Microsoft washes its hands of UEFI/Linux mess

Shifts responsibility to hardware vendors
Linux Australia is fit to be tied over recent reports that Microsoft is requiring Windows 8 certified machines to support UEFI secure booting, a situation that could most likely hamper or block Linux booting on such machines.

Indeed, Linux Australia is so ticked off, they plan to file a formal anti-competitive complaint against Microsoft with the Australian Competition and Consumer Commission (ACCC).

Unfortunately, all I can say is, good luck with that.

I am unfamiliar with the burden of proof the ACCC holds for such complaints, but I'm pretty sure Microsoft will be able to get itself off the hook for this one. Why? Because nothing in the language they have used to describe the UEFI secure boot process or the need for this process mentions other operating systems in any way. The case Microsoft has carefully and consistently made is that secure booting is good for Windows because it shuts down one more avenue of malware.
There's been some confusion about why the UEFI proposal is such a bad thing, so let's walk through it again, if I may beg your indulgence:

Red Hat developer Matthew Garrett blogged on Sept. 20 that according to the new Windows 8 logo rules, all Windows 8 machines will need to be have the Unified Extensible Firmware Interface (UEFI) instead of the venerable BIOS firmware layer. BIOS has been pretty much the sole firmware interface for PCs for a long time. Under Windows 8, BIOS will be gone, replaced by the UEFI layer.

And not just any old UEFI layer, either, but secure UEFI. Meaning a hardened boot process. This hardened boot means that "all firmware and software in the boot process must be signed by a trusted Certificate Authority (CA)," according to slides from a recent presentation on the UEFI boot process made by Arie van der Hoeven, Microsoft Principal Lead Program Manager.

It's the secure booting that puts Linux on the spot, because it means in order to be bootable on one of these Windows 8-certified machines, the Linux distribution will need to have certified keys from the manufacturer. Now, from a technical point of view, Garrett posted in a follow-up blog Friday afternoon, implementing such keys would be a week's worth of work.

Practically and legally, it's a whole different ball game.

First, there's the legalities. According to Garrett, GRUB 2 is licensed under the GPLv3, which means the signing keys may have to be provided along with the source code. It's fuzzy: the GPLv3 requires signing keys be released when hardware is sold with GPLv3 software that's encrypted. But if the signed software is used on someone else's hardware, then the keys are not required. It's not even clear with the GPLv2, the license for the original GRUB bootloader. In order to clear the ambiguity altogether, Garrett recommends a non-GPL bootloader.

But that scenario, as unsavory as it sounds, could be worse. Bootloading is one of the services that is being pulled into the Linux kernel, which is most definitely GPLv2, and isn't going to change.

And then there's the practical issue Garrett mentions: who's to say the OEMs are going to provide keys for Linux to hook into? Sure, they have to provide keys for Windows 8 if they want to be able to sell Windows 8 on their hardware, but there's no rule that says they have to provide keys for anyone else.

Which is why I don't think Linux Australia's complaint has a hope of succeeding. Microsoft will argue--in fact, has argued in a rebuttal on this matter on Sept. 22--that this is a security matter for Microsoft Windows deployments, and they are in no way influencing what the hardware vendors are doing with their keys. Microsoft is not preventing other operating systems' keys from being handed out, and it's not their problem if the OEMs aren't accommodating to other operating systems.

The funny thing is, they're right. In one fell swoop, Microsoft has shifted the blame from their requirements to the actions (or inactions) of the OEMs. And why should the hardware vendors feel any pressure to provide keys, as Garrett summarizes?

"Microsoft can require that hardware vendors include their keys. Their competition can't. A system that ships with Microsoft's signing keys and no others will be unable to perform secure boot of any operating system other than Microsoft's. No other vendor has the same position of power over the hardware vendors. Red Hat is unable to ensure that every OEM carries their signing key. Nor is Canonical. Nor is Nvidia, or AMD or any other PC component manufacturer. Microsoft's influence here is greater than even Intel's."

When this issue first came to light, it seemed to be a worry for desktop Linux alone. But as time went on, I began to wonder how many blade and rack servers come with that Windows Server certified logo. If Microsoft gets around to requiring UEFI secure booting for server hardware in a future version of Windows Server, then vendors like Red Hat and SUSE, who really don't play much in the desktop space, would take a serious hit if OEMs opted not to bother giving them keys. So would all the other Linux server distros.

For what it's worth, I don't see it coming to that. In server-space at least, vendors like IBM, HP, and Dell have too much invested in Linux, cloud, and virtual systems to prevent Linux installs. But in a world where barely any OEMs will even ship with Linux now, what incentive will hardware vendors have to provide keys for Linux distros?

For now, Microsoft isn't even bothering to argue these points, and from where I stand, they won't. If they are smart, they won't even mention complaints about other operating systems, and keep hammering home the point about security and malware. And, like a politician on a stump speech, that message will be drilled so many times it will even start to sound like the truth.

Source: ITWorld.com

Read More

Yahoo blocks emails about Wall Street protest

Ready for conspiracy theories? Folks emailing information about the Wall Street protests on Monday using Yahoo discovered their emails failed, and received a message from Yahoo claiming "suspicious activity." Does that sound suspicious?

ThinkProgress.org has perhaps the best coverage, including a YouTube video of users trying to send emails that mention the "OccupyWallSt.org" web site. That seemed to be the magic phrase to get your email blocked.
Yahoo spokespeople claim it was a glitch, a mistake, unintentional, and they don't know how their spam filters became so sensitive. Via Twitter, Yahoo announced the blockage was now fixed, but "there may be residual delays." There will certainly be some residual questions. But remember, censorship requires a government entity squelching speech, not an email provider.

Source: ITWorld.com

Read More

Cisco compacts Catalyst switches

New C-series line targeted at wiring-constrained environments
Cisco this week is rolling out two lines of Catalyst Ethernet switches in compact form factors intended for deployment in workgroups closer to users vs. wiring closets.

The Catalyst 3560-C and 2960-C Compact Series (C-Series) switches are designed to extend connectivity to IT deployments outside of the wiring closet -- customer check-outs, kiosks, warehouses, conference rooms, classrooms, hotel rooms, cruise ship cabins, gaming floors and other space- and wiring-constrained networking environments.Cisco says this market is about $1 billion and is being underserved by low-end, commodity switches. The C-series are “enterprise-class,” and carry all the features of the higher-end Catalyst 3560 and 2960 switches, but in a compact form factor, says Rob Soderbery, senior vice president and general manager, Ethernet Switching Technology Group at Cisco.
So the C-series will compete with both low-end commodity switches and enterprise-class compact switches from Cisco’s traditional competitors in the enterprise and SMB switch market – HP, Adtran, Netgear, D-Link, etc.

Click to see: Photo of Cisco C-series family
The switches are comprised of five models. They sport eight to 12 Fast Ethernet and Gigabit Ethernet ports, and two Gigabit Ethernet uplinks. They also include hardware acceleration for IPv6, IP multicast and access control lists.

The switches feature what Cisco calls Power over Ethernet (PoE) pass-through, a capability that allows the products to draw 30 watts/port of power from PoE switches deeper in the network – like in the wiring closets -- and not require dedicated power outlets or power supplies. The switches are also designed to reduce cabling costs by eliminating the need for individual cable drops from the wiring closet to far-flung network endpoints.

The switches can be deployed up to 100 meters away from the wiring closet, Cisco says. They are fanless, and can be placed on or mounted underneath desktops and countertops or on a wall.
For security, the switches support Cisco’s TrustSec technology, which determines, through policies, the role of users and devices in the network before granting access to resources. The C-Series switches are also PCI compliant, Cisco says, for regulatory compliance of payment transactions.

The switches encrypt all packets between the switch and the end device, and malicious users can be blocked from eavesdropping on the conversation between two endpoints, Cisco says. The switches also come with an optional security lock and cable guard to prevent theft of the switch and unauthorized access to the cables.
The C-Series switches also feature tools for simplified configuration and management, and QoS implementation for IP telephony and video. The switches can be remotely managed along with the switches in the wiring closet, Cisco says.

They also support Cisco’s EnergyWise software for monitoring and managing energy consumption of the devices connected to the switch. EnergyWise turns off or powers down devices when they are not needed.
"This is a long, overdue and good move by Cisco," says Andre Kindness of Forrester Research. "The retail and education markets that have always had a need a for smaller, more efficient, and quieter switches which has been traditionally filled by D-Link, HP and 3Com" before HP’s acquisition of them.

Kindness says Cisco is responding to trends in retail, education and enterprise in general where users are moving to more a distributed workforce with smaller campuses and more branch/remote locations. This means there will be shift in edges switches from large 24 and 48 port ones to compact and fanless ones, Kindness says.

Businesses are also setting themselves up in more locations but with smaller footprints to connect with more customers, Kindness says. An example of this is banks that have carved out locations within grocery stores instead of leasing large buildings on the corner of major streets.

The strengths of Cisco's C-Series line are simplicity, security and deployment flexibility, Kindness says. The downsides may be price and feature overkill for some markets.
"They are packing all the features into each physical form factor instead of offering different firmware levels for each form," Kindness says. "For example, the education market doesn’t really need the security rich feature set as the retail industry."

The switches may also overlap with Cisco's 500 series switches for the SMB market, Kindness says. Cisco may need to do a better job articulating the differences between these and other offerings, he says.

Pricing for the C-series ranges from $745 to $1,995. They will be available in March.

Read More

Facebook ignites Bubble 2.0 chatter

Can the next hottest dotcoms live up to Wall Street's expectations?
Remember Webvan? The online grocer, whose initial public offering in March 2000 was among the most hotly anticipated during the dot-com boom, is now viewed as one of the greatest disasters of the era.

Fast forward 11 years and the feeding frenzy around Facebook and its exponentially expanding valuations are conjuring fears of a Bubble 2.0.

Goldman Sachs bankers have offered their private wealth clients less than a week to decide whether they want to hand over US$2 million apiece for a sliver of the Web darling du jour: Facebook at a $50 billion valuation.
For one Goldman client, who was expecting a 100-page financial document on Facebook to be hand-delivered on Thursday, hours before the deadline to invest in the company -- the whole thing "felt a bit like 1999."

Thanks to Goldman Sachs' latest cash infusion of about US$450 million with a commitment to raise another US$1.5 billion, Facebook has become the lightning rod for debate over whether these new Internet hotshots possess the profit-generating muscles to justify Wall Street's unforgiving expectations.

Twitter and Groupon, an online coupons site considered by some as the fastest growing company in Web history, are also mulling plans for IPOs well ahead of Facebook's potential offering at the end of 2012, investment bankers have told Reuters.

LinkedIn is wasting no time. The social network for professionals, with 85 million members, has hired bankers to go public this year.

For Facebook, which generated about US$2 billion in revenue in 2010, according to media reports, the US$50 billion valuation means investors have awarded it a multiple of 25 times sales, compared with a nine-times multiple for Google, and Amazon.com's 2.5-times multiple.

Facebook generates US$4 per user, compared with Google's US$24 per user and Yahoo's US$8 per user, according to a recent report by JPMorgan.

All that makes Facebook look expensive in the eyes of investors who measure businesses using traditional financial yardsticks, said Ken Sawyer, the managing director of venture capital firm Saints Capital, which owns shares of Facebook.

Investors will need to look past existing financial returns to focus on the company's business-transforming potential.

"It depends on your view of the world," said Sawyer. "If you believe that the ability to leverage this social network fabric will change the way companies acquire customers, then the valuation looks cheap."

Just as Google's search advertisements revolutionised the way businesses reach customers, Facebook's audience of a half-a-billion members has allowed companies like social gaming service Zynga and online dating service Zoosk to sign-up tens of millions of customers of their own in record time, Sawyer said.

As Facebook devises more ways to make money from that capability, such as by taking a cut of transactions made by other companies on its platform, the opportunity could be substantial, he said.



GLOBAL PHENOMENON

Facebook, born as a Harvard dorm-room project to help students to stay connected, has evolved into a global phenomenon, whose users include nearly as many people over 45 years of age as it does people under 24 years old.

In 2010, Facebook displaced Google as the most visited website in the United States, and nearly one out of every four graphical display ads viewed in the United States in the third quarter was on Facebook's website, according to analytics firm comScore.

Other young social networking businesses are experiencing similar growth.

Twitter, the microblogging service that has become an indispensable tool for celebrities and politicians to connect with fans, now counts more than 175 million users and fetched a US$3.7 billion valuation in a recent round of venture capital funding.

Online coupon service Groupon recently announced plans to raise up to US$950 million, implying a valuation that one research firm estimated could be as high US$7.8 billion.

Premium valuations for top-tier players like Facebook and Groupon are usually worth it, wrote Google "developer advocate" Don Dodge in a widely read blog post on Tuesday. The potential for a bubble comes when investors bid up prices for third-tier companies, whose business prospects aren't as solid, he wrote.

Unlike in the late 1990s, shares of today's Web sensations are privately held and not available to the general public. But a growing secondary market has developed in which investors meeting certain criteria, such as minimum net worth, can buy and sell shares.

Goldman Sachs plans to raise up to US$1.5 billion to invest in Facebook through a special purpose investment vehicle marketed to its private wealth management customers.

Such trading in companies that are not required to provide investors with the same kind of detailed financial reports and updates as public companies is raising alarms.

"It feels a little irrationally exuberant with some of these transactions, some of these values, particularly given the level of disclosure," said Robert Ackerman, the founder of early-stage venture capital firm Allegis Capital.

"Maybe with Facebook that's well placed," he said, "but what about all the other companies that are going to ride on Facebook's coat-tails."

The laws of gravity are also different in the private markets in which the new generation of Web superstars trade.

Because there's no way to short shares of private companies, the shares are subject to upward pressure but not downward pressure, noted BGC Financial analyst Colin Gillis.

"There's no counterbalance," he said.

Read More

AT&T exec says CDMA iPhone users won't like 'life in the slow lane'

AT&T's top PR exec decided to stir the pot on the eve of an expected announcement that Apple's popular iPhone would finally be available on Verizon Wireless' CDMA-based network.

Verizon is widely expected tomorrow to announce it will be the second U.S. carrier to offer the iPhone, and the first to do on a CDMA network.

GET THE SCOOP: Will a Verizon iPhone be announced next Tuesday?

AT&T Executive Vice President Larry Solomon today reacted to a Wall Street Journal story which reported that Verizon is confident enough of its beefed up network to offer iPhone subscribers unlimited data plans for $30 a month. AT&T currently charges them $25 a month, with a data limit of 2 Gigabytes.
Solomon sent out the following statement, according to Business Insider: "The iPhone is built for speed, but that's not what you get with a CDMA phone. I'm not sure iPhone users are ready for life in the slow lane." Solomon noted that AT&T's GSM network is faster than Verizon's CDMA network.

That's already sparking a wave of commentary.

"Theoretically, Solomon is correct, as AT&T's 3G network offers higher peak speeds than Verizon's," writes MobileBeat's Devindra Hardawar.

"But that doesn't mean much when you can't get a network connection at all — something the 140,000-plus attendees of the Consumer Electronics Show saw last week, and something that residents of big cities like New York and San Francisco deal with every day."

AT&T has been the exclusive U.S. carrier for iPhone since the wildly popular handset was released in mid-2007. But the carrier has been plagued with complaints about missing or dropped or slow connections and poor customer service almost from the start. The company has said it under-estimated the data traffic impact of iPhone users, and has spent a lot of money to bolster its cellular infrastructure.

Late last week, in what was widely interpreted as a pre-emptive move, AT&T announced it was cutting the price of the iPhone 3Gs in half, to $49 from $99.

The big question, assuming Verizon Wireless does indeed announce a CDMA iPhone, is how many units it will sell. Several analysts have forecast that Verizon, with a current subscriber base of about 93 million, will sell 9 million to 12 million iPhones in the first 12 months. The Wall Street Journal reported that AT&T sold 11.1 million iPhones in the first nine months of 2010, and one analyst estimates the 2010 total will be about 14.5 million.

Read More

Hacker to use cloud for brute force WiFi crack

WPA-PSK not powerful enough in a cloud world.

A security researcher claims to have figured out a quick and inexpensive way to break a commonly used form of password protection for wireless networks using powerful computers that anybody can lease from Amazon.com over the Web.

Thomas Roth, a computer security consultant based in Cologne, Germany, says he can hack into protected networks using specialised software that he has written that runs on Amazon's cloud-based computers. It tests 400,000 potential passwords per second using Amazon's high-speed computers.
That leaves businesses as well as home networks prone to attack if they use relatively simple passwords to secure their networks.

Amazon leases time on computers to developers and companies that don't have the money to buy their own equipment, or don't use it frequently enough to justify doing so. Customers include individual programmers and corporate users.

A spokesman for Amazon said that Roth's research would only violate his company's policies if he were to use Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service to break into a network without permission of its owner.

"Nothing in this researcher's work is predicated on the use of Amazon EC2. As researchers often do, he used EC2 as a tool to show how the security of some network configurations can be improved," said Amazon spokesman Drew Herdener.

"Testing is an excellent use of AWS, however, it is a violation of our acceptable use policy to use our services to compromise the security of a network without authorisation."

Roth will distribute his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

He said he is publicising his research in a bid to convince skeptical network administrators that a commonly used method for scrambling data that travels across WiFi network passwords is not strong enough to keep crafty intruders from breaking in to networks.

That encryption method, dubbed WPA-PSK, scrambles data using a single password. If a potential intruder is able to figure out the password, he or she can gain access to computers and other devices on the network.

Roth said that the networks can be broken into if hackers use enough computer power to "brute force" their way into figuring out the passwords that protect networks.

Those passwords were difficult for the average hacker to break until Amazon.com recently started leasing time on powerful computers at relatively inexpensive rates: It takes the processing capability of multiple computers to perform mathematical calculations needed to break the passwords.

The online retailer charges users 28 cents a minute to use machines that Roth used in his attack. It would cost at least tens of thousands of dollars to purchase and maintain that equipment.

Roth said that he used his software and Amazon's cloud-based computers to break into a WPA-PSK protected network in his neighborhood. It took about 20 minutes of processing time. He has since updated his software to speed its performance and believes he could hack into the same network in about 6 minutes.

"Once you are in, you can do everything you can do if you are connected to the network," he said.

Roth said he was not publicising his discovery to encourage crime, but to change a misconception among network administrators:

"People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," he said. "But it is easy to brute force them."

Read More

RIM to block access to porn on BlackBerry in Indonesia

Research in Motion said Monday it will work with Indonesia's carriers to filter out pornography websites as soon as possible for BlackBerry subscribers.

Internet service providers are required by law to block pornographic content, said Heru Sutadi, commissioner of Badan Regulasi Telekomunikasi Indonesia (BRTI), the telecommunications regulator in the country. If RIM does not block pornographic sites, Indonesia may consider blocking the service, Sutadi said.

Tifatul Sembiring, Indonesia's minister of communications and information, had warned of legal action if RIM did not filter pornographic web sites, according to media reports.RIM said in its statement that it shares Sembiring's sense of urgency on the matter and that it is fully committed to working with Indonesia's carriers to put in place "a prompt, compliant filtering solution for BlackBerry subscribers in Indonesia."

A meeting between RIM and the government is scheduled for Jan. 17. “We hope RIM will be compliant by then,” Sutadi said.

The BRTI is also pressing RIM on an earlier demand that RIM should install a server in Jakarta so that domestic communications traffic does not go out of the country, Sutadi said. It also wants access to some of the communications for security reasons.

RIM is already under pressure in India to allow the country's security agencies access to communications on its services. The company has agreed to provide lawful access under certain conditions to traffic in India on the BlackBerry Messenger service, but said that it does not have the technical ability to provide its customers' encryption keys for its corporate service, the BlackBerry Enterprise Server.

Read More

Facebook's leaked financials show possible $1B profit in '11

Goldman Sachs' not-so-secretive document spills beans on site.
Facebook reportedly generated $1.2 billion in revenue in the first nine months of 2010, according to a document being distributed by Goldman Sachs.

What are reportedly Facebook's financials began leaking out Friday thanks to a not-very-secretive 101-page document that Goldman Sachs is sending out to potential Facebook investors, according to Reuters. Goldman Sachs, which earlier this week invested $450 million in Facebook and valued the social networking company at $50 billion, is providing its wealthiest customers with the most detailed information about Facebook's financials to hit the street yet.Citing an unnamed source who received the document, Reuters is reporting that Facebook earned $355 million in net income in the first nine months of 2010. It also noted that the financial statements being handed out have not been audited and do not specify how Facebook is pulling in its revenue.

Businessweek is reporting that if Facebook can maintain its growth and margins, the company could realistically pull in $1 billion in profit in 2011.
Facebook declined to comment for this story.

"We're finally seeing some numbers on Facebook's revenue and profitability and the news is mostly good," said Dan Olds, an analyst with The Gabriel Consulting Group. "The company has solid revenues north of a billion and profit margins of anywhere from 25% to 35%. These are great numbers, but not necessarily high enough to support a $50 billion valuation."

To financially get where Goldman Sachs thinks Facebook can go, the company won't be able to just stay the course.

"The only way Facebook at $50 billion looks like a good investment is if you believe that the company is going to continue to grow revenue and profits at a huge clip well into the future," added Olds.

News of Facebook's financials surfaced just one day after reports hit that the social networking company is on the cusp of gaining 500 shareholders, an invisible line enforced by the U.S. Securities and Exchange Commission (SEC) that will force Facebook to disclose its financials even though it's not a publicly traded company.

Discussion of the site's finances was widespread this week, even turning up in a segment on The Daily Show, where host Jon Stewart lampooned Facebook's desire to keep its information secret.
The Wall Street Journal reported yesterday that Mark Zuckerberg, CEO and co-founder of Facebook, is preparing to launch an initial public offering in 2012. That echoes statements made last September by Facebook board member, venture capitalist and PayPal co-founder Peter Thiel that Facebook was eyeing an IPO in late 2012.

News about Facebook's IPO prospects follow widespread speculation in recent days that another social networking company, LinkedIn, is working on an IPO of its own and could beat social networking heavyweights like Facebook and Twitter to the IPO gate.

Read More

Fear not, Facebook isn't shutting down

Social network moves quickly to quash rumors Zuckerberg is set to call it quits.
No need to worry that Facebook will shut down on March 15, as reported by the supermarket tabloid Weekly World News.

Facebook quickly dispelled rampant online rumors that the site will be shut down for good on March 15. The rumors spread after Weekly World News, best known for stories about UFOs, aliens and the like, published a story over the weekend saying that Facebook CEO Mark Zuckerberg announced he was shuttering the company because it had become too stressful for him.

Facebook's quick reply: "We didn't get the memo about shutting down, so we'll keep working away like always. We aren't going anywhere; we're just getting started."

"It's hard to believe that anyone would take this seriously," said Dan Olds, an analyst at Gabriel Consulting Group. "But Weekly World News readers probably have bigger things on their minds, like their story about aliens attacking Earth in 2011 or the story about developing the skills to be invisible and levitate."

The rumors come just a week after Goldman Sachs and Digital Sky Technologies invested $500 million in the company, which gives Facebook a valuation of $50 billion. Shortly thereafter, leaked financial documents shows that Facebook generated a profit of $355 million on $1.2 billion in revenue during the first nine months of 2010.

The financials began leaking out last Friday thanks to a not-very-secretive 101-page document that Goldman Sachs sent to potential Facebook investors. Citing an unnamed source who had reportedly received the document, Businessweek reported that Facebook is on a path to generate $1 billion in profit this year.

Read More