Something is seriously wrong in Larry Land. Oracle does not command absolute control like it once did. You can see this clearly with the earnings the company posted last week and the growth that startups like Datastax are witnessing as more customers seek alternative databases for online applications.
Until this past week, the extent of Oracle’s problems was not known. But there is a cut, a slight bleeding that’s now visible. But how deep is the cut? How much is Oracle really bleeding? That’s exactly the question analysts asked in a Reuters story after the earnings results:
“Data base revenue, which has been the cash machine of the company, has changed. There are now alternative databases, as well as the cloud,” said Mark Moerdler, an analyst at Bernstein Research. “That pressure is still a tiny bleed, but it is out there and the question is – is it bigger than we think it is?”
We know this much. Oracle reported this week that new software licenses are down two percent. And that decline is in part reflected by the adoption of NoSQL databases offered by Datastax and a variety of other services that use in-memory technology at the database layer.
The reason for the drop has more to do with the enterprise acceptance of online applications than anything else, said Datastax CEO Billy Bosworth in an interview last week.
That’s the truth. NEA Ventures’ Scott Sandell said to me at SXSW that CIOs are convinced to move their workloads but cloud security is still an issue.
That’s where companies like Datastax enter the picture. Datastax is built on Cassandra, a high performance Apache open-source database technology with security at its core.
Here’s how Bosworth described it to me in February at the Strata Conference.
Datastax, founded in April 2010, finished its first year with 26 employees. It ended 2012 with 100 employees. Bosworth expects to have 160 people on staff by the end of this year.
Customer growth has increased significantly. By the end of 2011, Datastax had 27 customers. One year later it had 270, with 20 from the Fortune 100.
Several dozen of those customers have moved either all or parts of their application off relational technology such as what Oracle provides.
When companies come to Datastax, they say the number one thing they need is security, Bosworth said. They are building from day one to avoid disaster scenarios.
Datastax, like other NoSQL providers, spans its database technology in a fully distributed way, across private data centers and the cloud.
Datastax differentiates by offering high performance at scale but without complexity.
How customers use Cassandra reflects why Oracle’s growth has begun to stall. Often, customers will continue to use Oracle databases but will put them deeper in the backend. They will take another piece of the app and put it on Datastax.
Customers will build in a middle layer of services components that allows the app to decide which database to use for which workload.
Lighter Oracle workloads mean less revenue, which we see reflected in the company’s earnings.
To counter this swarming hive of distributed systems, Oracle has taken the opposite approach, building out engineered solutions with their software running on big, new age mainframes. That strategy does not seem to be working very well. Oracle bought Sun Microsystems with plans to sell the hardware with its software.
Analysts tend to agree:
“The problem is, the growth of SaaS (software as a service) applications is undermining that strategy. When you subscribe to salesforce.com, you don’t need to buy a database, middleware or hardware,” said Patrick Walravens, an analyst at JMP Securities in a Reuters story last week.
Oracle has lost money every quarter since it acquired Sun for $5.6 billion. And there is little proof that companies are going to start using one company like Oracle for all their hardware and software needs. Instead, they will mix Oracle software on commodity systems. Or they may even go with the new open-source server technology coming out of Open Compute. They have plenty of other options, too. OpenStack, the open cloud effort, is growing fast, as is Cloudstack, the open-source cloud service now part of the Apache Foundation.
Datastax has its own challenges. It competes with Amazon Web Services and all the other NoSQL providers such as 10gen. The ecosystem is still quite young. Finding qualified people is a challenge. Developers need more education, a change in thinking for the new cloud approach.
But overall, it’s clear that Oracle really is starting to show the pains of being an aging innovator. The earnings show a slight cut. The question is how deep the cut is and how Oracle will respond to challengers like Datastax.
Read this article: Oracle Is Bleeding At The Hands Of Database Rivals
Facebook on Friday announced its systems were compromised last month as part of a sophisticated attack exploiting a Java vulnerability. Although the investigation is still ongoing, the company says it has “found no evidence” that “user data was compromised.”
Facebook explains its security team discovered sometime in January that “a handful of employees” had visited an unnamed compromised mobile developer website hosting a Java exploit which then allowed malware to be installed on these employee laptops. Facebook says that the laptops in question “were fully-patched and running up-to-date anti-virus software.”
Facebook doesn’t give much of a timeline as to when the malware was installed nor when it discovered its existence. The company does say, however, that upon its finding, the infected computers in question were immediately remediated, law enforcement was contacted, and a “significant investigation” was launched “that continues to this day.” Facebook also says it is still working with security teams at other companies and with law enforcement authorities to learn everything about the attack and how to prevent similar incidents in the future.
Here’s the crux of what Facebook knows so far:
In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.
After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.
Security gurus will remember that on this day Oracle released Java 7 Update 13. That patch addressed 50 vulnerabilities and arrived more than two weeks early (the February 2013 Critical Patch was originally scheduled for February 19), but it was rushed out because Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”
It’s still not clear which one of the 50 fixed flaws was the reason for the JRE rush fix. As we noted when Update 13 was released, between the previous patch and this most recent one, multiple vulnerabilities have been publicly discussed: at least one was being sold for $5,000 on January 16, two we reported about on January 18, and another one was mentioned on January 28.
Facebook says it was not alone in this attack, declaring that “it is clear that others were attacked and infiltrated recently as well” but the company’s influence definitely got Oracle moving. The social firm also said it was “one of the first companies” to discover the malware and thus started sharing details about the infiltration with other affected firms and “entities.”
You might be wondering why Facebook is only revealing this information now, especially given that it has 1 billion users, many of whom share very personal information on the social network. The reason is simple: don’t share bad news until you have something good to say (in this case, that user data is safe as far as the company can tell right now, the malware has been removed, and the flawed software has been patched).
This is probably why Facebook has waited at least two weeks (it’s likely more given that the breach was discovered in January, but the company won’t say exactly when) to reveal it was attacked. It’s also likely the reason why the news is being revealed on a Friday, and not, say, a Monday.
Facebook made the following promise to its members and the broader public: “We will continue to work with law enforcement and the other organizations and entities affected by this attack. It is in everyone’s interests for our industry to work together to prevent attacks such as these in the future.”
Correct. This is not the first time popular software like Oracle’s Java has been used to infiltrate companies, it won’t be the last, and those affected need to team up to fight back.
Twitter has announced that this week it was the recipient of an attempt by a hacker to gain unauthorized access to its users’ data. In a blog post, it says that approximately 250,000 users may have been compromised as a result with limited user information accessed, including usernames, email addresses, session tokens, and encrypted/salted versions of passwords.
The attack on Twitter comes at a time when media companies such as the Wall Street Journal and the New York Times have also been affected, with some accusing the Chinese government of being behind it. With regards to Twitter, no evidence has been found yet linking the cyberattack to China, but the social network has said that it discovered one live attack and shut it down in process moments later.
While it believes that a “very small percentage” of its users were “potentially affected”, it is encouraging everyone to ensure that passwords are secure — or follow “good password hygiene” — wherever they need to use login credentials. Please don’t use common ones, like these, for example.
To that end, Twitter has reset passwords and revoked session tokens for those accounts it believes were affected. If you received an email from Twitter at the address assigned to your account, it might be a sign you could have had your account compromised and that you will need to create a new password. Twitter says old passwords will not work anymore.
According to Bob Lord, Twitter’s Director of Information Security:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
This isn’t the first time Twitter has faced an attack by hackers. Last May, the company had approximately 55,000 accounts compromised with accounts belonging to celebrities attacked in the process. In November, Twitter again sent emails to some users warning them that their accounts may have been compromised because of another hack.
Twitter has warned users to pay attention to an advisory by the US Department of Homeland Security that encourages users to disable Java on their computers.
If you’ve been following TNW’s coverage about Java, you’ll know that just today, Oracle announced the release of Java 7 Update 13 to address 50 vulnerabilities. It seems that every time an update is released, more vulnerabilities with Java are found. This time, Oracle was notified of “active exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers.”
Here is the email that Twitter is sending out to those it believes were affected by the hacking:
If you don’t know if your account was affected and you wish to change your password, you can update it here.
Read the original post: Twitter says that it was hacked and 250,000 users may have been compromised
Databases aren’t sexy, but they’re the absolute foundation of the tech world, the ground on which all of its edifices are constructed. You probably use a hundred every day. At least. They’re like the Spice in Dune: “S/he who controls the database, controls the universe!” Well, don’t look now, but that universe is beginning to quake.
In the beginning was the flat file, and lo, it was pretty awful, so help us Codd. Then came SQL and Larry Ellison, who inexplicably became the world’s sixth-wealthiest man on the back of the thoroughly mediocre Oracle database. (I once spent several months as an Oracle developer. It was the longest several months of my professional life.)
For a long while the relational-database triumvirate of Oracle, IBM’s DB2, and Microsoft’s SQL Server ruled unchallenged, with Oracle first among equals. Then came the open-source revolution, and MySQL and PostgreSQL. (As well as SQLite, which runs on mobile devices. But everyone knew 10 years ago that that was just a niche market. Right?)
Then Web 2.0 hit, and it turned out that relational databases did not scale well. Oh, they were fine up to a point. But when the whole world starts hitting your server? Your server falls over. Facebook still runs on MySQL, but they have to jump through many (expensive) brilliant hoops to do so. Same with Twitter. Reddit abandoned traditional relational-database design entirely.
Google tackled this problem before anyone else, as usual, with its BigTable database, which scaled brilliantly…at the cost of several quirks, including forbidding more than one inequality operator per query. (For instance, if you have a database of “boxes,” you can search for boxes with “length greater than 5” or “width greater than 3”…but not both at the same time. I’m actually very fond of BigTable, which I’ve used fairly extensively, but I have on multiple occasions found this infuriating.) This ushered in the age of NoSQL. MongoDB, CouchDB, arguably Redis, etc: They scaled like crazy! And they were really easy to use!
Unfortunately, they had to sacrifice a few things that relational databases were good at. Like transactional integrity. You could have a database that scaled really well, or you could have ACID (Atomicity, Consistency, Isolation, Durability. Trust me, these are all important things.) But you couldn’t have both. Everyone knew that. Engineering is a question of optimizing compromises, that’s all. You always have to compromise. Everyone knows that.
Well. Almost everyone.
It turned out that within Google, there were a whole lot of people who didn’t think too much of BigTable and its limitations. So they went and built Spanner, a relational database that doesn’t just scale, but scales across the planet. Meanwhile, FoundationDB was attacking the problem from one end, creating a datastore that is both NoSQL and ACID, while Clustrix was making a relational database that can happily and seamlessly scale horizontally as you add more servers. (As of this week they launched on Amazon Web Services, too.)
Database admins are famously conservative. Which makes sense. You don’t want to mess with your data. Again, it’s the ground on which everything else is built. And once you’ve gone and built an entire system upon a database, the last thing you want to do is migrate to another one. But at the same time, DB technology has been advancing by leaps and bounds, especially of late.
So the database(s) you’re using at your workplace? They’re probably not the best available; in fact, they’re probably pretty bad, relatively speaking; and that’s probably not going to change anytime soon. It’s food for thought the next time you expect some new technology to thoroughly revolutionize the world just because it’s better than all its competition. Most of the world doesn’t want to be revolutionized. Most of the world likes its databases just fine. You can’t convince them to change; you have to drive them to it.
More here: Your Database Is Probably Terrible
When we decided to focus on selling to enterprises five years ago at Box, we saw some exciting emerging trends: workers needed tools that were far simpler to use; cloud-delivered technology meant that IT departments could spend less time maintaining infrastructure and play a more strategic role in organizations; and with enterprise incumbents getting far too comfortable with the status quo, a massive opportunity opened up for startups to respond to the rapidly changing needs of customers.
A lot has happened in the five years since. Workers not only went around archaic software by bringing new, unsanctioned services into their organizations, but IT departments finally paid attention. The iPad launched, and created the ever-morphing tablet category, demanding an all-new set of applications along with it. And CIOs finally warmed up to the cloud, sending incumbents scrambling.
Perhaps most intriguingly, sentiment is finally catching up with opportunity. Whereas “enterprise” was glaringly absent from Paul Graham’s “Frighteningly Ambitious” list of startup ideas early last year, this won’t happen again in 2013.
In just the last quarter, Workday had an unparalleled IPO and is now valued at just around $9 billion. Meraki, just a few years after transitioning to focus on enterprise, was gobbled up by its main competitor, Cisco, for $1.2 billion. Eloqua, too, was swept up for around $900 million by Oracle as it wages battle with cloud rival Salesforce.
And as we look ahead to the next five years, we’re realizing that the scale of disruption is far greater and deeper than we originally imagined. The advantages and opportunities we saw in 2007 were just vibrations on the surface of much more violent tectonic shifts.
We’re about to witness a decade-long changing of the guard, and nearly $1 trillion of enterprise value is up for grabs.
The rise of PCs produced an enterprise IT model that was quite profitable for Microsoft and few others. But today, this model is quickly crumbling. Wintel is giving way to a whole new set of technology platforms, driven primarily by mobility, and the software buyer of 2013 is far more concerned with supporting and securing the devices that leave the office than those that stay within.
“Mobile” doesn’t just introduce a new endpoint for software delivery in the enterprise; it topples the long-standing architecture of the enterprise software world, and with it, long-standing monopolies.
Innovation led by Apple, Samsung, Google and others is irreversibly changing the technology makeup of today’s organizations. While Windows still dominates desktops with ~90 percent market share, it is behind in the smartphone and tablet categories with single-digit penetration. And it’s not just that people are buying more mobile phones and tablets. They’re actually buying fewer PCs in aggregate, as well.
Only five years ago, a CIO could deploy software from Microsoft and not wince about integration concerns, but today that’s far from the case. In speaking with hundreds of CIOs, we find they all share a common concern: Legacy vendors won’t move fast enough to support these new platforms at the rate they’re being adopted by employees.
Startup vendors have proliferated in the enterprise at an unexpected rate, solving problems the incumbents can’t. Services like MobileIron, Airwatch, Good, Lookout, OpenDNS’s Umbrella and Divide secure these devices as they enter the enterprise; Parse and Appcelerator have evolved how mobile enterprise apps are getting built; and software like CloudOn, Domo and Notability are engineering the next wave of killer apps that make these devices productive in an enterprise context.
In all of these cases, a new landscape is emerging for the CIO to contend with – or embrace – and it’s driving an all-new IT architecture of the future.
In the previous predominant IT architecture (client-server), leading vendors built an expertise at selling entire application suites: everything from content management and CRM to ERP. It was a very attractive, and almost necessary, offer for IT buyers – mixing and matching independent solutions was wildly impractical if not impossible. Each new system implemented took on significant fixed and variable costs, as well as new skills and talents required. Integration? Just give up now. Companies like Microsoft, Oracle and IBM championed a vision of buying all, or most, of your technology from a single provider.
Bill Gates, circa 1997: “Customers wanted somebody who integrated the user interface and made all the software work together. That is just more attractive than having piece parts that people buy separately.”
Or take an equally self-interested pitch from Larry Ellison: “It’s incredibly difficult and expensive to make these systems communicate at all.” His solution? Buy up the market and tie all the solutions together.
The consequence of this aggregation was that startups had little chance to compete for customer wallet share. Vendors once dominated by being “good enough” at everything, but truly amazing at nothing; today that no longer satisfies customers.
And an emerging “cloud stack” is leveling the playing field. The synergies customers (theoretically) once achieved by buying from a single vendor can now be achieved by buying from multiple vendors.
A customer interaction on Facebook can spawn Zendesk tickets, which then propagate inside of Salesforce; employee records from Workday can be seamlessly loaded into Salesforce’s Work.com; financial analysts can navigate customer data in Zuora visually using GoodData. A new level of openness has emerged with cloud solutions, allowing better results to be driven from all applications. And each new cloud solution can often be implemented with an order of magnitude less cost and support than its on-premise counterpart.
Previously, if you had a large enough IT staff, you could support the costly and breathtakingly large deployment of Oracle Financials or EMC’s Documentum. But organizations with only a handful of employees – millions of businesses worldwide – were out of luck.
For enterprise vendors, the cost of selling to SMB customers simply wasn’t worth the contract value; and for businesses, the upfront infrastructure and licensing fees were cost-prohibitive. But with cloud solutions, a small and medium-sized business operates on the same technology that its far larger counterparts use, only at a fraction of the cost.
Today, viral marketing, freemium, and lower-cost acquisition are causing startups like Wave, Base, and Xero to attract hundreds of thousands of SMBs globally to solutions that would have never taken off a decade ago. Together, these companies will dramatically expand the market size of business software – the SMB cloud market is estimated to be nearly $50 billion by 2015 – while addressing a space that is virtually inaccessible to incumbent players.
And the pie isn’t just expanding to include businesses of different sizes; it’s expanding to include new geographies, too. With the cloud, you’re inherently global on day one, making an international focus key to success. Markets like Brazil, Singapore, Japan, India and Europe will experience growth rates of SaaS adoption that surpass the U.S. in the next five years. Companies like Zendesk, Netsuite, and Salesforce already see significant portions of their revenue coming from overseas.
Thanks to the emergence of an all-new IT architecture and the rise of the cloud stack, once-loyal customers are ditching slow-moving incumbents for a new guard of enterprise vendors. Meanwhile, customers that were never served by the old guard are getting access to best-in-class technology for the first time. We’re just at the beginning of this shift, but it will be one of the most profound and disruptive turnovers in the history of technology.
Read the rest here: The Changing Of The Enterprise Guard