RealTime IT News

Blog Archives

Why the Smart Grid will be more secure than the regular grid

By Sean Kerner   |    September 30, 2009

security-200x180-redlock_small.jpg

From the 'We Know Better Now' files:

The U.S National Institutes of Standards and Technology (NIST) is now out with a draft of a 236 page report on smart grid security.

Is the smart grid - the effort to modernize and connect the global energy delivery system - that vulnerable? In my view, that question is not the point.

The way I see it, the efforts of NIST and others simply underscores how the world is a different place in the post 9/11 world.

When the original electrical grid was put in place, the risks from potential attacks were not as real as they are today.

The original electrical grid did not have to consider the same connection risks that we have today either.

With the smart grid, literally everyone that has power is connected to the same network, and every node is a potential access point. There is security in numbers in my view so that's a good thing.

Mozilla opposes Google Chrome Frame. No soup for you.

By Sean Kerner   |    September 29, 2009

sr-firefox3.jpg
From the 'Mozilla Agreeing with Microsoft' files:

Microsoft and Mozilla are two organizations that tend not to agree on many different topics. When it comes to Google's Chrome Frame, it's a different story.

Mitchell Baker Chair of the Mozilla Foundation has come out swinging against Chrome Frame, which is a plug-in for Microsoft's Internet Explorer providing Google Chrome rendering technology. Microsoft has said that Chrome Frame isn't a good thing and Mozilla's Baker sees it as leading to further browser fragmentation as well.

Baker sees Chrome Frame leading to a 'browser soup' where users (and developers to some extent) are using a 'soup' of browser components which could lead to control and potential security issues.

"I predict positive results will not be enduring and -- to the extent it
is adopted -- Chrome Frame will end in growing fragmentation and loss of
control for most of us, including web developers," Baker blogged.

Among the concerns that Baker has is how passwords, security settings, personalization, tagging and bookmarking will be handled across the Chrome Frame/IE hybrid.

In her view, due to the fact that various parts of the browser are no longer
connected, it's not clear that actions made in IE will have the same results if the user is using Chrome frame, which is essentially a browser-within-a-browser.

"Once your browser has fragmented into multiple rendering engines, it's
very hard to manage information across websites," Baker said. "Some information will
be manageable from the browser you use and some information from Chrome
Frame."

Report: Carrier Ethernet market to hit $34 billion in 2013

By Sean Kerner   |    September 29, 2009

From the 'Big Pipes, Big Money' files:

Infonetics Research is out with a new forecast on the Carrier Ethernet market. According to Infonetics, revenues from Carrier Ethernet equipment manufacturers will reach $34 billion by 2013.

The $34 billion figure is nearly double the $17 billion in Carrier Ethernet equipment manufacturer revenues that Infonetics reported for 2008. The 2008 revenues report came out in April and at that time, Infonetics had forecast 2013 revenues to be $32 billion, so they've now revised their figures upwards by $2 billion.

According to Infonetics, networking giant Cisco currently is the global leader in terms of revenue market share for carrier Ethernet switches, IP core routers and IP edge routers with Juniper Networks coming in second for the core router segment.

While the market for equipment is set to bring in revenues of $34 billion by 2013 the total amount spent on Carrier Ethernet over the next five years is projected by Infonetics to be $146 billion.

"Carrier Ethernet technology is integral to service provider IP next gen network projects aimed at transforming from TDM- to packet-based networks to handle ever-growing consumer, business, mobile backhaul, and video traffic," Michael Howard, principal analyst for carrier and data center networks at Infonetics Research said in a statement. "Service provider investment in carrier Ethernet continues to defy the economic downturn and outpace overall telecom capital expenditure investments."

The future of ICANN. Should it stay under U.S control?

By Sean Kerner   |    September 29, 2009

icann.jpg
From the 'Who Owns the Internet?' files:

Tomorrow (Sept. 30th) is a big day of the Internet. The Joint Project Agreement (JPA) between the U.S Department of Commerce and ICANN (Internet Corporation for Assigned Names and Numbers) expires.

ICANN has operated under a yearly JPA from the Department of Commerce since 1998. Will it be renewed again this year?

Here's what I know at this point. ICANN will make some kind of formal announcement on September 30th about the JPA, beyond that, details are few and far between (and yes I'll be speaking with ICANN first thing Wednesday morning..).

There are some people that think that ICANN, operating under contract from the U.S government. means that the U.S exerts unfair influence over ICANN and by extension, the Internet itself. Among those that don't like the U.S influence is a top European Union commissioner.

Truth is, even today (before whatever announcement is made tomorrow), there is multi-national input into the governance and operations of ICANN.

Rob Beckstrom the recently anointed CEO of ICANN said in a June press conference that, ICANN already has
participation from over 80 countries by way of the Governmental
Advisory Committee (GAC), which is an ICANN advisory body.

The other side of the argument, is the simple fact that control (however menial) is in the best interests of the U.S as ICANN and the Internet represent a strategic U.S interest. How could the U.S ever give that up?

Does Silverlight on Linux matter?

By Sean Kerner   |    September 25, 2009

silverlight.jpg
From the 'Practical Utility' files:

During the Intel Developer Forum this week, Microsoft announced that it was planning on delivering its Silverlight media for Intel's Moblin Linux.

This was a piece of news that caught me off guard a bit. After all, isn't Novell's Moonlight effort, Silverlight on Linux?

What's the point of replicating what Novell already does?

What Microsoft is actually doing in this case isn't necessarily an incident of stepping on their own partners toes. Rather the way I see it, Microsoft is actually followed a very common open source tradition. In open source, there is often two (or more) choices of applications/libraries for any type of application. Just look at the desktop, there is GNOME, KDE, Xfce, Fluxbox and a few others. They all kinda/sorta do the same thing don't they?

That said the deeper question of having Silverlight on Moblin is about need, or lack thereoff.

Does anyone really need Silverlight on Linux? 

Google Chrome Frame makes IE more or less secure?

By Sean Kerner   |    September 25, 2009

googlechromologo.jpg
From the 'My Browser is More Secure Than Yours' files:

There has been some back and forth finger pointing in the last few days between Google and Microsoft over Chrome Frame. According to multiple reports, Microsoft has said that the Chrome Frame IE plug-in (which embeds Google Chrome JavaScript and HTML 5) into IE 6,7 and 8, puts IE users at risk. It's a claim that Google disagrees with.

From my perspective they're both right ... and wrong. Here's why:

Chrome Frame, like any plug-in for any browser, does provide extra functionality and code. As such, from a purely objective point of view, it does present a broader potential attack surface and new attack vectors. Simply put, when there is more code, there is more code to attack that is potentially vulnerable.

As well, the known risk from all plug-ins (highlighted recently with Adobe's Flash) is that users do not update them as often as they should, leaving them at risk.

At this early stage, it's not clear to me how Chrome Frame is updated. Though Google Chrome itself has one of the best updating systems around, providing transparent automatic updates to users.

On the other side of the equation, Chrome (to date) has not been as widely attacked as IE. There have not been nearly as many (not even close) publicly known vulnerabilities in Chrome or Chrome specific malware or scripting (XSS, CSRF etc.) attacks.

GNOME 2.28 previews new Linux shell

By Sean Kerner   |    September 24, 2009

gnome.jpg
From 'Evolution of the Linux Desktop' files:

GNOME 2.28 is out today, bringing with it a bunch of improvements to its Linux desktop GUI.

It's got better and more integrated support for Bluetooth devices, improved sound control,  an improved time tracker and overall improved 'fit and finish.'

The thing that has really caught my eye though is the future of GNOME which this release hints at. Included in 2.28 is the preview release of the GNOME shell which is a different type of desktop interface. It's not quite a 'shell' in the traditional *nix sense and it's not exactly a regular desktop GUI either.

"GNOME Shell features an innovative new user interface using the power
of a composited desktop," the GNOME release notes state. "GNOME Shell makes it easy to add additional
workspaces, start frequently-used applications and access your
most-used files and documents."

I don't have it running on my own test box (yet) but the screenshot as shown on gnome.org has me interested.

Could this be the 'defining' visual feature of GNOME 3?

GNOME developers have not yet officially decided whether the next GNOME release, currently known as GNOME 2.30 and due out in six months will in fact be re-named GNOME 3 or not. The naming decision is expected in November.

HP launches CommunityLinux.org for Linux support

By Sean Kerner   |    September 23, 2009

bdale.community.linux_small.jpg
From the 'Commercial Debian Support' files:

Typically enterprise hardware support for Linux is somewhat limited by the fact that, the major hardware vendors only support two or three major enterprise Linux distributions (Red Hat, SUSE and Ubuntu LTS).

Bdale Garbee, open source and Linux chief technologist at  HP (pic left)

wants to change that. Speaking at the LinuxCon conference, Garbee said that HP has now launched a new effort called CommunityLinux.org to help provide support for non-commercial Linux distros.

"It's a focal point for collaboration on ways to use HP servers and
related products with non-commercial Linux distributions," Garbee said. "We intentionally set this up for hosting outside of HP so it can be a focal point so
whatever the community wants to do, in terms of capturing best practices
for making non-commercial Linux working well on everyone's hardware."

HP is no stranger to supporting non-commercial versions of Linux.

In 2006, HP began providing commercial support options for Debian Linux. Garbee noted that three years later, HP's support of Debian is still unique in the industry.

It's a claim that to the best of my knowledge is accurate. Remember of course though that things have changed a bit in the Debian community since 2006. Back then Ubuntu didn't really exist (Ubuntu is based on Debian).

"One of the things we've learned is that all the things we have learned
about participating and collaborating in upstream development projects
has enabled us to have a broader set of distribution support options,"
Garbee said. 

IBM markets Linux to Africa. Why not the U.S?

By Sean Kerner   |    September 23, 2009

tuxsmall.jpg
From the 'Year of the Linux Desktop' files:

IBM today announced a continuation of a deal with Linux vendor Ubuntu that will see Linux netbook software and solutions sold in Africa.

The way I see it, this is just the delivery portion of something IBM has been talking about since at least August of 2008. At that time, IBM announced its 'Microsoft-Free' PC effort. The basic idea is to have an Linux OS, with IBM smart client applications called Open Collaboration Client Solution software (OCCS)(Lotus Symphony and Notes) for enterprise apps.

Today's announcement looks remarkably similar to what IBM and Canonical announced nine months ago. Last December, IBM and Canonical (the lead sponsor behind the Ubuntu project) announced a virtual desktop solution (today it's called the 'cloud').

The new news is that IBM is now calling the solution 'The IBM Client for Smart Work' and are marketing the solution across Africa. There are on-premise components as well as cloud (virtual) components. Again, to my eye this is all stuff that IBM and Canonical have already announced. The difference here is about the target market and availability.

In my view, the speed with which the IBM 'Microsoft-Free PC' is coming to market is very questionable. Does it really take more than a year to put together a solution from components that already exist in the market?

Why Africa and not the U.S?

Google Chrome Frame enhances Microsoft IE

By Sean Kerner   |    September 22, 2009

googlechromologo.jpg
From the "If You Can't Beat Them, Make An Add-On' files:

Google today released a new open source effort that aims to bring advanced web technologies to Microsoft's Internet Explorer browser.  The Chrome Frame effort is a plug-in for IE 6,7 and 8 that brings HTML 5 and enhanced JavaScript performance for IE users.

That's right, IE users (even IE 6 users) don't have to use a different browser to get some Chrome goodness. They can just get the Chrome Frame plug-in and use their existing IE browser.

Why is Google doing this? Why not just focus on getting users to migrate to Chrome or Firefox? The answer provided by Google shows me that Google is a realist when it comes to browser shares.

"Recent JavaScript performance improvements and the emergence of HTML5
have enabled web applications to do things that could previously only
be done by desktop software," Google blogged. "One challenge developers face in using
these new technologies is that they are not yet supported by Internet
Explorer. Developers can't afford to ignore IE -- most people use some
version of IE -- so they end up spending lots of time implementing
work-arounds or limiting the functionality of their apps."

Now to be fair, IE 8 does support a number of HTML 5 features and has better performance than IE 7 or 6. That said, IE 8 does not support every single HTML 5 feature that Google Chrome supports today.
So in one swift stroke, Google's Chrome Frame could now be the engine behind IE. It's astounding isn't it?

Why Linux succeeds while other open source projects fail

By Sean Kerner   |    September 22, 2009

dirk.1_small.jpg
From the 'Strategies for Success' files:

One persistent topic that crops up at many open source conferences is a discussion of what it takes to be successful.

At the LinuxCon conference (Webcast from Portland), Intel's Dirk Hohndel, chief Linux and open source technologist, gave what I thought was one of the best versions of the 'how to be successful in open source' talks I've ever heard.

Hohndel used Linux as his model for how to be successful.

His basic premise is that a combination of innovation, vision, focus and persistence are the keys to success. If you're lacking in any of those key areas, the project isn't likely to succeed.

"Whenever you think you found a niche, you  will find that someone else is already doing it," Hohndel said.

"Linus is not the first to come up with an open source operating system but he managed to shine. When it comes to vision there are lots of missionaries out there, I can't turn on the TV without meeting 25 of them."

Hohndel added that vision is critical but it's easy because anyone can make stuff up. You need the competence to implement and you need to know how to get to where you want.

It makes a lot of sense to me.

Ideas alone just aren't enough if you don't have the skills and determination to build momentum.

Klingon anti-virus discontinued by Sophos

By Sean Kerner   |    September 21, 2009

klingon.jpg
From the 'Tribbles are a form of malware' files:

PC security vendor Sophos is ending its glorious experiment into Klingon PC anti-virus defense. No this is not an early April Fool's Day joke, Sophos states that they've had over 100,000 downloads of its Star Trek bad/good guy inspired anti-virus software, which scanned for the usual malware, as well as Tribbles.

Basically, the software was a Klingon language version of Sophos' malware scanner. So why did Sophos discontinue the offer?

No it's not some crafty Federation deception, but rather a testament to the valor of the Klingon warrior race.

"A meeting of the Klingon High Council recently expressed concern
that the continued existence of Klingon Anti-Virus reflected badly on
the Klingon race, as they claim to have eradicated all Qo'noS-related
malware, past present and future in both this and mirror universes," Graham Cluely senior technology consultant Sophos blogged."And
we don't like to upset them.
Live long and prosper."

Ubuntu 10.04 The Lucid Lynx. Shuttleworth says it won't stink

By Sean Kerner   |    September 21, 2009

ubuntulogo.png
From the 'Wacky Software Names' files:

Ubuntu Linux founder Mark Shuttleworth has announced the name of 2010's first Ubuntu release. Ubuntu 10.04 will be named the Lucid Lynx.

No, I've never seen a drunk Lynx before myself, but then again it's not like I see Lynx's on a regular basis either.

Shuttleworth made the announcement via Webcast (now posted on YouTube), to the Atlanta Linux Fest which occurred over the weekend. During the announcement, he also explained the rationale for the name and why it will lead to a sweet smell.

"Coming up with a name for a distribution is a wonderful challenge and a
wonderful art form," Shuttleworth said. "Ubuntu 10.04 will be the Lucid Lynx which is a name
that I think brings together all of the key characteristics that we're
striving for in our next LTS.
To be Lucid means to be very clear and focused on the important points."

As far as the Lynx part goes, Shuttleworth noted that the Lynx is a predator, but it's a very thoughtful and considered
predator that is focused on finding the right target opportunity at the
right time.

So what about the smell part? That's where some Shuttleworth humor comes into play.

"Lynx is also well known as a global brand of deodorant so this year's Ubuntu developer summit is going to be the sweetest smelling Ubuntu developer summit ever," Shuttleworth said. "Despite the fact that's it's happening in Dallas."

Google's open source Noop language takes off

By Sean Kerner   |    September 18, 2009

code_small.png
From the 'Why Is Java So Hard?' files

Developers get ready for yet another open source language to help make it easier to run code on a Java Virtual Machine (JVM).

This time the code is from Google (hosted on Google code), it's called Noop and is licensed under the open source Apache 2.0 license.

According to the project site, "Noop (pronounced noh-awp, like the machine
instruction) is a new language experiment that attempts to blend the
best lessons of languages old and new, while syntactically encouraging
industry best-practices and discouraging the worst offenses."

Sounds interesting, but is also not necessarily a new idea. The project page notes that the noop will run on a JVM and  in source form will look similar to Java.

"The goal
is to build dependency injection and testability into the language from
the beginning, rather than rely on third-party libraries as other
languages do," the noop site states.

So if I understand this correctly, this is yet another attempt to build a better Java. Nothing wrong with that idea.

DragonFly BSD 2.4 released. It's not FreeBSD anymore

By Sean Kerner   |    September 17, 2009

dragonfly_bsd_small.gif
From the "Long-Lived Forks' files:

DragonFly BSD 2.4 is now out,including a new 64-bit ISO image, kernel and feature updates.

According to the release notes, the single most invasive change is the introduction of DEVFS.

"The /dev filesystem is now mounted by the kernel after it mounts the root filesystem," the release notes state.

DragonFly BSD developers already know that the DEVFS change, as well as a few other items, might be problematic for some users. There is already a plan to release version 2.4.1 in a month to deal with issues that come up.

New features, aside, what is interesting to me is that DragonFly BSD still exists. It's an effort that started out in 2003 as a fork of FreeBSD 4.x. Here we are six years later and this fork is still alive and well.

FreeBSD is now moving toward its FreeBSD 8 release and many, many things have changed, in both BSD's.

Mozilla Firefox upgrades 10 million Flash users

By Sean Kerner   |    September 17, 2009

sr-firefox3.jpg
From the 'Sad But True' files:

Last week Mozilla rolled out Firefox 3.5.3, which checks the user's version of Adobe Flash. As it turns out, in one week alone, 10 million people clicked on the Adobe update, according to Mozilla.

That's a staggering number. That potentially means that 10 million people were running older out-of-date and insecure versions of Flash. It means that despite Adobe's own efforts to get people to update with their own update mechanisms and public outreach that 10 million people were still left out of the loop.

Flash is at risk from a critical vulnerability that Adobe has already patched. Yet there are still a good number of un-patched Flash users. One study I reported on last month claimed that the number is as high as 80 percent of Flash users.

How does that correlate with Mozilla's numbers? Are 80 percent of Firefox users running un-patched versions of Firefox?

The current publicly available figures from Mozilla do not seem to lead to that conclusion. Though the 10 million figure is certainly a number to take seriously. Mozilla's numbers guy Ken Novash blogged that the click through rate on the Firefox 3.5.3 What's New page, (which is where the Flash update notice first appears) was 30 percent.  Taking a (small) leap of faith and without having the full data set myself, I'm going to assume that means that at least 30 percent of Firefox 3.5.3 users had out-of-date versions of Flash.

So no, it's not 80 percent, but it's still a non-trivial number. It also raises another huge question.

HP's new switch blades take on rivals

By Sean Kerner   |    September 16, 2009

hp.blade_small.jpg

From the 'Sharp Edged Networking Gear' files:

HP (NYSE:HPQ) today announced a new line of blade switches for its c-class BladeSystems. The new switches (switch blades if you will) are called the HP ProCurve 6120 series and includes the ProCurve 6120XG Blade Switch (pic above left) which is a 10 GbE switch that can give networking connectivity for up to 16 blade servers.

What's interesting about this news isn't so much about the fact that there are new blade switches for HP's Bladesystem, but that the new switches are actually from HP.

"Today HP does offer blade switches from other vendors to support different customer use models," Matt Zanner, HP ProCurve director of data center solutions told InternetNews.com. "What's different is this the first time the two business units (HP and HP ProCurve) have combined forces to have a more tightly integrated solution set that ties into all the management layers as well as bring into the c class all of the elements of ProCurve."

That is really the critical news from my point of view.

For years, HP has not fully integrated its ProCurve networking gear more directly into its HP hardware systems. That's no longer the case.

Iran testing DNSSEC domain security

By Sean Kerner   |    September 16, 2009

iran_small.jpg

From the 'No UN Inspectors Required' files:

The Islamic Republic of Iran is now testing out DNSSEC (DNS Security) for the its dot ir (.ir) country code domain.

That's right, Iran is now improving the security of its domain. Politics of what is going on in Iran (elections, nuclear aspirations) aside, the move towards DNSSEC is a good thing.

According to Iran's nic @ir domain registration authority, a DNSSEC testbed began operations on Aug 30, 2009 and will continue until Feb 26, 2010.

Iran will be joining .se, .org and .edu (among others) as DNSSEC secured domain space. This means that at some point in 2010, the authenticity and security of domain holders in Iran will be better than it is today.

No one should really be surprised by this move as the move to DNSSEC is at this point a global movement that is now really starting to pick up momentum.

VMware officially closes Springsource acquisition

By Sean Kerner   |    September 16, 2009

spring_small.gif
From the '30 days' files:

VMware today announced that they have officially completed their acquisition of open source Java dev tools vendor Springsource.

The deal was originally announced on August 10th, for a total cost of $420 million.

The close of the deal seems quite rapid to me, but then again Springsource was not a public company. As such, it appears to have been a pretty quick closing process for VMware.

As expected, Springsource's founder Rod Johnson will continue to lead
Springsource as a VMware division. His new title is General Manager.

Springsource itself has been active since August 10th, putting out a major new initiative that should mesh well with what VMware is now doing. On August 19th, Springsource announced a new cloud effort called SpringSource Cloud Foundry, that brings together Java middleware,
management and cloud delivery. The technology is based in part on
SpringSource's quiet acquisition earlier this year of a small,
privately held open source firm called (surprise, surprise) Cloud
Foundry.

At the time of the Cloud Foundry announcement, Springsource execs hinted at SpringSource's future roadmap as a
VMware company, with end-to-end physical, virtual and cloud delivery
options for Java applications.

Google Chrome 3 gets stable release, faster JavaScript

By Sean Kerner   |    September 15, 2009

googlechromologo.jpg
From the 'Dev-Channel Is Faster' files:

Google Chrome 3 is now out for the mainstream with a new stable-channel release. The new release is officially numbered 3.0.195.21 and includes a faster JavaScript engine, improved HTML 5 features and new tabs pages.

As a dev-channel user myself, this is all stuff I've seen for months. Google has three versions of Chrome, each of which are called channel releases. There is the dev, beta and stable channels with the dev being the most rapid release and the stable being, well the more stable tested release.

The dev version of Chrome is actually a whole version ahead of the stable channel now and is currently at its 4.x release. There are at least two key items in Chrome 4 that are not yet in the new Chrome 3 stable release.

First off is the Google Extensions system. Chrome 3 stable doesn't have it, but I don't doubt that this will be the last version of Chrome stable to ship that doesn't have extensions.

The new stable release also does not include the bookmarking syncing capability that is currently in the dev-channel release. Those are both really interesting features that will bring the functionality of Chrome to the next level.

Those features aside, for everyday users the stable Chrome 3 release will be a leap forward in terms of speed. Google states that the Chrome 3 release is 25 percent faster than the most recent stable release.

Operating Systems not the key security risk anymore

By Sean Kerner   |    September 15, 2009

sans_small.gif
From the 'Security Stats' files:

The SANS Institute is out today with a new Cyber Security Risks report. Among their top conclusions is the assertion that operating systems are not the biggest IT security problem.

Add-on applications and web application vulnerabilities, top SANS list for security vulnerabilities. 

"Waves of targeted email attacks, often called spear phishing, are
exploiting client-side vulnerabilities in commonly used programs such
as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office," the report states. "This
is currently the primary initial infection vector used to compromise
computers that have Internet access."

This is not a surprising finding to me.

Users are not updating apps as often as they should, whether it's Adobe Flash or Apple QuickTime. Other security researchers have pointed out the same issue, time and again as well.

The other big issue is web application vulnerability, which again is something that is no surprise either.

MonitoringForge launches for open source network monitoring

By Sean Kerner   |    September 15, 2009

monitoringforge_small.gif
From the 'Interesting Idea' files:

There are a lot of different open source system and network monitoring projects. Then there are the professional open source vendors like Zenoss, Hyperic and Groundwork that integrate some projects together. 

Now one of those professional vendors is trying something new.

Groundwork today is officially launching the monitoringforge.org site, as an effort to be a portal for open source network and system monitoring apps. According to Groundwork, at launch there are already more than 1,700 open source
projects and plugins listed.

I spoke with Tara Spalding, vp of marketing for Groundwork about MonitoringForge and she stressed that the idea was to create an open space that is vendor-neutral.

Makes sense to me, but then again there are already so many different places to get the same information isn't there?

There are projects that have their own sites, there are the big code hosting sites like Sourceforge and Google Code too. How is a user supposed to know where to go to file a bug or get the latest update?

Mozilla Jetpack gets bootstrapped for add-ons

By Sean Kerner   |    September 14, 2009

jetpack_smaller.jpg
From the 'Big Add-on News' files:

Mozilla's Jetpack is a new approach to deploying and building browser add-ons, but it's always had one big problem.

You first had to get users to actually install Jetpack first. In contrast every other add-on just work when you install it into Firefox. That now changes thanks to the Jetpack 0.5 bootstrap edition.

"You can now provide a one-line install link which will, if the user
doesn't already have Jetpack, both install Jetpack as well as your
feature," Mozilla's Jetpack site states. "With bootstrapping, the install experience for a jetpack is
now easily accessible to everyday users".

It's a simple enough thing, but a big deal nonetheless. Now devs can actually write a Jetpack and add-on and have a reasonable expectation that they'll get more users than just the bleeding edge of early adopters.

Jetpack itself is also getting a real improvement in this release. It's more stable, adds audio capabilities and new twitter functions too.

With the new Twitter library, it should be trivial for someone to create their own Twitter enhanced add-on, or even just yet another Twitter client.

I still haven't seen any official word on whether or not Jetpack will be part of Firefox 3.6, but at this point I'm not sure if it matters. With the bootstrap adoption in earnest can begin now with Firefox 3.5 users.

Apple's Grand Central Dispatch now open source

By Sean Kerner   |    September 11, 2009

libdispatch-icon.png
From the 'Apple Envy' files:

Apple is open sourcing one component of its new Mac OS X 10.6 (Snow Leopard) operating system. Grand Central Dispatch (GCD) is key new feature in Snow Leopard that is intended to help optimize multicore processing for apps.

The open source effort is called 'libdispatch' and it's being made available under the Apache open source license. According to Apple, the project currently includes the user space implementation of
the Grand Central Dispatch API as seen in Mac OS X version 10.6 Snow
Leopard.

The project page also notes that though the overall GCD effort has support for the Mac OS X kernel it isn't required.

That's a big deal. It means that GCD can be ported to other platforms potentially.

I'm not sure who would want to implement this. Considering the shared lineage that Mac OS X has with Unix and specifically FreeBSD, that might be one potential target.

Apple does after all have an ok track record with spinning out open source efforts. Actually come to think of it, I can only really think of one and that's WebKit.  It's an effort that is still mostly run by Apple but Google and now RIM are also active as well.

Could the same sort of success come to GCD? I'm not so sure, but time will tell.

Verizon opposes Avaya's Nortel Bid. Who will buy them now?

By Sean Kerner   |    September 11, 2009

nortel.jpg
From the 'Unsupported' files:

Verizon is now opposing the sale of Nortel's Enterprise networking assets on the grounds that it represents a national security risk to the U.S.

According to a court filing made by Verizon,"communications networks critical to the operation of the federal government, and the defense, safety, health and security of the American public are at risk."

To me this represents a really interesting turn of events. Essentially what is going on is Nortel today (even though there are in bankruptcy protection) is still supporting Verizon and its users. With a sale, the worry is that Avaya (or whoever ends up acquiring the assets - the auction is supposed to occur today) will leave some users unsupported.

Nortel has been under bankruptcy protection since the beginning of the year and has already sold off its wireless division to Ericsson. The Enterprise business is the next business unit on the auction block and to date, Avaya is the only vendor that has publicly announced their bid.

The big question that leaves me with is, isn't there still a revenue opportunity for whomever wins the Nortel business to continue to support the Verizon business?

Google Chrome 4.0.207.0 gets XSS protection

By Sean Kerner   |    September 11, 2009

googlechromologo.jpg
From the 'Rad Security Features' files:

Cross Site Scripting (XSS) is one of the most common types of web attacks. Yet for Windows, Mac and Linux users there is no type of desktop protection for XSS issues that could affect any OS.

That's why browser security, like the type that Google is baking into Chrome 4.0.207.0 is so important.

"Basically, the filter checks each script before it executes to see whether the script appears in the request that generated the page," Google developer Adam Barth wrote in a mailing list posting. 'If it finds a match, it blocks the script from executing.  We're planning to write up an academic paper that has all the details."

It's an idea that makes a whole lot of sense to me. But there is still some work that needs to be done.

Sam Ramji leaving Microsoft

By Sean Kerner   |    September 10, 2009

msft.jpg
From the 'Good Luck In Your Future Endeavors' files:

Sam Ramji, Microsoft's front man for all things open source, is leaving Microsoft effective September 25th.

Ramji made the announcement today during a call with press announcing the formation of the CodePlex Foundation. I've spoken with Ramji many times over the last few years and met him on a number of occasions.  I've always been impressed with how he stands his ground and responds to questions, not always from friendly audiences.

"I am leaving on Microsoft on Sept 25th," Ramji said during the call. "I leave Microsoft at a time when I believe that open source has become part of the DNA of the company, especially engineering teams.
There are many people within and across Microsoft that will continue to advocate for open source."

The decision to leave Microsoft was a personal one. Ramji said during the call that due to illness in the family, he wanted to return to California. With Microsoft, he currently works in the Seattle area.  Ramji said he will be joining a Silicon Valley cloud startup, though he didn't specifically name which one.

Microsoft is currently in the process of searching for a replacement for Ramji, no word on whether they will promote someone internally or hire externally.

Microsoft launches open source foundation

By Sean Kerner   |    September 10, 2009

msft.jpg
From the 'They Did What?!' files:

Microsoft today is spinning up a new 501.c non-profit effort as a forum to support open source community projects. The new effort is called the CodePlex Foundation and it builds on the efforts of Microsoft's Codeplex site.

The timing of this foundation, during the same week in which it was revealed that Microsoft was allegedly trying to unload anti-Linux patent is somewhat curious, don't you think?

The foundation is initially being funded by Microsoft and will be led by Microsoft's Sam Ramji (**UPDATED** Ramji is leaving Microsoft on September 25th) . Novell's  Miguel de Icaza will be part of the new foundation's Board of Directors (don't forget Microsoft and Novell have an interop and patent deal).

So why does Microsoft need its own open source foundation? And what's the difference vs what they are doing with Codeplex.com anyways?

A Microsoft FAQ on the new foundation notes that Codeplex was started in 2006 as a project hosting site that met the needs of commercial developers. The Foundation is related but is a seperate effort.

"The Foundation is
solving similar challenges; ultimately aiming to bring open source and
commercial software developers together in a place where they can
collaborate," the foundation FAQ states. "This is absolutely independent from the project hosting
site, but it is essentially trying to support the same mission. It is
just solving a different part of the challenge, a part that
Codeplex.com isn't designed to solve."

Mozilla Firefox 3.5.3 patches a trio of critical vulns

By Sean Kerner   |    September 10, 2009

sr-firefox3.jpg
From the 'Time To Update' files:

Mozilla is updating its Firefox web browser to plug holes in its own software and to help prevent users from running other vendors vulnerable software as well.

Firefox 3.5.3 is being released with three critical bug security advisories from Mozilla. There is, "Crashes with evidence of memory corruption" advisory as has been the case with many Firefox release over the past two years.

"Some of these crashes showed evidence of
memory corruption under certain circumstances and we presume that with
enough effort at least some of these could be exploited to run
arbitrary code," Mozilla states in its advisory.

There is also an interesting, "TreeColumns dangling pointer vulnerability" that was reported to Mozilla by way of the Tipping Point Zero Day Initiative (ZDI). ZDI pays security researchers for their vulnerabilities and then responsibly discloses them to vendors so they can be fixed.

The tree element flaw deals with a XUL (XML User-interface Language) element that could have been abused to let an attacker potentially run arbitrary code.

The final critical advisory issued by Mozilla is privilege escalation issue in the  BrowserFeedWriter element.

Microsoft's Linux Best Buy is great news

By Sean Kerner   |    September 09, 2009

tux.jpg
From the 'Retail Competition' files:

Does it surprise anyone that Microsoft is allegedly helping to train BestBuy employees to sell Windows 7 against Linux?

It shouldn't.

A post on the overclock.net forum this week made by a self-described BestBuy employee includes a PowerPoint deck to help the retailer differentiate against Linux.

This is a marvelous thing for Linux fans everywhere.

It means that Microsoft takes the threat from Linux ON THE DESKTOP (BestBuy isn't really in the server biz is it?) very seriously. Microsoft has gone through the time and expense to educate its retail partners about the differences between operating systems which means that the question must be coming up.

Consumers must be asking about Linux. Why else would Microsoft bother to spend the resources to differentiate their products? If Microsoft was truly the only choice available for consumer desktops there would be no need to say why they are better than Linux.

That said can you actually buy Linux at BestBuy?

Red Hat accuses Microsoft of patent FUD

By Sean Kerner   |    September 09, 2009

tux.jpg
From the 'People In Glass Houses...' files:

Linux vendor Red Hat sure doesn't seem to like Microsoft much. Red Hat is now alleging that Microsoft is not committed to the path of peace with open source software vendors.

I haven't had direct contact with Microsoft (yet), but given the conversations I've had with them over the years (especially with the ever so articulate Sam Ramji), this is a claim they will vehemently dispute.

Red Hat's latest attack on Microsoft comes on the heals of the disclosure that the Open Invention Network (OIN) that Red Hat supports, acquired 22 patents formerly held by Microsoft. For the record, OIN was less than forthcoming with me, though they did respond to me late yesterday and they did issue a press release at 4 PM yesterday as well.

Red Hat blogged that the patents acquired by OIN were being marketed by Microsoft to
patent trolls.

"It also used marketing materials
that highlighted offensive uses of the patents against open source
software, including a number of the most popular open source packages," Red Hat blogged. "This looked to us like a classic FUD effort. To unleash FUD, you
assemble a lot of patents of uncertain value, annotate them with a
roadmap for the companies and products to be targeted with the patents,
put the lot in the hands of trolls schooled in patent aggression, and
then stand back and wait for the FUD to spread with its chilling
effect."

The only problem with Red Hat's assertion though, is that according to a comment I got late yesterday from the OIN, they didn't think the actual patents were all that strong or that open source software actually infringed on the patents.

Cisco fixes massive TCP flaw

By Sean Kerner   |    September 09, 2009

cisco.gif
From the 'Bigger Than DNS' files:

Cisco (NASDAQ:CSCO) now has a critical patch out for its IOS operating system fixing a TCP flaw that could trigger a Denial of Service (DoS) condition.

The TCP flaw is similar in nature to one that Microsoft patched as part of its September Patch Tuesday update. TCP is the core transport protocol for most web traffic and the flaw is one that is not trivial.

"By manipulating the state of a TCP connection, an attacker
could force the TCP connection to remain in a long-lived state, possibly
indefinitely," Cisco's warns in its advisory. "If enough TCP connections are forced into a long-lived or
indefinite state, resources on a system under attack may be consumed,
preventing new TCP connections from being accepted."

In other words, a flaw in TCP could have enable a DoS attack.

According to Cisco's advisory, actually triggering the DoS requires the attacker  to complete a TCP three-way handshake
with a vulnerable system.

Such an attack was made simple in 2008 by way of a tool called Sockstress which was released by outpost24 security researchers. According the Sockstress website the tool is able to hep security researchers test for a generic issue that affects the availability of TCP services and the issue could be used to create a Denial of Service attack.

Why then if a tool has been available for a year has it taken so long for this issue to be fixed?

Why did open source group buy Microsoft patents?

By Sean Kerner   |    September 08, 2009

tux.jpg
From the 'No Comment' files:

The Wall Street Journal reported this AM, that the Open Invention Network (OIN) was in the process of acquiring former Microsoft patents in a bid to help protect open source users.

I contacted OIN first thing this morning by voice and email and they haven't responded to my questions (yet), there also is no public press release yet available.

The gist of the WSJ story is that the OIN is acquiring 22 patents that Microsoft sold to Allied Security Trust earlier this year. It isn't clear whether those patents are part of the 235 patents that Microsoft has alleged open source software infringes on in 2007. The WSJ quotes a Microsoft source that stated, that the patents were not important to Microsoft's business going forward.

Without any additional details (and thanks a lot OIN for being as closed as the best proprietary software company), this is an interesting, but not critical step for Linux and open source.

Patents in general, can represent a risk to any open source vendor
that doesn't have its own patent portfolio. They can also represent a
risk to ANY software vendor with the potential for patent claims
(legitimate or otherwise, I'm not debating the merits of software
patents here
).

By buying the 22 patents, OIN is essentially taking them off the market and removing the risk of future litigation.

Google Chrome 4.0.206.1 updates for extensions, FTP

By Sean Kerner   |    September 08, 2009

googlechromologo.jpg
From the 'FTP Is Still Useful' files:

Late Friday, Google released dev-channel version 4.0.206.1 of its Chrome browser, including a new FTP implementation and updates to the emerging extension system.

In my view, with the release, Chrome's extension system takes a big step toward being ready for the masses, as the API and user interface stabilize.

The release notes for Chrome 4.0.206.1, detail seven development items for Chrome extensions that are now included. Among them is a set of more consistent APIs, more granular permissions and a polished extension user interface.

Additionally, the extension toolstrip itself can now be detached from the main interface using using with  ctrl+alt+b.

For extension developers, Google Chrome 4.0.206.1 adds what the release notes refer to as, "..convenience developer tools to load an extension and pack an extension."

These are the types of dev changes that I think of as 'fit and finish' (crossing the t's and dotting the i's) the types of items that go in at the final stages of development.

Mozilla Firefox 3.5.3 will check for Flash update

By Sean Kerner   |    September 08, 2009

sr-firefox3.jpg
From the 'It's About Time' files:

There are many (millions?) users that open their browsers every day and browse sites using outdated versions of Adobe Flash. I suspect that most of those users don't have a clue that they are using vulnerable software.

Mozilla is about to change that for Firefox users. In the next round of updates due out this month, Firefox will check the Flash version number and advise users to update if they've got an out-of-date version.

It's about time.

I wrote a story in August about one security vendor's claims that 80 percent of Adobe Flash users were running old versions. Adobe responded that they were being responsible and alerting users via a number of different approaches.

Having the browser, the place where most users interact with Flash, as the place where an update notification is made is just such an obvious (and great) idea.

Sure, there will be users that will just click through the warning, just like there are countless numbers of users that click through SSL certificate warnings today. But there will be many users that will notice, and who will update their versions of Flash, making the web a safer place.

Qwest moving to 100 GbE by 2010

By Sean Kerner   |    September 04, 2009

qwest.gif
From the 'Speed Rules' files:

It looks like 100 GbE (Gigabit Ethernet) is coming to market fast (pun intended).

Qwest (NYSE:Q) announced this week that they are now beginning a build-out of 100 GbE that will continue through 2010. From a networking gear perspective, Qwest is using the Alcatel-Lucent's recently announced 100 GbE services card, that will plug into the ALU 7750 Service Router and 7450 Ethernet Service Switch.

Financial terms of the deal have not been publicly disclosed.

100 GbE is 10 times faster than the current top-end of Ethernet at 10 GbE, which is common in many carrier networks. Less common is OC-768 which delivers 40 Gbps and according to most of the carriers I talk too, is more expensive than aggregating 4 x 10 GbE links.

That's one of the promises of 100 GbE that I've heard from multiple vendors including Alcatel-Lucent, namely that 100 GbE will be more cost effective than OC-768.

With the current state of the economy, costs are obviously a concern, but carriers still need to grow their networks just to keep up with demand.

.edu getting secured with DNSSEC

By Sean Kerner   |    September 04, 2009

educause.gif
From the 'Securing Education' files:

DNSSEC is the smart, educated way to secure DNS right?

Ever since security researcher Dan Kaminsky big DNS security disclosure in 2008, the need for DNSSEC, which provides integrity security for DNS information has been obvious. Yet relatively few top level domains (TLDs) have actually signed their zones for DNSSEC.

The .edu (for education) TLD, operated by Educause is now set to join the ranks of DNSSEC secured TLDs by March of 2010. A testbed is set to be in place this month to begin the preliminary work.

Educause manages the .edu TLD under an agreement with the U.S Department of Commerce.

"The Internet plays a vital role in higher education by facilitating
online learning, collaboration, and research," said Lawrence E.
Strickling, Assistant Secretary for Communications and Information at
the Department of Commerce in a statement. "We are pleased that DNSSEC will be
implemented in the .edu domain, which complements work already underway
to better secure the Domain Name System overall."

This is clearly good news and further adds to the momentum that DNSSEC is now enjoying.

From my vantage point, I see 2010 as the year of DNSSEC with the beginning of wide adoption. I still think it will take a year (or more) until the whole Internet is secured (if ever) but there is light at the end of the tunnel.

Red Hat opens up the cloud with Deltacloud

By Sean Kerner   |    September 03, 2009

delta_cloud_small.jpg

From the 'Private/Public Cloud Hybrid' files:

Red Hat today officially launched an ambitious new effort called Deltacloud to help abstract away the differences between public and private cloud deployments.

Oh and it's all open source too.

"Today each infrastructure-as-a-service cloud presents a unique API
that developers and ISVs need to write to in order to consume the cloud
service," Red Hat CTO Brian Stevens blogged. "The Deltacloud effort is creating a common, REST-based API,
such that developers can write once and manage anywhere."

This is what open source is all about in my opinion, namely breaking lock-in and opening things up.

How many enterprises out there were afraid of cloud deployments because it meant locking into one vendor's roadmap?

Red Hat launches GateIN open source portal project

By Sean Kerner   |    September 03, 2009

gateIN_small.jpg
From the 'Portals R Us' files:

Red Hat (NYSE:RHT) today officially launched the GateIN portal project on its JBoss.org project site.

GateIN melds JBoss Portal technologies with the eXo portal to create a new portal framework. Red Hat originally announced the partnership with eXo in June and the today's availability of GateIN is the first deliverable.

Beyond the eXo partnership, other vendors are now joining in to help build out the JBoss portal community. Among the partners are enterprise content management vendor Alfresco and business intelligence vendor Jaspersoft.

According to Red Hat, the ultimate goal for the GateIN project is to be the foundation for
Red Hat's future portal infrastructure products and enable
organizations to build rich portal-based application experiences for
users.

"The GateIn project represents the advantages of working through the
open source development model; through collaboration we are creating
cutting-edge innovation combined with a community of support to ensure
that the best technology features make it into the project," said
Stephen Hess, senior director of product management, middleware, Red
Hat in a statement.

Overall, I think it's a great idea to build a portal project like GateIN in the open, though portals are a relatively mature technology. From a competitive point of view, even though this is open source and others can use this project, I doubt that other big portal vendors will join into this effort.

For better or for worse, portals are often closely aligned with the middleware on which they run and as such, the way I see it, GateIN is likely to be primarily a JBoss middleware play.

Happy Birthday Google Chrome! You're growing up fast

By Sean Kerner   |    September 02, 2009

googlechromologo.jpg
From the 'Birthday' files:

It was one year ago today that Google Chrome was officially launched. In that time, Google has removed the Beta tag and moved from a version 0.x to a 4.x dev version.

Google has been putting out releases on the dev side fairly regularly (nearly one a week) since the browser's launch, but is still growing. A year after the official launch of Google Chrome, it isn't perfect and it has more work yet to be done.

Among the items that Google promised us a year ago were Linux and Mac versions. Today we've got dev versions for both platforms, but no stable release.

A year ago, I personally was also looking forward to Google add-ons/extensions, which are not yet part of the main Chrome release either. They are coming though, and the dev channel versions have the key infrastructure in place so it's just a matter of time (I'd guess weeks not months).

We also have not yet seen the full integration of Chrome with Google's Apps or cloud efforts. Though again this is coming. Bookmark syncing is now part of the dev-channel browser too.

Google Gmail 100 minute outage is a big deal

By Sean Kerner   |    September 02, 2009

gmail.gif
From the 'Everyone Makes Mistakes' files:

Google Gmail users were hit with a 100 minutes outage yesterday due to an upgrade issue.

Ben Treynor, VP Engineering for Google Gmail blogged that,Google took some of the Gmail servers offline on Tuesday AM for routine upgrades. It was those upgrades that led to the service disruption.

That's right, due to miscalculation on Google's part, an action (the
upgrade) which should have provided better service, resulted in no
service for tens of millions of Gmail users around the world.

"We had slightly underestimated the load which some recent changes
(ironically, some designed to improve service availability) placed on
the request routers -- servers which direct web queries to the
appropriate Gmail server for response," Treynor blogged.

In my opinion, this is a classic load balancing newbie error. Problem is Google isn't a newbie.

How could they not know the load on their servers? More importantly how come they don't have some kind of virtual (or physical) pool of burst bandwidth on demand capability to deal with issues?

Red Hat Network Satellite 5.3 hits orbit with open source

By Sean Kerner   |    September 02, 2009

spacewalk_small.jpg
From the 'As Promised' files:

Red Hat (NYSE:RHT) today announced the release of Red Hat Network Satellite 5.3, the first release of the systems management tool built from the Spacewalk open source project.

Spacewalk is an effort that Red Hat started last year at its Red Hat Summit in Boston and has been working on ever since. The basic idea behind Spacewalk was to have an open source Red Hat Linux system management app project as an evolution of Red Hat's proprietary Network Satellite (RHN) .

When I spoke with Red Hat in December of 2008, they told me that the plan was to have the generally available version of Network Satellite built from the Spacewalk project by some point in 2009. Here we are.

In my opinion, one of the biggest issues that Red Hat was dealing with at the Spacewalk project revolved around database issues. Red Hat Network Satellite, as I understand it, needs an Oracle database. Developers have been working on open source  PostgreSQL database compatibility, but it's not quite done from what I can tell.

The latest Spacewalk 0.6 release includes PostgreSQL support from a code infrastructure perspective, though the release notes indicate that it does not yet work.

From a new functionality perspective,  version 5.3 of Red Hat Network Satellite now supports both KVM and Xen virtualization technologies. This makes a whole lot of sense to me. Virtualization is an item that all systems management tool must have today as enterprises deploy both physical and virtual instances of their operating systems.