Firefox hit with 0day Nobel Peace Prize vuln
By Sean Kerner | October 27, 2010
Firefox 3.6.x and 3.5.x users are all potentially at risk from a new 0-day vulnerability linked to the Nobel Peace Prize website.
Though the flaw is technically a 0-day and there is currently no patch from Mozilla, in my opinion users shouldn't be too worried, as multiple efforts are already underway to mitigate the risk.
"Users who visited an infected site could have been affected by the malware through the vulnerability," Mozilla warned. "The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox's built-in malware protection. However, the exploit code could still be live on other websites."
Mozilla's Daniel Veditz let me know that Firefox's built-in malware protection is still in fact the Google SafeBrowsing API.
"We got the site blocked by Google's SafeBrowsing within a couple of hours of learning about the exploit," Veditz commented.
SafeBrowsing is also used by Chrome and Safari, which means that hundreds of millions of browser users are already safe (just in case those other browsers were also at risk, though that hasn't been reported).
In terms of a code level fix, one is being worked on and I'd expect a Firefox 3.6.12 update before the end of the week.
**UPDATED** As expected, Mozilla has quickly issued an update fixing this issue for both Firefox 3.6 and 3.5 users.
Fuzzing proprietary protocols not that hard #sectorca
By Sean Kerner | October 26, 2010
From the 'Fuzzing Fun' files:
TORONTO. I'm a fan of fuzzing, which is basically a way to throw garbage input at an application to see if it will break.
At the SecTor security conference currently underway in Toronto, Dr. Thomas Proll of Siemens explained how he goes about fuzzing proprietary protocols.
Proll explained that in his job as a penetration tester he has to fuzz proprietary protocols frequently, and he usually doesn't have enough to reverse engineer the protocols either. The types of technology he tests are often infrastructure like electricity, oil & gas and transportation systems.
"Fuzzing is breaking the communication protocol," Proll said. "Unfortunately I can't show you how to break a power plant."
Fedora 15 will not be going to Vegas
By Sean Kerner | October 25, 2010
The Fedora 14 Linux release codenamed 'Laughlin' is just around the corner -- which means it's now time for the Fedora community to name Fedora 15.
Back in May, I thought that Vegas was the obvious choice. The way Fedora chooses its release names has to do with a relationship to the previous release. So I figured: well, Laughlin is in Nevada, so is Vegas, and there you go.
Apparently not one Fedora contributor agreed with me, even though other names like Roswell and Viva were on the long list.
The short list of names that Fedora community members will get to vote on includes:
The one name that stuck out to me on the short list is Pushcart. The rationale for its inclusion is:
The Pushcart prize focuses on independent press and independence is also a keyword for Linux/Fedora. The idea of a compact, convenient yet very practical vehicle that is naturally adapted by its users fits Fedora.
So next year we could have a Pushcart going up against a Narwhal. Nice.
OpenLogic joins the Linux Foundation - Why now?
By Sean Kerner | October 22, 2010
From the 'Linux Foundation is Working' files:
It seems to me that hardly a week goes by when I don't see a release about yet another vendor joining the Linux Foundation.
This week, the vendor is OpenLogic, an open source support and services vendor that I've covered for many years. It struck me as odd that OpenLogic is just joining the Linux Foundation now. After all, OpenLogic offers support for CentOS (and hundreds of other critical projects) and has for years. They also have some really great open source discovery tools which are important for compliance.
So why is OpenLogic now joining the Linux Foundation?
"The activities of the Linux Foundation have expanded in the last year to include more governance and compliance activities," Kim Weins, senior VP of marketing at OpenLogic, told me. "With these additional programs, the activities of the Linux Foundation have become even more directly relevant to our business in helping companies to safely and successfully use open source."
Makes sense, but then again OpenLogic has been participating in compliance efforts led by the Linux Foundation, without being a member before. So what do they gain by giving money to Mr. Zemlin and crew at the Foundation?
Mozilla goes chromeless so you can build your own browser
By Sean Kerner | October 22, 2010
The browser now known as Firefox began as an effort at Mozilla to create a stripped-down, faster version of the Mozilla browser suite. It now seems that Mozilla is considering the same thing again -- this time a stripped-down version of Firefox called 'chromeless'.
No, chromeless is not a swipe at Google Chrome.
In Mozilla's terminology, 'chrome' is the browser's own user interface around the web content, and always has been. The general idea behind chromeless is to strip away that extra shell to make for a faster and more streamlined browsing experience. With chromeless, Mozilla wants to enable developers to build their own browser.
Again, this is something that Mozilla, by way of XULRunner and in limited respects the Prism project, has already enabled. There are some great projects, including the Komodo IDE, that already use the Mozilla framework as the basis of their technologies.
Prism, which essentially creates a minimal, chrome-less browser window for a web application, is also an interesting effort, though it seems to have stalled lately in terms of developer releases.
Pidgin 2.7.4 secures open source IM
By Sean Kerner | October 21, 2010
My favorite open source instant messaging (IM) client is getting an important update this week with the release of Pidgin 2.7.4.
As is the case with all Pidgin updates there is a long list of bug fixes, and this update includes at least one named security fix too.
Pidgin 2.7.4 provides a security fix for CVE-2010-3711 by properly validating return values from the purple_base64_decode() function before using them, according to the release notes.
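Proll's description of fuzzing (mutate a valid message, replay it, see whether the parser breaks) and the Pidgin 2.7.4 fix just described (validate what the base64 decoder returned before using it), as an added example that is not from the original posts, Siemens, Pidgin or libpurple: the wire format, both parsers, the seed message and the mutation strategy are constructed for illustration. The naive parser stands in for the unchecked-decode pattern and the hardened one for the fix; the fuzzer reports which exceptions other than a deliberate ParseError each parser raises on garbage.

```python
"""Mutation fuzzer for a toy IM message parser (constructed example).
Hypothetical wire format: type (1 byte) | len (1 byte) | len bytes of base64;
the decoded base64 is a 4-byte big-endian message id followed by UTF-8 text.
"""
import base64
import binascii
import random
import struct

class ParseError(ValueError):
    """The only exception a well-behaved parser may raise on bad input."""

def build_message(kind: int, msg_id: int, text: str) -> bytes:
    """Encode a valid message; used as the fuzzing seed."""
    payload = base64.b64encode(struct.pack("!I", msg_id) + text.encode("utf-8"))
    return bytes([kind, len(payload)]) + payload

def parse_naive(msg: bytes) -> dict:
    """Trusting parser: uses the decoder's output without checking it."""
    kind, length = struct.unpack_from("!BB", msg, 0)
    payload = base64.b64decode(msg[2:2 + length])  # binascii.Error on bad padding
    msg_id = struct.unpack("!I", payload[:4])[0]    # struct.error if < 4 bytes came back
    return {"kind": kind, "id": msg_id, "text": payload[4:].decode("utf-8")}

def parse_hardened(msg: bytes) -> dict:
    """Same format, but every decoder result is validated before use."""
    if len(msg) < 2:
        raise ParseError("short header")
    kind, length = msg[0], msg[1]
    raw = msg[2:2 + length]
    if len(raw) != length:
        raise ParseError("truncated payload")
    try:
        payload = base64.b64decode(raw, validate=True)
    except binascii.Error as exc:
        raise ParseError(f"bad base64: {exc}") from None
    if len(payload) < 4:  # the length check the naive version lacks
        raise ParseError("decoded payload too short for a message id")
    msg_id = struct.unpack("!I", payload[:4])[0]
    try:
        text = payload[4:].decode("utf-8")
    except UnicodeDecodeError:
        raise ParseError("message text is not UTF-8") from None
    return {"kind": kind, "id": msg_id, "text": text}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level mutations to a valid message."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and data:  # flip one bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif op == 1 and data:  # overwrite with an "interesting" value
            data[rng.randrange(len(data))] = rng.choice((0x00, 0x7F, 0x80, 0xFF))
        elif op == 2 and len(data) > 1:  # drop a byte (truncation)
            del data[rng.randrange(len(data))]
        else:  # insert a random byte
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)

def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Replay mutated seeds; map each unexpected exception type to the first input hitting it."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue  # the parser said "no": the expected outcome for garbage
        except Exception as exc:  # anything else is the parser breaking
            crashes.setdefault(f"{type(exc).__module__}.{type(exc).__qualname__}", case)
    return crashes

SEED = build_message(1, 42, "hello")  # constructed valid seed message

if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(parser, SEED)
        print(f"{name}: {len(found)} failure types: {sorted(found)}")
```

Every input recorded in the returned dict reproduces its failure deterministically, which is the part of a fuzzing run that turns into a bug report.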
There are also a number of SSL related improvements. Pidgin has now added support for the Deutsche Telekom, Thawte Primary and Go Daddy Class 2 root certificate authorities.
The release notes also indicate that a sentence has been added to the certificate warning for expired certificates, suggesting the user check their computer's date and time.
One other item of note affects my own personal usage: Pidgin now finally recognizes Google Chrome as a possible browser on non-Windows (i.e. Linux) systems. Why this took Pidgin developers so long, I don't know. I can only assume it's an issue that never became an issue because no one logged a bug about it before.
Interop saves IPv4 for another day
By Sean Kerner | October 20, 2010
In the same week that the NRO claimed that IPv4 address space has dipped below 5 percent remaining, comes a story that really makes me think that there is a lot more IPv4 address space yet to be found.
The Interop trade show announced that it is returning a portion of its /8 IPv4 address block allocation. A /8 block contains 16,777,216 addresses. That's right, a trade show had nearly 17 million IPv4 addresses allocated to it.
Interop likely could have made do with 100 or fewer unique IP addresses and then used NAT and port forwarding to achieve full conference connectivity for any location in the world. Then again, back in the day, I remember provisioning real unique IPs to every user in the various networks I managed (no, I didn't understand or need to understand NAT; IP space was cheap and plentiful).
How many other organizations are out there that have huge address blocks that they shouldn't have?
When I asked ARIN about unused IPv4 address space earlier this year, they told me that they've had some success in getting space back. What is unclear to me is how much more they can get.
No doubt, even with reclamation, IPv4 has a limited life remaining for new address allocations. But I don't doubt that this very public return of space by Interop will get organizations big and small thinking about how they can do their part to keep the IPv4 address pool alive for another day.
Novell openSUSE Build Service 2.1 released
By Sean Kerner | October 19, 2010
Novell's openSUSE Build Service is among the useful online tools for Linux developers. It lets you build packages for multiple targets including other Linux distributions (Fedora, Debian, Mandriva and Ubuntu), as well as being the platform that SUSE developers use to build SUSE Linux.
The openSUSE Build Service is now getting a boost with the new 2.1 release which includes an enhanced web interface, access control and integration with online source code management tools.
The core of changes seems to be about workflow and enabling the Build Service to be a better platform to collaborate on the building of packages. The web interface now provides a history option to track changes and associated comments.
With the external source code management, the Build Service can now be better integrated into the existing workflow of a developer/project too. That's where I see the access controls also being key, by providing (or restricting) access.
It's all good stuff that is already widely used: the public instance of the Build Service at build.opensuse.org builds approximately 100,000 packages. The service can also be deployed locally, which is how the MeeGo project is currently using the Build Service.
IPv4 addresses fall below 5 percent. Is it time for IPv6 yet?
By Sean Kerner | October 18, 2010
The Number Resource Organization (NRO) announced today that less than 5 percent of the IPv4 address space now remains.
We've been hearing about IPv4 address space depletion for years, and various organizations have kept trying to predict the year we'd 'run out' of address space. The reality is that year after year IPv4 has continued to stay alive - even as pundits proclaim its death. The fact that less than 5 percent of IPv4 addresses remain is not a cause for U.S. based enterprises or consumers to be concerned - the Internet is not running out of IP addresses as some mainstream media might proclaim - you can go about your business as usual.
For service providers, it's another story. The big carriers have had IPv6 pilots for a few years and as more mobile devices are deployed the need for IPv6 on those devices will become a major issue.
In my view, however, IPv6, at least for the next three to five years, will be important as a bridging band-aid technology. IPv4 sites and services aren't going away anytime soon, and the vast majority of the Internet will remain on IPv4 for at least the next 10 years in my opinion.
Is Facebook Anti-Social if they're not OpenSocial?
By Sean Kerner | October 15, 2010
From the 'Do As We Say, Not As We Do' files:
Facebook is THE site now for social collaboration with 500 million plus users. From a technical collaboration perspective though, is Facebook 'socializing' as it should?
Last week I wrote a story about Apache Shindig 2.0, an implementation of the OpenSocial standards. OpenSocial is a set of open standards designed to help enable developers and social sites collaborate around widgets and content.
While a number of big online players including Google and LinkedIn support OpenSocial, Facebook does not.
Why is that? Is Facebook anti-social when it comes to tech collaboration?
I actually got a statement from the fine PR people at Facebook after I had published my story about their official position on OpenSocial.
"While Facebook does not work with OpenSocial, our Platform is built on a number of standards," Facebook stated. "The most recent being OAuth 2.0 which we're working actively within the IETF to develop along with a number of other companies and individuals."
Again, this makes good sense. But wouldn't adopting OpenSocial fall into the above category of improving ways for developers to share and connect?
"... applications which means we make technology decisions based on what will be good for developers," Facebook stated. "Generally, we believe that the future of an open and social Web will be measured not by protocols, but by how much we collectively improve the standards and technologies that enable us and others to give people more powerful ways to share and connect."
Facebook leverages open source and open standards for its own benefit, as do others. However, I also think that they've got such a large platform now, that they will continue to do things that keep people on their platform. OpenSocial as such represents a potential risk as widgets are cross-platform and might be able to draw traffic away from Facebook, instead of always to it.
I understand why OpenSocial might not make sense for Facebook from a business perspective, not so much from a developer one. Then again, Facebook is so much more massive than any other social network at this point, does it really matter? Developers will target Facebook, regardless of whether or not they use OpenSocial.
Mozilla names Gary Kovacs as new CEO
By Sean Kerner | October 14, 2010
Browser vendor Mozilla has a new CEO with the appointment of Gary Kovacs.
Kovacs will take over from outgoing CEO John Lilly in November.
Before today, I personally had never heard of Kovacs. Apparently he has work experience at Macromedia / Adobe, SAP and Sybase -- companies that aren't known for being open source in the same sense as Mozilla.
"He's got deep background in the battlefields that will define the future of the Open Web: mobile and rich media, and he's been involved in building great organizations several times over," outgoing CEO John Lilly blogged.
Kovacs is also coming into Mozilla at a time of exceptional challenges both technical and financial. Firefox 4 is currently in development and should be completed by the end of the year.
The new browser already faces competition from Microsoft's renewed browser focus in IE9 for Windows. Google's Chrome effort is now spinning out new major releases every 12 weeks that continue to pick up speed and market share.
On top of that is the fact that (unless I'm mistaken) Mozilla still earns most of its money by way of a deal with Google that is set to expire -- sooner rather than later.
I personally would have thought that Mozilla would have turned to someone with experience in building open source businesses (like an ex-Red Hat person perhaps) as that's where I see Mozilla's challenge. Proprietary vendors like Adobe and SAP have very different models than Mozilla.
Technically and legally (with licensing), Mozilla's leadership from Brendan Eich as CTO and Mitchell Baker as the chief lizard wrangler (or co-CEO perhaps?) remains intact, so I don't think we'll see any major shift.
That said, perhaps a new outsider perspective is precisely what Mozilla needs to move to the next stage of its development.
Extensions debut in Opera 11 - Android coming soon.
By Sean Kerner | October 14, 2010
The ability to extend a browser, called extensions or add-ons depending on the vendor, is now finally set to debut in the upcoming Opera 11 browser.
According to Opera, their extensions will be based on the W3C Widget spec, and they'll try to enable developers to port extensions from other browsers.
Considering that Mozilla has had add-ons for years, IE has them too and Chrome has been busy building up its extensions as well, Opera is a bit behind the curve here. Though giving developers the ability to leverage work they've already done for other browsers is the right decision.
As to why after all these years Opera is just now deciding to jump on the Extension bandwagon - I'm not sure. The ability to extend a browser seems so common sense and 'must-have' to me, that I'm shocked that it has taken Opera so long to come to the same conclusion.
Beyond Extensions, Opera is now also ramping up the development of an Android version of their browser.
Again, this is a good idea, but as I've written before, Android already has a great browser so any new browser - Opera, Firefox or otherwise - will face a challenge. I personally would love to see more choices for the Blackberry platform, where browser innovation is something that is desperately needed.
Google Chrome 8 starts to take shape
By Sean Kerner | October 13, 2010
Chrome version 8 is now available in the developer channel for Google's web browser. That's right, version 8.
Chrome 7 just hit beta at the end of September and I'd suspect a stable release of Chrome for all platforms is just around the corner.
So what's new in Chrome 8?
That's not as easy a question to answer as you might think. Google, for some unknown reason, doesn't produce release notes in the same sense that other browsers provide. That said, the SVN revision log shows lots of activity.
The big new item from my viewpoint that Chrome 8 will debut is hardware acceleration, officially titled in the SVN entry as, "Lab strings for accelerated compositor, canvas 2d, and WebGL added. Canvas Lab exposed."
There is also the initial implementation of Google Instant for Mac users and for Windows users there is a big fix that will enable them to import locally saved IE toolbar autofill data.
Still early days for Chrome 8, but Google's rapid development process means that this new browser will likely be ready for the mainstream inside of the next 12 weeks.
Red Hat hails IBM's move to Oracle OpenJDK
By Sean Kerner | October 12, 2010
From the 'Yes We Can Get Along' files:
IBM's embrace of Oracle's OpenJDK is a good thing for a lot of people in the Java community. Three years ago, I wrote about Red Hat joining the OpenJDK effort (then under the leadership of Sun); at the time Sun was hopeful that IBM would join too, but they didn't until this week.
So now we've got Oracle, IBM and Red Hat all on the same basic page when it comes to Java and its open source implementation.
"We are pleased to see IBM joining Oracle on the OpenJDK," Mark Little, Sr. Director of Engineering, Middleware, Red Hat and JCP Executive Committee member said in an email statement that Red Hat sent me. "When industry leaders are collaborating and working together in a community versus fracturing it and going their own way, customers will benefit."
Little added that IBM's commitment to open source development for OpenJDK is consistent with Red Hat's philosophy and they are happy to support it. Considering that Red Hat has already been at the OpenJDK table for three years, Little's comments don't surprise me.
Smeegol is a precious Linux netbook UI
By Sean Kerner | October 08, 2010
Netbooks are apparently still a hot target for Linux vendors. The Novell backed openSUSE effort this week launched their latest netbook UI effort called Smeegol (yeah, you know the LOR reference..).
Smeegol is an effort to bring MeeGo to openSUSE and at first glance it sure looks...precious.. to me.
"Users are able to pull from the full openSUSE ecosystem for applications, using repositories on the Build Service and other 3rd party repositories," openSUSE developer Andrew Wafaa wrote in a mailing list posting. "Moreover, thanks to SUSE Studio anyone can now easily create a customized Smeegol based OS from a convenient web interface."
The integration with SUSE Studio is the part that makes Smeegol very attractive to me (and no, I'm not normally attracted to such wretched middle-earth creatures). It basically means that I can build a custom Smeegol distro for my own use case whenever I want. For those that just want to try it out, there is already a Smeegol appliance pre-built.
The customization that SUSE Studio enables could make Smeegol a really interesting approach for those that want to deploy to netbooks but haven't (yet) figured out a good approach.
Yes, I know, Ubuntu has their own slick Unity interface for netbooks now too, but they don't (yet) have the same simple to use/deploy online custom appliance builder tech that SUSE Studio already delivers, now with Smeegol.
Firefox 4 Mobile may not be the droid you're looking for
By Sean Kerner | October 08, 2010
Mozilla has had a long and somewhat frustrating experience trying to build a mobile web browser. They failed with Minimo, they started again with Fennec in 2008, specifically targeting Maemo.
Then Fennec morphed into Firefox Mobile, which hit its 1.0 release earlier this year - again only for Maemo, but with a goal to expand to other platforms including Android.
So here we are more than two years after Mozilla kickstarted its mobile efforts, and they've announced the first beta for Firefox 4 Mobile on Android and Maemo. So forgive me for not being too excited about this new beta; I've heard this song before.
Sure, there are differences this time around. Firefox 4 is a superior browser to the base that Mozilla developers first started with for Fennec and yes Android is likely the best target they've ever had for a mobile platform with vastly more users than Maemo (isn't that supposed to be MeeGo now?!)
The ability to sync desktop and mobile is a great idea and that's likely the ideal use case scenario under which Firefox 4 Mobile will thrive on Android devices. For iPhone users, there is no Firefox Mobile, but they can benefit from the Firefox Home application instead.
Choice is always a great thing, though in my experience the Android web browser is already a fast and very capable technology. It's not like Windows users with IE, who really need another option; Android users aren't exactly suffering. Blackberry users, now that's another story -- I haven't seen any effort from Mozilla to target that platform (and likely won't either).
Alcatel-Lucent powers wireless with Wind River Linux
By Sean Kerner | October 07, 2010
I talk to a lot of networking vendors that tell me that they're running Linux inside of their devices. The problem that I usually encounter is that the vendors hardly ever tell me where their Linux is sourced from (kernel.org or otherwise).
With Alcatel-Lucent, that's now changing as they've officially revealed that they're using Wind River as their embedded Linux vendor of choice, as part of a new wireless networking gear roll-out.
Alcatel-Lucent will be using a Wind River Linux platform based on the 2.6.34 kernel including the PREEMPT RT realtime kernel patch to improve latency and determinism.
Sure, there are likely plenty of embedded networking vendors that do in fact build their own Linux distros from a kernel.org or CentOS base - but it does make sense to rely on a partner, Wind River in this case (though MontaVista makes a fine embedded Linux as well).
"The need for higher speeds from wireless networks requires top performance, and to achieve this we needed to look to the latest multi-core technologies integrated with a world-class Linux distribution," said Bill Zucker, vice president of wireless common assets and platforms at Alcatel-Lucent in a statement.
Outercurve packs in open source .NET packager
By Sean Kerner | October 06, 2010
The Microsoft sponsored Outercurve Foundation has added a new open source project to its roster.
NuPack is an open source package management system for .NET. NuPack is all about enabling developers to more easily incorporate third party libraries and in my view makes perfect sense as an open source project.
"The NuPack project is significant because two groups of developers - one independent, one from Microsoft - discovered they were working to solve the same problem and decided to collaborate and contribute the combined project to the Foundation," said Paula Hunter, Executive Director, The Outercurve Foundation, in a statement.
According to the Outercurve Foundation, NuPack was jointly contributed by Microsoft, the foundation's funding sponsor, and the independent developers of the Nubular (NU) project.
Beyond the joint contribution, NuPack is also significant since this is the first project being added to Outercurve since it rebranded itself from previously being known as CodePlex.
Google lashes out at Oracle. Is anyone surprised?
By Sean Kerner | October 05, 2010
So the other shoe has dropped and Google has now legally responded to Oracle's lawsuit alleging that Android infringes Oracle's Java patents and intellectual property.
It's a 27 page legal filing, but let me summarize it succinctly for you. Google is denying Oracle's claims of patent infringement. Going a step further, Google is questioning the validity of Oracle's patents.
Is anyone surprised? Well they shouldn't be.
Back when Oracle first filed their lawsuit, Google sent out a statement that said they would defend open source standards and called the Oracle lawsuit 'baseless'.
The way I read Google's response is that this will become a case about patent validity, which will ultimately have much wider repercussions than just the Google/Oracle case. This case will test aspects of the patentability of one of the most popular development languages.
Red Hat settles patent case with Acacia - shares few details
By Sean Kerner | October 04, 2010
Open source is all about transparency, but that doesn't always apply to all aspects of the open source ecosystem.
Red Hat has settled an alleged patent infringement case with IP firm Acacia Research Corporation around U.S. Patent #6,163,776. That particular case was pending in the United States District Court for the Eastern District of Texas, Civil Action No: 6:09-cv-00097-LED.
As far as I could tell from the legal filing, the action was in reference to alleged intellectual property infringement in Red Hat's open source JBoss middleware software, filed in March of 2009 by Acacia's Software Tree LLC division. The patent in question is titled, "System and method for exchanging data and commands between an object oriented system and relational system."
As to how Red Hat has settled the alleged IP infringement, that's where the transparency (or lack thereof) is my concern. When I asked Red Hat about the patent settlement with Acacia I got the following statement:
"Red Hat routinely addresses attempts to impede the innovative forces of open source via allegations of patent infringement. We can confirm that Red Hat, Inc and Software Tree LLC have settled patent litigation that was pending in federal court in the Eastern District of Texas (Civil Action No. 6:09-cv-00097-LED)."
Ubuntu Linux font takes flight in Maverick
By Sean Kerner | October 01, 2010
From the 'Talk To Me Goose' files:
Ubuntu is out this week with the release candidate for Ubuntu 10.10, loaded with all kinds of Linux goodness including a new kernel and updated applications up and down the stack.
From a user-facing desktop perspective, there is one key thing that jumped out at me immediately - the new font. That's right, Ubuntu has its own font and it's the default for the desktop now too.
Talk about the power of branding. Ubuntu is following their re-branding all the way down to the font level, creating a unique look and feel for their distro. Yes, I know a font is a small thing in the grand scheme of the massive effort that is a new Linux distro release, but it is a noticeable small thing.
I personally like the new Ubuntu font, and I'll likely use it for any Ubuntu specific post I blog about. The Ubuntu font is the default in Maverick, but it's also just a regular OpenType font that can run on any distro (or even Windows) and, through the magic of @font-face, on any modern browser as well.
Is Google's WebP image format the right approach?
By Sean Kerner | October 01, 2010
Google is launching a new web format for images called WebP this week that aims to provide faster images for the web.
While I personally believe that it's a great idea to have faster images, having a new image format might not be the right way to go either. There are hundreds of millions (billions?) of jpeg images on the web today that will likely never be converted to a different format. There are browsers - old and new - that will likely never support the WebP format.
Yes, it makes sense for new images and even for users of a Google-friendly environment (Chrome, Android). But what about the rest of the web?
Developers and website owners should be taking advantage of tools like Google Page Speed and Yahoo YSlow to improve image compression on the standard image formats that exist today and are supported on all major computing platforms.
The other thing that can and should happen is that the operating systems themselves can build in new tools to handle existing image formats faster. One such example is the libjpeg-turbo effort.