UR Solutions


Part 3: The Urgent Need for a Future-Ready Board

Wed, 09/09/2020 - 17:47

~ Dr. Justo Ortiz of UnionBank ‘shows us the money’!

Or, how to bring in the money, at the very least.

To be future-ready, one has to be future-thinking. Ortiz’s UnionBank appears to be ahead of its counterparts, as several global digital banking excellence awards attest. The bank’s Board has ‘Future-ready’ written on its target bull’s eye.

The old model does not work anymore. The constant nagging of ‘Change in mindset’ beats ‘Unlearn and relearn’ only by a few blips.

The bank’s Vice-Chairman is quick to the draw, stating, “People get to be on the Board by being very successful people. But those heuristics no longer produce predicted outcomes as we get deeper and deeper into the Fourth Industrial Age, even though they were very valuable in the previous Industrial Age.”

In UnionBank, each director has goals. Specific ones go into the collective Board goals, and separate personal goals are set to build their own capabilities and accomplishments.

On paper, it’s a simple 4-step process:
1. Discover: How to help the organization meet goals, advance its vision, and identify its uniqueness as well as its competition. Also, what are the barriers, and what might be done differently.
2. Synthesize: Summarize insights and recommendations culled from focused discussions with management and Board
3. Activate: Create activities that move the insights forward, and strengthen the efforts, inspiring mindset changes, and building portfolios of Board directors; directly answer the challenges of being future-ready, and being equipped to steer the organization into the future
4. Review: More than monthly meetings, hold quarterly meetings to review actions versus Board moves and Personal moves per Director.

Four simple steps might seem tenuous, but being future-ready need not be complex. It’s taking the first few steps that ultimately gets things done.

Ortiz shares, “Future-ready Boards ask, ‘Where, and with whom, do I connect to learn from, and get the right information to stay relevant? How do I close the gap between ideas and execution? And, how can I learn how to shape the environment?’”

The Urgent Need for Future-Ready Boards (of Directors)

Tue, 09/08/2020 - 15:10

Part 2: A few easy steps

“Boards that are digitally savvy outperform (their non-savvy counterparts),” shared Aliza Knox in a recent online general membership meeting of the Management Association of the Philippines (MAP). Knox is Non-Executive Director, Grant Thornton International Ltd.

Numbers don’t lie.

Knox cites a 2017 MIT Sloan Center for Information Systems Research analysis of companies with 6 or more directors and annual revenues of over US$1B. It’s a 34% difference for both ROA and 3-year Market Cap Growth. A healthy 17% difference in Profit Margin, but a whopping 38% difference in Revenue Growth over 3 years.

Very simple starter steps can steer Boards towards a state of being digitally savvy.

Again, it’s a change in mindset. Boards need to understand what about being digital should be the focus.

1. Topics discussed in Board meetings are a tell-all. Digitally savvy Boards need to discuss immediate and extended issues that include:
1.1. Cybersecurity (how to keep client accounts and privacy safe and secure);
1.2. Disruptions and Innovators (understanding the digital environment, knowing who the players are, and what elements in the scene can change the business);
1.3. Transformation (what is the company’s online presence, is it friendly, easily accessible); and
1.4. Tech spending (knowing what to spend on, and what’s in the immediate pipeline).

2. Board Members: the personalities that compose the Board must be remarkably diverse. Consider age and gender, where youth can mix well with established experience. Digital is technology, so a technology or sustainability expert, or a data analyst, would be wise considerations.

Another would be to invite an independent director (an ‘Indie’) whose background or external POVs might prove insightful.

It is also worth constantly studying the Board’s composition and diversity, and effecting beneficial change as necessary.

3. Tech Fluency is emphasized as staying connected. Learn from the company technologist, and stay abreast of your company’s digital posts through the people in the company. Read a lot, and pay attention to trends. PayMaya and TikTok are not the latest Disney characters. And AI and IoT are not hip-hop stars.

Where PayMaya disrupted normal payment transactions and banking functions by simplifying online payments and giving power to those without credit, TikTok ‘shookt’ the internet via a throng of bored youth during the early lockdown, and eventually caused POTUS to sever ties with its Chinese makers.

A digitally paying public is guided by secure, reliable and accessible online payment methods. Thus, a sparkling and robust eCommerce community is another trend digitally savvy Boards must be able to take advantage of.

Changing business models go beyond eComm and online payments. Free tiers (freemium), loyalty rewards, and streaming and on-demand are only a handful of the current disruptions that are making a killing.

Knox makes a strong case for Boards to make the crucial leap, saying, “I hope I was able to communicate that there’s a real financial value in having a digitally savvy Board. There are a lot of concrete actions to take to both digitize Board tools, and digitize the Board’s thinking to make management teams future ready.”

Part 1: Management leaders see need for future-ready Boards

Wed, 08/26/2020 - 18:03

~ Immediate change in mindset first step towards digital transformation

Last Tuesday, 18 August 2020, the Management Association of the Philippines (MAP) held its 6th Online General Membership Meeting. MAP president Atty. Francis Lim opened the session summarizing the association’s efforts in times of pandemic.

MAP easily transitioned to digital, delivering GMMs on ICT, digital transformation, platforms, security, etc. “MAP is showing leadership and resilience in a digital ecosystem… with topics that are relevant, and speakers that are world class,” said Atty. Lim.

A record-breaking 45 new members were inducted by immediate past-president Rissa Mantaring.

The 6th GMM topic, ‘The Urgent Need for a Future-Ready Board’, was hatched by ICT Committee head Patrick Reidenbach of UR Solutions, who moderated the event. More than 170 attendees logged in.

Speakers included: Aliza Knox, Non-Executive Director of Grant Thornton and Head of APAC of Cloudflare; Rey Lugtu, Founder and CEO of Hungry Workhorse; and Justo ‘Tito’ Ortiz, Vice Chair of UnionBank. Knox joined the session from Singapore.

Systematically judged as old-fashioned and steadfast at best, or closed-minded and archaic at worst, a corporate Board elicits judgment that is not entirely kind. The topic addressed an immediate concern, perhaps even prodding action.

Knox opened the session sharing telltale signs of a time-weary Board, including:

1. Rubber stamp action, with Directors not challenging the norm
2. Focus is only on operational performance, with no need to know strategic trends and marketplace issues
3. Directors are of similar backgrounds and expertise, mostly emerging from internal talent
4. Cannot identify disruptive technology, and therefore cannot do anything about it
5. A lack of perspective or experience to move business from its current state, and uncomfortable with any movement or change

Perhaps the very first step is a willingness to adapt for the sake of being more effective. The pandemic pushed otherwise archaic Boards off the precipice and onto platforms. Virtual Board meetings were suddenly necessary. Digital was the difference between death and merely being in dire straits.

For the Board to undergo digital transformation, the steps are basic. Mindset and materials need not even be entirely digital.

Knox has been a Director on various Boards for 10 years, in many markets including Germany, London, Australia, and Singapore. Here are valuable tips from the veteran of Board protocols, standard processes, and not a few idiosyncrasies.

1. BITE-SIZE: Make agenda into 15-minute increments. Short, sharp bursts allow attendees to stay focused. Keep the whole meeting under 90 minutes, limiting discussion to 4 to 6 topics.

2. BREATHER: Encourage 15-minute breaks as well, and, if and when allowed (due to pandemic restrictions), encourage ‘a walk outside’ or some activity to ‘really let the brain reset and refocus’.

3. PRE-READS | PRE-MEETS: One of the best practices that saves time and maximizes decision making is to send out the info for discussion days ahead. This allows time to assimilate the info and makes it easier to digest, leading to better decision making in a shorter period. Bridging No. 1 and No. 3, smaller sessions on key points can be held for more in-depth discussion prior to the Board meeting and decision making.

4. MEETING ROOMS: Most virtual meeting platforms have Breakout Room functions that allow more person-to-person interaction. Not only will this allow better discussions, it will also allow attendees to ‘open up’ on some matters. It also provides attendees the environment to make better ratings of people, discussions, etc., data that will prove very useful for improving assessments.

5. GUEST EXPERTS: Bringing in a guest expert breaks the monotony of a Board meeting. This ushers something fresh or new from learning new technologies or best practices. Learning outside of the regular will enable the Board to get exposed to new ideas, and will gear them to embrace new directions.

6. SHARED DOCUMENTS: The Board will benefit a lot from shared resources. Data, reports, white papers archived with the best ‘security’ and made accessible will vastly improve collaboration, and encourage teamwork while streamlining processes.

Red Hat Releases JBoss Enterprise Application Platform 7.2

Sat, 06/22/2019 - 09:53

From: ADTMAG

Red Hat today announced the general availability of the 7.2 release of its JBoss Enterprise Application Platform (EAP). This release comes with greater compliance with Java Enterprise Edition (EE) 8, JDK 11, Java SE 11 and additional support for Microsoft Windows and enterprise Java microservices.

The JBoss EAP is an open source Java EE 8-compliant application server used to deploy and manage enterprise Java apps in bare-metal, virtualized and containerized environments, as well as on-premises, private, public and hybrid clouds. Version 7.2 is Java EE 8 certified, which means it comes with new functionality and updates to existing capabilities.

In its announcement, Red Hat underscored its continuing commitment to Java EE 8 and Jakarta EE; the latter technology is now under the stewardship of the Eclipse Foundation, "the new home for cloud-native Java," the company said.

"As a Java EE-certified platform, JBoss EAP 7.2 is designed for organizations whose enterprise Java application workloads demand reliability, availability, scalability, performance, transactionality, and strong security capabilities," the company said, "and that also may have compliance requirements that need to be juggled alongside a developer-friendly, more highly productive technology that offers flexible deployment."

Java EE 8 certification of this release introduces new capabilities designed to improve portability and security of applications and the manipulation of JSON (JavaScript Object Notation) documents. It also includes updates designed to increase the reusability of functionality across Java EE and Java SE, resulting, the company said, in a "more coherent set of capabilities that are designed to improve the development experience."

This release also comes with enhancements related to the support of HTTP/2, as well as support for OpenJDK 11, Oracle JDK 11, Java SE 11 and long-term support releases of OpenJDK.

Red Hat is providing support for OpenJDK 8 until 2023 and OpenJDK 11 until 2024. The JBoss EAP 7.2 release also includes Technology Preview support for Eclipse MicroProfile Config, REST Client, OpenTracing and Health, four of the 12 libraries that are currently part of the community-driven open source project for enterprise Java microservices.

In addition, this release is certified for Red Hat Developer Studio 12, supports Red Hat Enterprise Linux 8 Beta and adds Federal Information Processing Standards (FIPS) 140-2 security enhancements, which comply with U.S. federal security standards.

There are also server management, console and CLI improvements in this release, which can help apply and manage changes faster and shorten the time spent on maintenance tasks. There's a new ability to build once and deploy anywhere within a single subscription, new Maven bills of materials (BOMs) for JBoss EAP and Java EE 8, tighter integration with Red Hat OpenShift for clustered applications, and support for IBM Db2 e11.1, IBM MQ 9 and PostgreSQL 10.1.

JBoss EAP 7.2 is a key component of Red Hat Application Runtimes, which also includes OpenJDK, Red Hat OpenShift Application Runtimes, ActiveMQ, and Red Hat JBoss Data Grid, integrated and optimized for Red Hat OpenShift. The end result is a "coherent hybrid cloud application platform" on which customers can optimize their existing Java applications, while "innovating with enterprise Java and non-Java microservices, DevOps, CI/CD, and advanced deployment techniques."

JBoss EAP is available for download by members of the Red Hat Developers community. Customers can get the latest updates from the Red Hat Customer Portal.

This is the first Red Hat product release since IBM announced in October plans to acquire the company. Reaction to the acquisition has been largely positive. "IBM and Red Hat are the two largest contributors to the Java platform, other than Oracle," Gartner analyst Anne Thomas told ADTmag in an earlier interview, "so instead of two organizations with potentially conflicting agendas, there will be one. This ensures better synergy, but reduces competition. And I anticipate that IBM will reduce the total number of people dedicated to supporting the Java community."

Red Hat revs up Ansible Engine, refurbs Ansible Tower

Sat, 06/22/2019 - 09:45

From: DEV CLASS

Red Hat has shipped updated versions of Ansible Tower and Ansible Engine this week, just meeting the deadline it set back in January for the latest versions of its automation and configuration toolset.

The changes tick most of the specific boxes sketched out by Tim Appnel, senior principal product manager for Ansible, back in January, when he promised changes to the way Ansible handles external “content”, and handles privilege escalation.

Red Hat Ansible Engine 2.8 features changes to the process for incorporating modules and plugins from external contributors. A posting announcing general availability of 2.8, explained “These changes allow for the creation of a new delivery method to users. This delivery method should not depend on Ansible maintainers to manage content as well as the platform code.”

The firm said that in future releases, content creators will be able “to provide their content in a package format called a Collection,” which can be “installed in the appropriate location for execution whether that’s on the Ansible control node or the managed node.” It promised further details in the coming weeks.

There are changes to the way Ansible searches for the correct path and executable name for Python on each target system, which should prevent failures on systems that have Python installed somewhere other than /usr/bin/python.

The firm promised “enhancements and additions to cloud and container modules to include Amazon Web Services, Microsoft Azure, Google Cloud, Digital Ocean, podman, and kubevirt.” Also, Ansible Engine 2.8 will no longer provide or have a dependency on paramiko, but will use ssh by default.

Changes with Ansible Tower 3.5, the management console for Ansible Engine, include the not at all surprising addition of RHEL 8 support.

It also adds support for external credential vaults, in addition to its own credential store. Supported external vaults include: HashiCorp Vault; CyberArk AIM; CyberArk Conjur; and Microsoft Azure Key Vault.

New Inventory Plugins should make it easier to connect to hybrid cloud environments. They include Ansible Engine Plugins for Azure, Google Cloud, and Red Hat OpenStack Platform. Likewise, new Privilege Escalation Plugins allow more granular control of what users can execute on managed systems.

One thing Appnel couldn’t comment on back in January was what effect the upcoming merger into IBM would have on the direction of Ansible. The takeover has been approved, and is due to close in the second half of this year. Which means the next Ansible releases could come under the new regime.

Synacor’s Zimbra Collaboration Platform Delivers New Q1 Customer Wins and Deal Expansions

Sat, 06/22/2019 - 09:40

From: Yahoo! Finance

BUFFALO, N.Y.--(BUSINESS WIRE)--

Synacor Inc. (SYNC) today provided additional details regarding its previously announced customer wins and deal expansions for Zimbra, the company’s email and collaboration platform. For the first quarter of 2019, the Company reported 96 new customers and expanded bookings with 184 customers. The customer wins spanned governments, utilities, universities, service providers, and businesses around the world, including one of Europe’s largest universities, a major state-owned utility in Asia, and one of the largest insurance companies in the Czech Republic.

“With Zimbra X, our first-of-its-kind containerized email and collaboration platform, ready for deployment among service providers, and Zimbra 8.8 continuing to be the platform of choice for an expanding set of global businesses, Synacor is ideally positioned to meet all market deployment needs,” said Marcus Teo, SVP Enterprise Sales & Marketing, Synacor. “Our customers recognize the extensibility, scalability, cloud-availability, and security features our platforms offer, especially in a world where collaboration and identity are increasingly critical for business productivity and growth.”

Zimbra continues to be deployed by a diverse set of global organizations eager for alternatives to inflexible and expensive email solutions. During Q1, Zimbra was rolled out by:

  • A Japanese service provider that deployed Zimbra in the cloud for over three million users with IIJ, a major systems integrator in Japan.
  • Court of Justice of the State of Tocantins and the Court of Justice of Maranhão, two Brazilian judicial court offices that house federal judges and their staffs, with a focus on combatting crime and corruption.
  • Conectys, a Romania-based outsourcing trailblazer with more than a decade providing global multilingual outsourcing services.

"At Conectys, we chose Zimbra as our new email platform as it offers the best value-for-money solution we have found after comparing against the other leading email solutions in the market,” said George Lazăr, VP Global IT, Conectys.

Synacor recently wrapped its Zimbra ACTIV8 European Tour, which showcased the company’s product and roadmap to more than 60 channel partners, including business service providers and value added resellers. Zimbra added new features to Zimbra Drive such as file sync, sharing and storage, and to Zimbra Docs, such as the ability to create and collaborate using documents, spreadsheets and presentations. These features can be used within the Zimbra Web Client.

About Zimbra Email and Collaboration

Zimbra, a Synacor product, is an email and collaboration platform that includes contacts, calendar, tasks, instant messaging, and file sharing, plus add-ons such as videoconferencing, document creation, and file storage. Zimbra powers hundreds of millions of mailboxes in 140+ countries and is offered through more than 1,900 channel partners. Enterprises, governments, and service providers trust Zimbra.

Zimbra can be deployed in the cloud, on-premises (private cloud), or as a hybrid service. The Zimbra Business Solution Provider Network offers it as a Hosted Service. Synacor operates a turnkey, fully hosted/managed, and monetized solution for Service Providers.

To request an invitation for the Zimbra X Partner Development Program for North America-based Service Providers (SPs), visit https://info.zimbra.com/zimbra-x-beta.

For more information about becoming a Zimbra Channel Partner, visit https://www.zimbra.com/partners/become-partner/.

About Synacor

Synacor (SYNC) is the trusted technology development, multiplatform services and revenue partner for video, internet and communications providers, device manufacturers, governments and enterprises. Synacor’s mission is to enable its customers to better engage with their consumers. Its customers use Synacor’s technology platforms and services to scale their businesses and extend their subscriber relationships. Synacor delivers managed portals, advertising solutions, email and collaboration platforms, and cloud-based identity management. www.synacor.com


Multiple RCE vulnerabilities impact all versions of Zimbra email software

Fri, 06/21/2019 - 18:15

From: The Daily Swig

Patches released for latest builds, but older versions are still vulnerable

Several vulnerabilities in open source email suite Zimbra could be leveraged in a chained attack leading to remote code execution (RCE), a security researcher has found.

All versions of Zimbra are said to have been impacted, but the issue has now been fixed in 8.7.11 and 8.8x, the latest versions.

Researcher An Trinh (who goes by the Twitter handle @_tint0) said that Zimbra’s reliance on Extensible Markup Language (XML) for encoding its operations laid the path for multiple vulnerabilities – CVE-2016-9924, CVE-2018-20160, and CVE-2019-9670.

These are all XML external entity injection (XXE) vulnerabilities, which arise when applications process user-supplied XML documents without disabling references to external resources.

XML parsing often supports the use of external entities, for example to fetch a DTD over the network and check the validity of the data file. An attacker can abuse this process in multiple ways if any part of its implementation is insecure.

“For more recent versions, CVE-2019-9670 works flawlessly where the XXE lies in the handling of Autodiscover requests,” Trinh said in a blog post published this week, explaining how the exploit could be leveraged on Zimbra versions 8.5 to 8.7.11.

“And for the sake of completeness, CVE-2018-20160 is an XXE in the handling of XMPP protocol and an additional bug along CVE-2019-9670 is a prevention bypass in the sanitizing of XHTML documents which also leads to XXE, however they both require some additional conditions to trigger,” Trinh said. “These all allow direct file extraction through response.”

Vulnerabilities like these can allow for privilege escalation and, in some cases, RCE, Trinh explained. Due to Zimbra’s token-based authentication method, an attacker needs access to the default admin port 7071, he said.

To complete the exploit chain an attacker makes use of another vulnerability – CVE-2019-9621 – as a workaround for the admin port’s whitelist through ProxyServlet.doProxy().

“In short, if we send a request with 'foo:7071' Host header and a valid token in cookie, we can proxy a request to arbitrary targets that is otherwise only accessible to admins.”

A valid token is generated through a ‘hidden’ feature in Zimbra which can then provide access to the admin port, and the final requirement of the exploit chain attack to gain full control.

“The flow is to read the config file via XXE, generate a low-priv token through a normal AuthRequest, proxy an admin AuthRequest to the local admin port via ProxyServlet and finally, use the global admin token to upload a webshell via the ClientUploader extension,” Trinh said.

RCE via Memcached

RCE can also occur in Zimbra through an escalation of a Memcached injection vulnerability – as long as the email suite is using Memcached as its caching mechanism.

“The deserialization process happens at ImapMemcachedSerializer.deserialize() and triggers on ImapHandler.doSELECT(), i.e. when a user invokes an IMAP SELECT command,” said Trinh.

“The IMAP port in most cases is publicly accessible, so we can safely assume the trigger of this exploit.”

Older versions of Zimbra are still impacted by all bugs, and users are advised to update.

The Daily Swig has reached out to Zimbra for comment.

IBM's Red Hat acquisition moves forward

Fri, 06/21/2019 - 17:59

From: ZDNet

The Department of Justice has approved IBM's acquisition of Red Hat. Since IDC thinks Red Hat Enterprise Linux alone is expected to contribute to more than $10 trillion worth of global business revenues in 2019, IBM's $34 billion acquisition of Red Hat is looking better than ever.

Just ahead of Red Hat Summit in Boston on May 3, the US Department of Justice concluded its review of IBM's proposed Red Hat acquisition and essentially approved the IBM/Red Hat deal. This means the IBM/Red Hat acquisition is still on track for the second half of 2019.

At Red Hat Summit, Red Hat released the results of a commissioned IDC study, which concluded software and applications running on Red Hat Enterprise Linux (RHEL) are expected to contribute to more than $10 trillion worth of global business revenues in 2019.

That's about 5% of the worldwide economy for those of you following at home.

Oh, and you read that right. It's "trillion" with a "t" -- not "billion" with a "b".

By this the IDC means the software and applications running on RHEL will "touch" $10 trillion of business revenue this year and grow at twice the rate of the economy. Business revenue will top $188 trillion.

So, what does 'touch' mean? For 2019, IDC has estimated global business revenue of $188 trillion. Of this, IDC estimates that at least 40 percent use software. For 2019, IDC has estimated the total IT "footprint" at $81 trillion. Now, consider all that software has to run on an operating system -- and much of the software "touching" enterprise functions run on servers. IDC knows Linux runs more than half of all servers. Of those, RHEL accounts for around 25% of deployed corporate server Linux operating systems. Do the math.

So, those trillions represent not just Red Hat's influence on the global economy, but how Linux is dominating all of IT. As Cushing Anderson, IDC VP of business consulting, said: "As the world's leading enterprise Linux platform, Red Hat Enterprise Linux fuels these operations and more, touching trillions of dollars of global business revenue, creating hundreds of thousands of jobs and opening tens of billions of dollars in opportunities to ecosystem partners."

How does Red Hat do this? The research found that RHEL is most frequently used for enterprise management and production (26%), IT infrastructure (20%), and customer relationship management (18%). In each workload, customers see an increase in revenues from using RHEL, a decrease in expenses, and/or an increase in employee productivity.

How we redesigned our new corporate logo

Fri, 06/21/2019 - 17:48

From: redhat.com

Building a better logo for us

There were lots of reasons why we changed our logo.

Starting over was never part of our strategy. We needed to keep a certain amount of recognizability, so we chose an evolutionary path.

Ok, so what happened to the guy?

Originally called “The Red Hat Man,” then later, “Shadowman,” the figure under the red fedora personified the company. Red Hatters knew Shadowman was a benevolent, liberating figure, introducing then-taboo open source software to the mainstream. In a way, Shadowman was a playful and defiant comment on the vilification of open source. As Red Hat grew into a mainstream company and open source began gaining trust and traction in the marketplace, the image no longer made quite as much sense.

How do you spell Red Hat?

Also, our name (Red Hat) was spelled as 1 word and in lowercase (redhat) in our logo.

Type

We also had issues with our typeface. We wanted to create something more liberating and useful, and we wanted to open source it and share it with everyone. So we collaborated with type designer Jeremy Mickel on 2 new open source fonts.

We’re calling them Red Hat Display and Red Hat Text and they will be available to everyone on Earth (who has access to a computer) in a variety of weights and italics.

Logo system

Our previous logo formed a single horizontal rectangle, with the Shadowman icon on the left and our name on the right. This configuration didn’t always work for things like favicons, app icons, and T-shirts.

Our new logo gives us the flexibility to choose the best version for each placement, such as in event wayfinding, on webpages, on buildings, and on branded swag. It can be used vertically or horizontally, and the “Red Hat” text can be large or small.

Applications

Put it all together and you get a fresh, clean, flexible visual system. We can unify products and services; give internal teams, projects, and programs a crisp, consistent look; and share our brand in ways that we couldn’t before.

Color

The color red is our second most recognizable brand asset. Red symbolizes energy, strength, power, determination, passion, love, and courage. Red is the color of revolution. But even with all that oomph, our red needed a refresh.

We used science to make some minor adjustments. Our last shade of red failed contrast ratio checks on dark backgrounds, which means it was difficult or impossible to read for people with no or limited visual acuity, and could also cause eye strain for sighted people.

New look. Same vision.

We didn’t start over. We kept the most recognizable and important elements and collaboratively crafted a logo with more resonance with our truth. We thought through the connections linking our story with our symbol. Now, we are more Red Hat than ever.

Untangle Appoints UR Solutions as its Partner in the RP

Mon, 10/01/2007 - 17:15

UR Solutions was recently appointed by Untangle, the integrated Open Source Network Gateway software designed for spam blocking, web filtering, remote access and more, to be its RP partner for marketing and technical support. UR Solutions has been in the business of open source for the past three years and will be an ideal partner for this exciting new software that will make gateway management a much easier task.

Study: Red Hat Benefiting from MS-Novell Deal Fallout

Mon, 07/23/2007 - 15:46

From: eWeek.com

A global survey of open-source enterprise users of Alfresco software has found that deployments of Red Hat Linux have grown twice as fast as those for Novell SUSE Linux since Novell signed its controversial patent and interoperability agreement with Microsoft in November 2006.

Alfresco Software, an open-source enterprise content management provider, surveyed more than 10,000 of its community members between March and June, and will release the findings July 23 in a report titled "The Alfresco Open Source Barometer."


"What we've seen is that Alfresco's content community is growing in a true 'hockey stick' fashion, with the ratio of new members each month exceeding that of the previous month," said Ian Howells, Alfresco's chief marketing officer, who conducted the survey and analyzed the data.

"From March to May, for example, the rate of new members joining the Alfresco community rose by more than 130 percent month-on-month," he said. "The number of those new users with Red Hat Linux nearly tripled over that period, while the number of Novell SUSE Linux users remained relatively static. This suggests that customers may increasingly not like the terms of the Microsoft-Novell deal, especially as more information becomes public."

While Alfresco did not specifically ask community members the reason for their Linux choice, the findings are "not a coincidence and, while we can't be certain, customer unhappiness with the Novell-Microsoft deal is probably the most likely reason for that," Howells said. "There was also a backlash against Microsoft about its patent position during this time."

The survey's findings can also be extrapolated to the broader open-source software industry and are not limited to those enterprise customers using Alfresco software "because of the wide range of open-source and proprietary software use cases captured and the large sample size of the survey," Howells said. "We think these findings accurately reflect the broad technology trends across modern stacks in organizations of all sizes." Gallup polls about U.S. presidential candidates typically survey about 1,000 likely voters, while Alfresco surveyed more than 10,000 people, he said.

The report also shows that while Windows is an increasingly popular evaluation platform for open-source software, most enterprises use Linux when they go into production.

"Windows plays an increasingly important role in testing and evaluation because it is the operating system found on most desktops," Howells said.

Since there is not a large sales force for open-source software in comparison to the larger proprietary software vendors, users need to be able to discover, try and buy the software without actually talking to the vendor, he said.

"So the first experience is phenomenally important, and the first experience for most users is going to be downloading the software onto their laptop and trying it out, which is why the Windows platform is very important. But the installation process and the ability to get users running and productive is equally important," he said.

Alfresco has more than 300 paying customers globally, many of which are large, Global 2000 organizations, including Electronic Arts, the European Commission, the U.S. Federal Aviation Administration, Kaplan, NASA, Raley's and several of the world's largest financial services companies, Howells said.

Mandriva says no to Microsoft Linux deal

Thu, 06/21/2007 - 15:37

From TECHWORLD

French Linux vendor Mandriva said no to dealing with Microsoft on open source patents - the third Linux vendor in a week to do so. In a statement on his company blog, Francois Bancilhon, CEO of Paris-based Mandriva, said, "We don't believe it is necessary for us to get protection from Microsoft to do our job, or to pay protection money to anyone."

Bancilhon acknowledged that several other Linux vendors, including Linspire and Xandros, recently signed intellectual property and collaboration deals with Microsoft to protect them from potential patent claims related to their code. Those agreements followed a highly publicised deal Microsoft reached with Novell and SUSE Linux in November.

Such deals have been more common since Brad Smith, Microsoft's general counsel, and Horacio Gutierrez, the company's vice president of intellectual property and licensing, said last month that open-source software, including Linux, violates 235 Microsoft patents and that the company wants distributors and users of open-source software to start paying royalties for the alleged violations.

Last Saturday, Ubuntu Linux founder Mark Shuttleworth wrote in his personal blog that Ubuntu has no plans to sign a licensing deal with Microsoft, and US Linux market leader Red Hat has reiterated that it's not interested either.

"Novell, Xandros and Linspire have signed well-publicised agreements with Microsoft," Bancilhon wrote in his blog. "Rumors on the web have hinted that we might be next on the list. So we would like to clarify our position. As far as [intellectual property] is concerned, we are, to say the least, not great fans of software patents and of the current patent system, which we consider as counter productive for the industry as a whole. We also believe what we see, and up to now, there has been absolutely no hard evidence from any of the FUD propagators that Linux and open source applications are in breach of any patents. So we think that, as in any democracy, people are innocent unless proven guilty and we can continue working in good faith."

Bruce Perens, an open-source advocate and a founder of the non-profit group Open Source Initiative, said that Mandriva's stand is the right one. "Microsoft has been buying up deals with little fish and companies that aren't quite making it financially," he said of the Linspire, Xandros and Novell agreements. "So it has been easy for [Microsoft], because they have been going after small vendors and getting them [to sign]."

Jonathan Eunice, an analyst at Illuminata, said Microsoft's deals with Xandros and Linspire don't have the same impact as they would if they had been made with a major Linux vendor such as Red Hat. "I think Microsoft is going to second-tier players, and they're cutting deals with them because they are softer targets," Eunice said. More influential Linux vendors, such as Red Hat and Ubuntu, "don't need to take out the insurance policies" with Microsoft. "Plus, they benefit by appealing to the Linux stalwarts - those who feel that any deal with Microsoft is tarrying with the devil.

"This is about Microsoft trying to create the image that there's an intellectual property issue with Linux," Eunice said.

Daniel Kusnetzky, principal analyst at Kusnetzky Group, said that smart enterprise Linux users "will watch this but not let it control their decisions."

"Microsoft is trying to get people to move with little or no information on what their patent portfolio contains," he said.

Laura DiDio, an analyst at Boston-based Yankee Group Research, disagreed, arguing that the licensing deals are the right thing for some Linux vendors on a case-by-case basis.

"It makes sense for some of them to do this type of thing and indemnify their customers," DiDio said. "It can impact enterprise users if somebody decides to sue for patent infringement ... and they don't have any protection in place. That is always a danger and always a risk, particularly in large enterprises."

Zimbra Appoints UR Solutions as Partner

Fri, 06/08/2007 - 18:51

Zimbra, the leader in Open Source Messaging and Collaboration, has just appointed UR Solutions to be its partner to help market and support the Zimbra Collaboration Suite (ZCS), one of the hottest open source software products available today. A proud user of the fantastic new product for the past few months, UR Solutions believes it will be the perfect partner to market ZCS as one of its premier open source solutions. The ZCS has been eating up the market share of its closest rivals, MS Exchange and Lotus Notes, for the past year, with over 9,000,000 paid subscribers around the world. UR Solutions plans to market the ZCS as a superior alternative to the other proprietary messaging and collaboration products that dominate the marketplace locally. For more information about Zimbra and the ZCS, visit their website at www.zimbra.com or contact UR Solutions.

CensorNet appoints UR Solutions as Philippine reseller

Tue, 04/17/2007 - 18:39

CensorNet, the world's favorite open source Internet Web Filtering & Management solution for Enterprise, Education and Personal use, recently appointed UR Solutions to be one of its resellers in the Philippines.

CensorNet addresses the growing concern of users accessing unsuitable and offensive material on the Internet in a powerful, reliable and cost-effective way. CensorNet is consistently chosen as the best alternative to commercial filtering solutions. CensorNet fits in perfectly with UR Solutions' array of Linux-based and open source software products.

For more information about CensorNet, visit their website at www.censornet.com or contact UR Solutions.

Top 10 Technology Projects in '07

Wed, 03/07/2007 - 18:22

From Baseline

If there is any question that technology initiatives must respond to business needs, it is put to rest by what readers of this magazine say they're focusing on in 2007.

More than a third of those who took our top-projects survey say they are looking to do business process improvement. The next hottest areas, customer relationship management and business analytics, also require collaboration between information technologists and business people. Nowadays, businesses aren't funding anything whose return on investment they can't see.

"The projects we have scheduled for 2007 all answer a particular business need," says Gabrielle Wolfson, chief information officer of Spring Valley, N.Y.-based Par Pharmaceutical. "You're not going to implement technology for the sake of technology."

The unrelenting focus on ROI is leading companies to do more pilot projects and cut the number of risky big-bang initiatives they take on.

The ROI focus is also prompting companies to make better use of the systems they have in place. That's what the new push toward service-oriented architectures is all about. Indeed, while SOA itself doesn't appear on our list of the top 10 projects (it was the 12th-most-common project, cited by 12% of our readers), its principles of making better use of existing infrastructure and leveraging applications already in place are behind several of those that do, including Web services (No. 5 on our list) and enterprise systems planning (No. 9).

A total of 363 readers in I.T. and business management responded to Baseline's survey, which was conducted in January. For a look at their top priorities, read more.

Calif. school district aims 5,000 desktops at Linux

Tue, 03/06/2007 - 18:06

From DesktopLinux.com

A school district technology director is making wholesale changes in her employer's IT system by migrating most of 5,000 Windows desktops to a new setup based primarily on Linux-powered desktop PCs and thin clients. The change aims to reduce annual costs, offer many more applications, and use less energy.

Windsor, Calif. School District IT administrator Heather Carver is migrating most of the district's 70 servers and most of its 5,000 desktop machines from a mostly-Windows environment that is quickly becoming obsolete to a new mixed environment that includes PCs running SUSE Linux, Wyse Linux thin-client terminals, and a smattering of Mac and Windows machines.

When all the phasing-in is completed sometime next year, the district will be operating about 2,000 SUSE Linux desktops, 50 SUSE Linux servers, 2,700 Linux thin clients, and a few hundred Mac and Windows machines for special purposes, Carver said.

Additionally, she expects to save thousands of dollars each year in hardware and software costs by doing it.

"One key to all this is that we're using Citrix (as the bridge) to run Windows apps on thin-client terminals -- which the adults are most used to -- on the new SUSE Linux 10.1 servers," Carver told DesktopLinux.com. "The kids, well, they adjust to new operating systems and applications very quickly, so a changeover to Linux is no big deal."

Citrix Presentation Server enables Windows applications, hosted on remote servers, to "run" on networked thin clients (or PCs) that need not themselves be Windows machines. Using Citrix, the thin clients act as remote consoles -- the applications run on the servers, while screen contents, keyboard entry, and mouse movements traverse the network between the servers and the thin clients. In this manner, Citrix can be used to run such standard-issue Windows-based education applications as KidPix, Reading Counts, and Type to Learn from the Linux servers with no problems, Carver explains.

"It's the adults that tend to stay with what they're familiar with," added Carver. "This way, they can run their Windows apps as usual on the Linux OS, and everybody is happy."

Following Easter break in a few weeks, about half of the 3,500 students and 250 teachers will be working on Linux-based thin clients running OpenOffice.org, and most of the district's servers will be running Novell SUSE Linux Enterprise Server.

At this point, Carver said, she isn't sure exactly how many actual Linux desktops will be cohabiting along with Linux thin clients and Macs. "We'll end up with 2,500 to 3,000 thin clients, and will keep some Macs in the audio-visual departments," Carver said.

The rest of the 5,000 -- between 2,000 and 2,500 -- will be Linux-driven desktops with a small number of Windows machines mixed in, she said.

One major advantage to all this consolidation is that teachers and students alike will now have the advantage of a lot more applications to choose from -- Linux or Windows -- because both will run "seamlessly" on SUSE 10.1, Carver said.

A number of the servers have already been migrated to Linux, and Carver says she's already noticing a downward change in the district's electric bill.

"Thanks to the new thin-client Linux system, we've been able to shut off 36 machines -- and we've set it up so teachers can log into their school desktops from home to grade papers and do other work," Carver said. This has encouraged teachers to work from home more often, whereas in the past they would have had to come back onto campus and work from their offices, she said.

"I think we saved about $300 on last month's power bill already," Carver said. "I've been monitoring it."

When Carver arrived last August, she saw an IT system that would have needed upgrades in hardware and software that would have totaled about $100,000. No way the district could afford that, she said.

"I was looking at spending $100 per year for 30 Microsoft Office installations, and we just weren't going to go for that," Carver said. OpenOffice.org, with its similarity to Office and free cost, has been well accepted, she added.

Even so, Carver still looked for ways to keep some Windows machines -- mostly for the teachers' and administrators' sakes.

Carver said it cost the district about $2,500 per school to migrate to Linux, compared with the estimated $100,000 it would have cost to upgrade their Windows infrastructure.

"The uptime benefit has been tremendous," Carver added. "We wanted people using the same apps anyway -- a system can't handle five email clients, etc. We've standardized on the key applications, and people aren't having the issues (security, installation, maintenance, etc.) they used to have with Windows, so that's been a real advantage."

So far, the migration from Windows to Linux has progressed smoothly, Carver told DesktopLinux.com. Next, she hopes to start branching out with her migration setup to other school districts.

"I've been talking to Cloverdale (a neighboring town and district). It makes sense for us to share resources and help each other," Carver concluded.

Too late to discredit open source, advocates say

Tue, 03/06/2007 - 17:49

From Computerworld

Advocates and users of free and open source software (FOSS) technology believe that it is too late for any form of crusade to discredit FOSS as it is already widely used.

The sources made the statement following reports that some private software firms are now using marketing funds to mislead enterprises towards adopting the open source strategy.

"It's too late," exclaimed Winston Damarillo, founder and chairman of software development firm Exist Global, in an interview with Computerworld Philippines. "Open source is all over the place."

Damarillo said his company even plans to discuss open source with the Philippine Software Industry Association (PSIA) and would try to convince the latter to promote open source.

In a recent press briefing, Damarillo said his company draws on its success and experience in open source software development, reporting that Exist Global has developed a hosted operating infrastructure called Distributed Engineering Network (DEN). The latter enables the company to deliver the benefits of open source style development to distributed engineering projects, building proprietary and Web-delivered applications in addition to open source software.

Anson Uy, president of Touch Solutions Inc. (a Red Hat Linux company), earlier broke the news to Computerworld Philippines about the alleged "funded missions" by some software firms to discredit open source, although he did not identify any company. Uy revealed that the top three actions against FOSS are being carried out through "sponsored studies, piracy of open source developers, and bold press releases."

The PSIA recently opposed House Bill 5679 or the Free Open Source Software (FOSS) Act of 2006, filed by Congressman Teodoro Casino, which seeks to mandate government agencies, including public schools to use FOSS instead of proprietary software.

FOSS advocates believe the proposed law's enactment would bring several benefits, such as the use of legal, affordable software that is stable and user-friendly, a reduction in software piracy, and the emergence of local software companies.

However, Paul Zaldarriaga, chief information officer (CIO) of fast food giant Jollibee Group of Companies, and a Linux user, said legislation is not the right approach. "I think eventually the market would decide. The most they can do is to give incentives to people who want to play in the open source space to spawn usage." Zaldarriaga clarified that he doesn't consider himself a Linux advocate and is just a plain user. "When I shop around I try to get the best deal that I can. That's my only motivation." Yet Zaldarriaga stressed that schools should develop skills on Linux, as he believes it would put the Philippines at a very good competitive advantage versus everybody else. "Even at the company level, they should ramp up on Linux skills," Zaldarriaga said, adding that the next big thing would be Web development, since a lot of Web-based applications are expected to be on Linux.

Linspire, Canonical, Freespire, Ubuntu join forces

Thu, 02/08/2007 - 17:37

From DesktopLinux.com

Canonical Ltd., the sponsor of Ubuntu, and Linspire Inc., the developer of Linspire and Freespire, on February 8 announced a technology partnership to integrate with each other's Linux distributions. Linspire/Freespire will be based on Ubuntu, rather than Debian, and Ubuntu will integrate with Linspire's CNR package installer/updater.

Starting with Ubuntu's 7.04 release in April, Ubuntu users will gain access to Linspire's newly opened CNR (Click and Run) e-commerce and software delivery system. For Linspire, that will mean moving from Debian to Ubuntu as the base for its Linspire and Freespire desktop operating systems (see full article).

Planning to Buy a Linux-compatible Mobile Device?

Sun, 01/28/2007 - 17:08

From Packt Publishing

Most devices these days will run on your Linux distribution. Still, for every device that's supported there are a dozen that aren't. If you are wondering whether the device you are planning to buy can work with Linux, head over to TuxMobil.org (http://tuxmobil.org/). The website has a comprehensive list of devices that are supported on Linux. You'll find reports on laptops, PDAs, mobile phones, graphics cards, PCMCIA cards, internal modems, infrared chips, and several other hardware items that people have got working on a Linux distribution. If you are a Linux user planning to buy a device, you cannot afford to miss TuxMobil.org.

TuxMobil.org is run by Werner Heuser, who has 20 years of experience with UNIX and has been a Linux user since the availability of kernel v2.0. With a background in server and network administration, Heuser didn't let his very basic programming skills hinder his contribution to the Linux community. He is well known as the author of the very popular Linux-Infrared-HOWTO and the Linux-Mobile Guide. In this discussion I ask Heuser about the evolution of TuxMobil and its importance in the hardware buying decision.

Mayank Sharma: Hello Werner. Let's begin with a recap on the origins of TuxMobil.

Werner Heuser: When I bought my first laptop and installed Linux on it, I made an installation report available online almost ten years ago in March 1997. Some features of my HP OmniBook 800 were not supported on Linux. Trying to get the IrDA port to work, I missed documentation about infrared support for Linux and started to write my first HOWTO. The Linux-Infrared-HOWTO has been published by The Linux Documentation Project (http://tldp.org). During the next few months I installed Linux on some other laptops and discovered even more lack of documentation, so I started the Linux-Laptop-HOWTO. It turned out that portable devices like laptops, PDAs, mobile phones, and portable media players have much in common. For example, they often feature wireless connectivity like Infrared, BlueTooth, and Wireless LAN. So I turned the Linux-Laptop-HOWTO into the Linux-Mobile-Guide (also available at TLDP). The Linux-Mobile-Guide gives a detailed overview about Linux on mobile computer devices as well as connectivity issues with portable devices without our favorite operating system. Over the years I stumbled over much more stuff related to Linux on mobile devices. I finally decided to put it all together under a dedicated domain. That's how TuxMobil.org was born.

MS: Interesting. So how has the site grown since it first went online?

WH: TuxMobil is still growing. I maintain the site daily and add new content as well as check the old one. Also I write a daily newsletter "TuxMobil News" (http://tuxmobil.org/newsfeed.html), which is available as an RSS feed. Currently more than 6,000 links to Linux laptop and notebook installation guides are listed (http://tuxmobil.org/mylaptops.html), along with more than 300 links to PDA compatibility guides (http://tuxmobil.org/pda_linux.html), more than 400 guides to mobile phone connectivity (http://tuxmobil.org/phones_linux.html) and more than 100 portable media player compatibility guides (http://tuxmobil.org/portable_players.html). I expect to reach 10,000 laptop installation reports next year. Many installation and compatibility reports are available in different languages (http://tuxmobil.org/lang.html), though no languages from India yet.

MS: That's a lot of content. So how does TuxMobil help me as a buyer?

WH: Before buying a laptop or notebook, handheld or PDA, mobile phone or portable media player, you should first check TuxMobil.org for compatibility issues. If you want to get a device with Linux pre-installed there is a list of retailers around the world (http://tuxmobil.org/reseller.html) and for laptops there is a survey of laptops which are currently available on the market (http://tuxmobil.org/recent_linux_laptops.html).

MS: But how do you ensure the accuracy of the information?

WH: It takes a lot of time, so much so that it has become a full-time job. I follow every submitted link to an installation or compatibility report. And I read these documents fully. Sometimes I even give advice on how to improve the documentation. Once a year I check all the links with 'linkchecker' (http://linkchecker.sourceforge.net). For certain accessories the output of Linux commands is required. For example an entry in the Linux and PCMCIA cards survey (http://tuxmobil.org/pcmcia_linux.html) requires the output of the command 'pccardctl ident' (earlier 'cardctl ident'), otherwise I reject the entry. And I improve by discussing TuxMobil.org with others. I give talks about Linux and mobile devices around Europe in English and German. And during these events I usually have a TuxMobil booth where people can get advice for their mobile gadgets. You can learn much this way; I always wonder how many aspects of Linux and mobile devices I still don't know. Currently I am preparing a new talk "Theft Protection for Linux Laptops", which still gives me new insights into the topics which I have been studying for the past ten years.

MS: Why do you think finding a Linux-compatible device is an issue? Can something be done (by the manufacturers and distributions) to improve support?

WH: First of all, it's difficult to get a laptop without Microsoft-Tax. Some minor brands are offering laptops without pre-installed Microsoft operating systems, but often these companies don't survive. In the rare cases where major brands offer laptops without Microsoft-Tax, these devices are not much cheaper than with pre-installed Microsoft operating system. I have encountered cases where these machines were even more expensive. Secondly, people buying a new laptop with the intention of installing Linux on it, might be a little apprehensive. Someone has to be the first to do an installation and write an installation report. If companies would like to support Linux, they could either test Linux on their laptops themselves or give some machines to the Linux community before launching them in the market. On the bright side, all major Linux distributions are aware of the special issues with Linux on laptops. Some even have a dedicated task force to support Linux on laptops (http://tuxmobil.org/distribution_linux_laptop.html).

MS: Since you have been working with devices for so long, what trends have you been noticing with respect to Linux support on mobile devices? Are some hardware vendors more Linux-friendly than others?

WH: The Linux-based Zaurus PDAs made by Sharp have been in the market for many years. During 2005 some smartphones with pre-installed Linux have emerged. I suppose that PDAs will be replaced by smartphones soon and many of these smartphones will come with Linux. On a sidenote, the iPhone announced by Steve Jobs a few days ago will come with Mac OS X, which is just another UNIX operating system. Like I said earlier, some companies sometimes offer Linux pre-installed on their laptops and notebooks. But their Linux support is usually poor. In some cases you even have to install an obscure Linux distribution from an enclosed DVD. Drivers for internal modems and graphics chips are still binary only. Problems with suspend modes are often unsolved. Some peripherals like SD/MMC card readers and fingerprint readers may even come unsupported. If there are drivers for Linux available they often don't support every feature, e.g. graphics cards don't work in 3D mode or an external projector doesn't work; WLAN cards don't support monitor mode.

MS: Coming back to TuxMobil, how do you support the site, since all the information is available for free?

WH: When I created the project which is now TuxMobil I found out really soon that I needed some sponsoring to get hardware. For example, I required a second infrared device besides my laptop to write the Linux-Infrared-HOWTO. So I asked a great bunch of companies for sponsorship, but without any success. Finally, in May 2000, I decided to start Xtops.DE (http://xtops.de/) to sponsor TuxMobil.org. At Xtops.DE I sell laptops and PDAs with Linux pre-installed all over Europe. In 2005 I did get some sponsorship from other companies. Not much, but enough to give some hardware support to Linux developers creating drivers and tools for portable devices like PDAs. With the goodies I have got, I launched the TuxMobil GNU/Linux Award 2005 (http://tuxmobil.org/linux_award.html). I am confident of having the award in 2007 as well. My addiction to portable computers has led me to launch Repair4Laptop.org (http://repair4laptop.org/) and Repair4MobilePhone.org (http://repair4mobilephone.org/), where I help people repair, upgrade and customize laptops and mobile phones. If I can say something to your readers, I would love to link to their Linux laptop, mobile phone, PDA or portable media player guide.

MS: Sure thing Werner. Thanks for the interview.

What Scares Me About Security in 2007

Thu, 01/04/2007 - 16:51

From eWeek.com

Opinion: 2007 is the year that attackers get more creative. The low-hanging fruit is gone.

I'm always annoyed when it comes to the end-of-year retrospectives and predictions, especially the predictions. "More of the same" is never an acceptable answer, even if it's true, because it's boring. But I do think that the security landscape has been changing over the last year and should accelerate in 2007.

The "malware winter" began some time before client vulnerabilities began to shrink in urgency. There have been some pretenders to the malware-of-the-year throne, but no real winners.

In 2006 we could see the shift away from mass vulnerability-based attacks, even as a rash of "zero day" attacks emerged. Almost all of these zero-day attacks affected very few users.

This is not to say that there are no threats out there, far from it. Leave an unprotected computer out there and act irresponsibly with it, and you'll be "0wned" in no time flat. But protection against these threats has gotten much better and cheaper; anyone who is interested in protecting themselves can for a reasonable amount of money.

Security vendors are even beginning to be more reasonable with their pricing. The Norton 2007 line permits you to use one copy on up to three computers. That's a big step forward for consumer protection.

But we've also been hearing for years about the more sophisticated next generation of attacks. Recently I've seen a few examples that really concern me. Consider the "man-in-the-middle" phishing attack described by Brian Krebs.

In this example, instead of hosting a real phishing site, the site runs a program that proxies for the site being phished, in this example Amazon.com. The user sees what appears to be Amazon.com in the window, and, in fact, it is Amazon.com, having passed through the phishing program on its way to the user.

The attack site just tries to get log-in info, but it could keylog a lot more than that, including credit card info. The user can even buy merchandise and get it delivered! All this particular attack needs is a better domain name.

Another "advance" in phishing came my way today from F-Secure, which identifies phishing sites based on Flash content. This allows realistic sites that can elude many anti-phishing filters.

In the long term I'm optimistic about the ability of security software to combat phishing; there's so much more that it can do, but we're still in the baby steps.

Expect to see many more attacks this year moving up the application stack, both on the client and server, as the base operating system and the browser have become much harder to attack.

On the client, attacks may find it easier to get through more narrow targets. Maybe the scariest bug I've heard of in the last few months was the Broadcom Wireless Driver Probe Response SSID Overflow from the Month of Kernel Bugs. A stranger nearby can exploit you through this over wireless!
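The SSID overflow mentioned above belongs to a well-known class of driver bug: an 802.11 probe response or beacon carries tagged information elements, each a one-byte element ID, a one-byte length and that many bytes of payload, and the SSID element (ID 0) may hold at most 32 octets. A driver that trusts the attacker-supplied length byte and copies the payload into a fixed 32-byte buffer overflows. The parser below is an added illustrative example, not code from the Broadcom driver, the Month of Kernel Bugs advisory or the article; it shows the two bounds checks (element fits inside the frame, SSID is at most 32 octets) a receiver must perform before copying. The frame bytes are constructed samples, and the parser assumes it is handed the tagged-parameters portion of the frame body, after the fixed timestamp, beacon-interval and capability fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32   /* 802.11: an SSID is at most 32 octets */
#define EID_SSID     0    /* element ID of the SSID information element */

/* Parsed result: length plus a NUL-terminated copy of the SSID bytes. */
struct ssid {
    uint8_t len;
    char    name[SSID_MAX_LEN + 1];
};

/*
 * Walk the tagged parameters of a probe response / beacon body and copy
 * the SSID element into 'out'. Returns 0 on success, -1 if the input is
 * malformed or carries no SSID element.
 *
 * Both length checks are attacker-facing: the length byte arrives over
 * the air from whoever sends the frame. Omitting the SSID_MAX_LEN check
 * and copying 'ie_len' bytes into a 32-byte buffer is exactly the
 * overflow pattern the article refers to.
 */
int parse_ssid_ie(const uint8_t *body, size_t body_len, struct ssid *out)
{
    size_t pos = 0;

    while (pos + 2 <= body_len) {              /* need ID + length bytes */
        uint8_t eid    = body[pos];
        uint8_t ie_len = body[pos + 1];

        if (pos + 2 + ie_len > body_len)       /* element runs past the frame */
            return -1;

        if (eid == EID_SSID) {
            if (ie_len > SSID_MAX_LEN)         /* the check a vulnerable driver lacks */
                return -1;
            memcpy(out->name, body + pos + 2, ie_len);
            out->name[ie_len] = '\0';
            out->len = ie_len;
            return 0;
        }
        pos += 2 + ie_len;                     /* skip to the next element */
    }
    return -1;                                 /* no SSID element present */
}

/* Constructed sample inputs (not captured traffic). */

/* Well-formed: SSID "HomeAP" followed by a Supported Rates element. */
static const uint8_t good_frame[] = {
    0x00, 0x06, 'H', 'o', 'm', 'e', 'A', 'P',
    0x01, 0x01, 0x82
};

/* SSID element is not first; the parser must skip the preceding element. */
static const uint8_t later_ssid_frame[] = {
    0x01, 0x01, 0x82,
    0x00, 0x03, 'l', 'a', 'b'
};

/* Returns 1 when a well-formed frame parses to the expected SSID. */
int demo_good(void)
{
    struct ssid s;
    return parse_ssid_ie(good_frame, sizeof good_frame, &s) == 0
        && s.len == 6 && strcmp(s.name, "HomeAP") == 0;
}

/* Returns 1 when the SSID is found even after other elements. */
int demo_skips_other_elements(void)
{
    struct ssid s;
    return parse_ssid_ie(later_ssid_frame, sizeof later_ssid_frame, &s) == 0
        && s.len == 3 && strcmp(s.name, "lab") == 0;
}

/* Returns 1 when a 64-octet SSID (twice the legal maximum) is rejected. */
int demo_rejects_oversized_ssid(void)
{
    uint8_t frame[2 + 64];
    struct ssid s;
    frame[0] = EID_SSID;
    frame[1] = 64;
    memset(frame + 2, 'A', 64);
    return parse_ssid_ie(frame, sizeof frame, &s) == -1;
}

/* Returns 1 when a length byte that exceeds the frame is rejected. */
int demo_rejects_truncated_element(void)
{
    const uint8_t frame[] = { 0x00, 0x10, 'a', 'b' };  /* claims 16, has 2 */
    struct ssid s;
    return parse_ssid_ie(frame, sizeof frame, &s) == -1;
}

int main(void)
{
    printf("good=%d later=%d oversized=%d truncated=%d\n",
           demo_good(), demo_skips_other_elements(),
           demo_rejects_oversized_ssid(), demo_rejects_truncated_element());
    return 0;
}
```

The point of the example is the ordering of the checks: the frame-bounds check runs before any byte of the element is read, and the 32-octet check runs before anything is copied, so no attacker-controlled length ever decides how much is written into the fixed-size destination.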

One way to avoid phishing sites is to look for the Extended Validation certificate.

But in fact, as Oliver Friedrichs of Symantec Security Response says, the real action in vulnerabilities and exploits is on the server, where more than 70 percent of vulnerabilities are from Web apps, PHP, Perl and similar systems. Many of the sites with these vulnerabilities are front ends for important databases.

With such potential you can expect to see Web app worms going nuts this year, causing massive damage. And since PHP has suffered them before and so much research is focused on it, expect the attacks to center on those servers. If you run a PHP server, better keep up with those updates.

It's going to be a harder year for security in 2007 because it will be harder to explain problems, and perhaps harder to write tools to detect them. But part of this is because we've already made things hard for the bad guys.
