Practical Technology

for practical people.

May 23, 2004
by sjvn01

Solaris on Intel: Here We Go Again

Back when we built computers with stone knives and bear skins—OK, 1993—I reviewed the first version of Solaris for Intel for PC Magazine. I liked it. I also noticed at the time that Solaris on Intel wasn’t the equal of Solaris on SPARC. It never did catch up.

It didn’t because Sun didn’t want it to catch up. And why was that? It was because Sun was making a lot more money from its SPARC hardware than from its software.

And so it was that Solaris on Intel, also known as Solaris x86, was a loss leader to give business customers a taste of what Solaris could do. Then, when they needed to do more, they’d come to Sun to buy a SPARC box. It was an arrangement that was profitable for both Sun and its resellers.

But by the early 2000s, it wasn’t working anymore. Linux was eating up what little market Solaris on Intel had. By 2002, Solaris on Intel’s market had shrunk so low that it was no longer working as a way to get people to move to Solaris SPARC.

Mind you, it wasn’t that it wasn’t popular. Solaris on Intel was, and is, popular. Sun’s Graham Lovell, director of Solaris product marketing, told me in 2002 that more than 1.2 million copies of Solaris under the Free Solaris program have been downloaded, and that “the vast majority—approximately a million—has been Solaris 8 on Intel.”

But Linux downloads were in the tens of millions, and popularity doesn’t pay the bills.

Almost all of the downloaders were playing with Solaris, not deploying it in the enterprise. Dan Kusnetzky, IDC’s vice president of system software research and grandmaster of all statistical things operating system, told me at the time that almost no one was actually using it in business.

So it was that early in 2002, Sun announced that there would be no Solaris 9 for Intel. That should have been the end of the matter. Instead, a vocal group of Solaris on Intel fans, called Save-Solaris.org, refused to let Solaris on Intel die.

Now, I was sure that Solaris on Intel was as dead as a Norwegian Blue Parrot, but Sun brought Solaris 9 on Intel back from the dead.

Lovell told me at the time that Sun, then and now in financial trouble, was looking for additional sources of revenue. And it “found a lot of customers who told us that there was a value to Solaris 9 on Intel platform and they were prepared to pay for it.”

Fast forward to 2004, and Solaris x86 is still popular. I still like it, for that matter. But you’ll have to look long and hard to find it deployed in many businesses.

Despite the fact that it hasn’t gone much of anywhere in the enterprise, Sun has found 15 more systems and embedded-device vendors, albeit small ones, to ship Solaris on Intel.

I don’t get it. I mean, yes, I like it. But then, I also like BeOS, OS/2 and CP/M-80. What can I say? Some people collect baseball cards, I collect operating systems.

As far as I and the operating-system market analysts I know can tell, there simply is no significant business market for this operating system.

The funny thing is that Solaris x86, though, could be a serious enterprise operating-system contender. It has most of the Solaris family virtues. The only thing it’s really lacking is real support from Sun.

For example, where do you think Solaris x86 is in the line of updates of StarOffice, Sun’s own office suite? If you guessed dead last, you’d be right.

It was only in February of this year that StarOffice for Solaris x86 appeared, long after versions for Windows, Linux and Solaris on SPARC had been out for ages.

So, what’s really going on here? I don’t think you have to look far to see what the real story is. Sun, while officially on the Linux bandwagon, is continuing to rail against the leading commercial Linux company—and ironically enough its own best Linux partner—Red Hat Inc.

Once more, Sun is using Solaris on Intel not for its own virtues, but as a pawn for other business purposes. First, it was a way to try to get people off the Intel platform to SPARC. Now, it’s being used to try to stem the tide of people moving away from SPARC to Linux on Intel. It didn’t work that well the first time; I don’t think it will work that well this time.

So, Sun, would you please either really embrace Linux or just dump it from your inventory, start really pushing Solaris on Intel and declare it the one, true, Sun x86 way? This going back and forth hurts you more than it does the cause of commercial Linux.

A version of this story first appeared in eWEEK.

May 14, 2004
by sjvn01

Why Linux Users Hate Red Hat

The company most hated by Linux fans is quite possibly … no, not Microsoft, but Red Hat. I often hear longtime Linux enthusiasts say things like “Red Hat has betrayed Linux” and “Red Hat wants to be the next Microsoft.”

If you look closely, it’s not hard to see why so much ire is tossed on Red Hat. Late last year, Red Hat’s CEO, Matthew Szulik, said that for home users today, Windows is probably “the right product line.” That’s sure to win the hearts and minds of Linux fans right there.

Then, Red Hat decided to kill off its low-end Linux distribution: Red Hat Linux. You would have thought from all the screaming in some Linux circles that Red Hat was proposing dog food be made from kittens. Some Linux fans even said Red Hat is on its way to becoming a proprietary software company.

Red Hat’s corporate enemies and, in one case, a purported partner—Sun—are jumping on this last point. It isn’t true, of course. Red Hat is still an open-source company.

What is true, though, is that Red Hat mishandled the affair. Red Hat 9 had a life span of just over a year with its April 2003 release date and its end of support on April 30, 2004. Business customers, who usually expect to get at least three years of work out of an operating system, were as mad as wet hens to find their support disappearing from underneath them. Indeed, there’s been enough outrage that several integrators including at least one mid-major Linux vendor—Progeny—are making a business of supporting Red Hat 9 customers.

The release of Fedora, Red Hat’s free and cutting-edge Linux distribution, doesn’t appear to have been enough for some of these users.

Of course, what Red Hat really wanted was to have its commercial customers switch to Red Hat Enterprise Linux (RHEL). Some Linux fans were outraged because they felt they were being forced to upgrade.

Rant, rave, rant, rave … there’s a lot of hate out there aimed at Red Hat.

But you know what? There’s nothing new about this. As early as 1999, I was writing stories about people who hated Red Hat for the same general reasons, which boil down to the fact that Red Hat is getting too big for its breeches. Heck, the ill-fated UnitedLinux consortium was in many ways an attempt by other Linux powers to take Red Hat down a peg.

Now, this isn’t to say that Red Hat hasn’t made mistakes. Both the timing and delivery of its message concerning the end of life for Red Hat 9 were awful. It placed many of its customers in the awkward position of having to upgrade before they were ready. It left others, including yours truly, completely bamboozled as to whether Red Hat would even continue to have a desktop distribution. As it happens, Red Hat is offering a Linux desktop, but there never should have been any doubt.

Nevertheless, the move itself was one that Red Hat had to make. For better or worse, Red Hat has decided that it wants its Linux distribution to be a high-end, profitable business distribution. Given that, the Raleigh, N.C., company had no choice but to leave Red Hat 9 behind so that it would no longer have two competing lines.

You know what? It’s been a successful move. Red Hat’s last quarter was its best ever. Why? In large part, it was because RHEL sales increased by 87,000 during the quarter while RHEL renewal rates remained at about 90 percent. Red Hat is a profitable Linux company, and it’s getting more profitable.

Perhaps that’s the real reason why Sun has been so grumpy with Red Hat. Sun is much bigger, but it’s been declining, in large part due to competition from Linux in the server market, while Red Hat has been growing.

And maybe too that’s the real problem some Linux fans have with Red Hat. The company has always been about open source and profits. To these fans, the idea that Linux is becoming mainstream, that their darling, iconoclastic operating system is no longer just for rebels, is abhorrent. For these vocal, malcontent users, Red Hat is the poster child of Linux’s commercial success.

These users will likely always hate Red Hat, but you know what? Get over it. For those of us who want a solid Linux that will be successful in the enterprise, Red Hat—blunders and all—is doing just fine.

A version of this story was published in eWEEK.

April 28, 2004
by sjvn01

Internet Explorer Is Too Dangerous to Keep Using

OK, I confess it: I’ve used Internet Explorer a lot. After being a die-hard Netscape user, I finally got fed up with the sheer bulk of that browser and started using Internet Explorer on my Windows machines.

As time went on and open-source Mozilla matured, I started using Mozilla as my main Linux Web browser and as my secondary Windows browser. This past Friday, though, I started installing Firefox, the browser-only side of Mozilla, on every one of my production Windows machines.

Why? Because Internet Explorer, like Outlook, has finally become, to my mind, a permanent security hole that masquerades as a useful application.

Strong words? Have you really thought about this latest exploit? It could hit every Internet Explorer (IE) browser that merely visited any page served by an infected Microsoft IIS (Internet Information Server).

No anti-virus program would stop it, no firewall would slow it down and no shipping IE security patch would even notice it. Visit the page, get the infection. It was that simple.

Oh, but the few thousand people running Release Candidate 2 of Windows XP Service Pack 2 were not vulnerable to the client-side attack. And if you were one of the very few people who had all of the current critical patches installed and were running IE with its security settings at “high,” you’d be OK. That leaves, oh, say, 95 percent of all IE users wide open to this attack. I feel so much better now.

And just how bad was this attack? Boys and girls, let me tell you, this was the worst security violation I have ever seen. But don’t take my word for it.

Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote, “A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code.

“The attacker uploaded a small file with JavaScript to infected Web sites and altered the Web server configuration to append the script to all files served by the Web server (IIS). The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.”

What sites were spreading the infections? We still don’t know. Neither the security companies nor the businesses running the infected sites are talking. Since they’re not being any help, I can only suggest that you update your anti-viral software and run it—now.

The only other thing I can say is that sites running IIS 5, which hadn’t been patched up to April’s MS04-011, were the ones targeted by this exploit. But, I’m sorry to say, it’s still not clear that even sites that had been patched with MS04-011 were safe. There are reports that even patched IIS servers were infected.

What happened next was that after simply visiting what looked like a perfectly ordinary page, the JavaScript hidden with the page would direct your browser to quietly download and install one of several different programs from a Russian Web site. “These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system,” Ullrich said.
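A defender-side check for the server behaviour Ullrich describes, as an added example that is not from the original column: it compares each file on disk with the body the web server actually returns and reports content the server appended. The paths, sample bodies and function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches an opening <script> tag in raw bytes, case-insensitively.
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)


def appended_trailer(on_disk: bytes, served: bytes):
    """Return the bytes the server added after the file's own content,
    or None when the served body is not simply the file plus a suffix."""
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return None


def audit(pages):
    """pages maps a URL path to (bytes on disk, bytes served).

    Returns (findings, shared_trailer). shared_trailer is the suffix found
    on two or more files, which points at a server-wide setting rather
    than at an edit to one file."""
    findings = {}
    trailers = Counter()
    for path, (on_disk, served) in pages.items():
        trailer = appended_trailer(on_disk, served)
        if trailer is None:
            # Dynamic or rewritten content: needs a different comparison.
            findings[path] = "differs"
        elif not trailer.strip():
            findings[path] = "clean"
        else:
            has_script = SCRIPT_TAG.search(trailer) is not None
            findings[path] = "script-appended" if has_script else "content-appended"
            trailers[trailer.strip()] += 1
    shared = None
    if trailers:
        trailer, count = trailers.most_common(1)[0]
        if count >= 2:
            shared = trailer
    return findings, shared


# Constructed sample data: a harmless placeholder stands in for the script.
TRAILER = b"\n<SCRIPT>/* constructed placeholder */</SCRIPT>"
HOME = b"<html><body>Home</body></html>"
LOGO = b"GIF89a-constructed-bytes"
SAMPLE_PAGES = {
    "/index.html": (HOME, HOME + TRAILER),
    "/logo.gif": (LOGO, LOGO + TRAILER),  # appended even to non-HTML files
    "/about.html": (b"<html>About</html>", b"<html>About</html>\n"),
    "/news.asp": (b"<html>News {{date}}</html>", b"<html>News today</html>"),
}

if __name__ == "__main__":
    results, shared_trailer = audit(SAMPLE_PAGES)
    for url_path, verdict in sorted(results.items()):
        print(f"{verdict:16} {url_path}")
    if shared_trailer:
        print("same trailer on multiple files:", shared_trailer.decode())
```

The same trailer turning up on unrelated files, including non-HTML ones, is the signal that the web server configuration was changed and the files themselves were not.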

Many of the people talking about the exploit have discussed how your computers might be used by these back-door programs to launch a DDoS (distributed denial of service) attack. Yeah, that’s bad news, but that’s not the real problem.

In the few days that the sites provided the Trojan horses, hundreds of thousands or millions of users could have had their credit-card, stock-brokerage and bank-account numbers and passwords stolen.

Let me repeat myself: Millions of you may have every bit of your browser-driven online financial security information stolen.

Maybe this was just another massive Internet security prank. Maybe all that will happen is a DDoS attack. Well, you can hope that’s all there is to it and continue to use IE. But as for me, I’m done with it.

Yes, by Friday, most of the major anti-viral programs could stop this particular attack. But what about the next one?

According to the U.S. CERT (Computer Emergency Response Team), “Microsoft Internet Explorer does not adequately validate the security context of a frame that has been redirected by a Web server. An attacker could exploit this vulnerability to evaluate script in different security domains. By causing script to be evaluated in the Local Machine Zone, the attacker could execute arbitrary code with the privileges of the user running IE.”

There is, at this time, no shipping patch to stop this. Wonderful.

If you must run IE, and unfortunately, I do for at least one remote application I use every day, you can disable all active scripting and ActiveX on all IE zones. Between CERT’s frequently asked questions about malicious Web scripts redirected by Web sites and Microsoft’s Knowledge Base article on how to strengthen the security settings for the Local Machine zone in Internet Explorer, you should be safe from most variations of this kind of attack.

Frankly, though, I think CERT’s other suggestion is an even better one: Use a different Web browser.

Open-source browsers, such as Mozilla Firefox, are simply more secure than IE. Yes, I know all of the tired, old arguments about how if open-source programs were as popular as Microsoft’s products, they’d be just as vulnerable. You know what? I don’t have time today to deal with the fundamentally inane idea that security by obscurity is somehow the best way to secure software.

The bottom line is that for all practical purposes for today, open-source browsers are inherently more secure than Internet Explorer, and I still have half a dozen more workstations to switch over to Firefox. Go ahead, stick with Internet Explorer for everyday use. It’s your funeral.

A version of this story was first published in eWEEK.

April 6, 2004
by sjvn01

Progeny to Offer Red Hat 9 Support

With little fanfare, Red Hat Linux 9 is nearing its end of life. Red Hat Inc. is encouraging its business customers to move to Red Hat Enterprise Linux and is asking its Linux-enthusiast customers to try the Fedora Project. But Progeny Linux Systems Inc. has another suggestion for these customers: Continue using Red Hat 9 with support from Progeny Transition Service (PTS).

On April 30, Raleigh, N.C.-based Red Hat will stop producing new security, bugfix or enhancement updates for this well-known Linux distribution. On May 1, Progeny is set to launch its follow-on program, to be announced Wednesday. The program is an add-on to Indianapolis, Ind.-based Progeny’s existing PTS support lines for Red Hat Linux 7.2, 7.3 and 8.0. Support for all of these lines will continue through the end of 2005.

Progeny, an independent provider of Linux-platform technology founded by Debian Linux creator Ian Murdock, is known primarily for customizing Linux distributions for businesses. The company’s Red Hat support aims to assist users who still rely on legacy versions of Red Hat Linux and aren’t ready to migrate to another Linux platform.

“Ongoing customer demand for a fully supported, reliable security update service has prompted us to extend PTS through December 2005,” Greg Duwe, Progeny’s director of sales, said in a statement. “Our subscribers prefer to tap into our experience to help them maintain their legacy systems, rather than having to do their own monitoring, packaging and patch testing.”

“Using the Progeny service has saved our organization time, money and needless risk by allowing us to migrate from Red Hat 7.2 on our terms, when it fits our business needs, not Red Hat’s,” said Rudy Pawul, lead system administrator of ISO New England Inc., a nonprofit corporation responsible for the day-to-day operation of New England’s power supply.

PTS costs $5 a month per machine or a flat rate of $2,500 per month for unlimited machines. Customers gain access to a software repository containing security updates for Red Hat Linux 7.2, 7.3, 8.0 and 9 and are notified of security vulnerabilities and available patches.

Dan Kusnetzky, IDC’s vice president for system software research, said he thinks Red Hat’s strategy of moving to a pure enterprise play “is somewhat risky but very understandable, since they realized that they needed a steady, growing stream of revenue to provide the stability and support that enterprise customers want.”

So far, Red Hat’s move seems to have worked. Red Hat reported good results in its last quarter on higher-than-expected sales of its Red Hat Enterprise Linux line.

On the other hand, Kusnetzky said, “This leaves the door open for another company to pick up customers. That’s the risky side of Red Hat’s model. [But] this is part of open source: No program is left behind.”

Kusnetzky also said he thinks Novell and SuSE are looking forward to picking up customers of Red Hat 9 and earlier. But a Novell representative said Novell and SuSE are “not making a special effort to win Red Hat 9 customers. We have offerings, of course, but we’re not doing anything particular to get anyone to move.”

Red Hat customers who want to stay in the Red Hat family can go to the Red Hat Linux Migration Resource Center. Customers who want to try Progeny support can visit the Progeny Transition Service site.

Progeny to Offer Red Hat 9 Support was first published in eWEEK.

April 1, 2004
by sjvn01

Why SCO Thinks It Can Win

LINDON, Utah—In many pro-Linux circles, it’s a given that The SCO Group Inc. can’t possibly win in court. Obviously, SCO disagrees.

In an exclusive interview, eWEEK.com Linux and Open Source editor Steven J. Vaughan-Nichols visited SCO CEO Darl McBride and Chris Sontag, senior vice president of the SCOsource division, at the company’s headquarters in Lindon, Utah. There, they explained why they think SCO can win the legal battle.


March 12, 2004
by sjvn01

Microsoft and SCO: FUD Brothers

So, we discovered on Thursday that Microsoft talked to BayStar Capital on SCO’s behalf months before the investment house brokered a deal that led to SCO getting a cool $50 million round of funding. Well, well, well.

And recently, when SCO finally announced a real, live customer for its Linux IP license, it turned out that the company, EV1Servers.Net, is promoting Windows Server 2003 over Linux for its customers and is featured in a case study showing how Windows is better than Linux at Microsoft’s Get the Facts Web site.

OK, before these revelations I was willing to give Microsoft the benefit of the doubt. But I was wrong. Microsoft is behind SCO.

While Microsoft has been cheering SCO on and helping the Lindon, Utah, firm with purchases of excess Unix licenses, in the past I didn’t believe that Microsoft was actually bankrolling the operation. And I still don’t think that Microsoft is technically putting money directly into SCO’s accounts. I do think, however, that the boys from Redmond look to be making sure that SCO has the money it needs to continue its reckless course of business by litigation.

And I still don’t think, as some would have it, that when Bill Gates wiggles his fingers, SCO’s Darl McBride launches another Linux FUD attack. At the same time, if it wasn’t for Microsoft’s backing, SCO would most likely be trying to settle with IBM, and AutoZone and DaimlerChrysler would never have seen a SCO attorney at their doors.

If you look at SCO’s financials, it’s clear that SCO needed that $50 million largely to stay afloat. It’s also crystal clear that Linux IP licensing isn’t bringing in the dough. In the last quarter, SCOsource, SCO’s IP division, made a whopping $20,000. I had a better quarter than that!

I doubt that the SCOsource program will be doing better anytime soon. SCO’s Blake Stowell told me that the EV1Servers.Net deal was in the seven-figure range. EV1Servers.Net’s CEO Robert Marsh responded, “We did agree to a one-time payment. However, we did not agree to pay a seven-figure cash payment.”

So, who’s right? I suspect they both are. Let me suggest a possible scenario. Suppose Microsoft heavily discounted EV1Servers.Net’s Server 2003 licenses in return for EV1Servers.Net agreeing to pay SCO for its IP license. The net result of such a package deal could be that SCO gets over a million for its licenses, while EV1Servers.Net doesn’t exactly shell out a seven-figure cash payment.

I don’t have a bit of proof for this notion, but it would explain the facts, and it would certainly be a win-win for all three parties, wouldn’t it? Microsoft would get an anti-Linux, pro-Server 2003 story while funneling revenue to its anti-Linux stalking-horse SCO. SCO would get more cash, and it could finally say that it has a real Linux IP customer. And EV1Servers.Net, when all is said and done, would pay a minimal price for its Server 2003 licenses.

Unfortunately for SCO, even if that theoretical scenario were to be true, I couldn’t see Microsoft being able to afford to pull off such a trick many more times. As for SCO finding Linux IP customers on its own, well, the biggest company that has one, Computer Associates, has denounced it. With a customer like this, who needs an enemy?

In the bigger picture, SCO isn’t doing well. Regardless of whether you think SCO can win in the courts—and, personally, I think I’ll see pigs fly first—McBride’s mission was to bring SCO’s stock price up. For a while, SCO’s anti-Linux FUD and lawsuit saber-rattling worked. But, since the news of Microsoft’s involvement and SCO’s newest lawsuits, SCO’s stock has fallen to less than $10/share from its $20 range in the fall.

In response, SCO announced that it would buy back up to 1.5 million common shares of its own stock over the next 24 months since, at its current price, the stock represents an “attractive investment opportunity.” I don’t think so! From where I sit, SCO is simply trying to prop up its stock price.

Thanks to Microsoft’s funding, both indirect and direct (in the case of the Unix license purchase), SCO probably has the cash to keep its head above water and its stock price in the $10 range. And, thanks to Microsoft’s funding, we will continue to see SCO spreading Linux FUD. The Evil Empire lives.

This story was first published in eWEEK.