InternetNews.com Week in Preview November 3, 2008
By Sean Kerner | October 31, 2008
Our weekly Week in Preview podcast is now up!
The week of November 3, 2008 is shaping up to be a very busy week. For one it's election week in the US which is something that our Exec Editor Erin Joyce chats about in connection to technology. Andy Patrizio wraps up at Microsoft's PDC and tells us what to expect at WinHEC (hint: It's all about Windows 7). David Needle gives us some insight into the Web 2.0 show in San Francisco where Jerry Yang is expected to take the stage.
And as for me, well I talk about Cisco, they've got earnings and some upcoming product releases too.
Firefox 3.1 Beta 2 coming November 11
By Sean Kerner | October 31, 2008
The next big release from Mozilla - Firefox 3.1 is getting a little bit closer to release (just a little). According to the latest update from Mozilla, a code freeze for Firefox 3.1 is now set for Nov 4-6 with release builds expected to be available on November 11th.
Though it's only officially a point release - I personally see a lot of changes in Firefox 3.1 over Firefox 3.0.x in terms of speed and functionality. Which means there are a lot of things to test and as always the potential for regressions (which makes the testing more fun). I've got Firefox 3.1 Beta 1 running now and it's reasonably stable, though many Add-Ons don't support it yet (but that's typical for this stage of a release cycle).
I don't doubt that we'll see a Beta 3 of Firefox 3.1 (one hasn't officially been announced yet AFAIK), but I do know Mozilla is always about releasing things when they're done (as opposed to being scheduling zealots).
Google Chrome version 0.3.154.9 fixes plugins (again)
By Sean Kerner | October 30, 2008
Google is updating its mainline Chrome users today with its Chrome 0.3.154.9 update. The update is the first major update for mainline Chrome users since the 0.2.149.30 release. So yeah that's a big jump in numbers between releases.
But if you've been running the Developer channel version of Chrome - this is old news to you since Google updated you weeks ago.
"This release fixes the top issues we've heard about from people using the Beta release, especially with plugins (the programs that show video on sites like YouTube)," Mark Larson, Google Chrome Program Manager, wrote in a mailing list posting. "This is a roll up of fixes that have previously been released to our Dev channel users."
Confused? You see Google has at least two public versions of Chrome (main and developer) and you can choose which update stream you're on - but the choice isn't one you can make directly in the browser (that would just be toooo easy). Instead if you want the faster updating developer version of Chrome you need to download and run the Google Chrome Channel Chooser (http://chromium.googlecode.com/files/chromechannel-1.0.exe).
But wait it gets more confusing!
The main 0.3.154.9 release is actually a bit ahead of the developer release (by a day). The current developer release is 0.3.154.6.
Developer edition users are getting an update tomorrow (Oct 31) and Larson notes:
"Despite the difference in version numbers, the only
difference between 154.6 and 154.9 is translated strings. 154.9
includes translations into 42 languages for all new strings (like 'Add
Soooooo...most of the time Chrome developer edition is updated faster but not always. Go figure.
Red Hat Enterprise Linux 5.3 hits Beta
By Sean Kerner | October 29, 2008
Red Hat is out today with a beta release of Red Hat Enterprise Linux (RHEL) 5.3. If I'm not mistaken this should be the last major update to RHEL before the release of RHEL 6 which should come sometime in 2009. RHEL 5.3 adds a long list of enhancements to Red Hat's flagship Linux distribution.
Among them are virtualization enhancements to support up to 126 CPUs. RHEL 5.3 also gets the new NetworkManager functionality which improves both wired and wireless networking. As a bonus Red Hat is also improving SELinux for NetworkManager audit. (It's not clear to me at this point if this is directly related to the secTOOL effort that is in the upcoming Fedora 10 release.)
According to Red Hat's release notes, Windows interoperability is also improved in this beta release.
Rebased samba from 3.0.28 to 3.0.32 which supports Windows
Vista and 2008 and various fixes for DC functionality
(interoperability with Citrix and Domain trusts)
The RHEL 5.3 beta is the third incremental update from Red Hat for RHEL 5.x since the original release in March of 2007. RHEL 5.1 beta appeared in August of 2007 while RHEL 5.2 beta came out in March of 2008.
Red Hat expects that the beta testing period for RHEL 5.3 will continue through Jan 6, 2009.
Personally I have heard very little so far about RHEL 5.x's successor, RHEL 6 (though I always ask). It's likely that the upcoming Fedora 10 release will showcase some of its early features. We'll have to wait until 2009 to know for sure.
DimDim and Zimbra collaborate for open source education offering
By Sean Kerner | October 28, 2008
Lots of activity this week for open source collaboration in the education market. Tomorrow (Wednesday Oct 29th), collaboration vendor DimDim is expected to announce its Dimdim Virtual Classroom Pack which will let 10 teachers host up to 40 students at a time in their own hosted, customizable web-based classroom.
DimDim is an interesting open source startup that is a competitive play to what Cisco does with WebEx. One of DimDim's investors is the co-founder of Yahoo's Zimbra division, Satish Dharmaraj.
So not too surprisingly, DimDim is also expected to announce tomorrow a Zimbra Collaboration Suite Zimlet, to enable unified collaboration across campus-wide email systems. Zimlets are the Zimbra Web Service technology that allows for service integration and mashups. Zimbra itself today rolled out a hosted offering for the education market.
While I suspect that DimDim and Zimbra usage has already been done on campuses prior to this formal Zimlet rollout, no doubt this will make it easier. More importantly it could be the beginning of a new broader open source sales momentum in the collaboration space.
Canonical is not cash flow positive
By Sean Kerner | October 27, 2008
Ubuntu Founder Mark Shuttleworth admitted today his company is not cash flow positive. That's despite the fact that Chris Kenyon, director of business development at Canonical told me that Canonical has 8 million users and growing revenues.
On a conference call with press and analysts today, Shuttleworth said some really amazing things about his business and its lack of current profitability and his view that the money isn't on the Linux desktop.
"Canonical is not Cash positive," Shuttleworth said. "I think we could be cash positive if we focus on the core and scaled back."
Shuttleworth added that he expects Canonical will require another three to five years worth of funding.
"We continue to require investment and I keep being careful with my pennies making those investments," Shuttleworth said.
So though Canonical is generating revenue, they aren't yet profitable. Even more interesting is while Shuttleworth is a big believer in the Linux desktop he also admitted that isn't where he's going to make his money back.
"We can't make money selling the desktop that's why we focused on a zero licensing cost business model," Shuttleworth said. "The only way to build a business on Linux is to focus on services."
Facebook Scribe goes open source via Thrift
By Sean Kerner | October 27, 2008
While Facebook isn't exactly a poster child for open source, it's not quite an orphan either. Facebook like many Web 2.0 sites was built using open source software - and in using that software Facebook has realized that they needed to develop some of their own. Scribe is one such piece of software engineering and it's now being released outside of Facebook as open source licensed code.
"Scribe is a system for collecting massive amounts of data from a large
number of servers, and we use it for everything from tracking how much
memory a database is using to delivering relationship stories into News
Feed," Facebook developer Robert Johnson blogged. "Before we wrote scribe, we tried a variety of open source and
proprietary systems, but none of them could keep up with the massive
amount of information our users were generating. So we wrote our own
system, conceived from the start to handle the sorts of problems you
only encounter at such large scale."
What's particularly interesting to me about Scribe is the fact that it was built using another open source tool developed by Facebook called Thrift. According to Facebook, Thrift is a software framework for scalable cross-language services development. That's a big deal.
Currently Thrift is an incubator project at Apache and it will be interesting to see if/when it gets promoted to full project status and which other vendors might end up participating in the overall Thrift development.
InternetNews Week In Preview October 27, 2008
By Sean Kerner | October 24, 2008
From the "shameless self promotion" files:
Our weekly Week in Preview podcast is now up!
In this week's podcast, I'll answer the question -
what's an Ibex? Judy Mottl answers whether it will be trick or treat
for our favorite wireless carriers. While Kenneth Corbin answers why
these are dark days in Sunnyvale for Yahoo.
Mozilla releases Ubiquity 0.1.2 improving updates
By Sean Kerner | October 23, 2008
Mozilla is updating its Ubiquity semantic mashup tool to version 0.1.2. As far as I can tell the biggest improvement is that this new version will make it easier to get newer versions of Ubiquity - so let's call this an update for updating.
According to the release notes:
Built-in Ubiquity commands have been moved to automatically-subscribed
Mozilla feeds. This means that we can update commands to fix bugs and
add functionality, and you'll get the improvements immediately, without
having to download a new version of Ubiquity.
There are other enhancements too - most notably the ability to make commands - which after all is really what Ubiquity is all about. Overall Mozilla claims that they've enhanced the command editor with bug fixes and the ability to more easily create commands. For example bookmarklets can now be made into Ubiquity commands.
While I think that Ubiquity is a great idea - it's still very early days. I would expect however though that with the improvement in command editing, adoption will grow.
The true test will ultimately come at the point when Mozilla itself decides that Ubiquity isn't a separate feature but rather a core part of the browser and integrates into the mainline of Firefox development.
SCO down but not out
By Sean Kerner | October 22, 2008
Bankrupt and apparently beaten in a key court ruling, embattled Unix vendor SCO is still around and rolling new releases. This week in Las Vegas, SCO is holding its SCO Tec Forum 2008 event at the Luxor hotel. In addition to hosting customers (yup they've still got those I guess) SCO announced an upgrade to its office suite SCOoffice Server 4.2 which is geared for their OpenServer 6 and UnixWare 7.1.4 users.
"This is an important upgrade to SCOoffice 4.2 users," said Andy Nagle,
director of development at SCO in a statement. "This upgrade includes many new
features customers have been anticipating, particularly Connector
support for Windows Vista and Outlook 2007."
It looks like the thrust of SCO's message is that SCOoffice is a good alternative to Microsoft Exchange, though I'm not sure that Exchange runs on SCO's UNIX servers to begin with.
On the legal front Groklaw reported this week that SCO is still knee deep in shenanigans as it continues its maneuvering against Novell. So while SCO is far from top of mind for Linux users anymore - SCO is still alive.
Fix Linux bugs. Get free cookies
By Sean Kerner | October 21, 2008
Every Linux distribution (and open source project) has an ongoing challenge to resolve bugs. Fixing bugs becomes increasingly important at release time - which is where Debian is now at with the upcoming "lenny" release. Debian is gearing up for a bug sprint to fix remaining bugs (about 100 key ones) and is offering a unique incentive to developers - free cookies.
"The one who Fixes a RC bug
that is more than 3 months old by writing a patch shall become a WINNER. WINNERs and release managers will be eligible to receive home-made cookies from volunteers and from those who are not able to fix their RC bug in 5 days," Josselin Mouette wrote in an email to Debian developers.
I think it's a great idea. Sure free beer and the admiration/respect of peers is a good thing too but home made cookies? Mmmmmmmmmmmmmmmmmm.
Linux Ecosystem worth $25 billion
By Sean Kerner | October 20, 2008
The Linux Foundation is set to release a report on Wednesday estimating that the Linux ecosystem is now worth $25 billion. The $25 billion figure is one that I'm surprised at because it's lower than other forecasts I've seen over the years.
Or is it? I'm not sure how the Linux Foundation has compiled their numbers as I have not seen their report. The only tidbit of info I have so far is that the Linux Foundation has valued Google's use of Linux for Android at $1.3 billion worth of R&D. I would assume that the forecast also includes direct revenues from Linux vendors as well as hardware revenue derived from Linux server sales. A really accurate forecast would also include revenues from routing hardware (from Cisco, Juniper, Nortel and others) that is all powered by a Linux OS.
So why do I think the $25 billion figure is a bit low?
In 2008, IDC forecast that the Linux ecosystem would be worth $49 billion by 2011. That report coincidentally was sponsored by the Linux Foundation as well. IDC pegged the value of the 2007 Linux ecosystem at $21 billion. At that point (2007) IDC noted that Linux only accounted for 4 percent of the $242 billion spent annually on all software.
So yes I suppose that $25 billion is an accomplishment that needs to be recognized. But take it with a grain of salt. If IDC's 2008 projection was accurate 2009/2010 will see some massive growth - then again maybe IDC was just wrong. In the context of the overall software market it's also clear that Linux is a player but it certainly has a lot of room to grow.
Linux to get a new numbering scheme?
By Sean Kerner | October 17, 2008
From the "whatever happened to the dewey decimal system" files:
Linux kernel developer Greg Kroah-Hartman is leading an effort now that could possibly end up changing the way the Linux kernel is numbered.
Currently kernels are on an x,y,z scheme where the latest point release is 2.6.27 while the bug fixes and security updates are 126.96.36.199. Kroah-Hartman is proposing a calendar based system that will help identify the aging of the kernel.
In a posting to the Linux Kernel Mailing List, Kroah-Hartman wrote:
So, as someone who constantly is dealing with kernel version numbers all the time with the -stable trees, our current numbering scheme is a pain at times. How about this proposal instead?
We number the kernel based on the year, and the numbers of releases we have done this year: YEAR.NUMBER.MINOR_RELEASE
Under Kroah-Hartman's proposal the first release of 2009 would be 2009.0.0.
I haven't yet seen Andrew Morton or Linus Torvalds weigh in on an opinion on this either way. In my own personal opinion, I can certainly see benefits in a calendar approach and as a journalist (rather than as a user) it would save me the grief of looking up when a kernel came out. As a user, frankly, I don't care. The current numbering system is logical and systematic so I have no problems with it.
Mozilla's mobile browser Fennec hits Alpha
By Sean Kerner | October 17, 2008
The first alpha of Mozilla's new Fennec mobile browser is now out, though its mobile platform availability is extremely limited. Fennec only works on Nokia N810 Internet Tablets currently, though efforts are ongoing for a Windows Mobile version.
But don't worry - if you've got a Windows/Mac/Linux desktop you too can download Fennec to try it out on your local desktop.
"That's right, you can install Fennec on your Windows, OS X or Linux
desktop too! We want you to be able to experiment, provide feedback,
write add-ons and generally get involved with the Mozilla Mobile
project, even if you don't have a device," blogged.
While I definitely agree that mobile is a place where Mozilla should be, I also know that Mozilla is at a distinct disadvantage in mobile for a number of reasons.
First off both Google Android and Apple iPhone use WebKit based web browsers. Fennec (unless I'm totally mistaken) uses Gecko. As well Nokia owns Trolltech, developers of the Qtopia mobile development suite which also leverages WebKit. I would strongly suspect that Nokia will also standardize on its mainstream Symbian OS phones with WebKit as well.
The simple fact that bleeding edge app developers are targeting WebKit means that Fennec will face an uphill battle. Then again, Mozilla has been facing an uphill battle on the desktop side for years so what else is new right?
Google updates Chrome so plugins will work better
By Sean Kerner | October 16, 2008
Google's Chrome browser is now better at handling plugins. That's the big thing I take away from the new Chrome 0.3.154.3 update release.
The new update is tagged by Google as containing mostly bug fixes as well as a new download behaviour - which is also an important thing to note. Security researcher Aviv Raff had alleged that Chrome was at risk from a Carpet Bombing flaw that would let downloaded files execute on a user's desktop - the 0.3.154.3 update changes download behaviour. According to Google's release notes:
Changes the download behavior for files that could execute code (exe,
dll, bat, etc.). These files are now downloaded to
unconfirmed_*.download files. In the browser, you're asked if you want
to accept the download. Only after you click Save is the
unconfirmed_*.download file converted to the real file name.
Unconfirmed downloads are deleted when Google Chrome exits.
The big thing for me though is really one bug that is fixed dealing with plugins. Google notes that in the new update Chrome runs plugins at a normal priority so that they do not cause the browser to become unresponsive. That's a huge thing. In my experience with Chrome thus far it is typically a plugin (often Flash) that becomes unresponsive crashing the browser. Putting the plugin at the same priority is an interesting fix - though I'm not sure how that relates to Google's idea of sandboxing processes.
Change the minimum timer resolution for setTimeout() to 4 milliseconds
(up from 1ms). At 1ms, some pages would spin in tight loops and consume
100% of CPU.
Intuitively I would have thought that a lower timer resolution would have meant better performance - but that's apparently not always the case.
Open Source IS a business model
By Sean Kerner | October 15, 2008
Analyst group 451 Group has a non-public report out titled, "Open Source is Not a Business Model." To put my views front and center - this report title is clearly an attempt to generate interest with what some might think of as a controversial view. I have somewhat different views than 451.
In a blog post, 451 Group analyst Matt Aslett wrote that:
Open source is a business tactic, not a business model.
Open source is not a market in and of itself, nor is it a vertical
segment of the market. Open source is a software development and/or
distribution model that is enabled by a licensing tactic.
There is very little money being made out of open source software that
doesn't involve proprietary software and services.
Bottom line in my view is that open source IS a licensing approach and it IS a development methodology. It's also used as a marketing strategy sometimes too. That said many millions have been made from open source technologies - like Linux. Mozilla's Firefox open source browser generates more than $50 million a year for Mozilla. I could go on, but you get the point.
There is also a move by some (governments and others) to specify open source software as part of the procurement process. I'd say that qualifies as a category.
Saying that open source is not a business model is sort of like saying that search is not a business model. Search itself (Google or otherwise) is of course a vehicle on which a business model can be built (in Google's case a very good one). The same is true for open source - it is the medium/methodology - on top of which money is made.
The fact that many open source vendors have a dual-licensing model should not be seen as a failure of open source to be a business model in and of itself which is kinda/sorta what 451 Group is implying. Every time I've ever spoken to any open source vendor with a dual license strategy the reason why they have one always has to do with choice and policies at the end user enterprises. Open source can co-habitate with proprietary solutions and the fact that the two can co-exist is a sign of strength not weakness and doesn't mean that open source is not the basis for a business model.
Understanding how to make money from open source software is an important thing and that's what I see as the key issue that needs to be understood. Understanding that it's a balance of open/closed and free/paid is critical to success. But that's nothing new is it? Hasn't Red Hat been grappling with that issue since its creation? Isn't Red Hat an Open Source vendor?
Is Opera's MAMA the best search for developers?
By Sean Kerner | October 15, 2008
From the "everything I ever learned about programming came from View Source" files:
Most search engines search for content. Opera's new MAMA search ("Metadata Analysis and Mining Application") is searching for what's behind the content. It's all about figuring out what websites are made of in terms of markup and technologies. Sure you can easily find that stuff out today without MAMA on a site by site basis (view source/page info etc) but looking at all that info in the aggregate as a search is something that I personally have not seen in the way that MAMA provides.
"Say you want to find a sampling of Web pages that have more than 100 hyperlinks or for pages that use the that also use the FONT element with a Size attribute? Many parties would be interested in such a service, even if the market would be smaller than for a "traditional" search engine," Opera's Brian Wilson wrote. "For browser makers and standards bodies, the structure and composition of the Web is a more pressing issue than its content."
Beyond just being a search tool, Opera has also already done some aggregate analysis based on an initial analysis of 3.6 million URLs. Among MAMA's findings is that the open source Apache Server dominates with nearly 68 percent as compared to Microsoft's IIS which had a 26 percent share.
Flash is also represented though the penetration is less than I might have guessed. According to Opera, the total number of MAMA URLs using the Flash plugin is 1,176,227 (33.5 percent).
AJAX relies on XHR (XMLHttpRequest) so I would have expected to see it heavily represented as well. Opera reported however that XHR was used in 112,277 of MAMA's URLs 3.20 percent of all its Web
The only other stat from MAMA that I found a tad surprising was the CSS (Cascading Style Sheets) penetration. Opera reported that they found CSS in 2,821,141 MAMA URLs, 80.39 percent. I guess the other 20 percent are still using <table>.
Overall, this is definitely a valuable tool for looking at broad trends. But I'd caution individual site owners/developers to always place more faith in their own log file analysis as experience has taught me that individual experiences always vary.
Mozilla Firefox 3.1 Beta 1 shows some neat features
By Sean Kerner | October 14, 2008
Mozilla Firefox 3.1 Beta 1 is now out and it's got what Mozilla claims to be "...a huge pile of new features for developers." It's a claim that I personally won't argue against.
There is also support for a CSS property called CSS @font-face which lets designers specify specific true type fonts.
Then there are the HTML 5 elements - <video> and <audio>. Since the beginning of the web, embedding audio and/or video has also been an <embed> exercise. The new HTML 5 tags supported in Firefox 3.1 make it dead easy to include audio/video (though at this point it looks like the default is OGG, and not Windows Media or QuickTime).
On the security front, Firefox 3.1 includes support for the W3C XHR (XML over HTTP Request) access control. Mozilla's dev specs note that:
Web developers have long wanted to be able to get data from one site on another but same-origin restrictions
on many types of requests prevent many developers from mashing up
content. This new access control mechanism offers the ability for
servers, content and web clients to cooperate to make a lot of new
things possible on an opt-in basis.
But wait there's more!
Lots of stuff and I've barely scratched the surface -
Linux Standards Base (LSB) 4.0 hits Beta
By Sean Kerner | October 14, 2008
The first Beta of LSB 4.0 (Linux Standards Base) is now out, so get ready to start standardizing your Linux apps/distros!
I first wrote about LSB 4.0 in July when Linux Foundation exec Jim Zemlin told me he had 50 people in Russia working on it.
My former Jupitermedia colleague and now Linux Foundation community manager Brian Proffitt wrote about the LSB 4 beta today. One of the key things that is part of LSB 4 is the Application Checker which is supposed to help devs target Linux accurately.
"The Application Checker draws
on the extensive testing framework developed by the Russian Academy of
Sciences and the Linux Foundation to examine the binary files of an
application to determine how it will run on all LSB-certified
distributions. Not only does this assist application developers work
towards LSB certification, it also greatly enhances the general
portability of any application that's tested."
The overall goal of the LSB is all about portability - write once for Linux and have your app run on any distro. It's a worthy goal for sure though a difficult one. That said, the Linux Foundation is already claiming a degree of early success with the LSB 4.0 beta. They claim that there are already some 234 applications that are at or nearly ready for LSB 4.0 certification... not too shabby.
The final LSB 4.0 release is expected by the Linux Foundation to be out in the fall of this year (so that means soon!).
Mozilla launches new developer tools lab with Ajaxian vets
By Sean Kerner | October 13, 2008
Developer tools are an area that Mozilla itself specifically has not been engaged in too heavily, which frankly has been a bit of a shame since it's something that Netscape definitely was engaged in. Almaer has not yet laid out a plan with specifics but he does have some ideas that he blogged about.
As we ramp up this new group, we will be looking at the problem and
seeing where it makes sense to step in. We are going to be
experimenting, and thinking about how to make developers' lives better
in different ways. So we aren't expecting to see traditional tools come
out of this group. Also, we don't want to do this alone. We want to
involve the entire community which is one reason that we are so excited
to kick off this work at Mozilla. We believe that we have a unique
opportunity to put developers first. We can build these tools in the
open, with total transparency; the Mozilla way.
I'm going to put in a request right now. I want to see a full featured Mozilla Web Editing Tool - not Firebug, but a bona fide full development suite. Now I know that there is the Mozilla Composer Effort but it's high time that there is an open source project that can compete against Adobe Dreamweaver. Yes I know that's a bit low-level for some developers, but it's a level that I personally think is important. Almaer does note however in his blog post that traditional tools aren't what his group is going to be focused on (but hey doesn't mean you can't put in a request).
Beyond that Firebug is awesome (I have it installed myself) and if that team does get the full power and resources of the new Mozilla Developer Tools Lab - then wowza - watch out!
No Press at Linux Foundation End User Summit
By Sean Kerner | October 13, 2008
There is a big Linux event in NYC today and tomorrow - but I won't be there. The Linux Foundation's End User Collaboration Summit has some big names presenting including Novell's CEO Ron Hovsepian, Canonical CEO Mark Shuttleworth, Red Hat EVP Paul Cormier and an impressive list of financial industry executives from UBS, NYSE, Credit Suisse, CME and AIG.
But I won't be there to hear any of them in person. The Linux Foundation has decided to keep the End User Collaboration event as a closed event without press (at least that's what they told me).
"While we very much appreciate your interest in attending the 2008 End User Summit, I am afraid that attendance is limited to end users, kernel developers and LF member vendors only," Angela Brown of the Linux Foundation wrote in an email to me. "We have decided that press will not be allowed to participate in the event. After the event, we will issue a summary to press and be available for questions."
To be fair, the Linux Foundation has always been very responsive to me overall and Jim Zemlin the Exec Director of the Linux Foundation is an excellent person to interview anytime. The Linux Foundation also has a new conference called LinuxCon set for 2009 which hopefully will allow for press.
While I understand that there are times when closed door sessions are necessary - as a technology journalist I also must always see openness and transparency as being of paramount importance. With a closed door event, my first question will always be - what aren't they telling me?
Mandriva Linux 2009.0 is out - but do you care?
By Sean Kerner | October 10, 2008
The first time I ever saw Mandrake Linux (now Mandriva) was on a retail store shelf. That was probably 9 years ago and to be honest in the last few years I personally haven't seen Mandriva running much (as I shoulder surf desktops at conferences) - though it's hard to tell. Mandriva Linux 2009.0 is now out and it might help to improve the adoption numbers, especially for those who prefer the KDE Linux desktop.
Mandriva 2009.0 includes KDE 4.1 (a whole lot more stable than KDE 4), a new GUI installer and improved boot times according to the release notes. Mandriva also claims that its installer is now capable of detecting low-resource systems or netbooks, and installing an appropriate environment.
Linux bloat is a real problem for low resource systems. In my own experience I tend to spend the first hour (or more) of any new release installation turning off services that are installed by default that I'm likely to never need or use. Having an installer that can detect a low-resource system is a positive step forward overall in helping to make for faster and more efficient systems.
Mandriva at this stage in its maturity faces more than just technical challenges - there are significant marketing challenges too. Traditional competitors like Red Hat, SUSE and Debian are still there and the popular Ubuntu Linux distribution is also grabbing a lot of mind and market share. It's not just good enough anymore (if it ever really was) to just be better than Windows - for Mandriva to make a dent it needs to be better and somehow differentiated than other Linux distros as well.
Update Flash to protect against Clickjacking
By Sean Kerner | October 08, 2008
Security researcher Robert Hansen (aka Rsnake) is warning of a new class of vulnerabilities that he is referring to as Clickjacking. So far Adobe has already issued an advisory for its Flash player to protect against Clickjacking vulnerabilities that could be exploited.
Understanding clickjacking isn't that easy - it is in fact a form of what in lay terms I would think of as a cross site scripting issue though it really is more than that. Rsnake explains in a blog posting that:
First of all let me start by saying there are multiple variants of
clickjacking. Some of it requires cross domain access, some doesn't.
Some overlays entire pages over a page, some uses iframes to get you to
use CSRF to pre-load data in forms, some don't. Clickjacking does not
cover any one of these use cases, but rather all of them. That's why we
had to come up with a new term for it - like the term or not.
In total, Rsnake claims there are 8 different issues related to clickjacking, only 2 of which are currently resolved in shipping applications. Adobe has issued an advisory for Flash and Adobe security researcher David Lenoe has blogged on this issue as well.
This potential 'Clickjacking' browser issue affects Adobe Flash Player's microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.
Serious stuff - and definitely a new threat vector that I expect we'll see more of in 2008 and into 2009.
SecTor: Johnny 'I Hack Stuff' hacking for charity
By Sean Kerner | October 08, 2008
TORONTO. Johnny 'I hack stuff' Long is by his own admission a hacker. Does that mean he's a bad dude? No - not even close.
Long is in Toronto at the SecTor conference giving a keynote on No Tech Hacking. Before he started his keynote he began with a pitch, not a product pitch, but a pitch for hackers to do good.
Long runs an effort called Hackers for Charity (http://www.hackersforcharity.org/) that pairs hackers with charitable efforts.
"We're helping to shatter the cycle of poverty through empowering people and not charity," Long said.
Hackers for Charity makes use of hackers' skills to build websites and computer installations for those less fortunate in East Africa and other places. Long also donates the profits from his book No Tech Hacking and he also sells T-shirts (sold out at this show) and solicits donations for the effort. For $9 a month Long claims he can feed a child in Africa.
So next time you equate hacking with being evil - think again. Not all hackers are evil and some (like Long) are actually forces for good.
MySQL co-founder leaving Sun
By Sean Kerner | October 08, 2008
MySQL co-founder David Axmark is leaving Sun. MySQL developer Kaj Arno broke the news on his blog, where he copied parts of Axmark's resignation letter, in which Axmark rages against the authority of Sun.
I have thought about my role at Sun and decided that I am better off in
smaller organisations. I HATE all the rules that I need to follow, and
I also HATE breaking them. It would be far better for me to "retire"
from employment and work with MySQL and Sun on a less formal basis.
Frankly, Axmark's departure isn't a big surprise; I would have been more surprised if he had stayed, to be honest. MySQL is now much bigger than it once was, both in terms of its development and its expected business yield. As well - and this is my view - I'd suspect that Axmark had a certain yield that he earned from the Sun buyout of MySQL; it may just be time for him to finally cash in.
Not that he is leaving MySQL entirely - he's just 'retiring', as he notes, from Sun. I expect that Axmark will continue to be active in actual code development whether at MySQL open source proper or on affiliated efforts.
SecTor: Walking out of Googless Google security talk
By Sean Kerner | October 07, 2008
TORONTO. The term Google Hacking is not a new one - and it's definitely an interesting topic to learn about how you can use Google to attack or protect sites.
That was the promise of the Googless session at SecTor run by OWASP researcher Christian Heinrich. Unfortunately Heinrich's presentation was a little strung out and heavy on the obvious features of Google. So much so that by my estimation at least 40 percent of the people that were in the session when it began left before it ended.
From my point of view I gleaned at least one small tidbit. Heinrich has created a tool called TCP Input Text which extracts TCP Ports from Google Search Results. It's an interesting little tool that could be used for profiling without triggering an IPS/IDS. He also demonstrated how his Google tool could be integrated with the NMAP security tool to get an even more accurate profile.
The new tool is part of an OWASP tools project - I'll be keen to see how they evolve over time. Heinrich said that the Google hacking tools will be released in November of 2008 and will be published on Google Code itself.
Heinrich argued that the OWASP Google Hacking effort is not a violation of Google's Terms of Service, though he did note that Google has complained to OWASP executives about the project. That said, Heinrich claimed that Google has recently offered him a job as Google Security Team lead in Australia.
SecTor: Metasploit Prime comes to Canada
By Sean Kerner | October 07, 2008
Back in the summer I had emailed Moore to see what was going on - and at the time he noted he was busy with stuff (like making a weaponized attack code for Kaminsky's DNS exploit).
Well luckily for me - he's not too busy to make it up to SecTor which kicks off today in Toronto.
Moore is talking about - what else - Metasploit - but here's the kicker - he's talking about Metasploit 3.2 - which is currently in development. It's been months since Metasploit 3.1 was released and Moore has got *a few* tricks up his sleeve yet.
His preso is just about to start here - but he's delayed - by....a/v issues with the projector.
**UPDATE** Moore just announced that Metasploit is moving to a BSD license for 3.2 which will be out any day now. Big news!
**UPDATE 2** - Auto Browser Pwn, Evil Wireless Access Point, Metasploit MITM and IPv6 attack capabilities are the other big highlights in Metasploit 3.2. I've got a full story that should be up soon on the main InternetNews.com with more details and quotes.
LinuxWorld is Dead. Long Live Open Source World!
By Sean Kerner | October 07, 2008
As I had predicted earlier this year LinuxWorld is no more. Well not quite. LinuxWorld the big Linux show that occurs every year in San Francisco is morphing into a new show called OpenSource World. The re-naming follows a move by O'Reilly to bring the OSCON conference to San Francisco earlier this year.
Frankly I think this is a bit odd in many ways. OSCON moves to the Bay so LinuxWorld - in the same year changes its name?
Luckily there will still be a named Linux conference - the Linux Foundation's LinuxCon which will be in Portland. So a few moving chairs here. OSCON moves from Portland to the Bay. LinuxWorld becomes OpenSource World and a new conf in Portland. Lots of activity in Linux, open source space for sure, hopefully that's a sign that though there is an economic slowdown - slow times are not ahead for open source.
Mozilla Labs Geode brings geotagging to Firefox
By Sean Kerner | October 07, 2008
Aza Raskin is set to announce today a new Mozilla Labs project called Geode which is a geotagging effort. Identifying content by location isn't new for the web, IP addresses generally speaking can be used for geotargeting purposes but geotagging on the client side browser is something that has been a bit more nebulous (outside of say Flickr or Picasa).
The Geode effort will be by my count the second major effort from Raskin's team at Mozilla Labs this year. In August, Raskin launched the Ubiquity effort which is a semantic mashup for content.
Raskin himself has only been with Mozilla since January of this year when his firm Humanized was acquired by Mozilla. Aza Raskin is perhaps best known for being the son of legendary Apple Macintosh UI designer Jef Raskin. Jef Raskin passed away in February of 2005 and was widely credited with being the father of the Apple Macintosh.
*UPDATED* The Geode code (and announcement) are now available on the Mozilla Labs site.
According to Mozilla's post:
Geode provides an early implementation of the W3C Geolocation specification
so that developers can begin experimenting with enabling location-aware
experiences using Firefox 3 today, and users can tell us what they
think of the experience it provides. It includes a single experimental
geolocation service provider so that any computer with WiFi can get
accurate positioning data.
What's wrong with Linux netbooks?
By Sean Kerner | October 06, 2008
"They start playing around with Linux and start realizing that it's not what they are used to," MSI's Director of U.S. Sales Andy Tung said in the Laptop mag interview. "They don't want to spend time to learn it so they bring it back to the store. The return rate is at least four times higher for Linux netbooks than Windows XP netbooks."
Frankly - this doesn't surprise me in the least. I suspect that most retail consumers simply don't have a clue what Linux is. So they walk into a retail store buy a cheap netbook open it up and see something different - so they return it.
Linux does not look the same as Windows (though of course you can make it look pretty close - which is something that Xandros does well) and it doesn't run all the same desktop applications that Windows does. Certainly there are replacement applications - OpenOffice for Microsoft Office and Firefox for IE - BUT still, if a user has a certain expectation (and that expectation is Windows) and they don't get it...well what do you expect?
While the netbook industry has done a great job of pushing price - I'm not so sure they've done a great job (so far) of evangelizing Linux. Then again, this is the comment of one vendor - so it will be interesting to see if other netbook vendors have had the same (negative) experience.
Linux turns 17
By Sean Kerner | October 06, 2008
On October 5th 1991, Linus Torvalds posted his now infamous first announcement of a new operating system called Linux.
Seventeen years later, Linux is front and center as a leading operating system, displacing big Iron UNIX and making inroads against Microsoft Windows (which in 1991 wasn't an issue, though with the Windows 3.1 release in 1992 it became one...).
How does a small effort started by one man, end up growing into a multi-billion dollar ecosystem with thousands of developers globally? Lots of reasons, but fundamentally it all comes down to two things as far as I'm concerned.
1) Open Source - which at the time was only Free Software. The GPL license enabled and encouraged contribution in a way that would not have been possible with other licenses.
2) A need to replace UNIX with something else.
In his original message 17 years ago, Torvalds himself provided a very simple explanation of why Linux was coming into being:
I can (well, almost) hear you asking yourselves "why?". Hurd will be out in a year (or two, or next month, who knows), and I've already got minix. This is a program for hackers by a hacker. I've enjouyed doing it, and somebody might enjoy looking at it and even modifying it for their own needs. It is still small enough to understand, use and modify, and I'm looking forward to any comments you might have.
Happy 17th Linux! It will be interesting to see what the next 17 years will bring.
Majority of Firefox downloads are unused
By Sean Kerner | October 02, 2008
From the "shocking but true" files:
Hundreds of millions of people have downloaded the open source Firefox web browser. You would think that if someone downloads the browser they would use it - but that's not always the case. In fact according to Mozilla, 75 percent of users are not active after that initial download.
SHOCKING - isn't it?
So Mozilla is trying to correct the problem with their new Impact Mozilla effort that is intended to help grow retention and usage of Firefox.
Retention marketing is one of Mozilla's key challenges. Currently tens
of millions of Firefox users download the browser, but about 75% of
those users are not active after that initial download. How do we get
these past users back? And how do we keep future users active once
they've downloaded Firefox?
The answer to me is painfully obvious - IE is still installed by default on most of these users' PCs and IE is still their default browser. The act of downloading Firefox alone does not mean that users have actually 'switched' to Firefox.
As well, users still click on http: links from within their email clients (often Outlook/Outlook Express) which will still open up IE by default (sure you can change the setting but who does that?).
The same basic anti-trust issues that led to the collapse of Netscape are still in play today. So long as IE is the default installed browser, Mozilla (though often downloaded) will always be a supplementary download and as such at risk from reduced usage.
Africa's IPv6 adoption isn't world beating
By Sean Kerner | October 02, 2008
Over the next 36 months or so talk about IPv6 is likely to hit a feverish pitch as IPv4 addresses are finally exhausted. As such, it makes sense to try and figure out who is leading in the race towards IPv6 adoption and who is lagging behind. ICANN staffer Leo Vegoda has made an interesting case for Africa being a leader in IPv6.
Vegoda notes that actually finding a valid metric for figuring out how much IPv6 is being used in a given region is a difficult task.
"One possible measure of IPv6 deployment in ISPs is the number of IPv6
address blocks (prefixes) seen in the routing table in comparison with
the number of autonomous systems (ASs - roughly equivalent to ISPs)
in a region," Vegoda blogged. "AfriNIC, the Regional Internet
Registry for Africa and parts of the Indian Ocean, has a higher
proportion of networks in its region announcing IPv6 addresses than the
First of all I think it's great that Africa is right up there on the uptake of IPv6. It's a measure of the fact that Africa doesn't have as much 'legacy' IPv4 to deal with and not as many IP's in general to deal with.
However I don't think it's an accurate assessment to say that Africa currently leads the world in IPv6. It's very difficult to measure IPv6 (as Vegoda notes) because there is traffic that is tunneled (IPv6 over IPv4) as well as native traffic. Personally I would strongly suspect that due to the recent OMB mandate in the US Government for IPv6 compliance that the US government is in a very strong position when it comes to IPv6. Certainly the US has not 'turned on' IPv6 as its default, but the installed capability is there when the time comes.