
HTMLfixIT Archive for April, 2005




Tuesday, April 5th, 2005 by Franki

In late March we mentioned that Sybase were making threats against a security company about disclosure of security flaws they found in Sybase code, and that a French company took a security researcher to court and had him fined 5000 Euro. Going from this Register story, it looks like Sybase and NGSSoftware are going to settle their dispute amicably, but it really does bring into view a point that many in the Open Source community have been trying to make known for ages.

It seems that most commercial companies would very much prefer it if you only gave them security flaw research and didn’t reveal it publicly at all, but the problem with that is there is nothing in it for the security companies if they do this. The current standard procedure appears to be to tell the software vendor first, then wait for a predetermined period before publicly releasing your findings. By adopting such a stance, the vendor is forced to quickly patch the flaws and roll the patches out to their users, which can only be a good thing, right? Well, not all vendors are happy about the pressure on themselves and on their users (to install the patches), and legal proceedings are a good way (in their minds at least) to stop bug disclosure. The problem with making it difficult for security researchers to do their jobs is that, if you succeed, you have a situation where only malicious crackers (black hats) are actively looking for security flaws and the vendor has no way of knowing what they find until after it has been used against one of their customers. All of this makes you wonder how many flaws have been found in commercial software that we simply don’t know about because of actions like those above.

Contrast that with Open Source software, like Linux, Apache and Firefox, where not only is the source code of the relevant applications freely available to anyone that wants it, but the creators actively encourage users and developers to find and report bugs in the software so that they can be fixed and the software improved as a result. In fact the Mozilla Foundation actually pays people to find security flaws in its software with the goal of making the software as secure and bug-free as it can possibly be. Now you decide if you will believe past claims by old school commercial software companies (you know who you are) that having the source code openly available is a bad thing for security.

Comments Off on Sued for finding security flaws?

Tuesday, April 5th, 2005 by Franki

Just when users were gaining control over website cookies, and learning how they can be used to track users for both good and bad reasons, and how to remove the ones they consider invasive of their privacy, a company comes along and introduces to the masses a method whereby Flash shared objects can be used to restore deleted cookies and replicate their functionality by containing identification tags. The company with this new offering (called PIE or “Persistent Identification Element”), United Virtualities, said they do not wish to see this new method used by unsavoury types and are talking to the Mozilla Foundation and other browser makers about allowing users to control privacy with shared objects the same way they control cookies now. That begs the question: “If you can remove shared objects the same way you can remove cookies, what benefit does it offer for anybody over cookies in the first place?”

I’m a big fan of anonymity online. To reveal yourself online should be a personal choice, not something forced on users without their consent. And I look at this new development much the same way I viewed the PDF tracking story we covered earlier. Shared Objects can be used to personalise a user’s web experience, or they can be used to track users and develop user profiles by online advertisers to better deluge you in advertising. From the press release, United Virtualities seem to be targeting the product to advertisers, which to me can only be a bad sign, but time will tell, right? Macromedia have a page on controlling your privacy in Flash with the settings manager that covers shared objects.

In other Flash related news, the Mozilla Foundation has released a beta of a new improved pop-up blocker that adds the ability to block pop-ups caused by Flash and other similar plug-ins. Such pop-ups have become more common since Firefox and IE6 SP2 both already have blockers that will stop traditional pop-up windows. The new blocker is still beta and could block pop-ups that are necessary for some sites to function (but you can whitelist sites that you wish to allow pop-ups from). You can try the new pop-up blocker by downloading the .xpi file, then go to “tools” -> “extensions” and then drag the saved XPI file into the extensions window and follow the prompts.

Comments Off on Another potential threat to online anonymity.

Monday, April 4th, 2005 by Franki

Not much about the legal industry is funny, in fact a good deal of it makes most people cringe (myself included), but while checking out Groklaw tonight I found a link to a legal story that was so funny I found myself needing to share it here. The short of the story, as detailed here, is that a young University student legally bought some Microsoft software, then realised he’d likely have to wipe his hard drive and start from scratch to use it. So he decided to return it to the shop, and was rejected. Then he tried to return it to Microsoft, and was rejected again. Lastly he decided to sell the unopened software on eBay and after some tussling, he sold both items and made roughly $145 profit to boot. Microsoft then filed a lawsuit against the young man claiming he infringed their trademark and copyright, and that he caused: “irreparable injury to its business reputation and goodwill”.

The young lad chose to fight back rather than cave to the demand for his car, and after about 37 filings, a counter-claim and a request for a jury trial, Microsoft relented and said they’d drop the suit if he dropped his counter-claim. This was no longer enough for the young student, who wanted an apology and reimbursement for his copies. After realising that he wasn’t likely to get an apology from Microsoft he went to the press. When the lawyers realised that the case was a PR nightmare for Microsoft he got a settlement, part of which was a Microsoft non-disclosure agreement, meaning that he isn’t allowed to talk about the case any more. The ironic thing about it all is that Microsoft would be paying a pretty penny to its lawyers, so the cost of this case to them would have been an order of magnitude more than the full retail price of the two items of software at issue. Not only that, but they relented too late and it was too late to stop the story getting out.

This is seriously funny, but don’t take my word for it, read the full story yourself. It’s much funnier than my summary here. Myself, I’m starting to get a real understanding for that joke about the difference between a dead dog on the road and a dead lawyer. (There are skid marks in front of the dog).

1 Comment »

Monday, April 4th, 2005 by Franki

Forbes has done a spring review of the best of the web for 2005 and Firefox came up as their preferred web browser. Unsurprisingly, the other category that interested me was search engines and Google won that one. The list of companies, groups and organisations backing Firefox is growing at an astonishing rate. If you haven’t tried it, perhaps you should find out what they are all going on about.

15 Comments »

Monday, April 4th, 2005 by Franki

Sometimes a new feature comes along that leaves you unsure if it’s a good or bad development. This is one such development. A company by the name of Remote Approach has developed a system whereby PDF files can be tagged with the addition of some code so that it reports home every time someone opens the file and reports the IP address and other details, including any unique identifiers the makers choose to add, back to the author. They are also apparently working on a method of denying access to the PDF if the reader is not online at the time.

My concern is that this could become yet another tool for tracking users’ habits, and also that companies will start using the facility to require users be online to read ebooks, so that they can track piracy. Since ebook readers and other such tools are unlikely to be online most of the time, this could create serious usability issues. My laptop has been very handy for reading long PDFs while sitting on a deck chair out in the back and out of range of the wireless network. I’d hate to lose that ability due to a restrictive new tool. I’m also not convinced that such a tool should allow collection of IP addresses and other such explicit information about users, as it increases the likelihood that in future such a tool might be used by unscrupulous types. This particular tool is subscription based and as such will be under the control of Remote Approach, but there is a good likelihood that the technology can be co-opted by people of less moral fibre and that worries me somewhat. Trends seem to strongly indicate that the days of the anonymous Internet are drawing to a close. As John Bielby of Remote Approach points out, such information gathering takes place already with Web server logs, but what they don’t mention is that web users can use an anonymizer service to hide their details from web servers if they choose to do so. No such facility is currently available for the new PDF system.

We have just been offered one suggested solution (along with a $30 donation for mentioning it through December 13, 2007) to the offline use dilemma: use a PDF to HTML converter. This would allow you to instead use the document in straight HTML that would be available offline. That suggests an intriguing solution. For a long time, Google has converted PDF documents to HTML, and I often use that method when searching to get a sense for what is in the document because of the relatively lighter download that I have to take. Unfortunately I have not been able to test able2extract because the donation didn’t come with a copy of the software. It suggests that unlike Google, it will convert images as well as text. Google mainly converts the text portion in my experience.

I’ll admit, I have yet to actually encounter one of these files that isn’t available offline, so perhaps we are thus far tilting at windmills? If it becomes commonplace, then I’ll definitely try something like able2extract.

1 Comment »

Monday, April 4th, 2005 by Franki

Third world countries have many problems to overcome. Some can be overcome by sending aid money to those countries, setting up wells, hospitals, schools and food programs, but not all of the problems can be solved in this manner. As the saying goes: “Give a person a fish and feed them for a day, teach them to fish and they will feed themselves indefinitely.” Getting these developing countries into the modern world and teaching them how to survive and indeed flourish in such an environment is the key to their prosperity. To do that you must logically begin with the school age children as they are the ones that will be in the position to take the countries forward. To that end, the founder of the MIT Media Lab, together with AMD, Google and News Corp, are putting together plans to supply a 100 dollar laptop running the Linux Open Source Operating System, to be purchased by governments and supplied to school children in the developing countries. Building a complete laptop for only 100 dollars is a serious challenge, as often single parts are worth most of that amount (like the screen, for example). The likely specs for such a laptop would be somewhat lower than existing mainstream laptops but not so much that they can’t be used for most of the same things most of us use our computers for (not counting gaming of course).

By using Open Source software like GNU/Linux, the makers avoid the heavy cost of software licenses, and as an added bonus, they avoid the vast majority of spyware and virus problems that plague the Windows world. From an Open Source perspective, the good news is that whole new generations will learn and use Free (as in freedom) Open Source software and will become valuable additions to the OSS world once they are educated.

The units are expected to be ready for distribution by late 2006 or early 2007. Read the MIT Media Lab site on the project for more specific detail, or see this nice Wired article on the subject.

2 Comments »

Saturday, April 2nd, 2005 by Franki

With the speed at which RSS feeds are growing in popularity, two things are becoming necessary. The first is ways to make money from RSS feeds, and the other is to set your server up so it can handle the ever increasing load that RSS will put on your system. This article is concerned only with the second item.

Part of the problem is that most RSS feeders seem to all fetch their feeds every hour on the hour, meaning you get hit by everybody at the same time. The other part of the problem is that many readers don’t check to see if the feed has been updated since the last download and instead just download the whole thing again. To get the most from your RSS, there are two things you should do. The first is to make sure your server uses Gzip compression like mod_gzip or mod_deflate. This will compress the XML to a fraction of its former size, which will drastically reduce bandwidth and increase download speed for your users. Those Apache modules will not just improve your RSS feeds, they will improve all text based transfers (like HTML, JavaScript, CSS etc).

The second thing is to ensure your feeds support “conditional GET”, which basically ensures that a feed isn’t downloaded again if it hasn’t changed since the last download. Many blogs now support conditional GET, so you should check to make sure yours does also. A good choice of blog that supports both Gzip and conditional GET is WordPress, but it certainly isn’t the only one. By following the above steps, you can significantly reduce your own bandwidth bills, and also give your users a faster, more pleasant experience. To check if your feed or site is using Gzip compression, you can run it through this handy tester. To help lower your peak bandwidth, you should also encourage your users to set their readers to update feeds at random times but set intervals, so that they spread the load over the full hour rather than all fetching the feeds on the hour.
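
The two measures described above, Gzip compression and conditional GET, combined in one feed handler. This is an added example, not code from the original post or from WordPress or Apache; `serve_feed`, `accepts_gzip` and the sample feed are hypothetical names and constructed data.

```python
import gzip
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample data: a 20-item feed and its last-change time (UTC).
SAMPLE_FEED = ("<rss version='2.0'><channel><title>Example</title>" + "".join(
    "<item><title>Post %d</title><link>http://example.com/%d</link></item>" % (i, i)
    for i in range(20)) + "</channel></rss>").encode()
SAMPLE_MODIFIED = datetime(2005, 4, 2, 12, 0, 0, tzinfo=timezone.utc)


def accepts_gzip(value):
    """True if an Accept-Encoding header value lists gzip without q=0."""
    for part in value.split(","):
        name, _, params = part.strip().partition(";")
        if name.strip().lower() == "gzip":
            return params.replace(" ", "") not in ("q=0", "q=0.0")
    return False


def serve_feed(req, feed, modified):
    """Return (status, headers, body). req maps lower-cased header names to values."""
    use_gzip = accepts_gzip(req.get("accept-encoding", ""))
    # The validator names the bytes actually sent, so the gzip variant gets its own tag.
    etag = '"%s%s"' % (hashlib.sha256(feed).hexdigest()[:16], "-gzip" if use_gzip else "")
    headers = {"ETag": etag, "Vary": "Accept-Encoding",
               "Last-Modified": format_datetime(modified, usegmt=True)}
    unchanged = False
    if "if-none-match" in req:
        # If-None-Match takes precedence over If-Modified-Since when both are sent.
        sent = [t.strip() for t in req["if-none-match"].split(",")]
        unchanged = "*" in sent or etag in [t[2:] if t.startswith("W/") else t for t in sent]
    elif "if-modified-since" in req:
        try:
            since = parsedate_to_datetime(req["if-modified-since"])
            unchanged = modified.replace(microsecond=0) <= since
        except (TypeError, ValueError):
            unchanged = False  # unparseable or zone-less date: send the full feed
    if unchanged:
        return 304, headers, b""  # headers only, no feed body
    body = gzip.compress(feed) if use_gzip else feed
    if use_gzip:
        headers["Content-Encoding"] = "gzip"
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    status, hdrs, body = serve_feed({"accept-encoding": "gzip"}, SAMPLE_FEED, SAMPLE_MODIFIED)
    print(status, len(SAMPLE_FEED), "->", len(body), "bytes")
    again = {"accept-encoding": "gzip", "if-none-match": hdrs["ETag"]}
    print(serve_feed(again, SAMPLE_FEED, SAMPLE_MODIFIED)[0])
```

A reader that stores the `ETag` or `Last-Modified` value from one fetch and sends it back on the next receives a bodiless 304 until the feed actually changes.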

Comments Off on RSS compression is becoming important.






