Oracle Issues Massive Security Update
Oracle has issued its critical patch update advisory for July, plugging a total of 89 security holes across its product portfolio.
The fixes focus mainly on remotely exploitable vulnerabilities in four widely used products, with 27 fixes issued for the Oracle Database, Fusion Middleware, the Oracle and Sun Systems Product Suite and the MySQL database.
Out of the 89 security fixes included with this update, the firm said six are for Oracle Database, with one of the vulnerabilities being remotely exploitable without authentication.
Oracle revealed that the highest CVSS Base Score for these database vulnerabilities is 9.0, a score related to vulnerability CVE-2013-3751, which affects the XML Parser on Oracle Database 11.2.0.2 and 11.2.0.3.
A further 21 patched vulnerabilities listed in Oracle’s Critical Patch Update are for Oracle Fusion Middleware; 16 of these vulnerabilities are remotely exploitable without authentication, with the highest CVSS Base Score being 7.5.
As for the Oracle and Sun Systems Products Suite, these products received a total of 16 security fixes, eight of which were also remotely exploitable without authentication, with a maximum CVSS Base Score of 7.8.
“As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible,” Eric Maurice, Oracle’s director of Software Security Assurance, wrote in a blog post.
Craig Young, a security researcher at Tripwire, commented on the Oracle patch, saying the “drumbeat of critical patches” is more than alarming because the vulnerabilities are frequently reported by third parties who presumably do not have access to the full source code.
“It’s also noteworthy that […] every Oracle CPU release this year has plugged dozens of vulnerabilities,” he added. “By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”
Oracle Changing Berkeley
Oracle has changed the license of its embedded database library, Berkeley DB. The software is widely used as a key-value store within other applications and historically used an OSI-approved strong copyleft license which was similar to the GPL.
Under that license, distributing software that embedded Berkeley DB involved also providing “information on how to obtain complete source code for the DB software and any accompanying software that uses the DB software.”
Now future versions of Berkeley DB use the GNU Affero General Public License (AGPL). This says “your modified version must prominently offer all users interacting with it remotely through a computer network … an opportunity to receive the Corresponding Source of your version.”
This will cause some problems for Web developers using Berkeley DB for local storage. Compliance has not really been an issue for them until now because they never “redistributed” the source of their Web apps. Now they will have to make sure their whole Web app is compliant with the AGPL and make the full corresponding source of their Web application available.
They also need to ensure the full app has compatible licensing. In practice, that means the whole source code has to be licensed under the GPLv3 or the AGPL.
Collaborating Viruses Showing Up
Two computer viruses are collaborating to defeat clean-up operations. Microsoft researcher Hyun Choi has found that the pair of viruses foil removal by regularly downloading updated versions of their malware partner.
It is the first time such a defense has been observed. Choi said that the Vobfus and Beebone viruses were regularly found together. Vobfus was the first to arrive on a machine, he said, and used several tactics to infect victims: it could be installed via booby-trapped links on websites, travel over network links to other machines, or lurk on USB drives and infect the machines they are plugged into.
Once installed, Vobfus downloaded Beebone, which enrolled the machine into a botnet. After this the two work together to regularly download new versions of each other. If Vobfus was detected and remediated, it could already have downloaded an undetected Beebone variant, which in turn could download an undetected variant of Vobfus.
Vobfus has been a persistent problem since it first appeared in 2009.
Dell Promises ExaScale By 2015
Dell has claimed it will make exascale computing available by 2015, as the firm enters the high performance computing (HPC) market.
Speaking at the firm’s Enterprise Forum in San Jose, Sam Greenblatt, chief architect of Dell’s Enterprise Solutions Group, said the firm will have exascale systems by 2015, ahead of rival vendors. However, he added that development will not be boosted by a doubling in processor performance, saying Moore’s Law is no longer valid and is actually presenting a barrier for vendors.
“It’s not doubling every two years any more, it has flattened out significantly,” he said. According to Greenblatt, the only way firms can achieve exascale computing is through clustering. “We have to design servers that can actually get us to exascale. The only way you can do it is to use a form of clustering, which is getting multiple parallel processes going,” he said.
Not only did Greenblatt warn that hardware will have to be packaged differently to reach exascale performance, he said that programmers will also need to change. “This is going to be an area that’s really great, but the problem is you never programmed for this area, you programmed to that old Von Neumann machine.”
According to Greenblatt, the movement of data will also be cut down, a change he said will make network latency less of a performance issue. “Things are going to change very dramatically, your data is going to get bigger, processing power is going to get bigger and network latency is going to start to diminish, because we can’t move all this [data] through the pipe,” he said.
Greenblatt’s reference to data being closer to the processor is a nod to the increasing volume of data that is being handled. While HPC networking firms such as Mellanox and Emulex are increasing bandwidths on their respective switch gear, bandwidth increases are being outpaced by the growth in the size of datasets used by firms deploying analytics workloads or academic research.
That Dell is projecting 2015 for the arrival of exascale clusters is at least a few years sooner than firms such as Intel, Cray and HP, all of which have put a “by 2020” timeframe on the challenge. However, what Greenblatt did not mention is the projected power efficiency of Dell’s 2015 exascale cluster, something that will be critical to its usability.
Will Oracle Retire MySQL?
MySQL founder Michael “Monty” Widenius claims that Oracle is killing off his MySQL database, and he is recommending that people move to his new project, MariaDB. In an interview with Muktware, Widenius said that MariaDB, which is also open source, is on track to replace MySQL at WikiMedia and other major organizations and companies.
He said MySQL was widely popular long before it was bought by Sun because it was free and had good support. There was a rule that anyone should be able to get MySQL up and running in 15 minutes. Widenius was concerned about MySQL’s sale to Oracle and has been watching as the popularity of MySQL has declined. He said that Oracle was making a number of mistakes. Firstly, new ‘enterprise’ extensions in MySQL are closed source, the bug database is not public, and the MySQL public repositories are no longer actively updated.
Widenius said that security problems were neither communicated nor addressed quickly, and that instead of fixing bugs, Oracle is removing features. It is not all bad: some of Oracle’s new code is surprisingly good, he said, but unfortunately the quality varies and a notable part needs to be rewritten before it can be included in projects like MariaDB. Widenius said that it is impossible for the community to work with the MySQL developers at Oracle, as Oracle does not accept patches, does not have a public roadmap, and offers no way to discuss with MySQL developers how to implement things or how the current code works.
Basically, Oracle has made the project less open and its popularity has tanked, while at the same time more open versions of the code, such as MariaDB, are rising in popularity.
MS Surface Pro Sells Out
Microsoft started selling its Surface Pro tablet last Saturday, and quickly ran out of its supply of the 128GB configuration.
While the less expensive 64GB device was also listed as out of stock Saturday on Microsoft’s online store, by Sunday it was again available.
The company acknowledged the outages.
“We’re working with our retail partners who are currently out of stock of the 128GB Surface Pro to replenish supplies as quickly as possible,” said Panos Panay, general manager for Microsoft’s Surface line, in a Saturday blog post. “Our priority is to ensure that every customer gets their new Surface Pro as soon as possible.”
Numerous online reports noted the shortages, saying that some Microsoft retail stores sported Apple-esque lines on Saturday and that many Best Buy and Staples locations — Microsoft’s retail partners for the Surface in the U.S. — had single-digit supplies that in some cases were claimed earlier in the week.
Microsoft is selling the Surface Pro in the U.S. through its online e-mart, its approximately 70 retail outlets, and the Best Buy and Staples chains.
The device, which runs Windows 8 and is powered by an Intel processor, sells for $899 in a 64GB storage configuration, and for $999 with 128GB. Keyboard-cover accessories — the Touch Cover and Type Cover — sell separately for $120 and $130, respectively.
Passwords Continue As The Weakest Link
Passwords aren’t the only failure point in many of the recent, widely publicized intrusions by hackers.
But passwords played a part in the perfect storm of user, service provider and technology failures that can result in epic network disasters. Password-based security mechanisms — which can be cracked, reset and socially engineered — no longer suffice in the era of cloud computing.
The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant.
Password security is the common cold of our technological age, a persistent problem that we can’t seem to solve. The technologies that promised to reduce our dependence on passwords — biometrics, smart cards, key fobs, tokens — have all thus far fallen short in terms of cost, reliability or other attributes. And yet, as ongoing news reports about password breaches show, password management is now more important than ever.
All of which makes password management a nightmare for IT shops. “IT faces competing interests,” says Forrester analyst Eve Maler. “They want to be compliant and secure, but they also want to be fast and expedient when it comes to synchronizing user accounts.”
IBM Sued Over Disaster
IBM has been hit with a multimillion-dollar lawsuit by chemical products manufacturer Avantor Performance Materials, which alleges that IBM lied about the suitability of an SAP-based software package it sells in order to win Avantor’s business.
In 2010, Avantor decided to upgrade its ERP (enterprise resource planning) platform to SAP software, according to the lawsuit, filed Thursday in U.S. District Court for the District of New Jersey.
“Seizing upon Avantor’s decision — and fully aware that, given the competitive pressures of Avantor’s industry, and the specialized demands of its customers, Avantor could not tolerate any disruptions in customer service — IBM represented that IBM’s ‘Express Life Sciences Solution’ … was uniquely suited to Avantor’s business,” the lawsuit states. “The Express Solution is a proprietary IBM pre-packaged software solution that runs on an SAP platform.”
But Avantor discovered a different truth after signing on with IBM, finding that Express Life was “woefully unsuited” to its business and the implementation brought its operations to “a near standstill,” according to the suit.
IBM also violated its contract by staffing the project with “incompetent and reckless consultants” who made “numerous design, configuration and programming errors,” it states.
In addition, IBM “intentionally or recklessly failed” to tell Avantor about risks to the project and hurried towards a go-live date, the suit alleges.
“To conceal the System’s defects and functional gaps, IBM ignored the results of its own pre-go-live tests, conducted inadequate and truncated testing and instead recommended that Avantor proceed with the go-live as scheduled — even though Avantor had repeatedly emphasized to IBM that meeting a projected go-live date was far less important than having a fully functional System that would not disrupt Avantor’s ability to service its customers,” the suit states.
The resulting go-live, which occurred in May, “was a disaster,” with the system failing to process orders properly, losing some orders altogether, failing to generate needed paperwork for U.S. Customs officials and directing “that dangerous chemicals be stored in inappropriate locations,” the suit states.
Avantor has suffered tens of millions of dollars in monetary damages, as well as taken a hit to its reputation among partners and customers, the suit states.
1 In 5 U.S. PCs Have No Antivirus Protection
Nearly a fifth of Windows PCs in the U.S. lack any active security protection, an antivirus vendor stated on Wednesday, citing numbers from a year-long project.
“The scale of this is unprecedented,” argued Gary Davis, the director of global consumer product marketing for McAfee, talking about the scope of his company’s sampling of PC security.
McAfee took measurements from scans of more than 280 million PCs over the last 12 months and found that 19.3% of all U.S. Windows computers browsed the Web without security software. Owners of those systems had downloaded and run McAfee’s free Security Scan Plus, a tool that checks for antivirus programs and enabled firewalls.
Globally, the average rate was 17%, putting the U.S. in the top 5 most-unprotected countries of the 24 represented in the scans.
Of the unprotected PCs in the U.S., 63% had no security software at all, while the remaining 37% had an AV program that was no longer active. The latter were likely trial versions of commercial antivirus software that had expired.
Antivirus trials are a fact of life in the Windows world. Most new machines come with security software that runs for a limited time. Some new Dell PCs, for example, come with a 30-day trial of McAfee’s Security Center program.
Future PCs Will Be Constant Learners
Tomorrow’s computers will constantly improve their understanding of the data they work with, which in turn will aid them in providing users with more appropriate information, predicted the software mastermind behind IBM’s Watson system.
Computers in the future “will learn through interacting with us. They will not necessarily require us to sit down and explicitly program them, but through continuous interaction with humans they will start to understand the kind of data and the kind of computation we need,” said IBM Fellow David Ferrucci, who was IBM’s principal investigator for Watson technologies. Ferrucci spoke at the IBM Smarter Computing Executive Forum, held Wednesday in New York.
“This notion of learning through collaboration and interaction is where we think computing is going,” he said.
IBM’s Watson project was an exercise for the company in how to build machines that can better anticipate user needs.
IBM researchers spent four years developing Watson, a supercomputer designed specifically to compete on the TV quiz show “Jeopardy,” in a contest that took place last year. On “Jeopardy,” contestants are asked a range of questions across a wide variety of topic areas.
Watson did win its “Jeopardy” match. Now IBM thinks the Watson computing model can have a wide range of uses.