IBM IHS And IBM WAS: Bash Vulnerability Update

The recently discovered Bash vulnerability (also known as Shellshock) affects Unix-based operating systems such as Linux and Mac OS X. In some non-default configurations, the vulnerability could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (Bourne-Again SHell) command shell.
IBM recently issued a bulletin to clarify that its IBM HTTP Server (IHS) and WebSphere Application Server (WAS), as shipped out of the box, are not vulnerable to the Bash flaw. However, action is required to confirm that no vulnerable scripts have been added to IHS.
According to IBM, any Bash fixes for its products will come through the operating-system (Unix) distribution. IHS ships neither bash nor CGI scripts, and it provides no bash-based functionality that could be tainted with user-supplied data; however, several modules included with IHS could invoke scripts that are.
Any user whose scripts carry a direct or indirect bash dependency may be exposed to remote attack if those scripts are configured to be invoked by the following Apache modules: mod_cgi, mod_cgid, mod_fastcgi, mod_include or mod_ext_filter.

  • By default, mod_cgid/mod_cgi will execute any scripts added to $IHSROOT/cgi-bin/ (which ships empty) and can be configured to execute scripts from other directories via ScriptAlias or “Options” directives that include ExecCGI (including “Options All”).
  • mod_include is loaded but not configured to process any includes (Options +Includes, XBitHack ON).
  • mod_ext_filter is not loaded or configured
  • mod_fastcgi is not loaded or configured

Use of these modules or directives may be via httpd.conf, an Include'd configuration file, or an .htaccess file. You can confirm the list of loaded modules by running apachectl -M (or httpd.exe -M) with any additional arguments (such as -f) that you normally use.
IBM highly recommends upgrading bash from your operating-system vendor. If you cannot apply the fixes for bash, unload the following IBM HTTP Server modules: mod_cgid, mod_cgi, mod_fastcgi, mod_include and mod_ext_filter until you can apply the bash fix or determine that the scripts these modules have been configured to execute do not use bash directly or indirectly.
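To make the module and directive check above repeatable, here is an added example in POSIX sh (it is not from the IBM bulletin or from IHS): it flags the five modules when they appear in apachectl -M output and flags the ScriptAlias, Options ExecCGI/Includes/All and XBitHack directives in configuration text, then reports a verdict. The apachectl -M output and httpd.conf fragment below are constructed sample input, and the /opt/IBM/HTTPServer paths are placeholders; this audits exposure through IHS but does not replace patching bash itself.

```shell
#!/bin/sh
# Added example (not IBM's bulletin or code): audit IHS/Apache for the module
# and directive combinations the bulletin names. Feed it the text of
# "apachectl -M" (or "httpd.exe -M") and of httpd.conf plus Include'd files
# and .htaccess files. Plain POSIX sh so it runs on AIX, Linux, etc.

# Module names as "apachectl -M" prints them, for the five modules listed:
# mod_cgi, mod_cgid, mod_fastcgi, mod_include, mod_ext_filter.
RISKY_MODULES="cgi_module cgid_module fastcgi_module include_module ext_filter_module"

# Directives the bulletin lists: ScriptAlias, Options carrying ExecCGI /
# Includes / All (a "+" prefix counts, a "-" prefix does not, IncludesNOEXEC
# is not flagged) and XBitHack on. Directive names are case-insensitive,
# so this is always used with grep -i.
RISKY_DIRECTIVE_RE='ScriptAlias|Options([[:space:]]+[-+]?[A-Za-z]+)*[[:space:]]+[+]?(ExecCGI|Includes|All)([[:space:]]|$)|XBitHack[[:space:]]+on'

# risky_loaded_modules MODULE_LIST
#   Prints, one per line, each risky module present in the -M output.
risky_loaded_modules() {
    for _m in $RISKY_MODULES; do
        # -M prints lines such as " cgid_module (shared)"
        printf '%s\n' "$1" | grep -qE "^[[:space:]]*${_m}[[:space:]]" && printf '%s\n' "$_m"
    done
    return 0
}

# risky_directives CONFIG_TEXT
#   Prints every non-comment config line matching RISKY_DIRECTIVE_RE.
risky_directives() {
    printf '%s\n' "$1" | grep -vE '^[[:space:]]*#' | grep -iE "$RISKY_DIRECTIVE_RE" || true
}

# shellshock_exposure MODULE_LIST CONFIG_TEXT
#   EXPOSED       risky module loaded and a directive routes requests to scripts
#   MODULES_ONLY  risky module loaded, no directive found (still unload it
#                 until bash is patched, as the bulletin advises)
#   CLEAR         none of the five modules is loaded
shellshock_exposure() {
    _mods=$(risky_loaded_modules "$1")
    _dirs=$(risky_directives "$2")
    if [ -n "$_mods" ] && [ -n "$_dirs" ]; then echo EXPOSED
    elif [ -n "$_mods" ]; then echo MODULES_ONLY
    else echo CLEAR
    fi
}

# Constructed sample input standing in for real -M output and a real
# httpd.conf; the paths are placeholders, not a particular installation.
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 cgid_module (shared)
 include_module (shared)
 rewrite_module (shared)'

SAMPLE_CONF='# constructed httpd.conf fragment
LoadModule cgid_module modules/mod_cgid.so
ScriptAlias /cgi-bin/ "/opt/IBM/HTTPServer/cgi-bin/"
<Directory "/opt/IBM/HTTPServer/htdocs/app">
    Options -Indexes +ExecCGI
    XBitHack on
</Directory>
<Directory "/opt/IBM/HTTPServer/htdocs/static">
    Options -ExecCGI
    Options +IncludesNOEXEC
</Directory>'

# On a live server, replace the samples with:
#   shellshock_exposure "$(apachectl -M 2>&1)" "$(cat /path/to/httpd.conf)"
echo "Risky modules loaded: $(risky_loaded_modules "$SAMPLE_MODULES" | tr '\n' ' ')"
echo "Risky directives:"; risky_directives "$SAMPLE_CONF"
echo "Verdict: $(shellshock_exposure "$SAMPLE_MODULES" "$SAMPLE_CONF")"
```

The verdict only covers the IHS side; a script reached through mod_cgid that never touches bash is safe, and one that does is safe once the OS vendor's bash fix is applied.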
Not sure if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].
(Photo by zodman under Creative Commons license.)

IBM Worklight Foundation Now Available In Cloud Version

IBM Worklight Foundation is a tool that helps users easily extend their business to mobile devices. It’s best known for its open, comprehensive platform that allows users to build, test, run and manage native, hybrid and mobile web apps. It reduces both development time and maintenance overhead (hence the “light” name).
If you’re competing against other businesses to bring an app or use case to mobile, Worklight slices the time-to-market and helps beat the competition.
IBM recently announced the availability of a new Worklight Foundation Cloud Edition V6.2. With this new option for deployment, current Worklight Foundation customers can leverage their existing Worklight investment by deploying their applications in the cloud.
The Worklight Cloud edition also helps clients to:

  • Accelerate web, hybrid, and native mobile development
  • Engage users by integrating applications with existing enterprise data
  • Facilitate application security and trustworthiness
  • Provide support for mobile IT operations

In terms of platforms, Worklight Cloud simplifies the development of mobile web, hybrid, and native applications across iOS, Android, BlackBerry, Windows™, Windows RT, Windows Phone, and Java™ ME.
Also of note: It provides visual-development capabilities and source-code enhancements to help developers accelerate the development, test, and deployment of mobile applications in the cloud.
Interested in mobile development, deployment or integration? TxMQ can help. Initial consultations are free and communications are always confidential. Contact vice president Miles Roty for more information: (716) 636-0070 x228, [email protected].

How Videogames Drive Technology

For good or bad, I think this can be said as true: Major technological advances are driven by two factors – war and entertainment.
On the one hand is the practical military necessity for a nation to continue to advance at breakneck speeds to better defend itself in an uncertain world. It’s one of the darker sides of technology: That some of the most peacefully brilliant minds in history have developed some of the deadliest weapons.
On the other hand we have entertainment, and the necessity for businesses to continue to advance at breakneck speeds to develop the next trillion-dollar content genre or delivery platform.
My love affair with technology decidedly stems from the latter, when I was one of those bleary-eyed kids standing in dimly lit arcades pushing quarter after quarter into vector-graphic, analog-controlled standup videogames. I don’t think it’s any coincidence that all the branches of modern computing stem from the original video-game tree. To have been alive and to have gamed during those formative years of the computing industry was a privilege because it was the time when some of our most fundamental theories were developed.
Games gave us the idea of a balanced input and output – that a computer can do no more than what the user actually asks it to do, and that great advancements in computing will only stem from equally great advancements in input.
Games also showed us the legend of the backdoor – a principle made famous by Jim and Melvin in Wargames (clip can be viewed here). Tempest (1981) was the first arcade game I knew of with a significant built-in developer code to skip levels. It reminded us that as long as a human programmed a computer, there would always be a hidden shortcut. A vulnerability. A cheat.
Games painted worlds with the beauty of random and gave us a lasting respect for analog. What happened on the screen wasn’t just a function of a pre-scripted if>then argument. Just as in life, our movement affected the computations and no two games were ever the same. It allowed us to shake that nagging Protestant new-world mentality that everything is pre-determined – that we’re all part of some grand design.
Games delivered artificial intelligence – tens then hundreds then thousands of vectors and sprites reacting to an input and forcing adjustments. Games with the best AI were the best games. We believed in the Ghost in the Machine.
It continues and gaming still drives advancement. It’s the fuel that feeds the beast. Microsoft just paid over $2 billion for the free-form Minecraft. Games are a child’s first introduction to technology. Games like Angry Birds and Words With Friends drove social-media networking and mobile use through the roof and created billions in new revenue from age groups otherwise ignored.
Fact is, gaming has always driven technology and has always brought people together within that technology. The human need to game trumps our need to read and our need to know. Games were the seed that sprung the silicon revolution, and I believe that seminal relationship will continue.

Mobile Data: What It Means To 'Engage Customers In Context'

Here’s a stat to get you thinking:
Only 21% of marketers actively use mobile, but 81% of mobile leaders say that mobile fundamentally changed their businesses.
Bottom line: If your business touches the public, and you’re not using mobile, then your business is immobile.
The world of mobile-data analytics and marketing is undergoing a revolution. It’s driving new revenue and forging new connections to the public. And it allows businesses to engage customers in context.
What does it mean to engage customers in context? In the simplest terms, it means the ability to serve customers content and experiences that they want within certain surroundings or as events or experiences unfold.
Wimbledon’s a great example. Only a few hundred thousand people can attend the event. And television coverage is often limited to choice matches at inconvenient viewing times. IBM developed the Wimbledon app and crunched streaming analytics and big data to deliver real-time info on every point in every match on every one of Wimbledon’s 19 courts.
The data involved 101,778 tennis points across 660 matches, corresponding to 852,752 data points. A team of 48 statisticians – all of them high-quality tennis players – provided contextual data (like speed of the serve) to enrich the machine-collected data. All data was combined with historical performance data and live data from the web and social networks, then fed into an advanced set of analytical tools to provide real-time insight to sports analysts, TV presenters and the global audience.
Impressive? Absolutely. But the same tools can be employed within any business that engages customers. Instead of data about serves and historical matches and points totals, businesses can directly engage customers in the act of shopping, or searching, or traveling, or vacationing with information that incorporates social-media activity, preferred brands, coupons, recent purchases, weather forecasts and so on. Businesses that provide value, or important information, or community – in other words, businesses that engage their customers in context – realize a much greater ROI on their marketing spends.
That’s what it means to engage customers in context, and that’s why it’s so important.
It’s not automatic though. Efforts to engage in context take foresight, solid application integration and a business climate ready to embrace change within the new mobile landscape.
Interested in mobile development, deployment or integration? TxMQ can help. Initial consultations are free and communications are always confidential. Contact vice president Miles Roty for more information: (716) 636-0070 x228, [email protected].

IBM's SoftLayer and MobileFirst Portfolios Create Leadership Position In Latest Gartner Magic Quadrant Report

Gartner recently recognized IBM as a leader in its 2014 Gartner Magic Quadrant for Managed Mobility Services (MMS). The distinction is noteworthy for several reasons.
First is the scale of the report. Gartner evaluated 14 vendors, and among them, IBM was the only leader based on what Gartner described as “completeness of vision” and “ability to execute.” To distill it a bit more, IBM’s suite of services, including SoftLayer cloud services, delivers a top-to-bottom mobile support and integration solution – very important for shops that don’t want the hassle of mix-and-match technology and platforms.
IBM’s mobility services fall within its IBM MobileFirst portfolio – an enterprise initiative that is the first product of the recently announced partnership between Apple and IBM. MobileFirst enables clients to build and deploy mobile applications, and at the same time protect and manage the mobile infrastructure and engage customers in context. Think of it as a ground-up mobile approach – not a simple “desktop migration.”
Even though IBM continues to invest in its mobile-support and enablement portfolio, the Gartner report clearly shows the importance of a growing SoftLayer investment combined with the MobileFirst focus. That strategy continues to be strengthened with further acquisitions, including the purchase of Fiberlink, which specializes in mobile-device management and security.
Interested in a new way to develop and manage mobile? TxMQ is an IBM Premier Partner with capabilities across IBM’s mobile platforms. Contact vice president Miles Roty for more information: (716) 636-0070 x228, [email protected].
(Photo by Michael Coghlan under Creative Commons license.)

MQ Capacity Planner FAQ: Six Questions About The Tool

TxMQ will debut its new MQ Capacity Planner (for IBM WebSphere MQ) next week at the MQ Technical Conference in Sandusky, Ohio. This new tool allows for the testing of a virtually unlimited number of messages from any number of concurrent applications. It reveals micro details and offers a powerful lens to inspect, diagnose and performance-tune your MQ.
In anticipation of the pilot release, here’s a brief FAQ.
Which message patterns can MQCP measure?
MQCP can measure simple and multi-threaded Put: Local and Remote Queues, as well as Simulated Request/Response using UTurn and MQ-Triggered Process/Publish/Subscribe.
What specific metrics does MQCP deliver?
MQCP captures elapsed time in milliseconds, message size and number of threads to calculate TPS (transactions per second) and volume throughput. It also produces all statistical values to the 90th percentile to offer a more accurate measure of your environment’s Queue Manager/Infrastructure.
Does MQCP measure system usage?
Yes, MQCP measures CPU usage and wait times (using tools like Nmon for Linux and AIX and Perfmon for Microsoft platforms) from MQCP test cycles.
What are some of the customization options?
There are many. Some of the most important include configuration options for the Queue Manager and Queues to be used, MQ Client Connection options, Application Message Size options, and Application Reflection. Additionally, MQCP dynamically invokes the required application for getting and putting messages.
Are there any features to be added that are not found in the pilot release?
Yes, we are currently working to add a Trigger Monitor process, which is a custom Java Trigger Monitor supporting the Request/Response flow tests. The Trigger Monitor is configurable and is a production-ready process. We’re also adding publish/subscribe processes to support both JMS and native MQ Java processing. These publisher processes are configurable for multi-threaded publishing and message sizes.
Is TxMQ willing to address general questions about the product?
Yes, TxMQ will continue to discuss the product and respond to questions before, during and after the rollout. We encourage anyone with questions to contact us. Communications are always confidential.
Interested in trying the MQCP? Contact TxMQ president Chuck Fried and ask about the MQCP Pilot Program: (716) 636-0070 x222, [email protected].
(Photo by Taber Andrew Bain under Creative Commons license.)

So You Want To Be A Writer? Here's Some Advice From A Veteran

By the 8th grade I knew I was going to be a writer. It’s funny the way that happens – how some of us know exactly what we want to do at such a young age. Even funnier that I find myself telling my kids now that they’re “way too young to know what they want to do,” even though my oldest starts college next September.
Back then – which was about 1982, to date myself – it was a good thing I decided so early to become a writer. The industry was fairly closed. It was tough to make it. Opportunities were limited and you had to find some way into the walled pillars of publishing. So you had to prepare yourself to fail, and you had to prepare yourself to make very little money. But if you worked incredibly hard and were one of the very gifted few, you could eventually be anointed and live the rest of life on Easy Street.
How times have changed. The market is now exploding with opportunities for writers. Each assignment pays less – sometimes pennies compared to the dollars of old – but there’s incredible opportunity to volume-write. Every company needs content. Every market segment needs bloggers. Every IT department needs documentation. Every club needs publicity. Every social-media platform needs an opinion leader. Five stories a day at $50 each adds up quickly.
If you want to be a writer in today’s world (and really, it’s never too late to start), then you need to choose English or journalism or composition as a minor. There’s just not enough to teach about writing that demands a $100,000 college investment. Solid grammar, effective sentence structure, an active writing voice, well-scripted bridges and a focused topic can be learned with tools like the AP Manual of Style, a few good books and a dependable mentor. The study of Literary History, which is the English major, is an awesome degree that transports you into the center of the written record of the world’s greatest thoughts and works of art, but it’s more of a combined history/philosophy degree that has little to do with practical writing.
If you truly want to make a living writing, then major or co-major in a broader field such as engineering or biology or business or mathematics, then use your English minor or co-major to become a leading voice in a subject area you know and love.
Want to write novels? Every great novelist, including Mark Twain, had a day job. You’ll need one too. Which is why today’s writing trade is so exciting. You can actually find that day job and earn a living by writing content and human interest for a biotech firm, or an architecture firm, or a marine-biology firm, or a chemical company, or a retail chain, or a sustainable-tech startup.
That’s a wholly new phenomenon. It’s a byproduct of the Internet and the new service-driven economy.
The market for writers has never, ever been stronger. But if you don’t have an area of specialization, you’ll have trouble breaking in and you’ll face a steep climb toward a decent living and better jobs down the line. Trust me: That novel you want to write? It’ll be much easier to write with the peace of mind that comes with a comfortable chair, a decent meal, a livable apartment and a great health plan.
(Photo by David Turnbull under Creative Commons license.)

Shellshock / Bash Bug Vulnerability Bulletins And Fixes

Today’s breaking news of the Unix “Shellshock” vulnerability reminds me instantly of the famous auror-turned-Hogwarts-professor Alastor Moody, who preaches that the fight against the dark arts demands “Constant Vigilance.” Same for cybersecurity. Constant Vigilance.
Consider: The Heartbleed issue affected potentially 500,000 machines worldwide. The new Shellshock (or “Bash Bug”) could potentially affect 500 million.
Cures for the Shellshock vulnerability, at the time of this writing, are still being sorted out. It affects Unix-based operating systems such as Linux and Mac OS X, which in some non-default configurations could allow a remote attacker to execute arbitrary code on an affected system. The weakness lies within the Bash (for Bourne-Again Shell) command prompt.
The simplicity of an attack is what scares system admins the most: The vulnerability is truly easy to exploit.
The US Computer Emergency Readiness Team (US-CERT) is tracking the issue (see “Bourne Again Shell (Bash) Remote Code Execution Vulnerability”). Following is CERT’s list of vendors that are confirmed to be exposed to the vulnerability. This list is initial and is expected to grow.

US-CERT recommends the following system-specific pages for hardening and patch info:

US-CERT also recommends that users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Red Hat Security Blog for additional details, and that they refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash patch is also available for experienced users and administrators to implement.
Not sure where to start, or if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].

Go 'Lite' With Liberty Core Option For IBM WebSphere Application Server

Sometimes less is more. So beware of companies and consultants who want to sell you too much. Application-server software is a perfect example. If you’re a smaller shop, or a shop that runs lightweight apps, you probably don’t need a full-suite server-software deployment. TxMQ often advises clients to lighten up. Within an IBM environment, we commonly recommend WebSphere Application Server (WAS) Liberty Core rather than a full WAS Liberty Profile deployment.
Liberty Core offers an entry-level price point for smaller shops like small businesses and independent software vendors. But it’s also popular for larger enterprises – especially larger IT-development shops – where rapid app dev and deployment are the prime directives. The nice thing about opting for Core is the ease with which you can then upgrade into the entire WAS product sphere. There’s no penalty for starting small.
To lay out the Liberty Core option a bit more, the software helps you:

  • Leverage the integrated tooling to increase development productivity and complete projects much more quickly – all while adhering to open standards.
  • Save money through the more efficient use of resources – both human and metal. Think lightweight functionality that drives stout production.
  • “Future-Proof” your apps through the easy addition of custom or 3rd-party components.

As of this writing, Liberty Core was in version 8.5.5 with documented support for AIX, HP-UX, Linux, Solaris, Windows, IBM i and Mac OS.
TxMQ is ready to answer any and all of your application-server questions. Initial consultations are free and always confidential. Contact vice president Miles Roty: (716) 636-0070 x228, [email protected].

MQ Capacity Planner: More Info About MQ Monitoring

TxMQ is set to debut its new MQ Capacity Planner (MQCP) utility next week at the MQ Technical Conference in Sandusky, Ohio. We’re offering two live-demo sessions with MQCP author Allan Bartleywood:

  • Monday, Sept. 29 at 11:15 a.m.
  • Wednesday, Oct. 1 at 11:15 a.m.

For those who can’t attend, MQCP is a brand-new, proprietary MQ monitoring and testing utility for MQ message flow. More specifically, MQCP is a multithread testing tool for IBM WebSphere MQ environments that is capable of testing any volume of application-data messages generated by any number of concurrent application instances assigned to any number of queue managers in order to obtain highly detailed performance reports of queue times and package priorities measured against total message capacity, CPU loads and throughput times.
Results provide accurate estimates of optimal message sizes to better diagnose bottlenecks and boost overall MQ, network and application performance.
To dig a bit deeper into functionality, MQCP’s strength is in the detail. Typical MQ test scripts simply can’t offer the insight and absolute detail of MQCP, which essentially allows the user to shine a light into the dark corners of an MQ environment to reveal any cobwebs that slow down performance. And the tool is indispensable for network change control: Any time you change out a network configuration item, run MQCP again and compare performance to the previous baseline to measure how an implementation truly affects MQ performance. It’s really that simple.
More details on MQCP will emerge over the following weeks. There’s additional information included on our MQCP page (click here to visit).
Interested in trying the MQCP? Contact TxMQ president Chuck Fried and ask about our MQCP Pilot Program: (716) 636-0070 x222, [email protected].