RealTime IT News

Blog Archives

Red Hat plugs NULL Linux hole - a week late?

By Sean Kerner   |    August 25, 2009

From the 'How Long Does It Take Linux Vendors To Patch?' files:

On August 14th, I wrote about a Linux NULL security flaw affecting all Linux vendors. Linux founder Linus Torvalds had a patch for the kernel the same day, but how long did it take the big enterprise vendors?

You might be surprised. I know I was.

Red Hat, the leading enterprise Linux vendor, just issued a patch for the flaw yesterday (so if you're keeping score, that's 10 days). Novell was a little faster, issuing its update on August 20th (so only 6 days for them). The Ubuntu fix came on August 19th.

So what took Red Hat so long?

SCO wins Unix copyright appeal. Trouble for Linux?

By Sean Kerner   |    August 25, 2009

From the 'It's Not Over, Until It's Over' files:

Bankrupt Unix vendor SCO now has a new leg to stand on. A U.S. Federal Appeals court judge has overturned part of a 2007 ruling that gave ownership of the Unix copyrights to Novell. The appeals judge upheld the monetary portion of the 2007 judgment, which awarded Novell $3 million in royalties, but the issue of who owns Unix is now back on the table.

Shocking isn't it?

So after years of SCO arguing that they owned Unix, losing a 2007 judgment and going bankrupt, SCO now is back.

They now have the basis on which they can have another trial, and they now have the basis on which they could potentially move forward against IBM and Linux. To be sure, it's still a sliver of a basis, but no doubt SCO will do everything they can to make the most of it.

Later this morning, I'll be on a call for something I likely would have never guessed would happen. SCO is holding a conference call (remember those from years past?) to talk about what they are doing next.

This is not SCO the dead company that had been limping along. This is SCO renewed with the hope of legal victory thanks to an appeals court judge. Had this appeal been struck down, we finally could have nailed the SCO saga closed. Now it begins anew.

Will SCO win? Not likely, but the fact that it is going back to court, yet again, means that there is always a chance.  If SCO can find some big money backers to help foot its legal bills and ongoing operations, they could still drag this ordeal out deep into 2010 and beyond.

Personally I had thought that SCO was done in 2007. To see them still make news, and more importantly actually win an appeal, is astounding. I don't think that Linux users need worry much though; SCO in 2009 is a shell of its former self and doesn't have the ability to be the massive FUD-monger it was in 2005. Still, they do still exist and they do still represent risk.

I think a safe way to think of it is like being struck by lightning. Sure it can happen, but what are the odds?

RIM acquires WebKit vendor for mobile browsing

By Sean Kerner   |    August 24, 2009

From the 'Whither Mozilla?' files:

I'm calling this one early. WebKit is the winner of the mobile browsing war.

WebKit, the browsing engine behind Google Android (and Chrome) and Apple Safari (and the iPhone), is soon to be the browsing engine behind RIM Blackberry devices.

What's left for Mozilla (and Windows)? Probably more than a few devices, but RIM's endorsement of WebKit is a big deal. RIM is buying its way into WebKit with the acquisition of mobile browser vendor Torch Mobile. Financial terms of the deal have not yet been publicly disclosed.

"Torch Mobile's team of highly skilled developers has been actively involved in Open Source development and includes contributors, committers and reviewers of the WebKit project," Torch Mobile said on its website. "As part of RIM, these developers will continue to be active participants in the WebKit development community."

What I'd expect to see from RIM is a new browser for Blackberry devices, sooner rather than later. My early (safe) guess is that this new browser will be based on WebKit, and that it will offer the performance and features that other WebKit-based browsers offer users.

Apple has set a standard for mobile browser performance with Safari on the iPhone. It's one that, I think, other mobile handset vendors are keen to replicate.

Red Hat HornetQ debuts for open source messaging

By Sean Kerner   |    August 24, 2009

From the 'What's All The Buzz About?' files:

Red Hat (NYSE:RHT) today officially launched a new open source messaging system called HornetQ. The new effort has its roots in the JBoss Messaging platform, which has been around since at least 2006.

In a blog post, Red Hat developer Tim Fox wrote that "HornetQ is an open source project to build a multi-protocol, embeddable, high performance, clustered, asynchronous messaging system. HornetQ is an example of Message Oriented Middleware (MoM)."

That's right, messaging for middleware is now MoM. I expect we'll see that acronym more over the course of what is left of 2009.

HornetQ is being licensed under the Apache Public License, which is somewhat of a departure for Red Hat and JBoss.

For years, Red Hat and JBoss have told me (and everyone else) that they are firm backers of the GPL, which is the license under which most JBoss products are licensed. Back in 2007, Red Hat and IBM argued over who was more open, based on the fact that IBM was using the Apache license while Red Hat was using GPL.

I wonder if HornetQ marks a new trend for Red Hat. Or perhaps, it's just a very clever ploy to get HornetQ used by IBM Websphere users.

The other interesting part of this is the name. Red Hat could have easily called this technology JBoss Messaging 2.0.

"We decided to rename it and separate it as an independent project since it differs in many ways from JBoss Messaging 1.x and we did not want to confuse the two, quite different, systems," Red Hat stated in the HornetQ blog. "The vast majority of the code base of HornetQ is different to the code base of JBoss Messaging 1.x.

So, what happens with JBoss Messaging now? JBoss Messaging 1.x continues to be known under the name of JBoss Messaging and the project is now in maintenance mode only, with all new messaging development happening on the HornetQ project."

So, we've got a new/old project using a license that JBoss traditionally has not used (much) before. In my view this is an interesting strategy by Red Hat to create buzz (sorry, couldn't avoid the pun), and time will tell if that translates into usage and $$ for Red Hat.

How Facebook CSRF attack was discovered

By Sean Kerner   |    August 24, 2009

From the 'Eureka!' files:

One of the things that always interests me about security disclosures is how the researcher actually found a particular vulnerability. Sometimes, security researchers are actively looking for flaws, other times the flaws are found by accident.

In the recent case of a Facebook Cross-Site Request Forgery (CSRF) attack, the researcher wasn't actively looking for the flaw.

Security Researcher Ronen Zilberman reported the flaw to Facebook in early August and it was officially patched last week. In an email to InternetNews.com Zilberman explained how he found the flaw in the first place.

"I was working on a Facebook application for a client and when I read the documentation the potential vulnerability hit me (I used to work as a security consultant, so I guess this way of thinking is now automatic)," Zilberman said. "However, it took a while to think of 'upgrading' the attack to use images and 3rd party sites."

That's astounding, isn't it? Yet it really should be the norm.

Security shouldn't be an afterthought, it should be top of mind when developing applications from beginning to end. It is with that type of mindset that more flaws can be caught sooner, at Facebook or anywhere else.

The other interesting tidbit of information that Zilberman shared with me is the fact that his CSRF attack would not have been blocked by any anti-virus software. He explained that the flaw is not a browser issue, and for that reason the attack works on all browsers. He added that there is nothing wrong, or even suspicious, about a redirect response to an HTTP image request.

"As I wrote in the aftermath, while the attack makes use of a specific flaw that was patched, the entire setup is valid HTTP behavior and acceptable behavior from Facebook (if a bit lenient)," Zilberman said. "This is what makes the attack in its entirety, in my mind, surprising and powerful."

Anti-virus technology would not detect the rogue image because the image and the image request process is completely legit.

Zilberman also hinted in his disclosure that other sites could be vulnerable to the same technique and possibly that Facebook itself could have other such issues.

"I haven't found (or looked for) any others, I am more interested in the technique itself," Zilberman said. "I stated that I speculate that this setup could be used elsewhere."

From my point of view, I think it will be interesting to see how many other sites are in fact vulnerable to the same setup. I suspect that Zilberman's speculation is not all that far-fetched.

Adobe updates open source Flex for XSS security issue

By Sean Kerner   |    August 21, 2009

From the 'Busy Times For Adobe Security' files:

Another day, another Adobe security update.

US-CERT warned this morning that there is a security flaw in Adobe's Flex 3.3 SDK and earlier versions.

"This vulnerability may allow an attacker to conduct a cross-site scripting attack," US-CERT warned.

Adobe has a fix available now in the Flex 3.4 SDK, which also includes the latest version of the Flash Player. Adobe updated Flash at the end of July for a critical security issue.

The actual flaw fixed by Adobe is a Cross-Site Scripting (XSS) attack within something known as the Flex SDK express-install templates. Adobe credited Adam Bixby of Gotham Digital Science with discovering and reporting the flaw.

"An instance of a DOM-based Cross Site Scripting (XSS) vulnerability was found in the default index.template.html file of the SDK which is a template used by FlexBuilder to generate the wrapper html for all application files in your project," Bixby wrote in his advisory. "The XSS vulnerability appears to affect all users that download and utilize this html wrapper."

Flex is Adobe's open source framework for building RIA web applications. The flaw does not affect Adobe's under-development Flex 4 SDK which is still in beta.

"This fix does not apply to Flex 4 projects, as they use the SWFObject templates by default," Adobe wrote in its advisory.

Google Chrome gets 64-bit version, but only for Linux

By Sean Kerner   |    August 21, 2009

From the '32-bit Still Rules' files:

A 64-bit version of the Google Chrome browser is now ready, but Windows users will still have some time to wait for their version.

In a mailing list posting this week, Chrome developer Dean McNamee wrote that the Google v8 JavaScript team has been working on a 64-bit port. There are now full instructions on the Google Code wiki for Chromium on how to build Chrome for 64-bit Linux.

Additionally there is now a native 64-bit (amd64) build available to Ubuntu users, by way of an Ubuntu Launchpad PPA (Personal Package Archive).

This is good news for 64-bit Linux users.

It could also signal a potential direction for Chrome OS as an operating system that will be 64-bit capable out of the box. Though, I'm not sure that 64-bit is a major issue for Chrome OS, since the way I understand it, it's initially targeting netbooks, which are not known for their 64-bit processors.

What about Windows?

KDE set to be default for openSUSE 11.2

By Sean Kerner   |    August 20, 2009

From the 'It's About Time?!' files:

Many Linux distributions offer their users a number of choices for their desktop GUI, with the default often being GNOME. For years, KDE has been the most selected choice by openSUSE users and now it's going to be the default for the next release, openSUSE 11.2.

This is fantastic news for fans of KDE.

For better or for worse, there are many new users that will simply choose to go with the default settings, so KDE has perhaps not been given a fair shake. KDE has long been backed strongly by SUSE; long before Novell bought them out, KDE was led by SUSE contributions. When Ximian and its people (including the founders of the GNOME project itself) were brought into Novell, many people (myself included) speculated on the future of KDE at SUSE.

By making KDE default, openSUSE devs were keen to point out that they are not neglecting GNOME.

IE most secure? Maybe, then again maybe not

By Sean Kerner   |    August 20, 2009


From the 'Read The Fine Print' files:

A new Microsoft-sponsored study from NSS Labs is out with a finding that IE 8 is the most secure browser when it comes to catching socially engineered malware. The study, however, did not look at the security of the browser itself or of related plug-ins (like Flash).

What is socially engineered malware?

According to the NSS report, they defined a socially engineered malware URL as "a web page link that directly leads to a 'download' that delivers a malicious payload whose content type would lead to execution."

So for that type of scenario, NSS reported that IE 8 caught 81 percent of all threats. In contrast, Firefox 3 (they did their test prior to the final Firefox 3.5 release) only caught 27 percent while Google Chrome 2 caught 7 percent.

The interesting part of the Firefox 3 to Chrome 2 comparison, in my opinion, is the fact that both Firefox and Chrome use Google's SafeBrowsing API.  Firefox has been using Google's API since the Firefox 2 release. In 2006, a Mozilla-sponsored study found that Firefox 2 was superior at catching phishing sites. Another 2006 study, sponsored by Microsoft found that IE 7 had the best anti-phishing filter.

So what's my point?

From the Moon to the Earth at 100 Mbps

By Sean Kerner   |    August 20, 2009


From the 'Better Than Sci-Fi' Files:

NASA now has technology in place, for data transfer from the Earth to the Moon at an astounding 100 Mbps.

That's right, NASA has more bandwidth on the (literally) long haul between the Moon and the Earth than most Americans have between their ISPs and their homes.

NASA has deployed a new type of transmitter on its Lunar Reconnaissance Orbiter (LRO) which is now orbiting the Moon. In an article on NASA.gov this week, NASA explained how the new technology works.

The 100 Mbps transmission is delivered from the Moon-orbiting LRO by way of a 12-inch tube called the Traveling Wave Tube Amplifier. NASA explained that the device uses electrodes in a vacuum tube to amplify microwave signals to high power. NASA noted that the LRO is able to transmit a whopping 461 gigabytes of data per day.

Adobe ColdFusion, JRun get hotfixes

By Sean Kerner   |    August 20, 2009

From the 'Macromedia apps' files:

Adobe is out this week with a fix for its ColdFusion and JRun technologies. In total, the two technologies were at risk from at least 7 different vulnerabilities.

US-CERT issued a warning on the vulnerabilities earlier this week.

"These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, or operate with escalated privileges," US-CERT warned.

Both ColdFusion and JRun are application servers. ColdFusion has its own file types while JRun is a Java application server.

The ColdFusion updates include two cross-site scripting vulnerabilities that could potentially lead to arbitrary code execution (CVE-2009-1872 and CVE-2009-1877).

On the less serious, but still important, list of bug fixes is an update for ColdFusion that fixes a double-encoded null character vulnerability that could potentially lead to information disclosure (CVE-2009-1876). There is also a fix for a potential privilege escalation issue (CVE-2009-1878) that is the result of a session fixation vulnerability.

The JRun updates include what Adobe's advisory refers to as "multiple management console cross-site scripting vulnerabilities that could potentially lead to code execution (CVE-2009-1874)." There is also an update for a management console directory traversal vulnerability (CVE-2009-1873).

ColdFusion is an application server originally developed by a vendor called Allaire, then acquired by Macromedia in 2001 for $360 million. Macromedia in turn was acquired by Adobe in 2005. Adobe has since updated ColdFusion to work well with Adobe's AIR and Flex technologies. JRun is a Java EE app server that also came to Adobe by way of the Macromedia acquisition.

The JRun and ColdFusion updates come just a month after Adobe was hit by a pair of critical issues in its Flash and PDF technologies. At least one researcher has claimed that Adobe isn't moving fast enough to update users of Flash and PDF.

When it comes to ColdFusion and JRun the attack surface is somewhat smaller in my view. Instead of tens of millions of home users that need to update Flash, there are likely at best tens of thousands (or just thousands) of users that may need to update ColdFusion and JRun.

Google Chrome 4.0.202.0 updates for A/V and Bing

By Sean Kerner   |    August 20, 2009

From the 'Second Update This Week' files:

Users of Google Chrome dev-channel edition are used to weekly updates. This week, users have now received two updates, the first including new syncing tech marking the debut of the 4.x series and now a second update with version 4.0.202.0.

The 4.0.202.0 update includes fixes for at least 12 HTML 5 video and audio tag issues.

There is also a fix for a bug that causes issues when trying to import bookmarks from Firefox 3.1 (beta) and 3.5 browsers.

On the strange-but-true side of things, there is a fix for a bug to change the search entry for Microsoft's Live Search to Microsoft's new Bing service.

"Changes Live Search to Bing for en_US only," Google's revision notes. "A full worldwide review is in progress and we'll pick up the other countries eventually."

So yes, Google Chrome is trying to play nice with other search services, even Bing.

Red Hat 'pleased' to be top Linux contributor

By Sean Kerner   |    August 19, 2009


From the 'Modest Market Leader' files:

Linux vendor Red Hat (NYSE:RHT) was named in a study today by the Linux Foundation as being the top Linux kernel contribution company.

Red Hat had 12 percent of all change contributions, led by their key kernel contributors Ingo Molnar and David S. Miller. I reached out to Red Hat to get their take on their status, and they were somewhat humble in their position as the leaders in Linux.

"We are always pleased with these numbers, and given the large scale of resources we put into making Linux enterprise-ready, the numbers are not too surprising,"  Nick Carr, Red Hat marketing director wrote in an email to me. "We track activity numbers internally on an occasional basis, and know that Red Hat has been the leading contributor to the Linux kernel for many years."

Though Red Hat has been the leading contributor for years, as it turns out, being the leader is not a conscious status that Red Hat is chasing.

Linux vendor revenue $1 billion by 2012? Or is it $49 billion+ ?

By Sean Kerner   |    August 18, 2009

From the 'More Fun With Stats' files:

IDC is out with a new report (here's the abstract link), forecasting Linux revenue from 2009-2013. I don't have the full report (if you work for IDC can you help me out?) but at least one Linux vendor has already posted on some of the detailed information.

According to a post on the data from Novell CMO John Dragoon, in 2008 the Linux vendor community saw 23.4 percent growth in revenue.

"While Red Hat continues to have the largest share, Novell had a particularly good 2008 growing total Linux operating system revenue by 50.3% from 2007 to 2008 while growing overall market share over five points to 29.8 percent in 2008."

That's good for Novell (and the overall Linux market). The part of the data that I find really surprising is the fact that Dragoon notes that, according to IDC's forecast, Linux operating system revenue will exceed $1 billion in 2012 and continue to grow to $1.2 billion in 2013.

IDC is in the habit of forecasting big numbers for Linux. Let's take a trip down memory lane shall we?

In 2007, IDC analyst Al Gillen (the same guy that wrote the current report), forecast that the Linux ecosystem would be worth $40 billion by 2010. In 2008, IDC forecast the Linux ecosystem to be worth $49 billion by 2011.

All seems just a bit confusing, doesn't it?

Google Chrome 4 debuts with bookmark sync

By Sean Kerner   |    August 18, 2009


From the 'Zero to Four Versions in a Year' files:

Google is now out with Chrome 4.0.201.1, introducing browser bookmark syncing, kinda/sorta.

No that's not a typo in the version number either. This is Google Chrome 4, in its dev-channel release format. So for those of you keeping score at home, Google has gone from a pre 1.0 release of Chrome in September of 2008, to Chrome version 4 in less than a year.

I'm not sure if this is a race by Google to try and be at Google Chrome version 9 before Microsoft releases IE 9, but it sure seems that way to me.

Enough about the numbering scheme, Chrome 4 marks the debut of Google's bookmark synchronization feature, albeit in a very limited way. Simply clicking your Chrome app shortcut (on Windows) to start Chrome 4 will not give you a version of Chrome 4 that will actually start with the bookmark synchronization feature (that would be too easy). Instead, users must start Chrome at the command line, with the flag --enable-sync to get the sync option.

The actual synchronization capability at this early stage isn't particularly impressive. In my own limited test on a Windows XP SP3 test box (sync isn't available on Linux versions yet, as far as I could tell), the sync actually failed to sync up my bookmarks.

Heartland breach indictment is heartwarming for 130 million people

By Sean Kerner   |    August 18, 2009

From the 'Do Not Pass Go, Do Not Collect $200' files:

How does one man in Florida (along with two co-conspirators in Russia) steal 130 million credit card numbers?

It all starts with a trojan and a SQL injection attack that creates a back-door.  Yes there are problems with technology security. In my view though, there is a more important message to the story.

The fact that one man could be the ringleader for such massive fraud is staggering, but the fact that the U.S. Justice system and law enforcement found and caught the perpetrator is a key point. The key message is that cyber-criminals can and will be brought to justice, and the Internet isn't a place to hide.

"In a two-count indictment alleging conspiracy and conspiracy to engage in wire fraud, Gonzalez, AKA 'segvec,' 'soupnazi' and 'j4guar17,' is charged, along with two unnamed co-conspirators, with using a sophisticated hacking technique called an 'SQL injection attack,' which seeks to exploit computer networks by finding a way around the network's firewall to steal credit and debit card information," the U.S. Justice Department said in a statement.

Gonzalez hacked Heartland Payment Systems; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain. The Justice Department calls the indictment the largest alleged credit and debit card data breach ever charged in the United States.

Tr.im going open source

By Sean Kerner   |    August 17, 2009

From the 'If You Can't Beat Them Go Open Source' files:

URL shortening service tr.im is going open source. That's right - after a week in which they first were planning to go kaput, then got resurrected - this week Eric Woodward, the guy behind tr.im, is planning to set it all free.

It's a stroke of pure genius.

The plan is for the code to be licensed under the MIT open source license and the tr.im name and its associated URLs are being donated to the community.  The plan is for all this to happen by September 15th.

"It is our hope that tr.im, being an excellent URL shortener in its own right, can now begin to stand in contrast to the closed twitter/bit.ly walled garden: it will become a completely open solution owned and operated by the community for the benefit of the entire community," Woodward blogged.

Woodward has also pledged to bankroll the tech infrastructure behind tr.im so that existing services will be maintained.

For whatever reason, Woodward has not been able to monetize tr.im. With the source code behind tr.im now open source, I would not be surprised if a service organization builds a tr.im-based service and charges for service and support.

In fact, with tr.im free and open, I would not be surprised if it became the basis for a dozen or more new services come September or October of this year.

Woodward could have just let tr.im die.

He didn't.

Instead he decided to set it free. Time will prove whether or not this is a stroke of genius (as I think) or just another guy throwing code over the wall to see what will happen.

Mozilla pushing Firefox 3 users to move to Firefox 3.5

By Sean Kerner   |    August 17, 2009

From the 'you should have updated weeks ago, slacker!' files:

Mozilla is now formally encouraging its Firefox 3.0.x users to migrate to Firefox 3.5 by way of an update notification. I personally upgraded when Firefox 3.5 came out 6 weeks ago, but there are always lots of people that, for whatever reason, don't upgrade right away.

One very good reason not to update right away is the fact that there are always some incremental updates after an initial release. In the case of Firefox 3.5, Mozilla has actually issued two updates and is now at version 3.5.2.

Another reason why some choose not to update is because their favorite extension/add-on doesn't work right away. In my own personal case, I use the Sage RSS add-on, and it wasn't officially available for Firefox 3.5 six weeks ago. But that didn't stop me from using it.

The trick for me in the case of the incompatible Sage add-on (which now has actually been updated to be compatible) was to change one line of code in the description of the add-on which sets the max version for the add-on.

Firefox 3.0.x is still going to be supported until the end of the year, so it's not a major rush, but upgrading is the right thing to do in my opinion. Firefox 3.5 is a superior browser to Firefox 3.0.x in many ways. There are always add-ons that lag behind, but that's not Mozilla's fault, though they do have a solution for the problem.

With the new Jetpack add-on technology, add-on incompatibility from version to version will likely cease to be a problem.

Torvalds bashes vendor-sec private Linux security list

By Sean Kerner   |    August 17, 2009

From the 'rare praise' files:

Last week, Linux was tagged with a local NULL pointer flaw that could have led to a privilege escalation issue. Linux founder Linus Torvalds pushed a patch upstream quickly, and that patch is now in the Linux 2.6.31-rc6 milestone.

Torvalds notes in the 2.6.31-rc6 release notes that the issue wasn't as bad as it could have been, and that he would likely have delayed the fix were it not for the fact that a private list (vendor-sec) apparently wasn't private after all.

"There's the NULL pointer fix that was already talked up on Slashdot, but quite frankly, assuming we got all the 'you can't map things at zero' issues fixed from the last scare, that one hopefully wasn't quite as bad as it could have been," Torvalds wrote. "What was perhaps an interesting (if trivial) detail is that if it hadn't been for vendor-sec apparently leaking like a sieve, we'd have delayed the fix until the next -rc due to trying to be polite to vendors."

Torvalds has never really been a fan of the vendor-sec list. Vendor-sec is supposed to be a vendor-only list that is not publicly available. It's supposed to ensure that vendors will have the time they need to make fixes.

Back in 2005, Torvalds criticized vendor-sec, arguing that delayed disclosure, as is currently done by the vendor-sec list, is broken. He said he strongly believes that users should get updates before a disclosure is made.

"I think kernel bugs should be fixed as soon as humanly possible, and any delay is basically just about making excuses," Torvalds said in 2005. "And that means that as many people as possible should know about the problem as early as possible, because any closed list (or even just anybody sending a message to me personally) just increases the risk of the thing getting lost and delayed for the wrong reasons."

I completely agree. Openness and transparency are the key to true security. However, I do also understand how this can put vendors and users at risk, since patches aren't going to be coordinated. It's a tough call and a very delicate balance that needs to be achieved.

Happy sweet 16 Debian - where now?

By Sean Kerner   |    August 17, 2009

From the 'Birthday' files:

The Debian Linux distribution celebrates its 16th anniversary this week (its official birthday is August 16, 1993). It sure has been an interesting ride.

When Debian turned 15 last year, I asked if they were still relevant. It's a question that can still be asked now. Debian in some ways is arguably more relevant today, thanks to Ubuntu.

Ubuntu grabs the lion's share of media hype thanks to its charismatic founder, tight release schedule, easy installation for noobs and snappy release names. Yet time and again, Ubuntu developers and spokespersons from founder Mark Shuttleworth on down sing Debian's praises as the shoulder on which Ubuntu continues to be built.

What of Debian's founder?

His future is less clear, in my opinion. After founding Debian in 1993 and being a champion of Linux for over a decade, Ian Murdock's last few years have been spent building Sun's OpenSolaris.

With Sun now entering its sunset period as Oracle rises, will Murdock remain at Oracle? Will he remain a champion of OpenSolaris, or will he return to the Linux fold?

I don't know the answer. I suspect that he has many choices and opportunities, including staying the course with Oracle to see what happens.

Debian itself is getting (arguably) better at putting out releases on a more regular basis. It's something that the Debian project has been trying to do since the Sarge release.  The future for Debian, in my view, is one where the current path of wide architecture support and massive repositories will continue and expand. There will continue to be debate about the Debian Social Contract that guides the inclusion of various software, but that's part of the Debian tradition at this point too.

So Happy 16th Debian. It's no small feat to continue a free operating system used by millions for so long.

China's Green Dam doesn't matter - they have the Great Wall

By Sean Kerner   |    August 14, 2009

From the 'network admins know all' files:

China's Green Dam content filtering software may not necessarily go into all new PCs sold in China after all. Chinese news service Xinhua reported Thursday that China's Minister of Industry and Information Technology, Li Yizhong, said that installation of Green Dam will be up to users and will not be mandatory.

Personally I don't think it matters. The Government of China still has other avenues available to block content.

Desktop PC-based filtering can always be circumvented by users. The Chinese Government, if it wanted to, could easily block whatever it finds objectionable at the main network access points and GigaPOPs that provide access to the Chinese population.

So even if a user didn't have Green Dam, the Great Firewall of China could still block access to the outside world. Remember, the Chinese government did cause some concern around the time of the Olympics last year with Internet censorship - and that was with users that didn't have Green Dam.

The network, and more specifically network gateways, are the real choke point for Internet control and censorship, in my opinion.

Novell cuts openSUSE Linux support to 18 months

By Sean Kerner   |    August 14, 2009

opensuse.small.jpg
From the 'interesting to note' files:

The issue of how long a Linux distribution will support a release is one that tends to go back and forth. Novell's openSUSE Linux is now revising its policy.

Starting with openSUSE 11.2, maintenance support will last approximately 18 months, a reduction of 6 months from what openSUSE 11.1 and prior releases offered users.

"OpenSUSE will shorten the maintenance period to 2 versions plus 2 months which translates with the current release cycle of 8 months to 18 months instead of 24 months we had with openSUSE 11.1 and previous releases," Michael Loffler, Product Management at SUSE, wrote in a mailing list posting. "With that we now can guarantee an overlap time from a maintenance perspective which gives enough time to update machines to newer versions."

OpenSUSE 11.2 is codenamed 'Fichte' and is set for release later this year.

On the maintenance side of things, the new openSUSE policy is actually closer to what its competitors, Fedora and Ubuntu, offer their community users.

The current Fedora policy is that a release lives only until one month after the N+2 release (two releases later) is out. So if my math is correct, openSUSE gives one month extra, though that depends on how long the actual release cycle is, which can vary a bit. Ubuntu also has approximately 18 months of support for its releases.

Linux at risk from NULL security flaw

By Sean Kerner   |    August 14, 2009

tux.jpg
From the 'this is not a drill' files:

Linux users take note: we're all at risk from a kernel privilege escalation flaw. No, it's not the end of the world; it won't lead to massive remote exploits and every Linux server being pwned. But it is something to be concerned about.

The flaw is a NULL pointer error that exists in all versions of the Linux kernel released since 2001. No that's not a typo.

This is a flaw that has potentially been in Linux for eight years and has somehow escaped the 'many eyes' that are supposed to find security flaws in open source. It has also somehow escaped the static analysis that is performed on the Linux kernel and is supposed to catch exactly this kind of NULL pointer flaw.

"Tavis Ormandy and myself have recently found and investigated a Linux kernel vulnerability," security researcher Julien Tinnes wrote in his advisory. "It affects all 2.4 and 2.6 kernels since 2001 on all architectures. We believe this is the public vulnerability affecting the greatest number of kernel versions."

Linux founder Linus Torvalds committed a patch to the Linux kernel late Thursday that mitigates the issue, which is good. But since it takes time for such a patch to propagate into the kernel builds used by the Linux distributions, there is cause for concern.
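To make the class of bug concrete, here is an added example in C. It is not the Linux kernel's code and not from the advisory; the names (struct sock_ops, sendpage, partial_ops and friends) are hypothetical. Kernel subsystems hand out tables of function pointers, and if one table leaves an optional slot NULL while a call site dereferences it unconditionally, the CPU jumps to address 0. In user space that is a crash; in the kernel, a local user who can map a page at address 0 (the vm.mmap_min_addr sysctl exists to forbid that) gets their own code run with kernel privileges. The block shows the unchecked dispatch, a check at the call site, and the registration-time fix of filling missing slots with a safe stub so that no caller can ever reach a NULL pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration of the NULL-function-pointer bug class. Not kernel code:
 * every name here is hypothetical. */

struct sock_ops {
    int (*read)(const char *buf, size_t len);
    int (*sendpage)(const char *buf, size_t len);   /* optional: may be NULL */
};

static int plain_read(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

static int plain_sendpage(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

/* A protocol that implemented read but never filled in sendpage. */
static const struct sock_ops partial_ops = { .read = plain_read, .sendpage = NULL };
/* A protocol that implemented everything. */
static const struct sock_ops full_ops = { .read = plain_read, .sendpage = plain_sendpage };

/* Vulnerable dispatcher: trusts the table and calls through a NULL slot.
 * Calling this with partial_ops jumps to address 0. */
static int sendpage_unchecked(const struct sock_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Fix 1, at the call site: refuse when the operation is absent. */
static int sendpage_checked(const struct sock_ops *ops, const char *buf, size_t len)
{
    if (ops == NULL || ops->sendpage == NULL)
        return -EOPNOTSUPP;
    return ops->sendpage(buf, len);
}

/* Fix 2, at registration: fill every optional slot with a safe stub so even a
 * call site that forgot to check can never dereference NULL. */
static int no_sendpage(const char *buf, size_t len)
{
    (void)buf;
    (void)len;
    return -EOPNOTSUPP;
}

static void fill_missing_ops(struct sock_ops *ops)
{
    if (ops->sendpage == NULL)
        ops->sendpage = no_sendpage;
}

/* Audit helper: how many slots in a table are still NULL. Run this over every
 * table before it is registered. */
static int count_null_ops(const struct sock_ops *ops)
{
    int n = 0;
    if (ops->read == NULL)
        n++;
    if (ops->sendpage == NULL)
        n++;
    return n;
}

/* Copy partial_ops, apply fix 2, then drive the unchecked dispatcher through
 * the result: the call that would have crashed now returns -EOPNOTSUPP. */
static int demo_registration_fix(void)
{
    struct sock_ops ops = partial_ops;
    fill_missing_ops(&ops);
    if (count_null_ops(&ops) != 0)
        return -1;
    return sendpage_unchecked(&ops, "payload", 7);
}

int main(void)
{
    printf("partial_ops has %d NULL slot(s)\n", count_null_ops(&partial_ops));
    printf("checked dispatch on partial_ops -> %d\n",
           sendpage_checked(&partial_ops, "payload", 7));
    printf("checked dispatch on full_ops -> %d\n",
           sendpage_checked(&full_ops, "payload", 7));
    printf("unchecked dispatch after fill_missing_ops -> %d\n",
           demo_registration_fix());
    /* sendpage_unchecked(&partial_ops, "payload", 7) would crash here. */
    return 0;
}
```

Both fixes are worth having: the call-site check protects one caller, the registration-time fill protects every caller, including ones added later. The practical check on a running system is whether unprivileged users may map page zero at all; with the mapping forbidden, a NULL dereference in the kernel is a crash rather than code execution.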

Twitter developing Retweet API

By Sean Kerner   |    August 13, 2009

twitter.jpg
From the 'Retweeting is the highest form of Twitter flattery' files:

I retweet my fair share of tweets on a regular basis. Usually it's a simple "RT @username Something interesting" kind of tweet. But soon, Twitter is going to have new built-in retweeting powers, thanks to an API that is currently under development.

The basic idea is to provide a more connected and integrated approach for retweeting.

"We are still sketching out exactly how this feature and its API counterpart works," Twitter's Biz Stone blogged. "Sharing our thoughts before launching means developers will have the opportunity to prepare their applications. In a few weeks or so we'll launch the feature on our web site and because app developers had a chance to prepare, it should become available across most of the Twitter ecosystem about the same time. This way, we can all enjoy retweeting - however we choose to access Twitter."

In his blog post, Stone provides a basic usage scenario for the new retweet capability. The way I understand it is, say you follow me (I'm @TechJournalist) and I retweet something really cool from one of my colleagues at InternetNews.com (@internetnews). With the new retweet, you'd see the post from internetnews show up in your timeline - even if you don't follow internetnews.

This could be confusing in some respects - but it could also be a major new way for people to build followers and to connect people together. 

One measure that I've seen PR people use for Twitter effectiveness is how much a post is retweeted. It is certainly a measure of influence too. If you add in links and track clickthroughs, no doubt the number of clicks will increase with the number of retweets as well.

With an API hook into that type of data and new capabilities, retweeting could truly become the most powerful thing one user can do for another tweet on Twitter.

Microsoft Word patent issue not a problem for Open Source

By Sean Kerner   |    August 13, 2009

i4i.png
From the "What Did You Know and When Did you Know It?' files:

The i4i XML patent issue that could take Microsoft Word from store shelves isn't a big problem for open source users, in my opinion, for a very simple reason.

As far as I can tell, i4i is not a patent troll. That is, they are a vendor that developed a technology and used it in their own products, which were being sold. Microsoft was aware of them and the two even had some kind of partnership, which ended when Word 2003 was released with the XML features.

Whether an open source vendor somehow uses the same technology or not isn't likely an issue, in my opinion, since this patent case is specifically targeted against a vendor with whom the patent holder had some kind of relationship.

The other issue here is the fact that the invention, as named by i4i, is now known. So if there is a potential infringement issue, an open source project can try to code around it. The same thing is being done now to try to get around Microsoft's FAT patents.

Microsoft, in my opinion, doesn't quite have that same luxury, since they've been aware of this issue for several years. I suspect that, much as they did with Eolas years ago, Microsoft will end up paying something and making some adjustments too.

Open source users likely have nothing to worry about, but I do hope that project owners are evaluating their own code to ensure that they aren't now knowingly infringing on someone else's patent.

Dept of Energy gets $62 million for 100 gig Ethernet

By Sean Kerner   |    August 13, 2009

berkely_small.gif
From the 'Fast Ethernet Getting Faster' files:

The U.S. Department of Energy (DoE) is getting $62 million in U.S. government stimulus funding to build out a 100 GbE (gigabit Ethernet) network. The network will be developed and used by ESnet (Energy Sciences Network) at the DoE's Lawrence Berkeley National Laboratory.

The goal is to provide a 100 GbE transport between DoE supercomputing centers in California, Illinois and Tennessee.

"ESnet has always been a service organization," said Steve Cotter, ESnet Department Head at Berkeley Lab, in a statement. "We exist to enable DOE scientists to do great work at the cutting edge, and to increase the scientific capabilities of the United States. The deployment of a next-generation 100 Gbps network will ensure that we continue to provide state-of-the-art services to our constituents and continue to enable scientific discovery."

The fastest Ethernet connections currently deployed are at 10 GbE, so a move to 100 GbE represents a tenfold bandwidth increase. The actual 100 GbE standard is not yet ratified, but networking vendors including Juniper, Cisco, Alcatel-Lucent and Ciena all have equipment testing underway and in some cases have announced products as well.

Back in November of 2008, ESnet was part of a group backing a 100 GbE deployment for the Internet2 research network. In that effort, networking vendors Juniper, Infinera and Level 3 were working together. ESnet has not named any specific networking vendors as part of this new $62 million deployment. I personally would expect some of the same names involved in the Internet2 effort to be involved in this one.

Apple patches Mac OS X for BIND DNS - 2 weeks late!?

By Sean Kerner   |    August 13, 2009

apple_new_macs_200x180.jpg
From the 'What's Going On?' files:

Apple is updating its Mac OS X for a BIND DNS issue that was patched by other vendors two weeks ago.

The issue is a critical vulnerability in the BIND 9 DNS server that can be used to cause a denial of service (DoS). US-CERT issued a warning on it, and it was reported to be exploited in the wild.

The ISC - the group that leads development of BIND - had a patch out on July 29th, so to my naked eye that means Mac OS X Server users have been at risk for two weeks.

Not only at risk, but at risk from a known flaw for which exploit code exists in the wild. Not only did exploit code exist, but so did a patch - just not for Mac OS X.

Is it the ISC's fault? I don't think so. They put out the source code and enable anyone to repackage a binary that works on their operating system.

Apple in my opinion was just a bit slow in this case.

Mozilla Firefox Test Pilot takes off

By Sean Kerner   |    August 12, 2009

testpilot.png

From the 'Yo Quiero Mozilla' files:

Eight months ago, Mozilla announced a new effort called Test Pilot to help get user feedback. Today Mozilla is making that effort available with the Test Pilot add-on for Firefox.

The basic idea is that the add-on will make users part of the Test Pilot community where Mozilla will give users various tests. The whole effort is supposed to sanitize any personal information to protect individual user privacy.

"As a Test Pilot, you will not only be able to try out the newest features and user interface ideas before anyone else, but also see and learn how those results may contribute back to the product design," Mozilla states in a blog post.

It's an interesting idea and one that I suspect will have good traction for Mozilla. After all, Mozilla's products are all opt-in (on Windows at least). 

Then again, I don't see Mozilla as having had difficulty getting people to try out new things in the past. Think of the recent Firefox 3.5 release: the beta releases (arguably a type of test) were widely used by tens of thousands of users.

The way I see Test Pilot is as a way to get even more feedback, for a number of different things, ranging from new features to usage behavior.

Wordpress fixes password reset security flaw

By Sean Kerner   |    August 12, 2009

wordpresslogo.jpg
From the 'scary security flaws' files:

Imagine this scenario. An attacker visits your blog, passes an array as a parameter in the URL and PRESTO, your admin password is automatically reset, locking the real admin out of their own site.

A vulnerability fixed by the open source Wordpress blog software today isn't quite that scary, but it's close.

"Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset," Wordpress states in an advisory. "As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn't allow remote access, but it is very annoying."

Wordpress has a free online hosted blogging service where the site software is updated automatically. Then there are the thousands of users who have installed Wordpress on their own sites; those are the ones that need to update on their own, and soon.

Apple Safari 4.0.3. Is it a 'haphazard' security update?

By Sean Kerner   |    August 12, 2009

safari.jpg
From the 'heckling in the cheap seats' files:

Apple is updating its Safari web browser on both the Mac and Windows platforms to version 4.0.3. The new release fixes at least six security issues that could expose users to risk.

The Safari 4.0.3 update follows the Mac OS X 10.5.8 update by a week, which has caused one security analyst to describe Apple's software update process as occurring "...at a haphazard pace."

"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Andrew Storms, director of security operations for nCircle, said in an e-mail sent to InternetNews.com. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."

I personally disagree with Storms' comments. As a Linux user myself, I'm used to getting updates when updates are needed and available, not on some arbitrary monthly schedule. Certainly the Safari browser is an integral part of the Mac OS X experience, but it is also a standalone application with millions of Windows users who don't necessarily need to be tied to Apple's OS X updates.

Looking at the Safari 4.0.3 update itself, two of the fixed issues - one in ImageIO and one in CoreGraphics - are both maliciously crafted image issues affecting Windows users. Similar issues were fixed in Mac OS X 10.5.8 itself, at the operating system level rather than the browser level.

Additionally, Safari 4.0.3 includes three advisories for issues in its WebKit rendering engine. WebKit is also used by Google Chrome, and as such I suspect there is a level of what I will call 'developer diplomacy' that Apple needs to navigate in order not to expose other WebKit users to risk prematurely.

Tr.im is back - but for how long?

By Sean Kerner   |    August 11, 2009

trim.png
From the 'playing chicken with links' files:

URL shortening service tr.im is back, after telling us all just yesterday that the service was being terminated. Apparently making the top of the Google News Sci/Tech section, and all the feedback, made Nambu (the vendor behind tr.im) change their mind.

There still is a fundamental problem though: tr.im, and URL shortening in general, doesn't have a business model attached to it yet. Nambu isn't going to insert ads into links either.

"We have no interest in framing tr.im URLs, or adding interstitial advertising to redirects, and some have suggested we do, or others would do with tr.im should they acquire it," Nambu wrote in a blog post. "We will simply never do that out of respect for the fact that users created tr.im URLs based on this commitment. We do not see that as a viable revenue model as well, as it is not expected or welcomed by the individual visiting a shortened link."

So they still don't have a model, and without a model can any of us be sure they'll still be here in a year? Then again, as I've said before, Twitter doesn't have a revenue model yet either.

Here's my idea for a URL shortening service revenue model: charge for premium analytics. Yeah, tr.im offers decent analytics now, but perhaps a more robust reporting service that measures conversions, looks at referrers and has long-term reports. Businesses would pay for that; tr.im can still have a free service, with a premium offering for those that need or want more.

Sun ending Solaris Express Community Edition (SXCE)

By Sean Kerner   |    August 11, 2009

opensolaris_small.gif
From the 'soon to be Oracle Solaris' files:

Sun is planning on ending the production of its Solaris Express Community Edition (SXCE) by the end of October. SXCE is (soon to be 'was') a binary release of the leading edge of OpenSolaris development, updated every other week by Sun.

Though the actual 'release' is ending, development will continue. What this really represents is a packaging change and a move towards Sun's next-generation Image Packaging System.

"As we intend to continue on a bi-weekly build schedule, consolidations will move towards producing native Image Packaging System (IPS) packages alongside SVR4 packages and then phase out the latter completely," Sun's Glynn Foster said in a mailing list posting. "Technologies such as IPS, Automated Install, Snap Upgrade and the Distribution Constructor will be integrating into a consolidation after following through the established processes including architectural (ARC) review."

So, if I understand this 'discontinuation' of SXCE correctly: if I want an updated OpenSolaris system, I'll just have to download the last milestone release (as opposed to the SXCE build) and then update (with IPS) to the latest components.

As OpenSolaris is Sun's 'Solaris Next', this does make a whole lot of sense. IPS is Solaris's future and it should be the default mechanism for updating the operating system too.

Nokia adjusts Qt brand, website

By Sean Kerner   |    August 11, 2009

qt.logo.png
From the 'does it really matter?' files:

Nokia is changing the name of its open source software division, once known as Trolltech, again. Nokia acquired Trolltech in 2008 for $150 million and brought the company's technology into Nokia under the name Qt Software.

Qt was (and is) Trolltech's primary technology: the open source GUI toolkit behind KDE (and in many ways WebKit too). It's also a key part of Nokia's open source mobile phone strategy moving forward.

Now Qt Software is being renamed as Qt Development Frameworks and the web address will change to http://qt.nokia.com.

Daniel Kihlberg, director of global sales, marketing, and services for Nokia, Qt Development Frameworks, explains the rationale behind the selection of the name and domain:

"We want to increase the use of Qt by mobile developers and to achieve this we've strengthened our name's link to the Nokia brand," Kihlberg said in a statement. "The progress of our new Qt for S60 product and our future involvement in Maemo are examples of how Qt will reach out to mobile developers in addition to desktop and web developers. We selected Qt Development Frameworks because at the end of the day, our goal is to provide developers with the best framework: Qt."

To me this is a TomAYto/TomAHto change.

Calling it Software versus a Framework is a semantic change that doesn't change the underlying technology at all. For those that don't know Qt - sure calling it a framework is better than just calling it software. But then again couldn't it have just been a software framework?

Mod Anti-Malware goes open source for server security

By Sean Kerner   |    August 11, 2009

dasient_small.jpg
From the 'kinda/sorta open source' files:

Web security vendor Dasient today released an open source version of its Web Anti-Malware (WAM) server security technology. It's called mod anti-malware lite, and the basic idea is that it identifies malware on a server and blocks it or redirects visitors away from it.

Dasient announced their core technology in June, but the new part, in my view, is the open source aspect. Dasient is not open sourcing its whole product, just the 'lite' version. The difference between the lite and the full version is that the lite version does not actually remove the detected malware, but it does enable a server admin to put up a page that redirects users away from the issue.

I spoke with Dasient founders Neil Daswani and Ameet Ranadive and asked them why they open sourced mod anti-malware. Their answer (to me) sounded like they were using open source as a 'trial-mode' channel of distribution as opposed to a method of development. But they are open to community participation. Here is what they said.

"This is our first step into the open source world," Daswani told InternetNews.com. "We're doing it mostly so web hosting providers and other sites can try it out. If people have interest in helping us build it out we're more than happy to work with them."

The other key question that I had for Dasient was how their technology differs from, say, the mod_security web application firewall (WAF), which is also open source.

VMware acquires SpringSource for $362 million

By Sean Kerner   |    August 10, 2009

spring_small.gif

From the 'VMware did what?' files:

Virtualization vendor VMware today announced the acquisition of Java web development and middleware vendor SpringSource for $362 million.

SpringSource is the vendor behind the popular open source Spring Framework that is used and supported by numerous Java middleware vendors including Red Hat JBoss and IBM Websphere.

VMware expects the deal to close in the third quarter of 2009. The total value of the deal could top $400 million when all is said and done, as VMware is also taking on $58 million of unvested stock and options in addition to the $362 million of cash and equity that VMware is offering privately held SpringSource.

This is a deal that will change the dynamic for VMware in my opinion. Now VMware moves from being a virtualization vendor to being a virtualization vendor with development, middleware and server management for both physical and virtual environments.

Earlier this year SpringSource made an acquisition of its own by acquiring open source systems management and monitoring vendor Hyperic.

Beyond acquisitions, SpringSource this year released a new commercially supported Apache Tomcat Java middleware server as well as a new tools release, Spring Tools Suite 2.0. Just around the corner is a major new release of SpringSource's Spring Framework, with Spring 3.0 set for later this year.

Google Chrome 3.0.197.x fixes Linux plugins

By Sean Kerner   |    August 10, 2009

googlechromologo.jpg
From the 'seems stable to me' files:

There still isn't a stable release of Google's Chrome browser for either Linux or Mac users, but Google is getting closer with the Chrome 3.0.197.x dev-channel release.

Chrome 3.0.197.x fixes at least three different plugin-related issues that were affecting the Linux version of Chrome. Google has also fixed a really frustrating bug (in my opinion as a user) that had previously caused Gmail to hang and/or crash in Chrome for Linux. Mac users also get a number of fixes for common crashes.

With the Gmail fix, Chrome on Linux is now a usable browser for me. No I'm not saying it will replace Firefox as my default, but at least now I have that choice.

I haven't yet seen an indication of when Google will promote Chrome to a beta release for Mac and Linux, but in my opinion, that could come at any arbitrary point now. The Linux version has matured over the last few point releases and I can now keep it open for a full day of browsing without it crashing/hanging - that's a big step from where it started in June.

Considering that Chrome OS is set to be a Linux-based distribution, it makes sense that Google has invested its engineering resources in getting the Linux version of Chrome in order. Chrome for Linux and Mac is not yet at the same level of maturity and stability as Chrome for Windows, but it's getting there.

Windows users of Chrome 3.0.197.x actually get at least one item that isn't in the Linux or Mac versions yet: the first crack at Google's extensions installation prompt. Extensions are nearly done for Chrome on Windows, and having an installation screen is a critical step towards making them available and consumable by beta and stable users.

Apache updates to 2.2.13 for security

By Sean Kerner   |    August 10, 2009

apache.gif
From the 'time to update Apache' files:

A new Apache HTTP server release is out, fixing at least 4 security issues in the popular open source web server. None of the fixed security issues look like show stoppers to me.

Only one of the listed security updates for Apache 2.2.13 actually has a CVE number attached to it (CVE-2009-2412). That fix addresses a potential integer overflow in APR (Apache Portable Runtime).
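Since the post only names the bug class, here is an added C example of what an "overflow in an allocator" looks like and how the check that fixes it works. This is not APR's code and the function names are hypothetical. Pool allocators round every request up to an alignment boundary; done with plain arithmetic, a request near SIZE_MAX wraps around to a tiny number, the allocator hands back a tiny buffer, and the caller's later writes run off the end of it. The fix is to detect the wrap and refuse the request.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the integer-overflow bug class in size rounding.
 * Not APR's code: every name here is hypothetical. */

#define ALIGN_BOUNDARY 8
#define ALIGN_UP(size) (((size) + (ALIGN_BOUNDARY - 1)) & ~(size_t)(ALIGN_BOUNDARY - 1))

/* Unchecked rounding: ALIGN_UP(SIZE_MAX - 3) silently wraps to 0. */
static size_t round_size_unchecked(size_t size)
{
    return ALIGN_UP(size);
}

/* Checked rounding: a result smaller than the input means the addition
 * wrapped, so fail instead of returning a bogus small size. */
static int round_size_checked(size_t size, size_t *out)
{
    size_t rounded = ALIGN_UP(size);
    if (rounded < size)
        return 0;
    *out = rounded;
    return 1;
}

/* Same idea for element-count allocations: n * elem must not wrap either. */
static int mul_size_checked(size_t n, size_t elem, size_t *out)
{
    if (elem != 0 && n > SIZE_MAX / elem)
        return 0;
    *out = n * elem;
    return 1;
}

/* Allocator wrapper that refuses wrapped sizes rather than under-allocating. */
static void *safe_alloc(size_t size)
{
    size_t rounded;
    if (!round_size_checked(size, &rounded))
        return NULL;
    return malloc(rounded);
}

/* Scalar-result helpers used by main() below. */
static int rounding_wraps(size_t size)
{
    size_t dummy;
    return round_size_unchecked(size) < size && !round_size_checked(size, &dummy);
}

static size_t rounded_or_zero(size_t size)
{
    size_t r;
    return round_size_checked(size, &r) ? r : 0;
}

static size_t product_or_zero(size_t n, size_t elem)
{
    size_t r;
    return mul_size_checked(n, elem, &r) ? r : 0;
}

int main(void)
{
    size_t huge = SIZE_MAX - 3;
    printf("unchecked rounding of SIZE_MAX-3 -> %zu (wrapped: %d)\n",
           round_size_unchecked(huge), rounding_wraps(huge));
    printf("checked rounding of 13 -> %zu\n", rounded_or_zero(13));
    printf("checked product 3 * 8 -> %zu, SIZE_MAX * 2 -> %zu\n",
           product_or_zero(3, 8), product_or_zero(SIZE_MAX, 2));
    printf("safe_alloc(SIZE_MAX-3) is %s\n", safe_alloc(huge) ? "non-NULL" : "NULL");
    return 0;
}
```

The "rounded < size" comparison is the whole fix: any unsigned addition that wraps produces a value smaller than one of its inputs, so the check costs one compare and catches every wrapped request regardless of the alignment boundary.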

The other issues fixed in 2.2.13 include changes to the mod_ssl module to improve compatibility with OpenSSL 1.0.0. There is also a fix for mod_cgid that eliminates an empty argument when calling the CGI script (which could potentially be a vulnerability).

Apache still maintains its older HTTP server branches - 2.0.x and the older 1.3.x - neither of which is affected by the new 2.2.13 update. The 1.3.41 and 2.0.63 releases (the most recent for those branches) came out in January 2008.

Tr.im trimmed by Twitter

By Sean Kerner   |    August 10, 2009

trim.png
From the 'bit by bit' files:

There is soon to be one less URL shortening service - tr.im has announced that it is ending its service.

Existing users will have their links continue to work until December 31, 2009. Why is tr.im ending? According to tr.im they just couldn't make any money at it - and, oh yeah, Twitter squeezed them out.

"There is no way for us to monetize URL shortening -- users won't pay for it -- and we just can't justify further development since Twitter has all but anointed bit.ly the market winner," tr.im stated on its website. "There is simply no point for us to continue operating tr.im, and pay for its upkeep."

Nambu, the company behind tr.im, had tried to sell off the tr.im service but, according to Nambu, no one wanted to pay for it. Add to that the fact that it costs money to keep the service running and, well, it was only a matter of time until tr.im would end.

"Users will not pay for URL shortening, and why should they? And, the data that tr.im generates - the hottest links that people are sharing right now - is all well and good, but everyone has this data. tr.im gets hit by countless bots every day farming this data to create and operate websites such as tweetmeme.com," Nambu's developers wrote in a blog post. "So, *everyone* has this data, meaning it is basically worthless *by itself* to base a business on (as bit.ly and others are attempting to do) at least in our humble opinions."

Firefox 3.6 hits Alpha 1

By Sean Kerner   |    August 10, 2009

sr-firefox3.jpg
From the 'ongoing development' files:

The first Alpha milestone release of Firefox 3.6, codenamed Namoroka, is now out. The early indication from Mozilla developers is that this release will be out in less time than it took to put out Firefox 3.5.

Firefox 3.5 was originally supposed to be Firefox 3.1 and got stretched out to a year of development after the Firefox 3.0 release.

"Unlike the year that passed between Firefox 3 and Firefox 3.5, we expect that this 3.6 release will be released in a small number of months," Mozilla's Christopher Blizzard blogged. "Our main focus for the 3.6 release will be end-user perceived performance, TraceMonkey and DOM performance and new web developer features."

When 3.6 was first announced in April of this year, one of the key release goals was faster startup time, and it will be interesting to see as the milestones are released how that is achieved. At the time of the first 3.6 announcement, 3.6 was pegged for a mid-2010 release; given Blizzard's comments now, we might well see Firefox 3.6 somewhat sooner.

Overall, 3.6 at this early stage includes some new CSS 3 features, including background size and gradients for background images. TraceMonkey (Firefox's JavaScript engine) gets a speed boost, and there is a new technology called Compositor which, according to Mozilla, "moves Gecko to using one native widget per top-level content document."

Early days still, to be sure, and with Firefox alphas there are always new features added with each milestone, so there is lots to look forward to in this release as it continues to develop.

Are Anti-Virus signatures dead?

By Sean Kerner   |    August 07, 2009

security-200x180-redlock_small.jpg
From the 'multi-layered defense' files:

There are a number of myths and misconceptions about how modern anti-virus (AV) technologies work. It used to be that they just used signatures of known malware, but is that still the case?

I recently sat down with Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, to get his take on the myths and misconceptions of the modern AV industry.

Schouwenberg agreed that signatures by themselves are dead. He commented that a pure signature approach isn't enough anymore, but that signatures are still an essential element and a tool used to detect malware.

In his view whitelisting and access control have a role to play as well, but aren't the ultimate solution either.

"You can whitelist applications but you can't whitelist script files,"  Schouwenberg said. "You can't whitelist the internet."

SCO can't sell itself

By Sean Kerner   |    August 06, 2009

sco.gif
From the 'they're still around?' files:

The judge in the ongoing SCO bankruptcy case has denied SCO's attempt to sell itself off. Back in June, SCO tried to sell off part of its business to investor Stephen Norris in an effort to separate SCO's Unix business from its ongoing litigation against Novell and IBM.

Both Novell and IBM had their own motion in play: to get the judge to convert SCO's Chapter 11 bankruptcy protection into a Chapter 7 bankruptcy liquidation. Judge Kevin Gross denied Novell and IBM's motion as well.

What did happen is that the judge appointed a trustee to oversee SCO and to evaluate what should happen next. The way I read it, the court's opinion is actually somewhat favorable to SCO. It looks to me like the judge is giving SCO a way out against the 'big wealthy' companies it is facing off against.

"The Court's decision is not intended as a criticism of Debtors' efforts or conduct," Gross stated. "SCO found their UNIX operating system under attack and sought redress through litigation. Their principal adversaries, IBM and Novell, are wealthy and have used their deep pockets in the Litigation and in these bankruptcy cases to Debtors' disadvantage."

Gross goes on to note that IBM and Novell are entitled to act in their self-interest and that is what they are doing.

But at the heart of the situation is the fact that SCO really has no money. 

Sun updates Java for Microsoft flaw

By Sean Kerner   |    August 06, 2009

javasmall.jpg
From the 'have you updated yet?' files:

Sun is out this week with a significant security update for Java SE 6. US-CERT warns that the Java vulnerabilities could potentially enable an attacker to execute arbitrary code or bypass authentication methods.

Technically speaking, the update is labeled update 15 (6u15) and is accompanied by no less than 7 separate Sun security alerts: 263408, 263409, 263428, 263429, 263488, 263489 and 264648.

Perhaps the most significant flaw patched by Sun in the Java update is detailed in alert 264648, which is directly related to the recent out-of-band updates from Microsoft.

"A security vulnerability in the Active Template Library (ATL) in various releases of Microsoft Visual Studio that is used by the Java Web Start ActiveX control may allow the Java Web Start ActiveX control to be leveraged to execute arbitrary code," Sun's advisory states. "This may occur as the result of a user of the Java Runtime Environment viewing a specially crafted web page that exploits this vulnerability."

It's interesting to see how many third-party vendors were affected by the ATL issue. Adobe was also affected by the same issue.

Mac OS X 10.5.8 fixes 18 security flaws

By Sean Kerner   |    August 06, 2009

apple_new_macs_200x180.jpg
From the 'time to update' files:

Apple is out with the Mac OS X 10.5.8 security update release fixing a range of issues.

At the top of the list is a flaw in how OS X handles bzip2-compressed files. According to Apple's advisory on the issue, "Decompressing maliciously crafted data may lead to an unexpected application termination."

Apple is also fixing a web browser issue, by way of the CFNetwork layer in OS X. CFNetwork is Apple's core services framework that provides network layer abstraction to applications. The flaw could potentially have enabled an attacker to spoof a website URL after a browser follows an HTTP 302 redirect.

"This may allow a maliciously crafted website that is reached via an open redirector on a user-trusted website to control the displayed website URL in a certificate warning," Apple's advisory states.

To my naked eye this sounds like a similar flaw to one Mozilla fixed with Firefox 3.5.2 earlier this week. Mozilla also had a URL spoofing issue, though Mozilla specifically called out SSL, which is something that Apple has not done in its advisory.

Report: Ethernet switch revenue down 19 percent

By Sean Kerner   |    August 05, 2009

From the 'economic slowdown stats' files:

Research firm Dell'Oro Group put out a report this week on the Worldwide Shared Hub, Ethernet & LAN Switch market. The report shows the damage that the current economy has done to the switch market.

For 2009, Dell'Oro is forecasting global Ethernet switch revenues of $15.8 billion, which is a 19 percent decline from the $19.5 billion reported for 2008.

Moving forward, the forecast is for 1 percent growth in 2009 for market revenues of $16.0 billion. By 2013 the current forecast model has the global Ethernet & LAN Switch market at $18.3 billion.

To my naked eye that means over the next five years, the Ethernet switch market will not recover to 2008 levels of revenue. Frankly, I find that shocking.

I queried Dell'Oro about the report (they graciously sent me the numbers but didn't have time to answer my questions). I also tried to get the opinions of the major switch vendors, but they were also quiet.

Skype for Asterisk Beta avail until Aug 7th

By Sean Kerner   |    August 05, 2009

From the 'time limited offers' files:

If you're running an open source Asterisk PBX and you want to integrate it with Skype, you need to move fast - the open public beta availability of Skype for Asterisk closes on August 7th.

The way I understand it, with Skype for Asterisk you can use Skype just like a normal phone line as part of the PBX, which is kinda cool. It basically means you can potentially have your own Skype-based call center. But unlike Asterisk, which is freely available and open source, Skype for Asterisk has some limitations.

"This is a "time-expiring" beta - the software will stop working on August 31. The download is also currently time-limited - it will be available until August 7 on our website," Asterisk community manager John Todd said in a mailing list post. "After the 31st, you would need to have purchased a license for the SfA software."

Todd did not have any pricing or licensing info available to share.

Earlier this year Todd did tell me that the plan was for AsteriskNOW 2.0 - which is an all-in-one Asterisk/Linux OS/GUI app - to have the Skype for Asterisk piece integrated in. Currently AsteriskNOW is at version 1.5 and it is a freely available application.

While I understand that Skype is not an open source application, it makes sense from my point of view that Skype for Asterisk be freely available for community use. Sure, Skype-to-Skype users won't generate any revenues for Skype, but it's all the add-ons (SkypeIn, SkypeOut) that generate the money anyway, and likely Asterisk users will still need those services too.

If you're looking for the public beta - it's available here until August 7th.

Microsoft $ impacted by Linux's Free Beer

By Sean Kerner   |    August 05, 2009

From the 'why buy the cow when you can get the milk for free?' files:

Microsoft has listed in its 10-K, open source software and specifically Linux as one of the risk factors that could negatively impact Microsoft's revenues.

This shouldn't be a surprise, but it's interesting to look at the specific language and the specific companies that Microsoft calls out.

"Our business model has been based upon customers paying a fee to license software that we develop and distribute," Microsoft states in the 10-K. "Under this license-based software model, software developers bear the costs of converting original ideas into software products through investments in research and development, offsetting these costs with the revenue received from the distribution of their products. Certain "open source" software business models challenge our license-based software model."

For its operating system business, Microsoft's 10-K specifically called out 'variants of Unix', among which it includes Apple, Canonical, and Red Hat. Notice how Novell is not mentioned? There are similar omissions when it comes to the partners disclosure.

Google launches Chrome gallery

By Sean Kerner   |    August 05, 2009

From the 'pimping your browser' files:

Google is out with a new Themes Gallery site for Chrome users - but not all Chrome users.

The new Themes Gallery currently is only for dev and beta channel users running Chrome 3.x.  So for stable Windows users, you're out of luck.

For Linux and Mac users, there is no stable version, only the dev version, so you are in luck.

Currently there are 49 themes in the gallery, which enable a Chrome user to change the look of their browser. This isn't revolutionary technology, but it is a feature that a modern browser should have, and now Chrome has it.

In comparison, Mozilla now has 20,000 different Personas (basically themes) available for Firefox users - so yeah Mozilla has a bit of a lead there. But hey you gotta start somewhere.

Mozilla Store hit by security breach

By Sean Kerner   |    August 05, 2009

From the 'they have a store?' files:

Mozilla is reporting that its Mozilla Store (which sells Mozilla 'stuff') was hit by a security breach, by way of their backend payment gateway provider, GatewayCDI.

Mozilla notes that once they found out GatewayCDI had a security breach, they shut down the store. As of 9:30 AM ET on Wed Aug 5th, the store remains closed with the notice "The Mozilla Store has been closed for maintenance."

"Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised," Mozilla's blog post on the issue states. "GatewayCDI is currently investigating their systems and determining the cause and extent of the breach. Mozilla Store customers who are affected will be contacted directly by GatewayCDI."

The Mozilla Store won't re-open until Mozilla is assured that security is what it should be.

It's unfortunate - but these types of breaches do occur. In my opinion, Mozilla is doing the responsible thing here, shutting down the store and being as open as they can be about what occurred.

Black Hat Wi-Fi network hit by 154 DoS attacks

By Sean Kerner   |    August 04, 2009

From the 'hostile Wi-Fi network' files:

The Wi-Fi network at last week's Black Hat conference in Las Vegas was pummeled by multiple types of attacks -- but the network held (at least that was my experience).

The stats are now out on the security status of the Wi-Fi network at Black Hat, which was run by wireless vendor Aruba Networks. I spoke with Aruba prior to the event and they were confident they had the gear to keep the network secure.

So what was the damage?

  • 9 suspected rogue APs were detected.
  • 175 attempts by a wireless user to access the Aruba mobility controller were blocked by the Aruba firewall.
  • 23 impersonation attacks were detected.
  • 71 non-Blackhat APs were detected.
  • 154 denial-of-service (DoS) attacks were detected.

That doesn't seem too crazy, but when you consider the briefings portion was only two days long, that's a non-trivial amount of attacks for a Wi-Fi network.

The DoS attack number is the one that is the most significant in my view, especially when compared on a year over year basis.  For 2008, Aruba reported only 24 DoS attacks.

That means (if my math is correct) there was a 600% increase in DoS attacks at Black Hat in 2009.

Come to think of it, I did have the odd connection drop when I was in the Augustus Ballroom, but overall as a user I really didn't notice any significant connection issues when connected to the Black Hat Wi-Fi network this year.

Twitter visibility improves with Blue Coat

By Sean Kerner   |    August 04, 2009

From the 'yeaaah companies use Twitter' files:

Twitter is not just something people use at home, it's being used by business and that's why enterprise IT needs to know about Twitter - from a network traffic perspective.

Network optimization vendor Blue Coat (Nasdaq:BCSI), now has the ability to detect Twitter traffic with its PacketShaper WAN optimization appliances. That means that instead of enterprises just using Twitter without any degree of optimization or control, an IT manager can actually identify and manage Twitter traffic from a network level.

That's a big deal. It means that Twitter goes from the realm of just being something that runs on Port 80 - to being an identified application that has enterprise policy and control attached to it.

Twitter now joins other enterprise applications that Blue Coat can identify including Microsoft Outlook and Oracle database.

"Understanding which social media tools are being utilized and how employees are using them is valuable information that helps network administrators set and enforce corporate policies," said Steve House, Director of Product Marketing at Blue Coat Systems in a statement.

Mozilla aware of SSL flaw in Feb. Advisory issued in August

By Sean Kerner   |    August 03, 2009

From the 'late advisory' files:

One of the biggest stories out of last week's Black Hat event was the disclosure that Firefox and other web browsers were at risk from SSL man-in-the-middle attacks. The attacks, which were discussed and reported by Dan Kaminsky and Moxie Marlinspike, involve null wildcards in SSL certificates, which tricked the browser into thinking that \0*.attackdomain.realdomain.com was actually a legitimate SSL certificate for realdomain.com.
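The root cause of the null-character trick is a mismatch between how the certificate name is encoded (a byte string with an explicit length, in which a NUL byte is just another byte) and how it is compared (as a C string, which ends at the first NUL). The following added example, written for this post and not taken from Mozilla's code or from the researchers' material, puts a deliberately naive matcher next to a hardened one so the difference is visible. All certificate names and hostnames in it are constructed samples; the naive code's acceptance of a bare "*" as matching any host is a modelling assumption for the "null wildcard" case, not a description of any particular browser's implementation.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample certificate names, as an ASN.1 decoder would hand them
 * over: a byte buffer plus an explicit length. Embedded NUL bytes are legal
 * in the encoded string, which is exactly what the null-prefix trick relies on.
 */
static const unsigned char CN_NULL_PREFIX[]   = "realdomain.com\0.attackdomain.com";
static const unsigned char CN_NULL_WILDCARD[] = "*\0.attackdomain.com";
static const unsigned char CN_HONEST[]        = "realdomain.com";
static const unsigned char CN_WILDCARD[]      = "*.attackdomain.com";

/* Byte length of a string literal, excluding the compiler's terminating NUL. */
#define BYTES(lit) (sizeof(lit) - 1)

/*
 * Naive matcher: ignores the decoded length and treats the name as a C
 * string, so everything after the first embedded NUL is silently dropped.
 * A bare "*" is accepted as matching any host (modelling assumption).
 * Returns 1 on match, 0 otherwise.
 */
int naive_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    (void)cn_len;                        /* length ignored: this is the bug */
    const char *s = (const char *)cn;
    if (strcmp(s, "*") == 0)
        return 1;
    return strcmp(s, host) == 0;
}

/*
 * Strict matcher: honours the explicit length, rejects any embedded NUL,
 * and compares full byte sequences. A wildcard is allowed only as the whole
 * leftmost label ("*.example.com") and matches exactly one host label.
 * Returns 1 on match, 0 otherwise.
 */
int strict_matches(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL)
        return 0;                        /* embedded NUL: refuse outright */

    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        /* Host needs a non-empty first label followed by exactly the suffix. */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        size_t suffix_len = cn_len - 1;  /* ".attackdomain.com" */
        if (strlen(dot) != suffix_len)
            return 0;
        return memcmp(dot, cn + 1, suffix_len) == 0;
    }

    if (cn_len != strlen(host))
        return 0;
    return memcmp(cn, host, cn_len) == 0;
}

int main(void)
{
    printf("null prefix vs realdomain.com:        naive=%d strict=%d\n",
           naive_matches(CN_NULL_PREFIX, BYTES(CN_NULL_PREFIX), "realdomain.com"),
           strict_matches(CN_NULL_PREFIX, BYTES(CN_NULL_PREFIX), "realdomain.com"));
    printf("null wildcard vs www.realdomain.com:  naive=%d strict=%d\n",
           naive_matches(CN_NULL_WILDCARD, BYTES(CN_NULL_WILDCARD), "www.realdomain.com"),
           strict_matches(CN_NULL_WILDCARD, BYTES(CN_NULL_WILDCARD), "www.realdomain.com"));
    printf("honest cert vs realdomain.com:        strict=%d\n",
           strict_matches(CN_HONEST, BYTES(CN_HONEST), "realdomain.com"));
    printf("*.attackdomain.com vs www.attackdomain.com: strict=%d\n",
           strict_matches(CN_WILDCARD, BYTES(CN_WILDCARD), "www.attackdomain.com"));
    return 0;
}
```

The defensive rule the strict matcher embodies is simple: never let a length-prefixed name become a C string before the comparison, and treat an embedded NUL as grounds for rejecting the certificate rather than something to tolerate.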

Mozilla was aware of the issue as far back as February, according to the Bugzilla report, and the flaw was already fixed in Firefox 3.5 when that browser was released in June.

Mozilla published an advisory on the issue on Saturday.

"Users of unfixed versions of Firefox 3.0 who are concerned about the potential for this attack on their network should download the latest Firefox 3.5 from our web site, and on Windows ensure that the installer is signed and that "Mozilla Corporation" is the publisher."

Google Chrome Sync coming

By Sean Kerner   |    August 03, 2009

From the 'Chrome OS's browser' files:

Google Chrome 3.0.196.2 is now out, but trying to figure out what's new in it is more difficult than with previous releases. Up until version 3.0.195.1 Google provided release notes for most Chrome updates - that's not the case with the 3.0.196.x series (yet).

Instead Google points users to the build notes, which actually provide more specific detail than the release notes - but do not provide the total macro-view summary. I don't know why Google didn't put out release notes, but one thing is for sure, they have been busy.

The volume of changes on all platforms (Windows, Mac, Linux) is large, with the Extensions system getting a whole lot of attention.

One thing that isn't in the build notes - but will likely show up there soon - is a new feature for Browser synchronization.

"A bunch of us have been working on a feature to sync user data in Chromium with a Google account.  (Surprise! :)) ," Google developers wrote in a mailing list posting. "The great news is that we'll be starting to work directly in the Chromium project this week."

Basically what it means is using Google as a cloud-based back-end for user data synchronization - think something like delicious or, better yet, Mozilla Weave. The plan is for the whole sync effort to be open source, using the open protobuf format.

That's a really big deal - especially considering that Chrome as the browser is the underlying layer of the future Chrome OS.

It means that Chrome OS will have built-in Google cloud sync capabilities for data. That means you could probably just use a Chrome OS netbook as a conduit to your data, with the ability to sync multiple machines - which could be useful for a work/home environment or for disaster recovery.

Hackers spot fake ATM. Could you?

By Sean Kerner   |    August 03, 2009

From the 'carbon receipts' files:

Over the weekend, there were multiple reports of a rogue ATM machine at the Defcon conference in Las Vegas. The story is that there was some kind of fake ATM machine that was allegedly skimming users' info.

Defcon attendees spotted the rogue and it got removed. 

Goes to show that you shouldn't try and hack a hacker right? The irony of the situation is that there was supposed to be a presentation at Defcon on how to 'hack' (or jackpot) legitimate ATM machines - a talk that got pulled by the vendor.

The larger question in my mind though is - Would I (or would you) be able to spot a fake ATM?

It's not usually an easy task. In the Defcon case, the reports note that there was something suspicious about the ATM unit itself. That's usually the first clue. If the cash machine doesn't look 'right' it probably isn't.