Gilles Gravier's rants about things in general... security, open source, privacy, java, music... in particular.
Sun and appGATE in Government Webinar on March 12th!
We're going to be doing a webinar with our partner appGATE!
If you are interested in securing remote access to applications and data in government, read below... and plan to attend!
The world is changing and so is how we work. Technology has provided great opportunities to take traditional desk jobs into the field to be more efficient and effective. The challenge lies in how to develop a secure, unified approach to managing an IT infrastructure with so many access points.
Today's Government agencies need to provide secure communication between different regions. Information of all government agencies, civilian, intelligence and defense, must be absolutely protected. But implementing it may be harder than it seems.
Join industry leaders from The 451 Group, Sun Microsystems, and AppGate Network Security for this informative web event and you will learn:
- The driving factors behind a growing mobile workforce in government
- The benefits - and pitfalls - of solutions on the market today
- Successful methods of protecting government services from unauthorized access, regardless of device
March 12 at 8:00am PT
If you have any questions or feedback, please send a message to GEH-webrequests@sun.com.
Posted at 12:15PM Feb 25, 2009 by gravax in General | Comments[0]
appGATE Free Edition is out!
Finally it's there! appGATE has just released their new Free Edition of their Security Server. The general idea is that you can download a virtualized version of it, run it in VMware (hopefully soon VirtualBox). You just need to go to appGATE's web site, apply for a free license, download the image, and off you go.
While this isn't open source... it's using a similar business model. You get the basics for free... you can then decide if you want / need (paying) support. Of course there is a limitation in terms of number of users... but, should you need more, you probably will want a fully scalable appliance version of the product, in which case you'll be happy to purchase it pre-bundled and configured for you. That's added value that you'll appreciate.
appGATE is doing the right thing. In these times of economic difficulties, they are making their product available for free to small enterprises as well as anybody who wants to do a small pilot... and that will let people discover the benefits of remotely accessing corporate data and applications.
You know what's even nicer about all this? It's based on OpenSolaris, our very own open source operating system. And, I think, the world's most secure general purpose operating system. You can, of course, if you want something a bit less bleeding edge, and you need the certification, get the appliance on Solaris 10 which has undergone IT-SEC EAL4+ certification. And since the actual appGATE security server is EAL2+ certified, you get pretty much state of the art security, with certifications to prove it.
Way to go!
Posted at 12:09PM Feb 23, 2009 by gravax in Security | Comments[1]
Solving the governmental secure SOA jigsaw puzzle with soda...
With the growing requirements for more and more complex services to be offered to citizens, and also the ever increasing requirements for integrated internal processes (like integrated tax systems, for example), governments around the world are being faced with what I call the secure SOA jigsaw puzzle syndrome. (That is, of course, if one believes that SOA is still a relevant term... It seems some people, and not the least, think we need to shift away from the SOA terminology...)
How do you mash up multiple services that have been provided by different vendors? How do you ensure that this mashup remains secure? You might trust one of the vendors more than another. How do you prevent the code running on one of the services from turning rogue and doing a bit more than you expected on your network? How do you ensure that there is no data leak between services, either through the services infrastructure itself, or at the user's point of interaction?
Your typical solution to the problem becomes very complicated as you have to go through all kinds of network topology hoops to separate your different service providers, and even doing that, at the point of user interaction, it still is very hard to prevent a state revenue service worker from accessing a citizen's tax records and then copy/pasting it to a web-mail connected to the internet.
I'm currently designing an architecture that is aimed at solving these issues in a very elegant way. We call it SODA, or, to be precise, S3ODA for Secure Shared Services Open Delivery Architecture.
The idea is very simple. Solaris 10 and OpenSolaris both share a common feature called Trusted Extensions (TX, as we call them, between friends). By using TX you can assign labels (you can think in military terms, with labels like Confidential, Secret, Top Secret... but also, without hierarchy, you can think of labels in terms of names of services like ServiceA, ServiceB, ServiceC).
You basically assign a label to each service component you are going to plug into your services architecture. Either you are running the service on a Solaris system, in which case you enable TX on that system and run the service inside the corresponding label, or, if the service isn't running on Solaris, you proxy it behind a Solaris + TX server which enforces the labeling, or you use a network environment supporting CIPSO labels and map your service to the corresponding label.
On the service switch side, the magic resides in implementing your ESB stacked inside a multi-label Solaris system. You create one label per service, and you have one instance of the ESB per label running on the Solaris machine. And behind that, you implement, as part of your policy engine, the rules that enable the different labels to communicate only when the application workflow mandates it.
That way, service A components can only talk to service B components when they are allowed to. At any other time, since they are running at different labels, neither the network infrastructure (CIPSO or Solaris TX servers) nor the ESBs allow different labels to intercommunicate, until the application workflow reaches that step and the Solaris TX switch server opens up the communication for that specific task. This takes care of the information leaks from the services infrastructure side of things...
Now how do you handle the prevention of data leaks at the user's point of interaction? Sun has been developing (initially for defense customers, but it's really usable by everybody) an environment called SNAP, for Secure Network Access Platform. The general idea behind SNAP is that you implement a Sun Ray server on top of Solaris and Trusted Extensions. Sun Ray clients are very slick devices. They are thin clients, with absolutely zero state, no hard disk, and minimal information in FLASH (basically just enough to boot using BOOTP/DHCP on a network and then figure out from there how to load their software and start being useful). The advantage is that since there is no local storage, theft of a device brings no data theft... and the device itself is useless to the thief, as a Sun Ray without the Sun Ray server behind it is pretty much a paperweight.
Now once you have the proper server infrastructure, they are very very useful. And if you use SNAP, what happens is that on your terminal, each window you see on the screen operates at a specific security label. Yes, the same as the ones on the network and services switch. What happens then is that it is not possible to copy/paste between windows that don't share the same label (or, in defense environments, you can't paste from a high security level to a low one - you can't declassify). So here is what you do. Your tax worker can be accessing tax records of celebrities, but that person has no possibility to copy from the tax application window to, say, a web browser that might be open elsewhere to enable him to do background checks... impossible to take the tax data and paste it in the browser. But the system may have a rule in place enabling pasting from the browser to the tax application in order to keep track of things like pictures of expensive houses used to justify that tax was maybe under declared by the celebrity...
Do you want to know more about this architecture? Send an e-mail!
Posted at 11:33AM Feb 23, 2009 by gravax in Government | Comments[0]
Jet lag and appGATE
I arrived yesterday in the SF Bay Area for a week of meetings and this is the first night. Jet lag just hit at its strongest and weirdest as I woke up at 2:15 this morning fresh out of a dream that (since I woke up during it) I remember in every vivid (and strange) detail.
So in my dream, I was with a friend who is the IT director from the Grande Chartreuse monastery in France, a beautiful place near Grenoble where they make one of my all (adult) time favorite drinks: La Chartreuse. Now this is strange as I have no friend who works in, or for, a monastery... But if I had, it would probably be one working right there.
So what was I doing in my dream? Well, we were home, and he was asking me (thus adhering to the oh-so-common tradition around me: "Hey, Gilles, you work in computer security, can you give me some ideas about what I'm trying to do?") how to enable the monks in the monastery who are travelling around the globe (I don't even know if the Carthusian monks actually do so) to securely access their internal network.
And so, in my dream, I had brought him up to my work room and was explaining, using drawings on the big whiteboard, how appGATE Security Server enables roaming users to identify themselves, have their role and its current implications in terms of access to applications and data checked by Sun's Identity Management suite so that the system knows that, while they are travelling, they are currently in service, so have access to all their applications (albeit in a potentially limited fashion due to the remote location or constrained device), or maybe that they are travelling and not in service, so only have access to a subset of features (like, just e-mail). I was showing how only one port needs to be open on the appGATE security server (usually port 22 for SSH), and that there is never direct contact from the outside of the network to the inside, but rather that the security server offers a relay to a view on what specific tasks and resources are allowed given the user's current context.
I had also told him that this was secure enough to be used by defense, government, banks and other very sensitive customers worldwide and that this was a very cool company as their stuff was running on Sun hardware, and about how the roaming features allowed the underlying network variations to be abstracted from the applications by the appGATE client on the device.
And then I woke up. 2:15 AM, in my usual hotel in Newark... So here I am writing about this. Yes, there would have been many more things to say about the Sun / appGATE partnership, about how appGATE's solutions perfectly complement Sun's own Secure Global Desktop offering when roaming is key and how appGATE is packaged through Sun's CRS service in the form of easy to order, and use, appliances... but it was just a dream, so limited in time and scope.
And talking about time... it's about time I got back to bed and tried to get back on track to California time. This week will be a long week, and unfortunately, I don't know if, or where, I'll be able to sip a glass of delicious Chartreuse. One more thing to look forward to when I get back home to my lovely family.
Posted at 12:01PM Feb 01, 2009 by gravax in Security | Comments[0]
Remotely connecting to a Solaris machine... with security, minimal fuss and stuff!
I figured (OK... it was suggested to me by Karim Berrah who runs the CHOSUG Wiki) that others might be interested in knowing how I remotely connect to my favorite OpenSolaris machines.
It's actually very simple... all the tools are there for you!
The basic protocol that we will be using is called VNC. OpenSolaris comes with 2 different VNC servers.
The first one is the traditional "vncserver" process, which you can start manually, specifying the resolution with "-geometry XxY" and the virtual display number to use with ":X". E.g. "vncserver -geometry 1024x768 :2". The first time you use vncserver it will ask you to specify a password to protect the connection to your system. (You can change it later with "vncpasswd".) If you don't do anything special, the session starts with twm as the window manager. You can edit the .vnc/xstartup file and change the "twm &" line to start some other window manager if you want. But twm is very lightweight. You can kill the vnc server by using "vncserver -kill :X" where X is the same you used to start the server. You can run multiple vncservers...
The second means comes bundled with GNOME, and is done using vino, which is the GNOME vnc server. It is embedded with GNOME and starts when you start your session. You first configure and enable it with the command vino-preferences (or through the menus System->Preferences->Desktop Sharing). Allow users to view and control your desktop... and very important, set a password! The current build of OpenSolaris has an "Advanced" tab there that offers additional options. Have a look. Note that since vino is sharing your GNOME display it is automatically set to number :0.
To connect to your machine from remote, there are 2 ways. The "fat" way by using the native VNC client "vncviewer :X" where X is the number you defined when starting vncserver or, for vino, :0.
You will be prompted for the password you specified.
Vino is interesting as, since it's integrated with GNOME, it offers full DBus integration... but has the drawback of being fixed to :0... and requiring the GNOME session to be started on the machine by logging in... whereas vncserver can be remotely started from a shell and doesn't require the user to be logged in, but doesn't offer that full GNOME integration.
VNC traditionally uses 2 ports to work.
One is the normal VNC protocol port and is 5900+X (where X is the number you chose when launching vncserver)... so 5900 for vino and (in my example when I used :2) 5902. This needs to be tunneled if you are going to go through a NAT router.
The second port is 5800+X (same rules for X)... and that's the Java client for VNC. This is the light way of accessing it. If your server is, say, :0 (case of vino) just open a browser to http://yourhost:5800/ and it will start a Java vncviewer directly to port 5900. VINO comes with the Java client by default. vncserver doesn't (you have to manually add -httpd to the vncserver command - i.e. vncserver -httpd -geometry 800x600 :2). This Java solution is nice as it doesn't require a local vncviewer client... can be run from any modern browser with a Java VM installed.
Here is an added bit of magic... I don't like to run vnc over a cleartext network connection. VINO supports encryption, but not all clients do. So what I do is that I don't open 5800+X and 5900+X on my NAT router. Instead I open port 22 and SSH to my server, and there, through SSH I tunnel ports 5800+X and 5900+X. And from my client machine I "vncviewer localhost:5900+X". This is now tunneled through SSH from my client machine to the actual server.
My favorite application to do this SSH magic is AppGate's MindTerm. It's a free (for personal and small business) Java SSH client. It's a jar file that can be run as an application or hosted as a Java applet (I have the application on my OpenSolaris laptop, but the applet served from the web server on my home network so that it's always available to me wherever I am coming from). When you launch it, you specify which machine you want to connect to. You do the login... and then Tunnels->Setup and select "Add". Since I have vino on my local laptop, I can't use local port 5900... so I forward 5901 to the remote "localhost" 5900 (since the remote server is also running vino on :0). This is done by selecting
- Type : local
- Bind address : localhost
- Bind port : 5901
- Dest address : localhost
- Dest port : 5900
And then clicking OK. Voila. You can then run "vncviewer :1" from a terminal and it will connect to vino (:0) on the remote machine, tunneled through SSH.
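The same tunnel built with the OpenSSH command-line client instead of MindTerm, as an added example that is not part of the original post: the script computes the 5900+X and 5800+X ports, builds the ssh -L forwarding command (local ports bound to localhost only, with ExitOnForwardFailure so ssh refuses to run without its tunnel when the local port is already taken by a local vino) and the matching vncviewer call. The host name solaris.example.internal is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own code: OpenSSH equivalent of the
# MindTerm tunnel (local :LOCAL_DISPLAY -> remote :REMOTE_DISPLAY over SSH).

# VNC display N listens on TCP 5900+N; the Java/HTTP viewer on 5800+N.
vnc_port()  { echo $((5900 + $1)); }
http_port() { echo $((5800 + $1)); }

# Accept only a small non-negative display number (":0" .. ":99").
check_display() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 99 ]
}

# tunnel_args REMOTE_DISPLAY LOCAL_DISPLAY
# Prints the two -L options. Binding to "localhost" on the client side keeps
# the tunnel entrance off the LAN; the destination "localhost" is evaluated
# on the server, so the VNC ports never need to be opened on the NAT router.
# LOCAL_DISPLAY must not collide with a display already served locally
# (vino on :0, as in the post), hence local 5901 -> remote 5900.
tunnel_args() {
    check_display "$1" && check_display "$2" || return 1
    remote_vnc=$(vnc_port "$1");  local_vnc=$(vnc_port "$2")
    remote_http=$(http_port "$1"); local_http=$(http_port "$2")
    printf '%s' "-L localhost:$local_vnc:localhost:$remote_vnc -L localhost:$local_http:localhost:$remote_http"
}

# ssh_tunnel_cmd HOST REMOTE_DISPLAY LOCAL_DISPLAY
# -N: forward only, no remote shell. ExitOnForwardFailure=yes makes ssh exit
# with an error if a local port is busy, instead of silently connecting
# without the tunnel (which would leave vncviewer talking to the local vino).
ssh_tunnel_cmd() {
    args=$(tunnel_args "$2" "$3") || return 1
    echo "ssh -N -o ExitOnForwardFailure=yes $args $1"
}

# viewer_cmd LOCAL_DISPLAY: vncviewer resolves ":N" to localhost:5900+N,
# i.e. the local end of the tunnel, so no VNC traffic leaves in cleartext.
viewer_cmd() { echo "vncviewer :$1"; }

# Reproduce the post's setup: remote vino on :0, local vino on :0,
# so the local end of the tunnel is display :1. Host name is a placeholder.
ssh_tunnel_cmd solaris.example.internal 0 1
viewer_cmd 1
```

Run the printed ssh command in one terminal (it stays in the foreground while the tunnel is up), then the vncviewer command in another.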
Have fun!
Gilles.
Posted at 11:38AM Dec 10, 2008 by gravax in Security | Comments[0]
Rockbandism... is it for Sun?
My friend Henriette Weber Andersen (she runs Toothless Tiger - if you're looking for a different kind of marketing, she's just what your company might need) just started a new idea. It's called Rockbandism (she puts an apostrophe in there - I prefer without). A new way to look at your company.
In these extremely hectic times (the Chinese would say "interesting times")... it's no longer business as usual. It's time for changing the cards, turning the company around... 405 degrees. (the first 360 to confuse the competition, the next 45 so that you stay aligned with your corporate goals, but are ready to get there by taking angles).
Have a look at her blog entry on 24ways.org. 10 steps to move your company towards Rockband status.
You know what... maybe Sun should do more of that. Get today's startups hooked on OpenSolaris, JavaFX, OpenStorage, MySQL (OK, they're already hooked on that one), Glassfish... using means of communication that they relate to (like blogging - oh wait, we already do that) and turning them in ways that really appeals to them (i.e. not using blogs like institutional PR tools - ah, yeah... we seem to do that a lot these days).
Read Henriette's eBook at Toothless Tiger Press and make your own idea... and tell me what you think. Does that lady rock?
Posted at 12:24PM Dec 08, 2008 by gravax in General | Comments[0]
Choosing the right license in the open source world
So you are now ready to start creating a product. This product will contain software. Software you will write, or have already written, but possibly also third party software that you will bundle with your own code, and maybe some hardware.
You need to start thinking, very early on, about a crucial element when using software.
Licensing.
You may already have made the decision on whether your software will be commercial or free, closed source, or open source... but you need to look at licensing issues in at least 2 very important places, in particular if you plan to include open source software.
Many people tend to associate open source with only the freedom aspect it brings. But it also comes with a serious amount of obligations and responsibilities.
Selecting the right license is the work of licensing experts and lawyers. But I'll try to give some ideas on how to go about making reasonably good choices in this area.
First things first. The Open Source Initiative has a definition of what an open source license is. This definition is available at : http://www.opensource.org/docs/osd/. They also do the complex task of reviewing popular open source licenses and listing the ones that match the definition. This list is at : http://www.opensource.org/licenses/. It provides a basis for selecting licenses from, at least, a limited list.
So what is it that makes an open source license? Let me start by quoting the 10 points of the Open Source Definition mentioned above:
---
As you can see, that's a pretty strong definition. Lots of things that must be done, and lots that can't be done, if a license is to merit the qualification of open source.
Not everything can be called open source. Good thing there is a definition.
So. How do you pick the right license for you? What are the implications?
Well, there are 3 main types of licenses available to pick from.
Type A licenses, also referred to as “attribution licenses”, are the ones with the fewest requirements. They allow unrestricted development of derived works. You can typically use type A licensed code in any way you like, embedding it into other applications with almost no constraints. Example type A licenses include the popular Apache or, the very simple, yet effective BSD (example from the FreeBSD project) license. One of my favorite ones (which I have yet to see used in common software) is the WTFPL “Do What The Fuck You Want To Public License”.
One of the aspects that I've noticed about type A licensed projects is that despite the fact that the license doesn't mandate that derived works should be submitted back to the original project, they tend to generate a strong community feeling in the user / developer community and people still do contribute back to the original source commons. Which goes to show that you don't have to force people to contribute for them to do so.
Type B licenses are the ones that are normally considered as community fostering licenses. The point of these licenses is that when you take code from such a project, you have to contribute back to the project any change you make to files from the project. You are free to add any new file covered by any license you want (as long as that license of yours doesn't conflict with the normal licensing of the original project files), but any existing file that you change needs to be contributed back to the project if required. Example type B licenses include Sun's own Common Development and Distribution License (CDDL) which covers OpenSolaris.
Many developers use type B licenses when they want to embed some open source project (say, an operating system) into a bundle (could be an appliance) which is licensed differently. Doing so, they have to keep the original open source project with its license, and thus, with source code available, even if they do modifications in the project files. But they can add their own files, drivers, applications, glue and keep those licensed as they want (even, possibly, commercially licensed).
Finally, type C licenses, which tend to be project fostering licenses, are such that, like type B, any file you modify from the original source commons keeps the original license, but also, any file you add to the project inherits that project's license. These licenses inherently seek to propagate open source by, in a way, contaminating what they touch. They are often qualified as viral licenses. Should you bundle your own software with a type C licensed project, your own software automatically gets contaminated and turned into type C licensed code for which you also will have to publish source code as defined in the original project's license. This is great when you want the project community to benefit from any derived works built upon that project. But it can also have the side effect that people using code from these projects are forced into publishing their own intellectual property. Examples of type C licenses include the universally known GNU General Public License (GPL) which is used for example for the Linux kernel. Anything tightly bundled with a Linux kernel has to be licensed under the GPL as well.
In order to make this contamination aspect less constraining, there is a derived license based on the GPL called the GNU Lesser General Public License (LGPL). It is possible to link, through specific means, software to an LGPL licensed project without that software being contaminated by the original license. This enables one to bundle an LGPL project with non-LGPL code and keep the licenses different for each part of the bundle. OpenOffice.org is licensed under the LGPL, enabling one to plug pieces of code into proper APIs in OpenOffice.org and keep these plugins licensed the way initially planned.
A typical example of unplanned contamination would be an appliance vendor that makes small consumer devices that sell in hundreds of thousands of units. In order to limit costs, they elect to use a standard chip set that provides the basic functionality directly, then they pick the operating environment to put on it. For costs and simplicity, they pick an embedded Linux platform. Then they develop their own code and glue. They write device drivers for custom hardware, they write a complete GUI that directly plugs into deeply embedded aspects of the operating system, and device configuration, and they sell the whole thing as a consumer appliance. The problem is when somebody figures out that it's Linux inside... and since Linux is covered by GPL, that means that all the software that is deeply linked to the OS is also, necessarily, made GPL. First of all, they have to make the whole source code available (as per GPL, and any other open source license)... but worse, if they embedded other third party code, they can get into legal issues because that third party tool probably also must be made available under the GPL. It can get nasty. Because they didn't consider the implications in advance.
On the other side, sometimes, you WANT to use a viral license like the GPL. Sun has published the OpenSPARC processor under the GPL exactly with that viral aspect in mind. We want other companies to build fancy, successful, commercial products based on the OpenSPARC processor. We want them to not only benefit from the R&D we did to come up with the OpenSPARC processors, but also, we want them to bring their own enhancements, and contribute back to us the good work they throw into the processor. We want the next hot microcontroller based on OpenSPARC to benefit the whole OpenSPARC development effort.
So as you can see, there are several types of licenses, each with very distinct characteristics. Choosing one isn't something you do lightly.
In order to choose the right license for you, you must first decide what you want to do with your own project. Deciding if you want to make it commercial, or not. Closed, or open source. You also need to think about how you expect your users, and possibly developers down the line, might want to use or reuse your code in their own projects.
Then, if you are going to bundle your code with third party code, you must carefully examine the license you want for your code, and the available third party projects that fit your requirements and their own licenses. Make sure the one you pick has a license that is compatible with your selected license to avoid legal issues down the line.
As you see, choosing proper open source licenses (in products you will use, as well as in products you will develop) is not necessarily an easy task. Following the above guidelines will help you get a general idea. But probably the best single piece of advice to give is to talk to a lawyer specialized in software licensing. They will help you pick the license that is best for the model you have in mind for your product. Also, people like the FSF organize licensing workshops. For example, the FSF Europe is running a 'Licensing questions and other legal issues' workshop in Zurich, Switzerland on October 17th, 2008. There may be others in your region to choose from.
Posted at 07:03PM Jul 23, 2008 by gravax in Opensource | Comments[1]
Why high definition DVDs are good for privacy and security...
So here's the situation... nowadays, when crossing border control, and in particular when entering the US of A, you may be asked to turn over your laptop, and other electronic devices, to border control who, fearful of terrorists crossing their border, will want to search your corporate data for any kind of document that may prove you are on your way to planning something nasty.
Bruce Schneier has commented many times on how you should prepare your laptops, cell phones, and other devices so that when seized, nothing bad happens.
There is one additional option that he doesn't mention (yet), but that I think will become more and more feasible given where the media industry is taking us.
Take a movie. Yes, one that you rightfully own, of course. Convert it into a Divx (you bought the movie, you should be able to view it on the player of your choice). Actually, my friend Darren Moffat suggests even better, take a personal home movie that you made with your own camcorder, so that there are no issues whatsoever about fair use or alternate formats... you made the movie, it's yours to do what you want with it. If it's a normal movie, you get an 800MB file... that's small... but if you take an average HD-DVD (R.I.P.) or BluRay movie, then you get a multi gigabyte file. That's much better...
What can one do with a multi-GB file of seemingly random bytes? Well, you can tweak lower order bits to hide data inside it. That's called steganography. And with multi gigabytes of storage to start with, you can store a whole lot of useful information.
Suddenly, that 32 GB SDHC card you just bought can be used to watch a movie on the plane all while carrying your sensitive personal or corporate data. And all in perfect deniability. "Mr Officer, this is just a Divx which I've been watching on the plane during the flight where they had very boring movies scheduled. Here let me show you that movie." and you go on to play it in your favorite (open source) media player to prove your case.
I love technology!
Posted at 10:59AM Jun 17, 2008 by gravax in Security | Comments[0]
OpenJDK 6 in Ubuntu Hardy!
So yesterday I had a very nice surprise. I moved my old home server from NetBSD (had been running that OS faithfully for the past 7 years - through a few hardware updates - but I've been bitten too many times by pkgsrc updates that broke most of GNOME and required heavy sessions of recompiling individual stuff to fix for my own comfort) to Ubuntu Hardy (I've been using Ubuntu on other laptops for quite some time, since version 6.04).
Basically, I first copied the 550GB of data from the 750GB disk of the NetBSD machine (since Ubuntu can't read the NetBSD filesystem natively) through the network to a new 750GB disk plugged into a Ubuntu machine... That took over 24H... Yech. Then I installed Ubuntu on a 200GB SATA disk and the new 750 GB disk in the small server that had previously been running NetBSD.
My first two steps were installing SqueezeCenter (for my Logitech Squeezeboxen music streamers) and SwissCenter (for my Pinnacle Systems ShowCenter 200 media streamer) which required some fiddling around because of Hardy's new AppArmor security scheme which messed up PHPMySQL... and Apache 2 which is new to me (the old NetBSD machine was running Apache 1.3)... I now have multimedia again at home.
Then I prepared the P2P downloading stuff... aMule and Azureus... And that's where the cool thing happened. First, Azureus is directly in the Ubuntu repositories... which is nice. Second, when I installed Azureus, it naturally added the dependencies, which, to my big surprise, include... OpenJDK 6! Very nicely done! Completely transparent.
(As a note to Azureus authors: Because Azureus uses Eclipse's binary SWT for GUI, it is not platform independent - which is stupid as it breaks one of the main interests of using Java... so it wasn't available on NetBSD... which is why I got used to using the excellent (and lightweight) Transmission BitTorrent GTK+ client. And as such, I guess I will, finally, stick with Transmission also on Ubuntu...)
So automatically, now, on Ubuntu, when needed, OpenJDK 6 gets installed... I'm curious to see how the updates will take place through the Ubuntu update manager. And with what delay compared to the official updates to JDK 6 from Sun. But this is very very good news for the Ubuntu users community, and for the Java world in general. From now on, one can assume that the official JDK will be available in Linux... transparently... just like that, when needed.
Java. There, for you, when, and where you need it!
My next steps include getting Apache 2 fully working with all the relevant virtual domains that I used to host... and also getting the SAMBA file server up and running for the family users on the home LAN. A few more nights of hacking fun in perspective and I'm all set!
Again... thanks Sun and Ubuntu for having made OpenJDK 6 directly available, no hassle, in Ubuntu Linux (and others, as I understand)! A beginning of a new era... Microsoft won't ship Java by default in Windows... fine. Linux will. Guess who wins? 
Posted at 03:26PM Apr 30, 2008 by gravax in Opensource | Comments[8]
Oh my gosh! Java is Old!
OK... I'm going to sound like an old fart here. But well, maybe I'm starting to be.
I just realized that, Java being over 13 years old, while I was there when it was born (I was actually already working at Sun - that's the 'I'm an old fart' part), many of today's developers came to the IT world after Java was born.
Just as, during all of my career, I've known that things like FORTRAN and COBOL had always been (and likely will always be) around... for the new army of developers writing AMP applications, AJAX, .Net, Ruby-on-Rails... Java has always been around (and likely always will be).
So maybe it's time at Sun that we start talking to these people not as if Java were the latest hip thing, but more as if Java were something that's always been there and always will be. There's really no point in telling developers that FORTRAN or COBOL is there... they know it. They also know Java is there.
We've got to make Java evolve, live on, become even better... and we have to keep the developer community interested in Java, not because of hype, but because it truly is one of the best platforms in the market. Probably the only one that offers as much portability and interoperability on the planet. But this is not new. This is not news. This is.
So how do we keep developers interested in Java, in this old news? How do we get them to write in Java, to target the Java platform? We're already doing quite a bit to address this. But we need more.
We are making sure that Java keeps up-to-date with the required set of features that the world expects of such a universal platform. Now that Java is GPL, we'll get even more contributions, and hopefully, it will get richer and richer... without getting bloated.
We need to revise how we drive our JavaOne conference. We need to target a different audience. We need to make it cooler, more hip, fancier. We need to make it more of a community event. Add unconferencing to it. We might need to hire people who are more versed in the new-world marketing / communication tools. It's not just about blogging, but goes way beyond that if we want the communities to adopt Java.
We need to make the Java community a user community, even more than we need to make it a developer community. In the open source world, the users are turning into developers. The more users of Java, the more they will contribute, as developers. And we've got to be ready to include them in the development process of Java... as every good open source project does with their user-contributors.
Posted at 12:36PM Mar 18, 2008 by gravax in Java | Comments[2]
Web 2.0... anything more than just a marketing term?
I've heard so many people talk about the Web 2.0... or write about it... just as if it were an actual physical reality, a fact of life. I already commented about this... about a year ago. Yet I keep hearing this. I keep seeing new definitions of Web 2.0... as if there were a desperate need to find a way to define this nonexistent reality to give it some kind of legitimacy.
The latest attempt to date compares the ease of creating web sites pre-web-2.0 and post.
I still don't buy it.
Before, building a web site required knowledge of HTML, and a proper HTML editor (vi for some of us, something more fancy for others). If you had to install the stuff to run it on a machine, you basically installed Linux (or Solaris, or Windows, or *BSD) and then slapped Apache on top. Pretty simple... and direct.
Nowadays, you have to install Apache, PHP, Ruby, who knows what other toolkit, and configure all of these building blocks to talk to each other. Anybody here know what ap-php is? Well, that's the additional piece of code needed to tell Apache about PHP... and so on. Then you have to learn HTML, PHP, Python, Ruby, AJAX, and who knows what else.
What is easier, these days, with the so-called "web 2.0" (which I still consider a fancy marketing term, with no actual measurable difference from, say, web 1.1, web 1.2, web 1.3...) is that there are a bunch of portals that people have taken GREAT PAINS to build, which allow unknowledgeable users to actually publish stuff. But these "publishers" don't know how to create a web site any more than they did before. They are just given the tools to put stuff in placeholders. Most of the "facebook" users still have no clue as to what gears are turning behind the blue and white screen they are putting their stuff in. Heck, they probably don't even understand (or care about) the privacy issues related to putting online what they are publishing.
Now back to web 2.0... why 2.0? I wasn't really aware that the web had reached a 1.0. As far as I'm concerned, since I first saw the Mosaic web browser appear around 1994, the web has slowly, but surely, been evolving. It's not reached, yet, the "itchi dan", the first degree that will show some maturity.
It's gone from static, non-moving, pages, with links (Tim Berners-Lee's original web - would THAT be 1.0? or is it web pre-release-0.1?)
To static pages with moving things (thanks to our Java, then Flash, then ActiveX)
To being an insecure space (thanks to ActiveX - ok, maybe in some cases to Flash, and even to a lesser extent, in some rare cases, Java)
To being a searchable web (Yahoo)
To being a commercial web
To being an advertisement powered web
To hosting the dot.com bubble burst
To being an even more searchable web (Google)
To starting again to be a commercial web (maybe it never stopped that, but just slowed down)
To being a collaborative web (wikipedia)
To being a res publica, a web of its own denizens (facebook, myspace, and other sites where the user creates the content)
What will be the next steps? Which one of the previous steps marks Web 1.0? Any one could... but then the next ones would be 2.0, 3.0, 4.0... I prefer to think that the web has no version number. It's a constantly evolving entity, and there will never be clearly defined thresholds that we will reasonably be able to label as 1.0, 2.0, 3.0.
Proof? Getting back to "2.0"... nobody really agrees on a common definition.
It's because there IS no 2.0... just as there WAS no 1.0... And there WON'T BE a 3.0...
If it were a discrete progression (1.0, 2.0, 3.0), it might stop at any of these values.
It's all an analog progression through the digital space. That's why it will always continue to evolve.
Posted at 10:26PM Feb 18, 2008 by gravax in General | Comments[2]
25 Years Online, And More To Come
Today I just realized that it's been over 25 years that I've been online.
25 years...
Wow!
Things have changed! I feel the need to write down some of the highlights of my online life.
25 years... More or less the same age as Sun Microsystems. "The Network Is The Computer". I was trying to get that to work back then, without TCP/IP.
My first real computer was a TRS 80 Model I. I bought the beast around 1981 / 1982. My parents helped me buy it (though all of my pocket money that I had earned working during vacation – I was 17 at the time – went into it).
At this time, I was heavily into CB radios. A friend of mine (actually, neighbor, living across the road, called Frank Salomé – hi Frank!) had a TRS 80 Model III and we wanted to exchange information. These machines had audio cassette I/O... so we got that to work, plugging the cassette-out to the microphone IN of our Thomson ERA 2000T (22 channels FM 2 Watt CB radio) and the cassette-in to the microphone OUT of same transceiver. That worked... though not the actual bidirectional networking we would have wanted.
Some time later, a schoolmate of mine brought me a fully populated computer board that his dad had brought back from his office (Alcatel, if I remember well). Wow! What luck. The board had, soldered onto it, all the expensive chips I needed to build the expansion interface of my TRS 80... it had 2 banks of 4116 RAM chips (very fragile CMOS that I unsoldered by blowing high pressure air using my dad's compressor – in the process, pulverizing droplets of solder all over the wall of his workbench – my dad was really pissed off – all that without destroying a single chip). It also had a floppy disk controller (the famous – at the time – WD 1771 chip).
With my expansion interface came a modem. 300 baud. Unfortunately, it was Bell standard, and in France, we needed CCITT. I hacked the 600 ohm transformer and R/C bridge and I was more or less in business (though not perfect). Didn't use that one much.
Some time later, I got my first PC compatible. An Amstrad. After just a few minutes of having it at home, I realized my mistake. This machine wasn't built to be opened by the user. It was extremely hard to hack into it. I sold it, and got myself a real PC compatible for which I chose the motherboard, the graphics controller, the IDE controller, and... got a big (I think Alcatel, again) modem. 1200 baud. What a luxury compared to my 300 baud on the TRS 80.
With that weapon in hand, I started playing around with BBSes. Found a toll free number that was connected to a research X.25 network, which was, very conveniently, interconnected to Transpac (the French commercial X.25 network). Through that, I would log on to servers around Europe. Mostly in the UK. So many things to download. At that time, I was also a student in university. Got my first official e-mail address. I was corwin@ensta.fr. 1988.
In school, I was a hacker. Broke quite a few of the systems... sometimes voluntarily, sometimes less. Until the system administrator came to me and said “Gilles, instead of breaking machines, why not help get them to run. We have received a batch of machines from a company called Sun. We have no idea how to set them up, but please come help, I'm sure you'll like it.” I did. That mostly turned me away from the dark side. Though, I remember once bringing down a whole class of students trying to learn LISP by writing a recursive virus that spawned processes on the server until it was saturated. At the time, SunOS didn't limit the number of processes per user in a way that would have prevented it. Took a few hours to bring it back up (fscks, you know) and I had a few system admins and teachers somewhat unhappy at me. Oh well. Live and learn. No more recursive spawns for me.
But I was not completely done trying things online. I had a fun idea. What would happen if I sent a mail to “*@*.*” I tried. At the time, the university was interconnected to USENET through the French node INRIA. And I got a very upset e-mail from the system administrator of INRIA to the effect of “Don't EVER do that again.” No idea if it really got the network down, over there... but certainly attracted attention.
Time passes. I'm still connected with my 1200 baud modem to the rest of the world, in my apartment in Sceaux, near Paris. I'm now working at Uniplex. My e-mail at work is UUCP... bang bang! I'm just about to do my first online purchase. A chap in the UK called Adam Back published the Munitions Shirt. A shirt that has a bar code encoded version of the RSA encryption algorithm. As such, it is machine readable and considered a munition in many countries, including my own, France. Since there is no such thing as the commercial web, and HTTPS / SSL, the only way to place a secure order is to send a PGP encrypted mail. I take the source code of PGP 2.3 and port it to the MIPS RC/3230 of my company since it's not available on this machine and I need it. I place my first order. I still have the shirt (though, as my friends will confirm, it LOOKS its age).
Back to my home, December 1993. id Software is about to release Doom. The game of the century. Everybody is expecting it. The buzz is incredible. At 1200 baud, it's going to take hours to download. My apartment is small. The bedroom and living room are one. The computer is in the same room I sleep in. The download starts during the day... and my communication software Procomm (anybody still remember these guys?) wakes me up beeping after the Z-MODEM transfer has completed (and to think that I still use Z-MODEM every now and then today – my last use of Z-MODEM was summer 2007 to transfer a copy of Linux onto an iPAQ 3600 PDA). At 2 in the morning, I wake up. Doom is transferred to my computer. Time to re-assemble the archive, decompress it, and install the game. I play for about an hour. Jumping every time a pumpkin or an imp attacks... and after that, so pumped up with adrenalin, I am incapable of finding sleep... but I loved it all the way. My friend Jessie Collet shares the same experience.
Uniplex moves to internet style e-mail and I become ggravier@uniplex.co.uk. Welcome to a modern world. Except that when I need to receive or send an urgent mail, I still have to manually trigger the Telebit Trailblazer modem to dial and uucp all the messages in the queue... Oh well. After the PGP port, I contribute to another piece of open source, hp2xx, by writing the RGIP converter, with my management's approval, and publish it back.
October 1994 I join Sun. It's the start of the commercial internet. Mosaic is the browser of choice. Netscape? Microsoft still has no (public) idea of what Internet is all about. Sun has been shipping systems with TCP/IP for already a decade. One of my colleagues comes and shows me something called LiveOak. A web browser, looking furiously like Mosaic, but with animated things in the web page... supposedly written in a special language called Oak. I send him off telling him that web pages are documents, and as such should be static, not animated. Of course, my first feat of arms as a visionary isn't very successful... in particular as this was soon to be renamed HotJava™ (the browser) and Java™ (the platform and language). I've done better since...
It's now been over 13 years that I've been having a blast here at Sun. I've seen things you people wouldn't believe. Attacking worms off the borders of corporate networks... I watched C compilers go from free to commercial and back to free. I watched the Internet go from a research network to a full blown commercial environment where billions of dollars are exchanged in transactions every day.
So where are we going from now on? Let's see if I can make some predictions... and they'll come back to haunt me in another 20 years or so...
COBOL will still be there for the foreseeable future. (OK, this one was easy, but I had to do it.)
There will be a need for more than 5 supercomputers in the world. (Ditto)
Internet access will be flat fee, unlimited volumes, high bandwidth, regardless of the medium. This means that, yes, you will get flat fee wireless internet access on your phone. It will take some time, but cell phone operators will all have to get there. We've been telling them that at Sun for ages. It's going to happen. No other way possible.
Security will always be an issue. And not just because the guys in Redmond don't know how to architect a secure OS from the bottom up, but because the more interconnected systems, the more value, so the more interest in taking an (illegitimate) chunk of that value. Viruses, worms, hacks will take a more and more commercial nature, people exploiting holes for benefit, rather than for glory. Everybody, the bad guys, but also the good guys will be using malicious techniques to do their thing. Good guys to protect legitimate interests, bad guys to attack you.
Open source, collaborative development will become the dominant mode of software (and, to some extent, hardware) project development. Open source will be used as the main source of mission critical software.
However much I would like to NOT see that happen, advertisement will be more and more present in our every day life, online or offline. Lucky technology savvy people will block it with technology tools. Others will get the full blast. This will have the advantage of making more and more services appear free (the actual, hidden, cost being "ad-time in your brain").
People will be spending more time online than in front of their TV. As such, conventional TV will slowly decrease in audience and advertisement revenue, favoring community media sites where users publish their own content.
DRM will die. Heck, it's almost dead today. It won't be used to control on which player, in which context, how many times you play your media. It will, more likely, be used (through techniques like watermarking) for traceability purposes.
My friend and colleague Alec Muffett predicted the 1TB iPod. I concur. We will be carrying massive amounts of storage and processing power in handheld (or worn) devices that will participate in our daily activities. Playing media, communicating with distant as well as close people and entities. We will use technology to favor interpersonal exchanges. Your phone/PDA/media-player/link-to-the-net will tell you somebody whom you might want to meet, or avoid, is near you.
So now that I've laid these out, I'm sure to be proven wrong on a few... but by how much? And when?
You tell me if you think different!
Posted at 05:26PM Jan 31, 2008 by gravax in General | Comments[4]
Skype 1.4 on Solaris in a Ubuntu BrandZ zone!
At last! I got it working!
Since Solaris Express Developer Edition build 72 (you might have to wait for build 72 to be published), we have experimental support for Linux kernel 2.6 in a BrandZ zone!
Instructions on how to install are here...
What I did was install Ubuntu on a separate machine. Configured the repositories for Skype and Medibuntu. Installed Skype and Google Earth... then did the tar cjf from / as documented in the installation instructions for Linux 2.6 BrandZ zones... and created my zone and installed it from the .tar.gz archive on my Nevada b72 system.
When I did the zoneadm install, I got a bunch of error messages at the end... but despite that, the network, which was configured as DHCP in Ubuntu, picks up the address I hard coded when creating the BrandZ zone (and stored in /etc/zones/ubuntu.xml - my zone configuration file).
Note... I had to enable sshd in the Ubuntu zone for this to work.
And despite that, I can't just ssh into the zone... bash starts up when I do so... but doesn't give me the prompt... But I can ssh -X MyZone /command/to/run and run any X11 command...
So what I now do is run ssh -X MyZone /usr/bin/skype and I get Skype up and running.
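Since ssh -X into the zone only works when the sshd inside it allows X11 forwarding, and that sshd was enabled for this purpose alone, it is worth checking its configuration from the global zone before relying on it. What follows is an added example, not code from the original post, from Solaris or from OpenSSH: a POSIX shell script that reads the effective value of sshd_config keywords the way sshd does (first occurrence wins, comments ignored, both "Keyword value" and "Keyword = value" accepted) and reports the settings that matter here. The sample config it writes is constructed for the example, and the zone root path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post, Solaris or OpenSSH: check that
# the sshd_config inside a zone will let "ssh -X zone command" forward the
# display, and flag settings you would not want on a daemon enabled only to
# reach the zone. Assumption: the zone's root filesystem is visible from the
# global zone, e.g. under <zonepath>/root.

# sshd_effective <config> <keyword>
# Print the effective value of one keyword. sshd keywords are
# case-insensitive, "#" starts a comment, "Keyword value" and
# "Keyword = value" are both accepted, and sshd uses the FIRST occurrence
# of a keyword, so later duplicates are ignored. Match blocks are not
# handled: the first value found anywhere in the file is reported.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# x11_forwarding_enabled <config>
# True when "ssh -X" can forward X11 through this sshd. An absent keyword
# means OpenSSH's compiled-in default, which is "no" (Debian and Ubuntu
# ship a config that sets it to yes).
x11_forwarding_enabled() {
    v=$(sshd_effective "$1" X11Forwarding)
    [ "$(printf '%s' "${v:-no}" | tr 'A-Z' 'a-z')" = "yes" ]
}

# audit_sshd <config>
# Print one finding per line; return 0 when there is nothing to report.
audit_sshd() {
    cfg=$1; rc=0
    if ! x11_forwarding_enabled "$cfg"; then
        echo "X11Forwarding is not enabled: ssh -X will not forward the display"
        rc=1
    fi
    # An explicit "yes" is flagged; the default changed across OpenSSH versions.
    if [ "$(sshd_effective "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in to the zone over ssh"
        rc=1
    fi
    # Protocol 1 was still selectable in 2007-era OpenSSH; refuse it.
    case "$(sshd_effective "$cfg" Protocol)" in
        *1*) echo "Protocol includes 1: SSH protocol 1 is enabled"; rc=1 ;;
    esac
    # X11UseLocalhost no binds the forwarded display to every interface.
    if [ "$(sshd_effective "$cfg" X11UseLocalhost | tr 'A-Z' 'a-z')" = "no" ]; then
        echo "X11UseLocalhost no: the forwarded display listens on every interface"
        rc=1
    fi
    return $rc
}

# write_sample_config <path> <x11-value>
# Constructed sshd_config (not copied from any system) used to exercise the
# checks; the commented line and the duplicate at the end show why the
# parser must honour "first occurrence wins".
write_sample_config() {
    cat > "$1" <<EOF
# constructed sshd_config for the Ubuntu zone
Port 22
Protocol 2
#X11Forwarding no
x11forwarding = $2
X11Forwarding no
PermitRootLogin yes
EOF
}

# Usage on a real zone (assumed path): audit_sshd /zones/ubuntu/root/etc/ssh/sshd_config
```

Run audit_sshd against the zone's sshd_config before the first ssh -X; an empty result means the display will be forwarded and none of the flagged settings are in effect.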
Note that Skype 1.4 uses only ALSA and BrandZ only maps OSS... so no audio yet.
But I can chat nicely
Skype 1.3 uses OSS... And with that one, in the Ubuntu branded zone, I get proper Audio!
We are making progress!
Gilles.
Posted at 12:03PM Sep 13, 2007 by gravax in Opensource | Comments[16]
Fun ways to freak out airport security
Fun way #1: pack one or more harmonicas in your hand luggage.
It seems that they look like gun magazines with their 10 little metal slots (yes, I (try to) play blues harp).
Optional bonus way: add a mini photo tripod in the same bag. Guarantees a bag examination, if you want my opinion.
Oh well... another day, another plane.
Posted at 01:16PM Jun 21, 2007 by gravax in Security | Comments[0]
Making Money Out Of Open Source
So you're considering writing your application and making it available in open source. But you're also hoping to make a profit from it. And, frankly, you're wondering how you're going to make a profit by offering a product where you make all the sources available for free. Rejoice! Quite a few people have been in this same situation before and have come up with some pretty good ideas. We're going to look at a few of them here.
I'm going to assume, here, that you've already sorted out what kind of licensing your software will be published under. If not, look for a soon-to-come entry in my blog about open source licensing and I'll give you some guidelines on how to pick the correct license(s) for your project.
Here are six of the most common business models around open source.
This isn't per se a business model. Rather, it's a way to generate indirect revenue. The point here is to drive, and actively participate in, an open source project, to ensure that it becomes successful. If it does, you hope that the reputation of your company will increase from it, and that it will drive customers to you. It's not easy to live just from that, and you might want to combine this model with some of the previous ones above in order to ensure a viable revenue stream.
There. You have it. Of course, this isn't a definitive list. I'm sure that the open-source community, with its very bright minds, will (probably already has) come up with new, more creative, models for making a living from their collaborative work. So will you.
Now you have an interesting subject of reflection while you create the business plan that you will present to your future investors, one that will show them a proper potential for profits!
Posted at 05:58PM Jun 13, 2007 by gravax in Opensource | Comments[0]