RealTime IT News

Blog Archives

Red Hat Fedora 11 Linux hits beta. Hail Leonidas!

By Sean Kerner   |    March 31, 2009

From the 'tonight we dine on Linux' files:

Red Hat's Fedora community Linux distribution is out today with its first beta for the Fedora 11 (codenamed Leonidas) release. At the top of the feature list for this new distro is something that all users will notice, namely faster boot times -- specifically a claim for a 20 second startup. Faster startup is a key goal for Linux distros this release season; Ubuntu Jaunty, which should be out at the end of April, also features a faster startup.

Fedora is also aiming to have the new ext4 Linux filesystem as the default for new Fedora 11 installations, which will not only aid boot times but performance of the distro overall. Fedora 11 could well be the first mainstream Linux distro to include ext4 as its default filesystem with this release -- Ubuntu Jaunty does include ext4 but it is not the default at this point (ext3 is).

Typically Fedora is a distro that isn't too concerned about Microsoft Windows, but Fedora 11 does include at least one key Windows development feature called the Windows Cross-compiler. According to Fedora's project description, the Windows Cross-compiler will enable users to "build and test full-featured Windows programs, from the comfort of the Fedora system, without needing to use Windows."

The final Fedora 11 release is currently scheduled to be released by Red Hat at the end of May.

Microsoft settles with TomTom. Is this good or bad?

By Sean Kerner   |    March 30, 2009

From the 'now what?' files:

After a brief but very media-hyped period, Microsoft and TomTom have settled their patent dispute - apparently in a way that is not incompatible with the open source GPL license.
Though the two parties have settled their dispute, the overall dispute over Linux patents is far from being settled in my opinion.

Microsoft made a patent deal with TomTom in this case, and it affects TomTom alone. In that way, this deal is similar to Microsoft's patent deals with Novell, Xandros and others which are fundamental cross-licensing deals with specific vendors.

The cloud of doubt -- call it FUD if you want - that still hangs over open source and Linux is that Microsoft still has intellectual property/patent issues with open source software. 

Red Hat Fedora reveals details on intrusion attack

By Sean Kerner   |    March 30, 2009

From the 'now we know' files:

Last August, Red Hat's Fedora project announced that its servers had been compromised -- now 6 months later (after an exhaustive investigation), Red Hat has revealed exactly what happened.

According to Red Hat Fedora Project Leader Paul Frields, the compromise did not come by way of any vulnerable software on the Fedora servers but rather by way of an SSH key that wasn't properly secured. The SSH key belonged to a Fedora administrator and was used by the attacker to build modified versions of openssh and rpm. That's pretty serious, as it means the attacker could potentially have tampered with all Fedora packages -- but that's not what happened in the end.

"The intruder did deploy the modified packages, and the modified SSH package may have captured passphrases for a short time," Frields reported. "However, the investigation supports the conclusion that the modified packages were discovered before anyone accessed the system to sign any packages using the modified RPM package."
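The weak link described above was an administrator's SSH private key that wasn't properly secured. The following audit script is an added example (not Fedora project code): it parses the two on-disk formats OpenSSH writes, reports whether a key is passphrase-protected, and flags group/other-readable permissions. The sample keys it builds are constructed dummies, not real key material.

```python
"""Audit OpenSSH private keys for the weakness behind the Fedora compromise:
a key file with no passphrase (or readable by others) is usable by anyone who
obtains a copy. Constructed example; not Fedora project code."""
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def audit_private_key(pem_text):
    """Describe a private key's format and whether it is passphrase-protected.

    Two formats are recognised: 'openssh-key-v1', whose decoded blob starts
    with the cipher and KDF names ('none'/'none' when the key is unprotected),
    and the legacy PEM format, where encryption is signalled by a
    'Proc-Type: 4,ENCRYPTED' header line in front of the base64 body.
    """
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN")
            or not lines[-1].startswith("-----END")):
        raise ValueError("not a PEM-framed private key")
    header, body = lines[0], lines[1:-1]

    if "OPENSSH PRIVATE KEY" in header:
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "cipher": cipher, "kdf": kdf,
                "encrypted": cipher != "none" and kdf != "none"}

    # Legacy PEM: RFC 1421 header lines contain ':', base64 lines never do.
    headers = [ln for ln in body if ":" in ln]
    encrypted = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                    for h in headers)
    dek = next((h.split(":", 1)[1].strip() for h in headers
                if h.startswith("DEK-Info:")), "")
    return {"format": "legacy-pem",
            "cipher": dek.split(",")[0] if dek else "none",
            "kdf": "openssl-legacy" if encrypted else "none",
            "encrypted": encrypted}


def review_key(pem_text, mode):
    """Return findings for one key file (empty list = nothing wrong).

    `mode` is the file's st_mode; a private key must not be readable by
    group or other, so anything outside the owner bits is flagged.
    """
    findings = []
    if not audit_private_key(pem_text)["encrypted"]:
        findings.append("no passphrase: a stolen copy is immediately usable")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o allows group/other access; expected 0600"
                        % (mode & 0o777))
    return findings


def review_key_file(path):
    """Audit an on-disk key using its real permissions."""
    with open(path) as fh:
        return review_key(fh.read(), os.stat(path).st_mode)


# --- constructed sample inputs (no real key material) -----------------------

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def constructed_openssh_key(cipher, kdf):
    """Build a syntactically valid openssh-key-v1 file with dummy key sections
    so the header parser can be exercised without a real key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode())
            + _ssh_string(kdf.encode())
            + _ssh_string(b"")                 # kdfoptions (empty for 'none')
            + struct.pack(">I", 1)             # number of keys
            + _ssh_string(b"dummy-public-key")
            + _ssh_string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = [("unprotected, 0644", constructed_openssh_key("none", "none"), 0o644),
               ("bcrypt, 0600", constructed_openssh_key("aes256-ctr", "bcrypt"), 0o600),
               ("legacy encrypted, 0640", LEGACY_ENCRYPTED_KEY, 0o640)]
    for label, key, mode in samples:
        print(label, "->", review_key(key, mode) or ["ok"])
```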

GhostNet cyber-spy network busted by Canadians

By Sean Kerner   |    March 30, 2009

From the 'Is China spying on you?' files:

A massive global spying network, dubbed GhostNet, was uncovered this weekend by researchers at my alma mater, the University of Toronto. The network was allegedly run by the government of China, and was discovered first by an examination of the Tibetan Dalai Lama's website by the researchers, but is much more widespread than any one site.

"The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries," the report states. "Up to 30 percent of the infected hosts are considered high-value targets and include computers located at the ministries of foreign affairs, embassies, international organizations, news media and NGOs."

Allegedly the GhostNet -- which in my view is just another name for a botnet -- infected the hosts by way of a trojan that was delivered by way of a document attachment.

There are a few really interesting aspects to this story. First is the fact that there is a global co-ordinated effort by 'someone' (maybe China, but we don't know for sure) to infiltrate global political organizations.

Then there is the fact that this GhostNet was discovered almost accidentally, by way of an examination of the Dalai Lama's website (he had requested that the UofT researchers examine his site as he was suspicious of certain activities). It is unclear at this point how long this spying activity has been going on, and it is also unclear if any of the affected parties knew about these issues prior to being informed by the security researchers.

From a security point of view, the GhostNet is particularly disturbing because it should be preventable. You would think that with proper network access controls in place, anti-virus software and firewalls, that trojan shouldn't be able to infect PCs. We don't know the security posture of all the infected PCs, but if they weren't all properly secured that's pretty scary. If they were secured and they still got infected, that's even scarier.

What is for sure is that botnets and trojans are no longer just the domain of criminals. Trojans are now also a cyber-weapon that can be used by governments (or their agents) for spying operations. 

JBoss CTO leaving Red Hat

By Sean Kerner   |    March 30, 2009

From the 'good luck and fare thee well' files:

JBoss CTO Sacha Labourey is leaving Red Hat. Labourey had been at JBoss for the past eight years, nearly three of which were under Red Hat's ownership. Labourey's departure comes over two years after JBoss founder Marc Fleury left Red Hat in 2007.

Times are good for Red Hat if its most recent financial results are a good indicator. But it seems as though Labourey is just ready to move on and take life a little slower too.

"So, why am I leaving now?" Labourey wrote in a blog post. "Well, JBoss is kicking and well alive. Sales are booming, the product pipeline is full and new talents are energizing our ranks. We are now 33 months after the acquisition of JBoss by Red Hat and it is fair to say it is a great success."

Labourey notes that he'll still be available to Red Hat as an advisor; beyond that he plans on doing nothing for the next six months.

This isn't quite like Marc Fleury leaving -- he clearly didn't have a role that he wanted under Red Hat and this isn't like the meltdown at Sun with MySQL execs (Marten Mickos and Monty Widenius among others) running to the exits.

JBoss in my opinion has been a real boon to Red Hat since its acquisition in 2006 for $350. Labourey has stuck around and has been a part of the continued evolution and growth of JBoss inside of Red Hat. Eight years is a long time in the tech business (especially today) and it's clear to me that Labourey is leaving on his own good terms with Red Hat.

So good luck to you Sacha, hope you find the next six months peaceful.

Mozilla Firefox 3.0.8 out Now for zero day fix *UPDATE*

By Sean Kerner   |    March 27, 2009

From the 'high priority fire drill' files:

Mozilla is scrambling to rush out Firefox 3.0.8 by March 30th (or sooner) to fix a critical bug. **UPDATED: Mozilla put out the 3.0.8 update late Friday, March 27.** The issue is a flaw that can be exploited after an XSLT-triggered crash. Essentially it's a remote memory-corruption vulnerability, which is not uncommon in Mozilla security updates.

What is a little uncommon is the fact that a proof of concept exploit already exists for the flaw (which in my book means that Firefox was exploitable today -- a 0-day prior to the late update).

Firefox was at risk from at least one other previously unpatched flaw as well. The one that 'Nils' found at the PWN2OWN contest last week is also patched in the 3.0.8 update.
With the Pwn2OWN vulnerability though, the details are still under wraps, so there is no public (AFAIK) exploit code on that yet. There is no indication at this point that the XSLT issue that 3.0.8 will fix is in any way related to Nils' vulnerability either (but it could be).

According to Mozilla's advisory on Nils' vulnerability:

Security researcher Nils reported via TippingPoint's Zero Day Initiative that the XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use. In such cases, the browser would crash when attempting to access a previously destroyed object and this crash could be used by an attacker to run arbitrary code on a victim's computer.

Nils also defeated IE8 and Safari -- it's not yet clear whether he used a similar attack vector on those browsers, though considering this is XUL specific I'm not sure.

Melissa virus turns 10. That was not a fun day

By Sean Kerner   |    March 26, 2009

From the 'not so good old days' files:

It was 10 years ago today that the Melissa worm changed the IT security landscape. Melissa was the first big virus that went viral and it affected many people personally -- including me. Things today in 2009 are quite different, but still it's interesting to reminisce a little.

I was managing a network at the time, and I remember being in the office of one of the salespeople seeing all these messages fly into his inbox. It was madness. The volume was staggering and I had never seen anything like it.

I ran to my office to see if the same thing was happening on my Mac (a 68K Mac running System 7.5.x -- hey it was 1998 after all) and I was getting flooded too. My phone started to ring with other staff complaining of the same issue, the intercom system was blaring with people paging me to their office to look at their computers.

The server room was across the hall from my office, so I dashed in to look at the mail server to see what was going on. The volumes that I saw were shocking and what was worse was that it was obvious that the volume was both inbound and outbound.

So I did the only thing that I knew would stop the problem quickly. I physically pulled the plug from the ISDN (yeah, remember it was 1998) router to the network. It was only an hour or so later, after a lot more grief, that I found out it was the Melissa virus.

Today networks are configured very differently than they were in 1998.

For one, gateway anti-virus is the norm as well as heuristics based desktop anti-virus. Carriers themselves also tend to do some scanning for their corporate clients to ensure clean pipes. Overall there is a greater awareness of the need for anti-virus measures. For that we can thank Melissa and the early viruses of her generation.

Yet though Melissa is now 10 years past, viruses still pop up and still find vulnerable hosts. There are still countless numbers of PC users that don't have up to date virus protection and still many that rely on desktop anti-virus alone.

Today as we mark the 10th anniversary of that dark day, let's all take the time to make sure we're updated -- and hey, if you know someone less computer literate than yourself, why not help them out to make sure they're properly protected too.

Psyb0t turning Linux routers into a botnet?

By Sean Kerner   |    March 26, 2009

From the 'that's not good' files:

As many as 100,000 routers are allegedly infected with a new worm that turns home routers into drones for a botnet. DroneBL, a botnet attack monitoring service, claims the new Psyb0t worm targets OpenWRT and DD-WRT based firmware (which run on MIPS processors). OpenWRT is open source software that is often deployed on Linksys routers running embedded Linux firmware.

"This is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems," DroneBL claims in a blog post. "Many devices appear to be vulnerable."

Defending against psyb0t doesn't appear to be all that complex, so users just need to take a few simple steps to protect themselves.

"To disinfect, simply powercycle your device and take appropriate action to lock it down, including the latest firmware updates, and using a secure password," DroneBL suggests.

In my very simplistic point of view, what this highlights is a larger and continuing problem -- namely weak passwords and out of date firmware. When was the last time you updated your router's firmware or password? I suggest you check.

Microsoft not feeling TomTom Linux patent chill?

By Sean Kerner   |    March 25, 2009

From the 'intellectual property is not evil' files:

There has been a lot of talk in the last several weeks about Microsoft's patent lawsuit against navigation vendor TomTom, a suit which includes Linux-related patents. Despite that talk (at least in the press), Microsoft apparently is not seeing any direct backlash as a result of its patent case.

I asked Sam Ramji, senior director of platform strategy at Microsoft, about TomTom the other day and he claimed that patent issues aren't causing any chilling effect on his part of Microsoft's open source plans.

"We've made so much progress in demonstrating a consistent and rational process for open source adoption of Microsoft technologies and interoperability with non-Microsoft platforms," Ramji said. "I feel like we've gained some credit in that area and we do our best. I've been at two significant open source events in the last few weeks and none of attendees have brought up the issues of patents to me."

Before I go any further, let me first state that Sam Ramji does not shy away from questions. I've had the opportunity to interview him several times over the last few years and he has always been as upfront as possible.

Ramji's comments, in response to my question on TomTom, line up directly with what Ramji has been saying for as long as I've been talking to him about patents -- namely that developers need not worry (too much).

That said, last year at OSCON, Ramji was quite literally mobbed by the audience after his presentation by attendees that were 'curious' about Microsoft's patent stance. The TomTom case potentially represents Microsoft's first real patent legal attack against Linux and as such, somehow I suspect that eventually that will trigger a chill of some sort.

Mozilla helps Accelerated 3D on the Web at GDC

By Sean Kerner   |    March 24, 2009

From the 'play real games in your web browser' files:

Playing games, real games -- has always meant installing software, or running a dedicated gaming console with a CD/DVD. Sure there are games (usually little Flash things) that can be run inside a browser, but usually the graphics aren't up to snuff. That could be changing thanks to an open effort spearheaded by Mozilla (yes the same people that build Firefox).

Today at the Game Developers Conference (GDC), the Khronos Group announced a new in-browser effort called "Accelerated 3D on the Web". The Khronos Group is an industry consortium that develops open standards like OpenGL that benefit game developers and media developers alike.

The Accelerated 3D on the Web working group will be chaired by Mozilla, and is an effort to develop a new royalty-free standard that could bring cool 3D gaming graphics over the web direct to our web browsers.

A key part of making the browser into a gaming platform, will be the use of JavaScript to get OpenGL capabilities to users. Once upon a time, getting JavaScript to have the performance characteristics to power full 3D would have been a joke in my opinion, but it's not a joke anymore.

Oracle doesn't need Red Hat. It needs Zend

By Sean Kerner   |    March 24, 2009

From the 'why buy when you can build your own' files:

There is a lot of speculation out now about Oracle wanting to acquire Red Hat. It's a deal that makes no sense to me personally and one that I don't think is likely to happen anytime soon.

For one, Oracle has already demonstrated that it can take Red Hat products and through the open source licensing terms -- rebrand them.

Oracle Enterprise Linux is essentially Red Hat Enterprise Linux, just taken by Oracle and stripped of Red Hat's trademarks. Oracle clearly doesn't need to buy Red Hat for its software, since by definition Red Hat's software is open source.

Oracle could however stand to benefit from buying Red Hat's customers and support -- but considering that Red Hat is a strategic platform play for a number of vendors (including Cisco, HP, IBM and Dell), I just don't see it.

On the other hand, there is another strategic open source vendor that I think might make a really good fit for Oracle - namely commercial PHP vendor Zend.

Oracle and Zend already collaborate on a PHP distribution for Oracle so the two are hardly strangers. Oracle participates in the broad Java ecosystem, but if it owned the lead PHP vendor it could take a commanding position in the PHP space and carve out a real niche for itself. PHP is a critical component of the LAMP (Linux/Apache/MySQL/PHP) web stack and with Zend in hand, Oracle could get a strong grip on its own web stack business.

I've written before that I thought IBM should buy Zend -- and I still think that would make sense too.

Zend is a crown jewel among private open source vendors. Its technology is widely used, but in my view still not benefitting from the massive sales forces and integration that a big vendor like Oracle (or IBM) could bring to the table. Oracle has the cash and the open source expertise to buy just about anyone it wants. The key for Oracle, in my opinion, is to make a deal for something that adds value and extends its platforms.

HP releases Flash security tool for free

By Sean Kerner   |    March 23, 2009

From the "I told you so" files:

Earlier this month, I wrote about HP's new Flash security tool -- that tool, now officially called SWFscan (just as I predicted) is out. But there is one surprise, the tool is free.

SWFscan is a tool that decompiles Flash code and looks for vulnerabilities. HP security researcher Prajakta Jagdale discussed the tool (then under development and not public) at Black Hat in Washington DC in February.

HP claims that to date it has analyzed nearly 4,000 flash web apps, and surprisingly they found that 35 percent of them had some kind of security issue with them.

The release of SWFscan as a free tool is a good thing, in that it lowers the barriers to entry for developers to understand what they're doing wrong.

Simple issues like information disclosure and more complex issues like cross site scripting vulnerabilities aren't always easily caught during a development process -- finding those with SWFscan might make the process a whole lot easier.

TomTom gets Linux patent help from OIN

By Sean Kerner   |    March 23, 2009

From the 'friends in high places' files:

TomTom is adding a little more muscle to its patent fight against Microsoft. The navigation vendor today announced that it has joined the Open Invention Network (OIN) as a licensee. TomTom is in a back and forth patent battle with Microsoft -- with at least four patents specifically related to Linux.

The OIN is a group that is all about helping Linux and open source vendors share patents in a royalty-free manner in order to further encourage open source technology adoption. Though TomTom was not officially a member prior to today, the OIN as well as the Linux Foundation have previously pledged to defend against any patent claims against Linux.

"Linux plays an important role at TomTom as the core of all our Portable Navigation Devices," said Peter Spours, director of IP at TomTom in a statement. "We believe that by becoming an Open Invention Network licensee, we encourage Linux development and foster innovation in a technical community that benefits everyone."

How TomTom's involvement in OIN may actually impact the case against Microsoft is obvious to me.

TomTom is now pulling in the big patent holders (like IBM) that are part of OIN and making this a wider patent issue than just one of Microsoft vs a little GPS navigation vendor. Then again, from the first day that Microsoft made its allegations, the Linux community has made this a bigger issue.

Time will tell how this whole thing will ultimately get resolved -- but if I had to wager a guess what will happen, I'd say that we may end up seeing some kind of cross-licensing for TomTom and Microsoft patents.

Or the other potential scenario is more interesting -- maybe Microsoft will open up, join OIN and end the Linux patent threat forever. That sure would be something, wouldn't it?

Red Hat releases JBoss Developer Studio 2

By Sean Kerner   |    March 23, 2009


From the 'developers, developers, developers' files:

Red Hat is expanding its software development portfolio today with the official release of JBoss Developer Studio 2 - Portfolio Edition. It's an interesting release that packages together an Eclipse based dev tool with JBoss' Enterprise Application, Portal, SOA and Data Services Platforms.

The JBoss Developer Studio tool itself is an interesting one -- it was originally developed as a closed source technology by tech vendor Exadel called Exadel Studio Pro. Red Hat acquired several Exadel technologies in March of 2007 including the Studio. In December of 2007, Red Hat completely open sourced the tool and renamed it JBoss Developer Studio (JBDS).

Having a fully integrated development studio is a key move in the middleware space for Red Hat in my opinion. Developers can now subscribe to a complete development environment that is more than just the IDE. As Red Hat continues to evolve its software business beyond just a platform play, having robust development tools will play a critical role.

The timing of Red Hat's announcement is important too. This week is EclipseCon, the big yearly gathering of those that participate in the Eclipse ecosystem -- which includes JBoss.

TomTom countersues Microsoft on patents -- Linux ?

By Sean Kerner   |    March 20, 2009

From the 'stand up and fight' files:

I'm not a lawyer (and I don't pretend to be one either), but it seems to me that counter-suing is a very common tactic in patent battles -- it's just the way things are done.

GPS vendor TomTom this week filed a patent infringement suit against Microsoft for allegedly violating four patents with the Microsoft Streets and Trips software. Microsoft in February filed suit against TomTom for eight alleged patent violations -- several of which were Linux specific. TomTom uses Linux as its underlying embedded operating system.

This is why the big patent holders cross-license items from each other: to prevent a back and forth patent claim battle. Patent portfolios are used as a deterrent against legal action. In my (non-lawyer) view, what happened with TomTom and Microsoft is that neither party was able or willing to negotiate a mutual licensing agreement of some sort to prevent this back and forth patent battle.

The fear in the Linux community, is that the Microsoft suit is an attack on Linux. With TomTom filing a counter-suit, it is evident that this is about intellectual property that TomTom thinks it owns -- it's a subtle difference.

For the record, over the last several weeks I've contacted the two major embedded Linux vendors (Wind River and MontaVista) and neither wanted to talk to me about the TomTom case -- which frankly surprised the heck out of me. I personally don't know if TomTom is using a roll-your-own embedded Linux (which is quite common) or if it benefited from MontaVista or Wind River support.

The vendor question is interesting because one of the reasons embedded developers choose MontaVista or Wind River is indemnification. In such a case (if I understand the law correctly) the OS vendors would then help to defend their user.

From a wider point of view though, Linux is Linux, and the Linux Foundation has publicly said it would step in if it was necessary -- so roll your own or otherwise TomTom would get some support.

One thing is for sure in this case, neither party is backing down quickly.

Safari, IE 8 and Firefox hit by Zero-Day at PWN2OWN

By Sean Kerner   |    March 19, 2009


From the 'I'm glad these are the good guys' files:

Apple Safari was hacked in under 2 minutes yesterday by way of a zero day exploit that has yet to be patched (or released into the wild). IE8 and Firefox were also taken down by zero day exploits. It was all part of the fun at the third annual PWN2OWN contest which kicked off yesterday (check out my story from yesterday on the PWN2OWN contest kickoff).

Security researcher Charlie Miller once again targeted Safari (he won last year) and demonstrated how he could hack Safari in under 2 minutes. Miller wasn't the only one hacking Safari at PWN2OWN; a security researcher who identified himself only as 'Nils' used a different exploit to bring Safari to its knees as well.

Nils also defeated Microsoft's IE8 browser.

"With a little tweaking, he ran a sleek exploit against IE, defying Microsoft's latest built in protection technologies," Terri Forslof, manager of security response at TippingPoint DVLabs, blogged.

Nils also managed to defeat Firefox 3.x with a zero day as well. In total Nils was awarded $15,000 by PWN2OWN for his hacking prowess.

The PWN2OWN contest winners are under a non-disclosure agreement not to publicly discuss their vulnerabilities until the vendors can patch them -- which is a very good thing.

What Nils was able to demonstrate, is that the three major browsers are all at risk (perhaps from a similar attack vector). If that knowledge were out in the wild that could lead to chaos, as no browser would be safe from attack.

What PWN2OWN and TippingPoint are doing is the responsible thing: they're passing the vulnerabilities off to the affected vendors so they can be fixed (hopefully) before the bad hackers exploit them in the wild.

Cisco Fatty a sad but true Twitter tale

By Sean Kerner   |    March 18, 2009

From the 'Twitter knows all' files:

Cisco CEO John Chambers recently announced that Cisco would have some staff reductions, but apparently they are still doing some hiring -- or at least trying to, until Twitter interfered.

A prospective Cisco hire (@theconnor, who has now protected his updates, though Twitter search still has the tweet) tweeted:

Cisco just offered me a job! Now I have to weigh the utility of a fatty paycheck against the daily commute to San Jose and hating the work.

Cisco, of course, is social media aware; they noticed the tweet and responded with a tweet of their own (by Cisco channel partner advocate Tim Levad).

Who is the hiring manager. I'm sure they would love to know that you will hate the work. We here at Cisco are versed in the web.

The final outcome of this little tweet exchange isn't fully known just yet, but Levad does offer some advice (in a tweet, of course):

Lots of new followers today. I wonder why. Be careful what you say, and have a great day.

Sage advice indeed, but also common sense that some people obviously just don't have.

Red Hat Certified Engineer program turns 10. Certs matter.

By Sean Kerner   |    March 18, 2009

From the 'I still don't have one' files:

There was a time when having an IT certification was the key to getting a job -- that time may be here again.

Back in 1999, when many of my colleagues were out getting MCSE's and CNEs (remember those?), Red Hat launched its Red Hat Certified Engineer (RHCE) program.

Ten years later, the program is still kicking, with Red Hat now boasting that it has certified over 38,000 people -- that's a pretty big number. Then again, think of how far Linux has come in the last ten years -- think of how far Red Hat has come too.

Ten years ago, most of us (Red Hat users) were running Red Hat Linux. That's a product that doesn't even exist today. We've got Fedora now (the modern equivalent of Red Hat Linux) and then there is Red Hat Enterprise Linux (RHEL). In 1999, in my experience, Red Hat was mostly run at the edge of the network as a webserver, firewall or file server.

Today, Red Hat powers the world's largest stock exchange and is a big partner of Cisco.

What role does training play in all that? A big one.

Having a professional certification is something that many large enterprises rely on as a mark of skill (though sure, lots of people, myself included, have skills without being certified). IDC actually recently named Red Hat as a leading IT education vendor. There are, of course, other Linux certification programs like those from the Linux Professional Institute (LPI), Novell and Canonical/Ubuntu too; the RHCE is however arguably more recognized (but hey, if you think I'm wrong just comment below).

As the economy turns and governments pour money into retraining the workforce, Red Hat and its training programs are likely to benefit.

Cenzic: IE tops browser vuln list with Firefox second

By Sean Kerner   |    March 18, 2009

From the 'beware the web' files:

With RSA coming, it's that time of year again when security trend reports start popping up. Today, application security vendor Cenzic published its Q3-Q4 trends report, which has some interesting findings.
 
Overall the number of vulnerabilities continues to rise led by web based vulnerabilities -- and oh yeah, Microsoft's IE had more issues, but Mozilla Firefox isn't all that far behind.

Cenzic reported that IE accounted for 43 percent of all reported web browser vulnerabilities in the second half of 2008. Mozilla's Firefox followed closely at 39 percent, while Apple Safari was pegged at 10 percent and Opera at only 9 percent. Cenzic's findings are a little different than those of research vendor Secunia, which reported earlier this month that Firefox had more vulnerabilities (though they were patched quicker).

In terms of the totality of reported vulnerabilities, Cenzic reported that in the second half of 2008 there was a 10 percent increase, totaling 2,835 reported vulnerabilities. Of those, 80 percent were web application related.

The trend toward web application vulnerabilities is no surprise to me (and shouldn't be to anyone) as this is something that has been happening for awhile. Hackers want to get at the largest number of people and the easiest way to do that is by way of a web application. In fact, Cenzic itself has been saying that web vulnerabilities are rising since at least July of 2007.
 

IBM Sun acquisition: Good for Unix and Linux. Bad for HP

By Sean Kerner   |    March 18, 2009

From the 'wouldn't that be something' files:

IBM is reportedly in talks to acquire Sun for a whopping $6.5 billion. At this early stage, it's not known whether this is a fact or just a rumor.

But just for the sake of argument, let's consider what a powerhouse IBM Sun would be. In my opinion, it would be a boon to both the Unix and Linux markets.

Between the two of them, they control two-thirds of the Unix market with AIX and Solaris. They also control a large portion of the big server market, with IBM's POWER and Sun's SPARC architectures. The only company in the Unix space that effectively competes against Sun and IBM is HP, and as a result an IBM-Sun combo would be a major challenge for it.

Then again, it wasn't that long ago that HP bought Compaq for $25 billion (and remember Compaq had DEC). So in terms of size and scale, IBM acquiring Sun is a smaller deal and may perhaps even finally be IBM's attempt at catching up, as it were. Bringing AIX and Solaris under one roof will help to consolidate Unix's position instead of fraying it with competition.

For Linux, Sun isn't unfriendly -- it has been working with Ubuntu/Canonical and others lately -- but Solaris is its main operating system push, the way I see it. With Sun as part of IBM, and IBM a major reseller of Linux, the equation changes. Sun would fall into the pro-Linux IBM fold in a manner similar to how HP today supports Linux.

Yes, there would be overlap -- just as there was for HP and Compaq -- but together, the combined IBM/Sun will challenge HP on a significantly larger level.

Expanding the competitive landscape a little, with Cisco getting into the server market and a tighter relationship with Red Hat, the overall IT landscape is changing. IBM and Sun both have to do something in response to Cisco's blade server, and a new combined entity might just be the ticket.

Google Chrome beta catches up to dev version

By Sean Kerner   |    March 17, 2009

From the 'not so bloody edge' files:

Google pushed out a new beta version of Google Chrome today, claiming greater speed than ever. To be clear, this is a beta-channel release - Chrome itself officially is not a Google Beta anymore.

Google has three versions of Chrome - dev, beta and stable (I run dev on my test box). The most recent dev version came out last week and was number 2.0.169.1. It is that version of dev that the new beta version is based on.

The basic premise is that the beta-channel version is more tested and less rough around the edges. As a dev-channel user, I can attest to the fact that the dev version has worked exceptionally well for me and hasn't seemed all that rough at all. Then again, my perception of rough is different from others'.

Google is claiming speed increases for those that haven't been on the dev track, though:

"The best thing about this new beta is speed. It's 25 percent faster on our V8 benchmark and 35 percent faster on the SunSpider benchmark than the current stable channel version and almost twice as fast when compared to our original beta version."

I'll be sticking with dev myself - but if you're still on stable and haven't made the move to dev, the new beta will be a big boost for you. I'm still waiting for my native Linux version though, and I know Mac users are eager for their crack at Chrome too.

Red Hat Linux joins Cisco for Unified Computing push

By Sean Kerner   |    March 17, 2009

From the 'read in between the lines' files:

Cisco's big Unified Computing blade server push yesterday pulled in a lot of partners, among them Red Hat. There are a number of things that make the Red Hat / Cisco partnership extremely interesting from my point of view, and they indicate the importance of Linux to Cisco and of Cisco to Linux. Among them is the fact that from day one Linux will be a key operating system for the Cisco Unified Computing System (UCS).

1) While Cisco had many partners joining its release, only EMC, VMware, BMC, Accenture and Red Hat got their own unique press releases listed on the Cisco website.

2) In the Red Hat release on the Cisco site, there is a video from Red Hat CEO Jim Whitehurst that exposes some really interesting facts. Among them is the fact that Red Hat and Cisco have joint beta site customers (plural) for the Unified Computing System. That's A BIG DEAL. During Cisco's press conference yesterday, Cisco claimed to have only 10 beta sites for UCS in total.

That means that at least 20 percent (and maybe more if you consider that several means more than one) of Cisco's UCS business will be Linux from day one.

Cisco and Red Hat have worked together on high speed messaging related to RDMA - remote direct memory access (something I reported on earlier this month that both Red Hat and Cisco use). Cisco is a top contributor to Linux overall, working on its own as well as with partners Red Hat and MontaVista Software.

Having Red Hat Enterprise Linux as a key operating system on the massive Cisco blade server will bring Linux to a scale that is industry leading in many respects. With scale come improvements, and since Red Hat is open source, those improvements will find their way into the Linux mainstream at some point, benefiting the wider community.

#3hotsecurewords Twitter top ten trend

By Sean Kerner   |    March 17, 2009

From the 'security is fun' files:

An interesting trend hit viral proportions on Twitter yesterday as the hash tag #3hotsecurewords became a top trend. As a security guy and someone that appreciates (and on Mondays really needs) a good laugh, this was a trend that I really enjoyed. So for you, my good readers, I'm going to pull out what I see as the top ten entries in the #3hotsecurewords discussion.

1) Don't Tell Anyone
2) One Password Everywhere
3) Easy Fix Right?
4) Pull the Plug
5) CTRL ALT DEL
6) We're All Patched
7) Blind SQL Injection
8) Reinstall OS Again
9) Deny by Default
10) Plug and Play

What was your favorite #3hotsecurewords tweet? Follow me on Twitter @TechJournalist and let me know!

What's on your network? Cymphonix wants to know

By Sean Kerner   |    March 16, 2009

From the 'free trial' files:

Knowing what's running on a network is a challenge for many network administrators -- and it's a challenge that many vendors are trying to solve too. Networking vendor Cymphonix is one such vendor with its Network Composer technology. Starting tomorrow (March 17th) they're offering a free 30 day trial of a new tool based on Network Composer called Network Revealer. The basic idea is to let you see everything that is running on your network inside a slick web-based interface.

"Network Revealer will help IT managers assess unsafe or inappropriate behaviors affecting their network--we see this as an effective way for companies to achieve 'true visibility' into their Internet through an easy-to-use software tool," said Kevin Santiago, CEO of Cymphonix in a statement to be released tomorrow. "With Revealer we see an opportunity to bring our technology to a broader customer-base by offering the product at no charge, while giving our partners a way to demonstrate the technology to their prospective customers from the convenience of a Web browser."

It's a good idea and one that will likely resonate with many network administrators. Cymphonix has some interesting proxy detection technology that I wrote about earlier this year, which is also neat in that it can help identify when anonymous proxies are being used and restrict them.

Cymphonix has plenty of competition though, especially on the open source side, with network monitoring tools and systems like Nagios, Groundwork, Zenoss, Hyperic and others providing visibility and control over networks. I'm not sure how Cymphonix with a limited free trial will compete effectively against those vendors whose free and open source offerings are, in effect, a permanent free trial. That said, Cymphonix is a hardware vendor too, and by making Network Revealer available under a limited trial, they're likely to push some hardware business as well (which isn't what the open source vendors are really pushing).

Study: IT turning to Linux in economic downturn

By Sean Kerner   |    March 16, 2009

From the 'self serving study' files:

A new report out today from IDC, sponsored by Linux vendor Novell, indicates that the current economic downturn is a good thing for Linux adoption, with more than half of the IT executives surveyed planning to accelerate Linux adoption in 2009.

This is definitely something we've heard before from multiple open source and Linux vendors, but the IDC report puts some numbers to the premise.

According to IDC, in a poll of 300 IT professionals, more than 72 percent reported that "they are either actively evaluating or have already decided to increase their adoption of Linux on the server in 2009."

The numbers on the Linux desktop are equally encouraging with some 68 percent reporting they would be looking closely at adoption.

On the deep drill down of the IDC results, it looks like the retail industry is leading in terms of the potential for Linux adoption (69 percent on the server and 63 percent on the desktop).

A key driver for moving to Linux, according to the study, is virtualization -- again no big surprise in my view. 88 percent of respondents reported that they "plan to evaluate, deploy or increase their use of virtualization software within Linux operating systems over the next 12-24 months."

"Economic downturns have the tendency to accelerate emerging technologies, boost the adoption of effective solutions and punish solutions that are not cost competitive," said Al Gillen, program vice president, system software, IDC in a statement. "This survey confirms that Linux users view it favorably, and this view places Linux in a competitive position to emerge from this downturn as a stronger solution."

There are a few obvious problems with this survey - the first being the fact that it's sponsored by a Linux vendor. I'm not saying that IDC skewed the results, but it is important to point out and be fair about who paid for the research.

The other interesting point is the fact that Novell itself isn't growing its own Linux business at quite the rate it wants - recession or not. That said, the findings do show a positive trend and attitude towards Linux adoption. It will be interesting to see how that translates into increased revenues for Linux vendors like Novell as the year goes on.

Cisco Blades competing with HP

By Sean Kerner   |    March 16, 2009

From the "what would you do with $30 billion" files:

Big day today for Cisco and the entire IT hardware market as Cisco enters a new market with its blade server announcement. The official press conference is at 11 AM ET, but it looks like Cisco's CTO Padmasree Warrior has already been talking.

"We're going to compete with H-P. I don't want to sugarcoat that," Warrior told the WSJ. "There is bound to be change in the landscape of who you compete with and who you partner with."

HP already competes with Cisco, with its HP ProCurve equipment on the enterprise side, so I don't think there is a real surprise in Warrior's comments; co-opetition is the name of the game, after all.

One thing is for sure: as I wrote on Friday, Cisco's news today is Big News for IT in general. I've been writing on Cisco fairly regularly since 2004, and in the last five years I have never been solicited by so many different vendors and analysts all seeking to provide comment on this news.

It seems as though everyone has an opinion and something to say. Again, this shouldn't be a surprise. The typical bunch of Cisco networking competitors all have a view, then the new bunch of server competitors all have a view, and then there are the analysts that cover networking and servers who all have views. Add it all up and today is going to be one busy day for tech.

At InternetNews.com we've got this event covered and we'll be updating our blogs and main site through the day as events transpire, so stay tuned.

**UPDATE** My story on the full news event is now up on the main InternetNews.com site.

Firefox 3.1 Beta 3 Test Day is today

By Sean Kerner   |    March 13, 2009

From the 'dumb newbie bug' files:

Firefox 3.1 Beta 3 came out yesterday and today Mozilla is hosting Firefox Beta Test Day.

As opposed to every other browser vendor I know, Mozilla has a very open and transparent process for testing, in which it actively engages the community and encourages broad testing participation.

Mozilla is asking users to run tests on Firefox 3.1 Beta 3 using the Litmus system as well as just basic user interaction to see what's working and what's not.

I've got a few quick 'non-technical' bugs to point out here (if I have real technical bugs I'll be sure to submit them, as everyone should).

1) The Official Test Day is Over before It Begins.
Check out this image from the official Mozilla QA page on the test day (as @ 1:50 PM ET on March 13):

[Screenshot of the Mozilla QA test day page]

ROME 1.0: Open source Java feed tool is done.

By Sean Kerner   |    March 13, 2009


From the 'veni, vidi, vici SPQR' files:

ROME was not built in a day.

I'm talking about the Sun-sponsored Java open source ROME project here. ROME is an effort I've been tracking for years, and it is supposed to provide a unified set of tools for parsing, generating and publishing RSS and Atom feeds.

Yes, it's a good idea -- that's why Sun has been working on it for so long. There used to be a lot of confusion across the various RSS (1.0, 2.0) and Atom formats, but in recent years I just don't see that same confusion, at least from an end user point of view. Most modern feed readers just work and leave the mystery of feed format parsing in the background.

ROME, which has now finally hit 1.0, has had many iterative versions over the last four years and is a key tool that will enable Java developers to navigate the feed format mystery with relative ease.

Firefox 3.1 Beta 3 now out. Next stop Firefox 3.5

By Sean Kerner   |    March 12, 2009

From the 'good things come to those who wait' files:

At long last, Mozilla today is releasing Firefox 3.1 Beta 3. The Beta 2 release was out in early December, itself a month overdue.

So what's in the new Beta 3?

Mozilla has improved the Private Browsing Mode (aka Porn Mode) to make it even more private. The general idea behind Private Browsing is to have a browser session in which cookies and the history file are not saved beyond the actual session.

On the speed front, the TraceMonkey JavaScript engine gets stability and performance improvements. TraceMonkey in my view is a critically important feature, perhaps the most important new feature in Firefox 3.1 as a whole. The general idea is that it is faster than the JavaScript engine in Firefox 3.x and is competitive with Apple Safari's Nitro JavaScript engine and Google Chrome's V8 JavaScript engine. Faster JavaScript engines mean faster code execution, which means faster web experiences.

Mozilla also claims to have made improvements to the core Gecko rendering engine that will make content rendering faster overall. It's great to have fast JavaScript, but a faster Gecko in combination is really key.

Though this is Beta 3 for Firefox 3.1, it's actually the last Firefox 3.1 release, period. The next beta is going to be called Firefox 3.5 Beta 4 in order to give the release more stature with the bigger release number. Firefox 3.5 Beta 4 is currently targeted for an April 14th release.

Sendmail going to the cloud

By Sean Kerner   |    March 12, 2009


From the 'are you still using Sendmail?' files:

At one point or another nearly every human that has ever used email has benefited from the open source Sendmail mail transfer agent (MTA).

Sendmail at one point was THE MTA (included with every Linux distro), and like everyone else I used it every day too. Today Sendmail claims that it is on over 35 percent of all Internet servers and delivers over 65 percent of all email messages sent globally.

Now Sendmail Inc., the lead commercial vendor, is going to up the ante. InternetNews.com has learned that on March 17th, Sendmail Inc. plans to announce new cloud-based email security services.

The new services will be a hybrid on-premise and cloud approach, taking advantage of the benefits of both deployment scenarios.

Sendmail is coming to the game a week after Cisco's IronPort announced the same basic thing.

Using a hybrid approach means that inbound email gets filtered in the cloud, while outbound mail that may need to stay on premise for compliance and policy reasons can also be secured. It's a nice mix and no doubt one that will continue to gain traction in the market, with more announcements from other vendors to come.

The hosted email market is already massive, and I'd expect hybrid email security will similarly be an area of growth for those vendors that get it right.

HP releasing new Flash security tool soon

By Sean Kerner   |    March 11, 2009

From the 'things you see at Black Hat' files:

People talk about all kinds of things at a Black Hat event, sometimes even unreleased commercial products. Nearly a month ago, I was in a session at Black Hat DC where HP security researcher Prajakta Jagdale talked about the security risks associated with Flash. Buried in that presentation was the discussion of a tool called SWFscan -- a new tool under development at HP that decompiles Flash code and looks for vulnerabilities.

InternetNews.com has now learned that HP plans to officially announce a Flash security tool on March 23.

In her Black Hat presentation, Jagdale gave an overview of SWFscan that showed some interesting capabilities.

Unfortunately, the Black Hat presentation link to Jagdale's slides is no longer operational. Fortunately for me (and for you, good readers), I got a CD copy from the conference and I took decent notes while sitting in the presentation.

Google Fixes Chrome 2.0.169.0

By Sean Kerner   |    March 11, 2009

From the 'update now' files:

Google has updated its Chrome browser dev-channel edition to version 2.0.169.0. The new release comes just days after the 2.0.168.0 release, which had over 150 bug fixes.

All told, what it means to Chrome users is that Chrome today is a lot better than it was a week ago. At the top of the list for me is a new version of V8 -- that's Chrome's speedy JavaScript engine. Google also claims it has made improvements to the full screen mode that first appeared in the 2.0.166.1 release a few weeks ago.

On the more minor -- but still interesting -- side of things, the 2.0.169.0 release adds even more support for EV-SSL (extended validation) certificates, with support for the SwissSign Gold CA - G2 root certificate authority and the DigiNotar root certificate authority.

Even with the bug and stability fixes in the latest version, Chrome does not yet have one key feature that Google is still working on -- Add On/Extension support. Oh, and there still isn't a Mac or Linux version either.

Symantec Pifts.exe is no conspiracy. It's human error

By Sean Kerner   |    March 10, 2009

From the 'human error' files:

Everyone loves a good conspiracy (myself included) - which is what led to a wildfire of speculation today about Symantec trying to download alleged malware onto users' PCs, with a file called pifts.exe.
To add further fuel to the fire, Symantec deleted posts in its user forum related to the pifts.exe issue.

I just spoke with Symantec, and they argue that the file is not malware and that the error they made was a human one.

Jeff Kyle, group product manager at Symantec, explained to me that pifts.exe was a diagnostic patch for the Norton Internet Security 2006 and 2007 versions. The patch was out for three hours before Symantec noticed that it wasn't digitally signed. Symantec signs all of its patches to ensure authenticity; because this patch was not signed, it triggered a malware alert on anti-virus systems.

"It was a human error that the patch wasn't signed," Kyle said. "I've never seen that before and I can't recall that ever happening at Symantec."

The second part of the pifts.exe conspiracy is a little more insidious, with all forum postings related to the flaw being deleted by Symantec. That's the part that isn't human error, and it points to what I personally see as a serious and significant issue.

Google Summer of Code 2009 opens up with Melange

By Sean Kerner   |    March 10, 2009

From the 'time to apply' files:

It's Summer! No it's not (but hey, we can dream..) -- It is time, though, for another round of Google's Summer of Code (SoC). The SoC is an effort that first started in 2005 to get students involved in open source code development. Google provides a stipend to the student and to the mentoring organization that helps the student.

The SoC started off in 2005 with an allocation for 200 students and a budget of $1 million, which ultimately grew to 410 students that same year.

In 2008, the SoC grew to a staggering 1,125 students, which totaled an open source cash infusion of at least $5.6 million.

2009 is a recession year -- even for Google, so initially (at least), Google is capping the number of students for the SoC at 1,000. In terms of mentoring organizations Google worked with 175 different groups in 2008 and expects a slightly lower number for 2009.

Also of interest for SoC 2009 is the fact that Google is using a new home grown system called Melange to manage the effort. Melange was first announced at OSCON in 2008. The name 'Melange' is an homage to the concept of Melange / spice from Frank Herbert's Dune novels.

The deadline for mentoring organizations to submit is March 18, 2009, and Google will begin taking student applications on March 23, 2009, with the deadline for student applications on April 3rd. On April 20th, Google will formally announce the accepted student applications, and then after a several week learning period students will begin coding their projects on May 23rd. The SoC coding then continues on until August 17th.

While I don't know if Google's Melange will create a Muad'Dib Paul Atreides type superhero, I do know that in its 4 years of existence the SoC has had a tremendous impact on the open source ecosystem, leading to countless functions and innovations that I benefit from every day.

"The sleeper has awoken."

WAN Optimization market worth $1 billion in 2008

By Sean Kerner   |    March 09, 2009

From the 'that's good coin' files:

A new report from Infonetics Research has pegged the value of the WAN optimization market in 2008 to be worth over $1 billion.

That's a new milestone for the market and in my opinion clearly shows that demand for WAN optimization is real.

"In 2008, the WAN optimization appliance market crossed the $1 billion mark for the first time, increasing 29 percent from the previous year," Matthias Machowinski, Directing Analyst, Enterprise Voice and Data, Infonetics Research said in a statement. "Impressive results for a year in which the world's economies slowed and many related networking segments struggled."

In terms of who is leading the pack, Infonetics has Cisco in the lead for revenues followed by Blue Coat in second and Riverbed in third place for 2008.

Firefox 3.5: What's in a browser number?

By Sean Kerner   |    March 09, 2009

From the 'tomAYto, tomAHto' files:

At the end of February I wrote about Mozilla developers calling for Firefox 3.1 to be renamed Firefox 3.5. It's now official, so the next new Firefox version release will be Firefox 3.5.

Firefox 3.1 is currently at Beta 2 with a third Beta coming as soon as this week.

The reasons for moving the name from Firefox 3.1 to 3.5 are relatively simple. The release has taken more time than initially expected, and the release contains more significant features than a simple x.1 release might indicate.

However, the jump to Firefox 3.5 doesn't mean that Mozilla is now adding more into what was known as Firefox 3.1.

"It's important to note that 3.5 represents a better labeling of our *current* scope, and not an indication that we intend to significantly increase this release's scope any further," Mozilla's Mike Shaver wrote in a mailing list posting. "Beta 3 will be the last milestone release with the 3.1 version number, and Firefox 3.5b4 will be the following one."

The version after Firefox 3.5 will now have the placeholder label of Firefox 3.6, but that doesn't mean that is what that release will ultimately be called.

A jump from a x.1 to an x.5 release has historical precedent at Mozilla -- the same thing happened with the Firefox 1.1/1.5 release in 2005.

The general idea is that a bigger number signifies a bigger change to users. With a new JavaScript engine in place, Firefox 3.1/3.5 is a big change. Frankly, I'm not sure why it wasn't labeled 3.5 (or perhaps even Firefox 4) earlier.

In a broader software context, major version changes imply a significant rewrite of a core component and sometimes a change in the underlying API compatibility.

In comparison to its competitors, Apple Safari is making the jump from Safari 3.2 to Safari 4, based strongly on its new Nitro JavaScript engine. Microsoft is jumping from IE 7 to IE 8 with a long list of new features and as it ramps up its new Windows 7 operating system. Google Chrome stable is currently at the 1.x release, with its dev-channel currently at 2.x.

Like it or not, Firefox is in competition against other browsers, and naming it Firefox 3.5 is the right way to go -- it implies something significant, and based on my usage of Firefox 3.1 so far, it sure is one significant browser improvement.

Mozilla Firefox building on EV-SSL

By Sean Kerner   |    March 06, 2009


From the 'how secure do you want to be' files:

Extended Validation SSL (EV-SSL) certificates recently turned two, and they seem to be growing in adoption, with over 11,000 sites.

EV provides additional audit and verification to ensure that a site is authentic. A critical part of the EV-SSL ecosystem is the browser vendors, and one of the first to support EV-SSL was Mozilla Firefox.

I asked Mozilla's 'Human Shield' (and all around good guy) Johnathan Nightingale about his views on EV-SSL, and he's optimistic on the technology, though there is still more to be done.

"EV gives us a strong foundation for website identity, our focus now is to build on that," Nightingale said. "Now that we have a place in the browser to talk about a site's identity, we'd like to expand the information there to include details about your relationship with that site."

He added that the included information could be a user's history with a site, whether they have saved passwords there or have bookmarks for the site, as that information all helps users to know who they're dealing with online.

"Arming our users with useful identity information was a central motive behind our participation in writing the EV guidelines, and it's something we will continue to do."

It's a great idea, and I think that Mozilla is moving in the right direction. The fundamental issue, though, still remains that users will still do insecure things. It's something that domain registrar GoDaddy's COO Warren Adelman reminded me of when I spoke to him for my original article on EV-SSL.

"We still live in a world where people fall for spam e-mail," Adelman commented. "So leaping to educating people about the padlock and green and EV-SSL, we have an educational process that will take years to unfold."

Cisco's PostPath to Linux powered hosted email

By Sean Kerner   |    March 06, 2009

From the 'network is the platform' files:

I wrote a story earlier this week about Cisco's new hosted email security offering. Buried in that story was an interesting new Linux development that I want to call attention to:

Cisco is building a (Linux powered) hosted email service.

This is new, and it will change the competitive landscape for hosted email once it is available. Cisco will be leveraging its PostPath acquisition to develop the upcoming hosted email service. PostPath offers a Linux-based e-mail, calendaring and collaboration solution.

The release earlier this week was just about the security side of email, but with PostPath in play Cisco will soon have a full platform and will be competing against the likes of Google Gmail (on the enterprise side) for corporate email dollars.

PostPath has "been working closely with [Cisco hosted Web conferencing unit] WebEx on a hosted e-mail offering," Keith Valory, director of product management for Cisco's security technology unit, told me. "I don't want to talk too much about that, but I can say we're working very closely and the security solutions will be a part of that when it comes out," he said. "I will say that through the PostPath acquisition, Cisco has invested heavily in that space."

Cisco CEO John Chambers has for years been proclaiming that 'The Network is the Platform'; what could be more key to the platform than email?

It will be interesting to see how the PostPath technology furthers Cisco's Linux interest as well, since Cisco tends not to do things on a small scale. A large Linux-powered hosted email system will no doubt result in scalability and performance improvements that could well extend beyond the confines of Cisco itself and benefit the broader open source ecosystem.

Firefox has the most bugs and the fastest fixes

By Sean Kerner   |    March 05, 2009


From the 'if it's broke fix it' files:

According to a new report from security vendor Secunia on vulnerabilities in 2008, Mozilla's Firefox web browser topped the list at 115 reported issues. In comparison, Apple Safari had 32, Microsoft Internet Explorer (IE) had 31 and Opera had 30.

Simply counting vulnerabilities alone does not make one browser less secure than another. Rather, how fast a browser vendor is able to fix issues and not leave users exposed to risk is something that could define a more or less secure browser.

According to Secunia's analysis, for vulnerabilities that were disclosed without or prior to vendor notification, Mozilla was significantly faster than Microsoft. Mozilla took a low of 15 days to a high of 86 days until such non-vendor-disclosed issues were fixed. On the other hand, Microsoft had a low of 78 days with a high of 294 days.

To be fair, the issues that Secunia has identified in the time-to-patch category range in severity, and certainly not every issue identified was critical. That said, time to patch is still an interesting metric to note, and perhaps a leading indicator of browser security.

openSUSE 11.2 Fichte will fight Koalas and Spartans

By Sean Kerner   |    March 05, 2009


From the 'what's in a name' files:

Novell's openSUSE community manager Joe Brockmeier just announced that the codename for the upcoming openSUSE 11.2 release is Fichte.

Fichte was a famous German philosopher and idealist.

Linux distro naming is something that has become more interesting in recent years, thanks in no small part to the wacky names that come from Ubuntu.

So what we have shaping up in the next round of Linux distribution releases is a German philosopher (openSUSE 11.2) squaring off against a Koala (Ubuntu) and the Spartan King Leonidas (Red Hat Fedora 11).

Do names say a lot about the different distros themselves?

Well, let's try this out as a thought experiment, shall we?

With Fichte, openSUSE is the German intellectual. Thoughtful and deep if not verbose.

With the Karmic Koala, Ubuntu is the tripped out cosmically balanced cute little animal that craves attention.

With Leonidas, Fedora is the warrior standing its ground with its principles in the face of a massive onslaught.

The truth, of course, is that since all three distros share so much in terms of underlying code and shared open source applications, there are many similarities between them. But still, the different names are differentiators, and each distro is truly a different animal and/or historical figure.

PHP tops new survey for developer satisfaction

By Sean Kerner   |    March 04, 2009


From the 'you can get satisfaction' files:

There are some devs out there that don't like PHP, and then there are those that do.
A new survey from Evans Data of over 500 developers asked questions in 12 different categories to see which dynamic languages they like best.

The study asked about Ruby, Python, Perl, JavaScript, Flex and VBScript, and the overall crown went to PHP. Ruby placed second, followed by Python and then Perl.

The 12 categories ranked by Evans Data were: Ease of Use, Exception handling, Extensibility, Maintainability / Readability, Cross-platform portability, Community, Availability of tools, Quality of tools, Performance, Memory management, Client side scripting and Security.

Digging into some of the specific categories, JavaScript beat out PHP for the top score in client-side scripting, which is no surprise to me personally. Python was the winner in the memory management and extensibility categories, which also makes sense.

The bottom line for developers is always to choose the right language for the task at hand. Still, this report is a good result for those with PHP sites and apps, as it helps to further reinforce the validity of their choice.

Cisco gets animated about security in The Realm

By Sean Kerner   |    March 04, 2009

cisco.the.realm.jpg

From the 'it's comic book wednesday' files:

As every geek knows, Wednesday is comic book day (the day that every comic book store in America gets new issues from Diamond, the only comic book distributor left). This week, though, we've got a new free online entry from a most unusual publisher, networking vendor Cisco, with their title 'The Realm.'

The Realm is an online comic that animates the panel flow and adds voice narration. Creatively it's an engaging experience, not as complete as a full-scale animation but more alive than just a flat 2D image.

The basic concept is that there are a few 'heroes' fighting a botnet of some sort. The head of the heroes is Defender Jux, a bald Morpheus (Matrix) type, and then there is 'Vixa,' the buxom female hero. Defender Trace kind of reminds me (as drawn) of Daniel Jackson from Stargate, and then we've got Defender Wall, who is clearly the no-nonsense, go-in-with-guns-hot marine type.

The botnets are literally 'bots' (not quite Transformer Decepticons or Terminator T-888s, but hey, we'll see) that attack the defenders.

Yes, the threats that face modern networks are very real. But since so much of it happens in the Ether(net), it's sometimes hard to personify.

A comic like The Realm may well serve to help people take a different view on security as a classic struggle between the forces of good (the superhero defenders) and the evil bots. I enjoyed the first episode personally and will watch the next one too.

Cisco has been involved with fighting 'robots' before too: for a brief period Cisco sponsored a Terminator: The Sarah Connor Chronicles game called Evasion (that site is no longer live). I wonder if Cisco will have a play in the upcoming Terminator Salvation movie too; no doubt John Connor could use a little help fighting Skynet.

Linux Foundation acquires Linux.com

By Sean Kerner   |    March 03, 2009

tux.jpg
From the 'whatever happened to..' files:

The Linux Foundation has acquired the Linux.com domain from SourceForge. Financial details of the deal are not being publicly disclosed at this time.

I spoke with Jim Zemlin, Executive Director of the Linux Foundation (and all-around super Linux promoter dude), today about the transaction and what it means for him, for Linux and for me (since after all I write about Linux and am worried that Linux.com will become a new competitor, which it won't).

Linux.com went 'dark' in January of this year, laying off its staffers including Robin 'roblimo' Miller and David Graham (who managed the links). The site had been a content site for Linux news and reviews, but that's not necessarily what the new Linux.com under the ownership of the Linux Foundation will be all about.

Zemlin told me that initially the Linux Foundation will have an 'ideaforge' where people can sign up at Linux.com and provide their recommendations about what should be on Linux.com. Zemlin assured me that he's not trying to create a new competitor for me (or others in the Linux news business), but rather that Linux.com will be positioned as a resource for Linux as a whole.

"We're not a breaking news organization. We don't do what you do," Zemlin told me.

Happy Square Root Day ! 3/03/09

By Sean Kerner   |    March 03, 2009

From the 'today we're all square' files:

Look at the calendar. Notice anything interesting? It's the third day of the third month of '09. The square root of 9 is, yup, 3 (remember grade 5 math?).

So Happy Square Root Day! This is something that doesn't happen all that often.

The next Square Root Day isn't for another seven years, on 4/4/16.

(and you thought 123456789 day was fun!)

Circuit City sells off Canadian operations to Bell Canada

By Sean Kerner   |    March 02, 2009

bell.jpg
From the 'battery of the month club' files:

Financially challenged consumer electronics retailer Circuit City is selling off its Canadian stores to Bell Canada. Financial terms of the deal are not being disclosed at this time.
My colleague Andy Patrizio has been writing about the Circuit City bankruptcy in the US, but we didn't know what was going to happen to the Canadian operations.

Circuit City in Canada is an interesting entity for me. Technically the stores are called "The Source by Circuit City," and they are in locations that for most of my life were called Radio Shack. Circuit City bought out InterTAN Canada (the one-time owner of the Radio Shack name in Canada) in May of 2004.

What's interesting to me about this new deal is that in many of the malls where a Radio Shack/The Source exists, there is also often a Bell Canada retail store (Bell stores sell mobile phones, home phone service and satellite TV). I wonder if they'll now try to merge/consolidate those operations.

There are 750 'The Source' stores in Canada; no word yet on how many will remain under Bell or whether the name will change.

I wonder if they'll bring back the 'battery club' thing, though (you'd bring your card in to a Radio Shack Canada location and you'd get a free battery every month).

Linux Foundation Training Program isn't certification

By Sean Kerner   |    March 02, 2009

tux.jpg
From the 'it's time to train' files:

The Linux Foundation put out a release this AM announcing a new Linux Training Program. My first reaction was, 'Is the Linux Foundation now going to compete against the Linux Professional Institute (LPI) and their Linux certifications?'

The LPI has been the standard bearer of Linux certification for years, and as it turns out, the Linux Foundation isn't going to compete with them.

"The LF training program is focused on more advanced technical training and on connecting developers and operations people directly with leaders from the developer community," Amanda McPherson, Linux Foundation marketing director told InternetNews.com. "This does not compete with LPI at all. LF's program is focused on training. LPI provides certification."

The training that the LF will provide includes Essential Linux Device Driver Development Skills, Creating Applications for Linux, and Kernel Debugging and Performance. The training will initially occur at LF events.

The LPI, on the other hand, has a certification program known as LPIC (Linux Professional Institute Certification), which is based on a series of tests offered at testing centers around the world. Red Hat is also active in the Linux certification space with its RHCE (Red Hat Certified Engineer) certification.

Personally I think that education is the key to greater Linux understanding and usage.

That said, it would be neat to see the LPI and LF somehow co-ordinate their efforts in a way that mutually advances both training and certification. The way I see it, there is confusion in the Linux certification marketplace, and it's something that a broad industry effort like the Linux Foundation could help to address.