Archive for September, 2010

Trend Micro’s Web site hacked in massive attack

Wednesday, September 15th, 2010

Security vendor Trend Micro’s Web site was hacked earlier this week in an attack that spread to hundreds of other sites, according to an InfoWorld report.

Trend Micro discovered the attack on Wednesday and took steps to shut it down. It affected about 20,000 Web pages written with Microsoft’s Active Server Pages Web development software. According to Trend Micro:

The malicious code tries to embed software that steals passwords from users as they visit Web sites, according to the report.

(A similar previous) attack seems to have started more than a week ago, and nearly 200,000 Web pages have been found to be compromised, most of which are running phpBB. This contrasts with (Wednesday’s) attack in that the vast majority of those were active server pages (.ASP). The ASP attacks are different than the phpBB ones in that the payload and method are quite different. Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

Trend Micro also provided a video demonstration of what the attack looks like from the end user’s perspective.

Study Developer activity on Facebook’s platform i

Monday, September 13th, 2010

One possible reason, Farmer wrote, is the fact that Facebook isn’t the only hub for social-network application developers anymore. Google kickstarted the OpenSocial standard last year, and Bebo, newly acquired by AOL, is currently the only social network that supports both Facebook and OpenSocial applications.

“Networks like Zynga and Social Gaming Network have cropped up in the last few months and have made it their business to consolidate the game space on Facebook, probably the only real vertical that has found success on the platform,” Farmer wrote. “Bigger companies like Slide and RockYou have been actively recruiting from the Facebook developer pool all along, too.”

Facebook developer Jesse Farmer, creator of developer analytics service Adonomics, did an extensive amount of number-crunching after coming to an odd observation earlier this year: “Something is wrong in the Facebook developer community,” Farmer wrote in a blog post Tuesday. “Starting in March I began noticing that the level of activity in the Facebook developers forum was dropping sharply.”

Farmer’s research confirmed his speculation: activity in the Facebook developer forum, from posts per day to highly active users, had fallen notably from January to April. In other words, that likely means there’s less activity on the part of independent developers hoping to tap into Facebook’s massive audience.

Is the Facebook platform doomed? Hardly. But if Farmer’s research is accurate, it’s a sign that the initial frenzy is finally quieting–it’s been a year, after all.

Or perhaps, he suggests, small-time developers might be disillusioned. Facebook, in an effort to curb spam, has instituted new regulations that some developers find controversial. Then there’s the presence of big application companies like Slide and RockYou, which dominate the rankings of the most popular Facebook applications and have valuations in the hundreds of millions. Not only do they dwarf smaller developers, but they also snap up programmer talent that might otherwise be independent.

All gold rushes must come to an end, and according to one new report, Facebook’s developer platform is no exception.

It could also mean, as Farmer pointed out, less chatter taking place in an open forum as application creators grow more concerned about the effect of competition in the packed developer space.

What do open-source mergers and acquisitions mean

Saturday, September 4th, 2010

Incidentally, this is why there is some cause for concern in Red Hat’s acquisition of JBoss. It doesn’t appear that Red Hat has done a good job of driving ancillary value from the JBoss team, many of whom have left for other opportunities. Red Hat may well end up making JBoss pay (in terms of revenue), but if it doesn’t get the JBoss personnel benefit then it has overpaid.

Indeed, that acquisition offers an interesting commentary on the value derived from open-source acquisitions. Here’s why Red Hat bought Cygnus:

I do mean, however, that it would be hard to single out Cygnus’ product revenue from the revenue-related and other contributions that the Cygnus team brought to Red Hat. Ditto for MySQL within Sun. MySQL database revenue will be one metric, but what Marten and team do to the overall culture and product revenue of Sun is something else entirely, and hard to measure in advance.

Royal Pingdom has compiled a list of the seven largest acquisitions in open source’s history. Sun’s acquisition of MySQL is the biggest ($1 billion), but it’s not nearly the outsized acquisition that it originally appeared to be considering that Red Hat paid $674 million for Cygnus Solutions back in 1999.

Anyone ever seen Red Hat’s market share in the embedded market? Not so great. The purported reason for the acquisition (or one of them) was a bust.

Today’s acquisition [of Cygnus] gives Red Hat an entree into “embedded” devices, machines whose inner workings such as operating systems and hardware usually are hidden from the person using it, Young said here in a keynote address. Until now, Red Hat has been focused chiefly on the server market. Now Red Hat will be able to take advantage of Cygnus’ strong relationships with embedded systems programmers, with the companies such as Sony and Fujitsu that build embedded devices and with chip manufacturers such as Intel that build chips for those devices….

Sun’s acquisition of MySQL will be judged on the product revenue that comes from MySQL, just as Red Hat has been judged on JBoss’ revenue post-acquisition. But it’s not so clear cut in an open-source company. I don’t mean that open-source companies shouldn’t be judged by financial metrics - of course they should.

But was the acquisition a bust? I don’t think so. Red Hat acquired significant development expertise and, frankly, Michael Tiemann. In an open-source company or community, people matter most. Remember Novell’s acquisition of Ximian? Mostly a waste of money in regard to the technology acquired. (Not much Evolution or Mono being sold by Novell.) But the people like Miguel de Icaza, Nat Friedman, etc.? That DNA was worth the money.

But this is another topic, one that I will address shortly in a separate post.
