Update on Shellshock

Having poo-pooed much of the overreaction about the “shellshock” bug in bash, I will still be patching my systems.

Apple have released a patch for Mavericks here and it’s probably wise to patch now rather than waiting for it to be pushed in an App Store update.

I still don’t think it’s a big risk for most users, and it’s definitely not a reason to eschew cloud deployments in the future.

New features in Alfresco 5.0 Enterprise

Alfresco Summit was last week in San Francisco and there were quite a few interesting announcements timed to coincide with the show.  There was the news that Alfresco had raised another $45M to continue the expansion and “SaaS-ification of the content market” (seriously?).  I’m not at all interested in that apart from the fact that it means Alfresco will be around in the medium term to develop and update the suite. I’m outraged by the bastardization of the language in that quote above, but I’ll let that go for now.

There was less press hoopla about the new features in Alfresco 5, although those were covered more in various twitter feeds from the show.  Maybe official press releases are just for marketing fluff and actual technical stuff is covered elsewhere?

As far as I can tell, the new functionality listed here for Alfresco Community 5.0 is what is also in Enterprise 5.0 – but if I’m wrong I hope someone will correct me.  The main areas called out as new are:

The press release also talks about improvements in reporting and analytics, encryption, scalability, etc., but I’ll wait until we get more details to cover those.

I’ll be starting a new project next month in which we deploy Alfresco on AWS as an information governance solution, so I’ll be looking forward to digging into these capabilities in more detail and I will report on my impressions here.

“Shellshock” and various other FUD

I was going to write about what’s new in Alfresco Enterprise 5.0, which was launched at the Alfresco Summit in SF this week.

But then I got distracted by Bash and “shellshock“.  I linked to the Forbes article, but I could have linked to 77,500 other news articles (according to Google at 5pm today) and I guarantee that 77,000 or more of those stories will contain misinformation, confusion, FUD, and general bullshit.

I run a mac, so as soon as I read the news I knew that OSX contains bash and would therefore be vulnerable.  I’m far from a bash guru, but it’s my shell of choice and I use it on Linux and Solaris as well if I can.

Last night I checked my firewall settings and tightened them up a little by enabling “stealth mode”, deleting rights from a couple of old apps that don’t need connections, and unchecking the “automatically allow…” box

firewall copy

However, the more I read about the issue, the less I saw it being likely to affect most users.  The bug/exploit/hack requires a remote user or process to execute a script on your server/computer in order to invoke the weakness – which is executing more code than the shell should allow, usually as profile settings.  This is a decent explanation of the issue.

So the average user will be unaffected by this unless she or he has enabled advanced unix services and set up their machine to respond to requests from external servers.  Obviously web servers and other public-facing servers need to respond to such requests, so they are more at risk.  Hopefully most of those systems will be professionally managed (he says with a straight face) and patched quickly and efficiently.  The embedded systems and infrastructure (switches, routers) weaknesses are potentially more difficult to solve and patch, but that’s another topic.

What really annoyed me about the coverage of this (apart from the general cluelessness exhibited by authors writing for many publications in order to incite outrage and fear) was that people who should know better were using this as an argument *against* cloud services.  That’s absurd, since both systems are equally at risk and the chances of cloud infrastructure being professionally and competently managed is (in my experience) higher than locally managed servers.

Fascinating – insight into Larry Ellison’s early career at Oracle

I tweeted this – but for those of you who don’t follow me or are not on twitter here’s the link.

Some choice quotes:

  • “Larry always had a 10-year technical vision that he could draw on the whiteboard or spin like a yarn.  It wasn’t always perfect, but it was way more right than wrong…”
  • “I remember a brilliant young programmer whom Larry allowed to live anywhere he wanted in the US or Canada, didn’t care about hours, where he was or any of that stuff. We just got him a network connection and that was it. This was unheard of back then…”
  • “Lessons Learned
    Great entrepreneurial DNA is comprised of leadership; technological vision; frugality; and the desire to succeed.”

It’s a quick read, but fascinating.

 

WebCenter on Exalogic and Exadata

There’s currently a lot of interest in moving virtualized environments to Oracle’s engineered systems.  This is partly because they are good systems and, for organizations that can use their capabilities, provide good value for money and high performance. Partly because Oracle licensing makes it tough to virtualize cost-effectively on other platforms (looking at you, VMware). And partly because Oracle sales people are extremely motivated to sell hardware along with software.

Unfortunately, though, there is still a lot of confusion about how this might impact deployment of WebCenter on these engineered systems.  Here are a few scenarios you may come across and how to deal with them.

  • Exadata (or Database Appliance) – no impact at all from an installation point of view.  The database is still just a database from the application’s point of view and will continue to connect via jdbc.
  • Exalogic with native OEL – this is a rare configuration, but Exalogic does support install of OEL natively on compute nodes.  In this case there is no difference to installing on any other Linux OS.  Assume (and ensure) networking is handled by the Exalogic administrator because that is where the issues may arise.
  • Exalogic with virtualized compute nodes – the most common deployment.  Thestandard/supported approach is to install all the WebCenter components on virtual OEL servers as usual.  Installation of WebLogic and WebCenter on Elastic Cloud (Exalogic) is exactly the same as on a regular server. Networking can be challenging when configuring virtual environments on Exalogic, so be sure that is all worked out ahead of time. Domain configuration and data stores should be on the ZFS storage appliance.

A major value add for Exalogic is the optimization for WebLogic that is designed into the system.  All of these optimizations have to be configured on a domain or server basis, though, they are not OOTB. This is a good resource for working through the optimizations.

Two factor security challenges

<Updated> Clarification of specific issues with 2-factor authentication by vendor:

Apple – two factor authentication becomes three factor when Apple disables your password and refuses to re-enable or change it. The Recovery Key then becomes the only factor in single factor auth.

Microsoft – two factor authentication with your MS Account (live? not sure what they brand it as this week) is not supported for Office365 accounts – so you have to generate a new one time application password each time you reboot your computer.

Ebay/PayPal – handoff from Ebay to Paypal (with 2 factor auth) doesn’t work on iPad. Prompts for password and then redirects prompting for SecureID token.  Does appear to work on Safari for Mac.

Dropbox – does appear to work, but I’m sure I’ll find flaws

Google – do they even have two factor? I don’t use their spying stuff.

 

Those of you who follow me on twitter will know that earlier in the year Apple’s poor excuse for two-factor security and support frustrated me for months (literally) and ended with me losing everything I had ever paid for with that account and having to create another account from scratch.

I’m now finding out that Microsoft has implemented two factor security in a similarly half-assed way.  I just switched to a personal MS365 subscription for Office 2011. Since installing Office 2011 I had been annoyed by the 365 login screen each time I rebooted my computer.  But now I’m using my own account with 2 factor auth, it’s even worse. I get prompted for a login, but my password doesn’t work – I then have to login to account.live.com, authenticate, generate an app password, copy that and then paste it into the prompt screen.  After talking to 9 different MS support people, none of whom even understood the issue, I have to assume it’s working as designed.  Their only advice was to turn off two factor authentication.

Add to that my experience last week where the handoff between eBay and PayPal (also with 2 factor auth) was completely broken on the iPad and my conclusion is that for normal users the overhead and annoyance associated with security is untenable.

We are surrounded by news of security breaches on a daily basis and yet the largest software companies in the world can’t implement two-factor security properly. Password management is a mess because web pages prevent you from copying passwords into the login screens or because apps on your mobile devices forget the password at every update and again don’t support pasting of username and passwords.

I’m a technical person that has been using these systems since the mid 1980s. I understand the importance of password management, secure authentication, etc. and I’ve even experienced the outcome of hacked passwords and lost accounts. But to expect “normal” users to manage these broken and difficult to use tools is ridiculous.  People will just throw up their hands and go back to 1234 or password because trying to do the right thing is too hard and ends up with you locked out of your account.

I’m not sure how this is going to improve.  The burden for these insecure systems is still placed fairly and squarely on the shoulders of people with lithe to no interest or training in technology. There’s no clear competitive advantage in more secure and easy to use logins because nobody at the companies pays any price for their failures.

  • Two-factor authentication (as it is implanted by almost every tech company) is broken.
  • Username / password is broken.
  • There is no clear alternative currently out there.
  • We will continue to get daily reports of “hacking”, “cracking”, and online theft.

 

Larry stepping aside at Oracle?

A shock announcement from Oracle yesterday that Larry Ellison will be stepping aside as CEO to a new position as CTO, with Safra Catz and Mark Hurd stepping into the new co-CEO roles.  BUT, Larry was also named executive chairman of the board – so Larry will report to Mark and Safra who report to the board of which Larry is chair.

As a former Oracle employee, Larry’s presence always loomed large at the company in a way that Safra or Charles Philips  did not (I pre-dated Mark).  I’ve always respected the guy because I admire someone who grew up  poor as the child of a single mother and had the vision and tenacity to grow such a huge company from nothing.  I have never met him face to face, but people I know who have reported that he is very, very sharp technically and had a grasp of detail even when he was running this behemoth of a company.

Mark Hurd, on the other hand, is almost universally described as a spreadsheet-driven bean counter and was widely loathed at HP when he was there. A friend of mine was in an HP office in London when the news came via email that Hurd had resigned and described the celebration and joy that greeted that news.  I don’t know much about Safra Catz other than she is seen to be efficient and somewhat scary (although there may be some sexism colouring that viewpoint).

Over a few beers with friends earlier in the year, we came up with the idea that Oracle would merge with Salesforce at some point and put Marc Benioff in the CEO seat of the combined company.  I see more  charismatic leadership style from Marc than from Safra or Mark – but maybe the latter will grow into their roles as Tim Cook has at Apple.  And there’s still time for Oracle and SFDC to merge – seems like almost everyone at SFDC used to work at Oracle anyway.

FWIW – here is what Marc Benioff had to say:

beniioff copy

Oracle buys Front Porch Digital

The news to start the week was that Oracle had agreed to buy Front Porch Digital – “a provider of content storage management solutions”.  It’s an interesting and valuable acquisition because it plugs the only remaining gap in Oracle’s content portfolio – broadcast and media asset management – an area that IBM, HP, and OpenText have covered along with a host of specialized vendors.

As an interesting aside, Stellent owned Ancept (which plays in this space) for a while, but sold it to IBM shortly before Stellent’s acquisition by Oracle. Actually, it was sold to an IBM reseller rather than IBM proper but Ancept was always strongly associated with big blue. Later Ancept was sold to ViewCast, a hardware vendor.

Front Porch’s products are also mainly hardware and there is little information publicly available about their software and workflow standards.  Their “secret sauce” is optimized storage hardware and integration with broadcast and editing systems.  One easy win for Oracle sales people, though, is that there is pre-existing integration with StorageTek tape systems (another company with a tangled acquisition history).

I don’t know enough about the broadcast media space to know whether this is a good acquisition in terms of “best of breed” but it does help plug that gap in the offering portfolio – a real requirement that we often see in RFPs and in the past have had to address with integrations to third parties.  It also fits with Oracle’s expansion strategy into hardware and engineered solutions. I can definitely see value in getting these acquired products to work with the SOA suite for Healthcare, for instance, as storage for DICOM and other medical images.

I think the real challenges will come with the transition for customers from a smaller vendor (FPD is a small, privately held company with less than 200 employees) to the hard-selling behemoth that is Oracle, and also in retention of key technical people.  Oracle’s acquisitions of Stellent, BEA, and FatWire have all resulted in almost total turnover of the technical architects, developers, and product managers from those companies leaving major gaps in internal resourcing to sell and support those products.

Oracle BPM 12c launch webcast

Oracle just launched their BPM 12c suite and Andy Kershaw presented a webcast on it this lunchtime (EST).  This was mostly a business and marketing-driven event, so very lacking in the detail and architecture that I would have liked to see, but I imagine those types of presentation will be coming along later.

I was also able to review the Oracle white paper on “What’s New in Oracle BPM 12c”  and the updated data sheet which gave some more detail on subjects Andy didn’t have time to cover.

From these two sources there are a few new areas of functionality that I will be interested in digging into a little more deeply:

  • Ability to define business rules verbally in Process Composer sounds interesting and useful, but the devil will be in the details
  • Better support for mobile – absolutely crucial these days.
  • “Adaptive Case Management” – which I really hope isn’t just marketing fluff.  If it truly delivers on the closer integration of BPM, Content, Data, and BAM it will be a great thing for clients who have previously had to cobble this together themselves.
  • Better integration with cloud-based and 3rd-party applications – obviously Eloqua and Fusion Apps, but also Salesforce, SAP and others.  Strangely, I can’t find info on this on the Oracle web site, but obviously this is a big advantage for the majority of businesses that are diverse in their vendor choices.

A lot of other interesting aspects of KPI tracking, better analytics, integration with Oracle R, etc.  I wonder if a limited use license for this will still be bundled with WebCenter Content?  It certainly looks like WCC is bundled with the BPM suite for use in Case Management.

Branching out to a dedicated Tech blog

I’ve been meaning to set up this expanded WordPress site to allow me to explore technical subjects in more depth than twitter allows and with more freedom than my company’s blog allows.  So here we are – finally – after wrestling with my hosting partner, naming convention issues, WordPress configuration, and plugin challenges.

Needless to say – all opinions in here are 100% my own and do not reflect the views of my company, my colleagues, my former employers, or anyone else.  All mistakes are my own and all incorrect conclusions, laughable assertions, and illogical conclusions would reflect only on me.