The innovation the industry talks about so much is bullshit, says Linus Torvalds

"The innovation the industry talks about so much is bullshit," he said. "Anybody can innovate. Don't do this big 'think different'... screw that. It's meaningless. Ninety-nine per cent of it is get the work done."

I encourage you to read the whole article at theregister.co.uk.

Is Android the New IBM PC Compatible?

(translated from the French article) 

Above is a map giving the date when, for the first time, country by country, web searches related to Android have exceeded those related to iPhones and iPads. The color key is on the left.
Grey means that it hasn't happened yet. White means there was not enough data (approx. 2% of world population).

For information, I made this map with The GIMP, based on graphs from Google Trends comparing the number of web searches containing the names of the various Android smartphones and tablets, iPhones and iPads. The map background is from www.histgeo.ac-aix-marseille.fr. All demographic data used below is from the CIA Fact Book.

First, some facts:

1. The trend is worldwide. It's not yet over but actually present everywhere: searches about Android do exceed those about Apple smartphones, showing a greater interest in the products based on the Google environment.
2. The date when the Google trend exceeds the Apple trend is an interesting criterion to be put on a world map, because it's highlighting clear patterns.
3. In terms of compared populations, thus in terms of potential markets, this is a major trend, as is showing the demographic count below.

Census :

• early adopters of Android (yellow and red) : 22.4%
• happy followers (green) : 11.1%
• followers (blue) : 27.2%
• laggards (grey) : 37.2%
• no data (white) : 2.1%

I can identify the following patterns:

• Mid-developed countries are the first to adopt. Look on the map: Central Europe, India, Indonesia, South America.
• Then come the other developing countries, especially Africa and former USSR.
• Developed countries are the laggards. West Europe, United States, South Africa, Japan, Australia.

With notable exceptions:

• Why is Germany among early adopters ? I think that the current actual economic success of Germany resides in its industrial relations with Central Europe. Such relations make that the interests are common and web searches follow.
• Same for France, dragging Morocco, Algeria and Tunisia towards Apple.
• Same for South America dragging Spain and Portugal towards Android.
• The following countries would need further explanations that I cannot provide: China, Myanmar, Thailand, Cambodia, Laos, Vietnam. I don't have the necessary knowledge about this region to make assumptions. I think that the reasons why China is late and the impacts of it would merit a whole article by themselves.

Starting from the following hypotheses about Android's most attractive features:

• The relative freedom of its environment.
• The low cost of tablets.
• The diversity of makers and vendors, thanks to Google's policy about it.

I deduce the following:

• There is a real mass market to be taken by Google in new developing countries.
• It's developing countries best interest to push a company that allows reuse, adaptation, competition and enhancement, rather than conforming to closed Apple platforms (thinks about the markets created by the IBM compatible PC in 1981).
• The diversity of actors and thinking heads in developing countries will ensure that Android soon becomes a more diverse and useful ecosystem than that of iOS or even that of Windows on PC or even than anything we have known so far (here again, think about the growth of the PC).
• The direct earnings from making and selling this ecosystem, added to the indirect gains related to just using a better ecosystem, will broadly influence the economies of those early adopters countries and the best among them will probably overtake West countries in terms of technological progress (think of how the US profited from the PC boom).
• Central Europe is certainly the best place to invest industrially right now. early adopters + relatively low costs + stable democracies + known and mastered history and management culture + availability of experienced West Europe managers if needed + European infrastructures + neighbourhood of West European markets + proximity of Turkey for even lower cost of manufacture if required.

Android est-il le nouveau PC compatible IBM ?

Ci-dessus une carte donnant la date à laquelle, pour la première fois, pays par pays, les recherches web concernant Android ont dépassé celles concernant iPad et iPhones. Se reporter à la colonne de gauche pour la légende. En gris les pays pour lesquels ce n'est pas encore arrivé.
En blanc ceux pour lesquels je ne disposais pas de données suffisantes (environ 2% de la population mondiale).

Pour info, j'ai fabriqué cette carte avec The GIMP à partir de graphes Google Trends comparant le nombre des recherches web contenant les noms des différents téléphones Android, iPhone et iPad. Le fond de carte vient de www.histgeo.ac-aix-marseille.fr. Les démographies que je compare ci-dessous sont issues du CIA Fact Book.

En premier lieu, quelques faits :

1. La tendance est mondiale. Elle n'est pas encore achevée mais bel et bien présente partout : les recherches concernant Android dépassent celles concernant les smartphones Apple, montrant un intérêt supérieur pour les produits à base d'OS Google.
2. La date à laquelle la "tendance Google" dépasse la "tendance Apple" est un critère intéressant à positionner sur une carte mondiale. En effet, elle met en valeur des motifs clairement identifiables.
3. En termes de masses de populations et donc en termes de marchés potentiels, cela n'a rien d'insignifiant, comme le prouve le compte démographique ci-dessous.

Compte démographique :

• early adopters d'Android (jaunes et rouges) : 22.4%
• happy followers (verts) : 11.1%
• followers (bleus) : 27.2%
• laggards (gris) : 37.2%
• no data (blanc) : 2.1%

 J'identifie les tendances suivantes :

• Les pays en bonne voie de développement sont les premiers à adopter. Voyez : Europe Centrale, Inde et Indonésie, Amérique du Sud.
• Puis viennent les autres pays en voie de développement, notamment Afrique et pays d'ancienne URSS.
• Les pays développés sont les retardataires. Voyez : Europe de l'Ouest, États-Unis, Afrique du Sud, Japon, Australie.

Avec toutefois des exceptions notables :

• Pourquoi l'Allemagne et l'Autriche sont-elles parmi les early adopters ? Je propose la véritable réussite allemande actuelle qui consiste à utiliser à plein profit la proximité avec l'Europe Centrale. Ainsi, les échanges sont tels que les préoccupations sont communes.
• Même chose pour la France et ses partenaires commerciaux majeurs, anciennes colonies, que sont le Maroc, l'Algérie et la Tunisie.
• Même chose pour l'Espagne et le Portugal, qui ont des préoccupations communes avec leurs rejetons géants d'Amérique du Sud.
• Reste à comprendre la zone Chine, Birmanie, Thaïlande, Cambodge, Laos, Vietnam. Je n'ai pas les connaissances nécessaires pour faire des hypothèses sur cette zone. Les tenants et les aboutissants de cet étonnant retard de la Chine mériteraient un article à eux seuls.

En partant du principe que trois des atouts d'Android sont :

• La relative liberté de son environnement.
• Le prix bas des tablettes.
• La diversité des fabricants et revendeurs, grâce à la politique Google sur ce sujet.

Je déduis les éléments suivants :

• qu'il y a un réel marché de masse à prendre par Google,
• que les pays en développement ont tout intérêt à appuyer un fabricant qui autorise la réutilisation, l'adaptation, la compétition et l'amélioration, plutôt que d'adopter les plateformes fermées d'Apple (pensez à la libération du compatible IBM en 1981),
• que la diversité des acteurs et le nombre de têtes pensantes dans ces pays vont bientôt faire d'Android un écosystème plus varié et plus utile qu'iOS, que Windows sur PC, voire que tout ce que nous avons connu jusque-là (là aussi, pensez essor du PC),
• que le gain direct lié à la fabrication et la commercialisation de cet écosystème, ajouté au gain indirect lié à l'utilisation de ce meilleur écosystème, vont largement influer sur l'économie des pays early adopters et que les meilleurs de ceux-ci vont rattraper ou dépasser les pays occidentaux en termes d'avance technologique (là encore, pensez essor du PC),
• que l'Europe Centrale est certainement le meilleur endroit pour investir à l'heure actuelle. early adopters + coûts assez bas + démocraties stables + historique et culture managériale connue + disponibilité de nombreux managers de l'ouest expérimentés à l'est + infrastructures européennes + proximité des marchés ouest-européens + proximité de la Turquie pour des coûts de main-d'œuvre plus bas si nécessaire.

Remarque agnostique sur Linux en entreprise

Pour avoir travaillé dans de nombreuses sociétés, il me semble évident que Linux représente une menace. Notez que je ne dis pas que c’est le choix de Linux qui représente une menace, car Linux n’est pas un choix. Linux est imposé par le marché. De plus en plus d’outils utilisent Linux, y compris des sociétés très respectables et des éditeurs de logiciels métier. Ce qui représente une menace, c’est le manque de réaction managériale face à l’arrivée de Linux.

Deux menaces principales existent :

• Le scénario de ne pas savoir intervenir en cas de panne, par faute de formation.
• Le scénario d’avoir tellement de Linux différents que l’on ne sait plus comment les gérer et que l’on multiplie les coûts.

Ces remarques s’étendent à Linux, à Mac OSX, aux BSD et aux autres sortes d’Unix.

Ma recommandation

Tout d’abord, cesser le déni et reconnaître que Linux est utilisé au sein de l'entreprise. Ensuite, accorder un crédit de temps *qui peut être de l’autoformation* à un ou plusieurs administrateurs système, pour se former à Linux.

Enfin, faire un certain nombre de choix concernant Linux, visant à éviter le chaos de la muliplication. Par exemple, le choix d’une ou deux distributions « supportées » par le service informatique et l’achat d’une suite logicielle permettant l’intégration des machines Linux aux outils centraux, y compris outils Microsoft.

Back on my 2010 security predictions

For an ITsec worker, every year comes with some pieces of satisfaction and a lot of frustration. For instance, you'll hear about rocket-science ITsec techniques and observe that your neighbour's techniques are more snail-like, ostrich-like or dodo-like :-(

I did a few predictions at the beginning of the year of what would happen in the ITsec field, let's see if they actually happened.
What I wrote back then is given in yellow and today's comment is in white.

1. Linux systems will become an interesting target for hackers because of Google's OS.
   The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
   Did not happen. There are traces of some attacks on Google's OS but nothing the depth of what happens on Windows. (so far)
   
2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
   It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
   Did not happen. But I hear Symantec is on the subject and it's quite promising.
3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
   Clearly did not happen, though there are a few examples of such viruses.
   
4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
   There will be a fashion for it and a lot of blunders will be made in the beginning.
   Happened. I saw many examples of considering fingerprints as a good means of authentication, which it often is not, and worst of all: some companies start relying on "private questions" to enable users self-resetting their passwords.
   
5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
   Certainly happened, though those companies will not make a failure report before they've withdrawn, which is no easy thing ^^ The funniest story I heard (nothing written, sorry) is that of a web development company whose managers decided to cloud infrastructure, thus turning Apache settings, PHP settings and so on into read-only, contractual, data.
   
6. There will be an overflow of non-browser software using SSL.
   Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
   Happened, even Microsoft got into the market.
   
7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
   Happened, see Day's comment on the original article: pleaserobme.com, a site that harvests Twitter to guess whose homes are empty and easy to rob. One could also quote personalized ads or so many articles on the web.
   
8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
   
   • The web is too huge for any current government to master it, or even understand it.
   • The free software community will sidestep any technical measure towards censorship.
   I don't know yet whether governments will fail, but the current wikileaks wars certainly are an example.
   
9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
   Did not happen, so far as I'm aware.
   
10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
    Did not happen, I just read too many people interested in that.
    

And now a few wishes:

• That people stop thinking I work on viruses when I say I work on ITsec.
  There's certainly some change, but I can't identify it so far. People seem to start being aware of the "information-side", as opposed to the "technology-side"...
  
• That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
  No change.
  
• That service managers start budgeting time for service reviews and corrections, not only service implementations.
  No particular change.
  
• That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
  They didn't, though they reacted by adding sandboxes to the software. Makes me think of old families that had many children to "avoid" child mortality...
  
• That my government stops being such a liberty killer about IT.
  Not happening before the next election...
  
• [...]
  
• That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
  I don't know whether my readers did consider this situation. Did you?
  

Security predictions for 2010 and a few wishes

As usual, nothing posted on this blog is related to my job at my employer. These are merely thoughts gathered from readings on the web and personal considerations.

(If you're wondering why I didn't post this in January, think that holidays spent in Sicily, Romania, Hungary and Serbia are worth being late. I really love the Carpathians.)

1. Linux systems will become an interesting target for hackers because of Google's OS.
   The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
   
2. Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
   It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
   
3. Viruses will spread to Mac and iPhones up to the same level as that under Windows.
4. Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
   There will be a fashion for it and a lot of blunders will be made in the beginning.
5. There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
6. There will be an overflow of non-browser software using SSL.
   Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
7. Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
8. Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
   
   • The web is too huge for any current government to master it, or even understand it.
   • The free software community will sidestep any technical measure towards censorship.
     
9. There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
10. PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.

And now a few wishes:

• That people stop thinking I work on viruses when I say I work on ITsec.
• That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
• That service managers start budgeting time for service reviews and corrections, not only service implementations.
• That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
• That my government stops being such a liberty killer about IT.
• [...]
  
• That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
  

Why Windows 7 will not crush Linux

Sorry, just a rant against a nonsensical piece "Why Windows 7 will crush Linux" from Ron Barret who, surprisingly, usually has good technical articles and a few interesting non-technical articles.

This one piece shows, very clearly, a lack of knowledge of how things work outside the Microsoft world. Let me comment point by point, before I make more general statements further down. Quotes are in italic.

Okay it is no secret that Linux has not been able to crack the desktop, either at the home or at the workplace. Not to ignored either is that Windows lost some desktops last year (a little over 3%),but let’s not panic just yet, Windows still owns over 88% of all the desktops according to leading research.

Why does Ron Barret concentrate on "crushing" Linux when he could attack the main marketshare grabber: Apple? Does he really think of panicking or is that just an expression?

[...]Windows 7 installs easier, has simpler configuration of user settings, greater availability of software, support (you could argue that all support is awful, which is probably true) Windows support is easier to get when you need help. Gaming, MP3’s,… I could go on and on.

• Windows 7 installs easier, but by the installation you get only the OS, not the office suite, the usual programs, the good media players, the image manipulation programs, etc.
• Windows 7 has simpler configuration of user settings. But simplicity isn't the only question since you can get the MacOSX perverse effect : too many hidden options, which makes that anything a little more complicated than usual cannot get done from the interface, you have to go commandline. So my question is quantity of settings VS simplicity VS good explanation VS automation of whatever can be automated. And here, if whoever has any precise comparison list, I am listening carefully.
• Windows 7 has greater availability of software. Depends on what you want to do. When my WAMP solution claims that a WAMP is only for testing and that a production tool should be a LAMP, what should I do? I am also a firm believer in centralized depots, and I find that the way to install software under Linux (like Synaptic) is much more modern and efficient than Windows software install.
  

To real Linux die hards… terminals rule.

Yeah, conquering die hards is the crucial problem when you're getting after marketshares!?

So Powershell presents an interesting argument for Windows adoption by the Linux user.

The very idea that an experienced Linux user could switch from the Unix philosophy to the Windows philosophy "disguised" as a command line drains tears of laughter from my eyes. Words or icons are just means, but the Unix philosophy that transpires through bash, csh or perl is a cement stronger than any interface tool.

Some people want free software (even if support is limited or non-existent).

RedHat sales are going higher and higher, is that a coincidence or does support just exist?

Applications like Firefox, Open Office, MYSQL, GIMP… wait all these applications are now available for Windows.

OK but with the exception of Firefox, most of them still run better and integrate better under Linux than under Windows.

Moreover, they are easier to install in Windows then they are in Linux.

Complete idiocy: once you have installed Ubuntu, the applications like Firefox, OOo, GIMP... are already installed. Concerning MySQL, you just have to go to Synaptic, check the "mysql" checkbox and click "install". Far easier than under Windows.

Windows 7 has solved a long-standing thorn in Microsoft’s side, How to deliver a feature rich OS without killing resources?

Okay, so Ron Barrett just confesses that Windows has long lagged behind competitors in terms of resource usage. Fine. Thanks.

Linux users have no reason to hold back anymore. Windows 7 is well placed to crush and put an end to the penguin.

Except complete programming station, polyvalent kernel that puts it everywhere from DVD players to car computers to mainframe servers, freedom from unwanted "home calls", complete view on the software from the kernel to the application, ready and working middlewares such as Apache, very good support (with full source access) like those of RedHat, IBM, HP and others...

Now that I could calm down, seriously, why would anything change about Linux users? There are two major situations:

• Those who were fed up with Microsoft or wanted specific freedom and they will not change anything because of Windows 7.
• Those who use Linux because it's at work or because they have a specific technical reason and they will not change either. At best they will consider changing, but whether that will be worth the migration, I doubt.
  

Virus free OSes and Google Chrome OS

It's been buzzing all around about Google Chrome OS. Google announced they would create a new Linux-based OS called Google Chrome OS and they said "[they would make it] so that users don't have to deal with viruses, malware and security updates".

A lot of articles have reacted to the news, and to the claim. Bruce Schneier was quoted saying that it was an idiotic claim to pretend it would be a virus free OS. And he explained later that it was an answer on the phone, to a journalist, and that he hadn't read the news in the original text by then.

Indeed, Google didn't claim they would produce a virus free OS, and they did well. If I am not mistaken, it is always possible to create a virus on a Turing machine or equivalent. And, as Schneier quotes from Fred Cohen (1986), it's never possible to create a perfect antivirus program.

Google's claim is much more subtle and quite interesting. They said that the user would not have to deal with viruses, malware and security updates. And that seems quite possible to me, or at least quite feasible to improve on, compared to the current situation.
In my imagination, Google wants to silently push all that's needed from the web directly onto their OS. OS patches, antivirus definition files, and why not also manual patches when needed?

Take the example of the handling of spam by Gmail. They have a set of rules, which they can modify very quickly, and even modify "by hand" for a singular point. In comparison, at the workstation level:

• in a typical open source environment, you would need an update command. Even if that's quick, that would require something like:

  # apt-get update; apt-get install last-spam-filter

• in a typical closed source environment, it would require an update by hand.

Here, the rules, updates, patches, and even new versions of the soft immediately come through the browser. Even if the system makes no breakthrough in terms of fundamental security, you will get an excellent increase in overall security from the regular update of software. No more unpatched OS, unpatched browser, unpatched AV...

So far as I can tell, that would save companies big heaps of money on exploitation.

PS: That uncovers a lot of questions for me, such as: How will MS react? Why didn't MS try to do the same? How can competitors get a foot into the same market? Won't Google become a new empire of evil? Will Google's business survive to DoS attacks? How can any evil competitor prevent Google from getting into that market? How will the Google Chrome OS get onto the PCs in the first place, will it be shipped with PCs, or will users need to install it? Where do you set the limit between what Google remotely do and what they don't do? How will governments react? What about privacy of information? What about national spying issues?

Raw unrefined suggestion about firewall rules

Since now we see attacks from inside intranets, using zombie networks, I think it could be a good idea to turn on the firewalls on each machine in the network (including on Windows stations, which I know is sometimes a problem) and to set up a detailed set of rules for them.

My problem was: how to figure out which rules for such a complex problem, so many machines?
My suggestion: why not propose a standard for a single file giving the positive rules necessary for a software to operate?

One file per application, that would come shipped with the application, and would describe all the things that need be open, for the application to work. The file would not describe what set of rules to put on which firewall, but simply what needs to be open.

If we have a look at the TCP/IP layers

This picture from Wikipedia under the GFDL license.

we see that simple firewalls operate on the Internet and Transport layers. Modern firewalls and proxies also operate on the Application layer.
I guess a simple XML dialect could be created to describe which things need be let in and out, on which layer. If this gets standardized or at least RFC'ed, there is a good chance to see opensource software adopt it, both on the application and on the firewall sides. On which case, since opensource is biggest marketshare on infrastructure, others should follow.
(All that raw and unrefined.)

My first virus under Linux [joke]

I just experienced my first virus under Linux. In a virtual machine running Windows XP. Of course, it was just for testing purpose... I installed a fresh Windows XP, tried to share files between the real machine and the virtual machine through Samba. To ease the configuration, I deactivated the firewall of Windows. I didn't use Internet Explorer at all.

And the result was there in less than five minutes. Multiple windows popped-up out of nowhere, proposing to install sex software, false anti-virus software... and I don't want to think of the things that happened without displaying a pop-up window.

There was a statistic a few months ago, saying that a non-secured Windows box alone in the wild was compromised in a few minutes. I can confirm.