President Obama gets a lot of credit for his pro-open source policies, but the United States has been funding open source well before he took office.
The U.S. Agency for International Development (USAID), which describes itself as the principal federal agency for extending "assistance to countries recovering from disaster, trying to escape poverty, and engaging in democratic reforms," has been in the habit of funding open source abroad since at least 2007.
As but one example, USAID kicked off its Open Source Development 2.0 challenge last fall.
The contest and other USAID activities led to a wide roll-out of Joomla, an open-source content management system, throughout the Mongolian government, including 200 of its Web sites, as Elin Waring, president of Open Source Matters, a company that advocates Joomla adoption, told me.
But Joomla is just one part of USAID's global investment in open source. The agency has also created the Global Development Commons, which promotes U.S. interests by encouraging open development abroad. Apparently, the idea is that U.S. interests are served as local economies sustain and grow on their own, rather than requiring ongoing foreign investment.
Microsoft recently funded an IDC study, which finds that "software is a significant contributor that drives productivity and innovation in almost every sector of the economy." This may be true, but as I've argued before, governments would do better to expand local economies by building upon open-source software rather than shipping rubles/pesos/etc. abroad to import software from vendors like SAP, Oracle, and Microsoft.
In the case of open source, the software may come from elsewhere but it quickly becomes a domestic good as local firms tailor and improve it. With proprietary software, local firms can provide implementation services but they, as well as the end-customers, are always dependent on a foreign vendor for the core value.
The U.S. continues to buy plenty of proprietary software, but it's encouraging that when it comes to international development, the federal government recognizes that open source pays better long-term dividends than subsidies for the export of proprietary software. Even more encouraging, this practice appears to be neither Democratic nor Republican in origin.
Perhaps there's hope for bridging America's partisan divide, after all.
I thought of just Tweeting a few of these news bits, but some deserve to be blogged. Alas! I lack the time today but....
- Joomla has surpassed 10,000,000 downloads. It's hard to describe just how impressive this is, and particularly given the fact that these have come in the past four years, and after a fractious fork from Mambo.
- The University of Southern Mississippi and the Department of Homeland Security's Science and Technology Directorate have launched the Homeland Open Security Technology (HOST) program, along with Open Source Software Institute (OSSI) and the U.S. Navy, to invest $1.5 million in the development of open-source technology.
- A new report from Gartner suggests 42 percent of CIOs surveyed chopped their IT budgets in the first quarter of the year. Less budget almost certainly will mean more open source.
- MindTouch (Disclosure: I am an advisor to MindTouch) CEO Aaron Fulkerson asks what's the big deal with Google's new Wave collaborative platform, given that wiki technology (like MindTouch's Dekiwiki) has been "waving" for years. Rafael Laguna, Open-XChange CEO, agrees. I still think Wave is cool.
- Speaking of Google, the company recently launched Page Speed, an open-source Firefox add-on that "web developers can use...to evaluate the performance of their web pages and to get suggestions on how to improve them." Google continues to demonstrate ever-stronger commitment to feeding the open-source community.
- Given that no one has yet settled on the optimal open-source code contribution model, MySQL developer Brian Aker discusses the Drizzle fork of MySQL and how he and the project team are handling third-party contributions to it. Very interesting insight into code contribution policies, copyright assignment, etc.
- Acer, meanwhile, is crippling its Android Netbooks by having them dual-boot Windows. I don't have anything against Windows (well, that's not really true...), but this seems like an exercise in futility. If customers want Windows, give it to them. If they want the lower price (and different experience) of Linux, give that to them. But don't give them both, or they'll likely revert to Windows out of sheer habit.
- Cloudera CEO Mike Olson indicates that Web applications are just the beginning for Hadoop. Indeed, Cloudera's easier-to-use commercial version of Hadoop is doing so well that Cloudera had to raise another $6 million just to keep up. Fortune, for one, thinks that Hadoop might be perfect to help power the electrical power grid.
- Back in Redmond, Microsoft is coming under increased pressure from the European Commission, reports The Register, which may force Microsoft to offer rival browsers with Windows. Microsoft probably feels pretty beleaguered, but Roy Schestowitz offers up some data that indicates it's spending its free time pressuring European groups to side with it. It doesn't seem to be working.
- Finally, Oracle executives didn't mince words in a town hall meeting with Sun employees, stipulating that some tough choices will be made about Sun technology and personnel. Indeed.
Recently ParisHilton.com got hacked. In the rush to find a culprit, however, security experts quoted in InformationWeek incorrectly blamed the open-source Joomla web content management system for the security breaches.
According to [a senior security researcher at ScanSafe], there's an iFrame that has been embedded in the ParisHilton.com Web site....She said it wasn't clear how the iFrame got added to Paris Hilton's site, but she said it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports.
Such "other reports" include this one in ComputerWeekly. The problem with blaming Joomla for security breaches at ParisHilton.com and many of the other sites in question?
They aren't Joomla sites at all.
This is lazy security "research" by the ScanSafe researcher and other "experts" noted in these articles. It's like me blaming Microsoft for security breaches...on a Linux server. It might make for an easy scapegoat, but that doesn't make it any less untrue.
I spoke with Elin Waring, president of Open Source Matters, a part of the Joomla! project, who suggested that "both times [the security allegations surfaced] within a week of a regular release that included some security patches, which I think probably is not a coincidence." She may have a point. Is the security community seeing the patches and assuming they must have been released to fix the high-profile security website breaches?
This is plausible, but again, ParisHilton.com and others among the websites in question weren't Joomla-managed websites at all. It's therefore understandable when commenters on the InformationWeek story about the ParisHilton.com hack say things like this:
For the expert to say, "it could be because of a vulnerability in the open source content management system Joomla, which has been a common factor in other reports" when not doing the basic research to know if the site was actually running Joomla really brings into question both the credibility of the expert as well as the reporter that quoted said expert.
It "could be" any software package that manages Web sites, because any of them "could have" been the application behind the site in question. Naming a specific Web application in such a manner without being certain it is the one managing the site is ethically and morally wrong if not legally.
Amen. Whether Joomla was simply a convenient scapegoat or a likely culprit, the reporters and "security experts" did a shoddy job by unfairly and inaccurately allocating blame to Joomla. Time for a retraction? The days of being able to casually blame open source for being a security risk are long gone. Time for the "security" community to wake up.
Disclosure: I work for Alfresco, which both competes with and partners with/supports the Joomla open-source WCM project. And, yes, I quite like Joomla.
Vendors with the most reported security vulnerabilities (Credit: IBM)
Proprietary vendors, including study author IBM, take a beating in a new report that catalogs software vulnerabilities.
Apple, Microsoft, Sun Microsystems, and IBM each sprinted to finish in the top five for most reported security vulnerabilities in the IBM Internet Security Systems' X-Force 2008 Mid-Year Trend Statistics report (PDF).
Not to be outdone, Joomla, WordPress, Drupal, and Linux also fought bravely to make the top 10. This is an indication of their growing adoption. As Sam Dean notes: no one bothers to hack a lonely system that few use.
However, it may also have much to do with the language in which all but Linux are written. According to the report:
An obvious trend demonstrated by the appearance of these (open-source) vendors on the top 10 list is the increasing prevalence of Web-related vulnerabilities...Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
Suddenly, fuddy-duddy Java starts looking pretty good--or would, if the proprietary vendors on the list weren't also using Java or .Net. Perhaps there's simply no language that can protect users from determined bad guys.
As for who is finding the vulnerabilities, this is particularly interesting, especially in light of the "given enough eyeballs, all bugs are shallow" theory of open source. According to the report:
Over the past 1 1/2 years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).
In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one.
As suggested above, the report finds that attacks are shifting from the operating system to Web applications...but not necessarily Web browsers, which are becoming more secure. Instead, attackers increasingly rely on "automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins" to attack users' systems. Indeed, plug-ins represent 78 percent of public security exploits affecting browsers.
What to do? Well, there's always the possibility of not using any of the companies or projects on the top 10 list, but that would leave you with a pretty lame technology existence. A little dose of intelligence online would probably go furthest in protecting users from attacks.
You just can't please everyone. I read this post from an irate Joomla! user who is incensed that he has to pay - drum roll, please! - $25 to $300 for a Joomla! theme. Let's be clear: This theme is not required to use the Joomla! web content management system. It's not even made by Joomla, so far as I can tell.
Instead, he's chafing at having to pay a third-party developer for the software:
...I ran into a very disappointing surprise regarding Joomla. As I searched for themes, (templates) all the ones I came across that looked halfway decent were "Paid" themes that you had to buy ranging from $25 to $300 dollars depending on the site and the subscription. A lot of the modules I was looking at also carried a hefty price tag to use with this "Open Source" software.
In conflating "open" with "free cost," this Joomla! user has completely missed the point of open source. He's also missed the point that $25 is a drop in the bucket compared to the tens to hundreds of thousands of dollars he'd otherwise be paying Vignette, Fatwire, Interwoven, etc.
I'm not suggesting that this person is representative of the Joomla! community. I'm just annoyed that we still have people who feel that open source was divinely ordained to be free of cost. It's not. Get over it.
One of the things that I love about open source is that it's a great way to let innovation and collaboration happen in the absence of lawyers dictating every jot and tittle of an integration. As a case in point, I woke up today to see that someone has integrated Joomla! with Alfresco (and dubbed the result "Joosco").
In a nutshell, Joosco is a front-end for Alfresco inside Joomla!. It works by adding a new entry to a Joomla menu (called Documents, for example). Users click that link to reach a new page where they can browse the spaces and content of the Alfresco repository. The plugin authenticates users against the Alfresco repository, so Alfresco users can now log in to Joomla, and their Alfresco permissions are used to display only the content they are allowed to access.
Alfresco, my company, didn't write that extension. To the best of my knowledge, the core Joomla! team didn't, either. Who did? The community. Why? Because they had that need and so filled it. What enabled it? Open source.
Open source lets code speak for itself. I'm a big fan of Joomla! but don't have the expertise to write this sort of integration. The community does. So it did. Because it can. That's open source.

We're now at 199 projects that have adopted GPLv3, which represents a 21% increase over last week. Clearly, GPLv3 has legs. Significantly, Snort made the move this past week. This is a major coup for GPLv3. [I just found out that, in fact, Snort did not make the move to GPLv3.]
What's most interesting to me, however, are the projects this past week that have decided to stick with GPLv2. Two of my content management compatriots (Joomla and Mambo - who says they can't get along? :-), as well as Compiere. These are highly visible projects and, as such, it would be useful to know their reasons. (Of course, the Mambo and Joomla projects are tightly linked restricting their, or at least Joomla's, ability to act completely independently, as I understand it).
Sometimes popularity isn't worth the trade-offs it may require, it would seem. At least not for Joomla!, as Linux.com highlights in an article yesterday. The Joomla! team had apparently allowed proprietary extensions to its GPL code base as a way to grow in popularity, but the effect has been to breed mistrust and confusion.
Joomla's original intention was arguably a good one: be very "open" to outside development - of proprietary and open source kinds - so as to serve a more diverse community:
It seemed that Joomla! had created a thriving economy for developers, arguably because its tolerance for proprietary extensions attracted entrepreneurs who discovered an audience hungry for inexpensive but useful add-ons. Further solidifying the third-party developers' position that they were within their rights to develop non-GPL addons, Landry and others explicitly stated in Joomla! forums that the decision about whether to allow proprietary extensions was up to the copyright holder. In a June 2006 topic entitled "1.5 licence change clarification," Landry wrote that the Joomla! license in version 1.5 would "make sure that commercial third-party developers that use Joomla! as a platform can do so without fear of having to release GPL."
The problem, however, is that it's hard to serve two masters.