RealTime IT News

Blog Archives

Juniper pulls ATM Jackpot talk from Black Hat

By Sean Kerner   |    June 30, 2009

From the 'Black Hat mythos grows' files

The Black Hat security conference is one that has a certain mystique surrounding it - which has been fuelled in recent years by controversial talks that get pulled. This year will be no different. A presentation on how to hack ATMs, titled 'Jackpotting Automated Teller Machines', has been pulled from the 2009 event set for July.

The session was going to be delivered by Barnaby Jack, a Juniper Networks security researcher. Juniper (which is a vendor I cover in both the enterprise and service provider networking space) decided after getting some pressure from the at-risk ATM vendor to have Jack pull his talk.

Juniper however is still standing by Jack and his research.

"Juniper believes that Jack's research is important to be presented in a public forum in order to advance the state of security," Juniper said in a statement emailed to InternetNews.com. "However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected."

That doesn't mean we won't eventually get to hear Jack's talk -- it's just that it won't be disclosed at Black Hat this summer.

GPLv3 use growing but GPLv2 still dominates

By Sean Kerner   |    June 30, 2009

From the 'GPLv2 and later' files:

It was two years ago on June 29, 2007 that the GPL version 3 was finalized. The GPL is the cornerstone free/open source license in use, and at the time of the version 3 update there were many questions raised about how widely the new license would be adopted.

According to new data from Black Duck, GPLv3 use has quadrupled since 2008, though overall use of GPLv3 is still dwarfed by GPLv2 usage.

Black Duck reports that there are now 9,500 GPLv3-licensed applications. That's up from 2,345 GPLv3 applications in 2008. GPLv3 now represents 5.10 percent of open source licenses currently in use.

In contrast, GPLv2 represents 50.06 percent of all open source licensed software.

Clearly GPLv3 has a very long way to go to catch up to GPLv2 - if it ever will.

Back when debates around the GPLv3 were very active, Linus Torvalds publicly stated on numerous occasions that the Linux kernel would not move from GPLv2 - and so far it hasn't. As long as that position remains the same - and I see no reason why that will ever change - GPLv2 will remain a critically important license.

That doesn't mean that GPLv3 isn't important.

With the new Black Duck data, it is clear that GPLv3 is important.

While GPLv2 still dominates, GPLv3 is just marginally behind the BSD license, which sits at 6.32 percent. Black Duck is estimating that GPLv3 will actually pass the BSD license in about 6 months' time.

Google launches new open source Sputnik for JavaScript

By Sean Kerner   |    June 29, 2009

From the 'sun spider says what?' files:

A key feature of Google's Chrome browser is its V8 JavaScript engine. But is it actually faster than other JavaScript engines? How do you measure that and is V8 compliant with all of the JavaScript specifications?

For the most part, developers have used the standard SunSpider test that helps to measure JavaScript performance. Now Google is launching a new open source JavaScript measurement tool called Sputnik. According to Google, Sputnik has more than 5000 tests to fully qualify JavaScript.

"The goal is not that all implementations should pass all tests," Christian Plesner Hansen, Google software engineer, wrote in a blog post. "V8 set out with that intention and we learned the hard way that sometimes you have to be incompatible with the spec to be compatible with the web. Rather, we want Sputnik to be a tool for identifying differences between implementations."

The Sputnik test suite requires Python in order to run - and is already available as a free download. Whether or not Sputnik will become a new standard by which browser vendors will measure themselves is a question yet to be answered.

SourceForge delivers 4 billionth open source download

By Sean Kerner   |    June 29, 2009

From the 'that's a lot of downloads' files:

SourceForge.net, the big open source app/code repository has hit a major milestone: 4 billion downloads.

Since 1999, SourceForge has been the 'go to' place for all open source downloads, but in the last couple of years, Google Code has put up a bit of a challenge. Remember also that for a while there was this constant thread in the media about how SourceForge had 100,000 projects, though most had been abandoned. SourceForge.net now has 230,000 projects and if downloads are an indication, they seem to be doing just fine.

According to SourceForge they move approximately 1.8 million downloads a day.

"Our technology enthusiast users are not simply 'clicking through'; SourceForge users are deeply engaged and interested in the entire experience," Jon Sobel, SourceForge's group president of Media, said in a statement. "Not only are they downloading software, applications and tools, they are also regularly giving back by adding more content or providing feedback."

While SourceForge.net is a significant resource for the open source community, it's also important to note that SourceForge.net itself uses a whole lot of computing resources too. I spoke with SourceForge earlier this year about their new mirror with CDNetworks. At the time, SourceForge VP Jay Seirmarco told me that traffic can spike on occasion: on one particular Wednesday in January, the SourceForge mirror network served 3.9 million downloads totaling 30.1 terabytes of data.

Fedora Linux 12 named: Constantine

By Sean Kerner   |    June 29, 2009

From the 'Roman Emperors of Sparta' files:

Red Hat's Fedora Linux community has now voted in a name for the upcoming Fedora 12 release. Constantine beat out four rival names: Chilon, Orville, Rugosa and Umbria.

Fedora 12 succeeds Fedora 11's Leonidas (a Spartan King) with the name of a famous Roman Emperor. It's actually an interesting metaphor if you follow it through. Leonidas fought off the invaders with 300 men in a valiant stand. Constantine, on the other hand, is the Emperor who brought the Christian religion to the Roman Empire. As a metaphor, does that mean that Fedora 12 will bring the Linux religion to the masses?

In any event, Fedora 12 is still in very early development. The current release schedule pegs the release date at November 3rd 2009.

By that point Fedora 12 (for the desktop) will be up against Windows 7 (no cute codename there) and Ubuntu's Karmic Koala. I've blogged before about how the different Linux distributions all have very different code names.

Ubuntu has its 'cute' animal names, openSUSE has its German philosophers, Debian is still stuck on Toy Story and Fedora seems to be fixated now on Kings and Emperors of antiquity.

*UPDATE 06/30 - Fedora Project Leader Paul Frields sent in a comment to clarify the connection between the Fedora release names - "Actually, the connection between Fedora 11 "Leonidas" and Fedora 12 "Constantine" is that both names are townships within St. Joseph County, Michigan."

PHP 5.3 coming June 30th

By Sean Kerner   |    June 25, 2009

From the 'whatever happened to PHP 6?' files:

PHP 5.3 could be out as soon as Tuesday June 30th. The new open source language release is a big deal for a lot of reasons, not the least of which is the fact that by my count this is the first major update to PHP since 2006 and the PHP 5.2 release.

PHP 5.3 is also interesting in that it includes at least one key feature that was originally intended for PHP 6 (whenever -- if ever -- that release will be out).

I spoke with Zeev Suraski, co-founder and CTO at commercial PHP vendor Zend Technologies last month about PHP 5.3. He noted that one key feature backported from PHP 6 into PHP 5.3 is namespaces, which is a way to encapsulate classes and other PHP items more easily.

While the official release is on June 30th, support for PHP 5.3 is already present in development tools from Eclipse released this week.

*UPDATE JUNE 30TH - PHP 5.3 did get released - full story is up on the main site.

Adobe updates Shockwave for critical flaw

By Sean Kerner   |    June 25, 2009

From the 'doesn't everyone use Flash now?' files:

Adobe is advising users of its Shockwave player to update to a new version to protect against a critical remotely exploitable flaw.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions and according to Adobe's advisory, "... could allow an attacker who successfully exploits this vulnerability to take control of the affected system."

Adobe's new Shockwave Player 11.5.0.600 corrects the issue, though it requires users to uninstall their existing Shockwave player first.

While some might be alarmed by Adobe's disclosure, personally I don't see this flaw as a big issue at all -- though of course go and update now!

First of all, the flaw was responsibly disclosed first by way of the TippingPoint Zero Day Initiative (ZDI). The way that works is that ZDI pays the researcher for the flaw and then keeps the details under wraps until a fix exists.

Google Chrome 3.0.190.x gets better on Linux, Mac

By Sean Kerner   |    June 25, 2009

From the 'faster browsers for Linux' files:

Google's Chrome browser has only officially been available for Linux and Mac users since early June. Since then, Google has updated the browser once, keeping it at the same version number for Windows, Linux and Mac. That is now changing with the 3.0.190.x release for the dev-channel version of Chrome.

For this release, Google actually has three separate numbers, one for each platform. The Mac is version 3.0.190.0, Windows is 3.0.190.1 and Linux is 3.0.190.2.

In my opinion, this new numbering is an obvious step as each platform is a little different. Looking over the release notes for the release, it's clear that a large part of the 3.0.190.x release is about bug fixes for Linux and Mac versions.

Among the issues fixed on Linux is the ability to import and export bookmarks. I know, seems simple enough, but remember the first Chrome for Linux release was barely stable and loaded down with bugs.

For Mac users there are incremental bug fixes too including one that will now enable Mac users to download more than one item in a tab.

Beyond just bug fixes, Google is aggressively updating its V8 JavaScript engine in all versions of Chrome too.

The release notes actually indicate not one but two version upgrades for V8 in the 3.0.190.x release cycle (versions 1.2.8.1 and V8 1.2.8.2).

It's important to remember that on Linux and Mac, Chrome is still just a dev-channel release and has not yet migrated to the stable channel. Google has three development streams for Chrome: dev, beta and stable -- so it could be another few weeks by my count until we see a stable release for Mac and Linux.

Juniper partners with NYSE for next gen data center

By Sean Kerner   |    June 24, 2009

From the 'fastest trading platform on the planet' files:

NYSE Euronext is partnering with Juniper Networks (NASDAQ:JNPR) in the build out and consolidation of new data centers. As of the time of this post, I don't have the financial details on the transaction.

The real key for the NYSE Euronext exchange for their new data centers is all about lowering latency and being faster. During a press conference announcing the deal, NYSE Euronext CIO Steve Rubinow said that for the exchange, "latency is an obsession."

Rubinow commented that the new data centers could be thought of as a cloud, though they will not be entirely virtualized.

"Real cloud technology requires virtualization and overhead," Rubinow said. "That bit of movement introduces latency."

The key according to Juniper executives in reducing latency is the fact that Juniper has its own silicon and the JUNOS operating system.

Movable Type gets forked into Melody

By Sean Kerner   |    June 24, 2009

From the 'fork is a four letter word' files:

Movable Type has been forked -- at least the open source GPL version -- into a new project called Melody.

Yes, this blog is powered by Movable Type too. Six Apart, the vendor behind Movable Type, created an open source version of Movable Type in 2008. Usually a fork of open source code happens because developers are not happy with the direction of code development and the main project.

In the case of Melody -- at least so far -- this looks to be a 'friendly' fork. The creator of Movable Type, Benjamin Trott, sees Melody fitting in at a bleeding-edge community level, whereas Movable Type will hold its position as the professional version.

"We see the Melody community focusing on the equally-valuable ideas of bleeding-edge community-driven ideas, rapid iteration, and integration with the code of other open source projects," Trott wrote in a blog post. "It's great news for the entire Movable Type community, as this new project uses the same themes, the same templates, the same plugins and the same publishing engine as Movable Type. And since it shares the GPL license with MT, it's even a great way for these new developments to work their way back into the official versions of Movable Type itself."

While I respect Trott's position, I have to respectfully disagree with his long term view of how Melody will affect Movable Type.

IBM updates Tivoli Identity Manager (TIM)

By Sean Kerner   |    June 23, 2009

From the 'who are you? And what do you want from the network' files:

Identity management is a critical component of modern network infrastructure. It provides the entitlements by which users can access applications and resources, and it is a key part of regulatory compliance for many.

IBM today is updating their Tivoli Identity Manager (TIM) to version 5.1 -- this is an application that I last looked at in 2007 when TIM 5.0 was released. I took a briefing from Joe Anthony, program director, security and compliance management at IBM, who explained to me what's new in this point update, which Anthony referred to as a 'major' update.

TIM 5.1 adds role management capabilities so enterprises can more accurately separate duties and management. There are also improvements around access certification and re-certification -- which are especially important in the current economy with staff changes occurring more frequently than ever before.

For IBM, TIM 5.1 is just one part of a holistic view of identity and access management, which is a theme that IBM was pitching to my colleague Alex Goldman during the RSA conference time frame earlier this year.

It all makes sense to me, though I can also see how it can be terribly confusing too.

Intel and Nokia join forces for open source

By Sean Kerner   |    June 23, 2009

From the 'great minds think alike' files:

Nokia and Intel have announced a new strategic partnership for mobile development. This is big news for open source, since both Intel and Nokia rely on Linux (and open source) for their respective mobile platforms.

Intel has Moblin, Nokia has Maemo -- both are Linux-based mobile operating systems. Now the two efforts will benefit from a co-ordinated joint effort on some key open source mobile applications including oFono, ConnMan, Mozilla, X.Org, BlueZ, D-BUS, Tracker, GStreamer and PulseAudio.

"Collectively, these technologies will provide an open source standards-based means to deliver a wealth of mobile Internet and communication experiences, with rich graphics and multimedia capabilities," Intel stated in a press release. "Enabling common technologies across the Moblin and Maemo software environments will help foster the development of compatible applications for these devices,  building on the huge number of off the shelf PC compatible applications."

Additionally Intel is now set to license Nokia's HSPA/3G modem technologies which will add new mobile connectivity capabilities to Intel's solutions.

In my opinion, from an open source perspective this new mobile partnership is a good thing.

Report: Ruby use on the rise

By Sean Kerner   |    June 23, 2009


From the 'dynamic languages' files:

According to a new study from Evans Data, Ruby use is on the rise in North America. On a year over year basis, Ruby usage has increased by 40 percent so far in 2009.

But, even with the big increase, Ruby is still far from being pervasive. Evans' study found that only 14 percent of developers in North America use Ruby some of the time. They are currently forecasting the number to rise to 20 percent for 2010.

The new results are from Evans Data's latest North American Development Survey which received input from 400 developers.

The rise of Ruby, which is open source, is being complemented by a rise in Linux usage as a target platform for development. It's not all positive for open source though in the Evans study. The report also found that commercial SQL databases -- by a wide margin (2.5x) -- are more likely to be used than an open source SQL database for primary database operations.

"The increasing adoption of developers using scripting languages correlates with today's overall emphasis on web centric applications which have to be highly malleable to rapidly changing market driven requirements," said John Andrews, President and CEO of Evans Data in a statement. "Interestingly, while we see Linux continue to increase as a target platform, this category of development reflects the greatest growth in targeting a non windows target platform."

Mozilla Content Security Policy takes aim at XSS

By Sean Kerner   |    June 22, 2009

From the 'making browsers safe' files:

Cross Site Scripting (XSS) flaws are growing and Mozilla is now coming up with another attempt to try and stop them. It's a new approach called Content Security Policy and its goal is to prevent XSS.

Firefox 3.x has been patched before for XSS, and Firefox 3 itself was originally supposed to provide protection against XSS as well with a W3C specification called Cross site XMLHttpRequest (that didn't make it into the final Firefox 3).

So now they're trying again, with a new approach that will help to validate that code running in a browser is authorized.

"In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be 1) loaded from an external file, and 2) served from an explicitly approved host. This means that all inline script, javascript: URIs, and event-handling HTML attributes will be ignored," Brandon Sterne, Security Program Manager at Mozilla, blogged. "Only script included via a script tag pointing to a white-listed host will be treated as valid."

There is also a plan to help mitigate clickjacking as part of CSP policy that will enable a site to specify which sites can embed a resource.
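The script rules quoted above can be turned into a simple pre-deployment check. This is an added illustration, not Mozilla's code and not part of the original post: a Python audit that lists the script on a page that would be ignored under those rules. The function name, finding labels and sample hosts are assumptions made for the example, and it does not parse or emit any CSP header syntax.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that carry URLs and could therefore hold a javascript: URI.
URL_ATTRS = {"href", "src", "action", "formaction"}

# Constructed sample page; the hosts are placeholders, not from the article.
SAMPLE_HTML = """
<html><head>
<script src="https://static.example.com/app.js"></script>
<script src="https://cdn.thirdparty.example/x.js"></script>
<script>var injected = 1;</script>
</head><body onload="init()">
<a href="javascript:void(0)">menu</a>
<a href="/about">about</a>
<img src="/logo.png" onerror="fallback()">
<script src="/local.js"></script>
</body></html>
"""


class CspAudit(HTMLParser):
    """Collects script that the quoted rules say would be ignored."""

    def __init__(self, page_url, approved_hosts):
        super().__init__(convert_charrefs=True)
        self.page_host = urlparse(page_url).hostname or ""
        self.approved = {h.lower() for h in approved_hosts}
        self.findings = []  # tuples of (kind, tag, detail)
        self._inline_open = False

    def handle_starttag(self, tag, attrs):
        attrs = [(k, v or "") for k, v in attrs]
        if tag == "script":
            src = dict(attrs).get("src", "").strip()
            if not src:
                # Rule 1: script must come from an external file.
                self._inline_open = True
            else:
                # Rule 2: the serving host must be explicitly approved.
                # Relative URLs resolve to the page's own host.
                host = (urlparse(src).hostname or self.page_host).lower()
                if host not in self.approved:
                    self.findings.append(("unapproved-host", tag, host))
        for name, value in attrs:
            if name.startswith("on"):
                # Event-handling attributes (onload, onerror, ...).
                self.findings.append(("event-attribute", tag, name))
            elif name in URL_ATTRS:
                # Browsers skip whitespace/control characters in the scheme,
                # so strip them before comparing.
                compact = "".join(c for c in value if c > " ").lower()
                if compact.startswith("javascript:"):
                    self.findings.append(("javascript-uri", tag, name))

    def handle_data(self, data):
        if self._inline_open and data.strip():
            self.findings.append(("inline-script", "script", data.strip()[:40]))
            self._inline_open = False  # report each inline block once

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_open = False


def audit(html, page_url, approved_hosts):
    """Return the findings for one HTML document."""
    parser = CspAudit(page_url, approved_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    allow = ["www.example.com", "static.example.com"]
    for finding in audit(SAMPLE_HTML, "https://www.example.com/", allow):
        print(finding)
```

Because the approved list is explicit, the page's own host has to be listed too, or same-origin scripts such as `/local.js` are reported as well.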

Palm Pre WebOS powered by Linux 2.6.24

By Sean Kerner   |    June 22, 2009

From the 'Linux Inside' files:

There has been a lot of media coverage in recent weeks about the Palm Pre smart phone. One of its key attributes is the webOS operating system that could potentially help save Palm from oblivion.

Palm has posted many of the open source applications that are part of webOS -- as they are required to do under the terms of the GPL license -- and it's an interesting list.

At the heart of webOS is the Linux 2.6.24 kernel, which originally was released by Linus Torvalds in January of 2008. It's also got BusyBox -- yeah, that same BusyBox that has been the subject of lawsuits -- which provides an embedded tool set.

For the audio/video portion there are some interesting applications in use - including ffmpeg, gstreamer, pulse audio and alsa (advanced linux sound architecture). It's not clear to me whether or not Palm is using those open source audio/video applications in conjunction with a proprietary codec.

For instant messaging, Palm is using libpurple -- which is the core open source instant messaging stack behind the Pidgin (formerly gaim) open source IM program that is in (nearly) every Linux distribution.

On the browser side, Palm is using WebKit -- which of course is the same core rendering engine used by Apple's Safari (in the iPhone) and Google Chrome (in Android). Though all three vendors are using WebKit, that doesn't mean that all three mobile browsers are exactly the same, but it does give them a common base.

Make no mistake about it, Palm Pre is powered by open source software - time will tell whether that will be the catalyst that enables Palm to succeed with developers and users.

Adobe Flash vs the Web and HTML 5. Who wins?

By Sean Kerner   |    June 19, 2009



From the 'did the web really win?' files:

I've been blogging a lot lately about HTML 5 and its video component. It's a game changing element that is also competitive against the current pervasive web video technology -- Adobe Flash.

But what does Adobe think about HTML 5?

During Adobe's second quarter fiscal 2009 investor call, Adobe CEO Shantanu Narayen responded to a question from an analyst about what HTML 5 means to Adobe. Narayen is both supportive of HTML 5 as a standard that Adobe tools will support, while also being dismissive of the competitive threat that HTML 5 video might represent to Flash.

As Narayen sees it, a real challenge for HTML 5 will be getting a consistent HTML 5 display across browsers, which is going to take a long time to do.

"It might be a decade before HTML 5 sees standardization across the number of browsers that are going to be out there," Narayen said on the call. "So clearly supportive in terms of making sure as HTML 5 is evolving that we will support it in our web authoring tools but from the perspective of continuing to drive Flash and innovation around Flash and rich Internet applications, we still think that actually the fragmentation of browsers makes Flash even more important rather than less important."

Google Chrome 3.0.189.0 breaks extension format

By Sean Kerner   |    June 18, 2009

From the 'sign here please' files:

Google Chrome 3.0.189.0 dev-channel is now out, bringing with it a major change to the way Extensions are packaged.

Extensions (known as Add-Ons to Mozilla Firefox users) are still not part of the regular Chrome experience, but with the new dev-channel release they are getting a step closer. But in getting closer, those who have built experimental extensions will now have to repackage whatever they may have done so far.

"As part of the latest dev channel release, we've had to make a breaking change to the crx format," Google staffer Nick Baum wrote on a mailing list update. "This change adds signatures to our package format, which are necessary to enable automatic updates. Unfortunately, this means that any existing extensions will stop working, and will have to be repackaged."

At this early stage, the fact that developers will need to repackage is no big deal in my view. Mozilla Firefox developers are used to repackaging their add-ons for nearly every Firefox major release, so this is par for the course.

Having signatures for Extensions is a must-have item. What that should do is ensure the authenticity of an Extension, and it should hopefully prevent malware injections.

What's also interesting to note is that once again Google is updating Windows, Mac and Linux users with this release. There are a good number of Linux and Mac specific fixes - which are needed since neither of those releases is really stable yet.

Firefox 3.5 hits Release Candidate - should it be Beta?

By Sean Kerner   |    June 18, 2009

Firefox.3.5.rc1.jpg
From the 'naming games' files:

Some vendors keep their software in Beta for a long period of time --  even calling services used by millions Beta (Gmail is still a Beta).

Mozilla however is now taking its Firefox 3.5 browser out of beta with the first official Release Candidate (RC 1).

Though, if you happen to have upgraded and just look at the 'About Mozilla Firefox' window, all it states is version 3.5 (pic left).

There has been some discussion on the Mozilla mailing lists over the last 24 hours about the naming conventions for this release, and whether or not Mozilla should have just named it Beta 6 (or 7). The last official Beta release was Beta 5, which was released in April.

"We *did* consider calling it a beta, and decided not to," Mozilla VP of Engineering Mike Shaver wrote. "One reason is that we don't want people evaluating it as "beta software" -- they should be holding it to the same standards as released software in terms of what they would report as problems, and we have seen an unfortunate number of "I would have reported it, but I figured it was beta so I'd see if it just got fixed next time" on bugs we would have rather heard about earlier."

Amazon Kindle powered by Linux, FSF not impressed

By Sean Kerner   |    June 17, 2009

From the 'free as in freedom' files:

As my colleague Michelle Menga is reporting, Amazon is now making new source code available for its Amazon Kindle. Basically, what it represents is Amazon's responsibility to make the GPL-licensed source code that is used in the Kindle available to others.

That's part of the GPL license and Amazon is doing its part.

Digging into the code that Amazon is now making available provides some really interesting insight into the underlying structure of the Kindle.

For one, Kindle (at least the DX) is using a modified Linux 2.6.22 kernel. This is a kernel that originally was released by Linus Torvalds in 2007. Is it a surprise that the Kindle is Linux powered? (not really).

Where there is Linux there are always some key Linux tools. In the Kindle's case that's the GCC 4.1.2 release for code compilation. In GCC terms that's now an older release (originally out in 2006), so I would hope that Amazon moves to the newer GCC 4.4 over time as it could yield some performance gains for them.

Amazon is also using BusyBox (how can you not if you're running embedded?), so it's a good thing they've released that code - BusyBox has been active in recent years by way of the Software Freedom Law Center (SFLC) in making sure that vendors that use their code actually comply with the GPL.

That doesn't necessarily mean that those that back the GPL are entirely thrilled with Amazon. In fact the Free Software Foundation (FSF) actually refers to the Kindle (somewhat less than politely) as the 'Swindle'.

"It's good that Amazon is complying with the licenses and not behaving illegally, but this is hardly something praiseworthy," John Sullivan, operations manager at the FSF, blogged. "Amazon benefited from the freedoms passed on to them by other free software authors, and that benefit comes with an obligation to convey that same freedom to their users -- to share alike."

2 million+ Cligs short URLs hacked

By Sean Kerner   |    June 17, 2009

From the 'don't click everything you see' files:

Thanks to Twitter, URL shortening services are now commonplace, but their popularity can also potentially put them (and you) at risk. URL shortening service Cligs has reported that its service was hacked on Monday. What the attack did was take Cligs URLs and redirect them to a different URL than they were originally supposed to go to.

All told according to Cligs, 2,188,978 URLs were edited in the attack. That's a lot of URLs.

What Cligs is doing now is restoring the correct URL points, but they apparently can't do it for all of the 2 million plus URLs that were affected - 161,232 URLs were not in their backup (7 percent).

This isn't the first time a URL shortening service has been the victim of an attack. In February, TinyURL was the target of a 'don't click' attack.

At the heart of the issue really is the fact that Twitter has helped many users to forget that they shouldn't just click on every URL they see. It's something that security researchers have commented on and something that I agree with.

In this case though, the URLs were originally legitimate and all likely were in real posts from real users. The back end service was compromised - so how is a user to know?

Windows users must make sure they've got anti-virus/anti-phishing protection on in their browsers and perhaps more importantly - always be vigilant. If something doesn't look right, then it might well not be right.

Twitter is down. Is this a sign of immaturity or genius?

By Sean Kerner   |    June 16, 2009

From the 'not available now' files:

Twitter is down right now - it's part of a scheduled maintenance window that started at 5 PM ET. This was rescheduled from an overnight window to enable continued discussion in Iran over Twitter as my colleague Alex Goldman reported earlier today.

That's all fine and nice, and a brilliant altruistic move - but right now, I'm suffering from Twitter withdrawal.

But wait, I understand that it's a maintenance thing from Twitter's carrier NTT, but does that mean that Twitter is not using multiple carriers?

Does it mean that Twitter is not distributed?
Does it mean that Twitter has a single point of failure?

Apple fixes Java for Mac, finally

By Sean Kerner   |    June 16, 2009


From the 'why so long?' files:

Apple has finally patched Java on the Mac for a long list of issues that had already been patched on other operating system platforms.

As opposed to Windows users that get their Java updates directly from Sun (and soon Oracle?), Apple packages Java for the Mac itself. So users need to wait until Apple releases its official Java for the Mac updates to get the latest fixes.

The issue with Apple providing its own fixes is that they are delayed - by some accounts by as much as six months - after Sun issues updates for other operating systems.

Security researcher Landon Fuller recently warned on his site about numerous Java vulnerabilities that had already been publicly disclosed, and fixed by Sun. Fuller issued his own proof of concept for the flaws in May.

While I understand the need for Apple to maintain its own Java packages to ensure the quality of experience for Mac users -- I do not understand the excessive delay in following Sun's patches. If proof of concept code exists -- as it did for the Java issues - Mac users are at risk, when they shouldn't be.

Simply put, Apple needs to be more diligent in tracking updates to third party software that it maintains - whether it's Java or any of the open source packages it also maintains.

Opera Unite adds server to browser. Who needs it?

By Sean Kerner   |    June 16, 2009

From the 'huh that's an interesting idea' files:

The way that browsers have worked since the time of NCSA Mosaic is as clients to the wider world of the Internet. Opera Software is trying to change that with the alpha release of a technology that includes a web server in the browser.

Officially called Unite - Opera is now including it in a special build of their Opera 10 browser. Initially, Opera sees 6 key services for Unite: file sharing, web serving, media player, photo sharing, chat and note posting (the Fridge).

It all sounds fine and nice - but in my view when you boil it down - it's just a web server. Sure it's a web server that is automatically set up and accessible via the browser - but it's still a web server.

I see no mention of it as a distributed or P2P type service in any of Opera's developer specs, which means that whatever it is you're hosting is hosted locally and using local bandwidth. For small items, that's fine but in the new era of metered bandwidth, I think users with large media/photo collections would be wise to think twice before hosting content on their own.

Another reason why local servers (unless I'm missing something) are somewhat troublesome, is the fact that they are only accessible when the local server is physically on. Sure - your photos and media don't have to be available 24/7 but that's something that a web based service can offer.

For me, I've run web servers for far too many years dealing with the seemingly infinite security, bandwidth and availability issues that need to be considered to really give Unite a chance on my desktop browser. Does Unite offer the IPS/Firewall controls that will enable me to actually be secure? Does Unite open up my network to additional risk?

Yeah, I'm a little pessimistic here, but those criticisms aside - Opera is taking the anti-cloud approach here and it is somewhat refreshing. Not everything should live in the cloud. Some things do work better locally and for some users Unite will be a valuable service. Setting up your own web server is not easy and not everyone wants to use Facebook to share all their stuff.

Now as to whether or not other browser vendors will follow Opera on this, only time will tell.

SCO fights off Chapter 7 bankruptcy

By Sean Kerner   |    June 16, 2009

From the 'fight till the bitter end' files:

You gotta hand it to SCO, they've got an incredible knack for survival. I (like many others) was expecting SCO to enter into Chapter 7 bankruptcy this week - that means the existing Chapter 11 bankruptcy that protects SCO from creditors would be converted to a liquidation where creditors carve up SCO's assets.

As it turns out, SCO has another 'trick' up its sleeve: according to a report in the Salt Lake Tribune, it has pulled out a renewed agreement with investor Stephen Norris to pay off creditors and keep SCO's litigation claims against IBM, Novell and others afloat.

Groklaw reports that the new hearing is set for July 16, with a backup date of July 27.

If the name Stephen Norris (no not Chuck) sounds familiar -- it should.

Norris came to the aid of SCO first in February of 2008 with a proposed $100 million lifeline. Norris is now back and his action - for now - is keeping SCO a going concern for at least another month.

SCO entered into Chapter 11 protection in 2008 after losing a decision to Novell on the ownership of UNIX copyrights. The company had been delisted from NASDAQ in late December 2008, and has since been traded in over-the-counter "Pink Sheets."

Month of Twitter bugs. The real Twitpocalypse?

By Sean Kerner   |    June 15, 2009

From the 'fail whale bugs' file:

Regular Twitter users are used to seeing a 'fail whale' every so often that indicates the service is down for some reason (usually capacity). In July, the fail whale could be coming from a different source - namely the month of Twitter bugs.

Security researcher Aviv Raff has announced that July will be the month of Twitter bugs. Raff was part of H D Moore's Month of Browser bugs back in 2006 - so he's the real deal.

Raff isn't targeting Twitter.com but rather the Twitter API -- which is what powers third party Twitter clients like Twhirl and TweetDeck.

"Each day I will publish a new vulnerability in a 3rd party Twitter service on the twitpwn.com web site," Raff wrote on his website. "As those vulnerabilities can be exploited to create a Twitter worm, I'm going to give the 3rd party service provider and Twitter at least 24 hours heads-up before I publish the vulnerability."

No, this isn't the Twitpocalypse -- then again the Twitpocalypse of last Friday (where a programming issue could have led to the stoppage of third party Twitter clients) was a non-event itself, with Twitter services (as best as I can tell) operating normally on Friday through until today.

Certainly there are flaws in the Twitter API. Twitter has been experimenting with OAuth for user authentication and that approach has its own security issues.

It will be interesting to see if there are 30 days' worth of bugs that can be found in the Twitter ecosystem. Either way, the fact that Raff will give the vendors a heads-up first means they've all got the opportunity to fix flaws first - which ultimately, hopefully will make Twitter more secure for all Twitter users.

Follow me on Twitter @TechJournalist

Report: Most users can't spot a phishing site

By Sean Kerner   |    June 15, 2009

From the 'I prefer my fish grilled' files:

VeriSign is out with a new report this morning, stating that 88 percent of web users in the US can't identify phishing sites. Phishing sites are spoofed copies of legitimate sites that aim to trick users into giving up information.

While the VeriSign numbers sound disturbing -- they're actually an improvement from data that I reported on in 2005. Back then, I wrote a story about a report that stated that only 4 percent of users can spot a phished e-mail 100 percent of the time.

In the new 2009 report from VeriSign, they peg a few common areas that users miss. One of them is a misspelling in a site's name, the other is a padlock in the browser address bar. The browser padlock of course is a sign that a site is SSL secured (and oh yeah VeriSign sells SSL certificates).

The simple truth of the matter is that for important websites - be they banking or otherwise - web users should directly type in the address of the site themselves. Phishers generally operate from links - that is you get a link in an email, other website or Twitter and then click through.

Is phishing something to be concerned about? Of course it is. The fact that the vast majority of users can't spot a phishing site is a concern, but the reality is that users need to just be careful whenever they are going to pass off personal information in any medium, online or otherwise.

Should Google embrace Ogg for HTML5 and YouTube?

By Sean Kerner   |    June 15, 2009

From the 'free video' files:

HTML 5 is coming and it could change the face of video, enabling browsers to directly include video with the new <video> tag. Apple's Safari 4, Opera 10, Google Chrome and Firefox 3.5 all have some form of HTML5 video support but what about the big video sites? What about Google's YouTube?

It turns out that Google is testing HTML 5 video now on YouTube -- if you've got an HTML 5 ready browser you can check out their demo at http://www.youtube.com/html5. The issue with HTML 5 video though is which codec will be used for the video. This is a topic I've blogged on before -- just last week I had a post where Mozilla's Director of Firefox Mike Beltzner called on all browser vendors to embrace the open Ogg video format.

Another Mozilla staffer - this time VP of Engineering Mike Shaver - is now turning up the heat on Google in a public mailing list tirade against Google and its use on YouTube of the H.264 codec (which is patent encumbered) instead of Ogg.

"I do not like the situation on the web today, where to use all the content you need to have a license to Flash," Shaver wrote. "And I'm saddened that Google is choosing to use its considerable leverage -- especially in the web video space, where they could be a king-maker if ever there was one -- to create a _future_ in which one needs an H.264 patent license to view much of the video content on the web. Firefox won't likely have native H.264 support, since we simply can't operate under those patent restrictions."

This is a serious debate and one that could ultimately mean that the <video> tag in HTML5 does - or doesn't - get widely used. In my opinion, it's great to have the tag, but if there is no general agreement on the underlying video codec - at least as a choice - then <video> just won't be a viable option for the majority of web developers.

That's where Flash video - with all of its associated patent and licensing issues - has worked well and will continue to work well for years to come. Flash is pervasive and it has completely abstracted the underlying video codec argument. If you have Flash then YouTube or any other site delivering video by way of Flash simply works. The added complexity that HTML5 (at this early point) brings to the discussion with codec issues is one that no doubt will scare away a few (non-early adopter) web developers.

Will Twitter end today with the Twitpocalypse?

By Sean Kerner   |    June 12, 2009

From the 'shadow of Y2K' files:

At 5 PM ET/2PM PT today (Friday June 12, 2009) Twitter will officially hit what is being called the Twitpocalypse.

The Twitpocalypse is a mathematical event that could spell the end (for a short period) for third party Twitter clients. The way the Twitter API works is that a unique numeric identifier is assigned to each and every tweet.

At 5PM ET (or so) the unique identifier will hit 2,147,483,647. That number apparently is the signed integer limit and it will cause third party Twitter clients to crash.

The 5 PM ET Twitpocalypse is actually an induced event...it was originally going to occur sometime around 3 AM PT on Saturday. But Twitter developers figured it would be better to trigger the event on a Friday afternoon than to allow it to occur naturally.

"This will let us make sure we have all staff available in the unlikely event something goes wrong on our end," Twitter developer Matt Sanford wrote in a mailing list posting. "We'll also be available when people who don't follow the twitter-dev-talk list start reporting errors. While we did warn developers about the Twitpocalypse I'm sorry we didn't think about setting a drop-dead date and scheduling this previously. We'll keep trying to improve on warnings like this.

Good night, and good luck."

There is no indication that the Twitpocalypse will affect the web based Twitter client - but hey, most people (myself included) use a third party client. So if you're out tonight and can't seem to access Twitter - don't blame the Fail Whale - it's the Twitpocalypse.

Oh and if you want to watch the official countdown - it's all online at Twitpocalypse.com.

Follow me on Twitter @TechJournalist

Safari 4 tops 11 million downloads, most on Windows

By Sean Kerner   |    June 12, 2009

From the 'Apple tech for Windows users' files:

Apple is reporting that its new Safari 4 web browser was downloaded 11 million times in the first three days (two of those downloads are mine).

I don't own a Mac (my last Apple was an Apple ][e) but I do have a PC (dual-boot and vm'ed Windows/Linux). I'm not alone as a PC/Windows downloader of Safari: Apple is reporting some 6 million downloads -- that's more than 50 percent -- on Windows.

That's astounding. I would have thought that the majority of downloads would be for Mac!

In terms of download success, Firefox 3 set a world record in its first 24 hours of release with 8.3 million downloads. The Firefox 3.5 release is nearing and no doubt the marketing people at Mozilla will be looking to top their record.

Records aside, Safari 4 is a slick, fast browser. No doubt some of the Apple brand halo from the iPhone and iPod product lines has rubbed off on Safari with Windows users. It's also important to see a base of Safari that goes beyond just Macs - as that means the browser is more likely to actually work well on even more sites - and have even more developers try and take advantage of some of its features.

I'm especially keen on the evolution of HTML 5 features -- particularly video - which is part of Safari 4. As more and more users embrace next generation browsers that support HTML 5 video, it's increasingly likely that more sites will develop with HTML 5 features in mind too.

Fedora is concerned about Mono

By Sean Kerner   |    June 12, 2009


From the 'it's not contagious is it?' files:
 

Mono - Novell's implementation of Microsoft's .NET framework on Linux - is an interesting technology. It enables some valuable Linux applications like Tomboy (for note taking) and also raises some interesting legal questions.

Since Mono benefits from the Microsoft/Novell interoperability agreement, some in the Linux community have concerns about the legal status of Mono when it comes to redistribution. Among those that have a concern is Fedora Project Leader Paul Frields.

While Mono is part of the new Fedora 11 distribution (in the repository), at this point it's likely not going to be part of Fedora 12. Frields told me that the change for Fedora 12 is mostly around the fact that there is now another project to replace Tomboy (gNote) that does not require Mono.

That said, Frields also told me that in his view there are some problems with the language used in the legalese surrounding Mono and its redistribution.

"We do have some serious concerns about Mono and we'll continue to look at it with our legal counsel to see what if any steps are needed on our part," Frields said.

While Mono is part of Fedora, Mono is not part of Red Hat Enterprise Linux and hasn't been since 2006. It's not clear if Mono will stay or go for the final Fedora 12 release when it appears 6 months from now.

"We haven't come to a legal conclusion that is pat enough for us to make the decision to take mono out," Frields said. "Right now we're in a status quo. Gnote is a relatively recent development and unfortunately was too late in the Fedora 11 development cycle to include by default."

Legal issues aside -- that's the real crux of the matter. It's all about the apps. If there are apps that Mono enables that really add value, then surely Mono will either be bundled directly or downloaded by users -- regardless of the position taken by any distribution itself.

Mozilla calls on all browsers to support Ogg for HTML 5

By Sean Kerner   |    June 11, 2009

Mozilla.Toronto.Door_small.jpg
From the 'open web video' files:

A key part of the HTML 5 specification is support for the new <video> tag. It's a new tag that could potentially revolutionize the world of web video by enabling web browsers to directly load and control video.

The only issue -- and it's a big one in my view -- is what video codec should be used?

Google Chrome, Apple Safari 4, and Firefox 3.5 all have some type of support for HTML 5 and the video tag, but not all of those browsers support the same video codec/formats for use with the tag.

Mozilla has chosen to use the Ogg format, which is an open format that will work for Windows, Mac and Linux users.

I recently visited the Mozilla Toronto office (that's their door in the pic above) and sat down with Director of Firefox, Mike Beltzner.

In the video below, Beltzner explains to me why Ogg is the key to ending the codec wars and encourages other browser vendors to get on board too.

Google set to go Native with Chrome

By Sean Kerner   |    June 11, 2009

From the 'big ideas that will change the web' files:

Native Client is coming to Google -- soon. This is big news. Native Client is a technology that will enable a browser to run code over the web: not just JavaScript or Java, but regular software. It's an approach that has profound technological implications in terms of software delivery, the cloud and oh yeah -- security.

In a mailing list posting, Brad Chen, Google's Native Client engineering manager, announced that Native Client (which had been just a research project) is now moving into its early production development phase.

"Based on our experience to date, we believe that the basic architecture of our system is sound and the implementation is supportable," Chen wrote. "So now we are undertaking a number of tasks to transition Native Client from a research technology to a development platform."

Among those tasks is getting the code into the Chromium project (Chromium is Google's open source development effort that leads to Chrome browser releases). Currently the Native Client is being implemented as a browser plug-in, though Google is planning on fully integrating the technology into the core of Chrome.

Google crashes Chrome 3.0.187.0, update halted

By Sean Kerner   |    June 11, 2009

From the 'they never said it was stable' files:

At 6:28 PM PT on Wednesday, Google issued Chrome dev-channel version 3.0.187.0. Just over an hour later (7:31 PM) the update to Chrome users was halted -- due to a serious crash condition that made the browser difficult to use.

"The crash is http://code.google.com/p/chromium/issues/detail?id=13759," Google's Mark Larson wrote in response to Chrome user complaints about 3.0.187.0. "I'm stopping the update of this build. Apologies to those who've already got the update. We'll push a fix as soon as we can tomorrow."

As a Chrome dev-channel user myself, I did not get the update prior to it being halted by Google - but the comments on the release page speak volumes. The simple act of checking menus and version number (which is something that is a common activity) triggers the crash.

Crashing this version of Chrome should not be a terrible surprise -- after all Google does name it the dev-channel version. Google has three versions of Chrome: dev, beta and stable.

Aside from the crash condition, the 3.0.187.0 release (when updated will it be 3.0.187.1?) is interesting in that it is an update for Windows, Mac and Linux. This is the first simultaneous release of Chrome for all three platforms ever.

Google just started making public builds for Mac and Linux last week.

The ironic thing, from my point of view, is that the 3.0.187.0 release itself was supposed to be a big update for crash conditions. The release notes indicate at least 17 different crash conditions fixed in this version.

But apparently it was the one they missed that halted this release.

**UPDATE**
Google has now issued an update - now called 3.0.187.1.

Red Hat JBoss gets eXo portal tech

By Sean Kerner   |    June 10, 2009

From the 'open source contributions' files:

Red Hat's JBoss is getting a technology infusion by way of the contribution of the eXo portal.

The eXo portal is now going to be part of a new joint JBoss Red Hat project and does not replace the existing JBoss Portal effort, but could end up benefiting it -- eventually.

According to a Red Hat blog post, "the new combined project will leverage the best elements and technologies from the existing JBoss Portal and eXo Portal projects."

What's interesting to me is that this is a growth of the JBoss.org community and follows a similar path to other JBoss open source efforts. Back in 2007, JBoss got code contributions from Exadel, which led to new JBoss products.

It will be interesting to see where this new collaboration leads and if the two parties - eXo and Red Hat - actually remain separate (that is, Red Hat doesn't acquire them outright).

"The eXo portal has some impressive functionality in terms of ease of use, UI flexibility and straightforward management administration-- JBoss.org's current portal project has a robust engine, performance and security features, combined this collaboration project will help drive portal capabilities forward," said Mark Little, Sr. Director of Engineering, Middleware at Red Hat in a statement. "We are pleased that eXo is joining the JBoss Community to collaborate on this newly formed project."

Jitterbit 3 expands open source data integration

By Sean Kerner   |    June 10, 2009

From the 'complex things we need to do' files:

In a perfect world, data would all be easily transportable and consumable. The world is not perfect, and that's why the work that open source data integration vendor Jitterbit does is valuable to many organizations. I first wrote about Jitterbit around the time of their 1.0 release in 2006, and now they're gearing up with their 3.0 release.

What has changed in the last three years is that Jitterbit now has some big name customers including NASA and Continental Airlines, and their software is scaling to meet the demand of larger organizations and more complex types of data integration.

Jitterbit 3.0 now has support for multi-user environments as well as the ability to stream data via HTTP.

What is helping to drive Jitterbit's business forward is the cloud.

"The lion's share of our business today is coming from organizations that are adopting some kind of cloud computing," Ilan Sehayek, CTO of Jitterbit told me.

That makes a lot of sense. Cloud infrastructures by their nature are distributed and have a built-in need to pull data from multiple sources.

IE 8 gets fixed for PWN2OWN vuln (again?)

By Sean Kerner   |    June 09, 2009

From the 'double checking facts' files:

There was an interesting update as part of today's Microsoft Patch Tuesday, for a vulnerability that I personally had thought was already patched. The vulnerability is one discovered by security researcher Nils at the PWN2OWN event in March.

In the April Patch Tuesday, I was expecting a Microsoft update for the issue but one never came -- at the time Microsoft told me that the version of IE 8 that Nils was using was not the final version of IE8 and wasn't vulnerable.

So what happened between April and June that Microsoft is now patching for an issue that I had thought (based on what Microsoft told me) wasn't an issue?

Open Source Vyatta raises $10 million led by Citrix

By Sean Kerner   |    June 09, 2009

From the 'Linux routers' files:

Vyatta, the feisty open source startup that is trying to take router market share from Cisco and Juniper, is getting an injection of $10 million today. The $10 million is Vyatta's 'C' round of financing and is led by Citrix Systems. That's a decent sized investment from my point of view.

Aside from the dollars, Vyatta is now also part of the Citrix Ready product verification platform that will make Vyatta's routers ready for Citrix's cloud and virtualization offerings.

This is an interesting partnership - the way I see it, this partnership will give Citrix users/customers the ability to do an integrated routing/virtualization/remote desktop kind of stack. Citrix however has its own hardware too, like the Netscaler lineup, so it's not clear to me whether the Vyatta partnership will compete with - or just complement - that offering.

For its part, Citrix sees Vyatta as complementary.

"Vyatta's solution is very complementary to the Citrix Cloud Center product family," said John Fanelli, vice president, solutions and community marketing at Citrix Systems in a statement. "Together, our goal is to provide customers with tightly integrated virtual infrastructure solutions that deliver cost savings and greater efficiency in enterprise and data center environments. Vyatta delivers a unique piece of the cloud puzzle by delivering open, scalable routing and security that is not tied to proprietary hardware."

Technical solutions aside - the fact that Citrix is now a key investor in Vyatta also raises the question of whether Citrix might just acquire Vyatta outright. It would give Citrix a more complete end-to-end stack against competitors like Cisco and provide differentiation against Blue Coat.

Time will tell how deep and how wide the Citrix/Vyatta partnership extends, but one thing is for sure - Vyatta has managed to convince at least one big vendor that an open source Linux router is the way forward for networking.

Apple Safari 4 out of beta - that was fast

By Sean Kerner   |    June 08, 2009

From the 'what will Apple announce at WWDC' files:

It's official - Apple's Safari 4 is now out of beta. Frankly, I'm not surprised.

I've been running Safari 4 (on a Windows test box) since February when the first Beta came out. Since that time, I know that Apple has updated Safari at least once (mostly for security).

In my experience, Safari 4 as a beta was already production quality so it's not surprising that it's now final. The key things about this release are the same themes that highlight new Google Chrome and Firefox 3.5 releases -- namely faster JavaScript (in Apple's case they call their engine Nitro now) and HTML 5 support.

For Safari 3.x users, Safari 4 is a huge leap forward; the speed of the browser is something that actually changes the browsing experience. The top sites feature, which is Apple's approach to showing users the top sites that they've visited, is a neat 'eye-candy' feature.

HTML 5 support in my view is the item that will really help to literally change the web experience. Among the HTML 5 supported features in Safari 4, Apple is supporting offline storage, which means that users can access some of their cloud/on-demand data - locally. Offline storage is the standardized approach to what Google is trying to do with Gears. It's not yet widespread across the internet as a whole, but it will be (at least, I think so).

In terms of competition, Apple states in its release that, "Safari quickly loads HTML web pages more than three times faster than IE 8 and three times faster than Firefox 3." Mozilla's Mike Beltzner has told me that Firefox 3.5 (which is nearing completion) is three times faster than Firefox 3 as well (which means that Safari 4 and Firefox 3.5 are nearly the same speed?).

Apple also states in its release that, "Safari is enjoyed by 70 million users worldwide." With Safari 4 now out for both Mac and Windows users, I'd say it's a safe bet that Safari 4 is likely to help Apple grow its base.

**UPDATE**
Just finished going through Apple's security notes on the Safari 4.0 release.

There are a lot of updates, some more serious than others, but nothing too shocking in my view. WebKit gets a bunch of fixes for image handling and even cross site scripting issues. Safari's private mode also gets a fix to actually keep cookies private -- so if you were using the beta before - guess what? - your sessions were not as private as you may have thought.

Happy Birthday PHP!

By Sean Kerner   |    June 08, 2009

From the 'was it really that long ago?' files:

On June 8, 1995, Rasmus Lerdorf issued the first public release of PHP. It's a language that became the key development language of the Web 1.0 world powering millions of sites (including InternetNews.com).

Sure you can argue that PHP didn't 'really' take off until PHP 3 or 4, but it's important to note the birthday of the first PHP public release. It's a dynamic language that quite literally helped to power the Internet revolution. PHP is the 'P' in the LAMP stack (Linux/Apache/MySQL/PHP).

For me, PHP 3 and more so 4 is where I spent the bulk of my development time in the early days. Remember there was no Ruby on Rails, no .NET and JavaScript was for eye candy mostly and not dynamic website generation.

Now in 2009, PHP has its fair share of competitors but it still soldiers on. PHP 4 is now at its end of life and PHP 5 (first released in 2005) is the way forward for PHP developers. PHP 5.3 is nearing completion, adding elements that originally were destined for PHP 6.

Zend, the company founded by Andi Gutmans and Zeev Suraski (the two guys that drove the PHP 3 release), put out a Zend Server release this year - marking in my view - the debut of an easy to setup/manage PHP middleware distribution.

What's amazing to remember in the story of PHP is that this is a language that has grown and prospered as an open source project. Sure Zend is a commercial backer, but they're not the only ones driving it. The community has provided key direction and continues to help push it forward.

So Happy Birthday PHP and thanks for all the code.

Nortel carrier softswitch biz still thriving

By Sean Kerner   |    June 08, 2009

From the 'counter-intuitive stats' files:

Nortel has had a challenging year in 2009, entering into bankruptcy protection in January. Yet even with its financial challenges, according to a pair of industry research forecasts, Nortel is still the leader in the carrier softswitch market.

In a release issued this AM, Nortel cites research from Dell'Oro Group and from Infonetics Research that shows Nortel as the leader. Dell'Oro reported that Nortel has a global market share for softswitches of 20.3 percent. Infonetics reported that in North America, Nortel held a 59.1 percent market share by revenue and 29 percent in EMEA.

With such (reported) strong revenue shares, it's somewhat interesting to note that Nortel itself is still losing money. For the first quarter of 2009, Nortel lost $507 million.

Clearly there is a disconnect - Nortel has some market leading products, yet it is still losing money. That's the challenge that Nortel's management continues to face as it tries to restructure its business. Cut out the money losing operation, become more efficient and continue to grow the technologies that are already winners.

It's no small task, and it sure will be interesting to see if Nortel can successfully emerge from its restructuring as a leader in the areas that it currently leads in (like the carrier softswitch market).

Black Hat founder Jeff Moss joins DHS Advisory Council

By Sean Kerner   |    June 08, 2009

From the 'insiders viewpoint' files:

Jeff Moss, the founder of the Black Hat and Defcon conferences, is now officially helping the U.S. government. Moss was sworn in on Friday by U.S. Department of Homeland Security (DHS) Secretary Janet Napolitano to the Homeland Security Advisory Council (HSAC).

HSAC is a group of 16 members from various sectors of the US economy that provides advice to the DHS secretary. Moss is an incredible addition to the HSAC in my view.

Black Hat and Defcon as conferences have always skirted the thin line between legitimacy and hacking, always trying to stay on the right side in my view. Moss's approach has been to expose the issues and the research that leaves IT users at risk - with an eye towards responsible disclosure.

Sure there have been issues in the past (and likely always will be) with sessions being pulled at a Black Hat event -- that's part of the mythos of Black Hat. But Moss is the man that is at the center of it all. He sees both sides of the equation with the vendors and the researchers.

It makes good sense for the DHS to lean on Moss's expertise as part of its efforts to secure the US. I've seen plenty of 'Feds' at Black Hat events over the years (often on the 'Meet the Feds' panels) and the Government has made a plea in the past for more security research involvement and participation in the cyber defense of the US.

While the advice of one man alone will not make the US secure, Moss's voice is one that I personally am really glad that DHS is now officially listening to.

Google Chrome lands on Linux, Mac

By Sean Kerner   |    June 05, 2009

From the 'still in the oven' files:

Google, at long last, has publicly made a build of its Chrome browser available for Linux and Mac users.

But don't get too excited yet - it doesn't work (well) yet.

When Google Chrome first debuted, it was Windows only with the promise of more platforms 'soon'. Now more than ten months later, neither Mac nor Linux versions are actually ready for public consumption, but they are getting closer.

For the Linux version, Google right now only has .deb package files for Ubuntu, so other Linux users will have to (try to) build from source. That's right - NO RPMs!!

Plug-ins don't work, which means no Flash and no YouTube. Printing doesn't work (shouldn't that just be a CUPS thing?) and the browser seems to crash more often than it should, in limited testing I've done so far with it on Ubuntu Jaunty.

But it is here.

What the delay in the Linux and Mac versions further reminds us is that Windows is and was the first priority for Google Chrome. Developers made choices that make it better for Windows, but difficult to port for other platforms.

Had Google simply chosen a cross-platform GUI toolkit like GTK+ or Qt perhaps they could have had a single build for multiple platforms.  Then again, Chrome on Windows wouldn't be as fast as it is now if they made that choice.

It is still too early to know if Chrome on Linux and Mac will actually be faster (or better) than Firefox or Safari on those platforms. That said, it will be interesting to see if, and how Google actually keeps the new Mac and Linux builds on the exact same pace as the Windows builds or if they will lag.

Intel buying Wind River for $884 million

By Sean Kerner   |    June 04, 2009

From the 'all your OS are belong to us' files:

Intel (NASDAQ:INTC) is acquiring embedded software developer Wind River (NASDAQ:WIND) for $884 million. Wind River is a company I've been tracking for years as a key player in the embedded software operating system space, first with its proprietary VxWorks OS and since 2004 with Linux.

Wind River is also doing reasonably well in the current economy. For its fiscal 2009 year, which ended on January 31, 2009, Wind River reported $359.8 million in revenue, a 9 percent year-over-year increase.

Intel and Wind River are hardly strangers. Wind River has been working closely with Intel for years, on both Moblin (Mobile Linux) and in the in-car infotainment area.

What is particularly interesting though is the fact that in the embedded space, Wind River is not an Intel only embedded vendor. In fact VxWorks works on a wide number of embedded processors as does its flavor of Linux.

In my view, the acquisition of Wind River gives Intel a massive new entry point into the broad market for embedded software. With Wind River, Intel gets a company that has been active in embedded development - both proprietary and open source - for years.

Having silicon and CPUs alone is simply not enough to drive adoption. What Intel is doing with this acquisition is recognizing once again that developers are the key and that software development tools and operating systems are the path to developers.

This acquisition will also change the competitive landscape somewhat.

MontaVista Linux, which competes against Wind River, is also a supporter of Intel's Moblin. MontaVista, however, also supports more processors than just Intel and perhaps could use the fact that it is not owned by Intel as leverage with other embedded silicon vendors.

It's a bold step for Intel and certainly one that will shake up the embedded market. It will be interesting to see how Intel uses its Wind River assets to either support other silicon vendors or drive more device vendors to Intel platforms.

SAP gets closer to open source with Eclipse

By Sean Kerner   |    June 03, 2009

Thumbnail image for SAP_CTO_small.jpg
From the 'who isn't open?' files:

When I was at Interop in Las Vegas a few weeks ago, I heard SAP CTO Vishal Sikka (pic left that I took) explain how SAP supports Open Source for the cloud.

Today, SAP extended its open source commitment by upping its membership status within the Eclipse Foundation. SAP is now a Strategic Developer (up from being a Strategic Consumer). With the new membership level, SAP is set to provide at least eight full-time development resources as well as help lead an open source project within Eclipse.

Basically it means that SAP will become more active in open source development at Eclipse. SAP has actually also proposed a new Eclipse project, codenamed Pave, that will be a template-based application framework for complex application development.

SAP is no stranger to Eclipse and is in fact a founding member of the foundation and uses Eclipse as the basis of its NetWeaver technology.

Moving from consumer to developer is key in my view because it is a different level of participation. It means that SAP will contribute more resources - which could ultimately benefit SAP as well as the broader base of Eclipse users.

Red Hat Linux helps to power Verizon's Cloud

By Sean Kerner   |    June 03, 2009

From the 'who said penguins can't fly' files:

Verizon Business rolled out its Computing as a Service (CaaS) product today, which brings the big carrier directly into the cloud marketplace. While the cloud is a compute infrastructure, it still needs an operating system and for Verizon that means both Red Hat Enterprise Linux and Microsoft Windows.

That's a big deal in my view; it means that when it comes to choice for cloud computing from one of the biggest US carriers there are only two choices: Red Hat or Microsoft.

Unix isn't a choice in the Verizon cloud and neither are other flavors of Linux. Have we now reached a point in the IT marketplace where it really is just a battle between Microsoft and Red Hat? 

What will be interesting to see over time from Verizon is how the numbers shake down in terms of actual usage. That is - are more Verizon users running their cloud apps on Linux or Windows?

Red Hat already has a cloud offering with Amazon - as does Ubuntu. Red Hat also has a partnership with Cisco on the Unified Computing System (UCS) where some 80 percent of initial deployments were all using Linux. Clearly Red Hat sees opportunity in the cloud and clearly they are getting some traction with some of the biggest names in technology to push Linux off the ground and into the cloud.

"Verizon CaaS was engineered to meet the challenging security needs and performance requirements faced by enterprises and the Red Hat Enterprise Linux operating system is playing a big part as we bring this unique offering to customers around the world," said Michael Marcellin, vice president of global managed solutions, Verizon in a statement.

Opera 10 Beta is out. But does it matter?

By Sean Kerner   |    June 03, 2009

From the 'nice guys finish last?' files:

Opera is out today with the first Opera 10 beta. The new browser had been in Alpha since at least December of 2008. Opera is claiming the new version is faster than its predecessor by way of the Opera Presto 2.2 rendering engine.

Though speed is key (and is a major selling point for all modern browsers), the big shift from my point of view is the inclusion of (even more) HTML 5 specification items, including support for CSS Web Fonts. The Web Fonts spec (also supported in Firefox 3.5) means that web sites will no longer be limited in the fonts they can use (as opposed to using images for text fonts). This is a huge shift and one that has monumental implications for web layout and design.

Opera 10's overall standards score is -- well it's a perfect 10 on the ACID 3 scale  - which is a score that few (if any) other browsers can claim.

But that's the problem in my view for Opera - there are other browsers.

Other browsers with more users, more marketing pull and more momentum. Microsoft's IE is still the leader - primarily because it is still installed by default on hundreds of millions of PCs worldwide. Apple's Safari is the default on tens of millions of Macs and iPhones. Google Chrome uses its search engine power and status to help push its new browser. Mozilla Firefox has over 270 million users driven partly by its Netscape legacy and more importantly by its open source community momentum.

How can Opera compete? On technology? Maybe -- but technology alone is not enough to gain mind and market share. I personally think that there will always be users that are loyal to Opera, that have used it for years and will continue to use it for years to come. Getting existing Firefox, Safari or Chrome users to migrate is probably more difficult and Microsoft continues to improve IE.

That's all on the desktop - Opera has a leading status on mobile phones (thanks in no small part to Nokia), and as the number of mobile devices proliferates, Opera could end up getting the last laugh.

That said, the modern browser marketplace is now the most competitive of all time and it is harder than ever to stand out from the pack. Whether or not the final version of Opera 10 has the impact necessary to advance Opera (or just to keep it in the game) on the desktop remains to be seen. One thing is for sure, innovation is always a good thing and Opera 10 beta sure has more than its fair share of innovation.

Want a Linux.com email address? It'll cost $99

By Sean Kerner   |    June 02, 2009

From the 'membership has its privileges' files:

If you've ever wanted your very own Linux.com email address (and didn't work for SourceForge/OSDN) - you too can now get one. All you need to do is join the Linux Foundation.

The Linux Foundation is set to formally announce a new individual membership program tomorrow that costs $99 and will include an @Linux.com email address. The Linux.com domain was acquired by the Linux Foundation in March and was re-launched in May.

Having an individual membership class is a far cry from how things were in the OSDL days (prior to the creation of the Linux Foundation). Then membership was a pricey affair often tipping $1 million or more.

The idea is that membership fees support the development of Linux since the Linux Foundation is the organization that employs Linus Torvalds. Membership also gives individuals a voice in the structure of the foundation.

"The collective results of thousands of individual contributions are what have paved the way for Linux. This membership class enables more people to have an impact on the operating system while enjoying benefits such as major discounts off of industry events," said Jim Zemlin, executive director at the Linux Foundation in a statement. "And, if you are tired of the e-mail roysmith3526@mail.com now is your chance to switch to roy@linux.com."

It's an interesting idea, but don't forget that participating in the Linux community isn't just about paying a membership fee. Not everyone can write code and not everyone can contribute documentation and not everyone can test code/applications -- though those are all needed contributions.

As for the email address, that is cool, but then again I'm already pretty lucky. My email address is @internet.com.

HP ProCurve puts wireless, PoE into wall outlets

By Sean Kerner   |    June 02, 2009

From the 'wires in the walls' files:

Some networking gear is smaller than others. HP ProCurve (NYSE:HPQ) is out this week with what I consider to be a really innovative new device.

The HP ProCurve MSM317 Access Device looks like just a basic Ethernet wall jack. We've all seen plenty of those (and I've installed more than my fair share over the years).

This one is a little different though.

This wall outlet integrates an 802.11b/g wireless access point and includes PoE (power over Ethernet) as well as a four-port wired Ethernet switch. The device/outlet is centrally managed by any HP ProCurve MultiService Mobility controller.

That's right - a Wi-Fi access point in the wall that is centrally managed. Sounds simple enough, but it has some profound implications for networking topologies.

You could use this device in place of other switching gear (since it's managed), taking up less space and less effort to manage. Instead of trying to cover an entire building with Wi-Fi coverage, just drop in one of these for every room. There is a clear use case for this in hotel type deployments (which is where HP ProCurve will be deploying this with Marriott).

This is one of those things that just makes you wonder why no-one thought about doing this before.

Apple patches QuickTime 7.6.2 for ZDI flaws

By Sean Kerner   |    June 02, 2009

From the 'pay for bugs' files:

Apple is out with QuickTime 7.6.2, patching at least 10 security issues, six of which were credited to TippingPoint's Zero Day Initiative (ZDI), which pays security researchers for their bug finds.

Among the critical issues patched by Apple is one discovered by noted security researcher Charlie Miller (who sold the vulnerability to ZDI). Miller has successfully hacked Macs and iPhones at PWN2OWN and Black Hat events in the past.

Miller reported an issue where the simple act of viewing a maliciously crafted image could lead to arbitrary code execution.

Many of the issues patched by Apple in the 7.6.2 update are related to heap buffer overflow conditions, which, when triggered, enable an attacker to execute code. The fix for Apple in most cases is to implement more bounds checking to ensure that overflows don't occur and that, when they do, code can't be arbitrarily executed.

Apple's QuickTime was patched earlier this year for seven different issues. Over the course of 2008, security researchers repeatedly found multiple vulnerabilities in QuickTime.

With so many of the flaws in this update being reported by way of a single reporting group, I think it clearly shows the value of the ZDI model. If you pay for security research, then results will follow. Had ZDI not paid for these flaws, I think there could have been more potential for these issues to have been legitimate zero day issues in the wild that put millions of users at risk. ZDI keeps the vulnerabilities private and doesn't release them, providing Apple and its users with what I consider to be an invaluable service.

Moblin v2 coming to Ubuntu

By Sean Kerner   |    June 01, 2009

From the 'they have an office in Taiwan?' files:

Computex, the big tech hardware show in Taiwan, takes off this week and there should be several Linux related items being shown off. Linux vendor Ubuntu actually has an office in Taipei (they're in the Taipei 101 building). Ubuntu will be showing the Moblin version of the Ubuntu Netbook Remix (UNR), based on the beta code from Intel.

What is interesting to me personally is the reminder that Moblin should not just be regular Linux for a different device. It looks different than your typical GNOME/KDE/Xfce Linux desktop and is optimized for the netbook experience. A netbook is not the same thing as a notebook -- it just doesn't have the same power. A netbook is supposed to be about easy/quick access to the net.

Check out the screen cap below (from Ubuntu) of the new Moblin based netbook edition. It sure doesn't look like the Jaunty release that I've got on my regular notebook desktop now.

ubuntu-moblin-remix-mzone_small.jpg

Ubuntu of course is not alone in supporting Moblin. Last week, I wrote about Linpus and their support for Moblin v2 (also for Computex).

The new capabilities that Clutter (new UI/graphics technology) provides make Moblin a really interesting opportunity on netbooks.

Ubuntu is also set to announce a version of its netbook remix for the Intel Classmate PC as well as some new efforts with SanDisk around solid state drives.

Ubuntu founder Mark Shuttleworth has publicly said (and told me in briefings too) that the netbook market is a key one for his distribution.

We know now that numerous Linux distros will support Moblin -- we don't know how Windows 7 for netbooks will actually compare - yet.  That said, the fact that multiple Linux distributions will be Moblin v2 compliant will mean an ecosystem of developers and vendors that could well mean an engine of innovation that will be difficult for Microsoft to compete against.

Cisco joins the DOW at GM's expense

By Sean Kerner   |    June 01, 2009

From the 'General Motors fallout' files:

With GM now in bankruptcy protection, it's getting the boot from the prestigious Dow Jones Industrial Average. In GM's place, the DOW is set to add Cisco (NASDAQ:CSCO) to the index.

Cisco could be added to the DOW as soon as June 8th (according to the Wall Street Journal). It is no surprise at this point that GM is in bankruptcy protection and similarly no surprise that a bankrupt company (though once one of the world's largest) is getting kicked off the DOW.

The addition of Cisco should also not really be seen as a big surprise. Cisco, with 65,000 plus employees and multiple tech divisions spanning consumer, enterprise and government networking and collaboration gear, is a stalwart of the US economy. It is, and has been for some time, a good leading indicator for buyer sentiment in technology.

Cisco CEO John Chambers was among the first tech leaders to point out that the current economic slowdown was global and would affect technology vendors like Cisco. The buying patterns that Cisco sees from government, enterprise and consumer customers give it a broad cross section of the economy and make it a decent benchmark for buyer sentiment in my view.

Cisco is also a company with some $30 billion or so of cash on hand, and despite the challenging economy, seems to be staying the course of sustainability for its business.

The addition of Cisco to the DOW also marks an interesting milestone for tech. Cisco is the first "pure" technology vendor to be added to the DOW since Microsoft (NASDAQ:MSFT) and Intel (NASDAQ:INTC) in 1999.

Though Cisco today is already among the most heavily traded stocks on the Nasdaq, I would expect that with its inclusion on the DOW it might receive just a bit more interest from an even broader base of analysts and investors.

The addition of Cisco to the DOW ultimately will not likely make any real difference to Cisco's technology initiatives. It does however give them even more prominence as a key element of one of the world's leading financial indicators.