Sun and Oracle Deal Final (at last!)

The huge cloud that has been hanging over the Sun-Oracle deal has finally been swept away and the deal consummated with blessings from regulators.

Oracle discussed their plans for Sun on 27 January, stating that they would cut Sun’s server line by 50% while increasing commitment to Sparc processors. They also restated a commitment to Java and called Java “the crown jewel” from Sun.

The press has been mum on Sun’s other products, including StarOffice, Solaris, the Modular Data Center, and VirtualBox, to name just a few. Oracle has stated its commitment to these products in the past; whether that commitment will translate into action is yet to be seen.

Also not mentioned is Sun’s participation in open source projects such as NetBeans, OpenSPARC, and OpenSolaris. However, all three of these projects now show Oracle branding. This at least suggests that Oracle is aware of these projects (if it wasn’t just a case of switching out an Oracle logo instead of a Sun logo).

Google v. China: More Updates

Microsoft, as was mentioned before, is not going to pull out of China and has actually spoken up against Google’s stance. Ballmer called their stand against censorship an irrational business decision.

In fact, Google founder Sergey Brin (born in Moscow in the USSR) has long campaigned against working in China, encountering resistance from Google CEO Eric Schmidt. The Independent details some of Brin’s history and his difficulties with Google’s work in China.

Microsoft’s take appears to resonate with Google’s CEO. It appears to also echo the political stand that favors “engagement” with oppressive regimes over the principled rejection of any oppression. Microsoft’s founder Bill Gates, CEO Steve Ballmer, and Chief Research and Strategy Officer Craig Mundie have all rejected pulling out of China.

In contrast, Twitter cofounder and CEO Evan Williams elaborated at the World Economic Forum on Twitter’s plans to make the service less prone to censorship such as has been attempted in China and Iran. In fact, on 9 December 2009, a Chinese lawyer was jailed briefly for teaching about Twitter and how to use it.

What makes this interesting is the far-reaching impact that Google’s hack and response is having. Politicians are talking about stands against China; diplomats are reconsidering US-Chinese relations; companies are reconsidering their Chinese operations; security specialists are considering new computer security implications; and some are worrying about their Chinese jobs. Censorship is being discussed like never before.

One organization dedicated to freedom of the press around the world is Reporters Sans Frontières (www.rsf.org). RSF has an extensive section about China, as well as other countries. They have also published a guide for cyber-dissidents.

System Management Software (Spacewalk and Landscape)

System management software is a nebulous term; the discussion here is about software to provision new servers, manage packages, control updates, and monitor servers, all from a central location. This does not necessarily include server hardware inventory, software build management, and other related tasks.

The Red Hat Network is a perfect example; Spacewalk is the open-source version of the Red Hat Network Satellite. Spacewalk has been out for a while, and recently released version 0.7. Originally, Spacewalk required Oracle as the back-end database; they may have been able to remove this dependency (replacing Oracle with PostgreSQL). The CentOS Wiki has a very nice HowTo describing how to install and run Spacewalk.

However, before implementing Spacewalk 0.7, be aware that Lee Verbern notes that the 0.7 client is broken (rhnsd does not work properly). The problems should be fixed in the next release.

Canonical’s Landscape is a counterpart to the Red Hat Network and is available for Ubuntu systems. Like the Red Hat Network, Canonical’s Landscape is a commercial product and closed source. Canonical has a blog for Landscape news, but the blog hasn’t been updated since November 2009. The Landscape project has a nice page with links to descriptions, tours, frequently asked questions, and more.

The blog WorkswithU has a nice article describing Landscape (albeit from February 2009).

Amazingly, the Canonical Landscape team even has a YouTube account with many valuable videos describing Landscape as well as many tutorials. They have a video introduction to Landscape you might want to see.

Finding an open source provisioning tool (outside of Spacewalk) is difficult; these tools are not common nor are they used by the average user.

One apparently powerful tool seems to be ControlTier, although it leans more towards package (and service) management than provisioning. ControlTier seems to be extremely flexible, allowing you to write scripts to interface with a variety of products and systems. ControlTier also has a blog, though it hasn’t been updated since November 2009.

The ControlTier team worked with Reductive Labs (the folks behind the open source configuration management tool Puppet) to create an interesting whitepaper about integrating ControlTier with Puppet.

I think I’d like to try ControlTier with Puppet; in particular, learning Puppet would be a good thing. I’ll report my experiences.

Linux Filesystem Comparison Test

Recently, Google announced it would move from ext3 to ext4 and also announced hiring the developer of ext4, Theodore Ts’o.

Now the technology site Phoronix has benchmarked ext3, ext4, XFS, ReiserFS, and Btrfs (no word on why JFS was not included).

The interesting thing about this set of benchmarks is that it seems to be quite a mixed set of results. Almost every filesystem came in first place at least once.

Another interesting thing is that the tests were done on a solid state SATA drive, the OCZ Agility EX 60GB SSD. One wonders what the tests would show with an IDE hard drive.

I’ve always been partial to XFS, given its capability for on-line expansion, its large capacity, and its reasonable performance. Of course, the targets are continuously moving onward – but XFS has always been respectable. Unfortunately, these benchmarks don’t show it as being the best.

The article recommends using ext3 over ext4 for now, given the loss in filesystem performance with ext4. This is particularly interesting given Google’s choice to migrate from ext3 to ext4; however, their choice was based on the fact that ext3 is showing data loss and they need better protection.

Now if someone would only benchmark OpenVMS ODS-5.

Google v. China: the Saga Continues

Last Thursday, 21 January 2009, US Secretary of State Hillary Clinton spoke out against Internet censorship and stated that the United States would take a stronger stance against Internet censorship; Chinese censorship was referenced several times in the speech. Both ComputerWorld and CNet had articles covering her speech.

During the speech, Secretary Clinton urged US companies to push back against censorship.

What is interesting is this: while the focus is currently on China, they are not the only one; in particular, Australia seems to be favoring censorship. A lot of European countries have censorship as well.

For its part, China responded angrily against Clinton’s comments. China said that the US position elaborated by Clinton could harm US-China relations. China also denied having anything to do with the attack on Google or other companies.

Computer security specialist Bruce Schneier published an essay on CNN.com talking about the security weaknesses inherent in backdoor access systems, using the Google hack as an example. John Mark Walker contests Bruce’s facts in an article on OStatic, stating that it was not a backdoor at all, but rather something much less sinister – a product used by Google to assist in responding to warrants.

Earlier, Microsoft’s CEO Steve Ballmer announced that Microsoft would remain in China, and would not pull out of that market.

Google has also delayed the release of their new phone, the Nexus One, into the Chinese market.

Google’s research into the hack now suggests that Google China insiders may have assisted. Attackers also used instant messaging to try to get Google employees to click on links to malware. After compromising one account, the attackers would send a link to all buddies from that account, hoping that someone would click.

Chinese human rights web sites reported this week that they had been attacked; while unproven, they suspect the Chinese authorities. One of the organizations stated that attacks come during “sensitive times” in China, such as the current Google-China flap.

UPDATE: There is also some suspicion (though no proof) that the Chinese were responsible for attacking three US oil companies in 2008 according to a report in the Christian Science Monitor discussed in an article in ComputerWorld.

UPDATE: Over at the Register, an article points out that the attack (which had been suggested as uniquely Chinese in origin) appears to be much older and more widely known than previously acknowledged. This means that the proof that China was the actual culprit becomes weaker.

Why I Use Google Chrome

Recently there was an article in Web Worker Daily about the release of Firefox 3.6 – and why the writer won’t give up Google Chrome.

A while ago, I found that Firefox would not render a particular page I needed desperately – but Google Chrome did (and on Linux, no less).

I also like the way that Google Chrome has the fastest (or one of the fastest) Javascript engines: so many of the “cloud” applications are based on Javascript, whether it’s Google Reader, Zoho Office, or whatever. A few cloud applications rely on Flash or on Java, but not many compared to Javascript.

Another thing that I like is that in Google Chrome the tabs can be manipulated, moved around, and even pulled out of windows or moved into new windows.

I’ve been using Google Chrome for several weeks now, and love it. Many of the things that I liked are available as bookmarklets (which are normally Javascript): Passpack and Clippable for instance.

Google Moves to ext4 Filesystem

Michael Rubin announced that internally Google had decided to move from ext2 to ext4 after careful consideration of ext4, IBM’s JFS, and SGI’s XFS.

Along with this, Google hired Theodore Ts’o, the man behind ext2 and ext4, to help with the migration.

The decision came down to between XFS and ext4, and the easier migration to ext4 was the deciding factor for Google. I am partial to XFS – it’s older and is perhaps more stable – but ext4 should be good as well.

I switched to OpenSUSE at one time because they offered XFS and Red Hat did not – and converted a Red Hat 7.1 install to XFS as well. Never had any problems with either installation at all.

Google Hacked by Chinese Government

This news has been developing all week, with extensive coverage: the technology media picked it up first, but so did the law media and the mainstream media.

Google announced that it (and an estimated 33 other companies) had been attacked by sources in the Chinese government and that GMail accounts of Chinese dissidents had been targeted. Many companies refuse to specify whether they were, in fact, attacked by China (including Yahoo and Symantec). Also attacked were Dow Chemical, Northrop Grumman, and Juniper Networks, as well as Gibson Hoffman & Pancione, the law firm prosecuting a lawsuit against China for code theft involving an Internet filter.

In response to the attack, Google said that it would seek to provide uncensored results on google.cn (Google’s Chinese search engine) and that it would pull out of China if it could not – shutting down their Chinese offices entirely.

The US Secretary of State, Hillary Clinton, stated that she would be lodging a formal complaint this week.

The attack against Google has been picked apart; a zero-day exploit in Internet Explorer was the method. The method was covered at CNET and is described in detail by McAfee’s CTO, George Kurtz, in a blog post. The blog Praetorian Prefect has a description and video of the attack in action.

Another aspect of the attack is that the surveillance tools were, in fact, compromised, providing easy access to a lot of data. This was covered by Timothy Lee over at the Freedom to Tinker blog.

Not all accept the fact that Google would pull out of China because of human rights issues; at the French blog Transnets by Francis Pisani at Le Monde, there is a two-part article (Google Power/1 and Google Power/2, in French) about the unanswered questions behind Google’s possible removal from China.

The Electronic Frontier Foundation (EFF) took note; there is an article about the unanswered questions related to the events, including commentary and links.

Several countries have been recommending that their citizens not use Internet Explorer; specifically, Le Monde has an article (in French) that the countries of Germany and France are suggesting that their citizens use other browsers.

Media coverage has been extensive. Elinor Mills over at CNET has a complete FAQ, as well as a video description of what happened. The New York Times is also covering the story.

Juniper Gateways Vulnerable to Malicious Traffic

This is a big deal. While Cisco is the number one router and gateway vendor, Juniper is not small by any means – and with the properly crafted traffic, a Juniper gateway can be crashed. This then affects any traffic that will use that gateway, no matter where it is going.

Releases 3 through 10 of Junos are vulnerable; there is no way to fix this problem with the firewall or other workarounds. Releases issued later than January 8, 2009, are not vulnerable.

Over at the Praetorian Prefect blog, there is a detailed description of the vulnerability.

Russian Security Firm to Release 0-Day Vulnerabilities

The Russian security firm Intevydis has announced that they will be releasing a number of security vulnerabilities that have not yet been fixed by the manufacturers, all of which have already been notified. According to an interview with Krebs on Security, the founder is sick of notifying the vendors with no fixes being released.

The debate around the discovery of security weaknesses focuses on two distinct areas: do you announce to the entire world the weakness you found (and a way to fix it or resolve it), or do you keep it secret and only notify the vendor? The first is called “full disclosure” and is generally only used by individuals; the latter is called “responsible disclosure” and is the normal method for most security firms.

One question often raised is this: are users best served if the problem is kept secret while the vendor fixes it, or when users (and crackers and the public at large) are notified so they can work around it?

Unfortunately, vendors sometimes take several months or years to fix vulnerabilities, during which time the users have no idea they are vulnerable – and, one hopes, crackers have not yet found the vulnerability.

Underlying all of this is the important idea that system administrators must keep their systems up-to-date on the most recent patches; systems are often hacked through vulnerabilities that are old and have been fixed by the vendor for months or years.
