Tuesday, September 13, 2011


"Hacker Rattles Security Circles" by SOMINI SENGUPTA, New York Times 9/11/2011


He claims to be 21 years old, a student of software engineering in Tehran who reveres Ayatollah Ali Khamenei and despises dissidents in his country.

He sneaked into the computer systems of a security firm on the outskirts of Amsterdam. He created fake credentials that could allow someone to snoop on Internet connections that appeared to be secure. He then shared that bounty with people he declines to name.

The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.

Comodohacker, as he calls himself, insists he acted on his own and is unperturbed by the notion that his work may have been used to spy on antigovernment compatriots.

“I’m totally independent,” he said in an e-mail exchange with The New York Times. “I just share my findings with some people in Iran. They are free to do anything they want with my findings and things I share with them, but I’m not responsible.”

In the annals of Internet attacks, this is likely to go down as a moment of reckoning. For activists, it shows the downside of using online tools to organize: an opponent with enough determination and resources just might find a way to track their every move.

It also calls into question the reliability of a basic system of trust that global Internet brands like Google and Facebook, along with their users, rely upon. The system is intended to verify the authenticity of a particular Web site — to ensure, in effect, that Gmail is Gmail, and that the connection to the site is encrypted and difficult for an outsider to monitor.

Hundreds of companies and government authorities around the world, including in the United States and China, have the power to issue the digital certificates that the system relies upon to verify a site’s identity. The same hacker is believed to be responsible for attacks on three such companies.

In March, he claimed credit for a breach of Comodo, in Italy. In late August came the attack on the Dutch company DigiNotar. On Friday evening, a company called GlobalSign said it had detected an intrusion into its Web site, but not into more confidential systems.

Armed with certificates stolen from companies like these, someone with control over an Internet service provider, like the Iranian authorities, could trick Internet users into thinking they were safely connected to a familiar site, while eavesdropping on their online activity.

Fearing the prospect of other breaches similar to those carried out by this hacker, Mozilla, the maker of the Firefox Web browser, last week issued a warning to certificate authority companies to audit their security systems or risk being booted off Firefox.

“It is a real example of a weakness in security infrastructure that many people assumed was trustworthy,” said Richard Bejtlich, the chief security officer of Mandiant Security in Alexandria, Va. “It’s a reminder that it is only as trustworthy as the companies that make up the system. There are bound to be some that can’t protect their infrastructure, and you have results like this.”

Thursday, September 8, 2011

SOFTWARE - Linux Ubuntu on IBM Mainframes?

"Mainframe Ubuntu Linux?" by Steven J. Vaughan-Nichols, ZDNet 9/7/2011

When you think of “Ubuntu Linux,” you probably think of the community Linux distribution and the Linux desktop. That’s great, but Canonical, Ubuntu’s parent company, also wants you to think of Ubuntu as a server and cloud operating system platform. To that end, Canonical has been working with IBM to get Ubuntu certified on IBM’s high-end System P Power hardware line and System z mainframes.

Yes, that’s right little Ubuntu Linux may soon be certified and running on top-of-the-line IBM enterprise hardware. Before this, Canonical worked successfully with IBM on bringing Ubuntu certifications for IBM’s x86-powered System x and BladeCenter lines.

Officially, all Canonical has to say is “Our company policy is that we don’t comment on any rumors that might be circulating. We’ll of course keep you well informed of any news that comes out of Canonical.” Away from public relations though I’m hearing that Canonical and IBM have working hard on expanding Ubuntu’s reach on IBM hardware.

If all goes well, Ubuntu will be officially supported on System p within the month and it will be certified on the Z mainframes by year’s end. This is happening because Canonical is working hard on increasing its business market share. While Ubuntu is arguably the single most popular Linux distribution with individuals, it’s always lagged behind most Red Hat and SUSE, formerly Novell, in business. Canonical wants to change that.

In order to do that, Canonical has been improving its partnerships with Original Equipment Manufacturers (OEMs); major server companies such as Dell, and its enterprise customers. This next step into high-end business computing with IBM makes perfect sense in pursuing this strategy.

As for IBM? Linux has been very, very good for IBM over the last decade and they’re getting to like Ubuntu. Historically, IBM has allied with Red Hat and Novell/SUSE. But, as IBM’s VP of Open Systems Development, Dan Frye told me recently, IBM is operating system and Linux agnostic. IBM will support what its customers want, and so, it appears to me, that IBM’s customers must now be asking for Ubuntu. Sometime soon it looks like they’ll be getting it.

This could be a very big win for the Linux world.