Technology News and IT Business Intelligence

Archive for January, 2010


What happened to the Windows Mobile 6.5 SDK?

by on Jan.27, 2010, under Betanews

Late on Friday, Microsoft published the first Windows Mobile 6.5 software development kit, albeit with no announcement or fanfare. Since the operating system was released last October, the only toolkit for Windows Mobile 6.5 development was released as an add-on component to the Windows Mobile 6 SDK.

The SDK came with images for both “Professional” and “Standard” versions of Windows Mobile 6.5, also known as touch enabled, and non-touch enabled, and it reportedly also included support for the 6.5.3 update and widget development.

However, the SDK was pulled down over the weekend, because it had apparently been posted before it was even finished with testing.

This afternoon, the Windows Mobile Developer Experience team tweeted the succinct answer to questions about what happened to the SDK. “With regards to 6.5 SDK, we prematurely released an untested SDK which was not ready. We pulled it so proper testing can be completed….”

While we are not certain what Microsoft will be showing at Mobile World Congress in February, we can now at least be certain that the 6.5.3 update will be included in the SDK when it is released.


China is the victim of an Internet smear campaign, alleges its government

by on Jan.27, 2010, under Betanews

In its latest and broadest-ranging official statement since a major policy conference last week at the US State Department, aligning American foreign policy with “Internet freedom” and directing skepticism against China, the Chinese government said this morning it had absolutely nothing to do with any cyber-attack on anyone’s Internet assets. China was careful not to mention Google by name, which might have been interpreted as an acknowledgment that such an attack happened.

“Accusation that the Chinese government participated in cyber attack, either in an explicit or inexplicit way, is groundless and aims to denigrate China,” reads an official China government statement issued through the Xinhua news agency. “We firmly opposed to that [sic]. China’s policy on Internet safety is transparent and consistent… China is the biggest victim country of hacking as its Internet has long been facing severe threats of hacker and online virus attacks.”

A security researcher told The New York Times last week that an algorithm used to encrypt stealth connections used by the Hydraq exploit — pegged as the weapon used in the Google attack — was somehow Chinese in origin. But until a further explanation can be offered as to how math can have a nationality, that’s as close as publicly available evidence actually gets to pinning the attack on China, the country. A Google spokesperson told Betanews last week that more damning evidence does exist, and that the company shared it with the State Dept., but neither the company nor State was in a position to make that evidence public yet.

In his regular press briefing last Friday, State Dept. spokesperson P. J. Crowley confirmed to reporters that US diplomats had indeed raised the specific subject of the Google attack with their Chinese counterparts on Thursday. These discussions followed Sec. of State Hillary Clinton’s speech before the Internet Freedom conference last week, as well as China’s first counter-volley of denials — indicating that the talks may not have been especially successful. “We’ve had conversations over the past 24 hours with the [Chinese] ambassador here in Washington regarding the speech, regarding the issue of the Google situation, and broader aspects of a relationship. And I would anticipate that we will have ongoing meetings both here in Washington and in Beijing on all of these subjects,” said Crowley.

But the spokesperson then deferred several repeated questions about the possibility of a demarche — a formal diplomatic statement countering China’s accusation that the US was using Google’s allegations as leverage to advance its own agenda, which it said was merely a smokescreen to advance private interests such as Google itself. That first statement read, in part, “The US has criticized China’s policies to administer the internet and insinuated that China restricts internet freedom. This runs contrary to the facts and is harmful to China/US relations.”

Crowley’s initial response to that included the following: “We have a wide-ranging and deep relationship with China. And the number-one and number-two economies in the world are going to need to consult on a regular basis.”

That didn’t sound like much of a scolding was in the works; and as Crowley was later forced to admit, no demarche will be coming from the US anytime soon. But that’s because, he later said, the State Dept. had been in briefings in Washington not just once but three times, with a fourth meeting scheduled perhaps for as soon as today, between the Chinese Ambassador in Washington and US Assistant Sec. of State for Asia/Pacific Kurt Campbell.

“I think we seek an explanation from China,” Crowley told reporters. “We are, in fact, trying to ascertain facts. The Chinese have denied that anything has happened. I think the Google statement speaks for itself, that seems to point to the fact that something significant has happened. That is why we have raised the questions that we have and why we seek an explanation from China about what, in fact, did happen. We are trying to ascertain the facts in this case. A blanket denial that nothing happened we don’t think is particularly helpful.”

In a statement yesterday, China’s State Council Information Office held to the state line that it was fully justified in taking whatever steps were necessary to “deal with” illegal and pornographic content appearing on China’s Internet domain. The implication of that statement is that China asserts its rights to delete content that appears on servers in the state-run .cn domain. As the Chinese government admitted last January 12, the same day Google announced it had been attacked, it perceives the .cn domain as Chinese territory, and asserts the right to delete material from servers directly, even though 90% of servers in the .cn domain, by the government’s own estimate, reside in the US.

China did not go into any detail about how it goes about deleting material on US servers. But one theoretical mechanism for doing so could be an encrypted communication system implanted on those servers by way of a Trojan — something that clearly fits Hydraq’s profile.

In an unsigned op-ed issued through Xinhua yesterday, the country’s state-run press service said, “Necessary regulation of the Internet is a consensus of the entire international community for the sake of healthy development of the Internet. No responsible country takes a laissez-faire attitude towards the use of the Internet.” The statement went on to cite Microsoft CEO Steve Ballmer’s recent comments that his company, among others that do business with China, is bound by China’s laws and customs. “The US move to make Internet freedom an issue just indicates its continued application of double standards,” the Sunday op-ed concluded. “People just wish that the United States will respect facts and treat others equally. It is not acceptable for someone to assume for themselves the high moral ground and arbitrarily make baseless charges against others.”

The following day, China’s latest statement cited the country’s own counterpart to the Internet Society as saying cyber attacks on China from abroad increased some 148% from 2008 to 2009, including attacks from the Conficker worm, which it suggested was a foreign agent.


Open source mapping software meets the enterprise

by on Jan.27, 2010, under Betanews

The Open Planning Project (TOPP) is a nonprofit organization that advocates the use of free and open source software in the public sector, and for more than ten years, TOPP’s OpenGeo initiative has worked on creating an open environment for sharing geospatial data. Its principal product, GeoServer, is a free Java-based Geographic Information server built on open standards which lets users share and edit public geographic data.

Following the GeoServer 2.0.1 update that was released last week, OpenGeo today released OpenGeo Suite Enterprise Edition 1.0, the complete package of open source mapping software that OpenGeo will professionally support.

The suite includes GeoServer, the group’s geospatial data and map server, GeoWebCache (map accelerator), OpenLayers/GeoExt (UI Libraries), GeoExplorer (browser-based map composer and publisher), Styler (map editor), Recipe Book (code samples), and Dashboard (admin system for using all the components).

“Up to this point, we have concentrated on clients already adept at downloading, integrating, and using the pieces of the Suite,” OpenGeo’s Paul Ramsey wrote today. “With version 1.0, anybody can start publishing their data and building applications right out of the box.”

“As an organization, we want to democratize mapping,” Ramsey continued. “That means offering tools available under non-discriminatory legal terms, like open source. It also means lowering barriers so that more people can use, build, and grow these tools…Version 1.0 is the first step in a long journey, but we know where we are going. Every day we ask ourselves: can we make our product easier to use? can we make it easier to learn? can we make it easier to try?”

OpenGeo is offering a 30-day free trial of OpenGeo Suite Enterprise Edition for organizations looking to try out the fully-supported Web mapping software. As always, OpenGeo Suite Community Edition is free to download and use.


Twitter couldn’t save Brangelina

by on Jan.27, 2010, under Betanews

I’m not one to follow the lives of celebrities. I don’t watch TMZ, and the very sound of Entertainment Tonight’s Mary Hart’s voice is enough to make me nauseous. I turn my head as I walk past the supermarket tabloids in the checkout aisle because I couldn’t care less who Jennifer Aniston is dating this week or that Elvis was spotted in a rural Kentucky laundromat. I’ve got better things to do with my life than wonder how many more kids Angelina Jolie and Brad Pitt want to adopt or when she plans on getting another tattoo.

For all my celeb-fatigue, though, I found it interesting this past weekend when I first learned about the Brangelina supercouple’s separation not from television, radio, or a newspaper, but from my Twitter feed. After I sarcastically retweeted the supposed news, I heard from a number of friends that they, too, had gotten the news from online sources.

Things are tough all over. And tougher here.

While the recession ravaged businesses in all sectors, it’s been particularly brutal if you work in conventional media. Long in decline because of the industry’s general inability (or unwillingness; I’m still trying to figure out which one is more true) to adapt to the growing influence of online tools on how we learn about the world around us, so-called traditional media outlets have especially taken it on the chin during the recession. That’s because the advertisers who drive their major source of revenue have reined in their own marketing budgets. Well, the lucky ones have. The unlucky ones no longer exist.

So instead of reading the newspaper, we custom-build our RSS feeds and hoover them wherever we happen to be — desktop, laptop, mobile device, game console, whatever. We’re no longer stuck waiting for our favorite television shows to be delivered via conventional broadcast. Instead, we watch them online. Radio was bypassed years ago when we began using iTunes to program our own playlists instead of relying on some anonymous program director to do the same thing.

In every case, the Internet has turned us into masters of our respective media domains. While conventional media routes control of the message through relatively few gatekeepers who shape the message for the masses, new media hands that control over to us. Katie Couric is no more the sole source of breaking news from Haiti than Mary Hart is the only place we can learn about Brangelina.

Social media vs. Mary Hart

Conventional media’s monopoly over the flow of information and advertising dollars is crumbling. Or, to put it in headline form for Mary Hart’s teleprompter: The entire industry is cooked. If television, which used to be a license to print money, no longer has the sure-fire ability to suck in millions of viewers and connect them with advertisers willing to pay for that connection, Mary Hart and Katie Couric won’t be the only televisionistas headed for the unemployment line.

Those Web 2.0 — or, dare I say, Web 3.0 — tools that readers of sites like Betanews have been using to Tweet and Facebook each other for the past couple of years have evolved into de facto communication platforms in their own right. While my tech-Luddite in-laws may laugh at the thought, it is indeed possible to cut off all conventional television, radio, and newspapers and get all your news from new/social media sources.

Next week, a group of journalists will do exactly that, living in a farmhouse in the French countryside and using only social media tools to cover their respective beats. No conventional media allowed. The project, “Behind Closed Doors on the Net,” runs from February 1 through 5, and should reinforce social media’s transition from neat way to keep in touch into a powerful, real-time information medium. I’m sure when all is said and done, sipping from the media spigot through exclusively new media channels won’t pose any obstacles to news gathering. And if social media tools are good enough for professional journalists, they’ll be good enough for regular consumers, too.

A case of unfortunate timing

If only it were that simple, then every conventional media outlet on the planet would have long ago adopted the tools of new media and we’d still be relying on publishers and broadcasters for real-time news. But things rarely transition smoothly in any industry, especially those too resistant to change for their own good. Even if Twitter’s a better real-time means of learning the size, shape, and theme of Angelina’s newest tattoo, it’s a scary business model (for now, at least) because advertisers haven’t bought in just yet. So while the new tools are home to growing legions of engaged, motivated audience members, they’re not anywhere near capable of replacing the money lost by advertisers no longer content to pay premium rates for conventional media audiences who no longer exist because they’re all Facebooking and Twittering.

Welcome to today’s Social Media Catch-22.

[Image: A morphed photograph of Brad Pitt with Angelina Jolie. Courtesy MorphThing.com]

Like most of the rest of the world, I have no idea how Brangelina’s split will play out, and I don’t much care either way. But that’s not the point. While the subject of a celebrity breakup is shallow to the extreme, I nevertheless find it fascinating to watch through the lens of social media. How we learn about everything around us — from relief workers tweeting from the front lines in Haiti to politicians blogging from the seat of power to journalists updating their Facebook pages from the anchor’s desk — is evolving almost as fast as the tools themselves. And unless Mary Hart learns to tweet for real, the scoops and the advertisers that come with them will become fewer and further between for her and others like her.

Fruity pebbles

The emergence this week of a new offering from Apple — which could, depending on who you listen to, be a tablet, a slate, or a Star Trek tricorder-like device — adds yet another wrench. If the form factor, content payment-and-delivery model and carrier/publisher partnerships pan out as the universe says they must, conventional media will end the week either saluting Apple as its savior, or blaming it for the industry’s eventual demise.


Early LTE deployments are no faster than HSPA, says report

by on Jan.27, 2010, under Betanews

It appears that the United States isn’t the only place where broadband performance in the real world is vastly different from the performance promised by carriers in advertisements.

Leading Scandinavian mobile network operator TeliaSonera AB launched the first two commercial 4G wireless networks based on LTE in mid-December. On the company’s Web site, the service is being billed as “10 times faster than 3G,” with downlink speeds of up to 50 megabits per second.

Management consulting firm Northstream has been testing the Swedish LTE deployment with the new Samsung LTE USB modem, and as we’ve seen in the past, the real-world results aren’t quite as amazing as the promises made by the service provider.

“Our immediate reaction is that the browsing experience was rather good, probably thanks to the low latency compared to 3G networks,” the company’s blog says. “But the throughput measurements were sort of a disappointment after countless tests (with www.bredbandskollen.se), of which many were performed outdoors to eliminate any problems related to indoor coverage, never exceeded 12 Mbps in downlink. More impressive in that case was the 5 Mbps uplink. But what really reminded us of the early days we’re still in were the rather frequent drops in service, even at locations where the signal strength indicators were maxed out just a second earlier.”

Though Northstream is very forgiving of the network’s early performance issues, the company ultimately says, “The complimentary HSPA modem that was included in the LTE deal…actually provides similar peak rates as LTE but without the drops.”


Microsoft Office is obsolete, or soon will be

by on Jan.27, 2010, under Betanews

This month’s Office 2010 retail pricing announcement and ongoing discounts for Office 2007 Home and Student are Microsoft’s tacit acknowledgment that the productivity suite isn’t as valuable as it once was. Office is tracking a course of unplanned obsolescence and the inevitable end shared by oh-so many other products: Commoditization. Desktop productivity suite commoditization is inevitable, and it is a force that Microsoft can resist but not stop. Additionally, Microsoft faces a fundamental shift in what content people create and where. Commoditization and the emerging mobile device-to-cloud services applications stack are Office killers.

I’ll ask upfront: Do you really need Microsoft Office on a daily basis? Is Office vital to your work day? Do you use it at home? If you use it at work, how often? If you use it at home or for college, how often? Please respond in comments.

My answers are easy. I don’t use Office at all. The software isn’t installed on my laptop. The only scenario in which I could envision regularly needing Office is legacy business — where an employer had built up infrastructure around the productivity suite or had bought into Exchange, SharePoint or other Microsoft server products. These products favor the enterprise applications stack and older ways of doing business. But in a Web-connected world, Office’s value diminishes. The pressing question: How low can Office’s value go, and how soon?

Microsoft Office Pricing Trends

Four pricing trends show how Microsoft is finally acknowledging Office’s declining value:

  • With Office 2010, the removal of retail upgrade SKUs
  • Product key card purchases for Office preloaded on new PCs
  • The enormous retail success of Office Home and Student Edition
  • Microsoft’s development of Office Web Apps, which consumers get for free

These four trends share one thing in common: Price cuts on Office. The first two trends are related. To a question about upgrade pricing, I got this response from Microsoft’s PR agency:

When it came to upgrade pricing, we looked at how people are using and buying Office and found two things: 1) Not a lot of people were buying the upgrade. 2) When people do buy a new version of Office they do it with the purchase of a new PC. Due to this, the majority of retailers did not sell Office upgrades off their shelves.

Under the new pricing scheme, PC buyers will have the option of purchasing a license key for the pre-installed Office trial version. Office Home and Student 2010 will cost $119, instead of the $149 box retail price. Office Home and Business: $199, instead of $279. Office Professional: $349, instead of $499. PC buyers electronically purchase Office, which is unlocked using a code key. Significant pricing change: Retail copies of Office 2010 Home and Business, Professional and Professional Academic will now come with two licenses, which is a huge discount over the current one-license approach. However, digital activations for pre-installed Office will come with one license. Either way, whether digital or retail pricing, Microsoft is considerably discounting Office.

Office Home and Student is indicative of a longstanding downward pricing trend. As Microsoft’s PR e-mail response acknowledged: “We’ve never offered an upgrade price on Office Home and Student, which is the number one selling version of Office in the retail market.” I’ve written that story several times over the last eight years, most recently in an August 2009 post: “Office Home and Student accounts for 85% of US Office retail share.” Office Home and Student 2007 retails for $149.95 and packs licenses for use on three PCs. Microsoft regularly discounts the software to around $100 at its online store. Amazon currently offers the software for $100.99. Office Home and Student 2007 was available most everywhere for around $100 on Black Friday. The result, according to a blog post by Rachel Bondi, general manager of Microsoft Office: “Office Home and Student was the number one selling PC software product — including games! — at retail in the U.S. during the week of Black Friday 2009.”

What then is the value of Office for most consumers or small businesses? As much as $50 per copy. It’s interesting that Google Apps is free, or $50 a year per user for the Premier Edition; it’s no coincidence. Speaking of Google Apps, there is Microsoft’s planned release of Office Web Apps, which will offer lots of productivity applications value for free, for those users willing to put up with ads. Microsoft will charge, too. But I’ll save further discussion on Office Web Apps for later in this post.

Microsoft’s Commoditization Problem

Some Betanews readers will wonder why the heck I’m not praising Microsoft for all this massive discounting. The reason for the discounting is the answer. For years, Microsoft has kept Office pricing fairly stable, mainly because of its monopoly power. The company has long controlled an applications stack extending from Office to Windows to server software. Since Office vanquished WordPerfect in the mid-1990s, no productivity suite could compete. But competitors emerged after all — the incorporation of productivity suite features into other products consumers and small businesses regularly use, and the emergence of a new applications stack around different content types.

Word processing reached commodity status years ago, as more applications incorporated the basic formatting features most people use more than 90 percent of the time. No external wordprocessing program is required to blog, e-mail, instant message, tweet or post to social networks like Facebook. Be honest, how much of the writing you regularly do requires a dedicated wordprocessor?

Word is the default editor for Outlook, but how important is the e-mail program anyway? As previously mentioned, Office Home and Student is the top-selling version of the commodity suite at U.S. retail, and it doesn’t include Outlook! Sure, many businesses with Exchange Servers demand Outlook, but Outlook Web Access demonstrates how few of Outlook’s features most workers really need. Looked at differently, when blogging services like Posterous allow people to blog by e-mail — meaning the formatting capabilities are enough — how necessary then is the wordprocessor?

What is Excel, or any spreadsheet, really necessary for? Sure, lots of business people use spreadsheets for data analysis, but what is the need for consumers or even small business owners? Many financial products or services, like Quicken or QuickBooks, put a friendly face on spreadsheets; that’s a different but still relevant kind of commoditization. Most banks or investment establishments offer desktop software — or more often cloud services — for tracking finances and investments. My bank offers granular details, in pie charts, about where I spent my money and how much. The Web service eliminates any need for managing finances with Excel.

What about PowerPoint, then? For most consumers and small businesses, photo slide shows are presentation program enough. For many enterprises, collaboration applications are subsuming PowerPoint capabilities.

Among mid-size businesses and enterprises, commoditization follows two different tracks: Adoption of Web services and using Office versions for longer periods. Based on combined analyst reports and my own conversations with IT professionals, enterprises typically wait four or more years between Office upgrades. Microsoft had a good run with Office 2007, whose user interface exposed many features previously hidden from business users. In a January 2008 Microsoft Watch blog post, I asked if Office 2007 would be a one-hit wonder. Reasoning: With the Ribbon interface, v2007 will be good enough for most businesses to skip the next Office version or the one after.

Microsoft has been trying to keep Office relevant to businesses by integrating more features with server software and thus extending capabilities beyond core functionality into areas like business intelligence. Meanwhile, the aforementioned Office Web Apps will be yet another effort at extending Office’s utility to cloud services, but presumably for lower cost than what many businesses pay today.

Microsoft’s aforementioned pricing changes are evidence enough of Office’s declining value. As a typical product commoditizes, pricing usually drops. Office is the longtime exception because of Microsoft’s twin monopolies. But commoditization is finally taking its toll, along with the shifting applications stack.

New Applications Stack Reaches Higher

The new applications stack, which is outside of Microsoft’s monopolies, is mobile device to cloud service. This application stack also is more in sync with the kind of content most popularly produced outside of large corporations: Blogs, photos, videos, tweets and social network postings, among others. These content types have little or nothing to do with wordprocessing, spreadsheet or presentation applications.

As significantly, mobile applications usurp the need for productivity applications, by extending their utility to specific needs such as Facebook sharing, entertainment, mobile finance, search or personal communications. No Office is required. The people who download applications from Apple, BlackBerry, Google, Nokia, Palm or even Microsoft mobile app stores don’t need Office — or Windows, for that matter. These applications are lightweight and many are Web connected.

According to combined analyst reports, there are 4.6 billion cell phone subscribers worldwide, with about 1.3 billion new mobile phones shipped every year. By comparison, the entire PC installed base is just over 1 billion. The mobile handset market dwarfs the PC market by 4.6 times. Granted, IDC asserts that the mobile Internet is only 450 million users, which is expected to top 1 billion by 2013. Pew Internet predicts that by the end of the decade cell phones will replace PCs as primary Internet devices.

Then there are new devices, like Apple’s over-hyped, rumored tablet or ebook readers like Amazon Kindle, Barnes and Noble Nook or Sony Reader. As the mobile Internet install base increases, natural user interfaces will further supplant productivity suite functionality. For example, Google’s Android 2.1 mobile operating system has a voice-to-text feature that works remarkably well. On the Google Nexus One, I can easily dictate e-mails, text messages and even blog posts. No keyboard or wordprocessor is required.

For me, Microsoft Office already is obsolete. The question remains: When will Office be obsolete for you?


The Internet Explorer fracas: Let’s find something else worth dumping

by on Jan.27, 2010, under Betanews

Fair warning, everyone: What follows is my opinion. Given the propensity of opinion traffic on the Web, I shouldn’t have to say this: It truly is my opinion. Nothing to which I attach my byline or my face has been adjusted or colored in order to more thoroughly polarize my characterization of the subjects I cover, or to agitate your feelings so as to prompt you to post comments.

In fact, in all sincerity, I realized long ago that I’m not a very polarizing figure, I’ve accepted that fact, and I’ve come to embrace it. The art of persuasion, I was taught centuries ago, was developed with the aim of getting other people to agree with you. I’d like to get a hold of the person by the tea bags who came up with this notion that popularity must be driven by populism, which in turn can only be generated through agitation, anger, and outrage, hoist him onto a flagpole, and tell him flat out, “Rush, Americans are smarter, more sensible, wiser, and more capable than you think they are or than you would have them become.”

So the dozens of you who came into this article expecting the Boston Tea Party may end up being disappointed. This article is not so much to stir up debate as to relieve a headache. For that, you may accuse me of being self-serving, with my permission.

The problem in front of us

There is nothing about the architecture of the delivery mechanism for the Hydraq exploit — the one that rang alarm bells at Google — that is so particularly novel that it would prevent Windows users with the requisite amount of everyday vigilance from avoiding it. If what Google appears to be saying is accurate, the original attack was not directed at the general public anyway. Nonetheless, the release of a version of Hydraq’s source code by a researcher to the general public earlier this week probably did more to make the general public vulnerable than the original attacker did.

Only in America, perhaps, will you find someone who’s not only paranoid of being blown up by a bomb from the Chinese Communist Conspiracy, but has no problems with the idea of divulging how You, Too, can build your own at home and try it yourself.

I’m attaching my latest podcast to this article, and it’s directed toward everyday users who may or may not be technically-minded. I invite you to share it with your friends, colleagues, and relatives who may have been alarmed by some of the general press coverage of the Google attack. It talks about a problem and its solution.

Anyone who has become a victim of the Insecurity Hype Machine, as perpetuated by local TV news, should listen to this latest edition of the podcast. There are days when local TV news is more of a burden than a service: “It’s the cold war all over again, this time in cyberspace! Google is saying China is attacking American servers! Are your PC and all your files at risk? We’ll tell you in a minute, but first, here’s this week’s Adopt-a-Cat.”

[Image: ‘The international Chinese Communist conspiracy,’ as envisioned by legendary Monty Python animator Terry Gilliam.]

One really big problem we face — certainly a subject for a separate article — is that publishers of media of all types do not believe they can capture the public’s attention for any longer than a minute without promising you a slice of Armageddon.

Hype is an insipid beast. It inflates the magnitude of the smaller issues facing us, it takes our attention from the larger issues we should be concerned with, and to an unappreciated degree, it thrives on a certain amount of automation. Like a David E. Kelley series, a bit that catches the public’s attention one week can be rerun the next week even if it doesn’t fit the real direction of the plot. When a security engineer discovered a way for new code engineered to look like old code (so that it gets run in a compatibility mode) to pretend to be part of the BIOS, and thereby bypass the privilege normally needed to learn how the operating system randomizes addresses using ASLR, the dusted-off headlines last Wednesday (which look about as stupid as yet another kooky “Boston Legal” character) called this a “14-year-old browser flaw.”

To me, that’s like saying an atom bomb is an exploit in the wild for a trillion-year-old flaw in atoms.

We don’t do ourselves any service when we fail to address problems for what they are. (Please feel free to cc: the previous sentence to the Democratic National Committee.) A security engineer discovered that code that looks old can be manipulated in a new way so that it bypasses the new restrictions imposed by ASLR. It’s a significant defect in Windows: not in a Web browser, but in Windows itself. But unlike the Google attack, this isn’t an active exploit, not yet. To make an active exploit based on this discovery, someone has to wrap it in the usual “exploit toolkit” package, probably the same class of package in which Hydraq was deployed. And thanks to the irresistible urge among certain individuals to make problems public rather than fix them before they hurt the public, Microsoft must now race against the usual Boys in the Basement to produce a fix before someone, six or seven or eight days from now, produces a “0-day.”

Regardless of the sophistication of this newfangled method for tearing old code down, the method itself cannot work unless we let our guard down by turning off the very feature (ASLR) that the method is designed to defeat. It’s like a bomb for a bank vault door that only works from inside the vault. Say what you want about the stupidity of Windows architecture throughout the 1990s, but a bomb that can only blow the doors off a barn whose doors are already open sounds like something from a Bugs Bunny cartoon.

If this type of stuff — a stealth remote controller that only works on technology from the last Ice Age, and a bomb that only blows down open structures — is all that’s necessary to make us hoist the flag of revolution and start dumping our Web browsers in the river, then we are seriously overdue for a diaper change.

Next: The problem that should be behind us…


Google’s deal with the devil: Declaring war in China while competitors wimp out

by on Jan.23, 2010, under Betanews

I was just old enough to remember, and appreciate the significance of, the Tiananmen Square Massacre in 1989. The iconic image of a dissident standing defiantly in front of a column of People’s Liberation Army tanks is as powerful today as it was when we first saw it.

Back then, activists fighting for greater freedom used surreptitiously acquired fax machines to get the word out to the rest of the world. It was an early sign that technology held the potential to undercut control-freak-government efforts to stifle free speech. Now that the Internet has taken over as the platform of choice for Chinese freedom-lovers and freedom-crushers alike, the battleground has shifted irrevocably, and the autocratic Chinese government hardly has enough political officers to keep its spy game machinery in balance.

That doesn’t mean it isn’t trying, however.

It all begins to unravel 

Four years after it launched its google.cn search service in China, Google now finds itself staring down the gun barrel of that proverbial tank. At the time (and ever since, if we’re picking nits) the company was derided for censoring search results in accordance with limitations imposed by the Chinese government. Google justified its decision then by saying this is the price foreign firms must pay if they wish to do business in China. 

That all changed earlier this month. On January 12, just after discovering an unprecedented cyber attack on its services and users, the company published the following on its blog:

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results.


Fair enough, and from where I sit, it was a Hobson’s Choice that the “Don’t Be Evil” company has balanced quite nicely these past four years. Google made a deal with the devil with its eyes focused intently on a bigger picture that envisioned delivering greater access to class-leading Internet Web services for Chinese citizens. It held its nose the entire time, confident its move would eventually spark greater freedoms in a country where the government’s definition of the word differs from that used elsewhere.

History's most iconic living symbol of the individual's stand against government oppression: one brave Chinese citizen against a column of tanks. 

We won’t directly accuse the government, but…

After revealing that its systems had been hacked and it would enter into discussions with the Chinese government (and possibly exit the Chinese market entirely if things weren’t resolved to the company’s satisfaction), Google didn’t specifically accuse the Chinese government of backing the attacks. But it’s fairly clear to anyone reading between the lines that Google believes the Chinese government was trying to take its censorship deal with Google to places never envisioned four years ago.

Simply put, no one outside the Chinese government has access to the scaled resources necessary to mount attacks of the magnitude uncovered by Google. Never mind the fact that the Chinese government stands virtually alone in having a motive to spy on human rights activists and their sympathizers in the first place.

The fact that Google is willing to walk away from the largest, fastest growing Internet market on earth — it grew from 10 million users a decade ago to 340 million today — just before it starts generating world-beating revenue, speaks volumes about how its corporate ethics have evolved since google.cn went live in 2006. Although Google plays second fiddle in Chinese search (31% market share to Baidu’s 60%) it remains well ahead of Yahoo and Microsoft and stands positioned to cash in on its strong-second position as this market matures. It’s all potential from where Google sits, so its threat to take its ball and go home should send a message to competing tech firms that deals with devils ultimately have limits.

Not everyone gets the message, however. Microsoft, which in December referred to China as “the most important strategic market,” shows no signs of growing a spine. CEO Steve Ballmer told CNBC, “We’ve been quite clear that we are going to operate in China, (and) we’re going to abide by the law.” I guess “abide by the law” makes it sound palatable, even if “the law” is little more than an autocratic edict designed to suppress the actions of freedom-seeking Chinese citizens.

At least Microsoft has company in the “Do Some Evil” camp. Yahoo, an organization that apparently never met a Communist regime it didn’t like, happily filtered its search results before hooking up with Alibaba in 2005. After buying 39% of the Alibaba partnership, Yahoo made headlines later that year when it delivered material from Shi Tao, a journalist, to the Chinese regime. Mr. Shi was subsequently convicted and is now serving 10 years in prison.

I’m sure leaders of both companies are sitting on pins and needles as they wait for the outcome of Google’s negotiations with Chinese authorities. I’m certain they’d be beside themselves with glee if the company that’s kicked their Web services tail in virtually every international market decides to abandon this one. I’m certain their PR minders will find ways to soft pedal their cozy relationship with the Chinese government in light of the Google hacking.

Principle over profits

While the end result remains a great unknown, the fact that a profit-seeking American company would put its most promising growth market on the line over a fundamental issue of freedom and security, and be willing to duke it out with the world’s most powerful Communist government, should be an eye-opener for any Western firm thinking of doing business in a country where freedom remains something of a four-letter word. Compromises made in the interest of maintaining a guiding presence in the market mean little if the government ultimately chooses to bulldoze its way to confidential data after a few years have passed.

Even if you have no business in China, ask yourself which company you’d trust with your data: the one with a spine, or the one that gives Communist officials anything they’re looking for? In the end, what happens in the Far East may very well dictate what happens here, and who deserves to prevail as Web- and cloud-based services continue to creep into the mainstream.


EU clears Oracle + Sun: If MySQL fails, there’s always PostgreSQL

by on Jan.23, 2010, under Betanews

In green-lighting Oracle’s proposed acquisition of Sun Microsystems today, the European Commission says it considered whether in doing so, Oracle would effectively eliminate the “competitive constraint” of competition from the open source field by way of MySQL, the open source relational database that Sun acquired in 2008. That acquisition gave Sun its first competitive database product; but Oracle already has one of the leading commercial entries.

The conclusion the Commission reached today is a surprising one, especially from Competition Commissioner Neelie Kroes just days before a planned Commission-wide job swap. Kroes had been seen as a protector of the interests of open source alternatives as a plurality. But in today’s decision, the EC implied that the open source field only needed one active competitor to be relevant. If that competitor for some reason stops being MySQL, it announced, then PostgreSQL can step in and fill its shoes.

“The Commission’s investigation showed that another open source database, PostgreSQL, is considered by many database users to be a credible alternative to MySQL and could be expected to replace to some extent the competitive force currently exerted by MySQL on the database market,” reads this morning’s EC announcement.

EnterpriseDB, the company behind the Postgres Plus line of commercial databases built on PostgreSQL, last year built onto its previous work with Postgres Plus with its own enterprise-class alternative. Last year, EnterpriseDB CEO Ed Boyajian made the case that Oracle’s Sun buyout could end up fracturing the MySQL community. That would be perfectly fine with EnterpriseDB, which positions Postgres Plus as an alternative not to MySQL but to Oracle.

A second, equally surprising conclusion emerged from the EC today: because MySQL is open source, the EC concluded, Oracle’s acquisition of its management would not necessarily mean that it acquires the intellectual property of the database. Thus open source developers outside Oracle could feasibly pick apart the remains of MySQL, even if Oracle were to stop producing it, and make it into something else that is potentially as competitive.

Or as the EC put it in its announcement today, “In addition, the Commission found that ‘forks’ (branches of the MySQL code base), which are legally possible given MySQL’s open source nature, might also develop in future to exercise a competitive constraint on Oracle in a sufficient and timely manner.” The Commission may have been referring indirectly to MariaDB, a derivative of the MySQL 5.1 codebase under development by MySQL co-founder Michael Widenius. That derivative now also includes a storage engine plug-in called XtraDB, which replaces MySQL’s InnoDB storage engine, a component that Oracle acquired way back in October 2005.

Widenius’ apparent mission: make his database a completely transparent replacement for MySQL that is also independent of anything that could eventually, even partly, be considered Oracle’s IP. Last December, in a last-ditch effort to block the merger and, in his view, save a chunk of the Internet, Widenius pleaded with Internet users to make their voices heard as part of his Save MySQL effort. He claimed at the time that the effort was responsible for some 10,000 letters sent to the EC, 99.3% of which were in opposition to the deal.

“Oracle is the company that has the biggest market share in revenues for databases in all customer markets/segments,” Widenius wrote at the time, in a post entitled “Help keep the Internet free.” “MySQL is the database with the highest number of installed units in all markets (except in the high enterprise market where it has only a medium size unit share). If Oracle were allowed to buy MySQL then Oracle would almost be in a monopoly position in many market segments.”

Sadly for Widenius, his MariaDB brainchild may have been the undoing of Save MySQL. The Commission apparently concluded that projects like MariaDB are healthy enough to sustain the competitiveness of open source against Oracle, even in the absence of MySQL. In the EC’s view, open source only needs one competitor — as though rather than a unified community, it’s a single corporation.

The EC also concluded that with respect to Java — Sun’s other principal product — a sufficient oversight body of independent developers is already in place to provide the checks and balances necessary against any attempt by Oracle to restrict the licensing for Java developers.

In response to today’s news, Oracle has planned something of a celebration. On January 27 (since no one else at Oracle had anything planned that day, apparently…no other big premiere to attend, for instance), CEO Larry Ellison has planned a five-hour event at its Redwood Shores headquarters, where the company says he will unveil his completed “industry-in-a-box” strategy for hardware, middleware, and software.


Newly released Windows fix addresses both new and old IE browsers

by on Jan.23, 2010, under Betanews

Over the past few days, security engineers have warned that variations of the publicly released Hydraq exploit are being engineered for later versions of Internet Explorer than the one targeted in the recently discovered wave of attacks against Google and others, IE6. One security researcher on the “good side,” Dino Dai Zovi, claimed on Twitter earlier today that he has a functional derivative of Hydraq for IE7 and IE8…kind of. To make it work, at least one of two of the security features Windows Vista and Windows 7 are known for, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), has to be manually turned off first.

Still, the nearness of such an exploit to reality prompted Microsoft to release its out-of-band security update today, as promised yesterday, for IE6, IE7, and IE8. Separate update packages are currently being deployed through Windows Update, and are available for download now.

Microsoft Senior Security Program manager Jerry Bryant informed Betanews just moments ago that as of this moment it has only seen evidence of actual Hydraq attacks in the wild targeting IE6. However, as Bryant warned customers in a blog post yesterday, more than the Web browser may be theoretically vulnerable.

Specifically, earlier versions of other Microsoft software that use the mshtml.dll rendering library to display HTML e-mail, including Outlook, Outlook Express, and Windows Live Mail, could be vulnerable if users have changed their default security settings (for instance, by enabling ActiveX controls). Those users are not vulnerable, Bryant said, if their security configurations are left in their recommended states. Outlook 2007 uses a later version of the library, Bryant said, and is therefore not immediately vulnerable at all.

However, if mutants of Hydraq that work on IE7 and IE8 are ever exploited in the wild, users without today’s IE patch installed (which addresses this shared rendering library as well) could be in trouble. Until very recently, third parties answering reader and customer troubles about software incompatibilities have advised them to turn DEP off.

Sometimes the problem itself didn’t have to be explained in detail; publications and services have advised, turn DEP off and see if that works. “User who facing problem when using Office applications can use the following trick to turn off and disable DEP for Office applications,” reads a post on MyDigitalLife.info dated last August.

Microsoft, of course, continues to suggest that DEP remain turned on, stating that any software incompatibilities users may face are much less serious than being exposed to a critical exploit.

As Dino Dai Zovi told his followers on Twitter earlier today, “Right now, my exploit works against IE7 on Vista with ASLR but no DEP, but not against IE8 with ASLR + DEP.” Later, he added, “My exploit works on all IE targets with none of, or one of, DEP and ASLR, but not when both are in use.”
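The two mitigations Dai Zovi’s results hinge on are, on Windows Vista and Windows 7, largely per-image opt-ins recorded in the executable’s own header: the loader only randomizes a module’s base address if its PE header sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, and under the default “OptIn” DEP policy for 32-bit processes a program only gets DEP if its executable sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT (or the process asks for it at runtime). The following script is an added example written for this article, not code from Betanews, Microsoft, or Dai Zovi: it reads those two flags straight out of a PE header so you can tell which binaries on a system are relying on the protection that the “turn DEP off” advice removes. The headers-only sample image it builds for itself is constructed for the demonstration and is not a runnable executable.

```python
"""Read the ASLR and DEP opt-in flags from a Windows PE header.

Added example for this article (not Betanews or Microsoft code).
Walks IMAGE_DOS_HEADER -> PE signature -> IMAGE_FILE_HEADER ->
IMAGE_OPTIONAL_HEADER and reports the two DllCharacteristics bits that
the Vista/Windows 7 loader consults for per-image ASLR and DEP.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased: ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible: DEP opt-in
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 0x46  # same offset in PE32 and PE32+ optional headers


def pe_mitigations(data: bytes) -> dict:
    """Return {'pe32plus', 'aslr', 'dep'} for a PE image held in memory.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2 or len(data) < opt + size_of_optional:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + DLLCHARACTERISTICS_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations the image does NOT opt in to, e.g. ['ASLR']."""
    flags = pe_mitigations(data)
    return [name for key, name in (("aslr", "ASLR"), ("dep", "DEP")) if not flags[key]]


def build_minimal_pe(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed sample input: a headers-only PE image (not a runnable executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 0x40 bytes
    optional = bytearray(0xF0 if pe32plus else 0xE0)                  # standard sizes
    struct.pack_into("<H", optional, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dllchar)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       len(optional), 0x0002)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:          # e.g. python pe_flags.py iexplore.exe mshtml.dll
            with open(path, "rb") as f:
                image = f.read(4096)       # headers only; enough for the optional header
            print(path, pe_mitigations(image), "missing:", missing_mitigations(image))
    else:
        sample = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NX_COMPAT)  # DEP yes, ASLR no
        print("constructed sample:", pe_mitigations(sample), "missing:", missing_mitigations(sample))
```

Two caveats when reading the output. The system-wide policy overrides the header: `bcdedit /set nx AlwaysOff` disables DEP for every process no matter what its flags say (and `bcdedit /enum {current}` shows the current `nx` setting), which is why the blanket “turn DEP off” advice is worse than a per-application exception. And the header is not the whole story for IE8, which turns DEP on for itself at runtime through SetProcessDEPPolicy rather than by setting NX_COMPAT on iexplore.exe, so a missing NX_COMPAT bit on that one executable does not by itself mean the browser is running without DEP.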

Although Hydraq’s payload — a veritable communications platform for stealth intellectual property theft — is one of the more sophisticated such payloads that some security researchers have encountered, the package it’s delivered in has been said to be not sophisticated at all. That could be one reason why Microsoft was able to patch this problem so quickly, just two weeks after Google apparently notified Microsoft of its existence.

For better or worse, the source code of a version of Hydraq (which may or may not be the version used in the Google attack) was released last week by students working with the Wepawet malware analysis service, at the University of California at Santa Barbara. Marco Cova is one of those students. This morning, Cova told Betanews that the lack of sophistication necessary for Hydraq to deliver its sophisticated stealth service, should itself be considered sophisticated.

“I would say that the attack was technically sophisticated, mostly because, as far as I know, it was targeting a previously unknown vulnerability, rather than using one of the well-known exploits that are implemented in popular exploit packs,” Cova told us. “The attack techniques themselves (the shellcode injection, etc.) are well known; so the novelty here would be knowing or finding what to attack rather than how to attack.”

Addressing the possibility that Google’s attackers chose IE6 not out of convenience but because they knew what systems they would be attacking, Cova said, “An attack may be sophisticated from points of view other than the technical one. For example, an attack may be sophisticated because it leverages sophisticated knowledge of its targets (who is to be targeted, how, etc.). Whether this is the case may be better assessed by somebody at Google.”
