Category: Security
November 24th, 2009
Chrome OS will rise or fall on the safety dance
Google has the chance to make desktop Linux secure.
By starting with a blank sheet of paper, and lessons learned while developing its browser, Google wants to build a lightweight OS for netbooks that avoids the weekly “security update” hassles of its big-time rival.
This means the practices Google says it is building into Chrome OS — system hardening, process isolation, secure auto-update, verified boot, intuitive account management, defense in depth, and devices secure by default — have to be more than buzzwords.
But there is something even more important Chrome OS has to do in terms of security. That is it has to develop an ecosystem of applications around itself that are themselves secure.
This is something it has yet to do with the underlying browser (and Google is clear that the browser is the technology under its operating system). Most Chrome add-ons are Google-written. Compare it to what Firefox offers — there is no comparison.
Google has to find a way to reach out to the creators of add-ons and plug-ins, as well as applications, and not only get them supporting the OS but supporting it in the same secure way Google supports it.
This will not be easy.
An alternative is to focus on the Linux application space rather than the browser space, even though, as Google says, all Chrome OS applications will run from the browser.
In this case Google must convince Linux application developers to emulate its secure process, promising massive distribution for apps that may not now be ready for prime time.
So it’s not just about what Google’s programmers do in terms of security that will drive Chrome OS. Google needs application developers to accept its security development framework as well. That means doing the kind of marketing to developers (developers, developers, developers, developers) Microsoft has been doing for decades.
And it’s not just about doing the Ballmer dance. It’s about getting those developers to do the safety dance.
October 27th, 2009
Black Duck finds its business makes sense
I am of two minds concerning the Black Duck release on encryption in open source.
On the one hand it’s interesting to know that 4,000 out of 220,000 tested (less than 2% if you’re scoring at home) contain strong encryption, the kind the U.S. still thinks of as “munitions grade.”
On the other hand there is no reason to panic, as Dr. Dobbs did. And a close look reveals this release is basically a product launch for Black Duck Export, a new feature in its “watch out, look out, over there” suite of offerings that includes warnings on copyrights and other important issues.
The image that often comes to mind when I think of Black Duck is of Daffy and his friends flying across the sky when Elmer Fudd & Co. start blasting from down below. On the other hand lawyers and spies can also use Black Duck software, so security through obscurity may be a bad move.
For the government this is an opportunity to choose its attitude regarding encryption, which has been an issue for software developers going on 20 years now. Pretending that the U.S. is the only home of this stuff is just plain silly and rules should be uniform. The encryption wars should have ended a decade ago.
October 22nd, 2009
Metasploit finds another way to go commercial
The Metasploit Project has found a way to go commercial without turning its design team into suits, as it was acquired by Rapid7.
Details on the deal were not released, but Rapid7 did go through a $7 million venture financing round last year with Bain Capital.
Metasploit, which is a penetration testing project, will be integrated with Rapid7’s NeXpose vulnerability management product.
In reaction to this deal the usual suspects made the usual noises, worried that Metasploit may go closed source or take its eye off the ball, but to founder HD Moore it’s all good.
He revealed in a blog post called Metasploit Rising that he’s been working on the project as a hobby for six years, but he will now have a full-time job as Chief Security Officer for Rapid7. The Metasploit developer who goes by the nom de keyboard Egypt will also go on salary at Rapid7. (Don’t knock it if you haven’t tried it.)
Projects get commercial arms all the time, with lead developers often becoming executives like Dries Buytaert at Drupal or Matt Mullenweg at WordPress. This is generally received with much rejoicing among community members. It means software will get regular updates and they can obtain professional help when their questions go beyond what the community can answer.
This deal seems like just another way of doing the same thing, only the founders get to stay at their keyboards, in development, without having to become salesmen or magazine cover boys. The concern is whether the commercial sponsor/owner has the same love of the code and the community that the founders did.
I can’t answer that for certain, but that’s the way toward profit. If a community has value, and that of Metasploit certainly does, then Rapid7 would be foolish to do anything but support it.
October 19th, 2009
Microsoft breaks Firefox
Mozilla vice president for engineering Mike Shaver is being polite about it, but basically Microsoft pushed some software into Firefox last week that left users vulnerable to attack.
The Windows Presentation Foundation browser plug-in (which those with a sense of humor now call Windows Thepresentation Foundation, or WTF), along with the .NET Framework Assistant add-on that arrived with .NET Framework 3.5 SP1 (which is now OK), were originally pushed into Firefox through Windows Update in February, and the add-on’s cannot-be-uninstalled problem was fixed in May.
On Tuesday Microsoft pushed a patch to fix the problem within Internet Explorer. So if you’re patching your Microsoft browser your Firefox is safe. Let me repeat that. Microsoft insists its MS09-054 patch made even Firefox users safe.
But if you’re not following Microsoft directions then, WTF, you may now be vulnerable to exploit. So Mozilla told Microsoft it would “blocklist” both the WTF plug-in and the .NET Framework Assistant add-on, backing off on the latter after discussions with Microsoft.
The WTF plug-in runs XAML Browser Applications (XBAPs), applications written in the XML-based XAML markup, inside the browser. But the plug-in was open to a “drive-by” exploit, in which merely visiting a specific Web page would download malware.
I’m reading a lot of blog posts calling this deliberate, even malicious. I don’t think it is. I suspect Microsoft is confusing its convenience with users’ security desires, rationalizing that this power lets it fix security holes automatically.
But its technology makes Microsoft the potential source of great big security holes, which can leave it with egg on its collective face. The kindest thing one can say is that this is vaudeville comedy. Others will call it burlesque or, perhaps, a horror show.
What’s your view?
October 5th, 2009
How open source defends itself in the PR wars
At first, opposing candidates were shocked when Web users used the Web to fisk their latest campaign charges, often turning them back on the attacker inside the same news cycle.
They adapted, and eventually companies like Nominum will, too.
I offered snark in reaction to Nominum’s attack on BIND as “legacy freeware”. But it did not take long for the DNS community to offer more:
- Nominum was subject to DNS cache poisoning attacks that open source alternatives were not.
- Nominum’s Web server runs on Apache, which is open source.
- Nominum was founded to develop a version of BIND.
Nominum’s PR people did the best they could under the circumstances, but they were Custer at Little Big Horn, surrounded and under constant fire.
Open source attacks tend to be like zombies in that they demand human sacrifices before they go away. The Skye executive who started this kerfuffle, Jon Shalowitz, might want to avoid any open mics for a while.
Next time Jon and his fellow Stanford Business School alums get together for a chat he’ll have a story for them.
October 2nd, 2009
Open source and forced obsolescence
One of the primary reasons for FOSS was to fight forced obsolescence.
When something works well you don’t want to spend good money to replace it. Different is not always better.
But many proprietary companies force you to upgrade anyway. It’s necessary for their business models. A company that sells the market once can’t keep paying its people, so the old stuff must wear out in some way and you must insist the new stuff is better.
I know many people who chafe at this. For them open source is a godsend. They can ignore the siren call of change, use what works, and save money.
But obsolescence is a double-edged sword.
One of the biggest problems open source projects have is that users resist security updates. Unless you patch your stuff when called upon you are insecure, an easy mark for a hacker who can exploit the old code.
In this way bad guys become the best marketers you have. Security patches maintain the link between buyer and seller, providing a steady stream of service that buyers find worth paying for.
Security patches don’t make software functionally better. They are simply necessary, especially if your open source runs under Windows.
But you are left back where you started. The project has a continuing obligation to patch, and a continuing reason to keep dinging users for support. If the project fails users still have the code, but they are on their own against the bad guys.
So is forced obsolescence really a problem, or is it a challenge?
September 24th, 2009
The state of open source integrity is pretty good
One reason I went off on Skye calling BIND “legacy freeware” yesterday is because I assume open source gets better with age, and hard work.
While I was writing, Coverity was hitting my inbox with its annual Coverity Scan Open Source Report, an annual analysis of the integrity of open source software.
The results were pretty good. The “density” of open source defects has been cut 16% in just three years. We’re talking here of popular open source programs such as Firefox, Linux, PHP, Ruby and Samba, for both consumer and business markets.
The Coverity Scan service has identified over 11,200 defects, which have since been fixed, since 2006. Some 180 programs are now in the program.
Coverity uses a system of “rungs” to rank the integrity of programs, and says open source is moving up the rungs smartly. OpenPAM, Ruby, Samba and tor are the first open source programs to make it to Rung 3, the company said.
Coverity is also collecting comments on the scan at its blog.
It is often assumed, in the proprietary world, that old software is stale software. It gets stale in terms of sales, and the development effort can decline with time, as its owner moves on to other projects that make more money. Old products become different products, and old versions are forgotten.
The Coverity Scan effort, and the work of projects to support it, proves this is not the case in the open source world. Older software can be better software, just like older writers can be better with experience.
September 21st, 2009
Open source does not work well for bad guys
While some researchers express fear of malware writers using open source to improve their work, a C|Net investigation shows it really does not help them.
Authors of the Limbo Trojan, the most popular such program in the world in 2007, tried the open source model to reverse a slide in fortunes, Nick Heath wrote. It did not help.
The big problem? Releasing the code hands security companies everything they need to write an identifying virus “signature” for it. Even if you enhance the base program, the original signature will still identify the derivative, at least until the code is repacked or rewritten enough to defeat that signature.
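As an added illustration of that point (example code written for this edit, not from the C|Net piece, the Limbo authors or any scanner vendor): a minimal matcher for ClamAV-style hex signatures, where `??` stands for any single byte and `*` for any run of bytes. The signature name and all byte patterns are constructed for the example and are not real Limbo signatures. Run against a constructed base sample, a derivative with new code spliced in, and the same base trivially packed with a one-byte XOR, the signature fires on the first two and misses the third, which is exactly the caveat above: signatures survive enhancement, not repacking.

```python
import re
from typing import Dict, List

def clamav_hex_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate a ClamAV-style hex signature into a compiled bytes regex.

    Supported syntax (a subset of ClamAV's): pairs of hex digits for fixed
    bytes, '??' for any single byte, '*' for any run of bytes.  This is a
    minimal re-implementation for illustration, not ClamAV's own matcher.
    """
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sample: bytes, db: Dict[str, "re.Pattern[bytes]"]) -> List[str]:
    """Return the names of every signature in db that fires on sample."""
    return [name for name, pat in db.items() if pat.search(sample)]

# Constructed signature database (hypothetical name and bytes, not a real
# ClamAV entry): a call/pop/sub-ebp prologue, then anywhere later the
# string "Limbo".
SIG_DB = {
    "Constructed.Trojan.Limbo-like": clamav_hex_to_regex("e8????????5d81ed*4c696d626f"),
}

# Constructed samples standing in for the published base program, a
# derivative that bolts on new code, and a copy packed with a one-byte XOR.
BASE = (b"\x55\x8b\xec"                                        # push ebp; mov ebp, esp
        + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x05\x10\x40\x00"  # call $+5; pop ebp; sub ebp, imm32
        + b"\x00Limbo\x00")
ENHANCED = BASE[:15] + b"\x90" * 32 + b"NEW_FEATURE" + BASE[15:]  # new code spliced in after the prologue
PACKED = bytes(b ^ 0x5A for b in BASE)                             # same code, trivially packed

def demo() -> Dict[str, List[str]]:
    """Scan all three constructed samples; base and enhanced hit, packed does not."""
    return {
        "base": scan(BASE, SIG_DB),
        "enhanced": scan(ENHANCED, SIG_DB),
        "packed": scan(PACKED, SIG_DB),
    }

if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:9s} -> {hits or 'clean'}")
```

The `*` is what lets the signature survive the enhanced variant: the derivative keeps the distinctive prologue and the string, only with more bytes between them. The packed copy keeps neither in the clear, so a byte signature on the unpacked code is useless until the scanner can unpack it, which is why real engines pair signatures with unpackers and emulation.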
It’s in the nature of crime. A bad guy’s actions can only work if they are done in secret.
Secrecy, in fact, is behind the big new infection trend, “drive-by” infections. A malware writer quietly compromises a legitimate Web site (or hijacks its domain), plants the malware there so it is the first thing loaded by a visitor, then works to get page views as any other web marketer would.
Or, as The New York Times found out, a malware author may masquerade as a legitimate advertiser and place their work, as an ad, directly onto the pages of a widely-read site.
There is nothing open about any of this.
While malware writers are finding only limited success in open sourcing their work, the open source movement has been an enormous boon to the good guys. Programs like ClamAV and Snort use the open source process for both development and distribution.
The bottom line here is that open source shines a light on code, and like cockroaches bad guys don’t like the light.
September 14th, 2009
Would you march for Internet privacy?
It’s marching season again, time for the political opposition to take it to the streets, and show its strength in numbers.
But this article is no tea party. It’s about another march that happened over the weekend, in Germany. Over 10,000 people marched in Berlin for data protection.
They were protesting a new law meant to guarantee police the right to track back Internet traffic, with tamper-proof IDs and special police.
Germany has long been a world champion at seeking to monitor its citizens online, its avowed goal to make online law conform to what is allowed offline.
So if the German law says the government has a monopoly on gambling, so should it be online. If German law says thou shalt not speak of Nazis, so should it be online. If sharing files is truly a copyright violation, the law must halt it, regardless.
The American reaction to such government actions is generally to engineer around them, or to laugh them off. My spam folder says they have a point. Yet even here there are magic words that cause most voters to surrender any zone of privacy once offered by someone in authority. Watch.
Child pornography. (Open your laptop.) Terrorism. (Take off your shoes.)
The Internet, being based on computing, is a binary sort of place. To be effective, laws must become absolute. Which means, at some point, we’re trusting the government with the medium’s future.
In Europe, it should be noted, data privacy marches are the property of leftists, Greens, even pirate parties. In America, right now, it’s the right that’s out of power, fearful of an intrusive government.
Anyone expecting a tea party for the Internet?
August 6th, 2009
Code Red for XML open source
In a sign of things to come, Codenomicon has issued an alert against “multiple critical security issues in XML libraries,” which include libraries from Sun, Apache, Python and GNOME.
Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland’s CERT-FI on remediation.
Recommendations and patches are already going out.
Both ZDNet’s UK security team and our own Joe McKendrick have been putting out the word, but it’s also important to note where we are in terms of Bruce Schneier’s famous “window of exposure” chart, first published in the year 2000.
The announcement of a vulnerability is a virus’s second level of fame. You know, who’s virus, get me virus, get me something like virus, get me young virus, and who’s virus. An announcement alerts virus writers to a vulnerability, and exploits follow, meaning the risk to users immediately starts jumping.
The peak moment of risk comes when a vendor discloses a patch, but it does not start declining until after users install the patch.
All this means that we are now entering the key window of vulnerability to this problem, and that window closes only after all your XML libraries have been updated.
If you own any of the following libraries you need to be alert and ready to patch:
- Python libexpat
- Apache Xerces
- Sun JDK and JRE 6 Update 14 and earlier
- Sun JDK and JRE 5.0 Update 19 and earlier.
Not only will servers and PCs be vulnerable until patches are installed, but so will embedded systems and mobile devices.
Sun says the fix is in JDK and JRE 6 Update 15 and JDK and JRE 5.0 Update 20, but warns it has no workaround for earlier versions, so this may be around a while. Xerces got out a patch in June and one is in process for Python.
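A quick way to check an inventory against the JDK/JRE ranges listed above (an added example for this edit, not from Codenomicon, CERT-FI or Sun): parse the banner that `java -version` prints and compare the update number with the last affected update for that family. The banners below are constructed, not captured from real hosts, and the function only understands Sun’s `1.x.y_NN` version scheme. Families the advisory does not list, and distribution-built OpenJDK/IcedTea packages that follow their own advisories, come back as `None`, meaning out of scope rather than known safe.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the list above: family -> last affected update
# number (6 Update 14 and earlier, 5.0 Update 19 and earlier).
LAST_AFFECTED_UPDATE = {6: 14, 5: 19}

# First line of `java -version` for Sun's JDK 5/6, e.g. 'java version "1.6.0_14"'.
_BANNER = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?"')

def parse_java_banner(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, or None if the
    banner is not in the 1.x.y_NN form used by Sun's JDK 5 and 6."""
    m = _BANNER.search(banner)
    if not m:
        return None
    family = int(m.group(1))
    # A bare "1.6.0" with no _NN suffix is the GA build, i.e. update 0.
    update = int(m.group(2)) if m.group(2) else 0
    return family, update

def is_in_affected_range(banner: str) -> Optional[bool]:
    """True if the JDK/JRE falls inside an affected range, False if it is a
    later update of a listed family, None if the banner is unparseable or the
    family is not covered by the advisory text (out of scope, not known safe)."""
    parsed = parse_java_banner(banner)
    if parsed is None:
        return None
    family, update = parsed
    last_bad = LAST_AFFECTED_UPDATE.get(family)
    if last_bad is None:
        return None
    return update <= last_bad

# Constructed banners, not captured from real hosts.
SAMPLE_BANNERS = [
    'java version "1.6.0_14"\nJava(TM) SE Runtime Environment (build 1.6.0_14-b08)',
    'java version "1.6.0_15"\nJava(TM) SE Runtime Environment (build 1.6.0_15-b03)',
    'java version "1.5.0_19"',
    'java version "1.5.0_20"',
    'java version "1.4.2_19"',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b.splitlines()[0]:28s} affected={is_in_affected_range(b)}")
```

One practical catch when you drive this from an inventory script: `java -version` writes its banner to stderr, not stdout, so with `subprocess.run(["java", "-version"], capture_output=True, text=True)` you must pass `.stderr` to `is_in_affected_range`, and a host with several JREs (browser plug-in, application servers) needs each one checked, not just whatever is first on `PATH`.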
July 30th, 2009
Ending DNS abuse with European open source
A collection of European Internet insiders have announced OpenDNSSEC, a project aimed at managing the security of domain names on the Internet.
The group notes that unsigned data in DNS caches can no longer be trusted, and a white paper says automated checks will make the creation of signed zones routine, combining DNS records with digital signatures.
Sponsors in Europe include the UK registry Nominet, NLnet Labs of the Netherlands, the Internet Infrastructure Foundation .SE in Sweden, the Swedish Kirei AB consultancy, SIDN, which maintains the .NL Netherlands domain, SURFnet, which handles the same country’s university network, and English DNS consultant John Dickinson.
Domain name abuse, forged answers that send users to a server the attacker controls, is one of the main tools hackers have for getting past security systems, and making domains tougher to forge is something that is devoutly to be wished. The announcement of OpenDNSSEC follows an Internet Engineering Task Force meeting in Sweden.
The poisoning of DNS caches has become commonplace since Dan Kaminsky demonstrated last year, in 2008, how the DNS security model is flawed.
April 16th, 2009
OpenRemote home control delivered on iPhone
Marc Fleury’s OpenRemote project has delivered its first home automation console - for the iPhone.
The software sends signals via WiFi to a hardware device which in turn is designed to work with home automation protocols you never heard of — X10 and KNX.
I started writing about this technology in 2003, calling it Always On because, well, it is. Sensors, motes, and other low power devices can be controlled via a wireless network and then, remotely, via a cellular link.
One of my great fears from that time has proven true, in that the application spaces have parted and are becoming incompatible. Medical applications require FDA approval, while those in home automation need only please the market.
The other important point is that, while the medical market is being pioneered by real companies that can install and service their gear, OpenRemote remains, as of this writing, a hobbyist market.
That needs to change. To succeed OpenRemote gear needs to be productized, and turned into services companies can sell.
But I’m certain that’s coming.
February 6th, 2009
Fortify pushback is easily fisked
One of the great things about this medium is how, unlike TV, it’s able to take apart spin and then dogpile on the spinner.
It’s easy to see when you contrast the debate over President Obama’s stimulus package and what happened when Richard Kirk of Fortify tried to claim open source is insecure.
The stimulus debate has been marked by polemics and an incoherent confusion over what stimulus is and what it does. Go ahead, use this talkback thread to argue the stimulus, but I guarantee you will generate more heat than light.
This is not an argument on the merits, but on the argument itself. It is dramatic, it is personal, and maybe that’s the way politics has to be.
But open source is not politics. Open source is business. And when Kirk decided to make a political attack on the Conservative call for more open source, folks were quick to look inside the claim, take it apart, and ridicule it — in Internet terms “fisk” it.
In the case of Fortify, Kirk was relying on his own company’s study of 11 Java packages made last year, which relates to the general subject of open source about as much as this blog item relates to Wolf Blitzer’s Situation Room.
Our own Dave Rosenberg also caught a howler, a blanket statement that closed source packages are patched more quickly because the maker has an incentive to do so. I’m still waiting for Vista to work.
Now it’s true that some publications just took what Kirk said and ran with it. But counter arguments are also coming out at Internet speed. As is the revelation that Kirk’s job is not so much to solve problems as to cry wolf over security threats.
He’s a professional security agitator, in other words. Not that there’s anything wrong with that. In fact we need more Richard Kirks. But his expertise is not in government, nor in open source, and his game is to get you to increase your costs, not cut them.
By the way, using the Internet you can not only learn about Kirk’s background and expertise, but that of all his critics, including yours truly, and make your own determination on his argument. The Internet is both broad and deep, not broad and shallow like TV, and the point today is that makes all the difference.
February 2nd, 2009
Will Pentagon take open source seriously?
UPDATE: The current forge.mil address requires a PKI credential from the military for access. A public site describing the new forge has been set up at http://www.disa.mil/forge.
Tech Republic’s Jack Wallen reports that the Department of Defense has established its own Sourceforge clone at Forge.mil.
There is much rejoicing going on at Slashdot but I think we have to remain skeptical. Defense is notorious for appearing to support change while the bureaucracy continues to stifle it.
What’s most important to note is we’re not just talking about security here. Jack reports that the first fruit of this effort is a system for automating the secure configuration of Solaris systems.
We should also note that Defense programmers also have access to the rest of the open source mountain. It’s not necessary for the military to run its own molehill in order to gain the public benefits open source provides. Just let its programmers out.
Jack is concerned that access to the new forge is strictly limited, with only 20 projects due to go online in the next six months. That should not be a problem if the new forge encourages use of other forges, and of open source code generally. In theory forge.mil should only be necessary for projects which need special security before being used.
Some Slashdotters are skeptical of the whole story. It’s not yet on DefenseLink. It’s hosted at a publicly-registered site called forgemil.com. Access procedures seem to be squirrelly.
Point is we’re at the start of a process, one milestone down a long road. What happens to programmers who bring things in from outside — do they win promotion for initiative or do they get pushed out?
That’s a more important question to me than whether there is a forge site in the military network.
January 29th, 2009
Microsoft makes a real open source move
Whenever Microsoft does something involving open source, look at the fine print.
Sometimes it’s under a bogus unapproved license written by Microsoft lawyers. Sometimes it’s under a Microsoft license its lawyers got through the OSI, after much wailing-and-gnashing-of-teeth.
But this is the real deal. This is Apache 2.0 licensing.
And this is pretty cool code, too.
Specifically we’re talking about Web Sandbox, which isolates untrusted Web content, such as third-party scripts and widgets, by virtualizing the browser environment they run in. OK, that’s not a cool thing, but wait.
As Ray Valdes of Gartner Group has noted, this can also protect against cross-site scripting, an increasingly common attack of hackers against Web sites of all types. So it is a cool thing.
It’s a framework that works in JavaScript, requires no plug-ins, and offers consistent support for Web objects, writes Peter Galli. He also notes that Microsoft is a sponsor of the Apache Software Foundation and Sam Ramji delivered the keynote at its last conference.
If this move is followed up by others along the Apache line it will be a very good thing. It would not help my traffic if Microsoft becomes a non-controversial word in the open source community, but it will help open source.
January 1st, 2009
The biggest threat to open source in 2009
Security and updates, which are often the same thing.
There is no longer any doubt that hackers and malware writers are going after open source projects as they once went after Windows. Vulnerabilities are being found, discovered, created, exchanged.
The best protection against vulnerabilities is to keep software updated, but most open source, beyond whatever a Linux distribution’s package manager happens to carry, lacks a push update service. That’s one part of the Windows license that is worth paying for, and there does not seem to be an open source equivalent.
An exception is Firefox. But how many take advantage of this? And how tied is Firefox to updating for security purposes? Remember we’re talking about pushing updates, not asking users to pull them.
In any case, the enterprise market is more important here. Servers hold more secrets than clients.
Palamida is trying to build a model for supporting updates, as I described in November. Such a service could, if executed correctly, even give many open source projects a valid business model.
But until this ramps up (hopefully in a competitive market), enterprise managers have an easy way to say “no” to open source.
Regardless of how dangerous this is, the fact that managers feel it’s dangerous makes it so.
This may be the first challenge to open source’s growth in the enterprise since that growth began, and for some it may prove intractable.
There is a way forward, using the enterprise business model, but how many projects will be able to exploit it in a professional way and retain their enterprise credibility remains open to question.
It’s a story I’ll be watching closely as the year unfolds, and I suggest you do the same.
December 16th, 2008
Which open source projects are most secure?
Palamida, which has been adjusting its business model to concentrate on issues of security and updates, rather than licenses, says security is the big issue hampering open source adoption.
Having discussed this issue with them recently it is easier to see where they are coming from. Maintaining the latest version of software is the best way to improve security, and many people don’t update their open source packages routinely.
But instead of looking at the glass as half-empty this Christmas, Palamida is offering the glass half-full approach. Specifically, they’ve got a list of the 25 most secure open source projects out there posted on their Web site.
There are what I’d call the “usual suspects” on the list (Eclipse, NetBeans, JasperReports). Projects backed by strong companies can afford Palamida’s services and the attention security demands.
But there are also some surprises. I picked out a few:
- The Yahoo User Interface library. Who knew? Also note I found no Google projects on the list.
- Apache Derby. The Apache folks have so many fine projects it was surprising to see this little database engine as the only one listed.
- libpng, the PNG reference library. It lists just one dedicated maintainer and 8 contributors, proof a project does not have to be big to be secure.
I think of this as a Christmas stocking to all IT managers focused on security. Open it at your leisure.
November 20th, 2008
Some open source attacks on Windows may be unfair
Pingdom recently did a comparison of uptime for the home pages of major OS distributors — 16 Linux distros, Apple, and Microsoft.
Over the course of a month Apple’s downtime was 2 minutes, putting them in the middle of the pack. Microsoft’s? An hour and 19 minutes.
This proves what, exactly? That we all need to switch to Knoppix, whose home page experienced zero downtime? That Arch Linux really stinks?
Microsoft’s corporate home page is a favorite target for script kiddies and no-goodniks everywhere. The page is complex and constantly changing. And no matter how big your budget the page, in the end, is always the work of a small team.
I can’t imagine Microsoft has someone whose job it is to sit in front of a terminal with the home page in front of them and jump or ring an alarm bell if it goes down.
Now, I have to give Red Hat credit. Both their corporate and Fedora home pages were bulletproof during the test period. But what if the power goes out tomorrow? Is their software suddenly bogus?
There are a lot of ways to compare operating systems in a Web environment. One is how your own home page holds up, and the pages behind it. Another is to look at faults over a period of time and count only those tied to software.
But this comparison, to my way of thinking, is unfair and silly.
Let me end on a humorous anecdote. My son, who is in high school, has a running gag. He wants us to give him a grant so he can create a “time machine,” based on an experiment in which he throws rocks at our house until it goes back in time.
Should I send him to Pingdom for the grant money?
November 19th, 2008
Will identity be open source?
The release of ArisID, a Version 1.0 identity framework from Open Liberty, could be a milestone in corporate identity.
It could be Sun’s second biggest contribution to open source, second only to Java in importance.
It combines two projects formerly code-named Aristotle and Wakame, the first a governance framework, the second a client library.
Classics scholars may remember Aristotle as the first Greek to take identity seriously. Try the wakame with sake and some rice crackers before the sushi comes out — yum-o.
The release follows six months of relative radio silence from Liberty, which last posted news in May. One of the last missives before this announcement began as follows:
I am in Mountain View, surfing on google’s ubiquitous wifi, finishing up preparations for my IIW demo. It has been a very busy (yet somewhat behind the scene) couple of months for OpenLiberty
It’s fun to imagine that right after this the monolith got him.
Seriously this may have been one of the the toughest jobs open source has yet attempted. Not from a coding standpoint, but from a political standpoint.
Not only have project managers had to explain and defend the need for secure identities to a consumer audience which thinks of it as Big Brother, but they had to navigate among the interests of several big-name vendors — Sun, Oracle and IBM among them.
The biggest achievement was to implement CARML (Client Attribute Requirements Markup Language), a sort of HTML for identity management, over existing protocols like LDAP, SAML, WS-Trust, ID-WSF, and others.
Client code is simplified in what are called ArisID-Beans, based on CARML declarations created at the top of an application — so it takes the skills of a web developer, not a programmer, to make it happen and follow the work.
That’s important because following the work, not just that of the people on a project but the person who set up the rules, is an essential element in achieving transparency.
Transparency, it turns out, may be the key that unlocks the use of secure identity to the world. Watching the watchers is as vital as watching what the watcher watches.
November 4th, 2008
Private browsing added to Firefox 3.1 beta code
Private browsing was added to the Firefox 3.1 pre-release code today, just hours before the scheduled code freeze on beta 2.
Private browsing is referred to as the “Don’t Leave A Trace” feature because it allows users to hide online activities and one’s surfing history.
Getting this feature into version 3.1 was especially critical since Google’s recently released Chrome browser, Microsoft Internet Explorer and Apple Safari all have it. The feature was originally expected to be in Firefox 3.0 but wasn’t quite ready when that version shipped in June.
Here’s what private browsing will and won’t do, as noted by its developer.
“Private Browsing aims to help you make sure that your web browsing activities don’t leave any trace on your own computer,” wrote Ehsan Akhgari, the feature’s developer. “It is very important to note that Private Browsing is not a tool to keep you anonymous from websites or your ISP, or for example protect you from all kinds of spyware applications which use sophisticated techniques to intercept your online traffic. Private Browsing is only about making sure that Firefox doesn’t store any data which can be used to trace your online activities, no more, no less.”
Mozilla has stated that the Beta 2 code freeze is 11:59 pm EST on Nov. 4.
Paula Rooney is a Boston-based writer who has followed the tech industry for almost two decades. See her full profile and disclosure of her industry affiliations.