySQL you really should call that out. Hiding MySQL in the category of 'other' removes the transparency from the study in my opinion.
 
The other issue which troubled me is the fact that the study is titled the open source database survey while EnterpriseDB also offers the Postgres Plus Advanced Server which is not open source. According to Zurek that's not an issue either.

"The survey was focused on open source databases generally, and not EnterpriseDB's branded products particularly," Zurek said. "Postgres Plus Advanced Server, the EnterpriseDB product that can run applications written for Oracle, is not open source, so we didn't ask about it in the survey.  In fact, the survey did not even mention Postgres Plus, EnterpriseDB's professional distribution of PostgreSQL."

Overall, Zurek noted that the survey results tell us that the 'lack of in-house knowledge' is by far the biggest inhibitor of enterprise open source database adoption.  It's an area that EnterpriseDB is aiming to correct with a new certification program as well as new efforts to come to further raise the profile of PostgreSQL.

It certainly sounds like a good idea. I would just hope that in the future, EnterpriseDB isn't afraid to call out its competitors open source or otherwise. PostgreSQL has been a leading database worthy of comparison with name brand databases for a decade.

With Sun, which had been a leading proponent of PostgreSQL trying to get its money's worth from its $1 Billion acquisition of MySQL, EnterpriseDB is the poster child for PostgreSQL so if anyone is going to go full hog promoting PostgreSQL it will be them.

OSCON: the open source candy store

By Sean Kerner   |    July 22, 2008

From the 'open source is a lot more than Linux' files:

I'm on route to the Candy Store - for open source types that is. That's right OSCON 2008 is gearing up and it looks like a dandy to me.

Instead of the typical 5 tracks of information (for a good conference) OSCON has (get this) 14 tracks ongoing tomorrow...it's an unbelievable amount of content (and news for me) to write about.
It also leads to some tough decisions on what to attend since on any given hour of any given day there are at least two different things that interest me. Thankfully though the OSCON organizers have not overlapped sessions with keynotes (like they do at Interop) so I'm grateful for that.

Highlights for me at this early stage include Ubuntu's Mark Shuttleworth's keynote on Tuesday night (and I'm meeting with Jono Bacon this aft so that should be fun too), Chris DiBona of Google talking about the latest and greatest from their group, Dave Ascher from Mozilla Messaging on Mozilla 3, Nat Friedman from Novell, and EnterpriseDB's new CEO Ed Boyajian are just a few of the well known names I'm looking forward to seeing...It should be a blast!

SFLC files new GPL lawsuit against Extreme

By Sean Kerner   |    July 21, 2008

From the 'here we go again' files:

The Software Freedom Law Center (SFLC) is once again filing a lawsuit against a vendor that allegedly has violated the terms of the GPL. This time it's networking vendor Extreme Networks. Once again the plaintiff is BusyBox, which is the same open source project that SFLC has filed and settled legal suits for before.

"We attempted to negotiate with Extreme Networks, but they ultimately ignored us," said Aaron Williamson, SFLC Counsel in a statement. "Like too many other companies we have contacted, they treated GPL compliance as an afterthought. That is not acceptable to us or our clients."

SFLC has a perfect batting record for BusyBox GPL lawsuits so far; it will be interesting to see if their perfect score will continue.

Novell wins $2.5 million from SCO - What?!

By Sean Kerner   |    July 17, 2008

After four years of legal battles, the judge in the Novell versus SCO Unix case has ruled that SCO owes Novell - $2.5 million.

WHAT?! That's it? That can't be right can it??

The lawyers have made more than that for sure and in the end they are the true winners here.

Essentially Kimball ruled that SCO didn't owe Novell any money on SCO's UnixWare or OpenServer products which is where SCO makes most of its money. The actual SVRX Unix licenses apparently never really made SCO all that much money - go figure.

So with their $100 million credit line in tow and their OpenServer and UnixWare products, SCO will live another day and will continue to fight.

Though I don't understand their legal basis, I have seen no indication that SCO won't continue its legal case against IBM as well, but the fact that they never owned the SVRX licenses REALLY should mean that they can't. But hey I'm not a lawyer ....

What Linus Torvalds thinks about OpenBSD

By Sean Kerner   |    July 16, 2008

What does Linus Torvalds think about BSD? It's not too pleasant.

Linus Torvalds - the creator of the Linux kernel and its current maintainer - is by all accounts a brilliant human being. He can also be incredibly crass and rude. Case in point is a post he made to the Linux Kernel mailing list (LKML) yesterday, where he offered his opinion on security research and specifically the OpenBSD operating system (which is security centric).

It's soo rude that it's 'funny' - that is if you're not an OpenBSD developer or have a particular affection for monkeys.

Torvalds wrote:

Security people are often the black-and-white kind of people that I can't  stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

The gist of Torvalds' longer argument is that there are more interesting bugs out there than just security bugs. On that topic I heartily agree with the God of Linux. While I am also a contributor to the security bug hype often focusing stories that I write on those issues, as a user I know full well that it's often the 'regular' bugs that are the issues that actually affect me the most.

Firefox 2.0.0.16 today; 3.0.1 tomorrow?

By Sean Kerner   |    July 16, 2008


From the 'time to update your browsers again' files:

Barely two weeks after Mozilla patched Firefox to version 2.0.0.15, the 2.0.0.16 version is out patching a pair of critical flaws. Users of the newer Firefox 3.x version however will have to wait until later today to get their fixes in the 3.0.1 update. Both Firefox 2.x and 3.x are at risk from the same two flaws.

MFSA 2008-35 is the 'infamous' Safari carpet bombing flaw that has been known for months and first reported by researcher Billy Rios.

In Firefox 2 scripts running from file: URIs can read data from a user's entire disk, a risk if the attacker could first place a malicious file in a guessable location on the local disk. Rios demonstrated that the so-called 'Safari Carpet-bombing vulnerability' could be used for this, as well as other techniques that do not rely on that now-fixed Safari vulnerability.

Apple fixed the flaw from the Safari side at the end of June. Firefox 3 which will get patched for the same flaw later today with version 3.0.1 apparently has limited risk from this vulnerability with Mozilla noting that, "in Firefox 3 scripts running in local files have limited access to other files."

The second critical vulnerability patched has also been known for weeks - though it has not been disclosed publicly. It's the one that comes from 3Com's TippingPoint Zero Day Initiative and deals with a remote code execution flaw that is triggered by overflowing the CSS reference counter.

The vulnerability was caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large number of references to a common CSS object, this counter could be overflowed which could cause a crash when the browser attempts to free the CSS object while still in use.
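As an added illustration of that bug class (constructed here; not Mozilla's code and not the actual Firefox defect), the block below models a reference counter too narrow for the number of references a page can create, beside a hardened counter that saturates instead of wrapping, so the same overload becomes a leak rather than a free of a live object. The type names, the `limit` demo parameter and the workloads are assumptions for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the bug class described above (not the real Firefox
 * code): a counter narrower than the number of references a page can create. */
typedef struct {
    uint16_t refs;   /* wraps silently after 65535 increments */
    bool freed;      /* set when the object is released for the last time */
} narrow_obj;

static void narrow_addref(narrow_obj *o) { o->refs++; }   /* no overflow check */
static void narrow_release(narrow_obj *o) { if (--o->refs == 0) o->freed = true; }

/* Take `adds` references, drop `drops` of them, and report whether the object
 * was freed while (adds - drops) references were still logically outstanding. */
bool narrow_freed_early(unsigned long adds, unsigned long drops) {
    narrow_obj o = { 0, false };
    for (unsigned long i = 0; i < adds; i++) narrow_addref(&o);
    for (unsigned long i = 0; i < drops && !o.freed; i++) narrow_release(&o);
    return o.freed && drops < adds;
}

/* Hardened counter: a wide type plus saturation. Once the count reaches
 * `limit` it is pinned there; further addrefs are refused and releases never
 * reach zero, so the worst case is a leak rather than freeing a live object.
 * `limit` is a demo parameter (assumed) so the ceiling can be exercised
 * cheaply; production code would saturate at the type's maximum. */
typedef struct {
    uint32_t refs;
    uint32_t limit;
    bool saturated;
    bool freed;
} safe_obj;

void safe_init(safe_obj *o, uint32_t limit) {
    o->refs = 0; o->limit = limit; o->saturated = false; o->freed = false;
}

bool safe_addref(safe_obj *o) {
    if (o->saturated) return false;
    if (o->refs >= o->limit - 1) {        /* next increment would hit the ceiling */
        o->refs = o->limit;
        o->saturated = true;
        fprintf(stderr, "refcount saturated; object pinned for process lifetime\n");
        return false;
    }
    o->refs++;
    return true;
}

void safe_release(safe_obj *o) {
    if (o->saturated) return;             /* pinned: never free */
    if (o->refs == 0) return;             /* underflow guard */
    if (--o->refs == 0) o->freed = true;
}

/* Outcome codes for the hardened counter under the same workload. */
enum { SAFE_LIVE = 0, SAFE_FREED_EARLY = 1, SAFE_PINNED = 2, SAFE_FREED_OK = 3 };

int safe_outcome(unsigned long adds, unsigned long drops, uint32_t limit) {
    safe_obj o;
    safe_init(&o, limit);
    for (unsigned long i = 0; i < adds; i++) safe_addref(&o);
    for (unsigned long i = 0; i < drops && !o.freed; i++) safe_release(&o);
    if (o.saturated) return SAFE_PINNED;
    if (o.freed) return drops < adds ? SAFE_FREED_EARLY : SAFE_FREED_OK;
    return SAFE_LIVE;
}

int main(void) {
    /* 65537 references wrap a 16-bit counter back to 1; a single release then
     * frees the object while 65536 references still point at it. */
    printf("narrow counter, 65537 refs, 1 release: freed early = %d\n",
           narrow_freed_early(65537, 1));
    printf("safe counter, same workload: outcome = %d (0 = still live)\n",
           safe_outcome(65537, 1, UINT32_MAX));
    printf("safe counter, limit 100, 200 refs: outcome = %d (2 = pinned)\n",
           safe_outcome(200, 200, 100));
    return 0;
}
```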

URI type flaws like the 'carpet bombing' vulnerability are scary stuff and seem to crop up a lot in browsers lately. But CSS related vulnerabilities - that's something I personally have seen very little of in recent years. Though it is triggered by a JavaScript related issue, and certainly JavaScript issues are the most common type of browser vulnerability in Mozilla browsers.

Personally I think that the decision to patch 2.x one day and 3.x the next is a very risky security decision - regardless of the fact that Mozilla thinks there is less risk to Firefox 3. The reality is that users don't patch as quickly as they should (though they do update Firefox faster than other browsers), and having a known vulnerability out there waiting to be patched isn't my idea of mitigating risk properly.

Open Source WordPress blog hits version 2.6

By Sean Kerner   |    July 15, 2008

wordpresslogo.jpg
From the 'yes I've got WordPress envy' files:

The open source WordPress blogging software is out with version 2.6 which moves the system closer to being a Content Management System with version control functionality. Ohh and it fixes about 200 bugs, some of which are security related including what I consider to be a VERY important SSL enhancement.

WordPress's announcement states that there are, "A number of proactive security enhancements, including cookies and database interactions."

The SSL enhancement that I consider to be key is the fact that a WordPress admin can now force SSL on a user. From my lay understanding, what that should enable is that if a user goes to a login page (without HTTPS) they get bumped to the HTTPS version, which prevents their passwords from being sent in clear text over the wire (and thus easily sniffed).

WordPress claims they had over 75 people contributing code to WordPress 2.6, which isn't too shabby either. Don't forget of course that earlier this year WordPress raised $29.5 million in financing. Not bad for a blogging tool that you can run for free if you want to.

They've also put up a neat 3 min overview of features in WordPress 2.6 - check it out below:

Red Hat opens up on patent settlement - or does it?

By Sean Kerner   |    July 15, 2008

redhat.png
From the 'read the fine print' files:

Red Hat VP and Assistant General Counsel Rob Tiller has publicly posted the terms of the patent agreement he helped to negotiate last month with Firestar Software, Inc. and DataTern Inc. The general idea behind Tiller's post is to be transparent about the deal - the only problem in my simplistic view is that it's missing some very key information about money.

According to Tiller:

Section 3 of the agreement is entitled 'Payment,' but the material on this issue has been redacted here. This is because the parties agreed that this term must remain confidential.

How can you be transparent about a settlement without discussing money? How much is a patent worth today? I certainly would want to know and I'd bet millions of others would too.

The money issue aside, the other key item from my point of view, and one that is actually clarified reasonably well by Tiller, relates to who is actually protected by this deal. The patent in question has to do with technology that is used by Red Hat's JBoss division, but Red Hat has done the RIGHT THING and gone a step further to protect the whole community - and not just its own customers.

The agreement specifically notes that it protects products distributed under a 'Red Hat Brand' as well as its derivatives.

Because this includes downstream derivatives and combinations based on projects developed upstream from Red Hat, JBoss, and Fedora, it covers not only software distributed by us, but also software from such projects that is distributed by our competitors such as Novell and Sun Microsystems under their own brands.

This is a fantastic thing. Now if Novell had been as community-minded when it struck its patent covenant deal with Microsoft, the biggest patent threat hovering over the Linux community as a whole IMHO would just go away.

Hopefully others will learn from Red Hat's community approach to patent deals and we'll see more of this sort in the future that protects the interests of ALL users.

Brian's last day at LinuxToday

By Sean Kerner   |    July 11, 2008

linuxtoday.png
From the 'ave atque vale' files:

Today is Brian Proffitt's last day as Managing Editor of LinuxToday - he's now moving to a new position at the Linux Foundation.

Over the years I have written for Brian (LinuxPlanet), been linked by him (LinuxToday) and sat next to him at events in Toronto, Boston and San Francisco. I have always been amazed by Brian's clear understanding of what he writes about/edits/links to and how much he cares about the writers that work with him and the community they serve.

In my first couple of years at InternetNews.com, when encountering a new Linux source that was hesitant to speak with me, I often began a conversation with "I've worked with Brian Proffitt" - which was often more than enough to open any door.

LinuxToday for years has been the standard bearer of the Linux community and Brian has been its 'prophet'. It has been an honor working at the same company that has employed him.

Thanks for all your help over the years Brian and best of luck in your new journey at the Linux Foundation!

Zend the PHP company gets $7 million

By Sean Kerner   |    July 10, 2008

zend.jpg
Back in May, I speculated that IBM would be well served if it picked up PHP vendor Zend. That hasn't happened (yet); meanwhile, Zend continues to raise funds on its own.

Today Zend announced it was getting $7 million from TriplePoint Capital, of Menlo Park, California.

"Zend benefits from its strong position in this market, with an expanding list of major companies as customers and partners," Harold Goldberg, CEO at Zend Technologies said in a statement. "We wanted to ensure that we continue our expansion and are therefore pleased to begin this partnership with TriplePoint Capital, a firm whose innovative approach closely aligns with our strategies in the web application market."

Good news for Zend I suppose, but still a far cry from them truly unlocking their potential value, which will only happen if they either get bought out or have an IPO.

Google Browser Sync goes open source

By Sean Kerner   |    July 10, 2008

google.logo.jpg
From the 'this is a project I can sink my teeth into' files:

I've been using Google Browser Sync since 2006 when it first came out as a simple way to sync the multiple browser installations I have on multiple machines. Google decided late last month to discontinue support for it, but now they've decided to fully open source the code! This is fantastic news.

While we're no longer doing active development, we've released the code in the hopes that those folks who asked for it will use it to develop something cool. For example, it would be great to see the server ported to Google App Engine, or support for Firefox 3 implemented.

Since there are so many alternatives now for browser syncing, Google apparently figured their time/effort is better spent elsewhere. Personally speaking I also use del.icio.us, but that's more as a public facing mechanism to share bookmarks. I've always wanted to be able to sync my Google Browser Sync with the del.icio.us browser sync with proper filters for public and non-public settings. Perhaps now that it's open source it's something that will happen.

Then of course there is Mozilla Weave, which might be the biggest beneficiary of this code in the long run. Weave is Mozilla's effort for data sync that I've written on before, and perhaps Moz developers will be able to pull stuff from the Google code that will make Weave a more stable and attractive option for users.

Ubuntu's Best Buy

By Sean Kerner   |    July 09, 2008

ubuntulogo.png
From the 'why get something for free when you can pay for it' files:

Go to just about any open source conference and you're bound to see free (as in Beer) Ubuntu Linux CDs being distributed. It's also available for Free by simply downloading it online. Ubuntu also has a Free shipping service where they'll ship a copy of Ubuntu to anyone that wants it.

BUT if you don't want Ubuntu for Free - you can now pay for it at your local Best Buy.

That's right, Ubuntu is now available as a boxed software set by way of US distribution vendor ValuSoft. The box set includes the latest Ubuntu 8.0.4 Hardy Heron release as well as 60 days of support and a Quick Start guide and is priced at $19.99.

According to Steve George, Director of Corporate Services at Canonical (lead commercial sponsor of Ubuntu):

The aim is to provide Ubuntu to users who want the software and support conveniently presented in a boxed set. Making it available through Best Buy is an opportunity to reach users who are unaware of Ubuntu or who are bandwidth restricted and don't want to download Ubuntu themselves.

This of course is not the first time Linux has been sold on retail shelves in the US. In fact I will admit that I personally purchased a boxed Linux distribution from the store shelf of a US retail store in 1998 (I had bandwidth problems...).

There was a time when Red Hat Linux (when Red Hat Linux still existed, before the Fedora/Enterprise split), TurboLinux and Mandrake could easily be found on store shelves. For various reasons that seemed to have faded away by 2002 or so. It'll be interesting to see if anything has really changed in 2008.

Colbert Nation bumps Firefox

By Sean Kerner   |    July 08, 2008

sr-firefox3.jpg

Yes I'll admit that I'm a citizen of the Colbert Nation (that being the rabid fans of Comedy Central's The Colbert Report).

Colbert has long argued that anyone or anything that comes on his show gets a 'bump' in popularity. Now Mozilla has proved that the bump is real by looking at their server logs following a Colbert mention of Firefox 3.

According to Mozilla's Blog of Metrics:

At minute 23 of the broadcast, Colbert said, "Firefox 3 just got the Colbert Bump." What happened next? We saw a big spike in downloads exactly one and two minutes later.

Nice for Mozilla, but remember that the Colbert bump wasn't enough to save Mike Huckabee (who got the bump early on in his run for the Republican nomination). Full video of the Firefox 3 mention is on the Comedy Central site.

Mozilla's security tracking metrics boondoggle

By Sean Kerner   |    July 08, 2008

mozilla.gif
From the '2+2 =?' files:

Mozilla is working on an effort to figure out a new way of measuring how secure Firefox actually is over a period of time. While I think on the surface that it's a good idea, I also have serious doubts about the value that the actual metric will have in the end. After all, Cisco, Oracle and others have already kinda/sorta figured this out in an industry standard way.

Window Snyder, Mozilla's head of security, wrote in a blog post:

We are trying to develop a model that goes beyond simple bug counts and more accurately reflects both the effectiveness of secure development efforts, and the relative risk to users over time.

OK then, let's step back a second. What's wrong with simple bug counts, for one?

For any given Mozilla security advisory there are one or more CVE identified issues. Each one of those CVE identified issues could have one or more Bugzilla entries attached to it. So doing the simple math here would imply that a single Mozilla security advisory could fix multiple bugs. The Mozilla advisories already do a fine job of grouping multiple related CVEs into one issue.

Does the fact that a vendor - any vendor - fixes more or fewer bugs, or issues more or fewer security advisories, make them any more or less secure?

Mozilla fixes a lot of bugs in each release; that doesn't mean that the release was necessarily insecure to begin with. But simply counting bugs, CVEs and advisories is a simple yet incredibly realistic method for measuring the security related activity on a given project.

YES I understand that, due to the fact that Mozilla fixes so many bugs, some lame reporter (or competitive vendor) could use the numbers to imply something negative. Those same numbers can be used to show progress in a positive light as well.

Certainly understanding relative security is a great idea, as is understanding the true impact and severity of bugs. That's why two of the biggest technology vendors on Earth, Oracle and Cisco, use CVSS (the Common Vulnerability Scoring System), which defines the severity of vulnerabilities.

If I ran security for Mozilla I'd look very seriously at CVSS as the basis for a security risk matrix and as a core metric to help gauge the relative security of Mozilla products over time. It's an industry standard approach that wouldn't require Mozilla to re-invent the wheel.

They may still have to build out the whole car mind you, but at least the core vulnerability metrics would enable an apples to apples (no pun intended) comparison with other vendors.

Ubuntu provides 200+ updates in 8.0.4.1

By Sean Kerner   |    July 07, 2008

ubuntulogo.png
Ubuntu is out with its first update point release for its 'Hardy Heron' (8.0.4) Linux distribution with the 8.0.4.1 release. The update comes just over two months after 8.0.4 was officially released.

As is typical with Linux distribution point updates, the 8.0.4.1 release is really just a roll-up of updates that everyday Ubuntu users have already received (that is, if they update regularly, which is the default configuration). All told there are over 200 updates to Ubuntu, so if you're a new user it's probably a whole lot easier to download the 8.0.4.1 release instead of downloading 8.0.4 and then updating (it'll take some time...).

The most obvious update in 8.0.4.1 from my point of view is the inclusion of the final Mozilla Firefox 3 web browser. The original 8.0.4 release included Firefox 3 Beta 5. Ubuntu did provide Firefox 3 final as an update to users the day Mozilla made the release generally available last month.

The 8.0.4.x Hardy Heron release is a long term support (LTS) release from Ubuntu and will be supported until April 2011 on desktops and April 2013 on servers.

The 8.0.4.1 release also marks the first time that users of Ubuntu 6.0.6 Dapper Drake, which came out in 2006, will get an update notification to be automatically upgraded.

Microsoft rebuilds open source Sandcastle

By Sean Kerner   |    July 02, 2008

msft.jpg
From the 'just trying to do the right thing' files:

Microsoft is apparently serious about its efforts to adhere to the letter of the Open Source Definition and is now set to relaunch its Sandcastle effort as a result. Nearly a month ago Microsoft pulled the Sandcastle project from its CodePlex site because it was listed as being open source (under the OSI approved Ms-PL) when in fact it wasn't, because it didn't adhere to the licensing terms of open source. Sandcastle, which is a documentation compiler for managed class libraries, did not have its source code open and available for download.

Sam Ramji, who runs Microsoft's Open Source Lab, has now confirmed on his blog that Sandcastle is set to re-appear on CodePlex as a fully compliant open source project.

This was a non-trivial effort and I applaud them for it. I think these actions demonstrate Microsoft's desire to abide by the OSI's Open Source Definition with regard to source code when releasing open source projects on CodePlex.

This is a positive turn of events in my view. Certainly there are many within Microsoft who couldn't care less about open source; fortunately Sam Ramji isn't one of them.

Mozilla Firefox 2.0.0.15 fixes 12 flaws

By Sean Kerner   |    July 02, 2008

sr-firefox3.jpg
From the 'I still use Firefox 2.x' files:

It has been over two weeks since Firefox 3.0 was released, but the vast majority of Firefox users are still on Firefox 2.x. Mozilla is out today with a new version, Firefox 2.0.0.15, that fixes at least 12 different security issues, four of them marked as critical.

There is no corresponding update to Firefox 3.x yet, though Firefox 3.0.1 should be out in the next week or so.

Among the critical fixes for 2.0.0.15 there is one omnibus advisory, MFSA 2008-21, for 'memory corruption vulnerabilities'. Mozilla tends to have one of these in every update, where they basically look at crash reports and see that they could have led to security risks.

A vulnerability listed as 'high' by Mozilla (which I would have rated as critical) that is very interesting is a Cross Site Scripting (XSS) issue that doesn't sound too hard to pull off. According to the advisory:

Mozilla contributor moz_bug_r_a4 submitted a set of vulnerabilities which allow scripts from one document to be executed in the context of a different document. These vulnerabilities could be used by an attacker to violate the same-origin policy and perform an XSS attack against arbitrary sites, potentially stealing or manipulating the user's private information on the victim site.

Another 'high' vulnerability that sounds freakishly scary to me is an arbitrary file upload vulnerability. I have never heard of such a thing before personally. According to Mozilla's advisory on the issue, the flaw could have allowed malicious content to force the browser into uploading local files to the remote server. This flaw could have been used by an attacker to steal files from known locations on a victim's computer. According to Mozilla,

Firefox 3 is not vulnerable to this attack due to the changed design of the file upload form element.

There is also a flaw rated as 'moderate' (but again I think it's deserving of more) for an issue that involves Windows shortcuts. According to the advisory:

Mozilla community member Geoff reported that URL shortcut files on Windows (for example, saved IE favorites) could be interpreted as if they were in the local file context when opened by Firefox, although the referenced remote content would be downloaded and displayed. Scripts loaded from the remote site would have access to all local file content in Firefox 2 if they were programmed to look for it.

Mozilla notes that Firefox 3 already includes protections to mitigate this risk.

Overall Firefox 2.0.0.15 is a very interesting release from my point of view for a number of reasons. It shows flaws that are very creative and interesting - yet are already fixed in the current version of Firefox 3. It will be VERY INTERESTING to see if any of these aren't yet actually fully fixed in Firefox 3, but we might not know that until the 3.0.1 release.

Mozilla has already stated that they will continue to support Firefox 2.x for six more months - until the 3.5 release, which Mozilla expects to ship by the end of 2008.

Over 600 million Web users at risk?

By Sean Kerner   |    July 01, 2008

From the 'be afraid, be very afraid' files:

Regular readers of InternetNews.com know that browser vendors (Microsoft, Mozilla, Apple and Opera) routinely update their software in response to security vulnerabilities.

But what about those that don't update?

According to new research published by the Computer Engineering and Networks Laboratory (CSG) at ETH Zurich, Google Switzerland GmbH, and IBM Internet Security Systems, there are 637 million people out there with outdated and insecure web browsers.

WOW.

The breakdown is as follows:

  • 577 million outdated Microsoft Internet Explorer users
  • 38 million outdated Mozilla Firefox users
  • 17 million outdated Apple Safari users
  • 5 million outdated Opera users.

The data used to measure the worldwide vulnerable Web browser population within each browser type was provided by Google, and is a subset of non-personally identifiable data accumulated by Google's search and Web application server logs from around the globe; processed daily between January 2007 and June 2008. With Google's search queries coming from more than 75 percent of Internet Web search users, our measurements of Web browser proliferation are of a truly global scale.

So what to do? All the major browser vendors offer update mechanisms for their respective browsers that advise users of updates. Yet even with those mechanisms in place, the number of insecure users is truly staggering.

My personal opinion on solving this problem is simple. ISPs and web sites need to take a stand on this issue and restrict access to only updated browsers. If a user can continue to go about their day to day web browsing with an insecure browser - then why will they change? If you force them to change by restricting access they'll move. It really should be that simple.

Apple updates to Mac OS X 10.5.4

By Sean Kerner   |    July 01, 2008

Apple users, it's time to update your systems again. The new Mac OS X 10.5.4 update addresses some 25 vulnerabilities ranging from the Tomcat application server to the WebKit browser technology.

As Macs use a lot of open source technology, there are quite a few updates from open source projects in the 10.5.4 update.

Among the most noticeable are several updates to Ruby for multiple vulnerabilities.

Impact: Running a Ruby script that uses untrusted input to access strings or arrays may lead to an unexpected application termination or arbitrary code execution

Description: Multiple memory corruption issues exist in Ruby's handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays.

The other issue that is important to note is one that affects WebKit, which is the core rendering engine for the Safari web browser.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Though Apple does not have a "Patch Tuesday" monthly cycle like Microsoft, the 10.5.4 update comes roughly a month after the 10.5.3 update of late May. That's not to say that Apple is updating on a near monthly basis, though, as the 10.5.2 update came out in February.

Open source venture funding on the rise

By Sean Kerner   |    July 01, 2008

From the 'free as in freedom, not free beer' files:

It's still a good time to be an open source startup looking for venture capital funding. According to 451 Group analyst Matt Aslett, funding in the second quarter of 2008 hit $115.5 million, an increase of nearly 14 percent over the 2Q07 figure of $101.5 million.

Aslett noted that there were 12 funding deals completed in 2Q08 with an average deal size of $9.6 million.

Overall he's optimistic about the prospects for open source funding in 2008 as compared to 2007.

"Looking forward, it is a no brainer that open source funding in full year 2008 will be higher than in full year 2007, although I'm sticking to my prediction that it will be below the $580.6m raised in 2006."

Though I don't disagree with Aslett (and why should I?), the other factor to consider when looking at the open source landscape is the potential for merger and acquisition (M&A) activity. With a tight economy, I personally think some startups that might have otherwise tried to go it alone may well jump at a good offer. That could well spark some additional VC opportunities as investors look to make a quick buck on the buyout opportunities.