Monday, March 30, 2009

DOA: The Open Cloud Manifesto

The Cloud Computing Interoperability Forum (CCIF) publicly launched its "Open Cloud Manifesto" on Monday, but the document, which advocates open standards and interoperability between cloud platforms, generated few sparks after a spokesperson indicated that the CCIF isn't vouching for it.

In an admission that the CCIF hadn't followed community "norms" with various cloud computing stakeholders, CCIF founder and spokesperson Reuven Cohen noted in his blog that "when the Open Cloud Manifesto is officially released on Monday, March 30, the CCIF's name will not appear as a signatory."

Cohen is founder and chief technologist at Enomaly, a provider of cloud computing solutions. He denies being the instigator of the "Open Cloud Manifesto," which was created by "a broader group of supporters and coauthors."

The document as of Monday had the support of 53 signers on the CCIF's Web site, but some big names went missing from the roster, including, Google, and Microsoft.

Last week, Steve Martin, Microsoft's senior director of developer platform product management, objected that Microsoft had not been allowed to offer suggestions to change the "secret" document after reviewing it.

"An open Manifesto emerging from a closed process is at least mildly ironic," Martin wrote in his blog.

Draft 1.0.9 of The Open Cloud Manifesto was leaked last week. Its mild pages hardly seem to inspire counter-revolutionary fervor. Could statements like, "hiding vendor lock-in behind the benefits of cloud computing will lead to long-term damage to the cloud computing industry," really be what irks Microsoft and other nonsigners?

Some writers have been suggesting that Microsoft's old nemesis, IBM, has been lurking in the shadows behind the CCIF and the manifesto. An InfoWorld article found proof from the confessions of two manifesto signers, who pointed to IBM.

When asked why the CCIF's process for reviewing the manifesto was "closed," Dirk Nicol, IBM's program director of emerging technology and standards, indicated that it all stemmed from a rapid creative process.

"Key members of the cloud community, including IBM, worked together to produce this document and endorse it in order to establish a set of core principles around the open cloud," Nicol wrote in an e-mail. "This foundational activity took only a few weeks and started as an idea with a small group. It then expanded to include others as it became clear that this idea needed to be shared or formalized with the broader community. This is typical of any creative process no matter if it is writing a specification, or writing open source code."

So, is the manifesto -- with its mild language and standards talk -- an IBM conspiracy to trip up Microsoft and any impetus it may have with its Windows Azure cloud computing platform, or is it "Much Ado About Nothing"?

It's hard to get too excited if you believe SAS's CEO Jim Goodnight. As reported in a ZDNet blog, Goodnight claims he simply came up with the phrase "cloud computing" as a marketing term to spruce up an otherwise dull reference to "server farms."

Martin, in a "Moving Beyond the Manifesto" blog post, indicated that Microsoft is meeting today on the matter with stakeholders attending the Cloud Computing Expo in New York City. Martin also put in a plug for a Microsoft announcement expected on Tuesday regarding the Azure Services Platform.

"Speaking of standards -- I'm thrilled to report that we will release the 'M5' (Milestone 5) CTP (Community Technology Preview -- think Beta) for .NET Services (part of the Azure Services Platform) tomorrow!"

If standards are all one, Microsoft's announcement will no doubt be happily received by all cloud computing technology providers.


Firefox 3.0.8 Released, Critical Security Bugs Fixed

Mozilla rolled out security updates for Firefox after the Web browser was hacked during a contest two weeks ago at a software security convention in Vancouver.

The updates address two separate vulnerabilities in Mozilla Firefox browser versions 3.0.x. Users can get them through "Check For Updates" in the Help menu of the browser, according to the Mozilla Links blog. However, users can also download the latest version of the browser, Firefox 3.0.8, which addresses those vulnerabilities and arrives one week early.

One of the vulnerabilities patched was a proof-of-concept memory corruption bug associated with XSL parsing. This so-called crashing bug was discovered last week by an Italian hacker.

The second vulnerability that Mozilla patched was found by a hacker calling himself Nils. He won $15,000 at the CanSecWest Pwn2Own competition by hacking into three fully patched browsers. Nils first hacked into Internet Explorer 8, finding DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) bugs that Microsoft since has said are fixed. He also took down Apple's Safari browser, according to this account.

Nils is a 25-year-old computer science student from Germany who would only give his first name during the event. He explained why he was able to hack the Firefox browser, indicating that the "XUL tree method _moveToEdgeShift was in some cases triggering garbage collection routines on objects which were still in use."

This bug caused Firefox to crash. It can allow an attacker to run code on a victim's computer if the user is lured to a Web site laden with ready-to-deploy exploits.

In issuing the updates, Mozilla rated both vulnerabilities as "critical," Mozilla's highest severity rating. Mozilla also indicated that both bugs can be addressed by disabling JavaScript in the Firefox browser.


April 1: D-Day for the Conficker Worm

The Conficker malware frenzy continues as IT security pros prepare for Wednesday, April 1, which is the day when the worm is expected to take some action from infected systems.

And the date is no joke. Security pros have been warning organizations to have their Windows systems properly patched before April 1, or April Fools' Day.

Conficker, also known as W32.Downadup, is a self-replicating malware program designed to pull data from infected Windows-based machines. On April 1, botnets replicated by the worm are expected to contact Web servers owned by the worm's authors.

The worm takes a number of actions against Windows-based clients and servers. It disables the Windows security center and automatic updates. In addition, the new Conficker D strain reportedly prevents booting into safe mode, deletes system restore points and disables third-party security software.

News of the worm's impending action has lit up the blogosphere, and it was even covered by the 60 Minutes TV news program.

"Hysteria is a good description of the situation," said Phil Lieberman, president of Lieberman Software. "The Conficker April first date is more like a feeding frenzy for the anti-virus vendors akin to Black Friday for retailers or the week before Super Bowl Sunday for electronics retailers selling big screen TVs. And the funny thing is that the Conficker virus cuts through the antivirus products like they don't even exist."

The IT community should not focus on "end of the world theories at the moment," said Roger Halbheer, Microsoft's chief security advisor for Europe, the Middle East and Africa in a blog post. However, they should take measures to protect machines from infection.

April 1 could be a nonevent, like the Y2K scare, or it could be the biggest worm replication in the history of computing.

"This is the honest truth -- nobody knows what's going to happen except the bad guys," said Dan Kaminsky, director of penetration testing at security firm IOActive Inc. "We have no idea what the Conficker people want. We know they're good; we know they're adapting. We're not dealing with randomness. We shouldn't panic but we should be figuring out what's going on and act accordingly; get IT staffs better tools."

While what happens on April 1 is unclear, the general consensus seems to be that the worm might try to update itself, according to security software firm Symantec.

"It has been determined that on April 1, W32.Downadup.C, the most recent variant of the [Conficker] malware, will begin to use a new algorithm to determine what domains to contact," an e-mail from Symantec explained. "No other actions have been identified to take place on April 1."

Microsoft is telling enterprise IT administrators that if they previously delayed installing the Conficker patch issued in October, and if their systems are not infected, then they should patch their Windows operating systems immediately.

Chenxi Wang, security and risk management analyst at Forrester Research, said that enterprise IT pros should both patch and remain vigilant as Conficker.C differs from the original virus. The C version includes new infection methods using peer-to-peer networking to disable even the most effective security tools.

"If you have not done so already, you should apply Microsoft Security MS08-067 patch on every Windows system as soon as possible," Wang warned. "If you do not install the patch before April 1, researchers claim that the virus, once [it] infects your system, will prevent the patch from being installed afterwards. You will have to manually remove the virus and then apply the patch. This can be a labor-intensive and also risky approach."

Group efforts to battle the worm have made some progress. One such effort is a consortium called the Honeynet Project, which just released an enterprise-class Conficker scanner that detects the presence of the worm. The scanner can be downloaded here.

Kaminsky collaborated with his peers on the Honeynet Project. Such collaboration doesn't happen every day, but Kaminsky noted that it has been five years since this type of remote code execution malware has been so widespread.

"So my thinking is that if we can't get more information about what's going to happen, let's make it less expensive and less vulnerable to detect infections on networks," Kaminsky said. "To that end what we did with this working group of companies is unheard of, but it's called for."


Microsoft Releases ASP.NET MVC

More than a year after its first community technology preview was released, ASP.NET Model View Controller (MVC) has finally shipped.

Microsoft Corporate Senior Vice President Scott Guthrie announced the release of ASP.NET MVC 1.0 in his opening day keynote address at the MIX09 event in Las Vegas last week. The MVC tooling is available for download from the Microsoft Web site here.

Running atop the ASP.NET 3.5 runtime, ASP.NET MVC allows Visual Studio 2008 developers to take advantage of design patterns that enable a clear separation of concerns among underlying data (model), user interface (view) and application logic (controller) roles. The resulting approach isolates application behaviors, enabling adoption of test-driven development (TDD) and yielding more maintainable and reusable code. ASP.NET MVC includes templates for Visual Studio 2008 that developers can use to start work on MVC-enabled Web applications.

Bola Rotibi, principal analyst for U.K.-based research firm Macehiter Ward-Dutton, said ASP.NET MVC promises to yield better applications. "MVC is an important, if long-awaited release, and will enable developers to really apply separation of concern practices, making applications easier to maintain and reuse."

The final version of ASP.NET MVC was expected to arrive in the MIX timeframe, despite the surprise release of a Release Candidate (RC) 2 version in early March. RC2 cleaned up some bugs and updated jQuery support to version 1.3.1, among other changes.

Roger Jennings, principal at OakLeaf Systems and a frequent contributor to Visual Studio Magazine, expects MVC to quickly gain traction, picking up 25 to 30 percent of the ASP.NET developers over the next year.

Rotibi agrees that the release could kick-start adoption of the MVC architectural pattern among .NET developers. "While it is true that model view controller principles are not always well-understood or practiced widely within the development community, the support of it within the widely adopted ASP.NET will help further its understanding and use," she said.

Microsoft offers ASP.NET MVC design guidance and sample apps here.


Saturday, March 28, 2009

Windows 7 Release Candidate Arriving in May?

Microsoft may be trying to send a message that the next release of Windows 7 will happen in May of this year.

A TechNet Web page titled, "Windows 7 Release Candidate," briefly appeared on the Internet showing a May publish date on it, even though Microsoft has not publicized its release plans.

Currently, Windows 7 is being tested at the beta stage, with the beta set to expire on August 1. The release candidate is the next test version that follows the beta. After that, a release-to-manufacturing (RTM) stage happens, giving equipment manufacturers time to image and install the OS on new PCs.

A screenshot of the TechNet page was captured by Ars Technica and published on Thursday. The page plainly states that the Windows 7 Release Candidate "will be available at least through June 2009," expiring on "June 1, 2010."

Microsoft has since replaced the page, and it now reads, "Welcome to the Windows 7 Beta Customer Preview Program."

The TechNet post may be a mistake or an intentional leak, but the usual description from Microsoft officials has typically pegged the RTM date for Windows 7 as happening sometime in early 2010. However, a representative for a PC manufacturer told last month that Windows 7 should appear in September or October of this year.

Microsoft's OS release cycles depend heavily not just on the internal bug fixes, but also on Microsoft's hardware and software partners, who are currently testing the interoperability of their products with Windows 7.

This point was underscored in January by Steven Sinofsky, Microsoft's senior vice president of the Windows and Windows Live engineering group. He noted the need for both internal and external readiness in an Engineering Windows 7 blog post.

The Microsoft executives who started the Engineering Windows 7 blog let it be known in their first post that Microsoft would keep some Windows 7 information fairly close to the vest. The blog was started by Sinofsky, along with Jon DeVaan, Microsoft's senior vice president of the core operating system division.

Since that time, the Engineering Windows 7 blog has been filled with detailed posts on just about everything but the Windows 7 release schedule. The blog hinted at the reason.

"We, as a team, definitely learned some lessons about 'disclosure' and how we can all too easily get ahead of ourselves in talking about features before our understanding of them is solid," the authors wrote on August 14.

The blog may be referring to a disaster that happened with Windows Vista. Presumably, Microsoft's partners planned for the wrong features or got confused by Microsoft's communications. The result: early Vista users described a lack of driver support, which soured Vista's reputation.

So far, Windows 7 has been getting good reviews, even as a beta release. It uses the same code base as Vista and the new OS has even been referred to as an "incremental update to Windows Vista" by a Gartner analyst. Microsoft even claims that Windows 7 can run some apps that previously would not run on Vista.


Microsoft Promoting Touch in Windows 7

Microsoft has devised a Windows Touch Logo Program for its hardware and software partners that are integrating products with Windows 7. The company described some of the details in an announcement issued this week.

The aim of the program is to assure consumers that applications will work with touch-screen hardware using Microsoft's Windows Touch platform. Microsoft claims that Windows 7 will provide a rich platform to support touch on laptop, tablet and mobile devices.

Windows 7, currently in beta, features high DPI (dots per inch) resolution support to make buttons, links and navigational tools easier to access with touch gestures, according to Microsoft. The operating system's taskbar and on-screen touch keyboard are "optimized for touch."

Just three machines now support the current Windows 7 Beta build with touch capabilities, although they require the latest multi-touch beta drivers. Those machines are the HP TouchSmart All-in One PC (IQ500 Series and IQ800 Series), HP TouchSmart tx2 Tablet PC and the Dell Latitude XT or XT2 Tablet PC.

Computer devices bearing the Windows Touch logo need to pass a set of 43 tests designed by the Microsoft team. The company also has a component-level certification program to help original equipment manufacturers select hardware components for their products.

Several of Microsoft's hardware partners have already submitted devices and drivers for testing at Microsoft's in-house facility, according to Redmond's announcement.

Partners developing applications that will use the touch interface have access to three levels in Microsoft's platform, enabling good, better and best touch experiences. The "good" level is free for developers and is designed for touch-unaware applications. The "better" level adds direct gesture support. Finally, the "best" level is for developers who want to go beyond Microsoft's core toolset by creating custom gestures and custom controls.

Microsoft also offers a "COM version" for two of its Surface APIs -- "Manipulations" and "Inertia." Surface is Microsoft's table-like device that enables touch experiences.

Windows 7 is planned for release to manufacturers in early 2010, but rumors have suggested an earlier release is possible, perhaps sometime this year. The actual RTM date may depend, in part, on the overall readiness of Microsoft's partners.


Friday, March 27, 2009

IE 8 Bugs Squashed, Claims Microsoft

In response to Internet Explorer 8 being compromised at a hacker's contest last week in Vancouver, Microsoft has tinkered with IE 8 and is now claiming a resolution to vulnerabilities amid a firestorm of chatter surrounding the browser's release last week.

The episode began when hackers found a hole, in a matter of minutes, at the Pwn2Own contest during the CanSecWest security conference. A previous contest -- uTest's Bug Battle browser contest held in December -- had found a beta version of IE 8 to have the fewest bugs of the browsers tested.

Speaking on the most recent controversy, Microsoft Security Response Center engineer Jonathan Ness said in a blog post that "no browser is 100 percent secure, but we are hoping if we keep adding defenses, they will be harder and harder to exploit."

At the heart of the hack at CanSecWest was an exploit that made short work of Microsoft's data execution prevention (DEP) function in IE 8 as well as its address space layout randomization (ASLR) technology. Both of these functions were, up until last week, untested -- yet highly touted among IE 8's features.

Ness pointed out that the software giant has heeded the call to action and taken the threats and proofs of concept seriously and has made adjustments to its .NET, DEP and ASLR functions.

"We heard from security researchers and exploit writers at both CanSecWest last week and SOURCE Boston the week before that," Ness wrote. "Writing exploits for Windows Vista is 'very, very hard' with all these mitigations to work around. We expect that blocking the .NET DEP+ASLR bypass will make it even harder."

Many security experts, such as Jason Miller, data team manager at Shavlik Technologies, laud Microsoft for going back to the drawing board quickly and successfully. Nonetheless, Miller said, Redmond might have been premature in its prelaunch assertions that IE 8 was nearly impervious to hackers.

"This is not the first time Microsoft has claimed their software is virtually vulnerability proof," he said. "When Microsoft released Windows Vista, they had claimed it was the safest and most secure operating system available. Within months, the first security patches were released for Windows Vista that fixed major security vulnerabilities. If you look at this latest case, Internet Explorer 8 was hacked within hours on the day it was released."

On the whole, experts were not surprised. IE 8 and its accompanying features have been public for a lengthy amount of time and gave hackers the opportunity to dig for exploits in the code.

Heavy Is the Head With the Crown

That IE 8 is getting the most scrutiny and criticism isn't necessarily because it's the worst browser. Attackers always target browsers with the biggest user base. For that reason, IE represents a prime target over Mozilla's Firefox, Google's Chrome and Apple's Safari, among others.

That said, the latest IE 8 security improvements come at a critical juncture for Microsoft as it fends off the competition. Chrome, for example, was the only browser at the CanSecWest confab not to be hacked.

So who takes the title for the most secure browser? The answers are mixed, but among many security experts, IE is not at the top of the list. That realization may light a fire under Redmond's researchers to respond early and often to security threats.

"Google Chrome takes that title for the moment, due to its built-in sandbox architecture," said Wolfgang Kandek, chief technology officer of security firm Qualys. Kandek added that as for Microsoft, it will be an uphill battle. "As IE 8 turns mainstream, it will become a more attractive target for exploitation, and attackers will focus their attention on it. [Microsoft's] attention and resources will now have to be divided among three major browser versions, resulting in more, not less, work."

IE and the Security Ecosystem

Security issues aside, there remain questions of interoperability, migration from older versions and enterprise adoption that must be addressed as part of Microsoft's overall aims, said David Harley, director of malware intelligence at ESET.

"For Microsoft and IE, it's going to take several months of seeing what vulnerability researchers come up with; more time finding out why the application hasn't taken off as expected irrespective of security issues," he said, "[and] a lot more consideration of how it will work with what comes after Windows 7."

Harley added that what's happened with IE 8 lends credence to the overall issue of Microsoft "learning from its over-confidence in Vista security" and recognizing that careful coding and ideas that look good can go a long way instead of rushing out products.

Others suggest that, given the early success of Redmond's Security Development Lifecycle initiative, the popular browser application should be integrated into the software giant's larger security push. After all, there are smidgens of good news, including a recent NSS Labs study claiming that IE 8 outstrips its counterparts with a 69 percent catch rate on Web-based malware incursions.

"I'd like to see IE 8 more integrated with the entire Windows endpoint security strategies," said Chenxi Wang, principal analyst for security and risk management at Forrester Research. "There is a lot IE 8 can do in terms of shielding end users from the greater Internet threats. For instance, IE 8 can connect to some sort of Web reputation system that has information on Web sites, which can, in turn, yield a more secure browsing experience for end users."


Microsoft Exec Reacts to 'Open Cloud Manifesto'

A Microsoft official took umbrage on Thursday at an "open standards" initiative proposed by a coalition of cloud computing technology providers.

The dispute involves a so-called "Open Cloud Manifesto" that the Cloud Computing Interoperability Forum (CCIF) plans to announce on Monday. The CCIF, which is a new group, currently lists 13 sponsors, with companies such as Cisco Systems, Intel and Sun Microsystems on the roster.

Missing from the list was notable cloud computing technology provider, Microsoft, which rolled out its Windows Azure cloud computing platform in October. Not only is Microsoft not a CCIF participant, it's a critic.

Steve Martin, Microsoft's senior director of developer platform product management, complained on Thursday that the CCIF's process wasn't an open one. He questioned the motives of the organization.

"Very recently we were privately shown a copy of the [CCIF] document, warned that it was a secret, and told that it must be signed 'as is,' without modifications or additional input," Martin wrote in a blog. "It appears to us that one company, or just a few companies, would prefer to control the evolution of cloud computing, as opposed to reaching a consensus across key stakeholders (including cloud users) through an 'open' process."

In response, CCIF Instigator Reuven Cohen called Microsoft's response "unfortunate." Cohen is founder and chief technologist at Toronto-based Enomaly Inc., an enterprise cloud computing technology provider.

"Microsoft was among the first to review the manifesto," Cohen wrote in his blog. "Their 2:28 AM pre-announcement of the manifesto was a complete surprise given our conversations."

Martin seemed to complain mostly about the process and suggested that Microsoft could be on board if participation were more open and transparent. He also mentioned that the process should not be vendor dominated. Finally, he suggested that cloud computing was still new and standards would "take some time to develop."

Standards Fight Brewing?

Microsoft currently has "tens of thousands of developers" using the Windows Azure platform, according to Martin. Cloud computing represents a potential big play for Microsoft. Could the CCIF standardization push merely be a market distraction aimed at companies like Microsoft? It's possible, according to Matt Rosoff, research vice president at Directions on Microsoft, an analyst firm.

"In my experience, these organizations are usually created primarily for public relations purposes, and their main goal is usually to stall or confuse the market in order to prevent a competitor from dominating a market," he wrote in an e-mail.

Rosoff cautioned that words like "open" need definition, since restrictive license agreements can still be involved. He noted a recent Wall Street Journal article, which indicated that even the definition of "cloud computing" is up for grabs.

Following a definition proposed by Forrester Research, cloud computing providers currently form a short list. True cloud computing platforms, according to Forrester, include Amazon Elastic Compute Cloud 2 (EC2), (part of and Google App Engine. However, many other companies claim to have cloud computing platforms or plan to roll them out. IBM has its Blue Cloud. Sun Microsystems is planning its Sun Cloud platform for later this year. There are many other smaller cloud computing players as well.

One of those smaller players is GoGrid, which formed its own alliances around cloud computing standards, and even has its own cloud computing definition. The company works with its competitors and customers to drive a standard around "cloud infrastructure provider APIs," according to Randy Bias, GoGrid's vice president of technology strategy. Data portability and identity management are other important items on GoGrid's list for cloud computing standardization, he added in an e-mail.

Open Platforms or Vendor Lock-In?

Microsoft typically describes its Azure Services Platform as an open platform. Martin even gave an example, citing a demonstration at Microsoft's recent MIX09 Web developer event.

"At MIX, we highlighted the use of our Identity Service and Service Bus with an application written in Python and deployed into Google App Engine which may have been the first public cloud to cloud interop demo," he wrote.

However, Bias disagreed a bit about the openness of Microsoft's platform.

"Windows Azure is not currently an open platform," Bias wrote in his e-mail. "Most platform-as-a-service (PaaS) services, by their nature, have a tendency to create a closed system that does not make it easy for customers to move between them. This is not necessarily an intention of the PaaS providers so much as a mark of the immaturity of the market place."

Could vendor lock-in to certain cloud computing platforms become a possibility? Rosoff thinks that's almost certain to be the case. Different cloud computing platforms could end up requiring specific developer know-how.

"There will have to be ways to exchange data between cloud-based applications -- this is where technologies like REST come in to play -- but developing for each one will almost certainly require different skills and knowledge sets," Rosoff explained.

At this point, much is at stake for the cloud computing technology providers. Still, a standards movement could actually delay the commercial rollout of cloud computing platforms, much as it has done with service-oriented architecture, explained David Linthicum, a SOA expert and Blue Mountain Labs founder, in a podcast.

Rather than have 150 standards confusing everyone, Linthicum suggested going with a recognized standards organization. He added that standards should be driven by the rank-and-file, not necessarily by technology providers.


Windows Home Server Gets Powered Up With PP2

Microsoft's Windows Home Server (WHS) got a boost this week with the release of Power Pack 2 (PP2), which became available to Microsoft Developer Network (MSDN) subscribers on Monday.

PP2 fixes "known issues" in the server, according to Microsoft, and adds enhancements for small office/home office users. It includes more than 100 add-ons addressing antivirus protection, system performance, server security and more, according to the updated product Web site.

WHS was released in July 2007 and marketed as "the world's first stay-at-home server." The offering, however, has not been without bugs and criticism. Several early problems were related to data corruption, mostly associated with saving Microsoft applications. PP1, released in July of 2008, addressed most of those bugs, but some functionality, configuration and media-sharing issues remained unaddressed until this week with the release of PP2.

According to the WHS Team Blog, PP2 adds remote access configuration and content streaming support for machines running Windows Media Center and Windows Media Center Extenders.

The integration with Windows Media Center represents a change in plans for Microsoft. Previously, Microsoft had contended that WHS was for "everyday files," while storage of large files (video and multimedia) should be on Windows Media Center, according to an article in BetaNews. Prior to PP2, Media Center could not stream content to the WHS.

WHS has been a work in progress. However, it's also a product in search of a niche, according to Matt Rosoff, research vice president at Directions on Microsoft.

"The problem with WHS is that it was marketed to home users with multiple networked computers," Rosoff explained in an e-mail. "[It was designed for] users with lots of data to be backed up and who are technically savvy enough to add and maintain a server on their home network. I'm not even sure such a market exists."

Users have cost-effective, and even free, storage alternatives, such as USB drives and online services such as Microsoft's own SkyDrive, Rosoff indicated.

"There are plenty of quicker, simpler and cheaper solutions for casual backup, and I don't think most consumers understand why they should pay $500 and more for full backup and restoration," Rosoff said.

"In my opinion, WHS is what we at Directions sometimes call a 'Redmond Lifestyle' product -- a product that makes sense to Microsoft employees, but that most consumers would regard with a shrug at best."

The new Power Pack is available for download by MSDN subscribers here.

PP2 also will be automatically available to WHS users through Windows Update, provided that PP1 is installed. Users of the English version can get it automatically on March 24. Other language versions will be available through Automatic Update at the end of April.

Thursday, March 26, 2009

Microsoft Eyes SMB Market in Partner Survey

A Microsoft-sponsored report on the small to medium business (SMB) market found that SMBs could represent an opportunity for future sales of IT software and services, despite the current economic downturn. The report is based on the opinions of Microsoft's SMB partners in six countries, who were polled in February.

Still, the backdrop to the "2009 Microsoft SMB Insight Report," published on Wednesday, is quite grim. Nearly half (45 percent) of Microsoft's small business partners predicted that SMBs would spend less for IT purchases in 2009.

The study's respondents predicted how SMBs would cut costs during the current economic downturn, including staff cuts (67 percent) and "reducing IT costs" (64 percent). However, 22 percent of the partner respondents also indicated that "investing in IT" could be an SMB strategy to weather the economic storm.

SMBs have few staff available to handle IT concerns, even though they expect IT to "help manage costs and increase productivity," according to the report's analysis. If SMBs do spend on IT technology as a cost-cutting measure, they likely will choose virtualization (25 percent) or IT consolidation (25 percent) solutions, according to Microsoft's partners polled in the study.

The prospect of using Software as a Service (SaaS) to cut costs was thought to be a viable strategy for SMBs by just 10 percent of Microsoft's partner respondents. The partners said that 34 percent of their customers were currently using some form of SaaS.

Unified communications was predicted by Microsoft's partners to be the top productivity tool that SMBs will want in the future. Survey respondents also predicted a demand for CRM or ERP solutions, Web hosting solutions, content management systems and productivity suites. The top Microsoft Software plus Services offering of interest to SMBs will be Silverlight, the respondents predicted, followed by Office Communications Online, Microsoft Office Live, CRM Online, SharePoint Online and Exchange Online.

Microsoft's study was conducted by the TNS market research firm, which polled 603 Microsoft Small Business Specialist partner organizations located in Brazil, Canada, France, India, the United Kingdom and United States.

The "2009 Microsoft SMB Insight Report" can be downloaded here (Word file) for free.

Sun Releases Virtual Desktop Infrastructure 3

Sun has released Virtual Desktop Infrastructure Software 3, a major update to the company's virtualization management suite. The new version includes expanded VMware support, Open Storage integration and Active Directory support, among other enhancements.

Sun VDI Software 3 is a virtualization management solution built on a variety of open source technologies, including MySQL, OpenSolaris, Open Storage, and VirtualBox. It supports the deployment of a range of guest operating systems to desktop systems (including Macs) and thin clients, and it works with VMware Infrastructure, Sun's built-in virtualization capabilities, or a combination of the two.

Version 3 has new features, such as Open Storage integration and integration with Solaris ZFS, Sun's local file system. It expands its VMware support, adding VMware ESX server 3.5 and VMware VirtualCenter 2.5. The product comes with a single installer for core components and it supports RDP devices without the need to install additional software. It also features Active Directory support.

"I am really impressed with Sun VDI Software 3," said Richard Toeniskoetter, technology director for the W. A. Franke College of Business at Northern Arizona University, in a statement released on Tuesday. "The open architecture will provide us with a broad choice of client device, virtualization host and virtual desktop OS. That's really important to us at NAU because flexible access to Windows and Unix desktops, some of which have been in production for over seven years, maximizes our IT utilization and simplifies our management."

The university reported that it has saved 95 percent of its electrical costs associated with computing by switching to Sun Ray thin clients.

Sun VDI Software 3 is available now, with subscription options starting at $40 per user per year. Free trial software is available here. Further information can be found here.

Microsoft's FAST Strategy Shift

Microsoft last year picked up best-of-breed search technology with its acquisition of Norwegian search specialist Fast Search & Transfer ASA (FAST). Since then, users have been keen to find out precisely what Microsoft plans to do with FAST's search know-how.

Last June, the SharePoint team unveiled four new Web Parts it said would permit developers to quickly embed FAST's search capabilities in SharePoint applications. Microsoft's FAST strategy took still another turn last month, when it announced several revisions to its FAST road map, starting with the immediate availability of FAST ESP for SharePoint, a fast track option that gives customers the option of purchasing FAST's search technology today, ahead of its productization (in the Office 14 timeframe) as part of SharePoint Server.

In addition, Microsoft last month announced FAST Search for SharePoint, a new offering -- slated to ship with Office 14 -- that will mark the official marriage of ESP and SharePoint Server. On top of that, Redmond announced FAST Search for Internet Business, an offering designed to power search-driven Web sites. FAST ESP buyers also get a "defined licensing path" to another new deliverable, FAST Search for SharePoint, when it becomes available.

Notwithstanding FAST's troubles -- and prior to its acquisition by Microsoft the Norwegian company had had plenty of trouble, including management and accounting scandals -- few dispute that it was the proprietor of estimable search expertise. With its new SharePoint-centered FAST strategy, analysts say, Microsoft plans to recast FAST's high-end search know-how as an end user-friendly play.

"Offering FAST as an element of the SharePoint platform will attract a significant proportion of enterprises that seek search, especially for the increasingly popular SharePoint, from a reliably viable and large vendor," wrote Whit Andrews, a vice president and distinguished analyst with Gartner Inc., in a research note. "Microsoft wants to capture any search business oriented toward employee productivity or other 'ordinary' search applications."

One rub, of course, is that Microsoft already has a search product: its SharePoint-centered Search Server Express. That product isn't going to go away, analysts say, although its positioning will change.

"[Search Server Express] is offered for free to capture the attention of workers developing low-volume, limited-value projects. Microsoft will incorporate the FAST technology into the search products elsewhere in the Office family as of its next...release date," Andrews said. "For now, Microsoft sells a more independent product, FAST ESP for SharePoint, which it will transform into the FAST Search for SharePoint product when the latter becomes available. Greater scale and functional flexibility are key elements of the FAST product."

Neither the FAST acquisition nor Microsoft's roadmap tweaking will threaten search champion Google, Andrews predicted, although Redmond could make things uncomfortable for other search players. "Microsoft's product plan confronts but will not defeat Google's stable of extremely successful search products," Andrews said. "Other vendors emphasize specific applications, and this announcement will push them to redouble their efforts either in that direction or in other directions, such as alternative delivery models."

Microsoft To Make NASA Content Available Through WorldWide Telescope

Microsoft announced this week that it's partnering with NASA to develop and deploy technology to deliver planetary images and data over the Internet. According to Microsoft, the partnership will allow space information to be housed on the company's WorldWide Telescope, an online virtual telescope that incorporates Web 2.0 technologies.

"This collaboration between Microsoft and NASA will enable people around the world to explore new images of the moon and Mars in a rich, interactive environment through the WorldWide Telescope," said Tony Hey, corporate vice president of Microsoft External Research, in a statement released Tuesday. "WorldWide Telescope serves as a powerful tool for computer science researchers, educators and students to explore space and experience the excitement of computer science."

According to the terms of the arrangement, NASA's Ames Research Center will "process and host more than 100 terabytes, or 20,000 DVDs, of data. WorldWide Telescope will incorporate the data later in 2009 and feature imagery from NASA's Mars Reconnaissance Orbiter (MRO)," as well as images from the Lunar Reconnaissance Orbiter, which is scheduled to launch in May on a year-long mission to collect data on the lunar surface to support later human exploration.

"Making NASA's scientific and astronomical data more accessible to the public is a high priority for NASA, especially given the new administration's recent emphasis on open government and transparency," said Ed Weiler, associate administrator for NASA's Science Mission Directorate in Washington, in a statement released Tuesday.

Virtualization Standard Released

The Distributed Management Task Force (DMTF) has released the first finished version of the Open Virtualization Format (OVF), a set of metadata tags that can be used to deploy a virtual environment across multiple virtualization platforms.

DMTF President Winston Bumpus announced the version 1.0 release of OVF at the Cloud Interoperability Workshop, a track of the Object Management Group technical meeting, being held this week in Washington.

Initiated last fall, OVF sprang from the DMTF's Virtualization Management (VMAN) working group, which investigates ways to manage the use of virtualization applications and the platforms they can spawn.

With OVF, users can download a virtualized instance of some application, along with the supporting operating system, and run it "in the hypervisor of their choice," Bumpus said. A software vendor could place a demo of an application in a virtual machine, package it with OVF and allow users to test it within their own virtual infrastructure, instead of using the platform that the virtual machine was originally created for.

OVF could enable what Bumpus called virtual appliances. In IT parlance, appliances are computers dedicated to running a single application, an approach that minimizes the headaches of running the application within the organization's own operating system of choice. In a similar way, a virtualized appliance is one that can be set up on any virtualization platform, such as VMware or Xen.

With this first version, the VMAN group concentrated on developing a set of descriptive tags that could instruct the virtual platform on how to start and stop a virtual machine. Despite its name, OVF is not a format per se. Rather it is a set of metadata that describes the characteristics of the virtualization container being used.

Using OVF, the virtual platform can translate the virtual machine into its own environment. Since many virtual platforms can already translate virtual machines created by other competing virtual platforms, the group decided the first task would be to develop the metadata standard to describe the virtual machine, rather than develop an entirely new virtual machine format. Both VMware and Citrix, which offers a commercial version of Xen, support OVF.

OVF can also be used to manage a number of virtual machines as a single group. For instance, if a series of virtual machines needs to be started in a particular sequence, OVF can be used to designate the order in which each virtual machine is fired up. Bumpus said that additional management capabilities will be added to subsequent versions of the standard.

In addition to the standard, the DMTF VMAN site also offers a white paper and a demonstration to further explain how OVF works.

Wednesday, March 25, 2009

Gartner Outlines Windows 7 Deployment Strategy

IT departments should depart from the usual Service Pack 1 (SP1) milestone when deciding when to deploy Windows 7, according to a Gartner analysis published this month.

Many IT pros believe you should wait for the first service pack before organization-wide deployment of any new Windows operating system release. However, that conventional wisdom no longer applies to Microsoft's OSes, starting with Windows 7, according to Michael A. Silver, Gartner's vice president and distinguished analyst.

Silver described Windows 7 as an "incremental update to Windows Vista." He explained that while Windows 7 is not much of a leap from Vista, independent software vendors (ISVs) developing applications for Windows 7 may take "12 or more months" to get their applications ready for the new OS.

When those apps are ready for Windows 7, IT organizations should expect to spend about three to six months testing applications and building images before beginning widespread deployment of the OS, Silver recommended.

As a rule of thumb, Windows 7 deployment should happen "12 to 18 months from the time Windows 7 is released," Silver advised. Coincidentally, that's when SP1 may appear. Silver suggested that IT orgs could save time by deploying Windows 7 and SP1 at the same time.

Microsoft has not yet said when Windows 7, currently in beta, will be released to manufacturing. Rumors suggest it might be available as early as the third quarter of this year.

SP1 isn't the milestone it used to be for IT organizations because Microsoft has changed how it develops its software products. Bugs are tested early because Microsoft uses a security development lifecycle (SDL) procedure -- something not done with Windows XP and earlier Microsoft operating systems.

Silver also cited an improvement in Microsoft's beta testing program as a reason not to time OS deployments based on the SP1 release. Microsoft has "five times as many" Windows 7 beta testers compared with those who tested the Windows 95 beta, he explained. Moreover, Microsoft now uses automated tools to get user feedback, which wasn't the case with Windows 95.

Service packs are increasingly becoming "an artificial construct," Silver contended, mostly because Microsoft has a monthly automatic update cycle to fix things.

Enterprises Hanging on to Legacy Microsoft Apps

A Forrester Research study found that enterprises predominantly use Windows and Internet Explorer, but they're currently sticking with the older Microsoft technologies. The report is based on a sample of nearly 52,000 visitors to the Forrester Web site in the second half of 2008.

More than 96 percent in the study ran some version of Windows. However, enterprises preferred the older Windows XP (87.7 percent) over Microsoft's current flagship Windows Vista (10.5 percent) operating system.

Vista operating system use in the enterprise hit the double-digit mark in November, representing a relatively slow adoption rate. Meanwhile, enterprises have been anticipating the release of Windows 7, currently at beta.

For that reason, Windows 7 could prove to be "the nail in the coffin" for Vista, according to Thomas Mendel, Forrester analyst and the report's coauthor.

Other operating systems lagged in the enterprise. The Macintosh OS grabbed a 3.3 percent market share in December, up from 2.7 percent in July. However, the report's authors advised software vendors to be pragmatic about providing platform support and to "forget about Macs" unless aiming for a specific business vertical.

Enterprise users have also been clinging to Microsoft's legacy Web browser. For instance, while Internet Explorer held 78 percent of the enterprise browser market share in December, the majority (60.2 percent) used the older IE 6 version.

For that reason, Microsoft's lack of support for IE 6.0 "is bordering on insanity" for enterprise users, the report's authors suggested.

The Firefox browser took a small bite into IE's enterprise market share. Firefox use increased from 16.9 percent in July to 18.2 percent in December.

The bite was even smaller with Google's Chrome browser, which was introduced last September. Chrome use increased from 1.6 percent at the time of its introduction to 2 percent at the close of the report period. Chrome finished ahead of Apple's Safari (1.4 percent) and Opera (0.2 percent) browsers, according to the report.

Flash and Java continue to dominate the functionality side of Web browsing, with both winning "universal acceptance" in the enterprise. Flash and Java are making their way into conservative enterprise architectures to complement business applications as developers focus on providing rich user experiences, according to the report.

Forrester's report, "Enterprise Platform Trends, H2: 2008," is designed to aid independent software vendor decision-making. In addition to data on OS and browser market share, it provides data on screen-resolution and color-depth trends in the enterprise.

Microsoft Broadens IE 8 Bug Hunt

Microsoft continues to squash bugs in its new Internet Explorer 8 Web browser, which was released last week for Windows-based PCs.

Bugs that didn't get fixed in the final version of IE 8 are currently under review by Microsoft's Internet Explorer team. The team plans to address those glitches based on user rankings. To better prioritize those bugs, Microsoft announced on Monday that it has opened its IE 8 bug database to the general public.

Microsoft particularly wants to know about any "regression" problems -- that is, cases where something worked fine in the beta but failed in the final or "release to Web" (RTW) version. Top-ranked bugs include one associated with setting opacity in the browser, as well as script tags that cause alignment problems, users say.

Users who can't find a particular bug listed in the Microsoft Connect bug database can submit it for verification by Microsoft's Internet Explorer team. New bug reports get reviewed by the team at Microsoft's Internet Explorer discussion group here.

Microsoft also published a compendium of knowledgebase articles associated with IE 8 here, including how to remove IE 8.

In the next two months, Microsoft plans to release a new feedback form. Currently, the team relies on user-submitted bug reports, automated feedback from the browser and a new IE add-on called the "Report a Webpage Problem Tool."

The Report a Webpage Problem Tool, which can be downloaded here, adds a button on IE's toolbar. The button takes a screenshot of a Web site when pressed, and users can choose whether or not to send the image to Microsoft.

The IE team also said on Monday that it submitted new test cases to a W3C committee that works on cascading style sheet recommendations. Microsoft has so far submitted 7,201 cases to the CSS 2.1 Working Group.

"We believe that IE8 has the first complete implementation of CSS 2.1 in the industry and it is fully compliant with the current CSS 2.1 test suite," wrote Jason Upton, test manager for Internet Explorer, in the team's blog. He urged other browser makers to submit test cases to the W3C too.

The IE team claimed that at least 11 of the W3C's CSS 2.1 tests were fixed as a result of Microsoft's feedback.

Still, compliance with W3C recommendations doesn't necessarily mean that problems disappear. A Register article noted that IE 8 currently fails the Acid3 test, which tests a browser's HTML rendering capabilities. IE 8 trailed other leading browsers in Acid3.

Other browser makers, such as Opera Software, have also touted W3C spec compliance, noting how a lack of compliance makes life tough for Web developers. An Opera blog even took credit for driving Microsoft to embrace standards.

Lately, Microsoft has drawn criticism for IE 8's speed, particularly in executing JavaScript. The company earlier published its benchmarking criteria for measuring browser speeds and claimed that many of the common tools to measure JavaScript speed are inadequate.

Surprisingly, Opera's blog agreed with that latter point. For instance, the blog described Apple's SunSpider as an "artificial" JavaScript benchmark.

"And I actually agree," the blog's author wrote concerning Microsoft's complaint. "Artificial JavaScript benchmarks do not reflect real-world usage. They are nice marketing tools for browsers optimized specifically for those benchmarks, of course."

Monday, March 23, 2009

New Study Highlights Data Losses from Employee Turnover

It's no surprise that when employees leave a firm, some data may go with them. Whether from enterprise-instituted layoffs or employees voluntarily changing jobs, these changes can put a company at risk for a data breach if employees leave with sensitive or confidential material. A new national survey conducted by Ponemon Institute quantifies that exposure -- and the numbers may be a wake-up call for every enterprise.

Sponsored by Symantec, the report Data Loss Risks During Downsizing found that of the 945 U.S. adult participants, 59 percent who left a firm (voluntarily or not) stole company data. Of these, 79 percent admit that such action was against company rules.

Nor are employees reluctant to use the information they take. Two-thirds (67 percent) of respondents "used their former company's confidential, sensitive or proprietary information to leverage a new job." Almost 7 in 10 (68 percent) plan to use the data, including e-mail lists (taken by 65 percent of respondents), non-financial business information (45 percent) and customer contact lists (39 percent), a data breach that puts customer and enterprise information at risk.

The report sheds light on the type of information stolen, how it is used, and how employees justify their actions. For example, employees who are terminated or who are disgruntled -- and thus have unfavorable views of the employer -- are more likely to commit a data breach. Trust is a key issue: "employees who do not trust their former employer to act with integrity and fairness are more likely to take the data." In fact, 61 percent of respondents who had negative perceptions about their employer stole data; only 26 percent of those who viewed their employer favorably did so.

Sixty-four percent took old e-mails; 62 percent took history and hard copy files with them. Of least interest: PDF files (9 percent), Access files (8 percent), and source code (3 percent). Most employees take hard copy data (that is, paper documents); the next most popular media are CDs and DVDs (53 percent) and small USB drives (42 percent). Over a third (38 percent) sent the data as e-mail attachments to their personal accounts.

When justifying data theft, the most popular reasons include "everyone else is doing it," "the information may be useful to me in the future," "I was instrumental in creating this information," "the company can't trace the information back to me," and "the company does not deserve to keep this information."

Only 16 percent say they were permitted to keep sensitive, confidential or proprietary information, but the report questions respondents' reasoning. For example, the top two reasons given were that other laid-off employees kept this information when they left the company (54 percent used this to justify their behavior) and "no one checked their belongings when they left the company" (which half of respondents used). Over a tenth of respondents (11 percent) said that "their former supervisor said it was permissible to keep this information."

Enterprise Inaction
The survey indicates that companies are not actively doing much to thwart the problem. For example, only 15 percent of companies "conducted a review or performed an audit of the paper and/or electronic documents" employees took. Even those companies that did conduct audits received low marks; respondents rated company efforts as "not complete" (45 percent) or "superficial" (29 percent). A director, supervisor, or manager conducted the review according to 41 percent of respondents, but nearly 89 percent said that their exit procedure did not include an electronic scan of electronic data-storage devices such as thumb drives.

Researcher Dr. Larry Ponemon explained that exit interviews can be valuable for an enterprise's learning, but "we know from experience that these often take very little time at all. The employee sits down, is asked 'Do you have any questions?', there's a handshake, and it's over."

Exit interviews shouldn't be the time when an enterprise determines whether information is leaving the company. "When you look at how people are transferring data, the enterprise doesn't know if employees are sending data to their personal e-mail account unless you have the right tools monitoring this activity all the time. Checking for this at the exit interview -- by then it's really too late." By having those tools in place, you will also be able to shorten the duration of an in-depth and appropriate interview.

Data thefts can continue long after an employee has left the physical premises, according to nearly a quarter of respondents, who said that access to data continued after they left the enterprise. In over one-third of these cases (35 percent), a former employee had access to the system for one week or longer. In some cases, that may be the company policy; 51 percent reported that their supervisor said they "would have access to the company's system, e-mail, or network for a specified period of time." More than 44 percent continued to receive e-mail on their company's account.

The report recommends that companies "immediately assess the potential data loss from former employees who had access to sensitive and confidential data as part of their job." Among its other recommendations:

Make sure policies and procedures "clearly state former employees will no longer have access to sensitive and confidential information they used in their jobs." The policy should cover data stored on laptops and other devices as well as on paper. The policy should state what kinds of data are sensitive and proprietary.

Companies should monitor employee access to network and system resources to ensure no sensitive and confidential data is downloaded or included in a message to an employee's personal e-mail account.

Companies must ensure access to resources is terminated when the employee leaves the firm.

During the exit interview, a manager or IT staff member should "conduct a thorough review and audit of the employee's paper and electronic documents. This includes checking electronic devices as well as paper documents."

Dr. Ponemon says the last recommendation is a tricky one. "If you're a large organization like General Motors and you have a big layoff, you probably don't have enough people in your human resources department to be able to conduct a good exit interview and audit."

The potential for data thefts highlighted by the survey cannot be overemphasized, but risks can be mitigated. Shun Chen, director of product management at Symantec Data Loss Prevention Solutions, points out that in audits/risk assessments Symantec conducts for clients, generally one out of every 400 e-mails sent from a company contains confidential information. "What you want to do is be proactive up front. You need to have the network monitoring to know exactly what users are doing and reinforce any of your confidential data policies. You need to tell your employees about your policies, but you need the enforcement in place so, for example, a notice pops up so users immediately know when they've violated a policy."
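The two monitoring gaps the report describes (attachments mailed to personal accounts, and access that outlives the job) can be checked continuously rather than at the exit interview. The sketch below is an added example, not part of the Ponemon report or any Symantec product; the log formats, the webmail domain list, the 30-day window and all names and records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Everything below is constructed sample data, not survey or production data.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed webmail list

# Hypothetical HR roster: user -> last working day.
ROSTER = {"jdoe": datetime(2009, 3, 20), "asmith": datetime(2009, 3, 27)}

# Hypothetical mail-gateway log: time|sender|recipient|attachments|bytes
MAIL_LOG = """\
2009-03-10T09:14:00|jdoe@corp.example|partner@vendor.example|1|48211
2009-03-18T22:41:00|jdoe@corp.example|jdoe.home@gmail.com|6|9120033
2009-03-19T08:02:00|mlee@corp.example|mlee77@yahoo.com|1|20480
2009-03-26T17:55:00|asmith@corp.example|asmith@hotmail.com|0|1200
"""

# Hypothetical authentication log: time|user|result
AUTH_LOG = """\
2009-03-19T08:00:00|jdoe|success
2009-03-24T23:10:00|jdoe|success
2009-03-28T10:00:00|asmith|failure
"""


def parse_lines(text, nfields):
    """Yield pipe-separated fields; malformed lines raise instead of being skipped."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != nfields:
            raise ValueError(f"line {n}: expected {nfields} fields, got {len(parts)}")
        yield parts


def personal_mail_findings(mail_log, roster, window_days=30):
    """Flag messages with attachments sent to personal webmail domains.

    Severity is 'high' when the sender is within window_days of a known
    last working day (or already past it), otherwise 'review'.
    """
    findings = []
    for ts, sender, rcpt, n_att, _size in parse_lines(mail_log, 5):
        when = datetime.fromisoformat(ts)
        user = sender.split("@", 1)[0].lower()
        domain = rcpt.rsplit("@", 1)[-1].lower()
        attachments = int(n_att)
        if domain not in PERSONAL_DOMAINS or attachments == 0:
            continue
        last_day = roster.get(user)
        leaving = last_day is not None and when >= last_day - timedelta(days=window_days)
        findings.append((user, rcpt, attachments, "high" if leaving else "review"))
    return findings


def post_departure_access(auth_log, roster):
    """Return (user, days_after_last_day) for successful logins after departure."""
    hits = []
    for ts, user, result in parse_lines(auth_log, 3):
        last_day = roster.get(user.lower())
        if last_day is None or result != "success":
            continue
        days_after = (datetime.fromisoformat(ts).date() - last_day.date()).days
        if days_after > 0:
            hits.append((user.lower(), days_after))
    return hits


if __name__ == "__main__":
    for finding in personal_mail_findings(MAIL_LOG, ROSTER):
        print("mail:", finding)
    for hit in post_departure_access(AUTH_LOG, ROSTER):
        print("access after departure:", hit)
```
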

Saturday, March 21, 2009

'Vista Capable' Plaintiffs Lose Again

Microsoft won another round in a lawsuit over its "Vista Capable" practices after the federal judge overseeing the case dismissed a key plaintiff contention.

U.S. District Judge Marsha Pechman issued an order on Friday that denied the plaintiff's request for summary judgment on whether or not a hardware requirement in Windows Vista deceived consumers. A story by Todd Bishop noted the decision.

The issue concerns Microsoft's Vista marketing and hardware certification practices. A Vista Capable sticker was placed on new PCs capable of running the operating system, although the Home Basic edition of Vista could not run the operating system's new Aero graphical user interface.

Microsoft's hardware partners had to meet the requirements of Microsoft's Windows Device Driver Model (WDDM) to get Vista Capable certification. However, Microsoft later dropped that requirement based on a request from Intel, which could not get its 915 graphics chipsets compatible with WDDM in time for new PC shipments.

Pechman ruled against the plaintiffs on a single element in the case: "the issue of whether Microsoft's decisions regarding the WDDM requirement were unfair or deceptive acts under the CPA [Consumer Protection Act for the state of Washington]." The plaintiffs cannot prove this point, she explained.

The trial has so far dredged up a number of unflattering internal Microsoft memos that made it seem as if Microsoft had removed the WDDM requirements to help Intel unload its 915 graphics chipsets. One memo alluded to an Intel executive thanking Microsoft's CEO Steve Ballmer for the help.

However, the judge noted that such internal company communications "do not establish that Microsoft's actions, as a matter of law, had a capacity to deceive a substantial portion of the public." Moreover, the communications predated "any public Vista Capable campaign."

Last month, the judge denied class-action status for the case. Today's order represents another big setback for the plaintiffs in the case, Kelley et al. v. Microsoft.


Microsoft To Release Open Source Security App

To help developers identify mechanisms that lead to system crashes or have other security implications, Microsoft will unveil its !exploitable (pronounced "bang exploitable") Crash Analyzer on Friday at the CanSecWest conference in Vancouver. The open source tool will be available as a free download at the Microsoft Security Engineering Center's Web site.

The tool is designed to help developers classify, assess and ultimately prevent program crashes, especially as they relate to exploits running loose in enterprise processing environments.

!exploitable is a plug-in for the Windows debugger that classifies different crash scenarios, grouping them into what it calls "hashes." Based on information discovered on "major" and "minor" hashes, the tool isolates crashes and correlates them with bugs to determine the frequency of bug-related crashes or shutdowns caused by the same exploit.

The tool is also diagnostic in the sense that it can estimate the exploitability of any given vulnerability with a rating system whose levels are "Exploitable," "Probably Exploitable," "Possibly Exploitable" and "Unknown."
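
The sketch below is an added illustration of the major/minor hash grouping described above; it is not Microsoft's code and does not reproduce !exploitable's actual hashing. The hash inputs (top three frames for the major hash, the full stack for the minor hash, offsets stripped), the function names and the crash records are all assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

MAJOR_DEPTH = 3  # assumption: number of innermost frames that feed the major hash

# Constructed sample crashes (not real debugger output).
# Each stack lists frames innermost first, as module!function+offset.
CRASHES = {
    "crash-001": ["parser!read_chunk+0x1a", "parser!load_image+0x44",
                  "viewer!open_file+0x10", "viewer!main+0x8"],
    "crash-002": ["parser!read_chunk+0x2f", "parser!load_image+0x44",
                  "viewer!open_file+0x10", "viewer!drag_drop+0x30",
                  "viewer!main+0x8"],
    "crash-003": ["parser!read_chunk+0x1a", "parser!load_image+0x44",
                  "viewer!open_file+0x10", "viewer!main+0x8"],
    "crash-004": ["ui!paint_row+0x5", "ui!paint_list+0x21", "viewer!main+0x8"],
}


def normalize(frame):
    """Drop the +0xNN offset so faults a few bytes apart compare equal."""
    return re.sub(r"\+0x[0-9a-fA-F]+$", "", frame.strip()).lower()


def stack_hash(frames):
    """Short, stable identifier for an ordered list of normalized frames."""
    return hashlib.sha256("|".join(frames).encode()).hexdigest()[:8]


def crash_hashes(stack):
    """Return (major, minor): major covers the top frames, minor the whole stack."""
    frames = [normalize(f) for f in stack]
    return stack_hash(frames[:MAJOR_DEPTH]), stack_hash(frames)


def bucket(crashes):
    """Group crashes by major hash and count distinct minor hashes per group."""
    buckets = defaultdict(lambda: defaultdict(list))
    for crash_id, stack in crashes.items():
        major, minor = crash_hashes(stack)
        buckets[major][minor].append(crash_id)

    report = []
    for major, minors in buckets.items():
        ids = sorted(c for group in minors.values() for c in group)
        report.append({"major": major, "count": len(ids),
                       "variants": len(minors), "crashes": ids})
    # Most frequent failure first, so the shared root cause is triaged first.
    return sorted(report, key=lambda b: (-b["count"], b["major"]))


if __name__ == "__main__":
    for entry in bucket(CRASHES):
        print(entry)
```

Three of the four constructed crashes land in one bucket because they fault in the same innermost functions, even though one of them arrived through a different call path.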

Observers tout the tool's release as useful because it helps reduce the attack surface of the whole enterprise stack, not just Microsoft's own software.

"As a tool, it can save developers time and effort," said Roger Kay, president of Endpoint Technologies Associates Inc. "A number of apparently different crashes can actually be caused by the same code. The analyzer isolates the offending block and essentially says, 'Here, all these different crashes are actually the same failure, and it's an important one that you ought to fix right away because it presents an open attack surface,' or 'This other one isn't harmful, so then you can fix it when you have time.'"

!exploitable is the latest bell-and-whistle technology designed to drive home the concept of a security development lifecycle (SDL) to Microsoft technology partners and Windows enterprise professionals. Under SDL, security would be both an integral and integrated part of application development in non-Windows and Windows processing stacks alike. The goal is to put the onus on development managers and IT policy makers to create benchmarks and criteria for reducing IT risk.

"You can measure functionality, dependability and viability in any environment, but security is a bit more difficult to track over time," said Dan Kaminsky, director of penetration testing at security firm IOActive Inc. "What Bang Exploitable does is create a scenario that is asymmetrically better for the good guys. It answers the question of how you release tools without actually helping the attackers."

Furthermore, Kaminsky said, the tool's ease of use will be a boon for non-security personnel and junior developers and testers, giving them the leeway to paint various scenarios of what could happen so that it doesn't.

"We know for sure that at one point or another, a system is going to crash," Kaminsky said. "But I think having the weight of a Microsoft behind you and being able to say, hey, we know this was an operational thing and not a security thing or the other way around is a positive step for the whole IT ecosystem."


Microsoft Beefs Up Web Platform Tools

Developing and managing Web sites may have gotten a little easier with new tools announced by Microsoft this week as part of its MIX09 Web developer conference.

Those tools include Microsoft's Web Platform Installer (Web PI) 2.0 Beta, plus new or updated extensions to Microsoft's IIS 7 (Internet Information Services 7) Web server. Microsoft also made more general improvements in its Web platform, according to IIS Product Unit Manager Mai-lan Bukovec.

Bukovec said in a TechNet video that her team has been working on a "nuts and bolts rehaul" of Microsoft's Web platform for more than a year. She added that the new Web platform contains functionalities that make managing runtime requests, dynamic routing and database management "a whole lot easier."

Web PI 2.0 Beta, which can be downloaded here, has a new feature that lets users install various Web applications. Those applications include wikis, blogs and others available through Microsoft's Web Application Gallery. The installer's main function is to support Microsoft's Web platform components, including IIS 7, Visual Web Developer 2008 Express Edition, SQL Server 2008 Express Edition and the .NET Framework.

Some of the new IIS extensions that Microsoft announced this week include FTP Service 7.5, a Smooth Streaming Beta for Silverlight, an Advanced Logging Beta for client-side metrics and an IIS Administration Pack. The IIS Administration Pack provides a management user interface for ASP.NET authorization, request filtering and FastCGI setup. The IIS 7 extensions can be downloaded here.

Also announced on Wednesday were release candidate versions of the IIS 7 Web Deployment Tool and Database Manager, a beta of Application Request Routing V2, and Media Services 2.0.

Access to all of these new Web tools is facilitated through Microsoft's Web PI software.


Friday, March 20, 2009

Microsoft Rolling Out Windows Azure Improvements

Microsoft on Wednesday described three Windows Azure improvements designed to assist developers using its cloud-based operating system.

The new Windows Azure additions include geolocation, FastCGI and .NET full trust. The geolocation addition will help optimize applications hosted on the Windows Azure platform. FastCGI assists with porting native code to Windows Azure. The .NET full trust feature helps with .NET library support for code.

Windows Azure is currently being tested as part of a community technology preview (CTP). However, Microsoft expects to announce the commercial availability of Windows Azure-based services in November, close to its Professional Developers Conference (PDC) in Los Angeles, according to Steve Yi, product manager for the Microsoft Azure Services Platform.

"We will continue to be in a CTP mode through the majority of calendar-year 2009," Yi explained. "And we'll be updating and unveiling new features every couple of months leading up to that."

The geolocation option for Windows Azure is designed for users who want to keep their applications and data together to improve performance. This feature will be available in the next couple of weeks, Yi said.

Microsoft currently has two Windows Azure datacenters in the United States, one in the Northwest and one in the South. When developers deploy their applications to the Windows Azure cloud, they'll be able to specify the geography and the datacenter at which the applications will run, Yi explained.

Geolocation will help with legal requirements for data residency and mobility when Microsoft rolls out its international datacenter. That international rollout is planned for the end of February, Yi said.

Microsoft also added support in Windows Azure for FastCGI, which is a protocol used to connect applications to external Web servers. Developers can use "Visual Studio Tools for Windows Azure" to package these apps. The FastCGI addition reflects Microsoft's policy of supporting programming languages other than .NET-based ones in Windows Azure, such as PHP, Python and Ruby.

Lastly, Windows Azure now supports .NET full trust, which enables the full use of the .NET library and provides a bridge to the cloud for existing code assets, according to Yi. It facilitates the ability of developers to take managed code assets and redeploy them in Windows Azure, he explained. However, a Microsoft blog warned CTP testers utilizing .NET full trust that they face some registry modification restrictions on Windows Azure.

Microsoft is providing redundant code support for CTP testers after a Friday 13th incident that caused some Windows Azure services to fail. Microsoft's servers began to slow and fail after "a routine operating system upgrade" was performed, company officials explained.

"For all of our CTP users, we realized that this issue would not have happened if there were actually redundant instances for users deploying to Windows Azure," Yi said. "So, for all our CTP users, they will [now] have at least two instances available to deploy their applications."

Many users perhaps would like to run Windows Azure on their own server farms. However, that's not in Microsoft's plans, Yi explained.

"What we described as Windows Azure will not be a SKU for enterprise customers to try to create their own cloud and it's not something that we would be licensing to hosters," Yi said. Doing so wouldn't be practical because of Microsoft's hardware design for "massive multitenancy," he added.

However, Microsoft does envision closer integration of Windows Azure with Windows Server. "Over time, there [will be] shared innovation and shared features…between Windows Azure and Windows Server," Yi said.

Microsoft is also planning to deliver "a full relational database in the cloud" via SQL Services that will be available in the "second half of 2009," Yi said. Microsoft is currently shifting its strategy in response to customer preferences. Customers want the hosted version of SQL Server to work like the on-premises installed version.

"On March 10, we announced an updated roadmap to SQL Data Services," Yi said. "So the current model for SQL Services that we announced at PDC we will be transitioning to offering a full relational database that offers a lot more compatibility with what you see with an on-premises SQL Server database."

Microsoft currently offers two online database services. SQL Services runs on Windows Azure, while SQL Data Services is a second Microsoft cloud-based service.

For blob data, Windows Azure Storage is the best place to store the data, Yi said. For purely relational data, SQL Data Services is the place to put it right now, he added.

Microsoft has migrated only a few of its online applications to the Windows Azure platform since its October debut, according to a recent Ars Technica article. Steve Martin, Microsoft's senior director of developer platform product management, is quoted in the article as saying that "only Live Meeting, Live Mesh, and a select few other infrastructure technologies are currently running off of Azure."


Thursday, March 19, 2009

Microsoft Releases Final Internet Explorer 8 Product

Internet Explorer 8 will be released to the Web as a final product on Thursday, according to Microsoft. The announcement marks an end to engineering fixes at the Release Candidate 1 stage, which Microsoft has been working on since January.

Some RC1 testers and Web developers had hoped to see an RC2 version of the Web browser released first, but Microsoft's Internet Explorer engineering team took a different view.

"In the case of IE 8, we were very much focused on quality all along the way," explained Amy Barzdukas, senior director of Internet Explorer, in a phone interview. "By treating the RC like it was a final release, we were able to bring out an RC that was much more complete in many ways."

IE 8 has been designed to be compatible with W3C recommendations, particularly the CSS 2.1 spec. Web developers can test IE 8 in its default "standards mode," but if there are problems, browsers can be compelled to use the "compatibility mode," which parses code like IE 7. Developers just need to add a bit of code to the Web site or page to specify the default mode.

Barzdukas noted that standards generally are "moving targets" with room for interpretation. Consequently, she said that Microsoft has submitted more than 7,200 test cases to the W3C to support the CSS spec and make it easier for developers to test to that standard.

Internet Explorer's track record on standards compliance has been a bone of contention for Web developers. Some Web developers have explained that they designed their sites to work with Internet Explorer, rather than standards, out of sheer frustration. However, Barzdukas claimed that "Internet Explorer 8 passes more of the CSS standards tests than does any other shipping browser."

IE 8 includes some new features that facilitate Web browsing tasks. For instance, "accelerators" provide menu options when a user selects text. Also, a "Web slices" feature lets users track content in Web pages as that content gets updated in real time. However, as features get added to browsers, they can challenge the limits of what older browsers can do, Barzdukas said.

Enterprises typically need to determine if customized browser-based applications that ran on older versions of Internet Explorer will run on IE 8, so as to not break those applications. Barzdukas explained that it's not a problem if IE 7 already works in an enterprise.

"If the enterprise is running IE 7 today, they're in great shape, because IE 8 renders intranet zone apps in IE 7's rendering engine by default," she said. "So it automatically converts to compatibility mode in intranet settings." IT pros can also override that behavior by using group policy settings, of which IE 8 has more than 1,400, Barzdukas said.

The real test for enterprises is determining if IE 8 will work with IE 6-based applications.

"If you are running IE 6 in the enterprise, then you do need to do some investigation to ensure that both the third-party line of business apps, the home-grown apps and any third-party apps that have been modified beyond recognition [will] work," Barzdukas explained. "And to that end, we have published on TechNet and MSDN a host of tools to help IT administrators be able to measure compatibility and provide guidance for how to bring any compatibility issues up to date."

Microsoft also recently provided a checklist for developers on compatibility issues at its IE blog here.

Reasons to move to IE 8 include speed, security and reliability. Barzdukas said that IE 8 is "70 to 80 percent faster than IE 7 and significantly faster than IE 6." She added that IE 8's malware protection "is really unrivaled by any other browser." Those protections include measures to thwart cross-site scripting attacks, clickjacking and an extended "SmartScreen" filter. SmartScreen, which was introduced in IE 7 as an anti-phishing measure, now helps protect users from known malware sites in IE 8, she said.

The new IE 8 release-to-Web browser runs on Windows Vista and Windows XP operating systems, as well as Windows Server editions from 2003 and beyond. The general public can download the IE 8 final version here.

Windows 7 Beta testers should use the version of IE 8 that came with the beta, as Microsoft customized that browser to work specifically with Windows 7 features.


Current Web Security Standards Not Enough, Study Finds

Application security company Cenzic's recent report on Web security trends relayed a damning assessment of the IT security landscape that's prompting some to suggest the government should step in to give enterprises and individuals guidance on how to protect themselves.

One notable finding in Cenzic's "Web Application Security Trends Report," released Wednesday, is that the number of vulnerabilities reported in Q3 and Q4 of 2008 increased by 10 percent from the first half of the year to 2,835. Of those bugs, "a staggering 80 percent" pertain to Web applications, Cenzic said.

The report identifies 10 major vulnerabilities on the Web affecting Microsoft, Mozilla, Adobe and others, as well as the most common "vulnerability types," which include cross-site scripting holes, buffer overflows, orphan accounts, subpar session management and bad application configuration management.

Most of these vulnerabilities should be covered in the management-level mandates under Sarbanes-Oxley, HIPAA and Payment Card Industry (PCI) security standards. But each of these compliance objectives has been criticized in one form or another. PCI, for instance, came under criticism after a security attack last year at Hannaford Bros. and another one in January at Heartland Payment Systems. Both of those organizations were PCI standards-compliant -- and got hit anyway.

Mandeep Khera, chief marketing officer at Cenzic, said in an e-mail that Internet-based application weaknesses represent a virtual "gold mine" for hackers. The big problem, he contended, is the lack of centralized oversight of the national cybersecurity matrix.

"Perceived leniency from regulatory compliance bodies, coupled with lack of awareness about tools to prevent it, have allowed Web application vulnerabilities to become a blind spot for many organizations," Khera said.

Phil Lieberman, president of Los Angeles-based security vendor Lieberman Software, agreed that the current security environment warrants more unifying legislation that would allow individuals and organizations to fight back against those who attack their systems in real-time.

"In effect, we need the creation of the concepts of self-defense, castle laws, as well as Good Samaritan laws for those that push back criminals and those that attempt to disrupt commerce and communication on the Internet," he said. "These would be laws that cover all civilian users of the Internet. As it now stands, civilians are prohibited from taking any action to stop attackers, and so are ISPs. We are all told to buy better firewalls, anti-virus, anti-malware, intrusion detection devices, and just take the punishment."

Pointing to Cenzic's findings that more than 75 percent of security attacks happen over the Web and over 80 percent of Web sites are severely vulnerable, Khera added, "We as a nation have to question our cybersecurity priorities."


Reactions Mixed over IBM's Possible Sun Acquisition

Reports on Wednesday that IBM is in talks to acquire Sun Microsystems drew mixed views as to what Big Blue would gain from absorbing the struggling supplier of servers, open source software and Java.

Sun's stock rose 79 percent on Wednesday following a Wall Street Journal report that said a deal was in the works and could come together this week (but could also fall apart). An IBM spokesman said the company does not comment on rumors.

"It doesn't make sense," said Dana Gardner, principal analyst with Interarbor Solutions LLC, a Gilford, N.H. consultancy. "I don't see the logic, for hardware or software or services or IP or chip architectures -- IBM's got all of the above. If it's just about market share, IBM's been taking market share along with HP and Dell from Sun over the past five to seven years."

While IBM would gain some key assets, including the Java brand, Gardner points out that IBM and Oracle have both made much more money from Java than Sun. "I don't think there would be any real ripple effect in the Java community other than it will continue on its trajectory as open source under a variety of licenses and the community process continues whether it would be under Sun, IBM or anyone else. It shouldn't make much difference," Gardner said.

But not everyone thinks IBM acquiring Sun would be such a bad move. IBM is perhaps one of the few companies that could absorb Sun in its entirety, said RedMonk analyst Michael Cote. If IBM acquired Sun, it could potentially broaden the adoption of Java, he said.

"I would think it would more generalize the IBM developer base, rather than narrowing down the Java code base," Cote said. "Java is used for all sorts of applications whereas IBM's software is typically used for enterprise and big computational systems."

Yaacov Cohen, CEO of IBM partner Mainsoft Corp., agreed. "They have pretty much standardized their whole software business on Java," Cohen said. "It would be combining the technology leadership of Sun and the business savvy of IBM."
