News Blog

Monday could be the day that iPhone fans have been waiting for. According to News.com reporter Tom Krazit, who I interviewed for Thursday's Daily Debrief video, Apple CEO Steve Jobs will most likely announce big news on the second iteration of the phone at Monday's Worldwide Developers Conference in San Francisco. Updates could possibly include, but are not limited to, the inclusion of GPS, a slimmer body, and the ability to connect to the 3G network.

Traditionally, Jobs has used the WWDC to discuss changes to the Mac and OS X. This year, Krazit expects less sexy news on the Mac OS front, perhaps surrounding security and privacy issues. Another source of speculation has been what big cat the OS X 10.6 will be named after. Snow Leopard seems unlikely since Leopard was used last time, but what's left? LOLCat? The Cougar?

Google's Vidnik lets users take videos, trim them, and upload them to YouTube.

(Credit: Google)

Google has released basic software called Vidnik that lets Mac OS X users record video with a Webcam or built-in camera, trim its length, add tags and a title, then upload it to YouTube.

The software also can be used to upload other videos to the company's video-sharing site, and other editing software can be used on the videos taken by Vidnik, David Phillip Oster of Google's Mac team said in a blog posting.

The software is among a host of Mac applications the company has produced. (Another interesting one is Visigami, which lets people search for images on Flickr, Picasa, and Google Images and use the results as an animated screensaver.)

Google has an increasing stable of software that runs on people's computers--Google Desktop is one good example--and is working on mobile phone applications, too, through its Android project. But don't be confused by all this attention to what's known as client software: the company's higher priority is to make the Internet the application foundation of choice.

There's a good piece by Saul Hansell over on The New York Times' "Bits" blog.

Hansell describes how Comcast is being criticized for low picture quality on certain broadcasts. That's interesting, especially in light of the contention between Comcast and DirecTV on this very issue, but it isn't the most important point in Hansell's post.

Hansell goes on to give a reasonable explanation of the basic issues involved, and mentions the likely future of cable TV: digital video distributed over Internet-like network switches. Instead of always sending every TV channel to every house, a switched system sends only the data for the channels that are being watched. (While it's fair to say that the capacity of such a system has no arbitrary limits, it isn't "infinite" as Hansell said.)

But there is a big practical difference between a system with hundreds of channels and one with, at least potentially, millions. With switched video, every channel is "on demand"--and anything that customers demand can be made available. Imagine YouTube in true HD, for example. That's impossible today, but with switched video, it's merely expensive. :-)

I wrote about switched-video technology back in 2001 in my column for Electronic Business magazine, and honestly I thought this technology would be in use by now, at least in test markets.

Verizon's Fios service has most of the necessary characteristics, but even Fios carries video in pretty much the same way copper-based cable systems do, except using an optical carrier over fiber. (Wikipedia has a decent explanation here.)

Well, there's no hurry. We'll get there eventually.

PGP Corp. is planning to release a version of its whole-disk encryption software for Apple Macintosh computers running OS X.

Jon Callas, PGP's chief technology officer, told me on Monday that the software is "in active development" and will run on Intel-based Macs. Callas didn't want to elaborate on a shipping date, unfortunately.

This promises to be a boon for OS X users, especially laptop users who are more likely to lose their machines or run into snoopy border police and airport security guards who want to poke around the contents of their hard drives. Right now there's no way for OS X users to encrypt their entire boot disks.

OS X already features FileVault, of course, but that focuses on encrypting the user's home directory. Without whole-disk encryption, Unix-derived systems including OS X store in unencrypted form details about VPN usage, login times, and what applications are installed in the default location. Some applications including Thunderbird save working copies of documents in an unencrypted area outside the home directory.

Another problem with FileVault is that it hasn't always been implemented that securely. Earlier versions of OS X didn't encrypt the swapfile used for virtual memory, meaning the password could in many cases be easily extracted. And a paper (click for PDF) published last year by Jacob Appelbaum and Ralf-Philipp Weinmann found other potential security weaknesses.

PGP released its whole-disk encryption utility for Windows in May 2005. A perpetual license for PGP Whole Disk Encryption 9.8 for Windows costs $149.

I should also note here that a free volume encryption utility called TrueCrypt was released for OS X last week (it was previously available for Windows and Linux). TrueCrypt doesn't do whole-disk encryption, but it does offer a way to conceal the fact that an encrypted volume exists--although that handy feature isn't yet available on OS X and Linux.

When my posting frequency drops a bit, the usual reason is that I'm flying here and yon and otherwise occupied with goings-on at some conference, meeting, or client engagement. The situation in January was a bit different. For the first time in a while, I had some decent blocks of uncommitted time. And I put those to use fleshing out and writing some longer research notes that had been sitting on the to-do list for way too long.

Two of these deal with so-called "cloud computing"--the idea that software will increasingly run in the network. These were originally planned as a single paper, but for structural and length reasons, I decided to break out the definitional piece, "Defining Cloud Computing." To tell the truth, I don't typically find formal taxonomies and categorizations especially interesting, but I thought it useful in this case to be clear about the topic under discussion.

The main research note, "The Cloud vs. Open Source," focuses on the relevancy of open source in a cloud computing world--and, especially, whether other types of protections and rights may not be more important than the right to view, modify, and redistribute source code. Tim O'Reilly has written and spoken on this topic.

At the just-concluded Sun Analyst Summit, I also had the opportunity to broach this topic with Simon Phipps, Sun's Open Source Officer. An interesting perspective that he added is that we're really talking about two different kinds of rights. One is essentially individual--the right for me to decide who can access what "data" that I "own" (whatever those terms mean exactly) and to transfer my data from one place to another. However, there's also the idea of what I'll call community or collective rights--the idea of reciprocal obligations associated with providing application programming interfaces and access.

One follow-up piece that I want to write when I have time will be something along the lines of "Why Not the Cloud?" in which I'll look at some of the inhibitors to moving computing into the network.

Finally, "The Future of the Operating System" looks at how changes in the way that we operate computers and deploy applications is starting to change how we view the operating system, a technology construct that, in important ways, hasn't really changed for decades. Server virtualization is the big driving force behind change here. However, virtualization is hardly unrelated to cloud computing--both through services like Amazon EC2 and, more conceptually, in the fact that virtualization is all about masking lower-level details from users.

These three Illuminata research notes are all available as free samples.

Linus Torvalds woke up on Mars today (or maybe it was Oz), and had this to say about Windows Vista and Apple's OS X:

I don't think they're equally flawed. I think Leopard is a much better system. On the other hand, (I've found) OS X in some ways is actually worse than Windows to program for. Their file system is complete and utter crap, which is scary. I think OS X is nicer than Windows in many ways, but neither can hold a candle to my own (Linux). It's a race to second place.

I guess when you're famous you can say inane things and get away with it. Yes, Linux does some things better than Mac OS X and Microsoft's Windows Vista on the desktop (security, maybe), but let's be honest: the Linux desktop is "utter crap" compared to either OS X or Windows when it comes to the thing that matters most: usability.

If normal people can't use it, it just doesn't matter how beautifully architected it is. Sorry, Linus. Everyone has to be wrong sometimes. This is your turn to shine.

That said, I found his comments on whether Google is a good open-source citizen much more illuminating:

If what The Register writes is even remotely true, the writing is on the wall for Microsoft's desktop dominance. What does it say? "Game over."

The Register is reporting that Apple may be coding Leopard to run Windows applications natively (meaning, no need for Parallels, Boot Camp, etc.). It's a wild guess at this point, but the clues are there:

Leopard's PE (Portable Executable--a way of encoding executable files) support was uncovered by one Stephen Edwards, who'd been working with Wine, the open source version of the Windows application programming interface (API). He found that Leopard's Dynamic Linker (Dyld) will try to load a PE file. Soon after, Leopard's hunt for DLLs referenced by the PE file appeared as further evidence that the presence of PE support may not simply be a hang over from Apple's use of the Extensible Firmware Interface (EFI).

[Update: Corrected name of rPath CEO Billy Marshall.]

There's a nasty little war afoot over the future of the operating system.

In one corner you have the operating system vendors.

They're building in virtualization, for example. This increases the depth of their software stack. The OS vendors present virtualization as a natural addition to existing operating system functions and a means to integrate an increasingly-common software capability.

That's fair enough. But it's also about control, especially in a world where owning the hypervisor gives you an advantage when up-selling to management layers and other value-add software in which there's real money to be made (as opposed to the raw hypervisor, which is becoming increasingly commoditized).

As we saw last week in the case of Red Hat, OS vendors are on the lookout to circumvent attempts to make their operating systems (and their brands) irrelevant. In Red Hat's case, it was to quash the efforts of software appliance makers to effectively make the OS just a supporting feature of the application.

In another corner, you have the application vendors and their fellow travelers.

Software as a service (SaaS) is one aspect of this war. Taken to its logical extreme, it may change the role of systems companies as well as operating system vendors. However, we don't need to look that far into possible futures to see the application vendor front in this war.

Take the appliance makers that Red Hat was taking on last week. Rpath CEO Billy Marshall writes: "Fortunately for all of us, 'certification' will be a thing of the past when applications companies distribute their applications as virtual appliances." It's not hard to see why Red Hat doesn't exactly cotton to this way of thinking. After all, certification is a very large part of what Red Hat sells. And the number of applications certified to run on Red Hat comprises a huge barrier to any other Linux vendor delivering its own flavor of "Enterprise Linux."

Oracle's Unbreakable Linux is a different take from a different angle, but the end result is the same. Its concept is based on the idea that, when you buy an application from Oracle, you also get some bits that let the application sit on top of the hardware and perform necessary tasks like talking to disk. Oracle has been subsuming operating system functions like memory and storage management for years; subsuming the whole operating system was just the next logical step.

So is its latest move, coming out with its own hypervisor based on technology from the widely-used Xen Project. (Xen is also the basis for the hypervisor in Novell and Red Hat Linux--as well as OS-independent products from XenSource/Citrix and Virtual Iron.)

Just as Oracle wants to minimize the role of the OS, so too does it want to minimize the role of the hypervisor (which, as I noted, itself threatens to reduce the role of the OS--got all that?). From the vantage of Redwood Shores, VMware is getting altogether too much attention. The easiest way to minimize the impact of the virtualization players? Offer Oracle's own hypervisor.

The biggest challenge that I see facing Oracle here is similar to that facing Unbreakable Linux and software appliances in general. There's an implicit assumption that people will be willing to have one virtualization for their boxes that run Oracle and another virtualization for everything else--that the maker of the hypervisor bits doesn't matter.

So far, there's scant evidence that people are willing to be quite so blase about their server virtualization. Furthermore, brand preferences aside, it remains early days for standards that handle the control and movement of virtual machines across virtual infrastructures sourced from different vendors. It's perhaps more thinkable that Oracle database and application servers might be kept independent from a general virtual infrastructure than would be the case with other, often less business-critical, applications. But, at least today, its still counter the overall trend of IT shops looking at server virtualization in strategic rather than machine-by-machine tactical ways.

As a result, I don't see this announcement having a broad near-term impact (as, indeed, Unbreakable Linux did not either, once the original raft of press stories and industry discussion died down). Rather, I see this as Oracle determined to keep making its statement, time and time again, that, someday, the operating system won't matter. That's Larry's story, and he's sticking with it.

Apple on Monday released QuickTime version 7.3, addressing seven security vulnerablities for QuickTime 7.2 and earlier. Some of the flaws are serious and can be exploited by luring a victim to a Web site that contains a malicious crafted image or movie. The patches include both Mac OS X and Windows. A month ago, Apple patched another serious flaw within QuickTime for Windows. The latest version is available through the built-in software update feature of QuickTime or from the Apple Downloads site.

QuickTime (image description)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-2395. According to Apple, "a memory corruption issue exists in QuickTime's handling of image description atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution." Apple credits Dylan Ashe of Adobe Systems for reporting this vulnerability.

QuickTime (Sample Table Sample Descriptor (STSD) )
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3750. Apple says "a heap buffer overflow exists in QuickTime Player's handling of Sample Table Sample Descriptor (STSD) atoms. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Tobias Klein of www.trapkit.de for reporting this vulnerability.

QuickTime (Java)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-3751. According to Apple, "multiple vulnerabilities exist in QuickTime for Java, which may allow untrusted Java applets to obtain elevated privileges. By enticing a user to visit a Web page containing a maliciously crafted Java applet, an attacker may cause the disclosure of sensitive information and arbitrary code execution with elevated privileges." Untrusted Java applets may obtain elevated privileges. Apple credits Adam Gowdiak for reporting this issue.

QuickTime (PICT image processing I)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4672. Apple says "a stack buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime (PICT image processing II)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4676. According to Apple "a heap buffer overflow exists in PICT image processing. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution." A user opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Apple credits Ruben Santamarta of ReverseMode.com working with TippingPoint and the Zero Day Initiative for reporting this issue.

QuickTime (QTVR)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4675. Apple says "a heap buffer overflow exists in QuickTime's handling of panorama sample atoms in QTVR (QuickTime Virtual Reality) movie files. By enticing a user to view a maliciously crafted QTVR file, an attacker may cause an unexpected application termination or arbitrary code execution." Viewing a maliciously crafted QTVR movie file may lead to an unexpected application termination or arbitrary code execution. Apple credits Mario Ballano from 48Bits.com working with the VeriSign iDefense VCP for reporting this issue.

QuickTime (color table)
This patch affects users of QuickTime 7.2 on Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5, Windows Vista, and Windows XP SP2, and addresses the vulnerability in CVE-2007-4677. According to Apple, "a heap buffer overflow exists in the parsing of the color table atom when opening a movie file. By enticing a user to open a maliciously crafted movie file, an attacker may cause an unexpected application termination or arbitrary code execution." Apple credits Ruben Santamarta of ReverseMode.com and Mario Ballano of 48Bits.com working with TippingPoint and the Zero Day Initiative for reporting this issue.