RealTime IT News

Blog Archives

Sun taps PIE Theory to make JavaFX jump?

By Sean Kerner   |    April 30, 2009

From the 'don't get Lost on the Fringe' files:

Getting developers excited about new technology can sometimes be an interesting process. Sun (soon to be Oracle) is trying out a new viral marketing effort to get developers interested in its JavaFX technology, with something called PIE Theory.

Basically what they're doing is trying to tap into SciFi/paranormal culture to generate interest. Think X-Files but for Java code.

P.I.E is an acronym for Paranormal Investigations Experts, which is basically two dudes, Baron Hector. They've got this idea called JUMP theory, which theorizes that all major scientific breakthroughs come from 'other' sources (extra-terrestrials maybe?).  No it's not quite Stargate's Daniel Jackson, and it's not quite Mulder either, but the cliches are the same.

By tracking the clues, users are supposed to figure out this next jump -- which is JavaFX related.

There is a JavaFX site, YouTube videos, a Twitter hash tag (#PIE314) and other social networking connections as part of this effort. It's an interesting idea and certainly one that I haven't seen before.

That said, digging into PIE Theory myself, I did find at least one conspiracy that I'm not sure Sun intended.

When you join PIE Theory you're sent to a welcome screen to download a recruit kit. The only problem (for me at least) is that the kit is only available (as far as I could find today) for Windows and Macs.

That's right OpenSolaris and Linux developers, no recruit kit for you (at least today). Here's my own screenshot (taken today) of this new 'conspiracy'.

PIE.recruit.gif

Open Source SugarCRM goes Expressly into the Cloud

By Sean Kerner   |    April 30, 2009

From the 'what's the difference between on-demand and the cloud?' files:

Open Source CRM vendor SugarCRM has a lot of free community users. In fact, Martin Schneider, Director of Product Marketing at SugarCRM told me that they have 500,000 users, which is quite a lot for a CRM product. The problem is that those users are not necessarily generating any direct revenues for SugarCRM as a professional open source company.

In order to migrate some free users to being paid users, SugarCRM this week revised its pricing model and added a new entry level paid solution called Sugar Express. Schneider attempted to argue that the new Sugar Express as a hosted service would actually be cheaper for a small business user to run than trying to run it on their own (Sugar Express starts at $7 a user per month).

Speaking of hosted solutions, before this week, Sugar used to call its hosted solutions Sugar On Demand, but now they've rebranded their offering to take advantage of the new hot term in IT, the cloud.

When I asked Schneider what the difference was between Sugar On Demand and the Sugar Cloud, he admitted that it's really just a "mild evolution" of what Sugar had already been doing. The Sugar Data Center Edition that I wrote about last year is being rebranded as well to include the word 'cloud'. Funny how SaaS, on demand and data center now all just mean 'cloud', isn't it?

Branding issues aside, SugarCRM is continuing to advance its open source project. Currently they are at version 5.2, though Schneider noted that a version 5.5 is in the works.
 

NetBSD 5 speeds up kernel, drops HP-UX support

By Sean Kerner   |    April 30, 2009

From the 'BSD Lives' files:

NetBSD 5.0 is out, introducing a long list of new features to the BSD operating system with the first big major release since NetBSD 4.0 came out in 2007.

Among the big changes are improved scalability and performance improvements, thanks to a new threading subsystem that is optimized for multi-core systems. The NetBSD kernel itself has been improved to include kernel preemption, a new scheduler as well as some real-time extensions.

"Almost all core kernel subsystems, like virtual memory, memory allocators, file system frameworks for major file systems, and others were audited and overhauled to make use of highly concurrent algorithms," NetBSD 5.0's release notes state.

NetBSD has also included a new file system preview with FFS which is a WAPBL (Write Ahead Physical Block Logging) system, as well as a new Power Management Framework.

NetBSD is a derivative of UC Berkeley's 386BSD Unix, with the first NetBSD release appearing back in April of 1993. It competes in the BSD variant space with FreeBSD and OpenBSD and is also considered to be a competitive alternative to Linux as well.

At one point in NetBSD's history having Unix compatibility, specifically HP-UX compatibility was a key feature, but that's no longer the case with NetBSD 5.0. At the bottom of the changelog is a list of items that have been removed from NetBSD for various reasons. Among those items removed is: HP-UX binary compatibility.

In the BSD space, FreeBSD tends to be the most popular (from what I personally have seen), but that's not to take away from the importance of NetBSD, OpenBSD and even DragonFly BSD. They are all part of the ecosystem as well. Though the BSDs do compete among each other somewhat, they also co-operate (a bit) and are all part of growing BSD usage.

Going deep into GCC 4.4 with Red Hat

By Sean Kerner   |    April 29, 2009

From the 'digging into GCC 4.4' files:

GCC 4.4 is a critically important component of the open source software landscape. It officially was released last week and I blogged on it briefly, but felt the need to get more insight. Fedora 11 which hit its preview release yesterday lists GCC 4.4 as one of its key features and Red Hat is a key contributor to GCC, so I asked Red Hat for their views on how GCC 4.4 will make a difference.

Tim Burke, Senior Director, RHEL Product Development told me that in his view the most significant new advancement in gcc 4.4 over gcc 4.3 is OpenMP 3.0 support (gcc 4.3 had OpenMP 2.5 support).

Burke explained that the significant feature in OpenMP version 3.0 is the concept of tasks. One can specify whole sections of their code as separate tasks that can be run in parallel. (OpenMP 3.0 specifications can be found here: http://www.openmp.org/mp-documents/spec30.pdf and a good overview of the OpenMP standard can be found here: http://en.wikipedia.org/wiki/Openmp).

"OpenMP allows programmers to more easily create efficient multi-threaded programs in C/C++," Burke explained. "With OpenMP 3.0 the user can explicitly section off code they wish to run in parallel."

So what's next for GCC from Red Hat's point of view?

Nortel bankruptcy protection extended

By Sean Kerner   |    April 29, 2009

From the 'still down but not out' files:

Telecom and networking vendor Nortel Networks is still in trouble. Four months after entering into creditor protection in both Canada and the US, Nortel needs more time to restructure and protect itself from creditors.

Nortel has been granted an extension by the courts for its protection until July 30th.

Will it be enough time for Nortel to get its house in order? Well considering how little it has done in its first 90 days of protection, I'm not so sure.

I had expected that Nortel would begin some selloffs of its key assets. To date, the only asset that I've seen them sell is its Alteon assets. That particular divestiture resulted in an $18 million sale for Nortel. That's just not enough.

I have spoken with their new Enterprise leader John McHugh, who hinted that Nortel is ramping up new platforms so things are happening. It's just that from where I sit not enough things are happening.

Nortel should likely be selling off more than just $18 million worth of its assets. No doubt the restructuring process is a very difficult one and no one should underestimate the immense challenges Nortel faces. It will be interesting to see what the next 90 days will bring and whether or not we will in fact see another divestiture from Nortel.

IBM expands networking channel with Brocade

By Sean Kerner   |    April 28, 2009

From the 'it's all about partners' files:

IBM (NYSE:IBM) does not have its own networking equipment business, but that's not stopping it from selling networking gear. Today, IBM announced a reseller agreement with Brocade that extends their existing partnership.

IBM already had an OEM deal with Brocade whereby it re-branded and sold Brocade SAN equipment. Under the terms of the new deal IBM will now add four Brocade IP networking product families to its mix.

  • The Brocade NetIron MLX Series will be resold as IBM m-series Ethernet routers.
  • Brocade NetIron CES 2000 Series as IBM c-series Ethernet switches
  • Brocade FastIron SX Series as IBM s-series Ethernet switches
  • Brocade FastIron GS Series as IBM g-series Ethernet switches

It's an interesting deal that some might see as being competitive against Cisco. Not me.

The truth of the matter is that IBM already is a major partner of Cisco's rival Juniper.

IBM's partnership with Juniper includes the Juniper Ex switching line as well as a strategic play for data center virtualization, which is where the market is moving to. Just last week on Juniper's 1Q09 conference call, Juniper's CEO noted the importance of the IBM partnership to his company.

Now to be fair, the Brocade deal is an OEM deal whereas the Juniper deal (to the best of my knowledge) is not. That means that with Brocade, IBM gets to put its name on the equipment which does have a certain value to it. In the mid-market for switching gear it means that IBM (through Brocade) is a name that will be found in networking closets and not just server or SAN racks.

Brocade itself is not a vendor that has been associated with switching for very long. Brocade entered the switching market in July of 2008 after buying switching vendor Foundry for $3 billion.

Mozilla Firefox updates to 3.0.10 and 3.5 Beta 4

By Sean Kerner   |    April 28, 2009

From the 'time to update' files:

Mozilla is updating both its stable version of Firefox as well as its in-development version. The new stable Firefox version 3.0.10 is a bit of a surprise considering that Mozilla just issued 3.0.9 last week.

Firefox 3.0.10 fixes one issue introduced by the 3.0.9 release that actually ended up triggering frequent crashes in the browser.

"Users of the HTML Validator add-on were particularly affected, but other users also experienced this crash in some situations," Mozilla's advisory on the issue states. "In analyzing this crash we discovered that it was due to memory corruption similar to cases that have been identified as security vulnerabilities in the past."

It's unfortunate that the 3.0.9 release triggered crashes, however it is noteworthy that Mozilla reacted very quickly in getting the issue resolved.

Looking beyond the current stable release, at long last Mozilla has released its first Firefox 3.5 Beta, which is technically labelled as Firefox 3.5 Beta 4. Mozilla started the Firefox 3.5 browser as Firefox 3.1 but renamed it after the Firefox 3.1 Beta 3 release.

What's new in Firefox 3.5? Lots.

ReactOS 0.3.9 improves open source Windows clone

By Sean Kerner   |    April 27, 2009

From the 'no it's not Windows, or is it?' files:

The ReactOS open source operating system effort is an interesting one. It started off as an effort to 'clone' Windows NT, and then evolved to clone Windows Server 2003. Now with its 0.3.9 release ReactOS is doing something that Microsoft didn't do with its own releases -- namely reduce the memory footprint needed to run the server.

The Changelog for 0.3.9 claims:

Reduced minimum memory requirement to 32Mb. In theory, ReactOS can now be installed with 24Mb and run with only 20Mb

Running a server-type Windows OS with only 20Mb sounds shockingly low to me.

Reducing the memory footprint isn't the only performance gain in ReactOS 0.3.9 either. Two other key improvements are:

  • A new, faster Hyperspace Mapping Interface has been implemented in the kernel resulting in a speed improvement of over 300%
  • Security check improvements to the Object Manager in the kernel improves performance by 500%. Noticeable during large file/registry operations

To be fair, this is still alpha software and it's not intended (or claimed by ReactOS) to be a drop-in replacement for Windows. What it does represent though is an interesting attempt to create Windows compatibility entirely in open source, without the need for licensing or patents.

FreeBSD 7.2 hits second release candidate stage

By Sean Kerner   |    April 27, 2009

From the 'let beastie out of the cage' files:

The next FreeBSD point release is almost done. Late Friday, developers released the second release candidate for FreeBSD 7.2 which is supposed to be the final RC before this release reaches general availability on May 4th.

RC2 comes three weeks after the Beta release of FreeBSD 7.2, and it looks to me like this release is on track. There is one item that developers noted might be an issue with the RC2.

"There is one known issue with 7.2-RC2. We switched from KDE3 to KDE4 and during my tests done before uploading the images a problem with package dependencies for KDE4 was discovered," FreeBSD developer Ken Smith wrote.

For the most part FreeBSD from my point of view looks like an incremental update, though on the desktop side the KDE shift is a big one. That said, most FreeBSD users are likely to be using it as a server where KDE version 3 or 4 isn't an issue. PC-BSD, the desktop derivative of FreeBSD recently came out with its 7.1 release which included KDE 4.2.2 as its default.

GCC 4.4 improves open source compiler with Graphite

By Sean Kerner   |    April 24, 2009

From the 'who doesn't use GCC?' files:

One of the most popular open source programs (technically Free Software) in the world got a major boost this week. GCC 4.4 adds in lots of new features, the biggest of which is the Graphite Framework.

GCC originally was an acronym for GNU C Compiler, and has changed in recent years to stand for simply the GNU Compiler Collection, as it supports more languages beyond just C.

Compilers are critical tools that compile source code into object code.

What Graphite adds to GCC is a new engine for loop optimizations. GCC 4.4 also extends the support for the upcoming C++0x standard. The GCC 4.3 release that came out in March of 2008 was the first GCC release to bring preliminary experimental support for C++0x.

From a command line point of view there are a number of new command line switches that provide better optimization.

What does that all mean?

Well it means that (some) programs that are compiled with GCC (and that's a lot) will now benefit from the improved optimizations and could possibly as a result become faster themselves. It never ceases to amaze me how with every new GCC release, software vendors a few months later will come out and say how their software is now faster as a result.

Is Ubuntu Bigger than Debian now?

By Sean Kerner   |    April 24, 2009

From the 'Is Debian's failure, Ubuntu's Linux success?' files:

This week's Jaunty Jackalope release was Ubuntu's 10th release and the 9th release that I've used myself. I first became aware of Ubuntu in 2005 with the 'Hoary Hedgehog' release for only one reason, Debian Sarge was AWOL.

Debian is the basis for Ubuntu, but in some ways you can argue that Ubuntu has, at this point, exceeded Debian. The great 'failure' of Debian is also its great strength. Debian hasn't been able to put out releases in a regularly scheduled format in years -- something developers will commonly attribute to not making a release until it's ready.

While Debian has struggled on release dates (getting better lately), Ubuntu comes out with its releases like clockwork. Though Debian has made tremendous strides since Sarge with its desktop installation, Ubuntu has become one of the most popular Linux distributions for the desktop, period.

On the server, Ubuntu is now ramping its efforts too, which is an area where Mark Shuttleworth also sees a place where Ubuntu can exceed what Debian does.

"We see Debian as the system administrator's choice," Shuttleworth said during a conference call announcing Jaunty. "And we see Ubuntu as bringing a level of corporate identity and backing to that platform which makes it acceptable and palatable in large scale organizational environments."

Google Chrome updated for IE tab security issue

By Sean Kerner   |    April 23, 2009

From the 'run Microsoft, infect Google' files:

Google today updated its stable version of the Chrome browser to version 1.0.154.58 to fix a serious security issue. The 'funny' thing is the issue is triggered by Microsoft's Internet Explorer (IE) browser.

The issue is very serious and according to Google could potentially enable something called universal cross-site scripting (UXSS) without a user having to do anything.

According to Google's bug report on the issue:

When loaded in Internet Explorer, a specially crafted HTML page can launch Google Chrome with an arbitrary URI without requiring any user interaction.

That's right friends, if you run into an evil page while running IE, you could force Chrome to open up any pages an attacker wants or even arbitrary JavaScript. The flaw stems from a handling error that on the surface sounds very similar to one that Mozilla fixed back in 2007 with the 2.0.0.5 release.

How could this happen in 2009 to Chrome? Is it Google's fault or Microsoft's?

Ulteo expands open source virtual desktop

By Sean Kerner   |    April 23, 2009

From the 'Mandrake's legacy' files:

Ulteo is out with a new release of its open virtual desktop (OVD) today that now enables Windows as well as Linux applications.

Ulteo is an interesting company co-founded by the founder of Mandrake Linux Gael Duval. When I spoke with Duval last year about the initial 1.0 release, he told me that the plan was to expand to Windows in 2009 -- and here it is.

The basic idea behind Ulteo is that it lets users access applications in a SaaS type model. Ulteo provides OpenOffice.org as a virtual online instance to users. With the new Windows edition, it looks like an enterprise could virtually deliver whatever Windows applications they wanted to for users.

"For Windows applications, the Ulteo OVD runs on top of Windows Server Terminal Services. In addition, it is an ideal solution for server management, load balancing and monitoring Windows TS servers," Gael Duval, CTO of Ulteo said in a statement. "But we also have requests to integrate the Ulteo OVD with commercial or Open Source portals, Enterprise Content Management, LDAP or Active Directory, etc. Since it is Open Source, these integrations are happening really fast."

The virtual app and desktop delivery market is a crowded one, even on the open source side. Citrix with its various XenServer initiatives is a key player as is VMware and Red Hat's Qumranet with KVM. How effectively Ulteo will be able to compete is a difficult question to answer in my opinion.

Ulteo however is all open source so the barriers to entry are low for anyone that wants to try it out. Duval managed to carve a nice niche for Mandrake against larger competitors while he was there and I have little doubt that he'll carve a nice niche for Ulteo too.

IBM gets compatible with Oracle, via EnterpriseDB

By Sean Kerner   |    April 22, 2009

From the 'databases should be open' files:

IBM may have lost out on buying Sun to Oracle, but it's taking aim at Oracle in a different way today - database compatibility.  EnterpriseDB which is a vendor best known for its commercial support of the open source PostgreSQL database, is licensing its Oracle database compatibility technology to IBM.

What that means is IBM DB2 version 9.7 users will be able (in many cases) to handle Oracle databases.

The EnterpriseDB technology is baked into their Postgres Plus Advanced Server product which is based mostly on open source technology, though the Oracle compatibility parts are not open source. IBM is an investor in EnterpriseDB, and according to EnterpriseDB co-founder Andy Astor, the two companies have been working for the past two years on the Oracle compatibility piece.

When I asked Astor about the importance of the IBM integration, he noted it's a big milestone for databases.

"It marks the mainstreaming of compatibility and the next step towards true database standards. SQL standards worked perfectly well except that no one follows them," Astor told me. "What we are delivering now is a renaissance of the ability of databases to be interoperable."

It's an amazing observation. While so much focus in development as a whole is around openness, database interoperability remains a challenge for many.

I don't expect that existing Oracle users will now flock to IBM in droves, but the fact that IBM now has the EnterpriseDB technology in place may well give some users pause and at least another choice.

Mozilla Firefox 3.0.9 fixes XSS flaws

By Sean Kerner   |    April 22, 2009

From the 'don't refresh until you update' files:

Mozilla is out with Firefox 3.0.9 today, fixing at least one critical set of vulnerabilities and issuing 9 security advisories in total.

The one critical security issue is another 'Crashes with evidence of memory corruption' advisory, which nearly every Firefox update of the past three years has included. More interestingly, Firefox 3.0.9 includes several fixes related to XSS (cross site scripting) related flaws.

One of the XSS risks patched in the update deals with same-origin violations in XMLHttpRequest (XHR). XHR requests are the lifeblood of AJAX communications and though Mozilla has only labelled this issue as being 'High', in my view it's the most serious issue fixed in 3.0.9. Mozilla's advisory on the issue notes that, "An attacker could use this vulnerability to execute arbitrary JavaScript within the context of another site."

There is also a same origin violation (in my view this is still XSS) with how Mozilla handles Adobe Flash. According to Mozilla's advisory on the Flash handling flaw, "The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites."

Again Mozilla has only labelled the Flash issue as being 'High', but I see it as critical. Perhaps even more serious in my layperson's view is this is a flaw that stems from a third party plug-in (Flash) but affects Mozilla. It underscores the importance of proper boundary checking for plug-ins (think QuickTime too), which really could represent the greatest threats to browsers in general.

Google O3D brings 3D to web browsers.

By Sean Kerner   |    April 21, 2009

From the 'Lynx can't do that' files:

Google has a new Labs project publicly available today that brings 3D graphics into web browsers. It's called O3D and it's somewhat related to a multi-vendor effort that was announced last month at Game Developers Conference (GDC).

According to Google, O3D is an open-source JavaScript API for creating interactive 3D graphics applications that run in a browser window. The JavaScript required for O3D is loaded into the browser via HTML (like most content). O3D works on a user's desktop by taking advantage of the GPU (hardware graphics acceleration) by way of the OpenGL or Direct3D library.

Sounds easy enough. The only problem in my view is that there is another effort called C3DL (sponsored by Mozilla) which looks to my naked eye to be very similar.

What this could mean - in the absence of a true standard - is more fragmentation and frustration for web developers. Instead of a single standard approach, like say a real HTML 5 standard that included this stuff, developers may end up having to navigate the different specifications for different implementations.

Then again, I could be entirely wrong.

Google's effort is new and C3DL is hardly a standard either.

Perhaps with both efforts pushing forward a common ground can be achieved. And if not, well they're both plug-ins now. Individual sites or developers could specify that users use specific plug-ins to get the 3D graphics. That model isn't likely to work, it failed in the early days of the web and it would fail now too.

The web needs standards. Let's hope 3D graphics are one standard that we'll see sooner rather than later.

Red Hat maps open source activity. France is #1

By Sean Kerner   |    April 21, 2009

From the 'how open is your country' files:

Red Hat today published a new study together with Georgia Tech mapping open source activity across 75 countries. Officially called the Open Source Index (OSI), the final score is made of a number of factors including policies, practices in the Government, Industry, and Community. Topping the list currently is France with a score of 1.35. Spain is second at 1.07, Germany third at 1.05.

The United States came in 9th overall according to the study, Canada came in 28th.

The idea of attempting to map open source use and activity is an interesting one, that may potentially yield benefit to academics. The total score is made up of an activity number combined with an environment number. By the study's own admission the environment score is 'speculative'.

"Environmental factors are more speculative," Red Hat's FAQ on the study states. "Even a country that does not have a high degree of current penetration of open source may have a high number of internet users and information technology patents. These factors may indicate a favorable environment for open source software to take hold. Still, the correlation between a country's score on the activity and environment is quite high."

What I personally would like to see, from a similar type of study in the future, is an actual census of open source usage and some kind of per capita ratio based on that figure. So for example, wouldn't it be great to know that there are more Linux (and/or open source) users in a given country by volume, but that a different country has a higher density of users?

Shuttleworth: Oracle's Sun buy validates open source

By Sean Kerner   |    April 20, 2009

From the 'Jaunty is coming' files:

Mark Shuttleworth founder of Ubuntu and his CTO Matt Zimmerman held a press conference this AM to pre-announce the launch of Ubuntu 9.04 Jaunty Jackalope, which will become available this Thursday April 23rd. Aside from the product details on the upcoming release, Shuttleworth provided insight into what he sees the Oracle buy of Sun means to Ubuntu, and the wider open source ecosystem itself.

"What is interesting to me about this move is that it really cements the idea that free software and open source are the profound driving forces behind software today," Shuttleworth said in response to a question from me.

He added that it's very hard to name a large proprietary software company which has been created since the 1990's. He argued that the major sources in software today are either free software or powered by free software, Google Yahoo etc.

"The fact that Oracle has just announced a multi-billion dollar acquisition of a company that describes itself as the world's biggest Free Software and Open Source company to me is enormously instructive," Shuttleworth said. "To me it suggests that it cements the idea that open source and free software are the big game in town. And everyone is trying to figure out what that means and how they integrate it, what they can't do is ignore it."

Oracle buys Sun. Is MySQL doomed? Java? Solaris?

By Sean Kerner   |    April 20, 2009

From the 'wow I didn't see that one coming' files:

After the weeks and weeks of hype surrounding IBM buying Sun, Oracle today announced it was buying Sun -- for $7.4 Billion.

With Sun in tow, Oracle will now finally have its own operating system with Solaris, instead of just its own Oracle Enterprise Linux (which is based on Red Hat). Perhaps more importantly, with one swift stroke Oracle has effectively cornered even more of the database market than it already owned.

With MySQL, Oracle will have one of the leading open source databases, and a vendor that has been a bit of a competitor to Oracle over the last several years. It's a win-win for Oracle. They'll be able to continue to push their proprietary Oracle database offering, while chewing away at the open source and Web 2.0 sides of the market they didn't already hold.

Oracle has held a strategic component of the MySQL ecosystem with InnoDB (which it has owned since 2005) for nearly four years. Though MySQL has been talking about an InnoDB killer of its own with Falcon since at least 2006, it hasn't yet been officially released for mainstream consumption. I think that the fate of Falcon and InnoDB are now clearly going to be very intertwined. Perhaps we'll now get the full force of the joint Oracle and Sun teams working on MySQL's transactional database capabilities.

Will Oracle advance MySQL (from a corporate level) further into mission critical workloads where Oracle's database already exists? Maybe, maybe not. One thing is for sure, Oracle will have one massive database portfolio of both commercial and open source database technology.

What of Java?

podcast

By Sean Kerner   |    April 17, 2009

HP updates Unix with Vigilant HP-UX 11i v3 Update 4

By Sean Kerner   |    April 17, 2009

From the 'teaching an old OS new tricks' files:

HP today officially released its latest Unix operating system, with HP-UX 11i v3 Update 4, codenamed Vigilant.

InternetNews.com got a preview of the new release back in March. Vigilant includes enhanced data protection, high-availability and disaster tolerance features.

With the new release, HP has also taken an interesting step forward in how HP-UX customers actually migrate to new releases. Typically, HP-UX was updated by way of a physical media update, but now HP has an online operating system update. HP claims that new online update options can save up to 50 percent of the downtime that might be required to do an update with physical media.

HP updates the HP-UX operating system in the spring and fall of each year.
The last update was October's HP-UX 11iv3 Update 3, with the previous spring update (Update 2) arriving in April 2008.
 

Google Chrome 2.0.174.0 updates Tab functionality

By Sean Kerner   |    April 17, 2009

From the 'tabs are still very cool' files:

Google has updated its leading edge dev-channel edition of the Chrome web browser to version 2.0.174.0. The new release has three significant updates, two of which deal with how the browser's tabs behave.

When Google Chrome users start up a new tab they get a page showing their most visited URLs as thumbnails. Apparently some users want the ability to modify that page. As such, Chrome 2.0.174.0 now gives users the rudimentary ability to remove the thumbnails from the New Tab Page. Personally, I like the most visited thumbnails new page, but the ability to move them around a bit is definitely something I'm interested in.

Chrome 2.0.174.0 has also added something I've never seen before in terms of tab behavior on any browser -- the ability to undo a Tab close. That's awesome in my view. I've closed tabs by accident plenty of times (usually because I have too many open tabs). The ability to have a simple menu item to easily enable users to recover a lost tab is a simple but very useful feature.

There is also a really key security fix in Chrome 2.0.174.0. According to Google, "It is no longer possible to cut or copy from a password text-field."

That's critical in my view. If a password text-field (even if it's obfuscated) can be copied, that leaves the possibility open for a password disclosure issue and a possible XSS attack vector.

Shuttleworth: Oracle a Litmus test for Linux, Ubuntu

By Sean Kerner   |    April 16, 2009

From the 'why Oracle matters to Linux' files:

Ubuntu Linux 9.04 is set for release on April 23rd for both the server and the desktop, and though it will include many new features it will be lacking at least one key item -- Oracle certification.

I asked Mark Shuttleworth, founder of Ubuntu, about the lack of Oracle certification for 9.04 Jaunty Jackalope and he didn't seem too concerned, though he did admit Oracle holds a special place in the application landscape.

"Oracle is a litmus test for enterprise readiness," Shuttleworth told InternetNews.com. "So Oracle certification is far more important to us as a public testament to the reliability and ruggedness of Ubuntu than it is in terms of sheer volume."

Oracle has its own Oracle Enterprise Linux (based on Red Hat) and certifies its applications on Red Hat and Novell's versions of Linux.

Shuttleworth argued that he has not seen any organization where Oracle applications represent a large number of Linux servers. In his view an organization only needs so many database servers.

I asked Oracle's top Linux exec, Wim Coekaerts, Director of Linux Engineering, what he thought of Ubuntu and why Oracle hasn't certified it -- and got the flip side of Shuttleworth's answer.

PostgreSQL 8.4 Beta advances open source database

By Sean Kerner   |    April 16, 2009

From the 'and they paid $1 billion for MySQL...' files:

The first beta for PostgreSQL 8.4 is now out, including dozens of new features and hundreds of patches according to developers. The new release (once finalized) will be the first major release for PostgreSQL since 8.3 came out in February of 2008.

Performance is a key theme in the release overall, with improvements across the database. Among them is something called Parallel Restore, which is improved in 8.4 to be multi-threaded (and ready for multi-core CPUs). Free Space Map auto-tuning is another key performance improvement, as is a new visibility map.

PostgreSQL 8.4 also makes a few improvements on the security side with improved SSL certificate support.

Then there are new SQL improvements that expand the capabilities with Common Table Expressions & Recursive Joins as well as Default & Variadic parameters for functions.

The timing of the PostgreSQL 8.4 beta is particularly interesting. Next week, MySQL kicks off its annual users conference, amid new speculation that Sun will be bought by IBM -- and the recent departures of Monty Widenius and Marten Mickos.

Microsoft missing patch for IE 8 vulnerability?

By Sean Kerner   |    April 15, 2009

From the 'read the fine print' files:

Microsoft put out their monthly Patch Tuesday update yesterday, including several updates for Internet Explorer (IE), but none for IE 8. This surprised me. After all, wasn't a flaw found in IE 8 last month at the PWN2OWN hacking contest?

In fact, Safari, IE 8 and Firefox 3 were all hit with a vulnerability at PWN2OWN. Mozilla has already patched Firefox. So what about IE 8?

As it turns out, the release of IE 8 that is now available is not vulnerable after all.

"The build of Internet Explorer 8 used in the Pwn2Own contest was not the RTW build released on March 19, 2009 to customers," Microsoft wrote in an email to me.

Nils (the hacker who cracked IE 8) at PWN2OWN did not use the final version of IE 8 and apparently there were some fixes in the final build. So technically speaking then, IE 8 (the final release version) to date has not yet been hit with any public vulnerabilities and has not been publicly cracked/hacked either.

With Microsoft pushing IE 8 to its users now via the Automatic Update process, the fact that IE 8 remains secure and un-cracked (publicly) is a great thing. Microsoft, though it takes more than its fair share of blame for all IT security problems (can you say Conficker?), is doing the right thing with IE 8, so far at least.

Time will tell whether I'm wrong and in fact Nils, or someone else, can still exploit IE 8. It's likely just a matter of time, but for now at least, new IE 8 users don't need to worry that some known flaw is out there waiting to get them.

Red Hat launches Open Source Channel Alliance

By Sean Kerner   |    April 14, 2009

From the 'don't change the channel' files:

Red Hat (NYSE: RHT) is ramping up its sales efforts with a new partnership alongside SYNNEX Corporation (NYSE: SNX), a business process services company.

The new partnership includes the launch of something called the Open Source Channel Alliance which is supposed to help make it easier for VARs to distribute and support open source software. The new alliance is starting off with nine founding members on top of Red Hat and SYNNEX. The members are: Alfresco, EnterpriseDB, Ingres, Jaspersoft, Likewise, Pentaho, Zmanda, Zenoss and Zimbra.

What Red Hat has done with this new Alliance is create its own open source channel with SYNNEX which is a big play in my view that could further push Red Hat Linux into the mainstream of IT. Red Hat has tried its own channel type effort in the past, notably the Red Hat Exchange (RHX). The SYNNEX deal is a little different because Red Hat is leaning on them and their distribution to help push open source further.

"This is a very exciting time for open source in the channel," Roger Egan, vice president of channel sales, North America, Red Hat said in a statement. "Our expanded partnership with SYNNEX allows us to create a scalable way to bring the power of open source solutions to a wider range of resellers. SYNNEX has a deep understanding of how to leverage the channel markets and there is a surge of demand for open source, so our partnership is well timed to meet market dynamics."

Check Point closes on Nokia acquisition

By Sean Kerner   |    April 14, 2009

From the 'networking news' files:

Check Point (Nasdaq: CHKP) has completed its acquisition of Nokia's security appliance business, nearly four months after the deal was first announced in December of 2008.

Nokia and Check Point had been partners in the security appliance business for the past 12 years. With the deal complete it means that Check Point now has a bigger appliance story to tell and can sell Nokia appliances running Check Point's firewall and security software.

Check Point has also indicated that it plans to expand the Nokia business and its own with a new line of all inclusive IP security appliances. 

"Check Point now leads the security appliance market with an unprecedented variety of security solutions. Through the acquisition, we'll be able to better meet customers' needs and preferences with the latest security software on the leading hardware platforms," Gil Shwed, chairman and chief executive officer at Check Point, said in a statement. "Our unique Software Blade architecture allows customers to select the exact security protections they need for a given environment, and our comprehensive line of appliances lets customers deploy their custom gateway on the hardware of their choice."

Check Point has claimed that Nokia had some 220,000 security appliance installations that will now become part of Check Point's customer base.

In my view, this is a good thing for Check Point and may well be the catalyst that helps to propel their share and market stature forward. Check Point has long been thought of as mostly a software vendor in the enterprise space with its security application able to run on hardware from various vendors. I don't see that changing with the Nokia deal, but the mix could change with more deployments on Check Point branded hardware as time progresses.

Google Update goes open source for privacy

By Sean Kerner   |    April 13, 2009

From the 'open source means better privacy?' files:

If you run any number of different Google apps (desktop, Chrome etc) on Windows then you've got GoogleUpdate.exe running in the background as a system process. What GoogleUpdate.exe is supposed to do is continuously check with Google for updates and then download them when available. It's a little thing, but it is something that has raised privacy concerns -- what exactly is Google sending back and forth?

In order to deal with those privacy issues, Google announced late last week that it was open sourcing the updater as project Omaha.

"We're releasing the source code for Omaha in addition to recent enhancements to Omaha functionality, to provide both transparency and control around the update process," Google's engineers wrote in a blog post. "Since Google Update is always running on your system, there's no simple way to stop it, and since it's a fundamental part of the Google software that needs it, it's not explicitly installed. Some users can be surprised to find this program running, and at Google, we don't like disappointing our users. We've been working hard to address these concerns, and releasing the source code for Omaha is our attempt to make the purpose of Google Update totally transparent."

The source code is already up on Google Code, and is being made available under an Apache 2.0 open source license. Google has also gone a step further and is providing a developers guide to actually get Omaha up and running.

While I applaud Google's efforts in opening up Omaha from a privacy point of view, there are still some issues in my opinion. For one, it's yet another updater on Windows. If every single vendor has their own updater (and many do) that adds a tremendous amount of resource overhead to a PC. I've advocated in the past that Windows should adopt a Linux type package repository system for a unified update process.

From a broader update point of view, it will be interesting to see if other Windows software vendors adopt Omaha as their own updating tool. If they do, perhaps in time it could become the basis for the unified updater that Windows so clearly (and desperately) needs.

Twitter worm attack spreads 10,000 spam tweets

By Sean Kerner   |    April 13, 2009

From the 'don't use the web version' files:

Over the weekend, Twitter became the victim of a cross site scripting attack based worm that spread spam tweets. According to Twitter, nearly 200 accounts were compromised and some 10,000 messages in total were pegged as being worm spam generated.

"Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability," Twitter posted on its status update page late Sunday. "We've taken steps to remove the offending updates, and to close the holes that allowed this worm to spread. No passwords, phone numbers, or other sensitive information were compromised as part of this attack."

In total, there have been four different variants of the worm that hit Twitter over the weekend, and that now includes today (Monday). Early Monday Twitter claimed it was successfully fighting the fourth variant.

The way it looks to me is that the Cross Site Scripting flaw is/was specific to Twitter web users. That is, if you were logging into Twitter by way of Twitter.com you could have been at risk from the flaw. Users of the third party clients (like Twhirl, TweetDeck) will not have the same risk.

No question, this is a cause for concern in my opinion, however the speed with which Twitter is responding to this worm is commendable. It also shows why web based services can in fact be more secure than desktop ones. With a web based service Twitter only needs to update their main application and not the applications sitting on millions of desktop users. This new worm can be contained very quickly (unlike Conficker and its desktop variants) and it will cease to exist sooner rather than later.

Twitter is also going to go after whoever created the worm and ensure that they pay the legal price.

"The worm introduced to Twitter this weekend was similar to the famous Samy worm which spread across the popular MySpace social-networking site a while back," Twitter founder Biz Stone blogged. "At that time, MySpace filed a lawsuit against the virus creator which resulted in a felony charge and sentencing. Twitter takes security very seriously and we will be following up on all fronts."

Conficker hits Utah

By Sean Kerner   |    April 13, 2009

From the 'worm that keeps on giving' files:

Apparently Conficker isn't just media hype. The Associated Press reported on Sunday that the University of Utah was infected with the Conficker worm. In total the report claims that some 700 PCs at the university were infected with Conficker.

Among the PCs hit were those inside of the University of Utah's hospitals, though hospital officials claim there were no patient records lost.

So it's not just naive Windows users that can get hit by Conficker. Inside a university environment with many PCs that may or may not all be centrally managed properly, it is a difficult thing to manage patches and anti-virus sometimes. This incident at the University of Utah clearly underscores that point.

While Utah has publicly reported its Conficker issues, I don't doubt that many other institutions have had similar issues that have yet (or ever) to be publicly reported. After all, if PCs aren't centrally managed then how is a university or hospital to know if they're infected in the first place? That's where the true danger of Conficker lies.

It's not about the numbers of infected PCs that are reported, but rather about the silent majority of unreported infections.

Conficker Kido spooling up 80,000 spam emails a day

By Sean Kerner   |    April 10, 2009

From the 'aren't we done yet with Conficker?' files:

Yesterday I wrote about the latest variant of Conficker. Additional details on the new variant have emerged that indicate that the worm is now using its infected hosts to send spam email.

The new Conficker worm (also known as Kido) downloaded scareware - a fake antivirus application offer on infected users' PCs. It also downloaded the Waledac spam worm also known as Email-Worm.Win32.Iksmas.atz.

"Over a 12-hour period, Iksmas connected to its control centers around the globe a number of times and received commands to send out spam mailings. In just 12 hours, one bot alone sent out 42,298 spam messages," Aleks Gostev, head of Kaspersky Lab's Global Research and Analysis Team, said in a statement.

Gostev noted that Kaspersky detected over 40,000 domains being used as part of the spam attack with most of the sites located in China.

"A simple calculation shows that one Iksmas bot sends out around 80 000 emails in 24 hours," Gostev commented. "Assuming that there are 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-hour period!"

That sure is a lot of spam. In my opinion, there are a few assumptions in Gostev's analysis of the total spam volume. It assumes that the bot wouldn't be detected or blocked over the course of the 24 hour period. That's the trouble with bots: dormant, they can be difficult to detect. But once they start doing stuff, it's not that hard to see the anomalous activity.

PC-BSD 7.1 brings FreeBSD Warden to the desktop

By Sean Kerner   |    April 10, 2009

From the 'it's not just for servers' files:

PC-BSD, the desktop distro version of FreeBSD, is now out with its 7.1 'Galileo' release. It's one of the most exciting releases of PC-BSD since 2006 when I first started writing about (and using) PC-BSD.

The new release is built from FreeBSD 7.2 which just hit beta last week, and uses KDE 4.2.2 as its desktop.

This release has a few incremental improvements including an improved installer, package management, Wi-Fi and networking tools.

There is however at least one feature in PC-BSD 7.2 that I haven't seen before. Galileo includes something called 'Warden' which is a utility for FreeBSD server setup. More specifically it can be used as a graphical front end for virtualized FreeBSD instances -- or jails.

According to iXsystems (which since 2006 has 'owned' PC-BSD), "The Warden makes jail creation and management accessible to a greater number of users, and provides a secure and isolated environment for all sorts of uses, such as a mail server, database server, or webserver, to name a few. Warden configurations, called Inmates, can be used to instantly load pre-configured jails into the Warden."

That's pretty neat in my opinion and could be the use case that helps to put PC-BSD 7.2 on more enterprise desktops as an admin tool for FreeBSD servers.

With the incremental improvements to existing features, it all amounts to a solid and easier to use version of PC-BSD than past versions. It's part of a trend that I've seen consistently building with PC-BSD since at least the 1.5 release.

Cisco acquires Tidal Software for $105 million

By Sean Kerner   |    April 09, 2009

From the 'who should we buy today?' files:

Cisco today announced it was planning to acquire privately held Tidal Software. Cisco is paying $105 million cash and retention-based incentives and expects the deal to close by the end of its fourth quarter fiscal 2009.

Tidal Software has several application automation and management solutions that will fit into Cisco's overall application delivery strategy. The Tidal Intersperse application is a management technology for Java and .NET app servers while Tidal Enterprise Scheduler handles job task scheduling.  The Tidal Horizon product is all about automating the analysis and management of SAP operations which is something that Tidal complements with their Tidal Transaction Analyzer for SAP as well.

On the automation side, Tidal has software called Tidal Intelligent Automation which, according to Tidal, "...allows IT to easily create, modify, delegate, automate and enable guided operations. It also enables IT to automate, manage and audit critical IT processes within Windows-centric IT operations."

"With the acquisition of Tidal Software, Cisco will accelerate its ability to help customers optimize the performance of their business applications and automate operational best practices in real time, which will lead to significantly reduced operational costs," said Gary Moore, senior vice president of Advanced Services at Cisco in a statement.

From my point of view, the Tidal Technologies will also make a nice complement to Cisco's new Unified Computing Fabric servers and strategy. As Cisco ramps up with server blades, the need to manage and automate app processes is critical. That said, Cisco today has other partners, like BMC (and others) that kinda/sorta play in the same space. Nothing wrong with choice and a little co-opetition, is there?

Conficker evolves with new variant

By Sean Kerner   |    April 09, 2009

From the 'evolution is not always a good thing' files:

Conficker, the dreaded, much-hyped worm that was supposed to trigger 'something' on April 1st but didn't, has evolved (again). Multiple anti-virus vendors are now reporting a new variant of Conficker (called WORM_DOWNAD.E by Trend Micro and W32/Confick-D by Sophos).

The new Conficker variant also has an activation date attached to it -- this time it's May 3rd.

According to Trend Micro, the new variant runs under a random file name and a random service name. It also deletes its original download, leaving no traces in the Windows registry. What that means is if you're just looking for a file that says 'conficker' you're not going to find it.

In my opinion, detecting it should be as straightforward as previous Conficker iterations. For one, this version of Conficker opens up (according to Trend Micro) port 5114 to serve as an HTTP server. If you're running a proper firewall setup where you have to authorize inbound and outbound traffic, locking down a local PC and/or Windows server to keep that port closed is not a big deal.

As well, like its predecessor, so far as I can tell from the current research, it's still exploiting the same Windows flaw which was patched by Microsoft back in October (so just patch your Windows boxes people!).

The real threat here though in my view is that the Conficker author(s) are continuing to evolve the worm to evade detection with the random factor that this new variant includes. In that respect, Conficker is showing itself to be a resilient threat that isn't likely to fade away from the security landscape anytime soon.

Red Hat open sources Teiid virtual data integration

By Sean Kerner   |    April 09, 2009

From the 'data is everywhere' files:

Red Hat today announced a new open source effort called Teiid that is all about virtual Enterprise Information Integration (EII).

The problem that it solves is one we're all familiar with -- data lives in multiple sources and environments and users don't always want to have to physically move/copy it to make use of it for data integration.

The way Teiid is supposed to work is it focuses on data virtualization allowing real data access without having to move data (yes I know on *nix systems we've long had symbolic links which is a similar concept at a lower level). 

The way Teiid achieves its data virtualization is by way of Java Database Connectivity (JDBC) and Web Services interfaces. The new open source project is part of Red Hat's JBoss division and comes out of technology acquired by Red Hat from its acquisition of MetaMatrix in 2007.

"When Red Hat acquired MetaMatrix in April 2007, we committed to releasing the data services technology in the open source community and Teiid is the result of that promise," said Craig Muzilla, vice president of Red Hat's middleware business in a statement.

Asterisk renumbers open source VoIP

By Sean Kerner   |    April 08, 2009

From the 'what's in a version number?' files:

TORONTO. The open source Asterisk VoIP PBX is now at its 1.6.x release -- it's a number that Asterisk is going to stay at for a long time. That's the message that Kevin Fleming, Director of Software Technologies at Digium and co-maintainer of Asterisk, told attendees at the IT360 conference here in Toronto.

Instead of changing version numbers for each new feature based release, Fleming explained that Asterisk will now put new features into its 1.6.x point release.

Currently Asterisk is at the 1.6.0 release with the 1.6.1 release in beta.

"Up until Asterisk 1.6, the process was, once new branch is out, there are no new features in the branch, just bug fixes," Fleming said. "That meant that if you had a new feature, it might be a year or more till it showed up in production build. Now we do add features in between point releases."

As such, the pace of innovation in Asterisk may well now accelerate since new point releases come out every two to three months.

Google AppEngine: Can you feed Java to a Python?

By Sean Kerner   |    April 08, 2009

From the 'Java is still cool' files:

A year after first launching AppEngine, Google is now adding early support for Java. At launch AppEngine -- which lets developers run their code on Google infrastructure -- was Python only.

Google has also added import/export support for its AppEngine database, which is a key thing. It means that it will be easier to build larger sites and use datasets that didn't originate on AppEngine infrastructure.

The move to support Java -- in a limited way -- really doesn't amount to much yet in my view. Initially they're limiting Java access to 10,000 developers, so over time no doubt Java usage will grow. For now though, Python is still the King of AppEngine.

"In making Google's infrastructure broadly available, App Engine has helped over 150,000 developers focus on designing and launching great products, without the usual scale and maintenance headaches," said Andrew Bowers, Product Manager at Google in a statement. "Today -- with newly-launched features, and an early look at Java language support -- we're making Google App Engine a viable deployment option for more and more application developers."

OpenSUSE Build Service coming to Linux Foundation

By Sean Kerner   |    April 08, 2009

From the 'apps for all' files:

Novell's openSUSE Build Service, which enables developers to build application packages for multiple distros including SUSE, Red Hat and Debian/Ubuntu, is set to be part of the Linux Foundation's Linux Developer Network (LDN).

Joe Brockmeier, the openSUSE Community Manager, told me that the idea behind having the build service at LDN is to encourage broader adoption. Brockmeier argued that the tool isn't just for Novell's Linux distribution and can benefit a broad range of Linux users.
"It's one of those things where a rising tide lifts all boats," Brockmeier said.


Novell has been working on the openBuild Service since January of 2007 and hit its 1.0 milestone in July of 2008. Currently the Build Service is at its 1.6 version which includes support for building packages for ARM based architectures.

The Linux Foundation's Amanda McPherson, VP marketing and developer programs, explained to me that the way the Build Service will work on LDN is that the LDN site will host a web interface the build service team has developed for remote sites to tap into their resources. That interface will plug into a dedicated instance of Novell's build service.

Unlike Moblin (Intel's mobile Linux effort), which the Linux Foundation is actually taking over from an organizational point of view, the openSUSE Build Service will remain under Novell's technical direction.

"The project itself is still under the auspices of its development team, though if more people want to participate on the project after using it, that's really the point of open source," McPherson explained.

Carrier Ethernet market worth $17 billion in 2008

By Sean Kerner   |    April 07, 2009

From the 'Ethernet everywhere' files:

Ethernet continued to make inroads into carrier networks during 2008. According to a new report from Infonetics Research, service providers spent $17 billion in 2008 on Carrier Ethernet equipment.

Infonetics forecasts that growth in Carrier Ethernet will continue to increase for the next five years. By 2013, Infonetics is projecting the Carrier Ethernet equipment market to be worth $32 billion.

There are a few factors driving demand for Carrier Ethernet, among them the continuing demand on service provider networks and the need to converge services onto all IP Ethernet based networks for management and cost consolidation reasons.

"The economic downturn favors carrier Ethernet technologies and products, as they are a less expensive alternative to legacy equipment," Michael Howard, Principal Analyst - Optical, Routing, Switching, and Ethernet at Infonetics said in a statement. "In fact, service provider investment in carrier Ethernet equipment is growing faster than overall telecom capex. Carrier Ethernet is one of the key technologies globally integral to IP next gen network transformation projects pushing the move from TDM to packet based networks."

Say hello to Neeris, Conficker's worm cousin

By Sean Kerner   |    April 06, 2009

From the 'so now they're a family?' files:

Apparently Conficker isn't the only worm out there trying to exploit the flaw Microsoft patched in October. A worm called Neeris is out taking advantage of the same Conficker flaw, and perhaps more interestingly, its creators have learned a few things from Conficker too.

"Neeris is a worm that has been active for a few years," Microsoft security researchers Ziv Mador & Aaron Putnam blogged. "Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week."

The Microsoft researchers noted that the new version of Neeris became prevalent in the lead up to the dreaded April 1st activation date for Conficker. That said, they added that there is no direct correlation between Conficker activity and infections and Neeris -- except for the fact that they both try and exploit the same already patched Microsoft flaw.

According to Microsoft, Neeris spread by way of bad links sent via MSN Messenger as well as being an IRC bot. It can also be spread via SQL servers with weak passwords (but then anything can spread via SQL servers with weak passwords).

As was the case with Conficker, risk mitigation is relatively straightforward. If you're running Windows (since this is a Windows-only issue) make sure you directly visit Windows Update to get the latest Microsoft patches.

FreeBSD 7.2 enters Beta

By Sean Kerner   |    April 06, 2009

From the 'beastie vs. tux' files:

The first Beta for FreeBSD 7.2 has been released, updating network drivers as well as some threading libraries.  The FreeBSD 7.2 release is the first point upgrade since the 7.1 release which became generally available in January of this year. The final release of FreeBSD 7.2 is currently scheduled for the first week of May.

The bigger push at FreeBSD from where I sit is the FreeBSD 8 release which is set for release later this year.

"We're very excited about FreeBSD 8.0, due out later this year, which includes support for a virtualized network stack, which will allow FreeBSD jails to have their own routing, firewalls, VPNs, etc," FreeBSD core team member Robert Watson told me earlier this year. "This is exciting for our ISP users, but also appliance vendors, research community, etc. Another similarly exciting feature is support for 802.11 Virtual Access Points, which allow a single radio to be used for many different 802.11 SSIDs, a feature that will be important to hobbyist use of FreeBSD to companies building commercial access point products."

Beyond its own development efforts, FreeBSD also might soon benefit from the Debian Linux community as well. Debian users will soon be able to choose to use a FreeBSD kernel (instead of a Linux kernel).

I'm not sure why a Debian user would choose to use a FreeBSD kernel, and no doubt at this early stage this is still experimental, but it is interesting. By enabling its users to choose FreeBSD, Debian could well open up its large development community to FreeBSD and in so doing expand the base of FreeBSD itself. Then again, it could just be a 'neat' feature that is interesting to try out, but doesn't actually serve a productive purpose. Time will tell.

Firefox 3.6 codenamed Namoroka speeds up the browser

By Sean Kerner   |    April 03, 2009

From the 'weren't they just working on 3.1?' files:

Firefox 3.5 is not yet out the door, but Mozilla has already started the planning for Firefox 3.6, codenamed 'Namoroka'. The new browser is named after a national park in Madagascar.

So far, Mozilla has outlined a number of key goals for Firefox 3.6 with the top item being performance.

"Observable improvements in user-perceptible performance metrics such as startup, time to open a new tab, and responsiveness when interacting with the user interface. Common user tasks should feel faster and more responsive."

Digging a little deeper, Mozilla is setting the goal of having, "dramatic, human-perceivable (>50ms) speed increases on startup."

Memory bloat and performance -- not just JavaScript -- are the most pressing issues that Mozilla clearly needs to solve and I'm thrilled that it's at the top of their list.

Slow startup times are no longer acceptable.

The new Linux distros from Fedora and Ubuntu are both pushing for sub 20 second startups and it only makes sense that the leading open source browser follows the lead to lower startup time too.

Firefox 3.6 should also see the integration of the Ubiquity command infrastructure (now called Taskfox), that will add a major new dimension to the web browsing experience.

The target release date for Firefox 3.6 is early to mid 2010.

IBM Sun acquisition to be announced today?

By Sean Kerner   |    April 03, 2009


From the 'some rumors are true' files:

Talk about a potential acquisition of Sun by IBM has been swirling for the last few weeks, and now has hit a new level. Both the Wall Street Journal and the New York Times are reporting that according to their sources, a deal is nearly done. If the sources familiar with the matter are accurate, the deal could be announced as soon as today.

Reportedly, IBM will pay $9.50 a share for Sun, giving the deal a total value of approximately $7 billion.

The deal (in my view) will consolidate the Unix market with 2/3rds of it under the control of IBM. I've also written that I figured it would be a good deal for Linux too.

Earlier this week, I got members of the Java community to chime in on this event too. For the most part, the view was that it could be a very positive thing for Java and the Java Community Process (JCP) itself.

So lots of positives here for this deal. Whether it happens today, over the weekend or next week is likely the only question left to answer.

Microsoft open sources ASP.NET MVC stack

By Sean Kerner   |    April 02, 2009

From the 'yeah they do open source' files:

Microsoft is best known as a vendor of proprietary code and applications (like Windows), but it's important to remember that since 2007, Microsoft has had its own OSI-approved open source licenses. Late yesterday, Microsoft announced that it was open sourcing its ASP.NET MVC (model view controller) under the Microsoft permissive license. Microsoft describes ASP.NET MVC as a "closer to the metal" web programming option for ASP.NET that enables full control over HTML markup and URL structure, and facilitates unit testing and a test driven development workflow.

Basically it makes ASP.NET more like dynamic language approaches found in Ruby on Rails. This new open source code will actually also benefit open source developers outside of Microsoft, most notably those that use Mono - Novell's implementation of .NET for Linux. (Mono was just updated this week too.)

"I am psyched," Miguel de Icaza, vice president of development platforms at Novell, blogged. "Not only because ASP.NET MVC is usable in Mono and the code is licensed under open source terms, but also because I strongly believe that the same innovation, rapid adoption and experimentation that has happened with the new wave of web stacks will come to ASP.NET MVC across all platforms."

DimDim 5: Open Source web meetings with Widgets

By Sean Kerner   |    April 02, 2009

From the 'it's all about user experience' files:

Open source web meeting and collaboration vendor dimdim is out with version 5 of their platform today. The key new enhancements are webinar widgets and improved screen sharing (screen casting).

The webinar widgets are an interesting idea. They serve as a promotion and registration vehicle to drive traffic to an online event. Usually when you want to go to a webinar you see a link on a page and then save it to your own calendar somewhere. With a widget the idea is that the info can easily be shared, it's easier to get registered and the widget provides a live status of when the meeting is on. It will also provide a link to a transcript (if available) after the meeting. Sure sounds like a time (and maybe life) saver to me.

DimDim has an open source download if you want to try and run it on your own -- but the real push is their online service which is a WebEx competitor. The difference is that it's all based on open source and conferences of 20 or fewer users can be run for free.

The 5.0 release comes just a few short months after the 4.5 release.

Intel takes its mobile Linux to the Linux Foundation

By Sean Kerner   |    April 01, 2009

From the 'going mobile' files:

I've been writing about Intel's Moblin since 2007. The basic idea is that it's a mobile Linux distribution as well as a community for mobile Linux developers. For Intel, it is a key effort as it works hand in hand with their Atom CPUs. Now after two years of going it on their own, Intel is transferring the effort to the Linux Foundation.

Considering that initially at least, Moblin was not something that was welcomed by embedded Linux vendor MontaVista, the move to have Moblin be more open is a good thing.

"The Linux Foundation is the perfect environment to take Moblin to the next level," said Doug Fisher, vice president Intel Software and Services Group, and general manager System Software Division in a statement. "The open source process delivers multiple benefits to any project, including faster innovation and increased technology visibility."

Conficker Strikes! Or does it?

By Sean Kerner   |    April 01, 2009


From the 'no joke, and no punchline' files:

It's April 1st, the day that Conficker.c is supposed to do... something. So far though, the worm hasn't caused massive havoc, but then again I don't think that was ever the plan.

Early reports so far show little activity, though the day is still young and the scope of infections (maybe as many as 10 million) means that the true impact may not be known within the day.

"McAfee Avert Labs has been closely monitoring Conficker-related threats, and we haven't observed any significant activities on the domains that it is polling for thus far," McAfee security researcher Shinsuke Honjo blogged.

Nortel completes sale of Alteon for $18 million

By Sean Kerner   |    April 01, 2009


From the 'how to turn billions into millions' files:

In the year 2000, Nortel Networks acquired Alteon for $7.8 billion. Today, Nortel - in bankruptcy protection in Canada and the US - completed its sell-off of Alteon to networking vendor Radware for (get this) $18 million.

The Radware deal was first announced in February and includes application delivery networking gear including Nortel's Virtual Services Switch (VSS) 5000. The VSS 5000 is a Linux-based, virtualization-optimized networking switch for which Nortel had high hopes when it was first released.

The Alteon product line sell-off is the first divestiture of assets since Nortel declared bankruptcy at the beginning of this year. Though Nortel has sold off the Alteon products, when I spoke with Nortel and Radware last month they explained that Nortel would continue to be involved in the products through an OEM relationship. It basically means that existing customers won't be left out in the cold and that the product lines will remain supported in the near term.

"The addition of the Nortel [Alteon] business to Radware's product portfolio was a strategic decision to enhance our offering and enable us to leverage the mutual strengths of both Radware and Alteon technologies, providing our customers with the next generation of more reliable, high-performance and feature-rich solutions," affirmed Roy Zisapel, CEO Radware in a statement.

It will be interesting to see what Nortel sells off next -- or if the company as a whole is entirely broken up.