Oracle: 11g Express Edition 'a year or two' away

It may be "a year or two" before Oracle releases a no-cost Express Edition (XE) of its 11g database, according to Andrew Mendelsohn, the company's senior vice president of database server technologies. That's because Oracle is going to wait until after the first patch set ships for 11g Release 2, which was launched in July, Mendelsohn said in a brief interview following a speech at Oracle's OpenWorld conference in San Francisco on Monday. Oracle took the same approach with the current 10g Express Edition, according to Mendelsohn, who oversees database development at the vendor.

Developers and ISVs (independent software vendors) prize XE because it includes many core features, and allows them to prototype, deploy and distribute applications without any licensing costs. However, XE is limited to 4GB of user data, 1GB of memory and a single CPU, and is available on only 32-bit Windows or Linux systems. Users with greater needs would need to upgrade to a paid database version such as Standard Edition. IBM and Microsoft also offer certain versions of databases at no cost. Some Oracle database administrators believe there is a deliberate reason for the protracted rollout. "It's an approach that ensures that adoption is nil," said Paul Vallée, founder of the Pythian Group, a database management outsourcing company in Ontario, Canada. "I don't think they're interested in adoption. ... I think they have to have it out there just for maybe a check box, just to maybe say they have a free edition."

Oracle simply isn't "gunning for market share in the free database segment," Vallée added. "If they were, the strategy would be to release this exactly the way it is and then sell support and commit to patch sets for it." That is essentially the model Sun Microsystems has used for the open-source MySQL database. Instead, Oracle wants lower-end customers to use a paid version of the database, such as Standard Edition One, said Pythian Group CTO Alexander Gorbachev. A Standard Edition One processor license costs $5,800, according to Oracle's latest price list. Oracle is attempting to buy Sun Microsystems for US$7.4 billion, but the deal is on hold while European officials conduct an antitrust review. It's unclear how the arrival of MySQL will affect XE, or any other aspect of Oracle's database strategy, Vallée said. Oracle plans to increase investment in MySQL, CEO Larry Ellison said during a keynote Sunday.

Gmail, Yahoo Mail join Hotmail; passwords exposed

Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC. Microsoft, for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail. The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. The latter two are major U.S. Internet service providers. Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC. "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network. "As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them." Neither Google's nor Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.

Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live blog. Microsoft posted an online form where users who have been locked out of their accounts can verify their identity and reclaim control, and also pointed users to a support page from October 2008 that spells out steps users can take if they think their accounts have been hijacked. Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their usernames and passwords. Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC. "Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site. "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services." After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data - for the first half of 2009 - noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records. Yesterday, Dave Jevans, the chairman of APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

McCain Moves to Block FCC Net Neutrality

The FCC voted unanimously yesterday to move forward with the debate in an effort to formalize net neutrality guidelines. In the wake of FCC chairman Julius Genachowski's initial announcement of his intent to pursue formal net neutrality rules, a group of GOP lawmakers had already initiated a similar attempt; however, that amendment was retracted almost as quickly as it was filed. Senator John McCain followed up by introducing a bill that would prohibit the FCC from governing communications.

McCain's bill, the Internet Freedom Act, seeks to do the opposite of what its name implies by ensuring that broadband and wireless providers can discriminate and throttle certain traffic while giving preferential treatment to other traffic. Basically, those in power or those who pay more will have better access. Apparently we have different definitions of 'freedom'. According to the text of the McCain bill, the FCC "shall not propose, promulgate, or issue any regulations regarding the Internet or IP-enabled services." Isn't that what the FCC does? Isn't that sort of like introducing a bill to prohibit the Treasury from printing money, or a bill to prohibit the IRS from collecting taxes? Oddly, the bill also contains text stating that any regulations in effect on the day before the Internet Freedom Act is officially enacted are grandfathered in and exempt from the provisions of the Internet Freedom Act. The implication seems to be that if the FCC can formalize net neutrality rules before McCain can get the Internet Freedom Act signed into law, the net neutrality rules would still apply.

Net neutrality opponents claim that the free market can police itself and that any net neutrality restrictions will stifle innovation and competition. However, Comcast tried to throttle peer-to-peer networking traffic and only changed policy after the threat of FCC net neutrality rules. AT&T sought to block customers from using VoIP services from its wireless network, but changed policy out of fear of the net neutrality rules. The trend seems to be that these providers only do the 'right thing' when the net neutrality gun is pointing at their head. What the FCC voted on yesterday is simply to start the debate. It's an open discussion, so what are net neutrality opponents afraid of?

If there are valid issues that need to be resolved, then go ahead and bring them to the table. They have 120 days to gather information and collect data and present their case. Don't initiate legislation that seeks to pretend the table doesn't exist. During the Presidential election campaign last year the differences between the two candidates were stark. While Obama was attached surgically to his CrackBerry and his staff leveraged social media from their MacBooks, McCain admitted having little or no knowledge or interest in modern technologies like email or the Internet.

It seems suspicious that the Internet is suddenly a major concern for him. Maybe he just missed seeing his name in the paper.

Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com.

GAO: Los Alamos National Lab's cybersecurity lacking

Cybersecurity efforts to protect a leading U.S. nuclear laboratory's classified computer network remain lacking even after a series of security lapses, according to a new report from the U.S. Government Accountability Office. The Los Alamos National Laboratory, which has suffered multiple security breaches in recent years, continues to have "significant weaknesses ... in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network," the GAO said in a report released Friday. The lab has vulnerabilities in several "critical" areas, including identifying and authenticating users, authorizing user access, encrypting classified information and maintaining secure software configurations, the GAO report said. The lab has not conducted comprehensive risk assessments to ensure against unauthorized use, has not marked the classification level of information stored on its classified network, and has inadequate training for users with security responsibilities, the GAO report said. "A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained," the report said.

In January, there were reports of the theft of three computers from a lab employee's home in Santa Fe, New Mexico. Later reports said as many as 67 computers were missing from the lab. In July 2007, the U.S. Department of Energy moved to fine the lab for an October 2006 breach that exposed classified data. Also in mid-2007, U.S. lawmakers criticized the lab after reports that several officials there had used unprotected e-mail networks to share highly classified information. A contract worker illegally downloaded and removed hundreds of pages of data from the lab using USB thumb drives.

There were other security problems at the lab, including instances in 2003 and 2004 when the lab could not account for classified removable electronic media, such as compact discs and removable hard drives. The DOE's National Nuclear Security Administration (NNSA), while it said it generally agreed with the report, said the lab has made progress in its cybersecurity efforts. Many of the shortcomings have been addressed, said Michael Kane, associate administrator for the NNSA, in a letter to the GAO. In response to a DOE compliance order issued in 2007, "a number of key technical issues and policy implementation concerns have been or are currently being addressed," Kane said. The lab is jointly operated by several groups, including NNSA and the University of California. A lab spokesman did not immediately return an e-mail seeking comment on the GAO report.

The DOE oversees the lab, a multidisciplinary research institution working on strategic science on behalf of U.S. national security.

US relationship with ICANN may not end

A longtime agreement in which the U.S. Department of Commerce has oversight of the Internet Corporation for Assigned Names and Numbers (ICANN) is due to expire Wednesday, but that may not be the end of the relationship. While ICANN isn't talking, some observers expect a new type of agreement to be announced as soon as Wednesday, with the U.S. government sharing oversight of the nonprofit organization that controls the Internet's domain name system with other countries. This new type of agreement would allow ICANN to become more independent, while addressing concerns from several other countries that the U.S. has too much control over ICANN, said Michael Palage, a former ICANN board member. The new agreement would create several oversight boards, with international representation, Palage said.

The Economist reported last week that a new agreement, called an affirmation of commitments, will replace the existing pact between the U.S. government and ICANN. The Department of Commerce and ICANN have operated under a series of agreements laying out expectations for the nonprofit since November 1998. The new agreement "will tell them what it should do, but it can't legally bind them," much like past agreements, said Palage, now a senior fellow at the Progress and Freedom Foundation, a conservative think tank. "It gives the appearance in the global community that the U.S. government has recognized that ICANN has done what it was supposed to do. What it's also doing is ... it's putting in some accountability mechanisms." Palage hasn't heard all the details about the new agreement, including how people will be appointed to the new oversight panels. He's also concerned about whether private entities will have the same representation as governments. While not perfect, the new agreement being talked about would be an improvement over the existing agreement, he said. "Now while the devil will be in the detail, the only concern I have is that the private sector be on equal footing with the public sector in being able to hold ICANN accountable," he said. "If ICANN is to remain a public-private partnership that is founded on the principles of openness, transparency, inclusiveness, accountability and bottom-up coordination, then both the private and public sectors should have equal confidence in the accountability mechanism available to them." Under the latest agreement between the Department of Commerce and ICANN, the nonprofit reaffirmed its commitment to maintaining the security and stability of the domain name system, or DNS. ICANN also promised to stick to the principles of competition, bottom-up coordination and representation.

Many critics of ICANN have complained in recent years that the organization has moved forward with plans to expand services without widespread agreement. In particular, ICANN's board in June 2008 voted to allow an unlimited number of new generic top-level domains, such as .food or .basketball, but trademark owners have complained that new gTLDs would force them to register many new Web sites to protect their brands. Last week, several members of a U.S. Congress subcommittee urged ICANN to back off the gTLD plan until concerns could be resolved. Asked this week about what happens after the current agreement expires, an ICANN spokeswoman said the Department of Commerce has asked ICANN officials not to comment until Wednesday. A representative of Viviane Reding, the European commissioner in charge of the information society and the telecom industry, also declined to comment until "the situation in the U.S. has been officially confirmed." Reding has called for more international oversight of ICANN. But Steve DelBianco, executive director of NetChoice, an e-commerce trade group, said he expects a "new formal review process looking at security, consumer trust, and the interests of global Internet users." DelBianco expects that government and private stakeholders will be represented in the new review process, he said. "Prodded by public comments and encouragement from Congress, I'd expect to see a new arrangement that delivers what the global Internet community has wanted: an independent ICANN that preserves private-sector leadership with increased accountability to its core mission," he said. "The tricky part is how to give governments a well-defined role while preserving ICANN's private-sector orientation." An important part of the oversight going forward will likely be on cybersecurity, added DelBianco, a critic of ICANN's gTLD plan. "I'd expect to see explicit accountability for ICANN to make sure the DNS stays up 24-7 and around the world, even as we see increased cyber attacks and a significant expansion of top-level domains," he said.

Heather Greenfield, a spokeswoman for the Computer and Communications Industry Association (CCIA), said the trade group expects the U.S. government to stay involved in ICANN. CCIA has also heard that oversight panels, involving the international community, will provide ICANN oversight going forward, she said. "We expect ICANN will retain some type of long-term relationship with the United States, while expanding the involvement of other countries," she added. "Ahead of this agreement ending, ICANN has been making a real effort to respond to past criticism about not being transparent enough."