Posts Tagged ‘Internet’

Firefox 3.1 beta freeze delayed until September 9

Wednesday, August 13th, 2008

The beta of Firefox 3.1 has been pushed back to mid September.

At the Mozilla group’s weekly meeting Tuesday, one developer said “there is a big gap between the features planned for 3.1 and what will make it if we freeze on the 19th.”

Some of the features planned for 3.1 — including bulk tagging, JavaScript enhancements, cross-site XHR and worker threads — are not going to be ready by the end of the month.

Since the team is pushing back the beta code freeze by three weeks, users won’t have it in hand until the middle of next month.

The Firefox team originally planned to freeze the beta code on August 19th but has now set the beta freeze for September 9. In the interim, the team will freeze the code for alpha 2 on the 19th.

Alpha 1 was released on July 28th. Beta 1 is now tentatively scheduled for September 9th. Based on the input during the 75-minute meeting, the pushback has more to do with the heavier summer vacation period than technical difficulties.

Aren’t the Nokia N800/N810 devices dead simple web tablets?

Monday, August 11th, 2008

Michael Arrington’s post on creating a cheap web tablet is generating a lot of discussion on the internet and as a mobile enthusiast I wanted to add some of my thoughts to the discussion. There is a device available now that has dropped down as low as US$299.99 recently that runs an excellent Mozilla-based browser and has much more functionality than Arrington is asking for. If you took out the GPS receiver and maybe even the keyboard from the Nokia N810 Internet Tablet, Nokia could probably produce one for around US$200. Actually, the Nokia N800 model can be upgraded to the latest Tablet OS 2008 and that is available for just around US$200 so that may be a good alternative that is already available.

The N800/N810 devices run on Maemo Linux and there is quite a community of developers always working to make the device better and better. Check out the Featured Maemo Apps site to see how much you can do with these Nokia Internet Tablets. There is also the excellent Maemo.org site and Internet Tablet Talk community site that you should visit.

Michael also wants the device to run Skype and the N800/N810 do this wonderfully. I actually kept in touch with my family while on a couple of European trips using the N800/N810 connected via a WiFi hotspot with Skype and the client has been around for over a year now.

As Michael thinks more about this endeavor, he may want to chat with Kevin Tofel who has been using his UMPC in the cloud only now for 44 days and has lots of experiences trying to get things done with web services. I would actually like to see Kevin’s same experiment run on the Nokia N800 or N810. I think if Nokia wanted to sell more of these devices, they should think about marketing it more as a “cloud” computer now that there are more and more web services available. I know when I showed off the N800 to family at recent events they said that the device was all they need since it lets them check email, surf the sites they want to view, and still perform some other tasks like word processing, media playback, and more.

Expert: SOA vulnerable to DNS security flaw, too

Wednesday, August 6th, 2008

This just in from the Black Hat security confab currently taking place in Las Vegas: Dan Kaminsky, a well-known IT security researcher, disclosed his findings around the Domain Name Server flaw (or DNS cache poisoning vulnerability) and where it can bite. Tim Wilson of Dark Reading reported on the presentation by Kaminsky, who said the flaw enables attackers “to exploit the DNS design to quickly guess the transaction ID of an address query and potentially re-route the user to an unexpected domain.”

(For more details, ZDNet colleague Ryan Naraine provides an interesting behind-the-scenes look at the politics and posturing that took place behind the vulnerability, and the ensuing July 8th patch release to help mitigate the threat.)
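An added example (not from the original post or from Kaminsky's talk): one defender-side signal for the transaction-ID guessing described above is a run of responses carrying the wrong ID while a query is still outstanding. The event format, sample events and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed resolver events, not real traffic: (time_s, kind, qname, txid)
EVENTS = [
    (0.000, "query",    "www.example.com",  0x1A2B),
    (0.031, "response", "www.example.com",  0x1A2B),   # normal: ID matches
    (5.000, "query",    "mail.example.org", 0x77C1),
    (5.002, "response", "mail.example.org", 0x0001),   # wrong ID
    (5.003, "response", "mail.example.org", 0x0002),   # wrong ID
    (5.004, "response", "mail.example.org", 0x0003),   # wrong ID
    (5.005, "response", "mail.example.org", 0x0004),   # wrong ID
    (5.040, "response", "mail.example.org", 0x77C1),   # genuine answer
    (9.000, "query",    "ftp.example.net",  0x0BEE),
    (9.010, "response", "ftp.example.net",  0x0BED),   # one stray mismatch
    (9.020, "response", "ftp.example.net",  0x0BEE),
]


def flag_id_guessing(events, threshold=3):
    """Return {qname: mismatch_count} for names that drew at least
    `threshold` wrong-ID responses while a query was outstanding."""
    outstanding = {}          # qname -> transaction ID the resolver waits for
    mismatches = Counter()
    for _time, kind, qname, txid in sorted(events):
        if kind == "query":
            outstanding[qname] = txid
        elif kind == "response" and qname in outstanding:
            if txid == outstanding[qname]:
                del outstanding[qname]   # accepted; later packets are ignored
            else:
                mismatches[qname] += 1   # legitimate servers echo the query ID
    return {name: n for name, n in mismatches.items() if n >= threshold}


if __name__ == "__main__":
    for name, count in flag_id_guessing(EVENTS).items():
        print(f"{name}: {count} wrong-ID responses before the real answer")
```

A single stray mismatch stays below the threshold; only the burst against `mail.example.org` is flagged.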

As Kaminsky put it, there are apparently implications for companies SOA-enabling their applications. As relayed by Tim Wilson, Kaminsky said the problem extends far and wide across the enterprise:

“While most early discussions focused on Web surfing and the potential hijacking of users’ browser sessions, Kaminsky today pointed out that DNS address queries are embedded in a wide variety of applications and services that had not entered the conversation previously.

“The Internet is more than just the Web,” Kaminsky said. “HTTP is used in more than just the browser.”

Most email systems, for example, contain DNS lookup capabilities and even their own name servers, Kaminsky observed. “Email servers are awesome at doing DNS lookups,” he said. “They will do a DNS lookup for any reason at all. And your spam filter will not stop this problem.”

Many enterprises also believe that their internal DNS environments will not be vulnerable, Kaminsky observed. But many internal environments also work with external DNS servers, and even if they didn’t, most internal environments are also connected to DNS servers used by customers or suppliers, he noted.

The DNS flaw can affect any system that uses the Internet, including older applications such as FTP that are still widely used, Kaminsky noted. Back-end IT systems such as Telnet, SNMP, authentication servers (such as Radius), backup and restoral systems, and even service-oriented architecture (SOA) environments all use DNS, and could be subject to attack via the newly discovered flaw.”

Interesting stuff, and a reminder that SOA means security needs to be a holistic enterprise commitment. Especially since organizations will be relying more on services that not only come from other parts of the organization, but from outside the firewall, too. Be sure to practice “Safe SOA…”

Limit Internet Attacks With Virtual Servers

Tuesday, June 24th, 2008

Carefully managed virtual servers can make the job of attackers more difficult by reducing the time that any one version of a server is exposed to the Internet, according to a George Mason University professor who has developed software that phases virtual servers in and out of use.

By limiting how long virtual servers remain online and synchronizing their replacement with fresh servers, businesses can cut the damage hackers inflict, says Arun Sood, a computer science professor at the school.

His software, called Self Cleansing Intrusion Tolerance, or SCIT, resides on physical servers and coordinates the life cycle of the virtual servers. Sood has started privately funded SCIT Labs to create a commercial SCIT product.

Traditional physical servers are exposed to the Internet for months on end, providing a vast window of opportunity for attackers, Sood says. “You can call them overexposed or you can call them sitting ducks,” he says.

SCIT-controlled virtual servers can be scheduled for exposures lasting just seconds before being shut down.

Sood supports layered network defenses, and says he is not trying to displace intrusion prevention systems or other security systems that seek to block attacks. But because these other systems don’t block all malicious behavior, he is working toward intrusion tolerance: systems that keep functioning and fix themselves even when they are attacked.

“I’m not smart enough to keep people out of the system,” Sood says, “but I’m going to try my best to limit the damage they can do.”

Sood says his technology will make successful attacks harder and will reduce their number. “If you take a server offline every minute, the intruder has just one minute to play games,” he says.

Timing capabilities within SCIT manage the life cycles of virtual servers, making sure some server is always available so that service is uninterrupted, Sood says. To client machines, SCIT-ized virtual servers appear as if they are a single server.

SCIT is best suited to servers with short transaction times and has been tested with DNS, Web and single-sign-on servers, which can perform effectively even if each virtual server is in use for just seconds, he says.

Once a server has been in use for the prescribed period, it is taken offline where it can be killed. The SCIT Controller generates replacement virtual servers from a server image of known state. Used virtual servers can be analyzed before they are killed to look for whether any attacks were carried out against them. They can also be saved but kept offline for future reference, Sood says.

SCIT can further complicate the job of hackers by generating replacement virtual servers that perform the same function from different platforms. So the server being taken offline may have Linux as an operating system and the one replacing it may have Windows. Or one may be BIND DNS while the replacement is Microsoft DNS server. He calls this strategy security by diversity.

So far Sood has used VMware as the platform to create the virtual machines and claims any other virtualization software would work as well.
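An added sketch of the rotation described above, not SCIT's own code: it models a round-robin pool with a fixed exposure window and shows how many virtual servers are needed so that one clean copy is always ready. The restore time, the round-robin order and the server names are assumptions made for the example.

```python
import math
from itertools import cycle


def min_pool_size(exposure_s, restore_s):
    """Smallest round-robin pool that always has a clean server ready."""
    return 1 + math.ceil(restore_s / exposure_s)


def simulate(pool, exposure_s, restore_s, duration_s):
    """Rotate servers in turn; return (schedule, gap_s).

    schedule: list of (online_from, online_until, server_name)
    gap_s:    seconds with no server online (service interrupted)
    """
    ready_at = {name: 0 for name in pool}   # when each clean copy is usable
    schedule, gap_s, t = [], 0, 0
    for name in cycle(pool):
        if t >= duration_s:
            break
        start = max(t, ready_at[name])      # wait if the rebuild is unfinished
        gap_s += start - t
        end = start + exposure_s            # hard cap on time exposed
        schedule.append((start, end, name))
        ready_at[name] = end + restore_s    # killed, then rebuilt from the image
        t = end
    return schedule, gap_s


# Hypothetical pool mixing platforms, per the "security by diversity" idea.
POOL = ["linux-bind", "windows-msdns", "linux-bind-b"]

if __name__ == "__main__":
    print("minimum pool:", min_pool_size(60, 100))
    sched, gap = simulate(POOL, exposure_s=60, restore_s=100, duration_s=600)
    for start, end, name in sched:
        print(f"{start:4d}-{end:4d}s  {name}")
    print("gap with 3 servers:", gap)
    print("gap with 2 servers:", simulate(POOL[:2], 60, 100, 600)[1])
```

With a 60-second exposure and a 100-second rebuild, three servers give uninterrupted service while two leave recurring gaps, so the exposure window cannot be shortened without also growing the pool or speeding up the rebuild.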