I was sitting in the audience of an ISO/IEC meeting in Geneva, Switzerland about to give a presentation on the intersection of open source and open standards when I received an email with a link to this story at CNET.News.com:
Researchers at Kaspersky Lab have spotted what they believe is the first virus for OpenOffice, the open-source rival to Microsoft's Office productivity suite.
The virus, dubbed Stardust, is capable of infecting OpenOffice and StarOffice, which is sold by Sun Microsystems, a Kaspersky Lab researcher wrote on the Russian company's on Tuesday. "Stardust is a macro virus written for StarOffice, the first one I've seen," the researcher wrote. "Macro viruses usually infect MS Office applications." The pest is written in Star Basic. It downloads an image file with adult content from the Internet and opens that file in a new document, according to Kaspersky's posting.
So far, Stardust is a proof-of-concept virus, which means that it was created to demonstrate that an OpenOffice virus is possible. The virus has not been sent out in the wild and is not actually attacking people's systems.
I did a quick and dirty blog entry then, which I'm updating now.
Hmm. Now that I have time to give this a closer reading, it appears that this bit o' malware has hit only StarOffice, not OpenOffice. So while the conclusion may (or may not) be correct to say it can be adapted to hit OpenOffice, it's a stretch to assume that it was "created to demonstrate that an OpenOffice virus is possible." If that was the goal, why not _start_ by hitting an OpenOffice user, eh?
Be that as it may, you may recall that only a week ago I did an article about the Word Trojan, and how the press reported it. Through this new hack on StarOffice we have the opportunity to see how the press reports an equally (or less) insignificant attack on one version of ODF compliant software, so let's see what we see.
Lately I've been blogging quite a bit on the state of on-line journalism. One aspect of that topic that I haven't touched on for a while is the way in which a story breaks, builds, morphs and spreads electronically. The recent announcement of the Backdoor.Ginwui virus provides an interesting opportunity to do this once again, in order to see who addressed the story and how (including by me), and what, if anything, it all means.
Cutting to the bottom line: it doesn't matter how little impact a virus may have; if it targets Microsoft (a/k/a the world's desktop), it's likely that every conceivable and theoretical angle of the story will get poked and prodded, whether it deserves to be or not. The reasons are twofold: first, the threat of a really bad virus is akin to an IT bird flu epidemic, so the mere possibility of a massive breakout captures the mind. And second, it offers an opportunity for authors to explore other current issues in the marketplace that are directly or tangentially related.
Taking a look at how stories are written on line is also illuminating. In fact, it's been my consistent experience when I've conducted a survey like this that only a small percentage of the on-line articles that are written on any story are the product of any actual first-hand research by the author. The vast majority are either short rehashes of information taken from other people's stories (and research) and/or from readily-available on-line alerts, press releases and public statements.
Dan Geer is an extremely well respected security expert. When he worries about something, people listen.
One of the things he has worried - and warned - about is the danger represented by IT "monocultures" - the situation that arises when everyone uses the same software, for example, and therefore everyone shares the same vulnerability to a computer virus or other security threat.
Just as the word "virus" has been borrowed from biology and provides an apt and vivid descriptor for its IT analogue, so also does the word monoculture function: think of the consequences of Irish potato blight, or of the wiping out of the American Chestnut tree, which once numbered in the billions in the forests of the American East and is almost extinct as a mature species.
Well, last November, Dan wrote a perspective piece for CNETnews.com, called Massachusetts Assaults Monoculture. In that article, he wrote:
As a matter of logic alone: If you care about the security of the commonwealth, then you care about the risk of a computing monoculture. If you care about the risk of a computing monoculture, then you care about barriers to diversification. If you care about barriers to diversification, then you care about user-level lock-in. And if you care about user-level lock-in, then you must break the proprietary format stranglehold on the commonwealth. Until that is done, the user-level lock-in will preclude diversification and the monoculture bomb keeps ticking.
As it happens, Dan's bomb went off a few days ago, with the breakout of the "Backdoor.Ginwui" virus, a malicious bit of code that Symantec introduced in an alert as follows:
It has been reported that Backdoor.Ginwui may be dropped by a malicious Word document exploiting an undocumented vulnerability in Microsoft Word. This malicious Word document is currently detected as Trojan.Mdropper.H.
For the last couple of weeks I've been writing a number of blog entries focusing on poorly researched and deliberately misleading items in the news. One of those pieces is called The Script Reloaded: Recognizing "Them." The first premise of that entry was that it's easy to spot opinion pieces that derive from a common source, based on the points made and the language used. The second was that there's a difference between pieces from interested sources that are based on "talking points," and planted stories that contain the same message, but don't disclose that they're just a conduit for someone else's message (or worse yet, disinformation). For example, you expect an op/ed piece by a vendor officer, or a quote from a vendor spokesperson, to be toeing the party line. But when you read a "citizen" op/ed piece, you don't want to worry whether it's been vendor-influenced unless there's the usual italicized disclosure at the end of the piece.
This difference is important, because most of us are willing to give a "citizen" op/ed or a report issued by a neutral non-profit more credence than a vendor-piece - unless we know that they have an economic axe to grind. That's where paying attention to the language can help - especially when there is a campaign to spread a Big Lie - the subject of another recent blog entry of mine on the same theme.
I promised in my last entry to highlight new articles that caught my eye that seem suspect, and this morning read one that has all of the hallmarks that I noted before. The piece in question is by Steven Titch, a Senior Fellow of the Heartland Institute, and also the editor of its monthly newsletter. The Institute describes itself on its home page as, "devoted to discovering and promoting free-market solutions to social and economic problems," and the article is called The Dangers of Dictating Procurement.
And this is just the first draft
Microsoft spokesperson, commenting on the 4,000 page
first draft of Open XML, as quoted at
The first draft of Open XML has been posted for public viewing at the Ecma Website, five months after Ecma accepted Microsoft's submission of what was then less-appealingly referred to as the XML Reference Schema. The most detailed source of information I've found so far is this page at Brian Jones' blog, which focuses heavily on XML in Office and the development work on Open XML file formats (Brian is a Microsoft Office Program Manager who has frequently provided public comments on the progress and purpose of Open XML). You can also find short press articles at NetworkWorld.com, by IDG's Elizabeth Montalbano, and at by Peter Galli. Both Elizabeth and Peter have been following the ODF/XML Open story for many months.
According to Jones, the specification is now 4,000 pages long (roughly twice its original size) and has been the subject of weekly two hour conference calls and three day face-to-face meetings about every two months.
Each of these sources is quite brief, and therefore there is little new information to be gleaned about the draft specification, short of downloading it and diving in yourself. For those not so able or inclined, though, here is one outtake from Brian's blog that is instructive regarding the differing approaches (and constraints) represented by the ODF and the XML Open approaches:
There have been a number of stories published on-line in recent days that warrant both comment and qualification. The good news is that more and more journalists are being attracted to the OpenDocument Format (ODF) story, largely because of the increasing credibility of the threat to Microsoft Office that ODF poses. A measure of the appeal of that story line is the fact that it is beginning to surface in articles appearing in the mainstream press (look for a story in Fortune magazine this week, for example). The bad news is that some of these articles have been poorly researched and/or reported. The result is that more care is now needed when reading the news than was required a short while ago when only a small number of reporters were covering the story, each of whom had taken the time to acquire a good understanding of what was involved, and had the chronology of events and the facts in focus. Freelancer John K. Waters and ComputerWorld's Carol Sliwa, in particular, have impressed me with the quality of their coverage.
In this entry, I'll look at some of the significant news that has broken in the past week, and highlight the ways in which I believe it has, and hasn't, been accurately reported on-line.
Let's start with one of the big news stories that emerged yesterday: the first public, pre-release demonstration by IBM of some of the ODF-supporting features of its new "Hannover" release of Lotus Notes. The news that the next release of the Notes client would support ODF is not new (IBM had announced last January that its Workplace Managed Client (WMC) software would support ODF), but the demo offered a media opportunity to showcase the fact that progress was proceeding apace. The first article to be issued of which I am aware was reported from the Deutsche Notes Users Group conference in Karlsruhe, Germany, where the demonstration was given. You can find it here.
Just over a week ago, I posted the first of what I hope will be a complete set of interviews with the developers of the major open source and proprietary software suites that implement ODF. That interview was with KDE's Inge Wallin, and addressed the KOffice suite — one of the two best known open source implementations of ODF. Today, it's the turn of OpenOffice — the other well-known open source implementation of ODF, and the most implemented of all software packages that support ODF. The interview that follows is with Louis Suarez-Potts, OpenOffice's Community Manager (LSP in the responses below), and John McCreesh, Marketing co-lead (JM).
The purpose of this series of interviews is to provide a comparative picture of the evolving ODF landscape, highlighting the strengths (and weaknesses) of each current implementation, so that potential users can judge which alternative is right for them. At the same time, it will illustrate the fact that a standard such as ODF, far from limiting innovation, can instead enable a rich set of products that distinguish themselves with additional features to attract users to their particular flavor of the same software tool.
Each of the interviews contains the same set of comparative questions, plus a smaller number of queries directed at features, history, or other factors unique to that product. As with the KOffice interview, this series of questions and answers is included in full and unedited, with the goal of creating a record of the developer's or community's view of its product today, and its vision for the future of that product tomorrow.
At the end of the series, I will seek to summarize the results and, if possible, find a suitable expert(s) to provide their own comparative evaluation of the implementations. If you are such an expert and willing to participate, please get in touch with me.
"Public Relations" is one of those funny phrases that has very little to do with what it really means. At sixty thousand feet, it's about influencing opinion, which (at that altitude) doesn't sound all that bad. But when it gets down into the bushes, it starts to become a bit less innocuous, and more unsavory. For example, when you watch a political ad and listen to a smarmy voice malign another politician, you know exactly what's going on, and it's not pretty. Still, at least you have your radar spinning, and can take the statements for what they're worth, which is not expected to be much.
But how about messages that are delivered in sheep's clothing, in other contexts, where you don't expect to be listening to a paid political announcement, and therefore won't necessarily recognize what you're listening to for what it is?
Here's where the fun comes in (I use the word "fun" in the darkest and most cynical fashion), because in order for messaging to be effective, it must be consistent. And if it is consistent, it can be spotted. But once you learn how to spot it, you enter into a disquieting science fiction world where ostensibly innocent, normal people are suddenly revealed to be "them" - but only you can see them.
This blog entry is the first of what I fear will be a long series of posts where I will cut and paste outtakes from various sources, putting the key words from the script in bold, and paraphrasing the rest to thwart Googling. Over time, you can assemble the script yourself, and start spotting "them" yourself when you see them.
It's not my goal at this blog to nominate myself as the official FUD Ombudsman for the contest between the ODF standard and Microsoft's Open XML (especially since the connotations of the name "Ombudsman" in this saga ain't what they used to be). But a press release issued late Monday falls so neatly into the pattern that I wrote about two days ago that I'm not feeling a lot of choice on the matter this morning. Sadly, the text of that release also points out an unfortunate by-product of "objective journalism" - the ability to have outrageous statements broadly disseminated by journalists who feel bound to provide both sides of an issue, but don't have the time to research and report whether the statements are true or false.
The press release in question was issued by the Initiative for Software Choice (ISC), an affiliate of CompTIA, and is titled "Coalition Says Massachusetts' Search for ODF Plug-in Evidences Flaw in Mandate Policy." The news-based message of the release, as I read it, is that the issuance by the Massachusetts Information Technology Division (ITD) of a request for information illustrates that free market dynamics are preferable to imposed technical requirements. The press release concludes by saying: "We applaud these and subsequent, market-based developments."
David Gardner wrote a piece at InformationWeek.com based on the same press release, and titled it "Trade Group Blasts Massachusetts Call for Office Plug-in." Perhaps we shouldn't be too hard on David for getting the formal message wrong, because in fact he got the underlying message regarding the ITD's policy dead on.
For a sequel to this blog entry, see: A Tale of Two Press Releases: Big Lies and Objective Journalism
This blog entry is a rarity for me: an exegesis on the deliberate disinformation spread by a single vendor. I generally avoid a piece like this for two reasons: first, every vendor has its own PR agenda, with the differences being a matter of degree between the egregious and the merely disingenuous. More importantly, there is a risk when focusing on a single vendor of decreasing one's reputation for objectivity, despite the fact that one may certainly focus on the statements of a single source and fairly find them to be both inaccurate and cynical.
What persuaded me to take up the cudgels in this case was a quote I read earlier this week in eWeek, and then spotted again at Bob Sutor's blog today:
"You can achieve interoperability in a number of ways," said [Microsoft's] Robertson. Among them: joint collaboration agreements, technology licensing and interoperability pacts.
The reason this statement caught my eye was that Scott Edwards (also of Microsoft) had used virtually the exact same words at a NIST workshop that I spoke at a month or so ago, offering such methods as valid alternatives to "open standards." My reaction then, as now, is that such means can in no way represent equivalent alternatives to open standards, although they might offer an avenue to a single vendor, or to a cadre of vendors, to control a marketplace to their own advantage. When you hear something once, it can be an off-hand remark, but when you hear it twice, it's clear that it's a corporate talking point. And when it comes from the General Manager for Standards of a dominant vendor, it becomes worrisome.
Still and all, and to be fair, Robertson's statement is accurate in a technical sense, although when used in certain contexts (such as the NIST workshop) it can be misleading to an audience that isn't knowledgeable about standards.