Internetnews Blog

Google laughs off the 'Osborne Effect'

David Needle — 2009-11-20T17:56:21-05:00

I’m guessing not many folks at Google are old enough to remember Adam Osborne (though CEO Eric Schmidt is one). Back in the ’80s Osborne’s namesake Osborne Computer Corp. introduced the first popular portable computer.

In those days, a 25-pound luggable qualified as portable and the Osborne sold like hotcakes.

But It was also one of the great early flameouts of the PC era. Osborne made the mistake of pre-announcing a successor machine months before it could be delivered and sales of its existing line dried up sending the company into a tailspin it never recovered from. The preannouncement, while according to some accounts wasn’t the main cause of Osborne’s demise, became known as the “Osborne Effect,” a cautionary tale for any company considering pre-announcing products before they’re available.

But there have been many significance pre-announcements of new tech products. The famously secretive Apple previewed the iPhone six months ahead of delivery. The company said the details would have come out in its FCC filing so it figured better to spill the beans on its own terms. More importantly, Apple didn’t have to worry about dampening sales since the iPhone was its first foray in the phone market.

Blue Coat securing local networks with the Cloud

Sean Kerner — 2009-11-20T17:18:38-05:00

From the 'Faster' files:

A big emerging trend in enterprise IT this year has been the move to the Cloud, for almost everything. One particular area where I'm seeing a strong use of a hybrid cloud/on-premise model is for security and one of the chief proponents of that model is enterprise IT vendor Blue Coat (NASDAQ: BCSI).

This week Blue Coat announced the release of new ProxySG and ProxyAV web gateway appliances and the Web Pulse cloud service that complements them both.

The Blue Coat ProxySG network gateway appliances now support up to 60,000 users in a single appliance which is a whole lot of power and overall they're claiming a 5x performance gain over their previous generation. The bulk of the improvements in speed come by way of multi-core related threading and optimizations.

I spoke with Blue Coat's Chief Scientist Mikko Valimaki about the new releases and he was keen on pointing out how important the cloud element is to the overall solution.

Blue Coat has a cloud security service called WebPulse which does some interesting real time threat analysis. In addition to being part of Blue Coat's enterprise products, it's is also freely accessible by home users by way of Blue Coat's K9 security service.

PHP 5.3.1 released for 5 security flaws, 113 bugs

Sean Kerner — 2009-11-20T10:28:53-05:00

From the 'Yum/Apt-Get Update' files:

The first update to PHP 5.3 is now available providing 5 security fixes in addition a long list of bug fixes to the popular open source dynamic language.

PHP 5.3 was released at the end of June, so the 5.3.1 point update has been in the works for five months at this point.

On the security fix front two of the bug fixes are for safe mode items which could have left a PHP system at risk:

Fixed a safe_mode bypass in tempnam().
Fixed bug #50063 (safe_mode_include_dir fails).

The three other fixes are a collection of different issues.

Among them is a new "max_file_uploads" INI directive, which according to the PHP 5.3.1 release notes, "...can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion."

Sanity check are added to exif processing and there is a fix for an open_basedir bypass in posix_mkfifo().

While the security fixes are obviously an important reason for PHP users to migrate immediately, the long list of non-security items is also noteworthy.

Fedora 12 updates package installation policy

Sean Kerner — 2009-11-20T10:06:22-05:00

From the 'Error Correction' files:

The public milestone release of Fedora 12 this week had one big flaw in it that is now set to be corrected.

One key standard practice on nearly every Linux system I have ever seen or used is the separation of root and user roles. New software installation that affects an entire system typically can only be installed by the root user. That's a behavior that was modified with the Fedora 12 release such that a local user could install signed applications without root authorization.

Now Fedora is reversing that policy.

"After more discussion and thought, though, the package maintainers have posted to the fedora-devel-list mailing list agreeing to provide an update to Fedora 12's PackageKit," Fedora Project Leader Paul Frields wrote. "The update will require local console users to enter the root password to install new software packages."

Makes sense to me. What doesn't make sense is why the new policy was put into Fedora 12 in the first place.

Fedora developer Owen Taylor though has put together a lengthy post about the developer rationale for the initial policy change and I can kinda/sorta see why at first it might have made sense for some people (but not all).

"In Fedora 9, 10, and 11, the first time a user tried to install a package from the Fedora repositories, they would be prompted for a root password, with a checkbox to remember that permission for the future. (Before Fedora 9, you had to enter the root password every time.)," Taylor wrote.

Mozilla earned $78.6 million in 2008

Sean Kerner — 2009-11-19T15:57:18-05:00

From the 'Free Software Making $$' files:

Mozilla gives its software away for free, yet year after year they keep making money. For the 2008 year, Mozilla is just now disclosing how much revenue it generated and it was another growth year for the open source group.

Revenue at Mozilla was reported at $78.6 for 2008 which is a 5 percent increase over the $75.1 million reported in 2007. The revenue growth rate appears to have slowed somewhat in my opinion. Back in 2005, Mozilla's revenues were only $53 million.

As has been the case over the last several year the bulk of Mozilla's revenue is driven by search revenues generated from Firefox by Google, Yahoo, Amazon and eBay. So whenever you search using the default start page in Firefox, you're actually helping to support Mozilla.

Digging deeper into Mozilla's financial report shows some other interesting tidbits of information.

For example, Mozilla actually lost $7.8 million (which is taken into account as part of the revenue calculation) from its investments. As well Mozilla's expenses in 2008 skyrocketed by 48 percent to $49.4 million up from $33.3 million in 2007.

Google Chrome OS goes open source in Chromium OS

Sean Kerner — 2009-11-19T13:58:28-05:00

From the 'Browser Operating System' files:

Google today has officially open sourced its under-development Chrome OS operating system under the Chromium OS project.

The code is available now at: http://www.chromium.org/chromium-os/building-chromium-os - I'm currently in the process of trying to build a full system now (so more to come from me soon). Right now the gziped Tarball is 232 MB (pretty small for an OS) and the official build milestone number is 0.4.22.8.

Google is working with Canonical, the lead sponsor behind the Ubuntu Linux project on part of the underlying OS. Chris Kenyon VP of OEM services at Canonical blogged today Canonical is contributing engineering to Google under contract. So, that means that there IS a link between Ubuntu and Chrome OS! That's a surprise. But hey it's still all open source.

By making the project fully open source,Google is opening the project up to participation and comment from interested developers. It also means that they'll be contributing code back to the open source community, which ultimately means that other vendors could benefit as well.

Aside from the Chromium OS announcement today, Google has provided a whole lot of interesting information about Chrome OS.

During a live event (that was also webcast) today Google detailed what we should all look for in their new ChromeOS.

Basically it's all about the web. Apps are in the cloud as well as users' data. Sundar Pichai, VP of Product Management at Google explained that the local hard drive in Chrome OS should just be thought of as a local cache for syncing with the cloud. That's cool.

Going a step further, by design Chrome OS will specify a reference hardware architecture which will require Solid State Drives (SSDs) instead of regular hard drives. The idea is to provide for a faster overall user experience.

"Every application is a web application so users don't have to install program," Pichai said.

Pichai also showed off how Chrome OS would have a new apps tab to make it easier to load and access apps.

The screenshot (left) gives us a glimpse of how that new apps tab may look. Those apps are basically just url shortcuts, organized in a window.

There is also an Mac OS 'fish-eye' type of interface for scrolling between open windows which looked pretty interesting as well.

Schmidt, Otellini join tech lobby

Kenneth Corbin — 2009-11-19T12:15:55-05:00

The chief executives of Google and Intel have joined the executive committee of TechNet, a lobbying group representing the technology industry.

TechNet announced the appointments of Google's Eric Schmidt and Intel's Paul Otellini along with word that Rey Ramsey would be taking over as the group's CEO in January.

Ramsey has been serving as chief executive of One Economy, a nonprofit that focuses on delivering technology training and Internet access to low-income people.

In his role at One Economy, Ramsey has figured prominently in the broadband policy discussion, frequently appearing at FCC proceedings and congressional hearings.

Cisco CEO John Chambers, who co-founded TechNet and currently co-chairs the group, called Ramsey's selection "an inspired choice."

Schmidt and Otellini will join tech luminaries such as EMC CEO Joseph Tucci, Genentech CEO Arthur Levinson and Symantec President on CEO Enrique Salem on TechNet's executive committee.

Google Chrome Frame security flaw discovered by Microsoft

Sean Kerner — 2009-11-19T10:55:18-05:00

From the 'I Told You So' files:

Back in September, Google launched Chrome Frame which embeds a Chrome-type browser inside of a Microsoft Internet Explorer(IE) browser. At the time, Microsoft claimed that Chrome Frame could make IE less secure.

Guess what? Turns out Microsoft was right.

Late Wednesday, Google issued an update to Chrome Frame with version 4.0.245.1 for a cross-origin bypass security vulnerability.

"An attacker could have bypassed cross-origin protections," Google warned in its advisory. "Although important, "High" severity issues do not permit persistent malware to infect a user's machine. We're unaware of any exploitation of this issue."

What's also particularly interesting about this Chrome Frame vulnerability is that it was not discovered by Google itself. It was discovered by Microsoft.

So to recap, Microsoft was worried months ago that Google Chrome Frame put IE at risk and now they've proven it.

Mozilla Firefox 3.6 Beta 3 released with 83 bug fixes

Sean Kerner — 2009-11-18T12:09:14-05:00

From the 'Coming Soon, Very Soon' files:

The third beta of Mozilla's open source Firefox 3.6 browser is now adding fixing 83 bugs and adding several new features.

Of the 83 bugs fixed, 13 have been tagged as being critical. It looks to me like the majority of those critical flaws are crash related items.

One particularly interesting critical bug fix is one for the crash reporter itself. According to Mozilla".., the updater crashes when trying to update with crash reporter open."

One of the key goals overall for the Firefox 3.6 release is to increase performance. To that end, there is at least one new feature in Firefox 3.6 Beta 3 that will help to support that goal. From a technical perspective, Firefox 3.6 Beta 3 now implements the async attribute of script elements. Basically its a way run scripts asynchronously to improve overall page load times.

Another new change is the component directory lock-down for add-ons.

"In addition to the standard mechanism for extending the browser via add-ons and plugins, though, there has historically been another way to do it," Mozilla developer Johnathan Nightingale wrote. "Third-party applications installed on your machine would sometimes try extend Firefox by just adding their own code directly to the "components" directory, where much of Firefox's own code is stored."

That's a problem for a number of potential stability and security reasons, but it's a problem that is being eliminated with Firefox 3.6 Beta 3.

Google Chrome OS: What to look for this week

Sean Kerner — 2009-11-18T09:35:53-05:00

From the 'It's Not Vaporware' files:

Google is holding an event on Thursday to discuss its Chrome OS open source operating system. Details are sparse at this point, though the official media invitation gives us some clues that we'll get some real technical insights.

"This event is a follow-up to the announcement we made in July, and Sundar Pichai, Vice President of Product Management will be speaking along with Matthew Papakipos, Engineering Director for Google Chrome OS," the Google media invite states.

Though the official briefing is tomorrow, there is a whole lot that we know today about Chrome OS. There are also a few items that we can speculate on, (which is always good fun in the absence of the official specs).

We know that Chrome OS uses the Chrome Browser, most likely built from the dev-channel for Linux Chromium build. I use Chrome for Linux everyday now and it is a solid, capable and fast browser.

We know that Chrome OS will be Linux based. We don't know which distro (if any) it will be based on. Chromium is available in the .deb packaging format (used by Debian based distribution including Ubuntu), so one obvious guess would be that Chrome OS will in some way shape or form be Debian based as well.

That said, Android (Google's other open source operating system) is not Debian based, so perhaps Google will just build their own Linux distro from the kernel up for Chrome OS. Personally, I think that's the better route for Chrome OS, though they really should stick with a common packaging format (.deb or .rpm) in order to enable some degree of easy packaging for applications.

Mozilla Weave nears release

Sean Kerner — 2009-11-17T13:00:45-05:00

From the 'Open Source Sync' files:

Mozilla this week released the first beta for its browser data synchronization service, Weave 1.0.

I've been tracking Weave for nearly two years now and it sure has been a long and winding road for this interesting project to get close to it's 1.0 release.

At its core, Weave is services backend. Initially the services are all about basic browser data synchronization with support for bookmarks, history, passwords, tabs, add-one and preferences.

So yeah, it's more than just a del.icio.us knockoff.

With the Weave 1.0 beta, Mozilla developers note that the new release, "...marks a significant step towards making Weave Sync a production quality add-on."

Aside from being more stable and usable (in my own limited usage so far), the 1.0 beta includes some functional improvements as well. For one, data is now backed up via an incremental sync behavior. Basically that means the system can sync data more intelligently and in chunks instead of sucking up all of your local system resources.

From my perspective it is critical that Mozilla gets Weave 1.0 up to full release status sooner rather than later at this point. Looking at the competitive landscape, bookmark sync is part of latest Google Chrome builds and it is a compelling feature to have.

Right now Weave is an add-on to Firefox, but I would also hope that sooner rather than later it gets baked into the mainline of Firefox development. Having an add-on directly integrated into Firefox will no doubt increase the adoption and perhaps the practical utility of Weave.

SSL at risk (again), this time Twitter is the first target

Sean Kerner — 2009-11-17T09:18:03-05:00

From the 'Not a Hoax' files:

SSL is of critical importance to all web users as the most commonly used method for securing websites. There is now a new publicly posted exploit technique available for SSL that takes advantage of a renegotiation flaw with TLS <DEFINE:TLS>.

As a proof of concept, security researcher Anil Kurmas has blogged about how TLS/SSL renegotiation can be used to exploit Twitter's HTTPS (that is SSL secured) API.

"All in all, a man in the middle is able to steal the credentials of a user authenticating himself through HTTPS to a trusted website, and CSRF protections do not apply here," Kurmas wrote.

This is extremely serious and in my opinion represents perhaps the single biggest threat to the integrity of the Internet today. Without SSL, ecommerce becomes insecure and the vast majority of the web's population cannot login securely to any website.

Sure there have been SSL threats before.

Most notably, I've seen security researcher Moxie Marlinspike present his ideas at Black Hat on SSLstrip in February, then again in July. Marlinspike however wasn't directly attacking SSL itself, though. His attacks involved a man in the middle type attack as well, but where a regular HTTP user is tricked into thinking they are actually on an HTTPS (SSL) protected site.

The new attack (if I understand it correctly) actually intercepts legitimate HTTPS traffic. It's a subtle but very significant difference.

Obama takes Internet freedom message to China

Kenneth Corbin — 2009-11-16T18:07:28-05:00

In a town hall meeting with university students in Shanghai Monday morning, President Obama tried to strike a diplomatic tone when asked about his views on China's less-than-stellar record on Internet censorship.

"I've always been a strong supporter of open Internet use. I'm a big supporter of non-censorship," Obama said. "This is part of the tradition of the United States that I discussed before, and I recognize that different countries have different traditions."

The question was submitted, fittingly, through the Internet, as the town hall meeting was also available as a live-streaming Webcast.

In defense of a free and open Internet, Obama referred to his success as a candidate organizing supporters online, and alluded to his support for Net neutrality rules, citing everyone's favorite example of the proverbial garage startup that changed the world.

"If it had not been for the freedom and the openness that the Internet allows, Google wouldn't exist," he said.

Linux dominates top 500 supercomputer list

Sean Kerner — 2009-11-16T14:47:37-05:00

From the 'Beefy Penguin' files:

The latest Top 500 Supercomputer list is now out (see my colleague Andy Patrizio's story on InternetNews.com), with the top rig doubling its performance to 1.75 petaflops.

Of particular interest to me is the fact that while multi-core CPU's are the hardware components enabling the fastest computers, it is Linux as the operating system the powers the software.

Just over 78 percent of the top 500 supercomputers run some type of Linux. The official Top 500 Supercomputer site lists 391 of the top 500 supercomputers as using 'Linux'.

Digging a little deeper, there are 32 additional machines that identify themselves as running some version of Novell's SUSE Linux Enterprise Server. There are some 16 that identify Red Hat Linux or one of its derivatives including CentOS.

So doing a little bit of math, at least 88 percent of the list is using some form of Linux, generic or otherwise.

That's astounding. The only other operating system that is even noteworthy beyond Linux is IBM's AIX Unix at 22 systems (or just over 4 percent).

It's also interesting to see how the list has changed over the past nine years.

Cisco blinks and increases Tandberg offer

Sean Kerner — 2009-11-16T10:21:47-05:00

From the 'Kroner, Corona' files:

Over the last several weeks, Cisco executives have publicly said on a number of occasions that their offer $3 billion for Tandberg was a fair and that they'd walk if they didn't get it. To me it looked like a high-stakes game of chicken as Tandberg shareholders held out for more to see who would blink first.

Cisco blinked.

Today Cisco upped their offer to $3.4 billion.

That's right, a $400 million increase on a bid that CEO John Chambers had previously said was already fair. The problem is that under Norwegian law, 90 percent of shareholders need to approve the deal and Cisco didn't have the required percentage.

With the $3.4 billion bid, Cisco said it now has 40 percent of shares agreeing to the bid, which still leaves a big outstanding amount.

"Cisco believes that this revised offer remains consistent with the principles of prudence and financial fairness," Cisco said in a statement. "If Cisco does not achieve the desired level of acceptances, the company will withdraw the offer and evaluate alternative ways to expand our activities in the video communications market. As a result of the revised offer, Cisco has extended the acceptance period until December 1, 2009."

Once again Cisco is making this a take it or leave it offer, but seeing as they have already blinked once, who is to say they won't do it again.