Microsoft Outsources Blogging

September 30, 2010

At the TechCrunch Disrupt conference in San Francisco this week, Microsoft made what, for it, is an unusual sort of announcement.  Dharmesh Mehta, Director of Product Management for Windows Live, announced that Microsoft was abandoning its Windows Live Spaces blogging service, and would migrate the existing user base to WordPress.  (That is, of course, the platform for this blog.)  Toni Schneider, CEO of Automattic, the company behind WordPress, was also present for the announcement.  Microsoft’s initial statement was that Live Spaces had 30 million users, but it appears that many of these accounts may have been dormant for a long while, and that the number of active users may be considerably less.

I did an informal survey of blogging platforms before I launched Random Walks, and WordPress was considerably superior to Microsoft’s offering in terms of flexibility and features offered.  So, in one sense, this is a perfectly rational decision on Microsoft’s part, especially since Live Spaces never really took off.

But in another sense, it is a decision one would not expect from Microsoft.  There has always been a strong bias in Redmond against outside technology, and sometimes against common standards — the Not Invented Here syndrome is alive and well there.   One might think, for example, that the world probably has enough different programming languages, but that has not stopped Microsoft from developing their own.  Witness also Microsoft’s machinations to get its OOXML document format approved as a standard, rather than cooperating with the proposed, and now ISO standard, Open Document Format [ODF].  So for Microsoft to accept using someone else’s technology for one of its services is, well, unusual.  Another interesting aspect of the switch is that WordPress software is an open-source project, written in PHP, and running on the open-source Apache Web server — something of a climb-down for Microsoft, which has in the past likened open-source to communism and a cancer.

In the blog post announcing the change, the company freely acknowledged that the focus should be on providing the best possible consumer experience, and when this means using best-of-breed third-party services, that should be the approach.

Obviously, it will be something of a nuisance for Live Spaces users to get acquainted with a new platform, but I think the change will be a good one in the longer term.  And if Microsoft has decided that it can, at least in some circumstances, play nice with technology that was not invented in Redmond, that is probably good news for a wider audience.

Microsoft has posted a fuller announcement on the Windows Team Blog.

OpenOffice Splits from Oracle

September 29, 2010

The OpenOffice productivity suite has been a key piece in the open-source software puzzle for a number of years.  It offers the ability to read and write files in Microsoft Office formats, as well as in its native Open Document Format [ODF], and can additionally read a number of “legacy” formats, including those from Lotus 1-2-3, WordPerfect, and Quattro Pro.  Although it is not point-for-point identical in features to Microsoft Office, it offers almost all of the same capabilities in a package that runs on Windows, Mac OS X, Solaris, and Linux.  The OpenOffice code base is also used in IBM’s Lotus Symphony product (available for Windows, Mac OS X, and Linux).

OpenOffice originated as StarOffice, a product of Star Division, a German software developer; the firm and product were acquired by Sun Microsystems in 1999.   Sun launched the OpenOffice project as open source, although it still sold a commercial version in parallel.  While never amounting to a blockbuster, OpenOffice has gained a solid foothold, especially with Linux users (like me) and those who value its cross-platform availability.

As readers probably remember, Sun Microsystems was recently acquired by Oracle.  Although there had been some grousing about Sun’s management of the OpenOffice project, and about its requirement that developers assign their copyrights to the company, concerns grew with the acquisition, since Oracle’s commitment to open source is not really clear.  Now, as reported in an article at Ars Technica, a group of OpenOffice contributors  has formed a non-profit organization, the Document Foundation, to go forward with a community-driven fork, or development branch, of the project.

The Document Foundation serves the long-standing need for a more inclusive culture around the project. The group is creating a fork of OOo called LibreOffice that will be distributed independently of OOo. The foundation’s steering committee is diverse and includes some key members of the OOo project. Corporate supporters include Novell, Red Hat, Canonical, and Google.

The new version, which is available as a beta version, is being provisionally called LibreOffice, since the OpenOffice name is owned by Oracle, although the Document Foundation expresses the hope that Oracle might join the project, or at least donate the name.

The Document Foundation intends to license the software under either the Mozilla Public License or the Lesser General Public License.  It will not require contributors to assign their copyrights.  Development plans for the new version are still in the formative stage, although there is some general agreement that a code clean-up is in order.

Potentially, this could be a very positive step for the future of the project.  The example of Mozilla is instructive.  Since it became an independent organization, outside the tar-pit of AOL/Netscape, the Firefox browser has emerged as a clear success story.

ASP.NET Patch Released

September 28, 2010

As expected, Microsoft has released an out-of-band security patch for the ASP.NET vulnerability.   Details of the patch, and download links, are given in the Security Bulletin MS10-070.    (This information is also in the updated Security Bulletin Summary for September 2010, but that page is slightly harder to work with, since it also contains information about all the vulnerabilities patched earlier this month.)  Microsoft rates this update as Important; it affects all versions of the .NET framework, on all supported versions of Windows, except Microsoft .NET Framework 1.0 Service Pack 3.

According to a report in the ThreatPost blog from Kaspersky Labs, the researchers who developed the original attack say that the workaround provided earlier by Microsoft does not give complete protection against the attack.  Especially for server machines, I recommend that you apply this update as soon as you can.

Update Tuesday, 28 September, 17:35 EDT

Upon re-reading this post, I realized I had not been sufficiently clear about one point: to get this patch, you must download it from Microsoft’s Download Center (or use the links in the MS10-070 Bulletin).  It has not yet been made available via Windows Update or other automatic update mechanisms, although Microsoft has said it will be available “within the next few days”.

Update Wednesday, 29 September, 10:55 EDT

Microsoft VP Scott Guthrie, a/k/a ScottGu, who manages ASP.NET development, has a blog post that provides some additional information on this patch, some of which may be of particular interest if you have a large installation.

Microsoft to Patch ASP.NET Flaw Tomorrow

September 27, 2010

In a post on the official Security Response Center Blog, Microsoft has announced that it intends to release an out-of-band patch for the ASP.NET security vulnerability that has been getting a lot of attention recently.  The vulnerability affects all versions of the .NET framework on Windows servers; client machines are also technically affected, but are not at practical risk unless they are serving ASP.NET Web applications.  Microsoft says that the unscheduled update is justified by the level of attack attempts they are seeing:

Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers as we have seen limited attacks and continued attempts to bypass current defenses and workarounds.

The announcement says that the initial release of this patch will be via the Download Center, at approximately 10:00 AM PDT tomorrow.  (The link for this specific update will be in the Security Bulletin that Microsoft will release at the same time; I will post a link to it here as soon as I get it.)  The patch will be released through Windows Update and Windows Server Update Services [WSUS] “within the next few days”.

Microsoft has also updated their suggested workaround for this problem, for those who cannot install the patch right away.  The details are explained in a post on Scott Guthrie’s blog, and in the updated version of the original Security Advisory [2416728].

Update Tuesday, 28 September, 11:15 EDT

Microsoft has now released a Security Bulletin Advanced Notification for this patch; this will be replaced with the actual Security Bulletin (with links to the updates) when the patch is released later today.

Analyzing Malicious PDF Files

September 27, 2010

Using PDF files as an attack vector has become increasingly popular with malware developers in the last few years.  This is a slightly ironic but predictable result of urging users to be very careful of executable (e.g., .EXE) attachments.  PDF files are attractive to the Bad Guys because the vast majority of users have Adobe’s Reader, or some other PDF viewer, installed, and because, unlike overtly executable files, PDF files are not generally blocked by filtering systems.

Didier Stevens, a Belgian security researcher, has published a paper on the analysis of malicious PDF files.  (The downloadable file from the previous link is a ZIP’ed copy of the original PDF document.)  Mr. Stevens wrote this as a chapter for a proposed book project, since abandoned by the promoter.  It is a bit dated if you are looking for information on the very latest malware techniques, but it’s full of useful information for anyone who has to deal with PDFs.
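As an added illustration of the kind of static triage such analysis starts with (this is example code written for this page, not code from Mr. Stevens’ paper or his tools), the script below counts the PDF name objects that most often mark a hostile document and decodes the #xx escapes that the PDF syntax allows inside names, a trick commonly used to hide those keywords from naive string searches.  The sample documents are constructed inline, and the keyword list is an assumption: indicative, not exhaustive.

```python
import re

# Name objects whose presence is a common triage signal in malicious PDFs.
# Assumed list for this example; it is indicative, not exhaustive.
SUSPICIOUS_NAMES = (
    b"/JavaScript",    # script carried in the document
    b"/JS",            # abbreviated form of /JavaScript
    b"/OpenAction",    # action executed when the file is opened
    b"/AA",            # "additional actions" triggered by events
    b"/Launch",        # launches an external program
    b"/EmbeddedFile",  # attached payload
    b"/ObjStm",        # object streams, often used to hide other objects
    b"/RichMedia",     # Flash content
)

# #xx escape inside a name object, e.g. /J#61vaScript
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# a whole name that contains at least one such escape
_ESCAPED_NAME = re.compile(
    rb"/(?:[^\s()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})*#[0-9A-Fa-f]{2}")


def normalize_names(data: bytes) -> bytes:
    """Decode the #xx escapes PDF permits inside names, so that
    /J#61vaScript is seen as /JavaScript.  Real tools must also look inside
    compressed object streams; this example only scans the raw bytes."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count suspicious names and basic structural tokens in raw PDF bytes."""
    norm = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at a delimiter, so /JS must not be counted inside /JSX.
        pattern = re.escape(name) + rb"(?![0-9A-Za-z_])"
        counts[name.decode()] = len(re.findall(pattern, norm))
    counts["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", norm))
    counts["endobj"] = norm.count(b"endobj")
    counts["stream"] = len(re.findall(rb"\bstream\b", norm))
    counts["endstream"] = norm.count(b"endstream")
    return counts


def triage(data: bytes) -> dict:
    """Summarise what a first look at the file turns up."""
    counts = count_keywords(data)
    return {
        "suspicious": [n.decode() for n in SUSPICIOUS_NAMES if counts[n.decode()]],
        # There is no innocent reason to write /J#61vaScript instead of
        # /JavaScript, so an escaped name is itself a warning sign.
        "escaped_names": _ESCAPED_NAME.search(data) is not None,
        # Unbalanced obj/stream tokens suggest truncation or tampering.
        "structure_ok": (counts["obj"] == counts["endobj"]
                         and counts["stream"] == counts["endstream"]),
        "counts": counts,
    }


# Constructed sample: a document whose open action runs JavaScript,
# with the /JavaScript name hidden behind a #xx escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert('hello')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a harmless one-page document with a content stream.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>
endobj
4 0 obj
<< /Length 44 >>
stream
BT /F1 24 Tf 72 720 Td (Hello, world) Tj ET
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, triage(doc))
```

Keyword counting of this sort is only a first filter: a document that scores clean here may still carry its payload inside a compressed object stream or an encrypted file, and one that scores high may be a legitimate form that uses JavaScript.  The point of the example is the normalisation step, without which the escaped name in the sample would be missed entirely.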

Open Source by the Rules

September 26, 2010

I’ve written here a number of times about open-source software, and it will come as no surprise to any regular reader that I am, on the whole, a fan of the idea.  I have been using the open-source Linux OS on my personal PCs for more than seven years, as well as open-source applications like Firefox and OpenOffice; I’ve made a few modest contributions to open-source projects.  So I was interested to see an article in the New York Times about some of the efforts that are put into enforcing the licenses under which open-source software is distributed.

For anyone who is not familiar with open-source, I should probably start by explaining that open-source software is not in the public domain; like proprietary software, it is copyrighted and distributed under a license agreement.  Indeed, the entire open-source concept relies on copyright law to make its license agreements enforceable.  Probably the most well-known open-source license is the General Public License [GPL] developed by the Free Software Foundation, and used in many open-source projects, including Linux.  The license terms basically provide that you are free to use and modify the software, for which the source code is provided, in whatever way suits your purpose.  You may also re-distribute the software, with modifications, provided that the re-distribution is done on the same (GPL) terms.  This means that, if you re-distribute modified software, you must provide the source code, and must grant the recipients the same rights that you have.  You may distribute your modified version free of charge, or you may charge a fee; but you are not allowed to vary the license terms.  (This is the origin of the description of open-source software as “free as in speech, not free as in beer”.)

Many manufacturers of commercial products have made the choice to incorporate open-source software in those products.  Linux software is used, for example, in TiVo video boxes, in Linksys routers, and is the basis for Google’s Android operating system for mobile devices, as well as its forthcoming Chrome OS.

As related in the article, one problem that crops up sometimes is that the vendors do not necessarily comply with the terms of the GPL or other open-source license.

… some companies, even some technology-savvy ones, may be violating the rather easy-to-follow requirements associated with free software licenses. Typically, these include making tweaked versions of a free software product available to the public, or simply giving credit to the original developers.

Some of the companies in this position claim that they have violated the license terms out of ignorance.  Although this may be true to some extent, it is difficult to imagine that they would start to incorporate software from a proprietary vendor, such as Microsoft or Oracle, without doing their homework.

Although a few large companies have been sued by the Software Freedom Law Center for license violations, most are contacted initially by volunteers, like Mr. Armijn Hemel, profiled in the article, who attempt to get the vendors to voluntarily bring their products into compliance.

These days, Mr. Hemel tries to find a contact in the legal department at the companies to discuss the issues. If no response or action follows, a cease-and-desist letter arrives. When the problem lingers, a lawsuit follows.

There are also efforts underway to make it easier for companies to comply with the license requirements.

The nonprofit Linux Foundation has started a program meant to teach companies how to comply with open-source licenses. Cisco, Google, Intel, I.B.M., Sony and a host of other companies have backed the effort.

Personally, I’m pleased to see these efforts, and hope that they can help us all avoid the kind of acrimony common in claims of “software piracy”.

Incidentally, if you are interested in the legal details of open-source software, the Groklaw site is an excellent resource.  It was set up initially to follow the case of SCO v. IBM (which itself has interesting open-source aspects), but has branched out to cover much more.

For Sale, Cheap

September 25, 2010

Brian Krebs has an interesting post at his Krebs on Security blog about the thriving market in stolen credit cards.  There are many sites on the Internet that offer a considerable selection of stolen card numbers, and competition between them has resulted in knock-down prices.

When you’re shopping for stolen credit and debit cards online, there are so many choices these days. A glut of stolen data — combined with innovation and cutthroat competition among vendors — is conspiring to keep prices for stolen account numbers exceptionally low. Even so, many readers probably have no idea that their credit card information is worth only about $1.50 on the black market.

Mr. Krebs reports that US residents’ card numbers go for about $1.50; numbers for UK residents run about $4.00.  (I’m not sure, offhand, why UK cards should command a premium.)  It is also possible, for an additional fee, to get personal details of the card holder (date of birth, for example).  The sites even offer search tools so that, if you want a card from a particular region or city, you can easily find one.  Taking a leaf from the credit card issuers’ book, the sites do, of course, charge a small fee for this added service.

This is another manifestation of the maturation of malware into a thriving criminal industry.
