How to run Linux in a window inside Chrome OS

Thanks to a handy set of scripts, you’ve long been able to install an instance of Linux on a Chromebook and switch between the two platforms with a simple keypress. What if you could run Linux inside the Chrome OS environment in its own window, though? That’s even better.

On this week’s Chrome Show podcast, we highlighted the Crouton Integration extension that lets you do just that. We also discussed why the new Acer Chromebook 15 isn’t likely on store shelves before April and why if you are still using Google Android 4.0 on a mobile device you might want to consider a replacement for the Chrome browser. Tune in below or download the podcast here.

Microsoft embraces Python, Linux in new big data tools

Continuing its quest to make Microsoft Azure comfy for the non-Windows world, Microsoft just launched a preview of its Hadoop-based cloud tool (HDInsight) that runs on Linux. It’s also making its Azure ML machine learning service widely available now with new support for Python as well as the already-planned support for the popular R language. Microsoft bought Revolution Analytics, the company behind a commercial version of R, last month.

Azure HDInsight is thus “Microsoft’s first fully Linux-based service for big data,” Joseph Sirosh, Microsoft’s corporate VP of machine learning, said in an interview. Microsoft says 20 percent of all VMs running on Azure run Linux.

Asked if he sees any open-source oriented developers still wary of using Microsoft’s cloud, Sirosh said the perception of Microsoft as a Windows-only company is fading. “There is a new breed of developers [who want] to leverage features … whether they are Linux- or Windows-based is becoming less important,” he said. With cloud services, “you really don’t have to know a lot about deep inner details to use these services.”

Azure ML’s embrace of Python also shows just how popular that language has become and that Microsoft Azure is building on its promise of language agnosticism. “Python has become the number one language of choice for developers. We can now claim to be the most comprehensive analytics service — no other product lets you integrate SQL, R and Python into one project,” Sirosh said.

Microsoft CEO Satya Nadella

Microsoft is also making Storm, the open-source stream analytics tool, available for HDInsight with support for both .NET and Java. The company already offered Azure Stream Analytics and will continue to sell, support and upgrade that as well. Storm is another option, Sirosh said.

In the massive public cloud infrastructure arena, Microsoft must contend with Amazon Web Services and Google Cloud Platform, both of which are targeting developers with fancy analytics and other services. I agree with Sirosh that Microsoft has done a good job of embracing open-source frameworks and languages in Azure. But the perception, especially among young startups, of Microsoft as a Windows-and-Office-first monolith dies hard.

I’ll be sure to ask Sirosh more about how Microsoft Azure can win over startups as well as big business accounts when we’re on stage next month at Structure Data.

This story was updated at 10:05 a.m. PST to reflect Microsoft’s assertion that 20 percent of all VMs on Azure run Linux

The Ubuntu phone is about to go on sale, but curb your enthusiasm

Finally, after many delays, the first Ubuntu phone is about to hit the market. In Europe. And only through a series of online flash sales. And you’ve almost certainly never heard of the manufacturer.

On the plus side, it will come with quite a few recognizable mobile services, including Facebook, Twitter, eBay, Amazon, Time Out, Yelp, SoundCloud and Grooveshark. It won’t have WhatsApp but it will have the Telegram encrypted messaging service. However, given how Canonical has talked up Ubuntu for phones in the last few years, it’s hard not to feel let down.

Great expectations

Canonical promised a uniquely converged device that behaves like a phone until it’s plugged into a keyboard and monitor, at which point it becomes a fully-fledged Ubuntu desktop. The Ubuntu Edge crowdfunding campaign was a record-breaker even though that flagship concept phone would never be made, but still failed to pique the interest of major manufacturers.

The device that will go on sale next week is a variant of the Aquaris E4.5, a modest handset from Spanish manufacturer BQ, which is slightly better known for making e-readers. It will certainly be on the cheaper side at €170 ($193), and it will have two SIM slots, but otherwise the specs are quite middling: a quad-core processor running at “up to 1.3GHz”, 1GB of RAM, 8GB of storage, an 8MP back camera and a 5MP front camera.

The key differentiator is of course the software, which is based on Ubuntu’s “Scopes” concept. Rather than using a grid of app icons, Scopes aggregates content from various services into type-specific screens, such as music, video and news. It’s a radically different approach in a mobile scene that is so tuned to the Android/iOS user experience, and I fear Canonical will struggle to show it off properly without putting phones in physical shops.

Ubuntu phone Scopes feature

What would give the company a ready-made audience would be that converged handset/desktop thing we were promised. So when’s that happening? According to Canonical mobile chief Cristian Parrino, it’s “part of our future vision.” Parrino said in a Thursday pre-brief, “In the next couple of releases there will be major improvements on that story.”

Drones not phones

Given that this feature was supposed to appear almost a year and a half ago, when Ubuntu mobile first became available to flash onto certain Android devices, you’ll forgive me for not holding my breath. Oh, and that whole thing about putting Ubuntu onto Android phones without having to de-Androidify them? That’s also not happening because (unsurprisingly) “it doesn’t have backing from the industry.”

Ubuntu phones also won’t be able to run the “snappy” apps that people will be building for the Ubuntu Core connected-devices push – which just got a big boost through the appearance of the Core-supporting Raspberry Pi 2 — because, while snappy/Core evolved out of the “click” app packaging mechanism used on Ubuntu for phones, Ubuntu handsets are still stuck on click. This is, Parrino said, a “timing issue.”

I’m a lot more confident about Ubuntu’s future in drones than I am about its future in phones. The promise of mobile Ubuntu is hugely attractive, but it’s not what’s being delivered this month, and I’m not sure how Canonical is going to get from here to there.

But anyway, perhaps I’m being overly harsh. It’s not like the handset is super-expensive, after all. If you’re in Europe and you want one, keep an eye on the Ubuntu and BQ social media channels on Monday for announcements of the flash sale dates. SIM cards from 3 Sweden, Spain’s Amena, the U.K.’s GiffGaff and Portugal Telecom will also be offered at checkout, if you’re in one of those countries.

Severe “Ghost” flaw leaves Linux systems vulnerable to takeover

A serious vulnerability in a key Linux library could let attackers take complete control of systems, such as servers, that are based on the open-source operating system. Those running Linux systems are advised to download a patch for their distribution immediately.

Qualys researchers discovered the “Ghost” vulnerability – named for the fact that it can be triggered by “gethostbyname” DNS resolution functions – during a recent code audit.

In a Tuesday blog post and video they said they had “developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine,” though they won’t release this exploit until they see around half of the Linux servers out there have been patched appropriately.

The researchers said the buffer overflow flaw in the GNU C (“glibc”) library had been around since 2000 and had actually been fixed in 2013 (only versions before 2.18 are affected). However, it wasn’t recognized as a security threat at the time, so many long-term-support versions of Linux distros are still affected.

Distros that are known to be affected include: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04. Patches for these distros are now available to download, and doing so would be a very good idea. End-of-life distros are obviously also affected, but you shouldn’t be using those anyway.

It’s impossible to tell whether the vulnerability has been exploited, though Trend Micro has noted, “with only four or eight bytes as the initial exploit vector, gaining further access is highly dependent on application design and memory usage.” Also, as Robert Graham at Errata Security has pointed out, the gethostbyname() function is obsolete and people should rather be using the IPv6-friendly getaddrinfo() function instead.
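The two defensive points above (the pre-2.18 version range and the move from gethostbyname() to getaddrinfo()) can be checked in a few lines of C. This is an added example, not code from the article, Qualys or glibc; the helper names `glibc_predates_fix` and `resolve_first` are hypothetical, and the sample inputs are constructed so it runs without network access.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* 1 = version string is below 2.18 (the range the article gives as affected),
 * 0 = 2.18 or later, -1 = unparseable.
 * Caveat: distributions backport fixes without changing the upstream version
 * number, so 1 means "confirm the package is patched", not "vulnerable". */
int glibc_predates_fix(const char *ver)
{
    int major = 0, minor = 0;
    if (ver == NULL || sscanf(ver, "%d.%d", &major, &minor) != 2)
        return -1;
    return (major < 2 || (major == 2 && minor < 18)) ? 1 : 0;
}

/* Resolve `host` with getaddrinfo() instead of gethostbyname() and write the
 * first address, in text form, to `out`. Handles IPv4 and IPv6 alike.
 * Returns 0 on success or a getaddrinfo()/getnameinfo() error code. */
int resolve_first(const char *host, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept either address family */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;           /* AI_NUMERICHOST: parse only, no DNS */

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                     NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
    printf("running glibc %s, predates 2.18: %d\n", ver, glibc_predates_fix(ver));
#endif
    /* Constructed sample inputs; AI_NUMERICHOST keeps the run offline. */
    const char *samples[] = { "127.0.0.1", "::1", "not-an-address" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        int rc = resolve_first(samples[i], AI_NUMERICHOST, buf, sizeof buf);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? buf : gai_strerror(rc));
    }
    return 0;
}
```

Pass 0 instead of AI_NUMERICHOST to resolve real hostnames through DNS; for patch status, the distribution's package manager is authoritative rather than the version string.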

This article was updated at 2.15am PT to include Trend Micro’s observation.

Peerio is a chat and storage service with big security claims

A Canadian outfit called Peerio has put its eponymous secure messaging and cloud storage app into public beta, promising a much more usable alternative to PGP email and file encryption.

Peerio was released on Wednesday for Windows, Mac and Chrome (which also gives Linux users an option) – apps for Android and iOS are in the works. It’s not quite perfect just yet, but it’s an intriguingly user-friendly take on secure cloud communications and storage.

“Our goal is for Peerio to succeed PGP in the use-cases of mail and file sharing,” co-founder and lead cryptography designer Nadim Kobeissi told me via a Peerio encrypted conversation. “We’ve developed a system built on foundations that are more modern, stronger, and simpler than PGP. Anyone who uses Peerio for a few minutes will quickly see how it’s years ahead of using PGP with Thunderbird, and never go back.”

Open-source and audited

The two-decade-old PGP is certainly a pain to use — at least, if you want to get it right — largely because of the complexity of PGP key management. Rather than requiring users to have their private key file to hand, Peerio requires them to create memorable (and long) passphrases that are then used to locally generate private keys for each session. The passphrase is used to log into Peerio for the first time on each new device. After that, a shorter, easier-to-type password can be created for that device, and two-factor authentication is also available.

Peerio incorporates the encryption technology of Kobeissi’s Minilock file encryption app. Users have usernames rather than email addresses and their client-generated, abstract avatars are used to verify their cryptographic identity (the client can automatically detect changes.)

From a functionality perspective, Peerio is a cross between email (albeit without the universality) and instant messaging. Files can be attached to messages, and conversations are threaded and searchable. There’s no draft functionality at the moment, which can be a pain when jumping between conversations mid-message, but Kobeissi said this will come soon and drafts will be safely encrypted.

Kobeissi, a PhD student in applied cryptography, is best-known as the creator of the Cryptocat chat app, which had a nasty security scare in 2013 (a bug left group chats vulnerable for months). However, this time round his co-creation has been audited by “expert cryptographers and system penetration testers” (Germany’s Cure53, per Wired). What’s more, the client code is open source and available on Github for scrutiny by whoever can offer it.

Metadata issue

Kobeissi seems pretty confident about Peerio’s security. When I asked whether it was tough enough to be a secure channel for leaking information, he replied: “I think people doing something like leaking state secrets should not depend on the internet at all, personally. But I would say that Peerio can protect the content of people’s communications, even if they’re operating from a highly surveilled context.”

However, the service’s end-to-end encryption only protects the contents of communications, not the metadata about who contacted whom and when. Peerio’s Canadian servers still hold users’ contact lists, the number of files and messages sent, and message timestamps. Kobeissi told me access to this metadata is “quite minimal and well-guarded” and he and his colleagues “pledge to fight any overreaching government requests”, but still, the information is there and, unlike the contents of messages, available to Peerio itself. Will Peerio create a way to encrypt this metadata? “One thing at a time,” Kobeissi said.

Peerio’s team includes four permanent staff, but numbers 12 with hired contractors – the outfit has $250,000 in seed funding. The plan is to make money by charging for premium features such as more than a gigabyte of storage, and by targeting the business market at some point.

For a product just entering public beta, Peerio seems admirably clean, functional and user-friendly. As long as people don’t find nasty vulnerabilities – and the firm deals with its metadata-related issues — it could be a viable mass-market encrypted communications and collaboration service. (A minor warning, though: If you import a contacts list, Peerio will send out an invite to everyone on it.)

Chromebooks can now run Linux in a Chrome OS window

This is cool: Chromebook users can now run their favorite Linux distribution within a window right on their Chrome OS desktop. Google’s own happiness evangelist François Beaufort revealed with a Google+ post Tuesday that Chromebook owners who have set their device in developer mode can download a special Crouton Chrome extension to run Linux without being forced to switch back and forth between the two operating systems.

Running Linux on a Chromebook is not a new thing. Chrome OS is based on the Linux kernel, and there are a number of ways to run both Chrome OS and Linux on the device. My colleague Kevin Tofel highlighted three ways of accessing Linux (and other operating systems as well) a while back, and he even recorded a video of using Crouton to run Chrome OS and Linux simultaneously, which you can watch below. However, the new Crouton Chrome extension makes it possible for the first time to run Linux in a window.


Red Hat’s success aside, it’s hard to profit from free

Red Hat, which just reported a profit of $47.9 million (or 26 cents a share) on revenue of $456 million for its third quarter, has managed to pull off a tricky feat: It’s been able to make money off of free, well, open-source, software. (Its profit for the year-ago quarter was $52 million.)

In a blog post, Red Hat CEO Jim Whitehurst said the old days when IT pros risked their careers by betting on open source rather than proprietary software are over. That old adage that you can’t be fired for buying IBM should be updated, I guess.

In what looks something like a victory lap, Whitehurst wrote that every company now runs some sort of open source software. He wrote:

Many of us remember the now infamous “Halloween Documents,” the classic quote from former Microsoft CEO Steve Ballmer describing Linux as a “cancer,” and comments made by former Microsoft CEO Bill Gates, saying, “So certainly we think of [Linux] as a competitor in the student and hobbyist market. But I really do not think in the commercial market, we’ll see it [compete with Windows] in any significant way.”

He contrasted that to Ballmer’s successor Satya Nadella’s professed love of Linux. To be fair, Azure was well down the road to embracing open source late in Ballmer’s reign but Microsoft’s transition from open-source basher to open-source lover is still noteworthy — and indicative of open-source software’s widespread adoption. If you can’t beat ’em, join ’em.

Open source is great, but profitable?

Red Hat CEO Jim Whitehurst

So everyone agrees that open source is goodness. But not everyone is sure that many companies will be able to replicate Red Hat’s success profiting from it.

Sure, Microsoft wants people to run Linux and Java and whatever on Azure because that gives Azure a critical mass of new-age users who are not necessarily enamored of .NET and Windows. And, Microsoft has lots of revenue opportunities once those developers and companies are on Azure. (The fact that Microsoft is open-sourcing .NET is icing on the open-source cake.)

But how does a company that is 100 percent focused on say, selling support and services and enhancements to Apache Hadoop, make money?  A couple of these companies are extremely well-funded and it’s unclear where the cash burn ends and the profits can begin.

Replicating Red Hat — no easy task

Gigaom Research Analyst Andrew Brust has a good take on Hortonworks as a potential tracking stock for those who want to see if the open-source-plus-IPO-model will pay off. As he states:

“Hadoop is becoming a universal data layer, increasingly embedded in other software. Open source may not be the fastest road to monetizing software, but it is a super highway for establishing standards that gain rapid industry-wide support.”

In an interesting blog post coming about a month before the Hortonworks IPO, Host Analytics CEO Dave Kellogg said Red Hat’s model may be hard for Hortonworks and others to replicate. In his view, Red Hat’s model of selling professional services, support and maintenance for Red Hat Enterprise Linux (RHEL) operating system and JBoss middleware works because these products are relatively low-level infrastructure. In his words:

  • The lower-level the category the more customers want support on it.
  • The more you can commoditize the layers below you, the more the market likes it. Red Hat does this for servers.
  • The lower-level the category the more the market actually “wants” it standardized in order to minimize entropy. This is why low-level infrastructure categories become natural monopolies or oligopolies.

And even given Red Hat’s success, it is still a small company compared to commercial software giants like Oracle, Microsoft, IBM etc., as Kellogg also pointed out.

RHT Market Cap data by YCharts

So, the big question is whether a new generation of open-source-rooted companies — in big data, in analytics, in middleware — can wring profits out of what is essentially free stuff. I’m not convinced.

That is not to say there can’t be a highly profitable exit. Something along the lines of Oracle’s $7.4 billion pick-up of Java and MySQL via Sun Microsystems. As one wag said at the time: “Doesn’t [Oracle Chairman] Larry Ellison know he could have just downloaded MySQL for free?”