
SELinux aims for security certification and credibility among cautious IT purchasers

By Grant Gross

The Cyberspace Policy Institute at The George Washington University is launching an effort to get international security ratings for the U.S. National Security Agency-driven Security Enhanced Linux project, a move that organizers hope will make Linux more attractive to cautious technology purchasers, including government agencies.

Martin R. Dean, senior security researcher at the Cyberspace Policy Institute (CPI) and principal engineer at Science Applications International Corp., said SELinux still needs some enhancements, such as becoming a fully integrated operating system instead of a patch to Red Hat Linux, but the institute is starting to look for partners to help guide the ultra-secure Linux distribution through the rigorous EAL4 security certification, known formally as the Common Criteria for Information Technology Security Evaluation standard.

Dean spoke at a panel discussion on SELinux, one of the last events at the FOSE technology-in-government trade show Thursday. Other panelists were Peter Loscocco, the SELinux project leader at the NSA; Tony Stanco, senior policy analyst for Open Source and e-government at CPI and founder of FreeDevelopers.net; and Mark Westerman, senior consultant with network security company Westcam and administrator of the SELinux project at SourceForge.net.

Microsoft is currently trying to get the EAL4 for its Windows 2000 OS, and Dean argues that for Linux to be competitive at places like government agencies, where security ratings are used as a big evaluation tool for buying technology products, SELinux also needs the EAL4 rating.

CPI will coordinate activities like looking for developers and seeking sponsors to finance the security rating. The plan is to seek security ratings from the United States and at least one other country, possibly Great Britain, because some countries have different security standards, and some non-U.S. users might not trust the U.S. rating, Dean said.

Among Dean’s goals is making SELinux easier to install and configure. Loscocco admits SELinux, which NSA released to the public in January 2001, is still hard for non-experts to set up.

NSA’s SELinux documentation includes a sample security policy, but configuring the fine-grained controls, down to what programs individual users can run, does take some knowledge, Loscocco said.

Westerman has written a graphical installer that’s a first step to pitching SELinux to mainstream users. “What we’re looking at is getting the operating system to the point where we can roll it out to an elite IT organization, or where a user can run it on the desktop,” Dean said. “What we’re looking at is getting the SELinux patch and the Linux operating system to the point where it’s a robust operating system, so it’s not just the small thing that sits on the server, but on everybody’s desktop.”

Dean expects that gaining the security rating will take a couple of years. “What we’re going to have in a couple of years is an operating system that’s been evaluated … and an operating system that’s as easy to use as other operating systems,” he said.

During the panel discussion at FOSE, Loscocco and Westerman talked about the benefits of SELinux. Westerman described a customer’s experience with a cracked DNS server, which was cracked a second time as soon as the customer reloaded the DNS software.

“At that point in time, I grabbed my CDs … and we loaded the SELinux kernel and left everything else identical on the system — same DNS server with the same vulnerability,” he said. “We were watching that hacker hack into the DNS server to perform his buffer overflow and try to execute all the programs.” But with SELinux’s mandatory access controls, the hacker couldn’t execute a program once inside the box even though he had root access.

“With SELinux, we’re not as worried about the next buffer overflow,” Westerman said.
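The containment Westerman describes comes from type enforcement: a process runs in a domain, and with no allow rule for a given (domain, type, class, permission) the kernel refuses, whatever the uid. The following toy model is an added example, not code from the article or from the SELinux project; the type names, the policy and the audit-line format are constructed for illustration.

```python
# Added example (not from the article): a toy model of SELinux type enforcement
# showing why a root-level break-in to a confined daemon is contained.
from dataclasses import dataclass

@dataclass(frozen=True)
class AllowRule:
    source: str        # subject (process) type, e.g. named_t
    target: str        # object type, e.g. shell_exec_t
    obj_class: str     # object class, e.g. file, udp_socket, process
    perms: frozenset   # permissions granted by this rule

# Constructed, deliberately small policy in the spirit of a TE policy: the DNS
# daemon may read zone files, bind its port and fork, but no rule lets it
# execute other binaries. Type and class names are illustrative.
POLICY = (
    AllowRule("named_t", "named_zone_t", "file", frozenset({"read", "getattr"})),
    AllowRule("named_t", "dns_port_t", "udp_socket", frozenset({"name_bind"})),
    AllowRule("named_t", "named_t", "process", frozenset({"fork", "signal"})),
    AllowRule("sysadm_t", "bin_t", "file", frozenset({"read", "getattr", "execute"})),
    AllowRule("sysadm_t", "shell_exec_t", "file", frozenset({"read", "execute"})),
)

def mac_allowed(policy, source, target, obj_class, perm):
    """Type enforcement is default-deny: grant only if an allow rule matches
    the (source type, target type, class) triple and lists the permission."""
    return any(r.source == source and r.target == target
               and r.obj_class == obj_class and perm in r.perms
               for r in policy)

def dac_allowed(uid, owner_uid, mode_bits, perm):
    """Crude discretionary check: root always passes; otherwise the owner
    needs the matching permission bit (a toy stand-in for real Unix modes)."""
    if uid == 0:
        return True
    return uid == owner_uid and perm in mode_bits

def decide(policy, uid, source, target, obj_class, perm,
           owner_uid=0, mode_bits=frozenset()):
    """Emulate the kernel's order of checks: DAC first, then the MAC hook.
    Returns one of 'allowed', 'denied by DAC', 'denied by MAC'."""
    if not dac_allowed(uid, owner_uid, mode_bits, perm):
        return "denied by DAC"
    if not mac_allowed(policy, source, target, obj_class, perm):
        return "denied by MAC"
    return "allowed"

def avc_denial(pid, comm, source, target, obj_class, perm):
    """Format a denial the way an auditor would expect to see it, modelled
    loosely on SELinux AVC messages; not a verbatim kernel log format."""
    return (f"avc: denied {{ {perm} }} for pid={pid} comm={comm!r} "
            f"scontext=system_u:system_r:{source} "
            f"tcontext=system_u:object_r:{target} tclass={obj_class}")

if __name__ == "__main__":
    # The panel's scenario: the attacker is root inside the DNS daemon and
    # tries to execute a shell. DAC passes (uid 0) but TE has no rule.
    print(decide(POLICY, 0, "named_t", "shell_exec_t", "file", "execute"))  # denied by MAC
    print(avc_denial(1234, "named", "named_t", "shell_exec_t", "file", "execute"))
    # The same daemon reading its own zone file is still permitted.
    print(decide(POLICY, 0, "named_t", "named_zone_t", "file", "read"))  # allowed
```

The denial line is what a defender would watch for in the audit log: a confined daemon suddenly asking for execute on a shell type is the signal that an exploit landed and was contained.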

Among the 30 audience members were several Microsoft booth workers. One asked a couple of questions about the SELinux project, including, ironically, whether changes made to ready it for the security certification would be released back to the community under the GNU General Public License. Panelists said that although the rules of security certification and the GPL sometimes conflict, they were looking at ways to resolve the potential problems. Among those issues: a security-certified operating system that’s had outside changes made to it may lose its certification, and a distribution that’s downloaded from a site that’s not part of the official certification channels loses its certification, Westerman said.

However, Loscocco said his goal would be to release changes back to the GPL, and Dean argued that companies and government agencies looking for the security certification seal of approval may only need to see it once to trust a product.

“You need that check mark,” Dean said. “It’s important for organizations that have greater security needs than the norm to have this assurance process done.”

RAV AntiVirus v8.5 for Linux review

Anonymous Reader writes, “This review covers a basic introduction to RAV AntiVirus and may continue to update as our real-world testing continues. RAV AntiVirus v8.5 for Linux Mail Servers, Servers, and Workstations is flexible and scalable, allowing independent configuration of the scanning module, fully independent from the Mail Server. Definitely a must-have for you system administrators!

Read the review at http://www.linuxlookup.com/html/reviews/software/rav-antivirus-8.5.html.”

Category:

  • Linux

Quick, everyone blame Microsoft!

Michael Holve writes, “Everything Unix offers an interesting, if not somewhat heretical opinion on the Microsoft blame game. With vendors like Red Hat blaming Microsoft for hindering Linux adoption on the desktop — maybe we should be looking at Linux, instead. Is it really ready for mom and pop desktops?”

Category:

  • Migration

Commercial grid computing has a day in the sun

By Robin “Roblimo” Miller

The world’s first Commercial High Performance Computing Conference and Expo was held in a pink, yellow and blue Hyatt Hotel in Orlando, Florida, this week. I spent a few hours there because I figured — correctly — that Linux would be one of the major discussion topics.

This was a gathering of people interested in or selling industrial-grade cluster and grid computing hardware and software, with presentation titles like, “Managing IT on a Global Scale, A Case Study on the World’s Largest Information Technology Company.” This was not a sales pitch by IBM. It was about their own, internal operations, and the audience consisted of people from Sun, Intel, and a number of end user (non-technology) companies that are starting to explore grid computing and wanted to learn from IBM’s experience.

There was not much of an exhibition floor; a few booths in a small room was the extent of it. But it was a Linux-heavy exhibition floor, with IBM’s demo clusters booting Red Hat Linux, and Scyld not only there but quite prominent, along with Linux NetworX and several less well-known companies selling Linux-based, enterprise-level hardware and software. Intel was there — with Scyld logos visible in its booth. And Sun was there in force, the conference’s largest sponsor, touting both Solaris and Linux products.

Sun has been saying “the network is the computer” for a long time, and that’s what this grid computing stuff is all about.

Grid computing is not a new idea

Rajkumar Buyya, of Monash University, says he has been working with and writing about grid computing since 1990 or so, “except we didn’t call it grid computing back then. We used to call it networked computing or distributed computing. Grid computing is the same thing with a catchier name.”

To Buyya, the biggest recent advance in distributed computing — aside from the new, catchy name — is its move from academic curiosity out into the world of private industry. Buyya’s presentation was titled, “Weaving the World Wide Grid Marketplace: Economic Paradigm for Distributed Resource Management and Scheduling for Grid Computing,” and his presence at this conference was sponsored by GridFrastructure, a Massachusetts company that says it is “dedicated to supporting the deployment of the global grid,” and seems to have staked its entire future on distributed high performance computing.

When you think about it, most of this grid computing stuff is an extension of the SETI@home project, jazzed and prettied up, either being run internally by companies like IBM or sold as a service by GridFrastructure and others. And, according to Patrick Dreher, associate director of MIT’s Laboratory for Nuclear Science, the move toward more grid computing is inevitable. “We’re dealing with more data every year,” he says. “From terabytes we’re moving to petabytes.” And Dreher points out that bandwidth is becoming “practically free” so that moving all this data from one clustered supercomputing node to another is no longer as big a deal as it once was.

Dreher’s grid computing vision is not the old SETI@home idea of harnessing the power of individual home computers, but is based on clusters that are becoming more powerful and less costly, and connecting to underutilized clusters elsewhere if and when they are confronted with a calculation set beyond their ability. Dreher sees his cluster connecting “first with ones in other departments here, then with ones at other universities.” In other words, creating Beowulf clusters of Beowulf clusters on an ad hoc basis instead of each company or university or (as is common today) each lab or department within each company or university trying to own all the computing capacity it might possibly, conceivably ever need.

The biochem and pharmaceutical industries were mentioned over and over as some of the biggest potential users of grid computing, and apparently the biotech people agree — and are also gung-ho on Linux and Open Source tools. But there is a thrust toward bringing advanced clustering and grid computing techniques to other businesses that may not need them constantly but only once in a while. This is where grid computing may eventually find its best use, allowing companies or even individuals who want to do a particularly complicated rendering or create a complex model of some sort to access a global network of networked computers for a few minutes or hours for comparatively few dollars.

More about the conference itself

Elaine Mershon, an employee of conference organizer INT Media Group, told me about 400 people had preregistered and that about 200 had actually shown up. This drop-off in tech conference attendance has become typical in the last year with the tech industry recession, combined with many people’s reluctance to fly since last September. I was only around for part of the conference’s second day, but the one time I tried to take a head count in all three occupied conference rooms, I found only about 110 people, including those hanging around in the lobby and a few lurking on the small exhibit floor.

Later I overheard Elaine and some of her coworkers talking about a severe second-day attendance drop. But there were still some interesting people floating around, and making casual contact is often the most important aspect of this kind of conference. For instance, I accidentally wandered into a conversation that included an Intel senior sysadmin talking about how his company is planning to switch all of its 26,000 Unix servers and 17,000 Windows NT/2000 servers over to Linux over the next few years to create a single, seamless, worldwide operational grid. A conversation over coffee with Etnus CEO Chris Doehlert became a discussion of software licensing issues and how to reconcile Open Source and Free Software philosophies with the need to earn a living, a conundrum Chris wrestles with — and we hope he’ll choose to write about it for us at some point. (Yes, I asked.)

The guys at the Linux NetworX booth wanted to know where the NewsVac summaries on the NewsForge front page had gone, and I told them the same thing I’ve told everyone else — they’ll be back as soon as we solve some code issues with the new NewsForge, so relax and be patient. The show was disappointing for Linux NetworX as a sales venue. They said they had hardly any real sales leads but, as one of their sales engineers pointed out, “It’s the first show like this, ever. The next one will have more people, and we’ll almost certainly be there.”

Commercial grid computing is just beginning

Even though this was billed as a commercial high performance computing conference and expo, a high percentage of attendees were connected with universities and research institutions.

The biggest grid computing dreams I heard discussed were those revolving around computing services becoming a metered, commercial utility like electricity is today, where users just plug into the grid and neither know nor care where the power they are using comes from. These are nowhere near reality. But every IT industry advance starts as a dream, and dreamers must gather and share ideas with each other, especially when their dreams involve worldwide linkages, not standalone computers.

Right now, grid computing is used either by research or academic institutions alone or in groups, and by commercial companies almost strictly as an internal, non-shared way to gain increased computing efficiency. Everything beyond that, as far as commercial grid computing, is still being worked out, and there is a lot to work out, including interconnection standards, security, and how to charge for computing services in a fair (and marketable) manner.

That’s the biggest challenge of all to market-oriented distributed computing people: how to provide large-scale, utility-style grid computing service at a profit.

Remember Buyya, and his presentation, “Weaving the World Wide Grid Marketplace: Economic Paradigm for Distributed Resource Management and Scheduling for Grid Computing?” Buyya has spent years working on ways to sell networked computing service, but when I asked him if anyone had actually managed to make money providing utility-style grid computer service yet, he answered with one word:

“No.”

Hollings changes SSSCA to CBDTPA … whew

Wired: “Hollings and the five senators who joined him want to embed copy-protection controls in all PCs and consumer electronic devices. Devices manufactured before the law takes effect can be resold legally.

Once known as the Security Systems Standards and Certification Act, the newly named CBDTPA says that all “digital media devices” sold in the United States or shipped across state lines must include copy-protection mechanisms to be defined by the Federal Communications Commission.”

Category:

  • Migration

Great add-ons for your PDA

NewsFactor Network writes: “As the market for the latest tricked-out PDAs (personal digital assistants) continues to grow, so does the number of features and add-ons available for handheld organizers. The market is swelling with PDA accessories, from digital cameras to mini-printers. Some of the most useful and successful add-ons are those that make PDAs function more like a desktop PC. Plain old keyboards, for example, let users take advantage of the mobility provided by a handheld without giving up the feel of using a PC.”

HP-Compaq: can there be a ‘winner’?

NewsFactor Network writes “Hewlett-Packard CEO Carly Fiorina has optimistically — some say prematurely — claimed victory in the company’s ongoing merger saga, as has Compaq CEO Michael Capellas. But until final voting results are in, which could take up to two weeks, analysts and industry watchers will continue their debate on the merits and pitfalls of joining the two tech giants together or letting them go their separate ways. And analysts’ opinions are as diverse and impassioned as those of the HP and Compaq shareholders who actually cast proxy ballots.”

DDN partners with eZ Systems for content management

Mark writes “Norwegian open source software developer eZ systems has chosen the Distributed Development Network (DDN), a Philippine open source company, as its first official Asian Region partner.

“We are the first official partner of eZ Systems in the Asian Region,” said Victor Serafica, Managing Partner for DDN. “With many companies in the region looking for content management solutions according to the Gartner Group, we believe we can use eZ Publish and their superior products to promote open source solutions.”

“DDN will be one of our most important partners due to their knowledge and location in the Asian market. Their unique position will enable both our companies to leverage this market.” said Paul Egell-Johnsen, Partner Manager at eZ systems. “Their experience and goals are parallel to those of eZ systems and what we are looking for in this region.”

eZ Systems develops and distributes eZ Publish, a content-management toolkit for building dynamic internet solutions such as e-commerce websites, news sites, and corporate intranets and extranets. “Our partnership with eZ Systems makes it easy for us to deliver content management solutions to our partners and clients,” Serafica noted. “Their eZ Publish is a robust application that meets more than our expectations.”

“But what is more important is that eZ Publish is also an open source application that we can freely modify to fit our clients needs and meet their expectations. eZ Systems shall provide additional support and also hosting when needed,” Serafica continued.

DDN is a Philippine company that provides open source solutions, training, user support, and open source software development. DDN’s website is at www.distdev.com.

eZ Systems is the creator of eZ publish. It provides consultancy in a wide area of fields covering development, human computer interfaces and interaction, analysis and design of software, analysis, design and deployment of content, training and development as well as pre-packaged products and solutions. More information about eZ Systems may be found at their website at www.ez.no.

DDN Press Contact:
Manny Amador, Training and Communications Director
Email: manny@iconn.com.ph
Tel.: +63 2 8966741

eZ Systems Press Contact:
Paul K Egell-Johnsen, Developer/PR Manager
eZ systems
Email: pkej@ez.no
Tel: +47 35 58 70 20”

Linux NetworX unveils ICE Box 2.1

From the press release at Linux PR: “Linux NetworX announced today new and enhanced features of its award-winning cluster appliance ICE Box. The following features of ICE Box provide increased performance, high scalability and improved reliability.”

Italian Parliament speaks about Free Software

Francesco De Carlo writes “After Germany, France and a lot of other European countries, Italy tries to cut off proprietary solutions from its administrations. On March 20th, with a Press Conference at Palazzo Madama (the Senate of Italy), Sen. Cortiana (Greens Federation) presented a proposal of law regarding the introduction of Free Software in the public administration. As cited in the press release, this law will guarantee governmental agencies and all public organizations free access to proprietary and free-software solutions for their IT needs, as would be in a full democracy. It’s the first time a State organism debates Free Software (and Linux and OpenSource) in Italy, and there is a good possibility to pass this law, because of the Ministry of Innovation and Technology (governmental side) sponsorship of a document from an opposition party. LinuxValley.it followed this event and a complete report (in Italian) with the integral proposal of law is available here (Italian).” Translate it to English with Babelfish.