In need of an urgent Firefox fix
By Davey Winder in Editorial
Posted in Blog, Firefox, Security on
With the publication of drive by download attack code this week which impacts Firefox security on all platforms by exploiting an unpatched and critical flaw in the browser, and the successful hacking of the Firefox client (as well as IE8 and Safari) at the CanSecWest PWN2OWN competition, you might be getting a little concerned that the ‘more secure than Internet Explorer’ choice isn’t, perhaps, so secure after all.
It’s somewhat annoying that the exploit code was published yesterday, before Mozilla had actually released a patch, giving the bad guys time to modify it and attempt to get malicious software onto end user machines as a result. However, the underlying vulnerability, known officially as Bug 485217 - or, if you are a real glutton for punishment, the ‘Exploitable crash in xMozillaXSLTProcessor::TransformToDoc’ bug - which according to Bugzilla allows “Exploit code at the link iframes a little xml file with an xslt transform that causes a crash reliably on 3.0 branch and trunk”, is to be fixed with the release of Firefox 3.0.8.
Luckily there is not long to wait for the update; it is due to roll out at the start of next week thanks to it now being flagged as a high priority security update.
Unluckily, there is no word yet of a fix for the PWN2OWN vulnerability, and anyway a week is a hell of a long time in the world of the malware hacker.
Maybe Google Chrome is a more secure browser bet after all?
Take that to the Open Source bank
By Davey Winder in Editorial
Posted in Business, Blog, hardware on
Think open source and you might think many things, but I doubt very much that banking will be towards the top of the list or even on the radar for that matter. Yet the concept of a hacker bank to fund open source projects is exactly what has come out of discussions between a couple of open source hardware nuts, Justin Huynh and Matt Stack, who have now started the Open Source Hardware Central Bank.
Think of this as the ‘Bank of P2P’ and you will not be far wrong; peer-to-peer financing for open source projects, drawing funds from groups of people with a passionate shared interest that means the project is more important than some sterile big bucks business plan.
The Open Source Hardware Central Bank has come about due to the difficulties of getting traditional lenders, even those who ‘get’ the open source software movement to understand how open source can translate to hardware. Matt Stack explains it as open source software being made with time whereas hardware needs both time and money. According to Matt, while the principles of an open source software time economy translate easily to an open source hardware one, the same is not true of the OSHW money economy. “Just try to answer any of these questions” Matt suggests “who makes money from it, who funds it, why do they fund it, and who’s helping to make it sustainable for the community?”
Which makes it difficult for like minded folk to get together and build a successful hardware project without getting into some serious personal debt. So why not take the venture capital route like any other start-up might? Because, Matt argues, if he is devoting time and money to a project that is then given away for the benefit of the community he wants to know that “the community is reaping as close to 100% of the benefits.”
Which is where the Open Source Hardware Bank comes in, with principles that ensure there is a mechanism to reduce margins and share costs for the community, minimise risk, give rewards and profits back to those who contributed and allow for the distribution of low quantity and non-scalable products. It hopes to enable people to invest not just to profit from the work of others but because they want to help build a sustainable system of hardware innovation. The bank will provide a sustainable if modest return of 5 to 10 percent on investment, and will fund the build of twice the quantity of any OSH product. Find 10 buyers and the bank will fund the building of 10 more products to double the potential in total. The more you build the cheaper it becomes.
Of course, this will also be an open source bank in the true spirit of the term and will run fully transparently courtesy of being wiki based. Unfortunately it could be pretty much all over before it starts if the experiences of other peer-to-peer banks are anything to go by. Anyone recall ‘Prosper’, which was closed down after three years for failing to register with US Securities and Exchange Commission regulators? Here’s hoping the guys behind the OSHCP can get around the regulatory issues and make a success of this interesting new fork in open source development.
Google Chrome stands alone at PWN2OWN
By Davey Winder in Editorial
Posted in Security, Firefox, Google, Internet, Microsoft, Apple on
Which web browser client is least at risk from hackers? If the PWN2OWN hacking competition is any measure of client security, then the clear winner was Google Chrome.
Of course, not everything is always as straightforward as it seems. And that is certainly the case when it comes to the annual PWN2OWN hacking championships that are run during the CanSecWest security conference. Standard PCs and Macs running default OS installations are used, loaded up with fully patched and current versions of the target software and no additional plug-ins to help the hackers. The rules seem pretty simple: hack the app as quickly as possible, with code execution as a requirement.
First of the web browsers to fall was Apple Safari running on a MacBook which lasted between 5 and 10 seconds in total. Charlie Miller managed to ‘own’ it by exploiting a previously unknown vulnerability and then simply clicking on a malicious URL. He proved to the judges that as a result of the remote code execution he had full control over the Mac.
Next was, perhaps a little surprisingly, Internet Explorer 8. A German chap known only as Nils managed to exploit a new vulnerability in IE8, running on a recent build of Windows 7. Someone who was no doubt surprised would be the main Internet Explorer 8 man at Microsoft, Dean Hachamovitch, who gave his keynote at the Las Vegas Mix 09 conference to launch the public release of IE8 just a few hours later, proclaiming that the browser had been engineered to withstand evolving attack methods used by hackers. Oh dear. Nils, meanwhile, went back to the keyboard and then managed to successfully hack the Firefox browser client as well.
Two bits of good news did emerge from all this though. Firstly, these new vulnerabilities will not remain exploitable for long; indeed Microsoft are said to have already fixed the IE8 one and the patch is likely to roll out real soon now. This is courtesy of the competition sponsors, TippingPoint, who pay the winning hackers a cash prize which also buys them the rights to the vulnerability details and exploit code, which are immediately passed over to the vendors concerned.
Secondly, the competition did seem to prove one thing: if you want the most secure of the mainstream web browser clients then Google Chrome would appear to be the way to go. During the course of the competition it remained, it would seem, unhackable. Safari hacking supremo Charlie Miller did manage to find a vulnerability, but unlike previous vulnerabilities Miller reports that he was unable to exploit this one thanks to the sandboxing and security features of Chrome.
Welcome to Cisco’s Project California
By Davey Winder in Editorial
Posted in Business, networks, Standards, Green IT, IBM, hardware, HP on
With apologies to The Eagles:
Cisco stood in the doorway; I heard the marketing yell
And I was thinking to myself, this could be heaven or this could be hell
Now that Cisco Systems has landed with both feet firmly in the server business with the launch of its Project California ‘Unified Computing System’ the big question is will it rock the competition?
Certainly the whole point is to try and top the data centre charts with a mix of networking and virtualisation beats that Cisco hopes will worry the likes of old rockers IBM and Hewlett-Packard. Talk by Cisco’s CEO of “25 percent or more of the data centre market” might, however, be a little premature.
Not that there is anything inherently wrong with the UCS concept, which brings together both Ethernet networks and Fibre Channel storage with a single 10 Gbit/s FCoE link, and so reduces cards and cabling while embedding a VMware co-developed virtualisation module in the switch for server hopping fun.
Tim Stammers, a senior analyst at Ovum, reckons that Cisco’s move could “signal a milestone in the convergence of computing and networking.” According to Stammers businesses will want to buy their unified management systems from one supplier rather than stitching it together from multiple sources, which puts Cisco in a strong position. “Alongside the servers” Stammers explains “Cisco is also promising networking gear that it says will simplify connections to racks of virtualised blade servers.” Which could, in effect, mean Cisco server blades in the Nexus switch, eliminating complex I/O protocols between server application and network transport layers.
The small matter of competition is also something that Cisco might not need be as worried about as some, generally speaking the competition itself it has to be said, are claiming. After all, Cisco is already in competition with HP and IBM on the networking front. While HP has a small share of the high-end data centre networking market (Procurve switches) and IBM partners with Juniper, Cisco pretty much owns the data centre network side of things. “That” Stammers insists “highlights Cisco’s huge strength in a coming unified market.”
Of course, the question remains as to whether a networking giant such as Cisco can become a systems management player. But then again, on the flipside, server and systems suppliers need to become networking management specialists in order to survive in this new space.
There will be an avenue of opportunity as the Cisco market stalls, waiting for industry standards ratification for the FCoE protocol, but that is expected to close by the start of the summer. Which happily coincides with the scheduled release dates for the new Cisco blade server family of course.
As The Eagles sang: “They gathered for the feast, They stab it with their steely knives, But they just can’t kill the beast.” Which just might sum up the problems IBM and HP face in dealing with Cisco over the coming year.
IWOOT: the battery that recharges in seconds
By Davey Winder in Editorial
Ever had a geeky dream where your lithium-ion batteries did not take hours to recharge but rather did so from completely flat to fantastically full in a matter of seconds instead? No, me neither. However, in the real world it seems that the geeks at the Massachusetts Institute of Technology have not only been dreaming of such a thing but have only gone and invented one.
Not only does the prototype battery, developed by MIT professor of materials Gerbrand Cedar, charge in seconds but it can discharge really quickly as well. Which is actually handier than it sounds, depending upon the application. Rapid power bursts are a good thing if you want to fire a laser weapon or drive an electric car really quickly. Of course, when it comes to laptops you don’t really need that kind of power injection but a lithium-ion battery that can charge in just twenty seconds, yes you read that right, is pretty much in wet dream territory for any serious mobile worker.
According to reports it seems that the new batteries are made possible by the cunning use of lithium iron phosphate that allows ions and electrodes to move around much more quickly.
It’s not all good news though. Prof Cedar admits that while the fast recharging side of things sounds attractive for laptop and mobile phone users, it would take a very expensive battery charger indeed. Which is a shame, because lithium iron phosphate is pretty immune to overheating, which could save us from those ‘iPod set my pants on fire’ or ‘my laptop is burning my privates’ moments.
The Internet is Evil: Google Edition
By Davey Winder in Editorial
Posted in Blog, Security, Google, Internet on
During the course of the last few weeks the lazier corners of the media have been having something of a field day in playing the ‘Internet is Evil’ game. Well, to be precise, a variation of the classic which is known as the ‘Internet is Evil: Google Edition.’
The basic rules are the same as always, namely finding some current news story and running off a knee jerk reaction to it which builds a predictably rickety case for why the Internet is to blame, is evil and as a consequence should be censored, filtered or banned. So when tragedy hits and a child is abducted, the Internet is at fault because it creates all the paedophiles, gives them a place to plan abductions, provides step by step instructions on abuse and helps them evade the long arm of the law. All nonsense, but a top scoring strategy when playing the Internet is Evil game nonetheless.
So it came as no surprise following the recent Mumbai massacre that the Internet should take the blame once again. However, this being the Google Edition, that would not score many points per se. So instead we read reports suggesting that the terrorists who perpetrated the atrocity did so with the help of Google Earth, using it to plot their precise routes prior to the actual attack. Of course, the truth of the matter is that you could just as easily lay the blame at any number of printed tourist maps which also showed the precise locations of the hotels, railway station and restaurant targeted by the terrorists, but I guess that does not provide the same level of smug satisfaction that can be gained from wagging fingers in the direction of Google.
The latest to join in this particular game variant would appear to be a state legislator from California, one Joel Anderson, who is trying to get a bill passed that would make it illegal for numerous facilities to be shown in focus within digital mapping applications. Bill AB 255 wants to blur everything from churches and mosques, to schools and hospitals, as well as government buildings of course, and all in the name of the fight against terror.
The irony of this particular move being that Bill AB 255 would, if in some bizarre loss of all common sense it managed to pass into law, only affect California. As tactics to defeat global terrorism go, this one would appear to be fatally flawed.
The 24GB RAM Desktop is born
By Davey Winder in Editorial
Posted in Business, Blog, hardware on
Now that’s what I call a cool machine, a desktop running with 24GB of RAM. Kingston Technology has showcased a desktop PC with a 24GB memory configuration running virtualisation applications in a video on YouTube. Wow! That’s a serious amount of memory for a desktop, comprising six 4GB DDR3 ValueRAM modules together with an Intel Core i7 920 CPU, a Gigabyte GA-EX58 UD5 motherboard and an Nvidia graphics card.
Mark Tekunoff, Senior Technology Manager, Kingston Technology, tells me that in order to demonstrate that the system was capable of running steadily, VMware Workstation was turned on, along with 9 VM clients running simultaneously. “Each virtual instance was then allocated about 2GB of memory” Tekunoff says, concluding “…a copy of Crysis was turned on in the last VM, the equivalent of 10 computers running on one desktop computer. A professional gamer obviously wouldn’t choose to play this way, but it was a great way to prove that the system worked perfectly!”
Amen to that brother.
PS. I want one. Now!