Synching Apache and JBoss Timezones

Posted by Dave on June 26th, 2009 in Open Source, Technical Management

We've had a couple customers recently ask us how to synch the timezones for Apache web server and JBoss Application Server.  

The question goes something like this:  

I have servers living in Arizona. Our Linux team has set the native time to AZ. I need to set the apache and JBoss to CT for testing. How can this be done? 

This question has two answers: 

1. Apache uses the operating system's TZ variable to set the timestamp in the log files. Unless you are running CGI scripts such as PHP or Perl on the server, you can't change Apache's TZ. If you have PHP, you would change the TZ in php.ini, and for Perl in perl.conf; but if Apache is just handling static files or is acting as a mod_jk/proxy server, you can't change Apache's TZ unless you change the server's TZ. 

2. JBoss TZ is different. In your JBoss startup script, make sure you export the TZ variable like so: 

export TZ='CST' 

If you want to do this for testing purposes you can just execute the export before you start JBoss. 
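
Added example (not part of the original post): once Apache follows the OS zone and JBoss runs with its own TZ, the two logs no longer line up by wall-clock time. This Python code puts both on one UTC timeline; the sample lines are constructed, the JBoss line layout (`yyyy-MM-dd HH:mm:ss,SSS` with no offset) and the `America/Chicago` zone name are assumptions, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo  # Python 3.9+

# Constructed sample lines (not from a real system). Apache follows the OS
# zone (Arizona, -0700); JBoss was started with TZ set to Central time.
APACHE_LINES = [
    '192.0.2.10 - - [26/Jun/2009:10:15:30 -0700] "GET /app/login HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Jun/2009:10:47:02 -0700] "POST /app/transfer HTTP/1.1" 500 87',
]
JBOSS_LINES = [
    "2009-06-26 12:15:31,204 INFO  [org.example.Login] user=alice authenticated",
    "2009-06-26 12:47:02,981 ERROR [org.example.Transfer] request failed",
]

APACHE_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
JBOSS_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})")


def apache_utc(line: str) -> datetime:
    """Apache access-log timestamps carry their own UTC offset, so use it."""
    m = APACHE_TS.search(line)
    if not m:
        raise ValueError(f"no Apache timestamp in: {line!r}")
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc)


def jboss_utc(line: str, jvm_tz: tzinfo) -> datetime:
    """The assumed JBoss layout has no offset; the JVM's zone must be supplied."""
    m = JBOSS_TS.match(line)
    if not m:
        raise ValueError(f"no JBoss timestamp in: {line!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    naive = naive.replace(microsecond=int(m.group(2)) * 1000)
    return naive.replace(tzinfo=jvm_tz).astimezone(timezone.utc)


def correlate(apache_lines, jboss_lines, jvm_tz, window=timedelta(seconds=2)):
    """Pair each Apache request with JBoss entries within `window` in UTC."""
    jboss = [(jboss_utc(line, jvm_tz), line) for line in jboss_lines]
    pairs = []
    for a_line in apache_lines:
        a_ts = apache_utc(a_line)
        for j_ts, j_line in jboss:
            if abs(j_ts - a_ts) <= window:
                pairs.append((a_ts, a_line, j_line))
    return pairs


if __name__ == "__main__":
    # Use the zone the JVM was actually started with; a real zone name
    # handles daylight saving, which a fixed offset would not.
    central = ZoneInfo("America/Chicago")
    for a_ts, a_line, j_line in correlate(APACHE_LINES, JBOSS_LINES, central):
        print(a_ts.isoformat(), "|", a_line, "|", j_line)
```

Passing the wrong zone for the JVM (for example the server's Arizona zone) yields no pairs at all, which is a quick check that the TZ recorded for each tier is the one it really ran with.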

 


Learn the Ten Key Elements of Open Source Governance

Posted by Greg on June 8th, 2009 in Marketing, Open Source, Webinars

As enterprise use of open source software continues to expand, companies are increasingly aware of the importance of open source governance. If you're interested in learning about the essentials required for an effective open source governance process, be sure to sign up for our next webinar, "Ten Key Elements of Effective Open Source Governance in the Enterprise," which will be held on Wednesday, June 17 at 11:00 Pacific / 2:00 Eastern.

In this webinar, Kim Weins of OpenLogic and Greg Olsen of Olliance Group will discuss the ten essential elements for creating and maintaining an effective open source governance program in the enterprise. Topics to be covered include:

  • Defining and implementing enterprise open source policies
  • Securing support within the organization
  • Taking inventory of open source software usage
  • Managing requests and approvals for open source
  • Ensuring ongoing compliance through auditing and reporting

Space is limited, so reserve your spot today for this informative session.


It’s Not a Czar, It’s a Coordinator

Posted by Landon Cox on May 29th, 2009 in Open Source

In my one-man crusade to make security news something useful, looks like the White House took my advice and decided not to call the position “Cybersecurity Czar”, but rather “Cybersecurity Coordinator”. Whew! Close PR shave for the Pres.

From the article “Obama Announce creation of cybersecurity coordinator position”:

The coordinator will not only run a new White House cybersecurity office, but will also be a member of the National Security Staff and National Economic Council.

In other security related news, I found this article especially interesting, Security and Regulatory Concerns Slow Some Virtualization Efforts. Specifically, it discusses how any regulated server or service, for example, card processing and HIPAA regulated systems and data, should not be implemented on a virtualized server.

Thought the article was particularly useful in drawing out the concerns of other stakeholders in an enterprise besides just the server guys whose concerns are mainly saving rack space and being green. One of those stakeholders was the security team - where do you position your taps and intrusion detection nodes in a virtualized network?

Last I checked Snort didn’t run on the backplane, but that’s where it needs to go next.

[update: 5/29, 2:50p - PC World picked up on the Czar-thing: Best quote:

Notably absent from Obama’s description of the position was the word “czar.”

“I’m really happy he didn’t use the word czar,” said Jeff Moss, director of the Black Hat information-security conferences. “We’re a democracy and we don’t have dictators. How could we have one person sweeping away all these problems?”

About me

I’m an independent consultant who used to do a lot of work for OpenLogic. I greatly appreciate OpenLogic and the mission they are fulfilling as well as their willingness to let me contribute to this blog. Views expressed here are not necessarily those of OpenLogic and any mistakes are 100% attributable to me. You can contact me at: landon at 360vl dot com or visit http://sawdust.see-do.org Twitter @esawdust


Security News is Becoming Like Diet News

Posted by Landon Cox on May 28th, 2009 in General, technology

I fear for the state of computer and network security because the industry is becoming a lot like diet and nutrition news. One day, this food is good for you, the next day it’s not. After a steady barrage of security news, the average user can hardly pay attention.

Should Obama appoint a cyber security czar? No, some say. Instead, he should appoint a “federal chief of information security.” That certainly clears up the issue for me. If you’re still feeling fuzzy on the point, I suggest you keep reading.

Cybersecurity is an “operations issue”…all well understood, according to the Gartner group. Cybersecurity is just a lowly operations issue - old hat, we’re told. What we need to focus on instead: “improve security in cyberspace…” Ah, the light is now dawning on Marblehead. It’s all so clear now.

In case you were ready to pack it in on the hard-core security problems of our nation’s infrastructure, you may not ever want to search for anything that includes the words “free” - a free piece of advice proffered by our friends at ZDNet and McAfee in The Web’s most dangerous keywords to search for [sic]

Upon searching for 2,658 unique popular keywords and phrases across 413,368 unique URLs, McAfee’s research concludes that lyrics and anything that includes “free” has the highest risk percentage of exposing users to malware and fraudulent web sites.

Well, that pretty much takes the legs out from under Google since I suspect a fair number of people are looking for free stuff. And here we thought Wolfram Alpha was going to be the Google-killer.

To make matters worse, the CVE databases, instead of being a beacon of clarity, problem isolation, and direction, are evolving into a window into how muddled and complex some security vulnerabilities are, even for the developers themselves. (See OSVDB on Problems with Identifying Vulnerabilities.)

As Richard Bejtlich puts it in the article:

It’s really a problem of incentives. The group with the strongest incentive to fully comprehend the vulnerability is the group that seeks to exploit it. Once they understand the vulnerability they have a strong incentive to not tell anyone else so they can financially or otherwise benefit from their asymmetric knowledge.

So, in some sense, the news you hear about security issues is already pre-digested and potentially not a threat if the real vulnerabilities are those which are least well known and characterized, even by the developers themselves. Brian (jericho) from the article “if you can’t, how can we?”:

Lately, Mozilla advisories are getting worse as they clump a dozen issues with “evidence of memory corruption” into a single advisory, that gets lumped into a single CVE. Doesn’t matter that they can be exploited separately or that some may not be exploitable at all. Reading the bugzilla entries that cover the issues is headache-inducing as their own devs frequently don’t understand the extent of the issues. Oh, if they make the bugzilla entry public. If the Linux Kernel devs and Mozilla browser wonks cannot figure out the extent of the issue, how are VDBs supposed to?…

Is it just my perception, or is any government position with the word “czar” tacked onto the end of it bound to fail? I can’t think of any XYZ-czar we’ve touted that’s ever succeeded. So, just from a PR point of view, let’s not talk in terms of a cybersecurity czar…that’s for sure the kiss of death, even if it’s superstitious.

Some real coordinated corporate, open source, and government leadership is needed - I wish I had the answer - but I’m not sure the latest hype about a cybersecurity czar is anything more than security theater.


YikStik - Open Source Rocket

Posted by Landon Cox on April 30th, 2009 in Devices, Open Source, technology

I’m always boggled by the number of things that exist under the open source umbrella. Recently, thanks to twitter @chrisindallas, I came across an open source rocket project, YikStik.

YikStik is the labor of love of Bdale Garbee who is HP’s Linux CTO and acting secretary of the Debian project.

YikStik is licensed Creative Commons Share Alike 3.0, so get going if you have your own 3-axis CNC milling machine.

Speaking of CNC milling machines, and carrying on the rich open source tradition of bad naming, check out the open source CNC, cupcake. Cupcake is another in the line of machines that can make machines like Reprap.

Finally, if you haven’t already seen it, check out the world’s largest model rocket launched by Steve Eves. It is a 1:10 scale Saturn V - 36 foot tall model rocket. Boggles my mind what people can accomplish in their “spare” time.


MySQL – What History Tells Us About Oracle Buying Sun
Also, How Red Hat/JBoss Acquisition Raised Licensing Fees by 400%

Posted by Steve on April 23rd, 2009 in Business Models, Community, Open Source

The open source pundits are out in full force trying to anticipate what Oracle's acquisition of Sun means for MySQL. It's a fun exercise to try to predict the future — which may be why there’s no consensus. Here are some of the quotes that we found interesting.

  • Larry Dignan, ZDNET: "Oracle gets to kill MySQL. There’s no way Ellison will let that open source database mess with the margins of his database. MySQL at best will wither from neglect. In any case, MySQL is MyToast."
  • Larry Augustin, long time open source investor and entrepreneur, suggested on his Twitter feed "Oracle probably keeps some of the storage software assets while selling the hardware parts to EMC, Hitachi or HP. Win-win."
  • Marten Mickos, former MySQL chief told Forbes: "Larry Ellison is smart. MySQL was getting around 70,000 downloads a day when I left. It's an amazing grip on young developers. Having MySQL makes business sense for Oracle."

We agree with Larry and Marten – we don't think the MySQL community would let MySQL die even if Oracle wanted to kill it. Open source communities are resilient and have the ability to be self-repairing. There are plenty of people in the developer and user community who want the MySQL technology to continue to grow and evolve. If Oracle either neglected MySQL or actively tried to kill it, the community could and likely would fork the project and continue on. So, we don't think MySQL will die.

But we also think there is a valid concern that Oracle will raise the support costs of MySQL. There are a couple of reasons we think this is likely:

1. History
After Red Hat acquired JBoss, we started to get JBoss customers coming to us when their RedHat/JBoss subscriptions came up for renewal. They were reporting increases in subscription prices from RedHat/JBoss — by as much as 400%. We expect that trend to continue with Oracle's acquisition of Sun.

2. Business Models
Oracle has a typical high-cost enterprise software business model. They spend a lot of money to acquire and retain customers. And they expect and get high margins for their maintenance business. Successful open source companies need to learn how to operate with much lower expenses — in order to provide subscriptions and support to customers at much lower costs. As MySQL begins to be offered through the Oracle sales force and channels, Oracle's enterprise sales model will impact costs of selling MySQL and will likely result in higher prices for MySQL support from Oracle.

In addition, there will be pressure to avoid cannibalization of revenue on the Oracle database, which will drive Oracle to reduce the price differential between Oracle DB and MySQL.

The promise of open source companies lies in their ability to offer significantly lower cost support and solutions to customers. To deliver on this promise, a different mentality is required.

First, open source companies must foster open communities. To gain the cost savings and quality benefits that come with open source, you need communities that extend beyond the walls of one company. Only then can you break free of the high development costs that come with traditional proprietary software.

Second, open source companies must foster low cost sales models. Typical software sales approaches are simply too expensive when you are trying to deliver software at a fraction of the cost.

It's highly doubtful that Oracle will be able to change their mentality and their approach — so the result will unfortunately be higher pricing from Oracle on MySQL support and subscriptions.

Luckily, one of the other benefits of open source is that customers have choice. They are not locked-in to one vendor for support.

As InfoWorld's Savio Rodrigues reported in February, one of the leading reasons that almost 100 medium-sized and Fortune 500 companies come to OpenLogic is for our low-cost MySQL, JBoss, and Tomcat support.

For cost-effective consolidated support providers such as OpenLogic, we expect this acquisition to drive more customers to compare prices on open source support and bump our sales, just as the RedHat/JBoss acquisition did a few years ago.


Twitter - When everyone’s talking…

Posted by Landon Cox on April 16th, 2009 in General, Open Source, technology

This morning I was browsing my twitter stream and came across one of the many “life coaches” that seem to have found twitter like stink on a skunk and saw this little jewel:

ConnectSocMediaRT @lifesuccesstv One of the greatest gifts you can give to anyone is the gift of attention. Jim Rohn

I laughed out loud and thought “That has to be one of the most ironic, moronic, hypo-critic things I’ve ever seen on twitter.” What’s even more ironic was the fact it was a retweet (and what’s more ironic is that I’m effectively retweeting it now in this blog post.) How’s that for sick?

It reminded me of the Crosby Stills and Nash song Daylight Again and their lyrics “When everyone’s talking and no one is listening…how can we decide?”

I’m sure I’m like most grizzled veterans of the net who, when we first heard the hype of twitter, rolled our eyes and thought “Here we go again.” And like most grizzled veterans of the net, we’re doing what we all do best when given a huge network to play with, try to take advantage of it.

With that reluctant intro, take a look at Spaz, an open source twitter client. It’s an Adobe Air client that runs on Windows, Mac, and Linux…some might argue it can’t be open source if the tool used to build it isn’t, but there you are.

The first client that lets me do a good job of filtering X,000 followers (like I have that many), down to about 10, will get my vote. I’m realizing that as twitter supplies RSS feeds for each account, what I really need is an uber newsfeed reader for twitter. Lots and lots of twitter “productivity” tools popping up in the cesspool of social networks. How gross is that? The ultimate oxymoron: productive social networking. Seems less like evidence of a fertile and useful environment than one that’s systemically broken.

The problem with twitter is that every so often, a little jewel floats down the River Ganges like flotsam and it’s that which keeps some of us coming back for more.


If you really want to “follow me” (cough), you can find me at http://twitter.com/esawdust ( @esawdust )


Comparison of Open Source Tools for Source Control Management (SCM)

Posted by Greg on April 9th, 2009 in Marketing, Open Source, Webinars

Wikipedia defines application lifecycle management (ALM) as "the marriage of business management to software engineering made possible by tools that facilitate and integrate requirements management, architecture, coding, testing, tracking, and release management." Source control management (SCM) tools are a key component of the ALM process, and developers today have many good open source options when it comes to selecting SCM tools.

We're hosting a webinar on April 28 in which we'll compare and contrast some of the most popular open source tools for SCM, including Bazaar, CVS, Git, Mercurial, and Subversion. Brad Reeves, Senior Content Engineer at OpenLogic, will examine the features included with popular open source SCM tools and discuss which tools best interface with other commonly used ALM applications.

Other topics to be covered in this webinar include:

  • Which open source SCM tools are best at branching, merging, and tagging
  • Client/server vs. single repository SCM tools
  • Peer-to-peer vs. distributed system SCM tools
  • How the leading open source SCM tools compare to commercial alternatives

Whether you're evaluating open source SCM tools for use in your software engineering process or simply want to stay abreast of new trends, please be sure to join us on Tuesday, April 28 at 11:00 Pacific / 2:00 Eastern.


OSS Rises to Conficker Challenge

Posted by Landon Cox on March 31st, 2009 in Conferences, Open Source, Tutorials

Over the last several weeks I’ve been reading a lot of Richard Bejtlich’s material - books and blogs. Richard is a frequent Black Hat speaker and emphasizes network security monitoring. He officially lists himself as “Director of Incident Response, General Electric”, but has been a former Air Force intelligence officer (described as a soldier who protects national security data.)

He’s posted a good essay on using open source security tools and specifically open source infrastructure like OpenDNS in order to battle large malware threats like Conficker.

I really like Bejtlich’s way of thinking - particularly his NSM framework he writes about in The Tao of Network Security Monitoring. He’s got several other books which I own but haven’t plowed through yet, but I can highly recommend:


“The Tao of Network Security Monitoring: Beyond Intrusion Detection” (Richard Bejtlich)

I’ve bought a 3 foot stack of books on security tools over the last few months, but out of all of them, “The Tao” is by far the best money spent. So, if you need a crash course in how to think about network security and you could only buy one book, that would be it.


Upcoming Webinar on Open Source Application Development Frameworks

Posted by Greg on March 4th, 2009 in Marketing, Open Source, Webinars

If you're interested in learning about the features and benefits of the top open source application development frameworks, you won't want to miss our next technical webinar—“A Comparison of Open Source Application Development Frameworks for the Enterprise.” This webinar will be held on Thursday, March 12 at 11:00 Pacific / 2:00 Eastern, and as usual the recording and slides will be available for download after the event.

In this webinar Kelby Zorgdrager, President of DevelopIntelligence, will join us to provide a comparison of key attributes for the leading open source application development frameworks including MyFaces, SEAM, Spring, Struts, and Tapestry. Attendees will also gain insights on how open source frameworks can be leveraged to rapidly build extraordinary web applications.

By attending this webinar you'll learn about:

  • Key differences amongst the leading open source application development frameworks
  • Other frameworks on the rise, and why they're gaining market share
  • Selecting the right open source framework for a development environment
  • Creating web applications more productively and elegantly

Whether you're just getting started with open source frameworks or simply want to stay abreast of new trends, please be sure to join us on March 12 at 11:00 Pacific / 2:00 Eastern.
