Where is PHP 6?
By Sean Kerner | October 30, 2009
Back in 2005, I wrote a story for InternetNews.com where I wrote that I expected PHP 6 to be out in 2006. Here we are three years later and guess what? No PHP 6.
Back in 2005, the promise of PHP 6 was to be the next big thing for the open source dynamic language. At the time, I remember joking with Zend co-founder Andi Gutmans about Perl 6, which is a release that also has been promised for years and still hasn't been released either.
Instead what has happened to PHP 6 is it has become the horizon of PHP. A place that you can see off in the distance, but can never be reached.
It's also a place where features are backported from, as was the case with the PHP 5.3 release which included several key features that were originally intended for PHP 6.
Among the PHP 6 features now in PHP 5.3 is internationalization support.
"The question is now with the internationalization extension, what is the gap and how much benefit do we get from PHP 6 versus 5.3?" Zend CEO Andi Gutmans recently told me.
The irony of Juniper Networks' new branding
By Sean Kerner | October 29, 2009
In 2006, networking giant Cisco Systems revamped its corporate logo and its branding. At the time, rival Juniper Networks put out its own anti-Cisco branding marketing initiative, printing up T-shirts with a press-release-style letter on the back.
The gist of the letter was that Juniper, unlike Cisco, wasn't going to spend its money on new logos and branding. Instead Juniper (at the time) said it was sticking with what it does best, namely high-speed networking.
Well, today, three years later, in the midst of the worst economic slowdown of the information age, Juniper updated its logo.
Seems a bit ironic, doesn't it?
Three years ago, when the economy was booming, they criticized Cisco for spending money on a re-branding effort, and now today they do the same thing, albeit in much more difficult circumstances. They've had to eliminate jobs (including a few that I'm aware of in PR) and cut costs, yet they manage to find the money for a corporate re-branding.
Google Chrome development slows to fix bugs
By Sean Kerner | October 29, 2009
Since its first release a year ago, Google's Chrome browser has been updated at a rapid pace -- perhaps too rapid.
This week, Chrome developer Anthony Laforge issued a 'Code Yellow' alert and put all Chrome developer releases on hold, until some high priority bugs could be fixed.
The problem was the number of untouched P0 bugs in Google Chrome's bug tracking system. A P0 is supposed to be the highest priority bug and can be considered serious enough to be a release blocker. According to Laforge, 10 bugs were labeled as P0 that had not been worked on by developers in over five days.
After issuing the Code Yellow, further examination revealed that many of the P0s were in fact mis-categorized. As such, Google developers have demoted many of them to P1 status.
In a follow-up message to his Code Yellow alert Laforge wrote on a Google mailing list:
"Since all of the open issues have owners and are all actively being worked on I'm lifting the code yellow status," Laforge wrote. "The embargo on the dev channel for this week will also be released as soon as the remaining issues are resolved."
Microsoft wants open source Eclipse to work with Windows 7
By Sean Kerner | October 28, 2009
Microsoft has thousands of developers building code for its platforms using Visual Studio. Thousands more use open source Eclipse-based IDEs to develop their code, and Microsoft wants them to target Windows platforms too.
To that end, Microsoft today announced a series of interoperability initiatives to help Eclipse users develop for Windows 7, Windows Server 2008 R2, and the Microsoft Azure cloud platform.
Frankly I'm not surprised. Microsoft has been friendly with the commercially focused Eclipse Foundation for years and I personally see the Windows 7 interop as an extension of that working relationship.
That said the new efforts are still quite interesting.
Among the new and expanded efforts are the Windows Azure Tools for Eclipse for PHP developers project, the Windows Azure Software Developer Kit (SDK) for Java and, perhaps most interesting, the Eclipse Tools for Silverlight effort.
U.S. Department of Defense takes a shine to open source
By Sean Kerner | October 27, 2009
Open source software has a role to play in the national interest and national security of the United States. That's the gist of a new U.S. Department of Defense (DoD) Memorandum providing clarifying guidance on the use of open source within the DoD.
While the tone of the memo is positive on open source, the memo is not changing or implementing any new policies.
"This attachment provides clarification and additional guidelines on the use and development of OSS (open source software)," the memo states. "It does not change or create new policy, but is intended only to explain the implications of existing laws, policies and regulations."
From my point of view, the document is just a restatement of things that the DoD has already been doing in some respects. There are places for open source in the DoD and commercial open source software vendors can be engaged just like commercial proprietary vendors.
One of the larger open source deployments that I'm aware of is a U.S. Navy deployment that uses Red Hat as part of a joint IBM/Raytheon technology called the Zumwalt Total Ship Computing Environment (TSCE).
That's right, Linux is on U.S. Naval warships defending the free world and American interests, and has been for a few years. Oh, and it's now good enough for the President of the United States too.
Mozilla SeaMonkey FINALLY hits 2.0
By Sean Kerner | October 27, 2009
Remember the Mozilla Suite? Or maybe you remember Netscape Communicator?
Neither of those all-in-one browser solutions exists under either of those names anymore, but their successor SeaMonkey is still (surprisingly) around and kinda/sorta moving forward.
Today, the SeaMonkey project released version 2.0. Yeah, version 2.0. We've got IE 8, Firefox 3.5 and Safari 4, which are all 'younger' projects in many ways, but SeaMonkey is at version 2.0. Go figure.
In my view, this is a release that has been a long time coming.
The last time I wrote about SeaMonkey was the 1.6 release in 2004, when Mozilla still held the reins of the project and Firefox was just taking off. Back in 2004, SeaMonkey was the Mozilla codename for the Mozilla suite, but it has since branched off into its own separate effort with legal backing from Mozilla.
Just like the Netscape Communicator and Mozilla Suites (that I personally relied on for many years), SeaMonkey includes a web browser, advanced e-mail, newsgroup and feed client, IRC chat, and HTML editing capabilities.
With SeaMonkey 2.0, the project has now moved to a Firefox 3.5.x base for the underlying web browser. The mail client has also been updated providing additional stability for users. All good stuff, but does it really matter?
Internet addresses set to move beyond English?
By Sean Kerner | October 26, 2009
From the 'English Monopoly' files:
ICANN is meeting in Seoul, South Korea this week with a big agenda. At the top of the list is a proposal to finally begin the process of accepting and delivering International Domain Names (IDNs).
Until now, all top level domains (TLDs) have only supported ASCII (basically the Latin alphabet). That is soon going to change.
"Of the 1.6 Billion Internet users today worldwide, more than half use languages that have scripts that are not Latin based," Rob Beckstrom, CEO of ICANN, said during a press conference today. "This change is very much necessary, for not only half the world's Internet users today, but for future users as use of the Internet continues to spread."
The idea of International Domain Names (IDNs) is not a new one, and it seems to me like it has been on the agenda for every ICANN meeting over the last 9 or more years. At InternetNews.com we've been reporting...and reporting some more on IDN since the year 2000.
When ICANN spoke about the IDN issue in Egypt last year, I blogged about how long it takes for anything to get done at ICANN, noting the IDN issue in particular.
This year is different than last year.
Red Hat investing in EnterpriseDB
By Sean Kerner | October 26, 2009
Is Red Hat making a play for the open source database market?
Linux leader Red Hat (NYSE:RHT) is investing in open source database vendor EnterpriseDB; the official announcement is set for release on Tuesday, October 27th.
The official press release does not disclose the exact amount that Red Hat is investing, but it is part of a $19M series C round of funding. EnterpriseDB is one of the leading commercial backers behind the PostgreSQL (also known as Postgres) database.
While the Red Hat investment in EnterpriseDB may be new, EnterpriseDB and Red Hat are hardly strangers. EnterpriseDB's president Ed Boyajian is a former Red Hat exec.
Red Hat is also no stranger to PostgreSQL either.
Red Hat Network Satellite, which is Red Hat's key Linux management platform, is moving away from Oracle to PostgreSQL as its back-end database. With Oracle's pending acquisition of Sun (and, likely, MySQL along with it), there is even further incentive for Red Hat to take a more active role in the open source database market.
"EnterpriseDB has clearly established itself as a leading enterprise Postgres company, which is why Red Hat has chosen to partner with and invest in the company," Jim Whitehurst, CEO of Red Hat said in a statement. "EnterpriseDB is also working to create customer value through a subscription support model. Clearly, this is a model we see as beneficial."
White House goes open source with Drupal
By Sean Kerner | October 26, 2009
WhiteHouse.gov, the official website for the President of the United States, is now based on open source technology.
Dries Buytaert, the founder of the Drupal open source content management system, has announced that WhiteHouse.gov is now a Drupal site.
This is a big deal, though regular users will not notice a difference.
Drupal has emerged over the last few years as the leading open source CMS in the world. Its founder Dries Buytaert is a bona fide open source rock star. Organizations big and small, including Mozilla, NASA and now the White House, use Drupal.
The move by the White House tells me a few things about the direction of the Obama Administration and also about Drupal itself.
The new President has made numerous commitments to an open government. With the new Drupal-powered WhiteHouse.gov, not only is the content open, but so is the underlying code that delivers the content. Can you get more open than that?
Mozilla Raindrop takes on Google Wave
By Sean Kerner | October 23, 2009
Mozilla is now testing yet another technology to try to help us all integrate the various messages we all generate every day.
The new Raindrop effort comes from the Mozilla Messaging division as a way to help unify conversations.
"Raindrop uses a mini web server to fetch your conversations from different sources (mail, twitter, RSS feeds), intelligently pulls out the important parts, and allows you to interact with them using your favorite modern web browser," the Mozilla Labs Raindrop site states.
Perhaps even more interesting is the fact that Raindrop at this point is browser agnostic. That is, it is supposed to be able to work on Firefox, Safari or Chrome (sorry, IE).
It kinda/sorta might maybe be similar to Google Wave in some ways. Mozilla Labs also has its Snowl effort, which brings in conversations from multiple streams as well, though it isn't tightly integrated with email -- instead Snowl is a Firefox add-on.
"When a friend's link from YouTube or flickr arrives, your messaging client should be able to show the video or photos near or as part of the message, rather than rudely kicking you over to a separate browser tab," the Raindrop blog states. "Notifications from computers and mailing lists should be organized for you, not clutter your Inbox or require tedious manual filter setup. It should be easy to smoothly integrate new web services into your conversation viewer entirely using open web technologies."
Yes, of course it's a good idea, and that's why others have tried and are continuing to try to do the same thing.
The future of TiVO is the Internet #sc09
By Sean Kerner | October 22, 2009
Tom Rogers, President and CEO of TiVO, is on a mission to further innovate the way we all consume content on our TVs.
Speaking at the Supercomm conference in a keynote session, Rogers gave some insight into what the next generation of TiVO will be all about.
"You can get anything you want when you want it, effectively delivering millions of pieces of content you can't get on cable or satellite right to your TV set," Rogers said. "That's the future of TV consumption. The consumer being in control as TiVO initially empowered people to be, but doing it now by virtue of what broadband is capable of delivering, giving consumers access to anything they want, when they want it."
So if I understood what Rogers said correctly, it means that TiVO, with broadband internet access, will have the ability to proactively find content for me and let me watch it on my TV screen.
That's kinda cool.
Mozilla Firefox 3.6 - a minor update?
By Sean Kerner | October 21, 2009
What constitutes a major vs. a minor release for a browser vendor?
The upcoming Firefox 3.6 release is going to be classified as a minor update to the open source browser, as opposed to being a major update like Firefox 3.5.
The difference between a minor and a major release for Mozilla has a number of implications.
Earlier this year, when I was in the Mozilla Toronto office ahead of the Firefox 3.5 launch, Mozilla's Director of Firefox Mike Beltzner (Go Leafs!) explained to me what it would take to have a major release called Firefox 4.0. A major release implies major changes and requires users to migrate over to the new version. With a minor release, it's a simple upgrade, which should enable more users to adopt the release faster.
The whole issue of what is minor and what is major is now an active thread on a Mozilla mailing list, with Beltzner publicly explaining Mozilla's policy and why Firefox 3.6 will be a minor update.
"Major updates have been for code which has been in development for at least 12 months, features visible changes to the user interface either in terms or appearance or interaction, and/or contains major technology changes at the platform level which may cause significant differences in system requirements or support requirements," Beltzner wrote. "Minor updates have been for security and stability releases which do not contain any visible user interface changes, and are limited in terms of
Makes good sense to me, though I can also see how it can be confusing to some.
Take Google Chrome, for example, which is now at version 4.x in the dev channel. Is the 4.x version a 'major' change over 3.x in that it has major user-visible changes? Not really.
Open Source Metasploit gets acquired
By Sean Kerner | October 21, 2009
to enhance their own Rapid7 NeXpose vulnerability management solution.
"At the same time we will not only maintain, but accelerate the open source framework Metasploit with dedicated resources and contributions," Mike Tuchen, CEO of Rapid7, said in a statement.
Here's some free advice for Tuchen: Metasploit has its own brand equity far beyond anything that the NeXpose (again, something I've never heard of) product enjoys. A commercially supported version of Metasploit would be a tremendous shift in the current marketplace and would further support the open source community.
IBM and Ubuntu roll Linux for U.S. desktops vs Windows 7
By Sean Kerner | October 20, 2009
A few weeks back, IBM and Canonical (the lead sponsor of Ubuntu Linux) announced a plan to deliver Linux desktops and software to Africa. At the time, I questioned why the offer wasn't being made available in the U.S.
That changes today, as IBM and Canonical are now announcing the launch of Linux and cloud-based desktop software in the U.S.
The effort was originally announced more than a year ago, in August of 2008, as the Microsoft-Free PC effort. The basic idea is to have a Linux OS with IBM smart client applications called Open Collaboration Client Solution software (OCCS) (Lotus Symphony and Notes) for enterprise apps.
The solution that has now been announced for the U.S. leverages the IBM Client for Smart Work, which includes the same set of IBM's collaboration software. As to why IBM is marketing the solution to the U.S. now, the answer is simple: Windows 7.
IBM and Canonical in their press release have stated that the cost of migrating to Windows 7 will be as much as $2,000 for most PC users, with hardware accounting for much of the expense. Linux (and specifically Ubuntu) together with the IBM software is, according to the two partners, cheaper to deploy.
Red Hat Fedora 12 'Constantine' targets netbooks
By Sean Kerner | October 20, 2009
The first Fedora 12 beta is now available, and at first glance it sure looks to me like it's jam-packed full of interesting and innovative new features.
Speed is a key issue for all Linux distros, and Fedora is taking an interesting approach by compiling all of its software for i686 with 'special' optimization for Intel Atom. What that means is that instead of the typical generic x86 compilation, all apps could potentially run faster. Fedora now does have a specific netbook Moblin graphical interface and a Fedora 12 Moblin Fedora Remix too -- who said Fedora (or Red Hat) wasn't interested in netbooks or the Linux desktop?
There is also an enhanced NetworkManager for network configuration, Bluetooth improvements as well as improved IPv6 support.
On the video side, Fedora 12 includes Theora 1.1 for improved video quality, as well as some preliminary support for the latest Radeon HD and NVIDIA graphics cards.
Virtualization, which is a key focus for Red Hat overall, gets a boost in Fedora 12 with the libguestfs library and the guestfish interactive tool for modifying guest images for virtual machines.
That's just the short list from my perspective, but if you look at the full feature list, there are a lot of features in this release.
MySQL Founder says Oracle should sell MySQL
By Sean Kerner | October 19, 2009
MySQL founder Monty Widenius has a solution for Oracle to get EU approval on its Sun acquisition: sell MySQL.
Considering how long it is taking Oracle to get approvals on its acquisition of Sun, it might not be a bad idea in my opinion. The EU is holding up the Oracle/Sun deal on worries about competitive concerns surrounding the MySQL database.
According to a press release that Widenius posted to his blog, he believes that, "...the EU's antitrust regulator is 'absolutely right to be concerned' and called on Oracle to be constructive and commit to sell MySQL to a suitable third party, enabling an instant solution instead of letting Sun suffer much longer."
Considering that Widenius is no longer part of Sun and has set up his own MySQL-related operation, Widenius has a lot to gain from a divested MySQL. With Oracle at the helm, Widenius' influence (as a third party) might not be as strong as it could potentially become under different ownership.
Then again, I suppose it has a lot to do with who ends up picking up the pieces.
SCO tells Darl McBride: You're Fired!
By Sean Kerner | October 19, 2009
Darl McBride, the combative CEO of Linux-litigating Unix vendor SCO, is out of a job. In an 8-K report filed with the SEC today, SCO reported that it had eliminated McBride's position.
McBride's termination marks the end of one of the most 'entertaining' aspects of the legal challenge against Linux.
"On October 14, 2009 the SCO Group, Inc., ("SCO", "us", "we" or the "Company") announced that the Company has eliminated the Chief Executive Officer and President positions and consequently terminated Darl McBride," SCO reported. "The current management team comprised of Chief Operating Officer, Jeff Hunsaker, Chief Financial Officer, Ken Nielsen and General Counsel, Ryan Tibbitts, along with the rest of the management team will continue to work closely with the Chapter 11 Trustee and
I for one will miss McBride.
On any SCO call that I've ever been on, it has been McBride's voice that has led to innumerable great quotes. In 2006, McBride said that SCO was 'Mad'. In 2007 McBride claimed that SCO was undervalued. He's never said anything nice about Novell, IBM or Red Hat either.
It has been McBride's voice that has often been the most combative against Linux. It has been McBride who, quite literally over the last 5 years or so, has truly been the voice of SCO.
I guess that when your company is a bankrupt zombie, there isn't as much need for a voice anymore.
Mozilla blocks, unblocks Microsoft add-ons for Firefox
By Sean Kerner | October 19, 2009
From the 'Browser Security' files:
Over the weekend, potentially tens of millions of users around the world booted their Firefox browser and were told that their Microsoft add-ons were being blocked.
Specifically, Mozilla began blocking the Windows Presentation Foundation (WPF) add-on and the .NET Framework Assistant add-on. Both of those add-ons were added to Mozilla's blocklist for security issues.
Late Sunday, Mozilla VP Mike Shaver blogged that the .NET Framework Assistant add-on is now set to be removed from the blocklist but the WPF framework would stay on the list.
"We received confirmation from Microsoft this evening that the Framework Assistant add-on is not a mechanism for exploiting the vulnerabilities detailed in the earlier post, so we've removed it from the blocklist," Shaver wrote. "As the blocklist update propagates to clients, the add-on should be re-enabled for users who had it previously enabled."
As of 9 AM EDT today (Monday, Oct 19), I personally still see both Microsoft add-ons on the blocklist as published by Mozilla at https://www.mozilla.com/en-US/blocklist/. I'm not sure how long it takes to change a web page (let alone propagate a change to tens of millions of users).
The reason why Mozilla is blocking the Microsoft add-ons in the first place is that during this month's Microsoft Patch Tuesday update, the two add-ons were identified as being risky.
Is Cisco's Tandberg deal in trouble? Blame Starent
By Sean Kerner | October 15, 2009
A group of 21 shareholders, holding 24% of Tandberg's stock, wants more from Cisco.
I'm not surprised.
A week after Cisco made its offer for Tandberg, it made an offer for wireless vendor Starent for $2.9 Billion. The big difference between the two proposed acquisitions has to do with the relative valuations that Cisco is willing to pay. It's a point that was actually raised during the Cisco/Starent analyst call this week. One analyst asked Cisco's Ned Hooper why Cisco was paying more for Starent on a price-to-earnings ratio multiple than it was for Tandberg. Hooper (in my view) danced around the issue and didn't really provide a solid answer.
According to a Reuters estimate, Cisco is paying 40 times Starent's 2010 earnings estimates, while Tandberg is valued at about 23 times next year's projected earnings.
That hardly seems fair in my (fairly simplistic) view, and it looks like a few of Tandberg's shareholders agree.
Mozilla Firefox plugin check will make the web a safer place
By Sean Kerner | October 14, 2009
From the 'Simple Ideas That Will Change The World' files:
The risks associated with running outdated and insecure plugins are not trivial. Simply put, if a user is running an old version of a plugin for which an exploit is available, they're at risk -- even if they've got an updated browser, operating system and (for Windows users) anti-virus software.
Now Mozilla has a solution to the problem that I personally think is so simple, yet effective, it will change the web security landscape for tens of millions of Firefox users.
Mozilla has already provided users with a check in Firefox 3.5.x for Adobe's Flash plugin, but they've recognized it's not enough and have expanded the effort.
With its new Plugin Check site, Mozilla will check 15 popular plugins on a user's Firefox browser to ensure they are up-to-date. Yeah, it sounds simple, but in my own little test case today I found out how amazingly effective it is.
On a test Windows XP SP3 box that is in my environment, I ran the plugin check and, much to my surprise, found that a number of plugins were out
Looking for malware on your own site? Ask Google
By Sean Kerner | October 14, 2009
We've all known for a while that Google indexes (nearly) everything, both good and bad. Guys like Johnny 'I Hack Stuff' Long have even made a career out of using Google to find site vulnerabilities, an activity commonly referred to as 'Google Hacking.'
Now at long last, Google itself is getting in on the action.
This week Google launched new webmaster tools that will show site owners any malware located on their site.
So, while I still think it's a good idea to own Johnny Long's Google Hacks book, Google itself is now providing some really interesting information, though it's not everything that Google itself actually indexes.
There is more info that can be publicly discovered that could really help out webmasters in the battle against malware and site vulnerabilities.
Mozilla Firefox 3.6 gets oriented
By Sean Kerner | October 13, 2009
The upcoming Firefox 3.6 release will include a number of interesting new features. One of them is support for machine orientation information.
What's that? Think of the iPhone, with its ability to detect which direction the device is held in and whether it's moving (for gameplay and for browsing).
The same tech will now be available for desktops, but not all desktops, and with good reason: it's a hardware-dependent technology.
A number of different phone vendors have the technology, but what about desktops? Apparently MacBooks and a number of Lenovo ThinkPads expose machine orientation as well.
Sweden (.se) goes offline due to DNS error
By Sean Kerner | October 13, 2009
The entire .se (Sweden) Top Level Domain was knocked offline for a few hours today (EDT) due to an error in DNS configuration. It's an astounding revelation and one that, in my opinion, shouldn't technically be able to occur.
Time and again, smart people remind me that DNS is a redundant system that is highly available. Yet here we are in 2009 and the entire .se TLD is offline because of a configuration error in DNS.
According to the .SE Internet Infrastructure Foundation, it inadvertently sent out an incorrect zone file on Monday, October 12 at 21.45 local time, in connection with planned maintenance work.
"The cause was an incorrect software update, which, despite our testing procedures, was not detected," .SE said in a statement. "Thanks to a well-functioning surveillance system .SE discovered the error immediately and a new file with the DNS data (zone file) was produced and distributed within one hour."
An hour may not sound bad, but because of the way DNS works, with multiple cached copies of records all over the world, the end result is a cascading failure of the entire .se TLD whose length varies depending on where you are. That's 900,000 domains without service due to a DNS error that should never have happened.
Want a cheap Linux computer? Join the Linux Foundation
By Sean Kerner | October 12, 2009
The unfortunate experience that I have sometimes encountered when attempting to purchase a 'new' computer pre-installed with Linux is that it can sometimes be more expensive than Windows (either just because, or due to the fact that Windows is already pre-installed).
A new effort from the Linux Foundation could change that, and help Linus Torvalds in the process too.
Back in June, the Linux Foundation started their individual membership program and they're now expanding it with new hardware discounts.
Starting this week, those who pay the $99 for an individual Linux Foundation membership will also get up to 40 percent off of Lenovo devices and employee purchase pricing from Dell and HP.
According to the Linux Foundation, "these benefits can translate into hundreds or thousands of dollars for those who purchase their devices as part of this program."
Mozilla Firefox 3.5.4 beta now available, 3.6 coming
By Sean Kerner | October 12, 2009
Next week will be a big week for Mozilla with two releases. One showing the present, the other the future.
Firefox 3.5.4 is now available for beta testers, and it fixes a number of stability issues as well as an as-yet unreported number of security vulnerabilities. Mozilla's practice (and it's a good one) is not to post its security advisories for the beta builds, but rather to wait until the release is considered generally available.
It's a bit annoying from my own journalist point of view, but it does make sense, especially if the security vulnerabilities are not being exploited (yet).
After all, why would anyone want to post a fully public advisory about a security issue that hasn't properly been fixed/tested yet? That's not a good security practice.
There will also be fixes (probably a few of the same) in Firefox 3.x with the 3.0.15 release. Both the 3.5.4 and 3.0.15 releases are currently scheduled for Oct 21st.
Also on October 21st will be the first public beta of Firefox 3.6, codenamed Namoroka. That's right, contrary to other reports, the Firefox 3.6 beta is not officially available (yet). There is a test build (in the nightlies directory), but there usually is a difference between the test builds and what ends up being the publicly available beta. So my advice is to wait for the 'real' beta.
Firefox 3.6 is a big release, even though it is only being given a minor point number.
Netgear responds to open source criticism
By Sean Kerner | October 12, 2009
Open source can be a double-edged sword for those that aren't careful to strictly adhere to the licensing terms.
Case in point is networking vendor Netgear. Last week Netgear announced its RangeMax Wireless-N Gigabit Router, calling it an open source Linux platform.
The problem is that, according to critics, Netgear is not complying with the open source GPL license. It's a claim that Netgear is now responding to.
For the record, I contacted Netgear on this issue on Oct 8th; they responded to me via email 26 hours later with a pointer to a newly posted message on the Netgear site. So, Netgear did not respond to my inquiry directly, though I tried (never a good sign, and it usually makes me wonder why they're afraid to talk to the press).
PR gripes aside, this is what Netgear has now publicly posted on the issue of its alleged GPL violation.
"Concern has been raised on the presence of binary modules in the pre-loaded NETGEAR firmware," Netgear's Som Pal Choudhury wrote in an open letter. "The factory-loaded firmware by NETGEAR on the WNR3500L router is there for those customers who simply want to use the router "as-is" with the features provided by the NETGEAR firmware. It is no different from the millions of other NETGEAR Linux routers we sell in the market. We do offer the GPL code on our websites for all customers to download, review, and even to modify it: something many of our development partners have already done."
The issue, as first raised by gpl-violations author Harald Welte, is that Netgear's open source router ships with binary-only kernel modules. Welte has noted that, as a result, users can never update their Linux kernel to get the latest security fixes, but have to run vulnerable old kernel versions.
"One would have hoped that Netgear did thoroughly study the Open Source market that they're trying to address," Welte wrote. "Apparently they either did not do that, or they chose to ignore the values/rules by which this community works, or they had somebody with limited understanding to advise them on this."
Gentoo Linux @10 still compilingBy Sean Kerner | October 09, 2009
Gentoo Linux is celebrating 10 years as a project this week with a special Gentoo Linux 10.0 LiveDVD. The 10 year mark is a big milestone for what I personally view as a very unique and interesting Linux distribution.
Instead of being binary based (like nearly every other distro), Gentoo's history is in the source. The benefits are that users get to actually compile applications (and the operating system itself) on their own machines.
In my own (limited) experiences with Gentoo over the years, it is the machine specific compilation that has always been very attractive. Instead of just x86 generic, you can compile for a specific computer to get a more optimized experience and better performance.
The problem with that method, though, is that it can take a lot of time to actually get a Gentoo machine up and running. It once took me 3 days to get one test terminal built (yes, it was an old CPU and should have had more memory).
Still, being able to have a CPU optimized OS is attractive to big IT vendors. It's something that at one point IBM found attractive too.
Adobe PDF at risk from 0-day (again)By Sean Kerner | October 09, 2009
Adobe issued a security advisory on Thursday warning of a currently unpatched (0-day) vulnerability in its PDF technologies, Adobe Reader and Acrobat.
A patch is currently targeted for October 13th, meaning millions of users around the world are now at risk for at least four days. To make matters even worse, Adobe's advisory notes that they are aware of reports of Adobe Reader and Acrobat for Windows being exploited in the wild. No, that's not good.
There are however a few work-arounds that users can enable in order to help mitigate the risks from this most recent exploit.
The advisory does not detail what the specific flaw is at this time.
This new zero day is at least the third such 0-day PDF issue this year for Adobe. In March, Adobe patched PDF on Windows for a flaw dealing with an image handling issue.
The second big flaw came in July and was related to Adobe's Flash technology as well.
Even with a patch out on October 13th, in my view, there is reason for many people to still be concerned.
Security researchers earlier this year claimed that many Adobe users do not update their software to the latest patched version, even when a patch is available.
Asterisk celebrates a decade of open source VoIPBy Sean Kerner | October 08, 2009
It doesn't seem all that long ago that I sat down with Asterisk creator Mark Spencer in Toronto, to talk about the Asterisk 1.0 release.
Asterisk is one of the most popular open source VoIP PBX applications out there and it is now celebrating its 10th anniversary.
So let's do the math on that one. Asterisk 1.0 (in my mind the first really usable very stable version of Asterisk) came out in September of 2004. So to me it's only just over five years.
Truth is, Mark Spencer actually started the project in 1999 (he also, by the way, is the original creator of Gaim/Pidgin, the popular open source IM client).
Asterisk has certainly grown over the years and particularly since 2004. The effort now has Digium as the lead commercial sponsor and is downloaded over 5,500 times every day, according to Digium.
Personally, I've written about nearly every major (and many minor) Asterisk releases since 2004 and have seen Spencer talk about it at the biggest Telecom and IT conferences in the U.S. Asterisk is no longer a dorm room open source project.
One of the most surprising things that I ever heard Spencer say about Asterisk was in 2008 when he said that, "Asterisk is Boring." His point at the time was that the core IP PBX VoIP functionality was already in Asterisk and it just works. Where the interesting stuff comes in is how Asterisk is being used to help fuel innovative new services and business models.
"When I put the Asterisk platform out there 10 years ago -- using the Linux operating system and my own PBX code -- I never imagined the profound impact that it would have," Mark Spencer said in a statement. "The strength of Asterisk is a reflection of the creativity and ingenuity of the community along with the value that Asterisk provides its users. It's been gratifying to be part of its impressive growth so far and we are excited to help it evolve in the future."
Congrats on 10 years of Asterisk, and good luck for the next 10!
Who was behind GhostNet? #SecTorBy Sean Kerner | October 07, 2009
TORONTO. Who was behind the massive GhostNet botnet that compromised nearly 1,300 government computers around the world?
The short answer is: we still don't know.
That's the word from researcher Nart Villeneuve who gave a talk about his GhostNet experiences at the SecTor security conference. I wrote about GhostNet back in March, when Villeneuve and his crew at the University of Toronto first reported the diplomatically targeted botnet.
Back then, the blame was cast on the government of the People's Republic of China, which is a claim the Chinese government vehemently denied.
So seven months later, who does Villeneuve think the culprits really are?
"We don't know for sure who was behind the attacks," Villeneuve told the capacity audience. "It could be the Chinese government, but it just as easily could have been random."
Major Malfunction details biometric security risks #SecTorBy Sean Kerner | October 07, 2009
TORONTO. Security researcher Adam Laurie, aka Major Malfunction, is well known in the hacker community as an RFID hardware hacker. At the SecTor conference today, the Major gave a gory keynote talk telling the Canadian audience all that's wrong with biometrics and RFID.
I've seen Laurie speak on RFID and hardware hacking (most recently Satellite Hacking) at Black Hat events in the past. The SecTor presentation included bits of his past presentations as well as a surprise.
Laurie told attendees to look at their conference badges and to open them up. Inside there was a hidden RFID tag. He then proceeded to demonstrate how he could read that tag (and potentially do whatever he wanted to do with it).
Laurie's real passion, though, was a discussion about the risks of biometric security. That is, items like fingerprints and retinal scans. To prove his point about the risks, he showed a litany of movie clips where the 'bad guys' get a hold of the biometric part to do bad things.
Overall his point was that breaking security models (for researchers of course) isn't always about complex attacks either.
"I like to break things with simple tools," Laurie said. "If you're attacking crypto don't try and crack the crypto just try the protocols underneath."
Red Hat and Microsoft complete virtualization interop testingBy Sean Kerner | October 07, 2009
Back in February, Microsoft and Red Hat announced a somewhat unlikely deal to validate each other's virtualization interoperability.
Now, eight months later, the two 'partners' have announced that the testing and validation is complete.
That means that Microsoft Hyper-V is now validated by Microsoft and Red Hat to run Red Hat Enterprise Linux 5.2, 5.3 and 5.4 guests. On the other side, Red Hat Enterprise Linux 5.4, using the Kernel Virtual Machine (KVM) hypervisor, is now validated with Windows Server 2003, 2008 and Windows Server 2008 R2 guests.
I don't know what that means for RHEL 5.3 users, the press release doesn't spell it out (and as of the time of this blog post I wasn't able to get in contact with Red Hat).
No, this isn't the same kind of deal that Novell has with Microsoft. This is just a simple, straightforward interoperability deal born out of necessity, in my view. Simply put, Red Hat is the Linux leader and Microsoft (like it or not) needs to work with them on areas that are of mutual benefit.
It's a sentiment that Microsoft has echoed in their public statement on this (now validated) interoperability deal.
"This work is a step forward for customers, partners and hosting providers who want to offer their customers the main x86 virtualized operating systems to run applications," said Mike Neil, general manager of Windows Server and Server Virtualization at Microsoft Corp in a statement. "Customers now get improved virtualization support between the two companies so they can confidently deploy new applications and services."
Does this completed interoperability testing in any way imply that Microsoft doesn't see open source and Red Hat in particular as infringing on patents? That's still the big question that is hanging in the air in my opinion.
Frankly, I can't see Microsoft suing Red Hat users for patent infringement when Microsoft itself is now telling customers that the two technologies can interoperate (albeit virtually).
Juniper joins the NYSEBy Sean Kerner | October 07, 2009
Networking vendor Juniper Networks is currently listed on the NASDAQ as JNPR. That's soon about to change, as Juniper is set to be on the NYSE by October 29th. Surprisingly though, Juniper will still be traded under the JNPR symbol.
I'm not surprised that Juniper is moving to the NYSE. The reason is simple: Juniper was recently awarded a big deal that will see its networking gear help to power the NYSE's next generation data centers.
The NYSE seems to have this 'interesting' pattern of getting tech vendors that it uses for its own infrastructure, to be traded on its own exchange. Another recent example is Linux vendor Red Hat (NYSE:RHT). In May of 2008, the NYSE announced that it was going to use Red Hat's Linux for its exchange. Red Hat moved from the NASDAQ to the NYSE at the end of 2006.
In Red Hat's case they were also looking to help differentiate themselves, which I suspect is the case with Juniper as well.
"We are looking forward to participating in the world's leading and most diverse global exchange with a shared vision around technology innovation," said Kevin Johnson, Juniper's Chief Executive Officer in a statement. "Juniper is delivering an ever-broader array of networking solutions and expanding our presence into service provider and enterprise markets globally. With many of our business partners and customers already listed on the NYSE, joining them on the Big Board aligns well with our strategic goals."
SecTor's wireless wall of shame an eye openerBy Sean Kerner | October 06, 2009
TORONTO. One of the standard tables at the DefCon security conference is the Wall of Sheep, where unsecured user log-ins and passwords are displayed for all to see.
I never thought I'd see the same thing in Toronto, but I just did. I'm at the SecTor security conference and a vendor called e-sentire has a similar wall called the 'Wall of Shame.' The basic idea behind the wall is to catch all the users that are connecting insecurely.
Eldon Sprickerhoff, founding partner of e-sentire, explained to me that his company wrote its own application to sniff the traffic and capture usernames, passwords, cookies and other data. As opposed to Black Hat / DefCon, where the Wall of Sheep sniffed only unencrypted traffic (that is, no WPA2), this Wall was sniffing unsecured HTTP connections on both SSIDs.
The problem is that at SecTor, getting the WPA2 password isn't as easy as it is at Black Hat. In order to get the password, the SecTor show guide says you have to visit the Enterasys booth. I visited the booth, stood there for a few minutes and couldn't figure out where to get the WPA2 info.
The other problem is that to the best of my knowledge there was no disclaimer when you get on the open WiFi network, or even in the show guide, that the network was being monitored for a wall of shame. That doesn't seem right or fair to me.
The deeper warning, of course, is that a whole lot of people, at a security conference, were passing their username/password for all kinds of things in the clear. That is, they were connecting to sites/services without HTTPS. That's a big problem and could happen anywhere.
Standing for less than 3 minutes at the e-sentire booth, Sprickerhoff showed me how his company's tool not only caught the user credentials but also the cookies and any attachment (for an email) that users sent.
The lesson to me is clear. Don't ever input your username/password on HTTP, because if you don't know it, someone (rightly or wrongly) could be watching you.
Apache HTTP Server 2.2.14 released for securityBy Sean Kerner | October 06, 2009
From the 'No Worries It's Apache' files:
The Apache Software Foundation is out this week with a new update to its popular open source Apache HTTP server.
Apache HTTP Server 2.2.14 fixes three security vulnerabilities which could potentially have left users at risk, albeit a small risk.
One of the fixes is for a NULL pointer dereference in the mod_proxy_ftp module. The flaw potentially could have enabled an attacker to trigger a denial of service (DoS) attack via an Apache powered FTP server. NULL pointer errors are common in software development. According to a recent Coverity study, NULL pointer errors have remained the most common type of coding error in open source software over the past three years.
There is also a security fix specific to the Solaris build of Apache, fixing a flaw that could cause the server to reset.
Apache has included numerous other (non-security) bug fixes making Apache 2.2.14 more stable.
As part of the update, Apache is not currently updating its older Apache 2.0.x and Apache 1.3.x webservers. The last releases for those legacy webservers came in January of 2008.
Google Chrome goes Native in 18.104.22.168By Sean Kerner | October 05, 2009
Google is now out with Chrome dev-channel version 22.214.171.124 which is notable for one primary reason -- Native Client.
The 126.96.36.199 version is the first Chrome release to include Native Client as a built-in client for Windows. Native Client is a technology that will enable the browser to run code
The implications for Google are huge as it could enable a new generation of speedier, feature-rich Google Apps (and eventually other apps from other vendors).
Google first announced that they were moving Native Client out of research mode and into production in June and here we are four months later with the first Windows build.
Native Client is not without its challenges from a number of perspectives.
The most obvious challenge is the inherent security issues that Native Client brings to the table. Sure, Google has this nice process isolation for Chrome, but with native applications, will that same isolation hold up against the myriad of app threats that exist today?
The other challenge is to get over the notion (right or wrong) that Native Client is simply Google's attempt to replicate Microsoft's ActiveX.
Microsoft backed Barrelfish OS goes Open SourceBy Sean Kerner | October 02, 2009
If you happen to believe that Microsoft could never open source one of its operating systems, think again.
No, it's not Windows (but hey, try ReactOS, it's not bad). A Microsoft Research backed operating system called Barrelfish is now available under an open source BSD license.
Barrelfish is a joint collaboration between Microsoft Research and ETH Zurich, which is a science and technology university. The partners have been working on Barrelfish since October of 2007.
The code is now being made available as Barrelfish is going to be talked about at an upcoming conference and the researchers wanted other researchers to be able to see and experience what Barrelfish is all about.
is intended as a vehicle for exploring ideas about the structure of operating systems for hardware of the future," the Barrelfish FAQ states. "We anticipate the main challenges for operating systems will be scalability as the number of cores increases, and in dealing with processor and system heterogeneity. We have proposed a radically different way of structuring an operating system to address these challenges."
So just to recap here. Microsoft is using an open source license to help it test out and validate a next generation operating system.
Ubuntu Karmic Koala Beta now out and climbingBy Sean Kerner | October 01, 2009
From the 'Cute and Cuddly'
Not far now...
The "Karmic Koala" aka Ubuntu 9.10 Desktop Beta, Server and Netbook editions, and the Ubuntu Netbook Remix are now available.
The final release is now only a few weeks away and the Beta is a major milestone. I'd expect to see a whole lot more users try out the Beta than the Alpha versions as Ubuntu devs work on eliminating any blocking bugs.
From a feature point of view it looks to me like everything is now locked down. At the top level, the Koala is supposed to be even faster to boot up than the 9.04 Jaunty Jackalope release.
GNOME 2.28 desktop GUI which was just released a week ago. Ubuntu users will also (finally) get a much needed update to Firefox 3.5.
Mozilla previews Content Security PolicyBy Sean Kerner | October 01, 2009
In June of this year, Mozilla announced a new security effort called Content Security Policy (CSP) to help prevent Cross Site Scripting (XSS) attacks. Now here we are three months later and the first previews of CSP are now available.
The basic idea with CSP is that it is an attempt to help to validate that code running in a browser is authorized.
Mozilla has also set up a demo page where developers can test whether CSP is being properly applied to their pages.
In my view, CSP puts an increased (but not unrealistic) additional burden on web developers to put in additional code snippets for CSP validation. Instead of just enabling open access for all, developers will now have to think about which sections of their web page code and which scripts should be authorized to run and where.
The new preview, according to Mozilla, isn't quite done, but they're close.
"The implementation is not quite complete so you may notice some small gaps between the preview builds and the spec," Brandon Sterne, Security Program Manager at Mozilla, blogged. "Most notably, HTTP redirects are not yet handled by CSP (but will be soon)."
Does this mean we'll see CSP in Firefox 3.6?
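The decision CSP asks a developer to make, which scripts are authorized to run and from where, can be seen in a small policy evaluator. This is an added example, not Mozilla's implementation or the preview builds: it assumes the standard Content-Security-Policy header syntax (directive name followed by source expressions, separated by semicolons) rather than the preview's own header, and it implements a simplified subset of source matching ('self', 'none', 'unsafe-inline', scheme sources like https:, and host sources with an optional wildcard subdomain and port). The policies, page URL and script URLs are constructed.

```python
"""Decide whether a script is allowed by a page's CSP script-src directive.

Added example, not the original post's or Mozilla's code. Assumes the
standard Content-Security-Policy header syntax and a simplified subset of
source-expression matching; nonces and hashes are not handled.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header):
    """'script-src a b; default-src c' -> {'script-src': ['a', 'b'], ...}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _effective_port(split):
    return split.port or _DEFAULT_PORTS.get(split.scheme.lower())


def _origin(url):
    s = urlsplit(url)
    return f"{s.scheme.lower()}://{(s.hostname or '').lower()}:{_effective_port(s)}"


def _host_matches(pattern, host):
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):            # *.example.test matches a.example.test only
        return host.endswith(pattern[1:])
    return host == pattern


def _source_allows(source, page_url, script_url):
    """Does one source expression permit script_url on a page at page_url?"""
    if source.startswith("'"):
        # Keywords: only 'self' can match an external script URL.
        return source.lower() == "'self'" and _origin(script_url) == _origin(page_url)
    script = urlsplit(script_url)
    if source.endswith(":") and "://" not in source:
        return script.scheme.lower() == source[:-1].lower()   # scheme source, e.g. https:
    if "://" in source:
        scheme, _, hostport = source.partition("://")
    else:
        scheme, hostport = urlsplit(page_url).scheme, source    # host source inherits page scheme
    if script.scheme.lower() != scheme.lower():
        return False
    host, _, port = hostport.partition(":")
    if not _host_matches(host, (script.hostname or "").lower()):
        return False
    if port and port != "*" and str(_effective_port(script)) != port:
        return False
    return True


def script_allowed(header, page_url, script_url=None):
    """True if the policy lets this page run the script.

    script_url=None means an inline <script> block, which is blocked unless
    the governing directive contains 'unsafe-inline'. script-src falls back to
    default-src; with neither present nothing is restricted.
    """
    sources = parse_policy(header)
    sources = sources.get("script-src", sources.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    if script_url is None:
        return "'unsafe-inline'" in lowered
    return any(_source_allows(s, page_url, script_url) for s in sources)


# Constructed sample policy and page.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.test *.widgets.example.test"
SAMPLE_PAGE = "https://app.example.test/index.html"

if __name__ == "__main__":
    for script in ("https://app.example.test/js/app.js", "https://cdn.example.test/lib.js",
                   "https://evil.example.test/x.js", None):
        print(script or "<inline script>", "->", script_allowed(SAMPLE_POLICY, SAMPLE_PAGE, script))
```

The inline case is the one that matters for XSS: with the sample policy an injected inline script is refused, and adding 'unsafe-inline' to script-src is what brings the open-access behaviour back, which is the trade-off the post describes developers having to think through.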
Open Solutions Alliance folds into new open source groupBy Sean Kerner | October 01, 2009
From the 'How Many Open Source Groups Do We Need?' files:
Back in February of 2007, I wrote about a new open source group called the Open Solutions Alliance (OSA) that was just getting started.
Over the last two and a half years, I've followed up with them a couple of times to make sure they were still alive. You see, I have this basic view, that most open source groups announced at conferences don't last very long.
In the case of the OSA, their lifespan was under three years. The OSA is now merging with another group (that I've never heard of before today) called the OW2 Consortium. The two groups are forming a new group that has yet to be officially named.
"When you look at each organization's strengths in technology and market presence, as well as the global positioning of our members, OSA and OW2 look like two puzzle pieces waiting to be put together," said Cedric Thomas, OW2 CEO in a statement. "We can do much more together than apart, and a combined entity will provide a single voice for open source worldwide and a unique global pool of open source resources."
Time will tell if Thomas' sentiments turn out to be accurate.