greg hughes - dot net
Note that the contents of this site represent my own thoughts and opinions, not those of anyone else - like my employer - or even my dog for that matter. Besides, the dog would post things that make sense. I don't.
 Thursday, July 24, 2008
Over at OSCON a short time ago, the Open Web Foundation was announced. Eran Hammer-Lahav just blogged about it at the OWF site. This is great news, and should go a long way toward enabling better community development of standards and specs in a non-proprietary fashion.
This morning at OSCON, David Recordon announced the creation of the Open Web Foundation. The Open Web Foundation is an attempt to create a home for community-driven specifications. Following an open source model similar to the Apache Software Foundation, the foundation is aimed at building a lightweight framework to help communities deal with the legal requirements necessary to create successful and widely adopted specifications. The presentation slides are also available in Eran's post.
What would Steve click?
It's not often you find advertising that doesn't just bother you. I try to keep the ads on this site relevant, minimalist and out of the way. But on a limited-size device like the iPhone, not to mention it's a device that has that "cool usability" vibe, the need for ultra-careful advertising design is critical. Acceptance is important.
Enter AdMob. They've created advertising blocks for the iPhone that are - well - pretty darn cool. Hopefully the advertisements that show up in them in practice will be relevant and cool, too. Check out the video.
 Wednesday, July 23, 2008
First, a big congrats to the guys at jkOnTheRun for their acquisition by GigaOm and their continued full-time blogging careers. Great people, and a great deal.
Kevin at jkOnTheRun posted a preview article the other day that I somehow missed until now, describing the Microsoft Live Mesh client for the Mac. It's not available yet, but Kevin was able to try it out. Previously he'd reviewed the mobile client for Live Mesh.
I've been using Live Mesh for a few months now in a limited fashion because only one of my computers at home will work with it (meaning only one runs a Windows desktop OS). My other machines are a Home Server and a Mac, and my mobile device is an iPhone. But I like what I have seen in the Mesh system, including the UI. So, I am looking forward to the release of a Mac client.
Check out Kevin's preview of the pre-release Mac app here.
In the case of Terry Childs, a network admin who gained notoriety recently for locking the City of San Francisco and his managers out of their own critical network, comic-book style progress has been made, with Childs' attorney inviting the mayor of SF to a secret meeting at the jail, where Childs handed over the passwords he'd previously refused to disclose. Childs' lawyer, again in typical comic book fashion, has also come out saying that Childs' actions were essentially noble and that he was acting to protect the network he built from his management and peers, whom he characterized as being neglectful and without the proper knowledge to support the network. About what you'd expect from a defense lawyer in a public case, I suppose.
But Childs is in no way a hero. Even if what he says is completely true, he's (allegedly) committed a real crime. He does not own that network even if he helped build it, and regardless of whether the management in his department was capable of exercising its responsibilities, when Childs locked everyone out he crossed a clear line. If it was to make a point, he simply went overboard. The whole unfortunate case just smacks of ego and manic behavior.
But from arm's length the city doesn't exactly look like a helpless victim, either. Any professional management team that creates an environment where one person can control a critical and sensitive network in the manner exercised in this case has missed some of the most crucial and common-sense aspects of IT and security design. In fact, most of the time when cases of one-man-too-much-power crop up, we find that the IT staff is also responsible for security with little or no separation of duties, no checks and balances, and no controls to ensure one bad apple doesn't ruin the whole barrel.
Was Childs right? Absolutely not. Was the City wrong? I don't see how you can argue otherwise.
You'd likely be surprised how many real-world computer networks - big and small, important and less so - are run on the concept of "we just trust that one guy." It's what we call a "Beer Truck" risk problem: If I'm that guy you trust, what if I get hit by a beer truck and killed, or alternatively what if I drink everything on that beer truck and go nuts and wipe out the network? What then?
Systems should be set up to ensure no one person holds all the keys. Over the past few days I've read comments made about this story, in many cases by angry IT-types who say if you hire someone you have to give them access to everything and you have to trust them to do the right thing. Otherwise they cannot do their job, you're a terrible person and your network and systems are doomed. That premise is simply and blatantly false, and in fact following that method puts you in the same boat the City of San Francisco has just found itself in. Please, don't listen to the old-skool IT admin crowd, telling you to hand it all over to them because you obviously don't know what you're doing. Fire those guys and find some real help.
If you want a healthier view of the situation, check out articles written by smart, thoughtful people, like this one by Paul Doyle. Also, Paul Venezia wrote an in-depth article about what went wrong, with some detailed inside information.
To be clear, no one person should control all the systems. Control and authority are not the same thing. Checks and balances are important. The Air Force doesn't allow one person to perform all the steps needed to launch a ballistic missile, right? Apply the same principles to your IT systems. Case in point: I was the chief security executive at a major online financial services company. I had administrative access to nothing. I couldn't even get in the data center without an escort and records being kept. I had no account access to critical or sensitive systems. And no one person there could make changes in a vacuum. IT workers didn't have access to security systems. Security workers didn't have administrative access to anything by default. And we operated effectively, smoothly, with full knowledge of what was happening on the network and systems. No one person had control. Authority, sure. But actual control of systems? No. To operate otherwise would have been negligent.
I often preach the value of formalizing security management and putting proper process, technology and organization in place to ensure a good, stable system that can effectively support business. One of the pillars of an effective security management system is hiring good people (probably not ones who have been convicted of aggravated robbery in the past, sorry) and separating duties in a way that protects everyone involved - employees included. Doing so is not punishment, it's just good common sense.
If nothing else, let's hope businesses and governments all over learn from this embarrassing public spectacle. There are standards out there (my background and experience is in ISO 27001, an international security management standard), the very purpose of which is to make sure things like this don't happen. It's high time to start using them.
Google has opened up their beta of Knol, a web site written by people who know things for people who want to know more. In a nutshell, it's a place to share knowledge. And I like it. I just finished reading "How to backpack, starting from scratch," by a software engineer named Ryan Moulton. He's in his 20s and has been backpacking since he was eight years old, so he has some real, personal knowledge to share. And it's very useful knowledge, at that. An added "plus" of the article is that it contains a number of very nice panoramas from backpacking locations shot by the author. Toilet clogs, lawn care, a wide variety of medical topics, you name it: people with domain knowledge may have written about it. Where there's not an article (or two or three), someone who has the knowledge can sign right in with their Google account ID and start writing. This is cool stuff, with a nice interface (and a few little flaws that I am sure will get worked out). Worth your time to check out.
DNS has a hole in it. Bad guys are working on exploits right now. Patches are available right now. Anyone responsible for a DNS server needs to exercise that responsibility. Right Now.
Dan Kaminsky found a security hole in DNS recently, the details of which he was keeping quiet so providers could fix and release patches and DNS server owners could get those patches deployed, in order to avoid security breaches on the Internet. His intent was to release the gory details in a couple weeks at the Black Hat conference. But the other day word of the details inadvertently leaked out, and so now everyone responsible for a DNS system must - and I do mean must - drop what they're doing and make sure their systems are patched and safe. Failure to do so puts Internet users at risk of site fraud and hijacking. DNS is a system that translates names you can remember (like www.greghughes.net) to especially non-memorable numerical addresses the Internet can route (such as 208.109.238.146). It's the Internet's phone book, so to speak.
The security hole lets an attacker poison the cache of a recursive DNS resolver, so that the resolver hands out the attacker's address for a real, legitimate domain name. If the poisoned resolver happens to be the one your computer relies upon, you could type a legitimate address like www.google.com or www.yourbank.com and the web page that comes back would be a malicious one - a fake. The recently released patches plug the hole by making forged answers far harder to get accepted (each outgoing query now uses a randomized source port as well as a random transaction ID), although they don't change the underlying protocol.
Aaron Massey wrote a very good post describing the issue and its various details. He also links to Halvar Flake, a talented reverse-engineering guy who thought the threat through and pretty much guessed it right on his blog. After Halvar's guess, another security blog that had specific knowledge of the threat details confirmed Flake's hypothesis. As a result, the threat was disclosed.
Luckily, the various creators of the DNS systems used all over the Internet released patches about two weeks ago. The real question is, have you patched your servers? This is a critical flaw - it needs to be patched immediately.
If you want to know whether the DNS server your computer relies upon is vulnerable or not, you can use the DNS Checker in the sidebar of Kaminsky's blog (as long as it remains there). It looks at the outgoing queries from your resolver and reports whether their source ports vary or are stuck on one value.
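The same check can be done by hand if you can capture your resolver's outbound queries (for example with `tcpdump -n udp dst port 53` on the resolver). The script below is an added example, not code from this post or from Kaminsky's checker. It does two things: judges whether a list of observed source ports (or transaction IDs) looks fixed, sequential or randomized, and works out how many query races an attacker has to win to reach a given chance of poisoning the cache with and without port randomization. The three port lists are constructed stand-ins for capture data, and the "more than half the samples increase by one" rule for calling a resolver "sequential" is an assumed heuristic, not a statistical test.

```python
import math
import random
from typing import Dict, Sequence

TXID_SPACE = 1 << 16                 # a DNS transaction ID is 16 bits
EPHEMERAL_PORT_SPACE = 65535 - 1024  # usable UDP source ports above the privileged range


def assess_randomization(samples: Sequence[int], space: int) -> Dict[str, object]:
    """Judge whether a resolver's observed source ports (or TXIDs) look random.

    `samples` holds the values in the order they were seen on the wire, e.g. the
    UDP source ports of consecutive outbound queries pulled from a packet capture.
    The verdict is a coarse heuristic (assumed thresholds, not a statistical test):
      "fixed"      - every query used the same value (the classic pre-patch resolver)
      "sequential" - values mostly increase by one (kernel-assigned ephemeral ports)
      "randomized" - neither of the above
    """
    if not samples:
        raise ValueError("need at least one sample")
    distinct = len(set(samples))
    pairs = list(zip(samples, samples[1:]))
    sequential = sum(1 for a, b in pairs if b - a == 1)
    if distinct == 1:
        verdict = "fixed"
    elif pairs and sequential / len(pairs) > 0.5:
        verdict = "sequential"
    else:
        verdict = "randomized"
    return {
        "verdict": verdict,
        "distinct": distinct,
        # distinct values actually seen give a (weak) lower bound on the entropy in use
        "observed_bits": math.log2(distinct),
        "max_bits": math.log2(space),
    }


def races_to_poison(p_target: float, spoofs_per_race: int,
                    txid_space: int = TXID_SPACE, port_space: int = 1) -> int:
    """Races an attacker must run to have probability `p_target` of winning at least one.

    One race: the attacker makes the resolver look up a name it has not cached
    (Kaminsky's twist is to ask for a fresh random subdomain every time, so the TTL
    of the genuine record never gets in the way) and fires `spoofs_per_race` forged
    answers before the real one arrives. A forged answer is only accepted if its
    TXID and destination port both match; with a fixed port only the TXID matters.
    """
    if not 0 < p_target < 1:
        raise ValueError("p_target must be strictly between 0 and 1")
    q = min(1.0, spoofs_per_race / (txid_space * port_space))  # P(win one race)
    if q >= 1.0:
        return 1
    return math.ceil(math.log(1 - p_target) / math.log1p(-q))


# Constructed samples standing in for source ports taken from a capture.
UNPATCHED_PORTS = [53] * 200                  # every query sent from port 53
KERNEL_PORTS = list(range(32768, 32968))      # OS-assigned, one port after another
PATCHED_PORTS = random.Random(2008).sample(range(1024, 65536), 200)

if __name__ == "__main__":
    for name, ports in (("unpatched", UNPATCHED_PORTS),
                        ("kernel-assigned", KERNEL_PORTS),
                        ("patched", PATCHED_PORTS)):
        print(name, assess_randomization(ports, EPHEMERAL_PORT_SPACE))
    print("races for a 50% chance, fixed port:",
          races_to_poison(0.5, 200))
    print("races for a 50% chance, random port:",
          races_to_poison(0.5, 200, port_space=EPHEMERAL_PORT_SPACE))
```

With 200 forged packets per race, a fixed-port resolver falls with even odds after a couple of hundred races, which an attacker can run in seconds; the randomized port pushes that into the tens of millions. That is why "patch now" is the right answer even though the protocol itself is unchanged.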
 Sunday, July 20, 2008
A couple weeks ago I mentioned the release of Identi.ca, a social networking/microblogging site built on an open platform and allowing federation. Today, a beta release of Twhirl, one of the more popular clients used on the Twitter microblogging service as well as a couple others, adds support for Identi.ca and includes "push" support. Many of us who have come to like Identi.ca are very happy.
That means Twhirl doesn't have to poll (read: overwhelm) the Identi.ca servers to see if you have any new items to read. Instead the servers just let your client know there's new content and pass it along. It works using the Jabber/instant messaging interface (Identi.ca sends its push messages to your Jabber account, and you tell Twhirl how to log into your IM account).
This is pretty darned smart (and takes a couple steps to set up). It's something that Twitter could probably use on their service to potentially reduce load (although I cannot say for sure that a push service would actually reduce the issues related to overloading of their servers). Read more about it at CNET or grab the latest beta of Twhirl with Identi.ca support from this link.
Chances are, if you're reading this around the time I am writing it, that your computer is not exposed to an IPv6 network. You're most likely on an IPv4 (classic) network. You can easily tell by trying the quick IPv6 test on this page.
Even if you're not on the new network stack yet, change is happening, and systems have to be adapted to make sure not only that the new network works (most - but not all - modern hardware and software "understands" IPv6), but also that when you do actually start to operate in an IPv6 world, you are properly secured. In an effective security program, you put protections in place soon enough, meaning before the threat appears. You have to protect proactively, without waiting for bad guys to exploit a network or system. In the case of the IPv4 to IPv6 transition, that means making sure things like intrusion prevention and detection systems, firewalls, and other software and devices that operate at the network layer even know how to "talk" the IPv6 language.
A number of current security applications just don't know how, so now is the time for a call to action: IPv6-enable your technology right now, to prevent opportune threats in the future. Don't get caught with your pants down.
Kim Zetter wrote a good article on the subject the other day at Wired. "The Ghost in Your Machine: IPv6 Gateway to Hackers" outlines quite well the potential threat posed by a lack of readiness from a security perspective. It's not all bleak and terrible news, but as the article makes clear, now is the time to fix the problem, before something bad happens.
Probably the most difficult aspect of understanding the potential issues introduced by an environment not ready for IPv6 is the lack of awareness among IT folk in general as to how IPv6 works, how it's used, and the services (quite good ones, I might add - take a look at how IPsec is baked right in, for example) integral to the protocol.
What's it take to get from here to there? Being prepared with real, solid and accurate information is probably the most important step. Not many of us are naturally wired to take action before something bad happens. As an IT guy, I can tell you this: In the real world, most IT people don't learn what they need to know until after they need to know it. A lazy learning methodology just won't work in this case.
For IT professionals, do not assume that just because you were able to pick up your IPv4 knowledge over a long weekend of studying and tinkering that you'll be able to do the same with IPv6 - That's just not the case. IPv6 is more complex and has a lot more parts to understand. If you haven't learned it by now, for shame. Some of you have a little time left. Get on the ball, and gain the deep understanding you need to do your job properly.
For application and hardware vendors that haven't yet dealt with the IPv6 change, you're running late. While many vendors of firewall software, switches, home routers, etc. have made the proper changes, there are also many that have not. Even worse, there are a variety of IPv4-to-IPv6 workarounds (tunnels that carry IPv6 inside ordinary IPv4 packets) that can relatively easily be put in place by unknowing people (read: the IT guys mentioned above) and that circumvent firewalls and other protections that are relied upon for good security. Bad design, convenient at the time, disaster waiting to happen. Prevent this.
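To make the tunnel problem concrete, here is an added example (not from the post or the Wired article) that flags the transition mechanisms most likely to slip IPv6 past an IPv4-only firewall: 6to4 and other IPv6-in-IPv4 encapsulation (IP protocol 41), Teredo (IPv6 inside UDP, server port 3544) and ISATAP. It classifies individual IPv6 addresses and then scans a list of flow records for tunnel traffic. The flow-record layout (src, dst, proto, dport) and the sample flows are constructed for the example; the address prefixes and port numbers are the ones the protocols actually use.

```python
import ipaddress
from typing import Dict, List, Tuple

IPPROTO_IPV6_IN_IPV4 = 41   # 6in4 / 6to4: IPv6 carried directly inside IPv4
TEREDO_UDP_PORT = 3544      # Teredo servers listen on UDP 3544 (RFC 4380)
ULA = ipaddress.ip_network("fc00::/7")


def classify_ipv6(text: str) -> str:
    """Name the kind of address given, with an eye on transition mechanisms."""
    addr = ipaddress.ip_address(text)
    if addr.version != 6:
        return "ipv4"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.ipv4_mapped is not None:
        return "v4-mapped"
    if addr.teredo is not None:       # 2001::/32, IPv6 over UDP through NAT
        return "teredo"
    if addr.sixtofour is not None:    # 2002::/16, IPv6 over IPv4 protocol 41
        return "6to4"
    packed = addr.packed
    # ISATAP interface IDs embed 00:00:5e:fe (02:00:5e:fe with the u bit set)
    # immediately before the embedded IPv4 address.
    if packed[9:12] == b"\x00\x5e\xfe" and packed[8] in (0x00, 0x02):
        return "isatap"
    if addr in ULA:
        return "unique-local"
    return "global"


def find_tunnel_flows(flows: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (index, reason) for flows that carry IPv6 across an IPv4 perimeter.

    Each flow is {"src", "dst", "proto", "dport"}: proto is the IP protocol number
    (6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4) and dport the destination port, if any.
    """
    findings: List[Tuple[int, str]] = []
    for i, flow in enumerate(flows):
        proto = flow["proto"]
        if proto == IPPROTO_IPV6_IN_IPV4:
            findings.append((i, "IPv6-in-IPv4 (protocol 41) encapsulation"))
        elif proto == 17 and flow.get("dport") == TEREDO_UDP_PORT:
            findings.append((i, "Teredo (UDP 3544) tunnel traffic"))
        else:
            for side in ("src", "dst"):
                kind = classify_ipv6(str(flow[side]))
                if kind in ("teredo", "6to4", "isatap"):
                    findings.append((i, f"{side} is a {kind} address"))
                    break
    return findings


# Constructed flow records; 192.88.99.1 is the well-known 6to4 relay anycast address.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": 6, "dport": 443},
    {"src": "192.0.2.10", "dst": "192.88.99.1", "proto": 41, "dport": None},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "proto": 17, "dport": 3544},
    {"src": "2001:0:4136:e378:8000:63bf:3fff:fdd2", "dst": "2001:db8::1",
     "proto": 6, "dport": 80},
    {"src": "2001:db8::5", "dst": "2001:db8::6", "proto": 6, "dport": 22},
]

if __name__ == "__main__":
    for index, reason in find_tunnel_flows(SAMPLE_FLOWS):
        print(f"flow {index}: {reason}")
```

A firewall that only understands IPv4 sees flow 1 as "some protocol 41 traffic" and flow 2 as an ordinary UDP session, while the IPv6 packets inside them reach the host untouched. Blocking protocol 41 and UDP 3544 at the perimeter, unless you run those tunnels on purpose, closes the most common of these back doors.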
If you're an individual computer user or owner, what is the status of your software vendors with regard to dealing with IPv6 network traffic? Are you running the latest firewall software, current router firmware? Do the latest versions protect you in an IPv6 world?
IPv6 is a great move, and in time it will dramatically change for the better how computers and devices interact. That is, if we don't manage to screw it all up in the process.
Now is the time. IPv6 is here, Go forth. Learn, analyze and secure.
 Wednesday, July 16, 2008
Several years ago I remember when my boss at the time, Chris Brooks, and others at work set up and ran Terrarium, a .NET v1.0 app that allowed peer-to-peer networking of machines running code with "bugs" (not the defect kind) in a virtual environment. It was a sort of a survival-of-the-fittest-bug kind of game, and they used it at work to build some fun learning into the process.
Fast-forward a few years, and the team at Microsoft that originally built the Terrarium app has scattered to the wind. But Bill Simser, a solutions architect, avid .NET guy and Microsoft MVP for SharePoint, took the initiative to find the code inside Microsoft, update it to .NET v2.0, and released it on CodePlex for the community to use and help maintain.
It's now a client-server application and has a worldwide-participation capability (as well as single-machine and closed local peering capabilities). Pretty cool stuff.
If you're an individual, team or group that wants to get some practice or learn more about programming in .NET and you want to have some fun in the process, check out Terrarium v2.
Resources:
There's some great news out of the Microsoft Xbox crew at the E3 conference - Netflix integration with your Xbox 360: Microsoft revealed that beginning later this year, Netflix subscribers will gain access to the entire Netflix digital library through their Xbox 360s. Gold membership is required to take advantage of this partnership, but the newfound capacity represents a large step forward in increasing the Xbox 360's appeal as a living room media box. The present Netflix digital library includes roughly 10,000 titles, and on the 360 you will be able to watch videos together with friends over the Internet through the new community party system. Xbox 360 will be the only game system that lets users instantly watch movies and TV episodes streamed from Netflix, and Xbox LIVE Gold members who are also Netflix subscribers will be able to stream movies and television episodes from Netflix at no additional cost. I'm really looking forward to that. All we need now is a Blu-ray drive for the 360 console...
Also announced were a revamped user experience and interface (implemented completely through software updates, and allowing more personalization and social interactivity), new HD programming partners and content (including Battlestar Galactica, which I am looking forward to), a price cut on the "Pro" model of the Xbox 360 and a new model slated for August, a future feature which will allow you to copy your game disc to the Xbox hard drive for faster loading and smoother play (you still need to have the original disc, though), and a bunch of new games.
On TechCrunch IT, in a post called "The New Apple Walled Garden," author Nik Cubrilovic makes a good point:
TechCrunchIT » The New Apple Walled Garden
Geeks and enthusiasts wearing Wordpress t-shirts, using laptops covered in Data Portability, Microformats and RSS stickers lined up enthusiastically on Friday to purchase a device that is completely proprietary, controlled and wrapped in DRM. The irony was lost on some as they ran home, docked their new devices into a proprietary media player and downloaded closed source applications wrapped in DRM. I am referring to the new iPhone - and the new Apple iPhone SDK that allows developers to build 'native' applications. The announcement was greeted with a web-wide standing ovation, especially from the developer community. The same community who demand all from Microsoft, feel gifted and special when Apple give them an inch of rope. When Microsoft introduced DRM into Media Player it was bad bad bad - and it wasn't even mandatory, it simply allowed content owners a way to distribute and sell content from anywhere. How can people who preach and pontificate open systems be so enamored with a completely closed, proprietary system as Apple's?
Now, don't get me wrong. I was in line at an Apple store last week with all the people Nik talks about in his article. I really like the iPhone and I think my Mac is great, hardware-wise (okay, the OS is not too bad either). But there's something that's always lurking there in the back of my mind, like a pestering little voice that doesn't want me to give in or forget lessons of the past. "A closed system is a system doomed to fail," the voice tells me. Either that, or it is so limiting as to stifle. Or both. Maybe I need to get my medication checked. On the other hand, maybe the voice is right. Or both.
Risking cliche cynicism, I think one has to consider whether The Church of The Steve congregation is further developing (or devolving, if you prefer) in its adoration, at the expense of long-term good. Blind faith, crazed unthinking people saying one thing yet doing another, the how-dare-you-question mentality... Sounds familiar. And that's coming from an Episcopalian. An imperfect, sometimes-questioning, sometimes-doubting, cynical one -- But you get the point. I hope. Perhaps the scariest part of my thought process today is that I actually agree completely with Dave Winer on this one. He nails it right on the head. Okay, there are times when I agree with Dave, but until now I've never really admitted it in public. :) What do you think about Apple's model? Fanboy? Concerned? Who cares? End of the world as we know it? Utopia? Told-ya-so?
 Tuesday, July 15, 2008
Send a JibJab Sendables® eCard Today!
JibJab does it again, in its classic style. Well done. Unicorns and everything else, just perfect, heh. Want to put yourself in this video like I did here with my fuzzy bad picture mug? Wait until the end, then click the appropriate button and send it to your friends.
You can spend literally minutes (many of them) watching Gary Busey comment on various aspects of business and entrepreneurialism, and laughing in the process. Awesome. Highly recommended, since Gary is one of my favorites. You can click the buttons at the bottom of the video screen to get to different sections, each with several "episodes." And by the way, the gotvmail service this video series is meant to virally market is pretty great, too. You might want to check that service out if you need a more-formal call-handling system for your smaller-sized business but don't want to shell out the money to buy all the classic PBX hardware. Great for distributed teams and virtual offices, too.
I know this isn't exactly a new thing, but as I was installing the IE8 Beta 1 for x64 architecture on a computer today to do some testing, I felt a warm-fuzzy sense of appreciation for the fact that more and more we are seeing software that checks for patches and updates before installing and running for the first time. It makes for a more secure system, which is nothing but good. No matter what you think of Internet Explorer (and for the record/what it's worth, I like it quite a bit these days), you have to admit the safer installation process is a great improvement.
© Copyright 2008 Greg Hughes

This work is licensed under a Creative Commons License.
This page was rendered at Thursday, November 20, 2008 11:01:21 PM (Pacific Standard Time, UTC-08:00)
newtelligence dasBlog 1.9.7174.0