New Firefox security technology blocks Web attacks, Mozilla claims

Mozilla has released a test build of Firefox that adds new technology designed to stymie most Web-based attacks, the browser maker said Sunday. The technology, dubbed "Content Security Policy" (CSP), is a Mozilla-initiated specification targeted at Web site and application developers, who will be able to define which content on the site or in the online application is legitimate. That would block any script or malicious code that's been added by hackers who manage to compromise the site or app. Such attacks are generally tagged with the label of cross-site scripting (XSS). Preview editions of Firefox are available for developers to try out, said Mozilla in an announcement last week.

"This isn't a single trick that's meant to counter a single kind of attack," said Johnathan Nightingale, the manager of the Firefox front-end development team. "This helps sites solve cross-site scripting, but it's more than that."

Firefox is passing the baton to site and application developers, who will be able to separate the legitimate from the illicit content. With CSP in place, Firefox will allow the former but will automatically block the latter.

"It is in some ways similar to NoScript," said Brandon Sterne, Mozilla's security program manager, referring to the popular Firefox add-on that blocks JavaScript, Java, Flash and other plug-ins often abused by hackers. "The main difference is that the Web site itself is determining the policy. NoScript is a great tool, but a large number of Web users are not sophisticated enough to manage the kind of decisions it requires."

Nightingale and Sterne have pinned high hopes on CSP, which grew out of an idea first put forward by security researcher Robert "rsnake" Hansen in 2005. Last year, Hansen, the CEO of SecTheory, and Jeremiah Grossman, chief technology officer at WhiteHat Security, made headlines when they revealed details about how browsers were vulnerable to so-called "clickjacking" attacks.

"Absolutely, this will drive a stake through the heart of cross-site scripting attacks," argued Sterne. "An attacker injects some script that harms the users of that site, that encompasses content injection. Out of the box, CSP [lets sites send] signals to the browser that says, 'We're gonna turn off everything by default.' They now have a way to shut everything dynamic off, so that no matter what content gets added to a site, if it's on the page and they've sent us policy instructions in its header, we shut it down. Cross-site scripting will be neutered at that point."

But Nightingale and Sterne realize that, even with nearly a quarter of the world's Internet users running Firefox, Mozilla faces a tough road if it's the only browser maker pushing CSP. "Both the Internet Explorer and Chrome teams have contributed to the design discussions of the specification," said Sterne. "They have some tentative interest in implementing it at some point in the future."

Earlier this year, Eric Lawrence, a program manager on Microsoft's Internet Explorer (IE) team, called CSP "a good idea" and "a promising approach" in a pair of entries on the official IE blog, but did not commit Microsoft to supporting the technology. "It's great to see that others are taking this threat seriously, as well," said Sterne. Google, the maker of Chrome, was not available over the weekend, but the company has previously said it generally doesn't comment on future product development.
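The mechanism Sterne describes, a policy sent in a response header that the browser then enforces against every script, image or stylesheet the page tries to load, can be shown with a small policy evaluator. The block below is an added illustration written for this page; it is not Mozilla's code and models no Firefox internals. It uses the directive names that were later standardized under the Content-Security-Policy header (default-src, script-src, img-src, 'self', 'unsafe-inline'); the preview build discussed in the article used Mozilla's earlier draft syntax, sent as an X-Content-Security-Policy header whose catch-all directive was called allow. The page origin https://www.example.com and the hosts cdn.example.com, attacker.example and images.example.net are assumptions for the walkthrough. It goes beyond the article's single example to the whole source-expression grammar: keyword sources, scheme sources, and host sources with wildcard subdomains.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when the policy omits them.
FETCH_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src",
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value: str) -> dict:
    """Turn 'directive src src; directive src' into {directive: [source expressions]}."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def _origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in; used for 'self' matching."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one source expression permit fetching `url` from a page at `page_origin`?"""
    if source in ("'none'", "'unsafe-inline'", "'unsafe-eval'"):
        return False                      # keywords that never match a URL
    if source == "*":
        return True
    if source == "'self'":
        return _origin(url) == _origin(page_origin)
    scheme, host, port = _origin(url)
    if source.endswith(":") and "/" not in source:
        return scheme == source[:-1].lower()   # scheme source, e.g. https:
    # Host source: [scheme://]host[:port]; a leading "*." matches any subdomain.
    if "://" in source:
        src_scheme, _, hostport = source.partition("://")
        if scheme != src_scheme.lower():
            return False
    else:
        hostport = source
    src_host, _, src_port = hostport.partition(":")
    if src_port and str(port) != src_port:
        return False
    src_host = src_host.lower()
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def allows(policy: dict, directive: str, url: str = None,
           page_origin: str = None, inline: bool = False) -> bool:
    """Decide one load under `policy`; inline=True models an inline <script> or on* handler."""
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src")
    if sources is None:
        return True                       # policy is silent on this content type
    if inline:
        return "'unsafe-inline'" in sources   # the one source that keeps injected script alive
    if "'none'" in sources:
        return False
    return any(source_allows(src, url, page_origin) for src in sources)


# Assumed site and policy for the walkthrough (constructed, not from the article).
PAGE_ORIGIN = "https://www.example.com"
POLICY_HEADER = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *"


def demo() -> dict:
    """Which loads the browser would allow (True) or block (False) under POLICY_HEADER."""
    policy = parse_policy(POLICY_HEADER)
    return {
        "site's own script":      allows(policy, "script-src", PAGE_ORIGIN + "/app.js", PAGE_ORIGIN),
        "whitelisted CDN script": allows(policy, "script-src", "https://cdn.example.com/lib.js", PAGE_ORIGIN),
        "injected remote script": allows(policy, "script-src", "https://attacker.example/x.js", PAGE_ORIGIN),
        "injected inline script": allows(policy, "script-src", inline=True),
        "third-party image":      allows(policy, "img-src", "https://images.example.net/a.png", PAGE_ORIGIN),
        "CDN stylesheet":         allows(policy, "style-src", "https://cdn.example.com/site.css", PAGE_ORIGIN),
    }


if __name__ == "__main__":
    for what, ok in demo().items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {what}")
```

Running the module prints one ALLOW/BLOCK line per case. The rows that matter for XSS are the two injected scripts: a script tag an attacker manages to insert into the page is blocked whether it points at attacker.example or is inline, because the policy lists no 'unsafe-inline' source, while the same policy still lets the site's own and CDN scripts run, which is the "allow the former, block the latter" split the article describes. The stylesheet row shows the fallback rule: with no style-src, the browser applies default-src 'self', so even the whitelisted CDN is refused for CSS. A policy with no default-src at all leaves every unlisted content type unrestricted, so a deployment that sets only img-src does nothing against script injection.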

Mozilla must also convince site and application developers that it's worth their while to use CSP. Nightingale and Sterne declined to name the sites that have expressed interest in using the technology. "The first step is for us to use it," said Nightingale, adding that Mozilla would turn one of its online properties into a guinea pig to show others that CSP is possible, and to iron out problems.

The pair was also vague about when CSP would debut in a production version of Firefox. The one thing they did say was that it wouldn't show up in the minor upgrade, Firefox 3.6, that's to ship in November. The first, and likely only, beta of Firefox 3.6 is slated to ship Oct. 13. "Whatever comes after 3.6, that's the earliest," said Sterne.

Mozilla isn't the only browser maker trying to protect users from cross-site scripting attacks. Microsoft, for example, added a cross-site scripting filter to IE8 that the company said would block most attacks.

Preview builds of Firefox with CSP enabled can be downloaded for Windows, Windows Mobile, Mac and Linux from Mozilla's server. Sterne has also posted a demonstration page that graphically shows how various scripts are blocked by the technology.

Citrix desktop virtualization push: any device, any location

Citrix on Monday said its latest desktop virtualization software will give users access to high-definition desktops from any location and from just about any device, including PCs, Macs, thin clients, laptops, netbooks and smartphones. Citrix is betting that Windows 7 will drive a new wave of desktop virtualization adoption, and is releasing XenDesktop version 4 to take advantage of these expected new users.

"Traditional PCs were designed for a very different world," Raj Dhingra, XenDesktop general manager, said during a press conference Monday. "Today, the world is flat and small. We need to work in entirely different ways than before. A traditional PC that is locked to an office or a laptop is too confining."

Citrix hinted at its all-devices strategy earlier this year when it brought virtual desktops and applications to the iPhone. Now it says XenDesktop with its accompanying FlexCast delivery technology is Citrix's first product "to support every major desktop virtualization model in a single, integrated solution." The latest version offers a range of server- and client-side virtualization options, including offline desktops hosted in local virtual machines; desktops hosted on blade PCs; hosted desktops based in virtualized servers; and hosted shared desktops.

Citrix said XenDesktop will support high-definition graphics for all users with its HDX technology, which has been improved with support for Flash multimedia, 3D graphics, webcams and VoIP, with optimized delivery to branch offices over WANs. Citrix claims that HDX requires 90% less bandwidth than competing technologies.

XenDesktop 4 will be generally available Nov. 16 for prices ranging from $75 to $350 per user. Customers using XenApp, Citrix's application virtualization technology, will be able to trade up to XenDesktop with discounts of up to 80%. Citrix is also enabling centralized management of virtual desktops and applications by integrating XenApp with XenDesktop, the company said.

The desktop virtualization market has lots of room for growth. Fewer than 10% of data centers worldwide have virtualized desktops, according to ITIC lead analyst Laura DiDio. Thirty-one percent of customers plan to virtualize in 2010, according to an ITIC poll of 400 corporations. Citrix, Microsoft and VMware are all going after the virtual desktop market, although surveys show mixed results when comparing the vendors. According to ITIC, 41% of companies using desktop virtualization went with Citrix, compared to 28% for Microsoft and 16% for VMware. But when measuring by deployed seats, VMware has about a two-to-one lead over Citrix, according to Burton Group analyst Chris Wolf.

Citrix said XenDesktop 4 contains 70 new features to enhance performance and security. But the key is delivering the right type of desktop based on users' varying needs, the company said. For example, task workers who share a similar set of applications may be best served by a shared, server-based virtual desktop, Citrix said. "This model gives each user a standardized, locked-down desktop ideally suited for jobs where user customization is not needed or desired," Citrix said. As many as 500 users can be accommodated by a single server in this model, according to Citrix.

By contrast, office workers who need more personalized desktops may be best served by a virtual desktop infrastructure model in which each desktop is a dedicated virtual machine. This model supports about 60 to 70 desktops per server, according to Citrix. Blade PCs in the data center are ideal for delivering high-end applications to "power users," Citrix said. Another option lets companies stream desktops to each user's device, which lets the user device run the desktop locally while letting administrators centrally manage the operating system, applications and data. The virtual applications can run offline, making them popular with mobile users, the company said.

But for companies just starting out with virtualization, the simplest option may be to deliver virtual applications to traditional PCs, Citrix said. "By centralizing apps and delivering them as an on-demand service to existing desktops, this option offers many of the ROI and management benefits of a fully virtualized desktop with minimal setup costs, making it an ideal starting point for customers new to desktop virtualization," Citrix said in its XenDesktop announcement.

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin

OpenDNS: Forget free. We want paying customers

Free isn't all it's cracked up to be. At least, that's the view of free DNS service provider OpenDNS, which is unveiling on Monday a suite of paid services targeted at enterprise customers.

The idea that the best price is zero is gaining popularity, thanks to the high-tech tome "Free: The Future of a Radical Price." Author Chris Anderson makes a compelling argument that freebies and giveaways attract customers, especially on the Internet. But with its announcement Monday, OpenDNS makes clear that its plan is to migrate from free consumer-oriented DNS services toward paid, profit-making products used on enterprise networks.

"Our plan is to transition into the enterprise following the Google model," says David Ulevitch, founder and CTO of OpenDNS. "Google did this with Gmail. First they had Gmail, then they had Gmail for pay, and now they have a complete office suite, Google Apps. Our evolution is similar. We have a free consumer service. We invented and pioneered the idea of DNS with integrated security. Now we're turning that into a paid enterprise service."

OpenDNS is a venture-funded start-up with 15 million users of its free recursive DNS service. These users include consumers, schools and some businesses, which use OpenDNS to allow their employees to browse the Web. OpenDNS says it is handling more than 17 billion DNS queries per day with this service. One advantage of OpenDNS is that it bundles Web content filtering with its DNS service. OpenDNS also operates PhishTank.com, a community site that fights phishing.

OpenDNS makes money by selling ads for its re-direction service. Users of the free OpenDNS service view advertisements when they type in the wrong Web address. Now OpenDNS is selling an ad-free version called OpenDNS Deluxe, which is geared toward small businesses. OpenDNS also is announcing OpenDNS Enterprise, which provides more comprehensive Web filtering, auditing and reporting features, 24/7 support and service-level agreements.

Ulevitch says OpenDNS Deluxe and OpenDNS Enterprise are more cost-effective for companies than running separate DNS and Web content filtering software from vendors such as Websense. Another advantage is that these premium services don't require customers to purchase or install appliances, as some rival DNS and Web filtering companies do. "We don't do everything that Websense does," Ulevitch admits. But he says that OpenDNS offers the most popular features of a product like Websense, including the ability to block adult content and 50 other categories of Web sites. "We do 70% of the things that Websense does that people care about," he adds.

Ulevitch says OpenDNS has 25 businesses using its premium paid services. These paying customers include The Coffee Bean & Tea Leaf, a retail chain that offers in-store Wi-Fi and uses OpenDNS to support Web browsing and to block adult content. "These retail chains want to monitor sites, but it's not reasonable for them to put a security device in every store," Ulevitch says. "Now they have granular control, and they don't have appliances, which is a huge savings. They are growing fast, and they want to have one Web-based dashboard so they can block certain sites to all their stores. They don't want to show ads, and they are willing to pay for professional support."

OpenDNS says the new premium paid services for enterprise customers are available under an early access program, with general availability expected in the fourth quarter of 2009.

Free recursive DNS services such as OpenDNS and DNS Advantage Service from rival Neustar UltraDNS are gaining in popularity among corporate customers. Neustar UltraDNS says it is handling between 3 billion and 5 billion DNS queries a day through its free DNS Advantage service. However, Neustar UltraDNS derives most of its revenue from selling managed external DNS services to enterprises and e-commerce sites such as J.Jill and Diamond.com.

DNS Advantage "does obviously generate additional business for our managed DNS service," says Rodney Joffe, senior vice president and senior technologist at Neustar. "But companies are looking for a DNS solution that deals with phishing and pharming and malware … Some of our customers want DNS Advantage, and some of our customers already have DNS appliances in their network."

Joffe says DNS is so critical to corporate networks these days that customers care more about performance than about price, be it free or paid. "The kinds of customers we have had for 10 years don't come to us because they are trying to save a buck. They may in the beginning, but they are staying with us because we run an enterprise-level service infrastructure," Joffe adds. "These tend to be customers for whom DNS is critical."

DNS Advantage doesn't include Web filtering like OpenDNS Enterprise, but Joffe says this feature will be available in the first half of next year. Joffe says having companies like OpenDNS enter the enterprise space with outsourced DNS services helps validate the niche. "We've been the major provider for quite a while," Joffe says. "There's definitely a market."

AT&T to offer remote PC repairs without system booting

AT&T is upgrading its remote PC repair service so that technicians can resolve issues without the customer fully booting the computer, the company said on Thursday. Technicians from AT&T's Tech Support 360 service were previously able to remotely fix customers' PC problems only when the operating system was loaded and a browser session was running, said Ebrahim Keshavarz, vice president of business development at AT&T, during a conference call. With the upgraded service, PC problems can be solved even when the system cannot be booted due to hardware problems or OS failure.

"There are times when you cannot get a functioning browser to connect to the Internet," Keshavarz said. To enable that capability, AT&T is adopting Intel's Remote PC Assist Technology for the service. Users need to enter a specific keystroke sequence to connect the failed PC over the Internet with AT&T technicians. The capability allows technicians to fix more PC problems than was previously possible. For example, technicians will now be able to fix hardware-level issues like a corrupted BIOS, as well as reset system passwords, repair and update network card drivers, and remove malware more effectively, Keshavarz said.

AT&T launched Tech Support 360 in 2008 as a service to remotely solve PC problems, including software, hardware and peripheral issues, for small and medium-size businesses. For example, it troubleshoots Windows OS issues and hardware problems like faulty hard drives and wireless networking configurations. It can also solve malware problems on PCs. Monthly subscriptions will start at US$19 per month, Keshavarz said. If a remote technician is unable to solve a problem, AT&T will dispatch technicians on site at an extra charge.

The remote support technology is a part of Intel's vPro hardware and software management for PCs mainly used in business environments. AT&T will begin offering the service in the first half of next year.

However, there are certain limitations attached to AT&T's upgraded service. The pre-boot support service won't work on PCs with chips from Advanced Micro Devices, as the underlying technology is based on Intel's vPro technology. The service also won't work on Apple's Macintosh systems. Right now only desktops support Intel's vPro remote support technology, but it is expected to reach laptops soon, said David Tuhy, general manager of the business client group at Intel. Tuhy said that the technology will be available with laptops based on Intel's Calpella platform, which will include a set of processors based on the Nehalem microarchitecture. Intel has said it would reveal details about the first chip belonging to the Calpella platform, code-named Clarksfield, next week at the Intel Developer Forum.

DOJ expands review of planned Microsoft-Yahoo agreement

The U.S. Department of Justice has asked Microsoft Corp. and Yahoo Inc. to hand over more information regarding their proposed search partnership. A Microsoft spokesman confirmed in an e-mail to Computerworld today that the DOJ requested additional information, but added that it came as no surprise. "As expected, we received an additional request for information about the agreement earlier this week," wrote the spokesman, Jack Evans. "When the deal was announced, we said we anticipated a close review of the agreement given its scope, and we continue to be hopeful that it will close early next year." Evans declined to disclose exactly what information the DOJ is looking for.

Nina Blackwell, a spokeswoman for Yahoo, said both companies are cooperating with federal regulators. "[We] firmly believe that the information [we] will be providing will confirm that this deal is not only good for both companies, but it is also good for advertisers, good for publishers, and good for consumers," she added.

Microsoft and Yahoo announced late in July that they had finalized negotiations on a deal that will have Microsoft's Bing search engine powering Yahoo's sites, while Yahoo sells premium search advertising services for both companies. The partnership, which was a year-and-a-half in the making, is aimed at enabling the companies to take on search behemoth Google as a united force. Microsoft officials contend that the deal with Yahoo will improve competition in the search market.

Matthew Cantor, a partner at Constantine Cannon LLP in New York and an experienced antitrust litigator, disagrees. Cantor said last month that when Yahoo's own search tool disappears, only two major search engines will remain: Google and Microsoft's Bing. He argues that since Yahoo will cease being a competitor in the search market, the DOJ is likely to say the Microsoft/Yahoo partnership is anticompetitive.

In an interview today, Cantor applauded the DOJ's request for more information. "Most deals clear without a request for additional information. This is not run-of-the-mill," said Cantor. "The government believes there are potential antitrust concerns raised here. They would only request additional information if there was some kind of presumption that the deal will cause antitrust effects." Cantor added that he thinks it could take months for Microsoft and Yahoo to pull this new information together, perhaps until the end of this year. Nonetheless, Blackwell told Computerworld that Yahoo is still hopeful the deal will close early next year.

Oracle breaks silence on Sun plans in ad

Oracle Corp. ended its silence Thursday on its post-merger plans for Sun Microsystems Inc.'s Unix systems in an advertisement aimed at Sun customers to keep them from leaving the Sparc and Solaris platforms. Ever since Oracle announced in April its plans to acquire Sun, its competitors, notably IBM and Hewlett-Packard Co., have been relentlessly pursuing Sun's core customer base, its Sparc and Solaris users. Oracle's ad to "Sun customers" makes a number of promises, including spending more "than Sun does now" on developing Sparc and Solaris, as well as boosting service and support by having "more than twice as many hardware specialists than Sun does now."

Analysts see Oracle's ad as a defensive move that doesn't answer some of the big questions ahead of the $7.4 billion merger with Sun. Oracle wanted the acquisition completed by now, but the European Commission this month said it would delay its antitrust review because of "serious concerns" about its impact on the database market. Europe is allowing until mid-January to sort this out, which keeps the merger in limbo for another quarter. Among the top hardware makers, Sun registered the biggest decline in server revenue in the second quarter, offering evidence that this protracted merger may be eroding Sun's value.

Taken at face value, the ad seems to indicate that Oracle will keep Sun's hardware and microprocessor capability and not spin it off, as some analysts believe possible. In fact, there may be a lot of room for skepticism and parsing of Oracle's claims, despite their apparent black-and-white assertions. Analysts point out that Oracle's plans to spend more "than Sun does now" may be a little hollow because Sun's spending on developing Sparc and Solaris is probably at a low.

"The ad sounds convincing - but perhaps being a word nitpicker, the 'Sun does now' might not mean much if Sun has drastically cut back due to plummeting sales," Rich Partridge, an analyst at Ideas International Ltd., said in an e-mail.

"I think someone at Oracle suddenly realized that Sun was bleeding so badly that what would be left when Oracle finally got control would be worth a small fraction of what they paid and no one would buy the hardware unit," Rob Enderle, an independent analyst, said in an e-mail. But Enderle said the ad's claims do not preclude Oracle from selling its hardware division, and says the company "will have to support the unit for a short time after taking control; during that short time they can easily outspend Sun's nearly non-existent budgets."

Gordon Haff, an analyst at Illuminata Inc., said if it was Oracle's plan to start on day one of the merger to shop the Sparc processor around, "would they have put this ad out? Probably not," he said. "Does it preclude Oracle from changing their mind? No. Companies change their mind all the time." An erosion of Sun's customer base also hurts Oracle, because a lot of Sun customers are also Oracle customers, and Oracle doesn't want its existing customers to go to IBM and move away from Oracle's platform, Haff said.

Indeed, Oracle's major competitive concern was indicated in the ad in a quote by Oracle CEO Larry Ellison: "IBM, we're looking forward to competing with you in the hardware business."

At 40 years old, what's next for the Internet?

As the Internet hits 40 this week, it's not difficult to look back and see the changes it's brought to the world.

E-mail. Instant messaging. Buying and selling stocks online. Watching surgeries performed in real-time. All are now widespread activities thanks to the Internet.

The changes have been nothing less than astounding.

Businesses stay in touch with customers using Twitter and Facebook. CEOs are blogging about their companies and their daily activities. And move over presidential candidates and sports stars, now astronauts are Twittering from outer space.

Internet pioneer Leonard Kleinrock, one of the computer scientists at UCLA who on Sept. 2, 1969, created a network connection between two computers for the first time, said that while the Internet is turning 40, it's definitely not hitting middle age. In fact, far from it.

"The Internet has just reached its teenage years," Kleinrock said in an interview with Computerworld this week. "It's just beginning to flex its muscles. The fact that it's just gotten into its dark side - with spam and viruses and fraud - means that it's like an [unruly] teenager. That too will pass as it matures."

So if the Internet is just at the ground floor, what's next?

"We're clearly not through the evolutionary stage," said Rob Enderle, an analyst with the Enderle Group. "Clearly, it's going to be taking the world and the human race in a quite different direction. We just don't know what the direction is yet. It may save us. It may doom us. But it's certainly going to change us."

Marc Weber, founding curator of the Internet History Program at the Computer History Museum, agreed with Kleinrock that the Internet is still in its infancy. As it grows, the Internet is continually swallowing up other media.

"It's a mass medium that absorbs other mass media," he said. "We make telephone calls over the Web. We have the equivalent of postal mail in the form of email. You can watch TV over the Web. It's absorbing, in a sense, other media. Stuff that used to be separate keeps on getting added. What happens when you can do everything from your browser? Who knows what that will do to daily life."

Weber also noted that the Internet's increasing mobility will probably guide its growth through the next several decades.

"Think about when you're traveling," said Weber. The mobile Internet "will show you things about where you are. Information will become topical. Obviously, it'll be important for shopping, [for] connecting with people near you, [and getting] information related to where you are. Point your mobile phone at a billboard and you'll see more information. The mobile device is also going to become a mobile form of payment."

He added that he also is expecting to see more online collaboration, much like the Wikipedia process of gathering information. The online encyclopedia features articles written collaboratively by volunteers from around the globe.

More sites and applications, even those focused on news and blogging, could take advantage of the mobile Internet to become far more collaborative, according to Weber.

"Wikipedia works really well. That particular area has proven very powerful," he noted. "Blogging is great but you just have a whole bunch of scattered blogs with no central place and no interaction. [Think of] the power of really collaborative media with everybody adding their little dab of paint to the same painting. Make journalism a big synergy of effort."

For Sean Koehl, technology evangelist for Intel Labs, the future of the Internet has a much more three-dimensional look.

"What's going to happen when you bring the visual experiences you can get in a modern game to the Internet?" asked Koehl. "It really has been mostly text-based since its inception. There's been some graphics on Web pages and animation, but bringing life-like 3D environments onto the Web really is only beginning. We're really excited about transitioning from a 2D Web to a 3D Web."

It's all about making your online life more like your real life, according to Koehl.

For instance, he foresees a time when online shoppers will scan their bodies to create life-like online models. That way they can go into 3D dressing rooms in an online store and actually see how the clothes would look on their body.

He also said people could use these 3D images of themselves in conjunction with a realistic 3D setup of a family house or favorite restaurant to hold online family reunions.

"Some of it is already happening ... though the technical capabilities are a little bit basic right now," said Koehl. "You need to be able to share a distributed environment. In the next three to five years, the capabilities of the basic worlds are going to be a lot better. You'll start to have a 3D world that will start to look pretty realistic."