Open Source Asterisk Leader Kevin Fleming Leaving Project
By Sean Michael Kerner | July 31, 2012
From the 'Open Source Heroes' files:
The first time I spoke with Kevin Fleming was back in 2006, about a new collaboration that Asterisk had built at the time with Zimbra. I had spoken with Mark Spencer, the founder of Asterisk, many times before, but Fleming was the 'new' guy, taking on a leadership role in the open source Asterisk VoIP project.
Fleming announced today that he is now moving on from Asterisk and its corporate parent Digium.
Across the last six-plus years, I've seen and reported on the incredible leadership that Fleming brought to Asterisk - an open source project that I literally cannot live without. Asterisk in the beginning was an effort to provide an open source alternative to commercial PBX systems, and over the years it has grown to be a de facto standard for many of us.
While Fleming is leaving Digium, he's not leaving open source.
"In the middle of September, I'll start working for Bloomberg, L.P., in the Office of the CTO, helping to lead their nascent open source initiative," Fleming wrote in a mailing list posting. "I'll be working to bring the power of open source software, open standards, and community building to the financial market data services industry, where it is sorely needed (and overdue)."
Good luck Kevin - hope you have as much success at Bloomberg as you had at Digium.
Digium isn't sitting idle either - they have already moved to try to fill the impossibly large shoes that Fleming left behind. The new Asterisk project leader will be Matt Jordan, and the Technical Lead for the project is now Mark Michelson.
Linux Desktops Dominate at Black Hat
By Sean Michael Kerner | July 30, 2012
From the 'Linux Desktop Lives!' files:
There are some people that don't believe the Linux Desktop is relevant.
I'm not one of them, and apparently neither are hordes of security professionals that were at the recent Black Hat security conference in Las Vegas (including me).
The show itself doesn't calculate who uses what, but Aruba Networks (they have a Linux-powered set of wireless routers) does measure.
For desktop OS users of the Wi-Fi network, the top desktop OS was...
That's right: Linux (and no, we're not talking about Android either).
Linux came in at 19.9 percent of the total users on the Wi-Fi network. Windows came in at 19.2 percent and Mac OS was 13.7 percent.
While Linux led on desktops, when you add in mobile OSes it falls to second behind iOS, which came in at 29.6 percent. In contrast, Android was only 17.6 percent.
So yes, the Linux desktop is alive and well. No, Android isn't necessarily the savior either. Linux on its own (GNOME, KDE or otherwise) can do well in certain environments. Those of us that use Linux desktops have long relied on it for security, which is likely the chief reason why it showed up so well at Black Hat.
Defcon: Will Open Source Divashark Unseat Wireshark for CTP?
By Sean Michael Kerner | July 29, 2012
From the 'Maybe Next Year' files:
We all love open source Wireshark for packet capture, right?
Apparently, that isn't always the case. Researcher Robert Deaton took the stage at Defcon to announce a new open source effort that could one day possibly unseat Wireshark.
Deaton said that every team at the Defcon CTP (Capture the Packet) contest uses Wireshark. That said, he argued that in his view it's the wrong tool for the job.
In his view there is lots of noise in Wireshark: when looking for something simple like a username and password, there is too much detail at the TCP level. For example, one of the CTP challenges was to find a user's Reddit login, which is possible with Wireshark, but unduly tedious.
"Do we really care about packet level details?" Deaton said. "Divashark is a tool to make live network forensics easy; it gets you the info you care about as quickly as possible without getting bogged down in small details."
Deaton explained that Divashark will do the same type of capture as Wireshark: it automatically follows TCP and UDP streams as they come in, then the streams are run through a port-independent classifier. He added that the system has powerful abilities to filter traffic at the application level. The HTTP dissector lets researchers filter by user-agent, or by whatever URL has been requested.
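To make the pipeline Deaton described concrete, here is an added example (written for this article, not Divashark's code, which had not been published at the time) of the two stages that matter: a port-independent classifier that looks at the first bytes of an already-reassembled stream rather than at the port number, and an HTTP dissector with application-level filtering by user-agent or URL. The stream tuples, the HTTP request on port 8081 and the hosts and user-agents in them are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample streams: (client, server, first payload bytes of the stream).
# These are made-up captures for the example, not taken from any real network.
STREAMS = [
    ("10.0.0.5:51234", "93.184.216.34:8081",
     b"GET /login?next=/ HTTP/1.1\r\nHost: example.com\r\n"
     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"),
    ("10.0.0.5:51235", "93.184.216.34:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    ("10.0.0.7:40001", "10.0.0.1:25",
     b"EHLO laptop.local\r\n"),
    ("10.0.0.9:51300", "10.0.0.2:80",
     b"POST /api/session HTTP/1.1\r\nHost: intranet\r\n"
     b"User-Agent: curl/7.29.0\r\nContent-Length: 0\r\n\r\n"),
]

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Port-independent classification from the first bytes of a stream.

    The port is deliberately ignored: HTTP on 8081 is still HTTP.
    """
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload[:4].upper() in (b"EHLO", b"HELO"):
        return "smtp"
    return "unknown"


def dissect_http(payload: bytes) -> Optional[dict]:
    """Pull the request line and the headers an analyst cares about."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": parts[0].decode("latin-1"),
        "path": parts[1].decode("latin-1"),
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
    }


def http_requests(streams, user_agent: Optional[str] = None, url: Optional[str] = None):
    """Application-level view: HTTP requests, optionally filtered by user-agent or URL substring."""
    out = []
    for client, server, payload in streams:
        if classify(payload) != "http":
            continue
        req = dissect_http(payload)
        if req is None:
            continue
        if user_agent and user_agent not in req["user_agent"]:
            continue
        full_url = req["host"] + req["path"]
        if url and url not in full_url:
            continue
        out.append({"client": client, "server": server, "url": full_url, **req})
    return out


if __name__ == "__main__":
    for req in http_requests(STREAMS, user_agent="curl"):
        print(req["client"], "->", req["method"], req["url"])
```

The point of the classifier is the first check: the login request on port 8081 is recognised as HTTP from its request line, which a port-based display filter would have missed. Stream reassembly itself is assumed to have happened already; a real tool would sit behind a capture library and feed each new stream's first segment into `classify`.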
"Divashark will make a competition like CTP easier as it will no longer be about who can hunt through wireshark the fastest," Deaton said. "It could make CTP as a competition, almost not a competition as everyone will be able to find almost every answer immediately."
There is however a catch.
Divashark was not done as of the time of Deaton's presentation, so he couldn't demo it. Also, his project page, divashark.org/defcon, was not available. That said, Deaton pledged to have his code up within a few days, and the code would be open source.
I for one am cautiously optimistic about this - I've spent my fair share of time in Wireshark and the opportunity to get an open source tool that will make that type of analysis easier is incredibly exciting.
Defcon: Hardware Security Starts with Lockpicking Village
By Sean Michael Kerner | July 29, 2012
From the 'Good Locks Make for Good Security?' files:
LAS VEGAS. I write a lot about software security, which is why it's always a great reminder for me to visit the Lockpicking Village at Defcon.
At the Lockpick Village this year there were 6 or so main tables where attendees tried out different locks and tried to pick them. There was also a presentation area, where I have to admit I spent a ton of time, learning about how locks really work and how to defeat them. Then there was also the vendor, selling the tools of the trade (pictured left: the lockpicks for sale).
All this at the world's largest hacker convention - and the reason why is simple. Hardware hacking is just as important, in many cases, as the software side. Physical security, the simple lock and key that have protected civilized persons for hundreds of years, is still quite literally the linchpin of the security industry.
Am I advocating that everyone should learn how to lockpick?
Not necessarily, though I gotta say, it really is kinda fun and a whole lot different than combing through Wireshark logs looking for the magic packet to pwn a target for a Defcon contest. It is important to remember, though, that 'hacking' didn't begin with the computer age, and the art of lockpicking is something that will likely continue to find a home at hacker conferences like Defcon for years to come.
Black Hat Defcon: Can you hack a Linux Powered SOHO Router with DLNA?
By Sean Michael Kerner | July 29, 2012
From the 'Truth in Advertising' files:
LAS VEGAS. Security researcher Zachary Cutlip (pictured left) took the stage at both the Black Hat and Defcon conferences this weekend.
His talk was about doing SQL injection on MIPS-powered SOHO routers - and in particular he aimed at the Linux-powered Netgear WNDR3700.
After sitting through an hour of this guy's presentation at Black Hat (I didn't bother to see it a second time at Defcon) the answer is:
Cutlip was able to determine that these Netgear routers have the DLNA (media streaming) tech on them, and it is possible to perform a SQL injection against that tech. He also argued that since the device is running Linux, it is arguably easier to exploit and control, since many security researchers understand Linux and there are a lot of common tools on the OS itself.
Now, with an exploit of DLNA, the only direct information available to the attacker is information about music and videos. By way of a ROP (return-oriented programming) technique, however, Cutlip said it would be possible to find the admin password for the router - and then full shell/root pwnage from there.
BUT WAIT. There is a catch.
One of the best things about being at a conf like Black Hat (and Defcon) is that the audience is typically very skeptical and often as smart as the presenters themselves. A member of the audience correctly pointed out that DLNA only listens by default on the LAN.
That means that a remote exploitation of DLNA is somewhat unlikely.
Cutlip noted that there is the Rebind attack, which was first demoed at Black Hat in 2010. With Rebind it is possible in some cases to trick a router into giving a remote user local LAN access. Cutlip admitted, however, that he had not tested the technique with his DLNA vulnerability.
Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail
By Sean Michael Kerner | July 25, 2012
LAS VEGAS. One of the highlights for me in any given year of the Black Hat security conference is the Pwnie awards. It's a time for some good lighthearted fun, while still looking at some very serious problems -- and making fun of those responsible for creating the problems and praising those that found the problems.
The pwnie for the best client side bug was a joint award to Pinkie Pie and Sergey Glazunov for their respective Google Pwnium flaws that they found earlier this year.
The best privilege escalation bug went to Bromium's Rafal Wojtczuk for the Intel x64 sysret privilege escalation flaw. Wojtczuk detailed his flaw during a talk at Black Hat here today as well.
My favorite category, however, and the one that usually elicits the best audience response, is the pwnie for the most epic fail. This award was given out by Metasploit creator HD Moore.
"You have to really screw up big time to win this," Moore said.
The nominees included the entire anti-virus industry, LinkedIn for their breach of 6 million passwords and application delivery controller vendor F5. F5 had a static root SSH key, which in effect enabled a shared key across all F5 customers.
The winner: F5.
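The F5 problem generalizes: a key that a vendor bakes into every shipped appliance shows up as the same public key in root's authorized_keys on every one of them. Here is an added defender-side audit (written for this article, not F5's or anyone else's tooling) that fingerprints every key in a collected set of authorized_keys files the way OpenSSH does (SHA256 of the decoded key blob) and reports keys that appear on more than one host. The host names and key blobs are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from collections import defaultdict


def _fake_blob(label: str) -> str:
    # Constructed stand-in for a base64 public key blob; a real file carries a real key.
    return base64.b64encode(label.encode()).decode()


# Constructed inventory: host -> contents of /root/.ssh/authorized_keys gathered from each box.
INVENTORY = {
    "lb-01": f"ssh-rsa {_fake_blob('vendor-baked-in-key')} root@vendor-build\n"
             f"ssh-ed25519 {_fake_blob('ops-alice')} alice@ops\n",
    "lb-02": f"ssh-rsa {_fake_blob('vendor-baked-in-key')} root@vendor-build\n",
    "lb-03": f"# comment line\n\n"
             f"from=\"10.0.0.0/8\" ssh-rsa {_fake_blob('vendor-baked-in-key')} root@vendor-build\n"
             f"ssh-ed25519 {_fake_blob('ops-bob')} bob@ops\n",
    "app-01": f"ssh-ed25519 {_fake_blob('ops-alice')} alice@ops\n",
}

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public key blob (same form as ssh-keygen -lf)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line.

    Skips blank and comment lines; tolerates leading options such as
    from="..." by scanning for the key type field instead of assuming column 0.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field in KEY_TYPES and i + 1 < len(fields):
                yield field, fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                break


def shared_keys(inventory: dict, threshold: int = 2) -> dict:
    """Map fingerprint -> sorted list of hosts, for keys present on at least `threshold` hosts."""
    hosts_by_fp = defaultdict(set)
    for host, text in inventory.items():
        for _, fp, _ in parse_authorized_keys(text):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for fp, hosts in shared_keys(INVENTORY).items():
        print(f"{fp} is trusted for root on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key legitimately used by one operator on several hosts (alice above) will also be listed, so the report is a starting point for review rather than a verdict; the one that should stand out is a key with a vendor comment present on every appliance of one model, which nobody on the operations team generated.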
Now, normally the winner of the epic fail category doesn't show their face. This time it was different. An unnamed person from F5 came up to the podium to accept the award, and he even gave a few words of thanks.
"You got a bug with us, bring it to us. We want it," the F5 winner said.
The final pwnie was for the most epic 0wnage and it went to the authors of Flame for their MD5 collision attack.
"Is the author of Flame in the audience?" Pwnie judge Dino Dai Zovi asked.
No one stood up.
Black Hat: Kaminsky Says that Developers, Not Security Pros are in Charge.
By Sean Michael Kerner | July 25, 2012
LAS VEGAS. When it comes to security flaws, security pros are not in charge.
That's the message that security researcher Dan Kaminsky delivered in a press conference at Black Hat today.
"People think that security people get to tell people what to do, but the reality is that developers are in charge."
Kaminsky added that it's not like developers hate security, and it's not like they want to leak information, but they also don't want to write code in ornate mechanisms of security.
"So if there is one mindset that I want to change, it is to try to bridge the gap for mutual respect from developers and security people."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.
Shuttleworth: Next year 5 percent of the world's PCs will ship with Ubuntu pre-installed #Linux
By Sean Michael Kerner | July 19, 2012
From the 'More Beautiful than Apple' files:
Back in 2008, I was at OSCON when Mark Shuttleworth set out the audacious goal to make the Linux desktop more beautiful than Apple.
Today, four years later, Shuttleworth returned to the OSCON stage to claim victory.
In his view Ubuntu's desktop is now better than Apple. In his view it's also easy for existing Apple users to move to Ubuntu as well.
That said, he noted that Ubuntu's Unity desktop effort was a deeply unpopular process, but it is one that has delivered results.
Shuttleworth demonstrated easy applications transitions and he showed off the upcoming HUD (Heads Up Display) coming in the Ubuntu 12.10 release later this year.
The success is also translating into a bold new claim from Shuttleworth:
"Next year, 5 percent of the world's PCs will ship with Ubuntu pre-installed," Shuttleworth said.
That's a number based on emerging markets like India and China, as well as brand new PCs from Dell.
Shuttleworth has always been a big talker with big ideas, and to be fair, Ubuntu has progressed over the last four years. Unity (love it or hate it) is a very different desktop than we had four years ago. Ubuntu TV and Ubuntu for Android will bring Ubuntu (and Linux) to more form factors than ever before, too.
With Windows 8 coming, users are likely to be looking for alternatives (potentially) so this could well be....(wait for it...) the Year of the Linux Desktop?
$100 Million Reasons why Open Source Git (and GitHub) is the greatest thing since sliced bread
By Sean Michael Kerner | July 10, 2012
From the 'Sourceforge and Google Code?' files:
Today for nearly anyone starting a new open source project, the default choice for code repository/dev is GitHub.
Companies big and small, developers known (like Linus Torvalds) and even wannabe (like me) all use GitHub. It has eclipsed Google Code and Sourceforge, and without any doubt in my mind it is the best way to build community too, from the code level up.
While there are tens of thousands of people that don't pay a dime to use GitHub, there are lots of companies that do. So many in fact that GitHub has now just raised $100 Million in venture capital funding.
That's a lot of money.
VCs don't invest based on what the company is worth today; they invest based on what they think it will be worth tomorrow and how much they expect to make in an exit. So GitHub - a site built around Git, the open source version control system built over a short period of time by Linus Torvalds - is likely a what...$500 million business? Maybe it's a $1 billion business?
It is truly staggering to consider that in just a few short years, Git and GitHub have displaced legacy version control systems in terms of both mind share and now dollars too.
Mozilla is Wrong. There is Still Room for Open Source Thunderbird Innovation
By Sean Michael Kerner | July 09, 2012
From the 'Difficult Decisions' files:
Mozilla's current success is born out of a decision made over a decade ago to split up the Mozilla Browser Suite. The original Mozilla Browser (now continued in SeaMonkey) had both email and browser, which were split out into separate projects: Thunderbird and Firefox.
While Firefox has achieved stunning success over the years and generated hundreds of millions of dollars for Mozilla - Thunderbird has not.
Thunderbird has been slower to release in my experience, and the project lacks the vision and the leadership that Firefox has enjoyed for a decade. Mozilla is now (once again) pulling back from Thunderbird.
"We've tried for years to build Thunderbird as a highly innovative offering, where it plays a role in moving modern Internet messaging to a more open, innovative space, and where there is a growing, more active contributor base," Mozilla chief Mitchell Baker blogged. "To date, we haven’t achieved this."
As a historical refresher, Mozilla attempted to re-invigorate Thunderbird with the spinoff Mozilla Messaging originally announced in 2007 and given real life in 2008. In April of 2011, Mozilla realized that Mozilla Messaging was going nowhere and decided to fold the unit into Mozilla Labs.
Now Mozilla is ceasing to fund active innovation in Thunderbird.
While I have tremendous respect for Mozilla, I respectfully disagree with Mozilla's assessment of the situation. There is still a lot of room for innovation in email. Who among us is truly happy with their email experience today?
Email is a legacy tech that we all use every day. It is a place that desperately needs to be revolutionized by an open source leadership team that has a vision that goes beyond what has been done in the past and what others are doing today. Just like Mozilla has delivered an amazing new browser for Android (I love it!!), if the same bright minds put their energy behind figuring out how to make email better...
The problem is that Thunderbird is good enough, lots of Mozilla types use Zimbra (hey, I like Zimbra too) and web-based Gmail is workable too. If I had Mozilla's money, I would not rest on my laurels and throw in the towel on email innovation. It's something that is in desperate need of innovation, a new way to think about collaboration and email.
No, it's not easy, and no, there are no easy fixes. Email is essential (as is calendar, which never really matured after the Firefox/Thunderbird split either) and just like Firefox revolutionized the way we think about browsers, I think Mozilla should be the place to revolutionize email.
Yes, I know it's open source and if I really wanted to, I could contribute the ideas I'd like to see. But does that really work in Thunderbird? Can large platform ideas actually come from the community at large?
In any event, Thunderbird is not dead: Mozilla has committed to maintaining stability, and it remains open and free. Perhaps a hero will come along, much like one did in the Firefox era, who has the leadership, vision and guts to change the way we all think about and use email.
Mozilla Rebrands Linux Powered Boot to Gecko as Firefox OS
By Sean Michael Kerner | July 02, 2012
From the 'Following in Google's Footsteps' files:
For years, I've been saying that a Firefox OS is a good thing (and hey there is no shortage of Linux appliances that are pretty much that).
Now at long last, Mozilla has seen the same light and is rebranding the effort once known as Boot to Gecko (B2G) as Firefox OS.
Yes, it does sound familiar for other reasons...doesn't it?
Google also has an operating system named after a browser with Chrome OS. Both Chrome OS and Firefox OS are based on and leverage Linux at the core.
In the Firefox OS case, Linux is what the bare metal phone hardware will run, and Firefox layers on top of it. Linux is not, however, the defining tech of Firefox OS; it's just the boot time tech, and the web, with Firefox as the engine, is the real star of the show (again, very similar to Chrome OS).
Chrome OS is, however, a very different beast than Firefox OS. With Mozilla's creation, the web is the app store and mobile is the name of the game, as opposed to Chrome OS, which is currently a dead-end platform that only Samsung seems to be interested in backing. Firefox OS now has wide industry support, something that Chrome OS never had. So far, Deutsche Telekom, Etisalat, Smart, Sprint, Telecom Italia, Telefónica and Telenor have pledged to support Firefox OS.
Yes, this will create a second major Linux based smartphone OS (no, I don't count MeeGo or Tizen).
It also means that Mozilla as a company is shifting its brand strategy somewhat. With Firefox OS linked to a mobile OS, the Firefox platform brand will also now be confused as a mobile-first brand. While I don't disagree that mobile is where the growth is, I'd strongly recommend to the braintrust at Mozilla to not forget about the hundreds of millions using Firefox today. It is clear that as an OS platform, Firefox could have (and I think should have) also done something akin to Chrome OS (as well as extending it out to smart phones).
But Mozilla is doing what it must here - its brand equity is inexorably tied to Firefox today. The only way it can get that 'instant' recognition is by extending (and in some part cannibalizing) the Firefox brand. Think about it - who would know what a B2G phone is?
On the other hand, a Firefox phone? It's a story (and a brand recognition exercise) that writes itself.