Chinese Professor Cracks Fifth Data Security Algorithm SHA-1 added to list of "accomplishments" Central News Agency http://en.epochtimes.com/news/7-1-11/50336.html Jan 11, 2007 Associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology has cracked SHA-1, a widely used data security algorithm. TAIPEI—Within four years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) for digital signatures, and convert to a new and more advanced "hash" algorithm, according to the article "Security Cracked!" from New Scientist . The reason for this change is that associate professor Wang Xiaoyun of Beijing's Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. Wang also cracked MD5 (Message Digest 5), the hash algorithm most commonly used before SHA-1 became popular. Previous attacks on MD5 required over a million years of supercomputer time, but Wang and her research team obtained results using ordinary personal computers. In early 2005, Wang and her research team announced that they had succeeded in cracking SHA-1. In addition to the U.S. government, well-known companies like Microsoft, Sun, Atmel, and others have also announced that they will no longer be using SHA-1. Two years ago, Wang announced at an international data security conference that her team had successfully cracked four well-known hash algorithms—MD5, HAVAL-128, MD4, and RIPEMD—within ten years. A few months later, she cracked the even more robust SHA-1. Focus and Dedication According to the article, Wang's research focusses on hash algorithms. A hash algorithm is a mathematical procedure for deriving a 'fingerprint' of a block of data. The hash algorithms used in cryptography are "one-way": it is easy to derive hash values from inputs, but very difficult to work backwards, finding an input message that yields a given hash value. Cryptographic hash algorithms are also resistant to "collisions": that is, it is computationally infeasible to find any two messages that yield the same hash value. Hash algorithms' usefulness in data security relies on these properties, and much research focusses in this area. Recent years have seen a stream of ever-more-refined attacks on MD5 and SHA-1—including, notably, Wang's team's results on SHA-1, which permit finding collisions in SHA-1 about 2,000 times more quickly than brute-force guessing. Wang's technique makes attacking SHA-1 efficient enough to be feasible. MD5 and SHA-1 are the two most extensively used hash algorithms in the world. These two algorithms underpin many digital signature and other security schemes in use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang's research, there were other researchers who tried to crack it. However, none of them succeeded. This is why in 15 years hash research had become the domain of hopeless research in many scientists' minds. Wang's method of cracking algorithms differs from others'. Although such analysis usually cannot be done without the use of computers, according to Wang, the computer only assisted in cracking the algorithm. Most of the time, she calculated manually, and manually designed the methods. "Hackers crack passwords with bad intentions," Wang said. "I hope efforts to protect against password theft will benefit [from this]. Password analysts work to evaluate the security of data encryption and to search for even more secure … algorithms." "On the day that I cracked SHA-1," she added, "I went out to eat. I was very excited. I knew I was the only person who knew this world-class secret." Within ten years, Wang cracked the five biggest names in cryptographic hash algorithms. Many people would think the life of this scientist must be monotonous, but "That ten years was a very relaxed time for me," she says. During her work, she bore a daughter and cultivated a balcony full of flowers. The only mathematics-related habit in her life is that she remembers the license plates of taxi cabs. With additional reporting by The Epoch Times.

This is going to be a long one. Oracle recently announced that "it would provide the same enterprise class support for Linux as it provides for its database, middleware and applications products. Oracle starts with Red Hat Linux, removes Red Hat trademarks, and then adds Linux bug fixes." Oracle Announces The Same Enterprise Class Support For Linux As For Its Database Dell, Intel, HP, IBM, Accenture, AMD, BP, EMC, BMC, and NetApp Join Unbreakable Linux Program http://www.oracle.com/corporate/press/2006_oct/Oracle-Linux-Program.html REDWOOD SHORES, Calif., 25-OCT-2006 01:03 PM Today Oracle announced that it would provide the same enterprise class support for Linux as it provides for its database, middleware and applications products. Oracle starts with Red Hat Linux, removes Red Hat trademarks, and then adds Linux bug fixes. Currently, Red Hat only provides bug fixes for the latest version of its software. This often requires customers to upgrade to a new version of Linux software to get a bug fixed. Oracle's new Unbreakable Linux program will provide bug fixes to future, current, and back releases of Linux. In other words, Oracle will provide the same level of enterprise support for Linux as is available for other operating systems. Oracle is offering its Unbreakable Linux program for substantially less than Red Hat currently charges for its best support. "We believe that better support and lower support prices will speed the adoption of Linux, and we are working closely with our partners to make that happen," said Oracle CEO Larry Ellison. "Intel is a development partner. Dell and HP are resellers and support partners. Many others are signed up to help us move Linux up to mission critical status in the data center." "Oracle's Unbreakable Linux program is available to all Linux users for as low as $99 per system per year," said Oracle President Charles Phillips. "You do not have to be a user of Oracle software to qualify. This is all about broadening the success of Linux. To get Oracle support for Red Hat Linux all you have to do is point your Red Hat server to the Oracle network. The switch takes less than a minute." "We think it's important not to fragment the market," said Oracle's Chief Corporate Architect Edward Screven. "We will maintain compatibility with Red Hat Linux. Every time Red Hat distributes a new version we will resynchronize with their code. All we add are bug fixes, which are immediately available to Red Hat and the rest of the community. We have years of Linux engineering experience. Several Oracle employees are Linux mainline maintainers." DELL "As a customer with first hand experience of Oracle's outstanding support organization, Dell will use Oracle to support Linux operating systems internally," said Michael Dell, Chairman of the Board, Dell. "Oracle's new Linux support program will help us drive standards deeper into the enterprise. Today we're announcing that Dell customers can choose Oracle's Unbreakable Linux program to support Linux environments running on Dell PowerEdge servers." Intel "Having worked with Oracle for many years in the enterprise computing space, we believe that the Oracle Unbreakable Linux program will bring tremendous value to our mutual Linux customers," said Paul Otellini, President and CEO, Intel Corporation. "Our work with Oracle on this program will be an important extension to our longstanding enterprise computing relationship." HP "HP and Oracle's collaboration and testing of Linux with integrated stacks of hardware, software, storage, and networking has helped create numerous best practices across the industry. HP welcomes the addition of Oracle's Unbreakable Linux program to the portfolio," said Mark Hurd, Chairman and Chief Executive Officer, HP. IBM "Oracle's support for Red Hat Linux will encourage broader adoption of Linux in the enterprise," said Bill Zeitler, Senior Vice President & Group Executive, IBM Systems and Technology Group. "IBM shares Oracle's goal of making Linux a reliable, highly standard, cost effective platform for mission critical applications backed by world class support." Accenture "Linux is important to us, and to our customers," said Don Rippert, Chief Technology Officer, Accenture. "We applaud Oracle's efforts to bring enterprise-quality support to Linux with the Oracle Unbreakable Linux program announcement. Together with Oracle, we at Accenture look forward to making the Linux experience even better for our customers." AMD "Oracle's Unbreakable Linux program will greatly expand the servicing options available to our AMD Linux customers," said Hector Ruiz, Chairman and Chief Executive Officer of Advanced Micro Devices. "We are excited by the program's potential to further enhance the success of AMD Linux servers in the enterprise." Bearing Point "It is critical that our customers have true enterprise-quality support for their Linux deployments. Oracle's Unbreakable Linux program support delivers the level of confidence our customers need to run Linux in their data centers," said Harry You, CEO, Bearing Point. EMC "The combined power of EMC and Oracle solutions bring superior reliability, scalability, high availability, and now, enhanced enterprise supportability to Linux users. We are confident that joint Linux solutions from EMC and Oracle will deliver enterprise scale and quality while lowering the cost of infrastructure for our customers," said Joe Tucci, Chairman, CEO, President, EMC. BMC "As Oracle's only systems management ISV at the highest level in Oracle's Partner Program, BMC Software is excited to see Oracle's deepening commitment to Linux," said Bob Beauchamp, BMC Software President and CEO. "Business Service Management from BMC Software with the Oracle Unbreakable Linux program meets customer demand for lower cost and higher quality support for their infrastructure." NetApp "The world's largest enterprises must have the flexibility to quickly and continually adapt to today's rapidly changing business requirements, without incurring risk," said Dan Warmenhoven, CEO of Network Appliance. "The Oracle Unbreakable Linux program is designed to drive the key benefits of Linux - including flexibility, reliability, and simplicity - directly into the data center. The longstanding relationship between NetApp and Oracle has enabled us to continuously deliver superior enterprise solutions to enable business agility and improve reliability - all tenets of the NetApp brand." Oracle Support Oracle's breadth and depth of technical expertise, advanced support technologies, and global reach includes 7,000 support staff in 17 global support centers, providing help to our customers in 27 languages, in any time zone. Oracle has recently been awarded the J.D. Power and Associates Global Technology Service and Support Certification for "an outstanding customer service experience." "With the scale of our support organization we can provide much better Linux support at a much lower price," said Executive Vice President of Oracle Customer Services Juergen Rottler. "We have the expertise and infrastructure to improve substantially the quality of support for enterprise Linux customers." Enterprise Linux binaries will be available for free from Oracle. Enterprise Linux Network Support will be offered for $99.00 per system / per year. Enterprise Linux Basic support, which offers Network access plus 24x7 global coverage will be offered for $399 for a 2 CPU system per year and $999 for a system with unlimited CPU's. Enterprise Linux Premier Support, which offers Basic support plus back port of fixes to earlier releases as well as Oracle Lifetime Support will be offered for $1,199 for a 2 CPU system per year and $1,999 for a system with unlimited CPU's. Oracle and Linux Oracle has been a long-standing, key contributor to the Linux community. Oracle produced its first commercial Linux database in 1998. Since that time Oracle has worked steadily to improve the experience of all Linux users. Oracle's Linux Engineering team is a trusted part of the Linux community, and has made major code contributions such as Oracle Cluster File System that is now part of Linux kernel 2.6.16. Oracle has been and will continue contributing Linux related innovations, modifications, documentation and fixes directly to the Linux community on a timely basis. Now here's Red Hat's "interesting" response: Red Hat Responds http://www.redhat.com/promo/unfakeable/ The opportunity for Linux just got bigger. Oracle's support for Linux reaffirms Red Hat's technical industry leadership and the end of proprietary Unix. It's no accident that Red Hat was chosen #1 in value two years running. Want to know what else we think? Read on. Red Hat & Oracle Partnership Q: Does Oracle's recent announcement change Red Hat's partnership with Oracle? A: No. Red Hat has had a productive 7-year relationship with Oracle. Red Hat will continue to work closely with Oracle to optimize Red Hat Enterprise Linux and JBoss middleware subscriptions for Oracle products, and to support joint customers. Red Hat & JBoss Subscriptions Q: Does Oracle's announcement include support for the Red Hat Application Stack, JBoss, Hibernate, Red Hat GFS, Red Hat Cluster Suite, and Red Hat Directory Server? A: No. Oracle does not support any of these leading open source products. Hardware Compatibility Q: Oracle says their Linux support includes the same hardware compatibility and certifications as Red Hat Enterprise Linux. Is this true? A: No. Oracle has stated they will make changes to the code independently of Red Hat. As a result these changes will not be tested during Red Hat's hardware testing and certification process, and may cause unexpected behavior. Hence Red Hat hardware certifications are invalidated. Software Compatibility Q: Oracle says their Linux support includes the same software compatibility and ISV certifications of Red Hat Enterprise Linux. Is this true? A: No. Oracle has stated they will make changes to the code independently of Red Hat. These changes will not be tested during Red Hat's software testing and certification process, and may cause unexpected behavior. Hence Red Hat software certifications are invalidated. Binary Compatibility Q: Will Oracle's Linux support be binary compatible with Red Hat Enterprise Linux so that my applications continue to work? A: There is no way to guarantee that changes made by Oracle will maintain API (Application Programming Interface) or ABI (Application Binary Interface) compatibility; there may be material differences in the code that will result in application failures. Compatibility with Red Hat Enterprise Linux can only be verified by Red Hat's internal test suite. Source Code Compatibility Q: Will Oracle's product result in a "fork" of the operating system? A: Yes. The changes Oracle has stated they will make will result in a different code base than Red Hat Enterprise Linux. Simply put, this derivative will not be Red Hat Enterprise Linux and customers will not have the assurance of compatibility with the Red Hat Enterprise Linux hardware and application ecosystem. Indemnification Q: What do Customers need to give in order to get Oracle's indemnification? A: Customers are required to provide Oracle with IP indemnification without financial limitation for any software or materials provided to Oracle (e.g. patch or enhancement). Unlike Oracle, a Customer's liability is not capped at the value of the software or materials it provides to Oracle. Q: Are backports covered by Oracle's indemnification? A: Only if Oracle has not released a later non-infringing version of the code. Red Hat's Open Source Assurance covers all released versions and updates. Q: What protection does Red Hat provide? A: Under Red Hat's Open Source Assurance Program, if the Red Hat Software is found to infringe, Red Hat will (a) obtain the rights necessary for Customer to continue to use the Software; (b) modify the Software so that it is non-infringing; or (c) replace the infringing portion of the Software with non-infringing. And it also provides for indemnification. Q: So in the end, is Oracle's indemnification revolutionary? Does it provide greater value? A: No. With its Open Source Assurance Policy, Red Hat focuses on the Customer's business continuity in the face of an infringement claim. With Oracle's indemnity program, you only get an indemnity so long as you give Oracle an unlimited one in return. Updates Q: Oracle says they will provide the same updates as Red Hat Enterprise Linux. Can they do this? A: There are multiple requirements to building binary compatible software. One piece is the source code; another is the build and test environment. While Oracle may be able to take the source code at some point after a Red Hat update release, obviously their build and test environment will be inherently different than that of Red Hat Enterprise Linux. For similar reasons, there is no guarantee that the source code for the Red Hat Enterprise Linux update will work correctly when integrated into Oracle's modified Linux code base. Support & Maintenance Lifecycle Q: In order to get support and maintenance for Red Hat Enterprise Linux, do you need to upgrade to the most recent version? A: No. Red Hat subscribers enjoy support and updates for all versions for up to 7 years. Throughout that time, Red Hat provides regular maintenance releases as part of the Red Hat Enterprise Linux subscription. This is supplemented through our support services by a 'hot-fix' process that provides critical bug fixes on a customer-specific basis. Oracle "reserves the right to desupport certain Enterprise Linux program releases" as part of their Oracle Enterprise Linux support policies. Support Level Flexibility Q: Does Red Hat allow you to tailor your support level to your workload? A: Yes. Many customers match their Red Hat Enterprise Linux subscription level to their application SLA requirements. For example, customers may choose a Basic subscription for non-mission critical file and print servers, while selecting Premium subscriptions for database servers. Oracle does not allow this flexibility - their support policy reads: "If acquiring Enterprise Linux Premier Support, all of your Oracle supported systems must be supported with Enterprise Linux Premier Support." Security Q: Can Oracle produce timely security updates to Red Hat Enterprise Linux as they stated? A: No. There will be a delay between the time a Red Hat Enterprise Linux update is issued and the time the source code makes its way to Oracle. There is no guarantee that the source code for the Red Hat Enterprise Linux update will work correctly when integrated into Oracle's Linux code base; this integration and test will take additional time. In the case where the update corrects critical security flaws, Oracle customers may be exposed to additional risk. Linux Assurance Q: Red Hat Enterprise Linux has government security certifications including Common Criteria Evaluated Assurance Level (EAL) 4+/Controlled Access Protection Profile (CAPP). Will Oracle's version of Linux inherit these certifications? A: No. Common Criteria evaluations are conducted on a specific configuration of software and hardware. Any changes to the software such as those Oracle has announced will invalidate certification. Customer Collaboration Q: Will Oracle's Linux customers have the same degree of influence over Oracle's Linux as Red Hat's customers do with Red Hat Enterprise Linux? A: The support we provide for Red Hat Enterprise Linux starts when Red Hat and its customers collaborate in the design of new versions. This collaboration extends through the development, testing, and production deployment of Red Hat Enterprise Linux. Vendors of a derivative distribution are simply not positioned to provide their customers the same collaboration opportunity. Support Partners Q: Hardware vendors such as Dell, HP, and IBM provide support for Red Hat Enterprise Linux. How is Oracle's support offering different? A: Red Hat's hardware partners provide front line support to customers, backed by Red Hat. Red Hat has a close contractual relationship with these partners, which requires training, well defined escalation paths, Red Hat back-line support, and cooperative customer issue management. Our joint customers enjoy the same degree of collaborative participation as any Red Hat customer.

From: "Fyodor" <fyodor@insecure.org> Subject: Seclists.Org shut down by Myspace and GoDaddy Date: Thu, January 25, 2007 5:47 pm To: nmap-hackers@insecure.org Hi everyone, Many of you reported that our SecLists.Org security mailing list archive was down most of yesterday (Wed), and all you really need to know is that we're back up and running! But I'm going into rant mode anyway in case you care for the details. I woke up yesterday morning to find a voice message from my domain registrar (GoDaddy) saying they were suspending the domain SecLists.org. One minute later I received an email saying that SecLists.org has "been suspended for violation of the GoDaddy.com Abuse Policy". And also "if the domain name(s) listed above are private, your Domains By Proxy(R) account has also been suspended." WTF??! Neither the email nor voicemail gave a phone number to reach them at, nor did they feel it was worth the effort to explain what the supposed violation was. They changed my domain nameserver to "NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM". Cute, eh? I called GoDaddy several times, and all three support people I spoke with (Craig, Ricky, then Wael) said that the abuse department doesn't take calls. They said I had email abuse@godaddy.com (which I had already done 3 times) and that I could then expect a response "within 1 or two business days". Given that tens of thousands of people use SecLists.Org every day, I didn't take that well. When they realized I was going to just keep calling until they did something, they finally persuaded the abuse department to explain why they cut me off: Myspace.Com asked them to. Apparently Myspace is still reeling from all the news reports more than a week ago about a list of 56,000 myspace usernames+passwords making the rounds. It was all over the news, and reminded people of a completely different list of 34,000 MySpace passwords which was floating around last year. MySpace users fall for a LOT of phishing scams. They are basically the new AOL. Anyway, everyone has this latest password list now, and it was even posted (several times) to the thousands of members of the fulldisclosure mailing list more than a week ago. So it was archived by all the sites which archive full-disclosure, including SecLists.Org. Instead of simply writing me (or abuse@seclists.org) asking to have the password list removed, MySpace decided to contact (only) GoDaddy and try to have the whole site of 250,000 pages removed because they don't like one of them. And GoDaddy cowardly and lazily decided to simply shut down the site rather than actually investigating or giving me a chance to contest or comply with the complaint. Needless to say, I'm in the market for a new registrar. One who doesn't immediately bend over for any large corporation who asks. One who considers it their job just to refer people to the SecLists.Org nameserver at 205.217.153.50, not to police the content of the services hosted at the domains. The GoDaddy ToS forbids hosting what they call "morally objectionable activities". It is way too late for MySpace to put the cat back in the bag anyway. The bad guys already have the file, and anyone else who wants it need only Google for "myspace1.txt.bz2" or "duckqueen1". Is MySpace going to try and shut down Google next? For some reason, this is only one of a spate of bogus Seclists removal requests. I do remove material that is clearly illegal or inappropriate for SecLists.org (like the bonehead who keeps posting furry porn to fulldisclosure). But one company sent a legal threat demanding[1] that I remove a 7-year old Bugtraq posting which was a complaint about previous bogus legal threats they had sent. Another guy[2] last week sent a complaint to my ISP saying that an image was child porn and declaring that he would notify the FBI. When asked why he thought the picture was of a child, he tried a different tack: sending a DMCA complaint declaring under penalty of perjury that he is the copyright holder of the photo! Michael Crook told me on the phone that he sent the DMCA request, but when I forwarded the info to the EFF (who is already suing this guy for sending other bogus DMCA complaints), he changed his mind and wrote that "after further review, I can find no record" or mailing the complaint. Most of the censorship attempts are for the full-disclosure list. It would be easiest just to cease archiving that list, but I do think it serves an important purpose in keeping the industry honest. And many good postings do make it through if you can filter out all the junk. So I'm keeping it, no matter how "morally objectionable" GoDaddy and MySpace may think it to be! In much happier Nmap news, I'm pleased to report that the Nmap project now has a public SVN server so you can always check out the latest version. Due to a bug in SVN, we use a username as "guest" with no password rather than anonymous. So check it out with the command: svn co --username guest --password "" svn://svn.insecure.org/nmap Then do the normal: ./configure make And install it or set NMAPDIR to "." to run in place. Among other goodies, this release includes the Nmap scripting language[3]. If you want to follow Nmap development on a check-in by check-in basis, there is a new nmap-svn mailing list[4] for that. But be prepared for some high traffic as you'll get every patch! 2007 will be a good year for Nmap! Cheers, Fyodor [1] http://seclists.org/nmap-dev/2006/q4/0302.html [2] http://seclists.org/nmap-dev/2007/q1/0067.html [3] http://insecure.org/nmap/nse/ [4] http://cgi.insecure.org/mailman/listinfo/nmap-svn _______________________________________________ Sent through the nmap-hackers mailing list http://cgi.insecure.org/mailman/listinfo/nmap-hackers Archived at http://seclists.org

The Open Source Developer Labs and the Free Standards Group have merged today as the Linux Foundation.

Novell and Microsoft Collaborate Frequently Asked Questions (FAQ) http://www.novell.com/linux/microsoft/faq.html Q. What are you announcing? Novell and Microsoft are announcing an historic bridging of the divide between open source and proprietary software. They have signed three related agreements which, taken together, will greatly enhance interoperability between Linux and Windows and give customers greater flexibility in their IT environments. Under a technical cooperation agreement, Novell and Microsoft will work together in three primary areas to deliver new solutions to customers: virtualization, web services management and document format compatibility. Under a patent cooperation agreement, Microsoft and Novell provide patent coverage for each others customers, giving customers peace of mind regarding patent issues. Finally, under a business cooperation agreement, Novell and Microsoft are committing to dedicate marketing and sales resources to promote joint solutions. Q. What does this mean for Linux? Novell and Microsoft recognize that many customers have, and will continue to have, multiple platforms, including Linux and Windows, in their environments. Customers are asking for highly reliable, secure, and interoperable solutions. Enabling easy and powerful virtualization of Linux on Windows and Windows on Linux is a great step forward towards this goal. Novell will continue to promote Linux as the premier platform for core infrastructure and application services. This deal strengthens Novell's commitment to the community through leading-edge development projects as well as the continued promotion of Linux in the marketplace. Novell recognizes the significant contribution open source developers have made to Linux and their reliance on the General Public License. The patent agreement signed by Novell and Microsoft was designed with the principles and obligations of the GPL in mind. Under this agreement, customers of SUSE Linux Enterprise know they have patent protection from Microsoft in connection with their use of SUSE Linux Enterprise, further encouraging the adoption of Linux in the marketplace. Q. Will Novell and Microsoft stop competing? This agreement is focused on building a bridge between business and development models, not removing competition in the marketplace. We will continue to compete in a number of arenas, including the desktop, identity and security management, and systems and resource management. At the product level, Windows and SUSE Linux Enterprise will continue to compete; however, the agreement is focused on making it easier for customers who want to run both Windows and Linux to do so. This is a very common relationship for large businesses where we simultaneously partner and compete in different areas. Q. I am a current Novell customer who subscribes to SUSE Linux Enterprise Server. Does the patent protection offered by Microsoft apply to me? Yes. The patent protection offered by Microsoft applies to ALL customers who subscribe to a SUSE Linux Enterprise product. It does not matter if you purchased SLES or SLED, if you bought it directly from Novell, from a reseller, from a distributor, or acquired it via a coupon from Microsoft. If you have a current subscription to SUSE Linux Enterprise, then you are covered by the Microsoft patent protection. Microsoft has provided a covenant not to assert its patent portfolio directly to customers who have purchased SUSE Linux Enterprise from Novell. Q. From the customer's perspective, what is covered in openSUSE? The patent agreement covers everything from openSUSE.org that is included in past and current Novell supported versions of SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop. It also covers future versions (for 5 years) of SUSE Linux Enterprise Server and SUSE Linux Enterprise Desktop, with recognition of the fact that development changes may occur that fall outside the terms of this agreement. While some future scenarios may not be included, we have established a working relationship and structure to have conversations about those issues as they arise. Q. Does this covenant apply to original equipment manufacturers (OEMs) that buy SUSE Linux Enterprise and preload or resell it? The covenant applies to end customers of Novell products. Q. Is this in response to recent events, such as Oracle's announcement about Red Hat? No. Negotiations on this agreement have been going on for many months. This agreement reflects a joint assessment by Novell and Microsoft that customers will be best served by ensuring Linux and Windows can interoperate effectively. In terms of a possible Oracle move to offer support for SUSE Linux Enterprise, Novell believes customers with heterogeneous networks are best served by an independent operating systems vendor like Novell with broad hardware and software support. Q. What are the financial benefits to Novell? To Microsoft? Novell anticipates the agreement will increase demand for SUSE Linux Enterprise, although they are not putting out any formal estimates. Through the improved interoperability and patent protection offered as part of this agreement, both Novell and Microsoft anticipate increased business opportunity through both best of breed product solutions and market differentiation. Q. What are the specifics of the agreement? Like many commercial transactions, the financial terms of the agreement are not being disclosed at this time. Under the technical collaboration agreement, the companies will create a joint research facility and pursue new software solutions for virtualization, management, and document format compatibility. These are potentially huge markets — IDC projects the overall market for virtual machine software to be $1.8 billion by 2010, and the overall market for distributed system management software to be $10.2 billion by 2010 — and the companies believe their investment in interoperability will make their respective products more attractive to customers. Under the business collaboration agreement, the companies will pursue a variety of joint marketing activities. In addition, Microsoft will distribute as part of a resale arrangement approximately 70,000 coupons for SUSE Linux Enterprise Server maintenance and support per year so that customers can benefit from the use of the new software solutions developed through the collaborative research effort, as well as a version of Linux that is covered with respect to Microsoft's IP rights. Under the patent agreement, both companies will make up-front payments in exchange for a release from any potential liability for use of each others patented intellectual property, with a net balancing payment from Microsoft to Novell reflecting the larger applicable volume of Microsoft's product shipments. Novell will also make running royalty payments based on a percentage of its revenues from open source products. Q. Does this mean that Microsoft will now sell Linux? No. However, as part of this agreement, Microsoft and Novell want to ensure our joint customers have the opportunity to take advantage of the improved interoperability and patent protection enabled by this agreement. To help promote these new solutions, Microsoft has purchased a quantity of coupons from Novell that entitle the recipient to a 1-year subscription for maintenance and updates to SUSE Linux Enterprise Server. Microsoft will make these coupons available to joint customers who are interested in deploying virtualized Windows on SUSE Linux Enterprise Server, or virtualized SUSE Linux Enterprise Server on Windows. For customers who have a significant Windows investment and want to add Linux to their IT infrastructure, Microsoft will recommend SUSE Linux Enterprise for Windows-Linux solutions. Q. What does this mean for customers? Customers have repeatedly told both Novell and Microsoft that flexibility is an increasingly important part of their data center. At a time when CIOs are being asked to do more with less, and improve utilization, virtualization is a key to solving that problem. Both Novell and Microsoft realize that the data center of the future will have both Linux and Windows as significant platforms. This agreement is all about making those two platforms work together, and providing the enterprise support for that interoperability that customers demand. By working together, Novell and Microsoft enable customers to choose the operating system that best fits their applications and business needs. Q. Why is the patent agreement important? The patent agreement demonstrates that Microsoft is willing to enter into agreements that extend its patent protection to open source customers. This is an important foundation in building the bridge between proprietary and open source software. One of the biggest perceived differences between open and closed source software revolves around intellectual property. Because open source software is developed in a cooperative environment, some have expressed concerns that intellectual property protections could be compromised more easily in open source. Today's agreement between Novell and Microsoft provides confidence on intellectual property for Novell and Microsoft customers. By mutually agreeing not to assert their patent rights against one another's customers, the two companies give customers greater peace of mind regarding the patents in the solutions they're deploying. Novell and Microsoft believe that this arrangement makes it possible to offer customers the highest level of interoperability with the assurance that both companies stand behind these solutions. Q. The press release indicates Microsoft is also pledging not to assert its patents against individual, non-commercial open source developers. How is this connected to Novell? Microsoft and Novell felt it was important to establish a precedent for the individual, non-commercial open source developer community that potential patent litigation need not be a concern. Microsoft is excited to more actively participate in the open source community and Novell is and will continue to be an important enabler for this bridge. For these reasons, both Novell and Microsoft felt it was appropriate to make this pledge for Microsoft not to assert its patents against the non-commercial community. Q. What are the exact terms of the individual, non-commercial developer patent non-assert? Who is covered and who is not? The terms of the individual, non-commercial developer patent non-assert are on www.microsoft.com/interop. You are covered if you are doing non-commercial open source software development. This includes individual enthusiasts, such as a student or a developer who does work on his own time on a project of personal interest to him. If you are compensated for your development, then your activities are considered "commercial", and you would not be covered. Q. How will the technical cooperation work? The two companies will create a joint research facility at which Microsoft and Novell technical experts will architect and test new software solutions and work with customers and the community to build and support these technologies. The agreement between Microsoft and Novell focuses on three technical areas that provide important value and choice to the market: Virtualization. Virtualization is one of the most important trends in the industry. Customers tell us that virtualization is one way they can consolidate and more easily manage rapidly growing server workloads and their large set of server applications. Microsoft and Novell will jointly develop the most compelling virtualization offering in the market for Linux and Windows. Web Services for managing physical and virtual servers. Web Services and service oriented architectures continue to be one of the defining ways software companies can deliver greater value to customers. Microsoft and Novell will undertake work to make it easier for customers to manage mixed Windows and SUSE Linux Enterprise environments and to make it easier for customers to federate Microsoft Active Directory with Novell eDirectory. Document Format Compatibility. Microsoft and Novell have been focusing on ways to improve interoperability between office productivity applications. The two companies will now work together on ways for OpenOffice.org and Microsoft Office users to best share documents and both will take steps to make translators available to improve interoperability between Open XML and OpenDocument Formats. Q. What are the main components of the business cooperation agreement? The business cooperation agreement addresses a series of issues designed to maximize the value of the patent cooperation and technical collaboration agreements, including: marketing, training, support, and sales resources. Q. By making it easy to run Windows virtualized on Linux, isn't Novell undercutting its own Mono project, which shares a similar goal? Mono provides developers a way to run applications designed using Microsoft .NET technologies to run on Linux and other platforms. Its main focus is the Linux desktop, where Mono has been leveraged to build a series of new services, including search, music playback, and more. Virtualization focuses on maximizing the value of server hardware by running multiple operating systems. It is used for server consolidation, workload balancing and other corporate needs. So while both approaches are designed to give customers flexibility in their IT systems, their focuses are quite different. Q. What does the patent agreement cover with regard to Mono and OpenOffice? Under the patent agreement, customers will receive coverage for Mono, Samba, and OpenOffice.org as well as .NET and Windows Server. All of these technologies will be improved upon during the five years of the agreement and there are some limits on the coverage that would be provided for future technologies added to these offerings. The collaboration framework we have put in place allows us to work on complex subjects such as this where intellectual property and innovation are important parts of the conversation.