Friday, April 17, 2009

VMware to Announce Cloud Computing Vision Tuesday

April 21 promises to be the biggest day of the year for virtualization giant VMware. On Tuesday, the company takes the wraps off of vSphere, the next generation of its infrastructure suite currently known as VMware Infrastructure (VI).

VMware is positioning vSphere as its effort toward "bringing cloud computing to the datacenter." VMware first announced the broad details of its vision during last September's VMworld conference. At that time, VMware called the technology a "Virtual Datacenter Operating System", or VDC-OS.

The idea behind VDC-OS was to make all datacenter components, like processors, memory and storage, one big pool of resources that could be drawn upon as necessary. In the cloud computing vision, those internal clouds will connect with external clouds, providing levels of efficiency, scalability and disaster recovery capability never before seen.

Although VMware has kept the details of most of the new functionality private, it has previewed several key parts in the past. One of the most significant upgrades in vSphere will be VMware Fault Tolerance, which will increase application availability for mission-critical apps. VMware CTO Stephen Herrod, in his presentation at last September's VMworld that VMware Fault Tolerance will keep an exact copy of an application on a mirrored server, for automatic failover in the event of a server crash.

Another long-expected new technology is VMsafe, which will provide an application programming interface (API) for third-party vendors to build security products to work with vSphere. That will be especially important in cloud computing scenarios, where private and sensitive data will cross traditional security boundaries like firewalls.

VMware CEO Paul Maritz will officially unveil vSphere, including details about pricing and availability, during a live Webcast starting at 9 a.m. PT Tuesday.

VMware Pledges Savings Guarantee on Server Hardware Costs
‘Observe And Report’: Officer Down, By Kurt Loder

'Stirling' Beta 2 Unveiled for Enterprise Security

Microsoft on Thursday announced the beta 2 release of "Stirling," which is the code name for an integrated suite of enterprise security solutions based on the company's Forefront products. The beta can be accessed at Microsoft's TechNet site here.

The actual planned release of the Stirling product was delayed by Redmond until at least the first half of 2010, according to the Forefront team.

In addition to the Stirling beta, Microsoft announced a new marketing concept for enterprise security called "business ready security." The concept has three parts, according to Douglas Leland, general manager of Microsoft's Identity and Security Business Group, in a Microsoft-published Q&A. It entails system-wide data and identity security. Next there is simplified compliance management. The last part concerns extending interoperability with non-Windows systems.

Figuring prominently in the business ready security concept is Microsoft's user access technology, code-named "Geneva," according to Leland. Formerly known as "Zermatt," Geneva is an identity-management technology that Microsoft first unveiled in October.

Leland also touted the security development lifecycle methodology used to create Microsoft's software products as part of Redmond's overall enterprise security push.

On top of the Stirling announcement, Microsoft also launched Forefront Online Security for Exchange on Thursday. Leland described it as "the first of our Forefront Online services" being rolled out.

Microsoft has scheduled part of the Stirling suite to appear in the fourth quarter of 2009. Those products will include "Forefront Server Security for Exchange and Threat Management Gateway (the next generation of ISA Server)," according to the Forefront team. Other parts of the suite, such as the management console and client security, have been pushed to the first half of 2010.

The overall delay for Stirling may have been caused, in part, by the sheer scale of the project, according to Don Retallack, research vice president for systems management and security at Directions on Microsoft.

"[Stirling] is an ambitious project that is supposed to be something that's going to tie client as well as server security together and allow them to compete with the top dogs in the antivirus game -- the Symantec's and the MacAfee's, who obviously aren't on that list of third-party collaborators," Retallack said.

Microsoft's current third-party collaborators include RSA, Juniper Networks, Brocade, Kaspersky, TippingPoint, Imperva, StillSecure, Q1 Labs, Guardium and Sourcefire. Those vendors are supporting a "security assessment sharing" feature in Stirling. Security assessment sharing captures data from third-party applications through the Forefront management console.

The whole third-party question, Retallack said, could have been one of the reasons for Stirling's delay, along with user concerns about local control of Microsoft's "real-time dynamic response" for security updates.

‘Observe And Report’: Officer Down, By Kurt Loder
‘Star Trek’ Reboot Garners Positive Reviews, Excitement From Actors
Zend Releasing Enterprise-Grade PHP Server

SP2 for Office 2007 and MOSS Arriving April 28

On April 28, Microsoft plans to release Service Pack 2 (SP2) for Microsoft Office 2007, along with SP2 releases for some of its server products.

Two of the servers that will get SP2 updates are Microsoft Office SharePoint Server (MOSS) and Windows SharePoint Services 3.0. In addition, the Office 2007 SP2 will include "updates for Project desktop and Project Server 2007," Microsoft explained on Thursday.

Some of the changes that will be enabled with the SP2 releases are described by Microsoft here.

The most notable SP2 changes affecting Office 2007 will be added support for various document formats. SP2 will enable OpenDocument Format (ODF) files to be opened, edited and saved using Microsoft Word, Excel and PowerPoint. ODF typically has been used in competing business productivity products, such as Sun Microsystems' free suite.

Other file formats supported in SP2 include Adobe PDF and XPS, which no longer have to be installed as add-ins. XPS, or "XML Paper Specification," is a Microsoft-developed format based on XAML that's used for document rendering and printing.

Office 2007 SP2 will work with Microsoft's latest Web browser release, Internet Explorer 8, Microsoft explained. It will also be compatible with "Windows Vista SP2, Windows Server 2008 SP2, Windows 7 and Windows Server R2."

Microsoft plans to release a Microsoft Service Pack Uninstall Tool that can remove client updates in Office 2007. However, this tool will be available as a separate download from SP2.

On the server front, Microsoft's SP2 releases will update MOSS and Windows SharePoint Services 3.0. Mostly, the SP2 releases are designed to improve application performance on server farms, according to a Microsoft SharePoint announcement.

IT pros accessing SharePoint via a server farm will be able to check if that server farm is ready for an upgrade to "the next version of SharePoint," according to the announcement. A new test to check for that capability will be part of the Stsadm command-line utility.

The SP2 release will also have added Web browser support for SharePoint. The SharePoint team explained that "Internet Explorer 8 will be added into browser support matrix as level one, and Firefox 2.0 and 3.0 as level two."

And in case anyone missed it, Microsoft also announced forthcoming 2010 products on Wednesday, including Exchange Server 2010 (now available in beta), Office 2010, SharePoint 2010, Visio 2010 and Project 2010. With the new SharePoint coming, Microsoft plans to drop the "O" (for "Office") in the MOSS acronym, the company explained.

For those looking for help with the new Exchange Server 2010 beta, Microsoft announced free training. The beta can be either downloaded or tried online.

Microsoft’s 2010 Brand: Details on Office, SharePoint
‘Harry Potter And The Half-Blood Prince’ Release Pushed Up Two Days
Exchange Server 2010 Beta Now Available

Wednesday, April 15, 2009

Microsoft's 2010 Brand: Details on Office, SharePoint

Microsoft on Wednesday branded some of its best-selling products to come with the "2010" stamp, beginning with the debut of Exchange Server 2010 beta.

Many of the forthcoming 2010 editions -- including Microsoft Office, Exchange and SharePoint 2010 -- are being positioned as unified communications (UC) solutions. In addition, Microsoft announced that other 2010 software products (Office Web applications, Project and Visio) will be coming.

These new products are expected to be available in "the first half of 2010," Microsoft announced, although Exchange Server 2010 will arrive a little sooner, during "the second half of 2009."

Microsoft released few details on the new 2010 products, except for Exchange Server. However, the company did say that a technical preview of Office 2010 will start in "the third quarter of 2009."

In addition, Office 2010 will be available in both 32-bit and 64-bit versions, according to an Ars Technicastory, citing a Microsoft source. Microsoft has generally been moving away from 32-bit solutions, starting with Windows Server 2008. Even Exchange Server 2010 will only be available as a 64-bit product, Microsoft said.

Another Office tidbit associated with the new 2010 branding is that MOSS, or Microsoft Office SharePoint Server, will be losing its "O." The SharePoint team explained the change by saying that people just associate Office with Office, and not with SharePoint.

The loss of the MOSS acronym doesn't imply any denigration in functionality, however.

"No one should worry that SharePoint doesn't work great with Office 2010 since we removed Office from the name, just like people didn't worry whether SharePoint was a great portal product when we removed Portal from the 2007 name," the SharePoint team explained.

And don't call Microsoft SharePoint Server 2010 by the "MSS" acronym either, because that belongs to Microsoft Search Server, the team added.

Meanwhile, Microsoft Office users on the Apple Mac platform now have an offer from Microsoft to try Office 2008 for free over 30 days' time. The trial version of Office 2008 will run alongside any other Mac-based Office versions that may be installed, so it's easy to test it.

‘Hannah Montana’ Tops Box Office With Record-Breaking Haul
Exchange Server 2010 Beta Now Available
Microsoft Partner Phase 2 Adds IBM’s Hosted Apps

Exchange Server 2010 Beta Now Available

Microsoft released a public beta version of Exchange Server 2010, the company's newest e-mail server, which is being rolled out a part of the company's renewed focus on the unified communications market.

The beta of Exchange Server 2010, previously code-named "E14," can be downloaded here. Microsoft expects the server to be available as a product "in the second half of 2009."

The company is also touting its "Software plus Services" option for customers. Exchange Server 2010 can be installed at the customer's premises or it can be accessed online as a service provided by Microsoft or its partners. Microsoft claims Exchange Server 2010 will be the first product in a line of new servers that are "built from the ground up" with inherent Software plus Services capability.

Exchange Server 2010 supports a number of convenience features for end users, including a new voicemail text preview. Users can scrap their current phone-based voicemail systems since voicemail is accessible through Microsoft Outlook. You can also now group e-mail messages and ignore certain e-mail threads. Also, you can do instant messaging in Outlook via a right-mouse-button click.

Probably the most convenient feature for travelers and telecommuters is that remote e-mail access is now fully supported using the Firefox and Safari Web browsers, not just Internet Explorer. This capability was enabled because Exchange Server 2010 "integrates Office Outlook Web Access with Office Communicator Web Access," according to Chris Capossela, senior vice president of Microsoft's information worker product management, in a released statement. The integration also unifies the e-mail interface, making it similar across the Outlook client, Web browser and mobile phone.

Some new features also double as corporate compliance measures. For instance, a "mailtips" function in Outlook warns users before they send e-mails to groups. However, this feature can also be set to warn users when they try to send e-mail outside the company.

Storage capability has been enhanced with Exchange Server 2010, according to Microsoft's announcement. For instance, personal file storage using .PST files goes away, replaced by an easier-to-search "integrated archive." IT pros can also use cheaper direct-attached storage to archive e-mails. Exchange Server 2010 uses a version of the Microsoft JetDB extensible storage engine that's been improved for "high availability, performance and database mobility," according to a TechNet forum post.

The integrated archive makes it easier query e-mail messages across the entire organization, which helps them better address "legal and e-discovery concerns," according to Microsoft's announcement. Exchange Server 2010 features role-based access control. IT pros can delegate e-mail access privileges to specific users, such as HR personnel, using the roles feature.

Additionally, IT pros can set Windows rights management services polices directly in Exchange Server 2010 for compliance based on each user. User mailboxes can be moved without incurring employee downtime.

Microsoft has already opened a TechNet forum for Exchange 2010, which can be accessed here.

According to the forum, there is no 32-bit production version of the server planned. Microsoft also isn't providing virtual hard disk image to test the beta. IT pros have to run the beta on their own test stations. Also, Exchange Server 2010 won't run on the Windows Server 2008 core, which is a stripped-down version of Windows Server.

Exchange Server 2010 supports migration from Exchange 2003 and Exchange 2007, according to the TechNet forum, which references a Microsoft "Transitioning to Exchange 2010" support document. However, it's not an upgrade. You have to move the database, uninstall the earlier version of Exchange, install Exchange 2010 and then mount the database.

Microsoft is planning other releases associated with its unified communications product family. For instance, Microsoft Office 2010 is expected to be released to manufacturing in the "first half of 2010," with a technical preview happening in the "third quarter of 2009," according to Microsoft's announcement.

That same timeline applies for "Office Web applications, SharePoint Server 2010, Visio 2010 and Project 2010," according to Capossela.

‘Hannah Montana’ Tops Box Office With Record-Breaking Haul
Microsoft’s 2010 Brand: Details on Office, SharePoint
Miley Cyrus Aims For ‘Smarter’ Image

Botnets on the Rise, Despite Aggressive Law Enforcement

The number of compromised computers actively being used in botnets to launch attacks on any given day last year was about 75,000, according to a new report on Internet threats from security firm Symantec Corp.

"That number actually went up about 31 percent from 2007," said Zulsikar Ramzan, technical director for Symantec. That was due largely to aggressive action against botnet operators by the FBI in 2007, he added. "What we're seeing is a long-term game of whack-a-mole," in which operators knocked down in one place quickly reappear somewhere else.

The figures appear in Symantec's 2008 Government Internet Security Threat Report, culled from the company's broader annual Internet threat report. Data for the reports were gathered from Symantec's global network of 250,000 network sensors.

The report paints a picture of a fluid world in which people who launch attacks -- which can include hackers, as well as organized criminal syndicates and possibly even nation-states using their services -- adapt to changing conditions to stay at least a step ahead of security companies and law enforcement.

Law enforcement is becoming better educated in dealing with online crime and international cooperation appears to be improving, Ramzan said. However, there still is room for improvement; better public awareness is also needed as attacks become stealthier.

"The threats we're seeing today are much more silent but much more deadly," Ramzan said. Persons whose computers are being exploited often are not aware of the compromise.

The overall number of threats is increasing quickly. Ramzan said that the number of signatures for malicious code maintained by Symantec for more than 20 years doubled in 2008. Surprisingly, only 3 percent of code exploits identified in 2008 exploited vulnerabilities in IT systems, down sharply from 2007. Most malicious code relied on social engineering or was downloaded from a command-and-control server onto an already compromised computer.

Malicious online activity usually is being driven now by an increasingly sophisticated underground economy in which specialized services, malware and botnets of compromised computers are offered for sale, and the resulting stolen information is wholesaled and retailed on underground servers. Credit card information is the most common commodity being offered for sale, accounting for 32 percent of the total last year, up from 21 percent the year before. Two-thirds of the stolen accounts were from the United States.

Government networks accounted for 20 percent of breaches of personally identifiable information in 2008, in second place behind the educational community with 27 percent. The average cost of a data breach was estimated at $6.7 million, and by the end of the year 44 states and the District of Columbia, Puerto Rico and the U.S. Virgin Islands had data breach notification laws.

Despite the profit motives, the most common attack against government systems last year was denial of service, accounting for 48 percent. Attacks against e-mail servers accounted for 18 percent and against Web servers 11 percent. The Domain Name System accounted for just 4 percent of attacks, but because DNS underlies so much Internet activity that is a particularly sensitive area. The U.S. government is in the process of implementing DNSSEC within the .gov top-level domain this year.

China was identified as the top source of attacks against government systems in 2008, accounting for 22 percent of the total, up from just 8 percent in 2007.

"The United States ranked second in 2008 for attacks targeting government, with 12 percent of the total, a decrease from 20 percent in 2007," the report said. "This drop is likely due to the shutdown of two ISPs in September and November 2008, which resulted in a dramatic drop in both bot [command and control] servers and bot-infected computers."

The origin of attack is determined by the IP address of the computers being used to deliver the attacks, Ramzan said. Because the person controlling those computers could be anywhere in the world, it is difficult to know how much importance to give to country-of-origin figures.

"The origin of the attacks might not be the same as the origin of the attacker," Ramzan said, and source figures might say more about the country as a victim of attacks rather than as a perpetrator.

IE Settings Can Enable Intranet Attacks, Report Says
Mel Gibson’s Wife Robyn Files For Divorce

IE Settings Can Enable Intranet Attacks, Report Says

Default security settings in Microsoft's Internet Explorer browser could open a company's intranet to hacking attacks, according to a recent security white paper.

The report, posted last week by Argentina-based security consultancy Argeniss, defined the issue based on Microsoft's scheme of using five security zones in Internet Explorer. In particular, the Local Intranet Zone has a more relaxed security setting by default than the Internet Zone. The white paper outlines a proof-of-concept attack based on that lowered security setting.

Someone with inside information about the appearance of the company's intranet interface could use that information in combination with phishing techniques to harvest passwords and gain access to workstations, according to the report's author, Cesar Cerrudo. The report focused on IE 7, but it can apply to IE 8 too.

Cerrudo notes that it's possible to get to the intranet, with its lower default security setting, through the Internet. Another issue is that Microsoft's cross-site scripting filter is disabled by default in IE. Consequently, an attacker just needs to lure the victim to a Web site controlled by him where script code opens a password login box that looks like the one used in the company's intranet. It's a scenario that requires inside information.

To prevent such a phishing scenario, Cerrudo recommends disabling two options that might allow the construction of such a fake login box: "allow script-initiated windows without size or position constraints" and "allow websites to open windows without address or status bar." He also recommends turning on the "enable XSS filter" setting on the Local Intranet Zone.

The report also mentions how SQL injection attacks could be carried out due to default security settings in IE. Cerrudo recommends turning on the "prompt for user name and password" setting on the Local Intranet Zone to help prevent such attacks.

Microsoft, when contacted about the report, stressed that such exploits are possible in "an untrustworthy internal environment."

"It's important to understand that the report outlines scenarios where the internal network cannot be trusted due to a breakdown in other security controls," a Microsoft spokesperson explained by e-mail." Every attack that Cesar Cerrudo outlined requires that an internal server has a vulnerability or that security controls be relaxed enough so that unauthorized users are able to take inappropriate actions against internal servers."

Still, the Microsoft spokesperson said that the report "outlines viable security options for operating Internet Explorer" in such untrustworthy environments. The spokesperson recommended that IT pros change IE's default security settings in accord with organizational security policy.

Some additional IE 8 security tips are referenced in Microsoft's team blog here, as well as at the Microsoft enterprise IE 8 site.

The report, "Opening Intranets to attacks by using Internet Explorer," can be accessed at Argeniss' Web site here (PDF).

‘Observe And Report’ Stars Seth Rogen, Anna Faris Recall Their Mallrat Days
April Patch Arrives, With Critical Fixes and More
Five ‘Critical’ Patches Planned for Tuesday

April Patch Arrives, With Critical Fixes and More

Microsoft rolled out eight fixes today in its monthly security release, addressing some 23 vulnerabilities.

The volume of security bulletins in the April patch marks this release as another historic Patch Tuesday event. Five items are deemed "critical" and two are labeled "important." Finally, Microsoft rounded out the slate with a "moderate" fix.

"Since Microsoft started providing exploitability information, this is the first time we've seen as many six vulnerabilities being exploited in the wild at the time the corresponding bulletins were released," said Don Leatham, director of solutions and strategy at Lumension. "This is definitely putting pressure on IT Teams to get these patches tested in their environments and out to the endpoints in their organizations."

This month's security update touches on a wide array of Windows applications and services. The usual suspects -- Internet Explorer, Excel and Word -- all get fixes this time.

Items associated with remote code execution attacks by hackers get the critical status. The important fixes are designed to stave off two instances of elevation-of-privilege exploits. The moderate item is supposed to stop a denial-of-service attack.

Critical Items
The first critical fix is said to remedy "two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters." Affected operating systems include Windows 2000, Windows XP and Windows Server 2003.

The second critical fix affects every known and supported Windows OS in circulation. The item up for patching is Microsoft Windows HTTP Services, a URL coding mechanism used in loading Web pages and transmitting data over the Internet. The fix addresses one publicly reported bug and two privately disclosed vulnerabilities.

Critical fix No. 3 in this month's slate hits on a privately disclosed vulnerability that could allow remote code execution. The attack can happen if a user opens a specially crafted MJPEG file via Microsoft's DirectShow, which is an API function. This vulnerability is also present in DirectX versions 8.1 and 9.0 running on Windows 2000, Windows XP and Windows Server 2003. Vectors for attack are multimedia activities, such as gaming, as well as video and audio through Windows Media Player.

The fourth critical fix will probably be the most important one in the slate. It affects Internet Explorer versions 5.01, 6 and 7 running on Windows 2000, Windows XP and Windows Vista, as well as Windows Server 2003 and Windows Server 2008.

"This [cumulative patch] has proof-of-concept code available for at least one of its covered vulnerabilities and thus has a high exploitability index of one," said Qualys Inc.'s Chief Technology Officer Wolfgang Kandek. "For IT administrators, this means that their window to patch is rapidly shrinking. Where, before, weeks were an acceptable timeframe [to patch], now days seems more adequate."

According to Redmond, the update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in IE, which has been a target of hacker activity. Users who have updated already to Internet Explorer 8 are not affected by this update.

The last critical fix on the agenda addresses an Excel vulnerability that can occur if a user opens a corrupt spreadsheet file, as outlined in a recent security advisory. It affects various Microsoft Office versions, such as 2000, 2003, 2007 Office System, XP and Office 2004 and 2008 for Macs.

Important and Moderate Items
The first important fix for this month pertains to Microsoft's Distributed Transaction Coordinator (MSDTC), which is a Windows-based administrative tool. It affects every supported Windows OS. MSDTC supports information and commands passed over the network via resource managers, SQL Server databases and various file systems.

"The [security] update addresses the vulnerabilities by correcting the way that Microsoft Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator, and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts," Microsoft stated in the bulletin notes for this particular fix.

The second and final important fix affects Microsoft's Forefront Edge Security platform, as well as its Internet Security and Acceleration (ISA) Server. The ISA Server helps stave off malware and firewall-compromising attacks. This fix plugs a hole where hackers could gain access a network. The exploit can happen if a hacker sends "specially crafted network packages to the affected system," or if a user clicks on a URL for a Web page containing malicious content, Redmond said.

The lone moderate item in the security rollout addresses one publicly reported vulnerability in the Windows SearchPath function that can lead to an elevation-of-privilege attack. A hacker could use SearchPath to increase access after a user downloads a malicious file, Microsoft said. This fix affects all Windows operating systems.

This April patch likely will keep IT pros busy as all eight patches may require restarts.

Microsoft is referring those interested in nonsecurity updates delivered through Windows Update, Microsoft Update and Windows Server Updates to this Knowledgebase article. It links to IE 8 updates, along with junk-mail filter upgrades and malicious software removal tool updates.

‘Star Trek’ Reboot Garners Positive Reviews, Excitement From Actors
Five ‘Critical’ Patches Planned for Tuesday

Monday, April 13, 2009

Windows XP Free Support Ends April 14

Microsoft will end "mainstream support" of Windows XP on Tuesday, April 14, 2009, meaning that there will be no more free per-incident support for that operating system.

XP users will still be able to get security patches automatically through Windows Update. In addition, it doesn't cost to call Microsoft if you have a problem installing Windows XP. However, calling Microsoft about other support incidents will cost the user money.

Microsoft already delivered its last service pack for XP, which is Service Pack 3.

The venerable XP operating system, first released in October of 2001, will enter the "extended support" lifecycle stage on Tuesday. Extended support for XP will last five years, until April 8, 2014. During that time, Microsoft will charge for per-incident support. The company will also charge its Premier Support customers for any nonsecurity requested hotfixes.

XP die-hards need not panic about support slipping away after the 2014 date. If they still want to get support for XP by that time, it will be available as part of Microsoft's "custom support" program -- the third and final stage of Microsoft's lifecycle support cycle.

Microsoft announced in February that it would keep the enrollment fee price for its custom support flat in 2009, meaning that it stays at 2008 prices. The company said it's keeping the price flat as a concession to its customers during the current economic downturn.

The total Microsoft lifecycle support cycle lasts 15 years, with mainstream support, extended support and custom support each lasting five years apiece. More information about Microsoft's lifecycle support policies can be found in this FAQ here.

Those looking to buy a new PC with Windows XP loaded on it can now only get it through exercising Microsoft's downgrade option.

Microsoft extended the availability of the XP downgrade option through May of 2009 for system builders and through July of 2009 for OEMs. However, even those dates to downgrade Vista aren't fixed in stone. Some OEMs, such as HP, expect to have PCs with XP downgrade rights available through 2012.

Mel Gibson’s Wife Robyn Files For Divorce
Windows 7 Will Have an XP Downgrade Option
Miley Cyrus Aims For ‘Smarter’ Image

Survey: IT Pros 'Cautious' on Move to Windows 7

A survey of IT professionals conducted last month for systems management provider KACE found that a majority (84 percent) of respondents expect that they won't deploy Windows 7 in the next year.

Windows 7 isn't expected to be a final product until some time in 2010, according to Microsoft, although rumors have suggested a release-to-manufacturing date as early as this fall.

KACE's survey tapped the views of 1,142 respondents, with about half (46 percent) describing themselves as "hands-on IT professionals." Almost all of the respondents operated some edition of Windows, but only 17 percent had the current Windows 7 beta installed.

The survey found that 83 percent planned to skip the current flagship Windows Vista operating system and migrate to Windows 7 directly in the next 12 months. That route will be a true time-consuming migration, noted Wynn White, KACE's vice president of marketing, because Microsoft is not providing an upgrade path between Windows XP and Windows 7.

Of those planning to migrate to Windows 7 in the next year, the main reason for the move was to avoid Vista, according to 53 percent of the respondents. Only 10 percent expected to upgrade to Vista first and then move to Windows 7.

"Vista probably continues to haunt Microsoft a bit," White said. "While people are probably favorable to Windows 7 [beta], they are taking a cautious approach to the adoption of Windows 7."

He noted that survey respondents reported application compatibility concerns, as well as economic considerations. However, they understand the work involved when it comes to skipping Vista and migrating directly to Windows 7.

"These are savvy individuals who took this survey," White explained. "They are IT hands-on folks. They understand the implications that going from XP to Windows 7 means a lot more work and a lot more headaches for them. And they are making that choice."

XP, released in October of 2001, is a venerable workhorse and runs in 89 to 90 percent of the workstations assessed by KACE's KBOX device, White noted. Microsoft plans to withdraw free mainstream support for XP on April 14, with paid extended support continuing until April 8, 2014. Still, there seemed to be an overall reluctance to part with XP among respondents. The survey participants who were concerned with maintaining XP (28 percent) were far outnumbered by those concerned with the costs of moving to Windows 7 (72 percent).

In addition, 50 percent of respondents were looking at other operating systems as alternatives to Windows. In particular, the Apple Macintosh OS was considered to be the most likely operating system to be deployed over Vista or Windows 7 by 27 percent. Linux systems were also being considered, with Ubuntu experiencing a "surge" of interest this year, White said.

Most of the respondents did not have a tool to automate OS migrations, according to the survey. The Web-based survey was sponsored by KACE, which makes systems management appliances that enable such OS migrations.

A spokesperson for KACE said that the survey would be publicly available on Tuesday, April 14, at KACE's Web site.

Windows 7 Will Have an XP Downgrade Option
Miley Cyrus Says Future Of ‘Hannah Montana’ Is ‘Not Really Up To Me’

Saturday, April 11, 2009

Datacenter Design Leader Leaves Microsoft

A key Microsoft team member involved with the modular design of Microsoft's server farms has joined another company.

Michael Manos joined Digital Realty Trust as senior vice president of technical services. He will oversee the design and construction of the San Francisco-based company's datacenters worldwide, according to an announcement issued by the company on Wednesday.

In addition, Manos will "spearhead the launch of a new professional services offering that the Company will unveil shortly," according to Digital Realty Trust's announcement.

Manos formerly served as Microsoft's general manager of Data Center Services. In one of his last Microsoft blog posts, Manos outlined Microsoft's fourth-generation datacenter design, which is being used to power Microsoft's "Software plus Services" deployments.

The Gen-4 datacenters are built in semi-open spaces using trucks, which unload shipping containers packed with servers. The modular Gen-4 approach is illustrated in this video. In a June interview given at Tech-Ed 2008 in Orlando, Fla., Manos said that Microsoft has "tens of datacenters" built out.

The economic downturn has caused Microsoft to delay some of its datacenter buildout plans in recent months.

For instance, in January, Microsoft postponed a $550 million project to build a datacenter in Des Moines, Iowa. That delay, along with Chicago and Dublin datacenter slow-downs, was noted by James Hamilton, an architect with the Microsoft Data Center Futures team, who left Microsoft to join Amazon in January. Hamilton now works as vice president and distinguished engineer on the Amazon Web Services team.

In addition to losing datacenter team members, Microsoft managed to gain one -- from Yahoo. In March, Microsoft hired Dayne Sampson, formerly vice president of operations for search and advertising at Yahoo. Sampson is now general manager at Microsoft's Global Foundation Services Division.

The Global Foundation Services Division runs the physical infrastructure of Microsoft's datacenters worldwide, led by Corporate Vice President Debra Chrapaty.

Microsoft has picked up other key Yahoo online services personal in recent months, most notably Qi Lu, the former head of Yahoo's Engineering and Advertising Technology Group. In December, Lu joined Microsoft as the president of its Online Services Group.

Zend Releasing Enterprise-Grade PHP Server

Velocity CTP3 Released

Microsoft this week rolled out the next community test version of a distributed cache platform code-named "Velocity" that promises to speed up .NET-based applications.

Velocity CTP3 (Community Technology Preview 3) was published on Tuesday and can be downloaded here. The CTP3 represents pre-beta testing; it's of interest mostly to technical reviewers.

The enhancements in the CTP3 include a new "cache notifications" capability, plus the option to manage cache clusters using SQL Server, according to Microsoft's announcement. Performance and security were also enhanced with this release, the Velocity team indicated. The application programming interfaces were changed to reflect more typical Microsoft namespace conventions.

Microsoft added the cache notifications capability to help avoid retrieving stale data. It also can be used to specify "an event-triggered task" based on when an object is "added, replaced or removed" in the cache, the Velocity team explained.

With CTP3, SQL Server can now be used instead of just the lead hosts for cluster management. Adding SQL Server for cluster management helps ensure that the cluster doesn't go down "due to an insufficient number of (running) lead hosts," according to the Velocity team.

Velocity is a performance improvement utility for .NET-based applications that caches data in memory across machines. Microsoft unveiled the first CTP of Velocity in early June.

The Velocity platform is similar to memcached hash-table technology used to speed up Web sites built on the LAMP (Linux, Apache, MySQL, PHP) stack, according to Dare Obasanjo, a Microsoft program manager for the Contacts team. Velocity instead provides cache support for Web sites using the WISC (Windows, IIS, SQL Server, C#) stack.

Velocity also adds scalability technology to caching. Obasanjo explained that "you can add and remove servers from the cluster and the cache automatically rebalances itself."

Ashley Tisdale Fights Aliens In ‘They Came From Upstairs’
Zend Releasing Enterprise-Grade PHP Server

US-CERT Warns of Conficker Variant

The U.S. Computer Emergency Readiness Team (US-CERT) warns that researchers on April 9 discovered a new variant of the Conficker worm that updates earlier infections via its peer-to-peer network.

The worm, also known as W32.Downadup, also is resuming its scan-and-infect activity, searching for unpatched systems that can be exploited.

"With the discovery of a new variant, it is even more important for users to remain vigilant in detecting the Conficker worm and systematically cleaning systems of these infections to prevent potential, future cyber events," US-CERT warned.

Although Conficker/Downadup has infected upwards of an estimated 10 million computers, it so far does not appear to have been engaged in overt malicious activity. Because the malicious code can be detected and removed, the number of currently infected computers is estimated at several million.

The most recent variant appears to download additional malicious code onto compromised systems, possibly including copies of the Waledac Trojan, a spam tool. This could indicate an interest in using a Conficker botnet for spamming. Waledac has previously spread via e-mail messages that contain malicious links.

The original W32.Downadup.A exploited only the MS08-067 vulnerability in Windows XP SP2 and Windows 2003 SP1 operating systems, for which Microsoft issued an unusual patch outside of its regular monthly patching cycle. The more recent .B variant has added password-guessing and the ability to copy itself to USB drives to its capabilities, giving it a wider dissemination throughout a network once it is inside. The authors of the malware appear to be trying to gather low-hanging fruit in a network.

On April 1 a .C variant was scheduled to become active that would provide additional protection for the worm's command and control network. The worm uses an algorithm to generate a pseudo-random list of domains for its command and control network, which its infected clients check daily for instructions. Symantec analysts who examined the new code said that the variant would use a new algorithm to determine what domains to contact. It went from generating 500 domains a day to 50,000 domains with the new algorithm. Because a command and control server can be a weak spot whose elimination can disable a botnet, this could make Conficker/Downadup more difficult to attack.

One of Conficker's defenses is blocking access to sites providing detection and cleanup tools. This also makes it relatively easy to detect a possible infection. US-CERT advises that a simple test for the presence of Conficker/Downadup infection is to visit security solution Web sites. Detection and removal tools are available for download free from Symantec, Microsoft and McAfee.

"If a user is unable to reach any of these Web sites, it may indicate a Conficker/Downadup infection," US-CERT said. "The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet in the case for home users."

Instructions and information on how to manually remove a Conficker/Downadup infection from a system have been published by several security vendors -- including include Symantec and Microsoft -- which offer free tools to verify the presence of a Conficker/Downadup infection and remove the worm.

You also can call the Microsoft PC Safety hotline at 1-866-PCSAFETY for assistance.

Velocity CTP3 Released

Friday, April 10, 2009

Microsoft Unveils MED-V 1.0

The first version of Microsoft's desktop virtualization tool was announced last week.

The tool, called Microsoft Enterprise Desktop Virtualization (MED-V) 1.0, is not a standalone product, but one of six applications in the Microsoft Desktop Optimization Pack (MDOP). In order to get MED-V 1.0 (along with the whole MDOP 2009 suite), a Software Assurance license is required.

Organizations typically can use MED-V to run older applications on a newer Windows operating system. The "legacy" apps and OS become a virtualized desktop.

"MED-V bridges the application compatibility gap between current versions of Windows and legacy Windows-based applications by allowing enterprises to move desktops completely to newer versions of Windows," explained Steve Thomas, senior support escalation engineer at Microsoft, in a team blog.

Desktop virtualization isn't the same as application virtualization. Desktop virtualization addresses the incompatibility between an application and the operating system.

Application virtualization, on the other hand, deals with the incompatibility between two applications. It lets the two apps run on the same operating system while in virtualized runtime environments. Microsoft's App-V, part of MDOP, enables application virtualization.

MED-V essentially helps IT pros upgrade the Windows OS without interrupting the flow of business. The benefits of MED-V 1.0, according to Microsoft, include:

Central creation, deployment and updating of PC images throughout the enterprise; Provisioning virtual images and user policies by business affiliation and requirements; Accelerating OS upgrades; and Simplifying IT integration by allowing two IT environments to run concurrently.

Subscribers to TechNet or MSDN (Microsoft Developer Network) can evaluate MED-V 1.0, along with Software Assurance licensees. Microsoft volume licensees can get it here.

Zend Releasing Enterprise-Grade PHP Server
Miley Cyrus Aims For ‘Smarter’ Image
Ashley Tisdale Fights Aliens In ‘They Came From Upstairs’

Five 'Critical' Patches Planned for Tuesday

After some comparatively light patch rollouts in past months, Microsoft's April Patch Tuesday promises a fuller slate with eight security bulletins. Five are rated "critical" and two "important," with one rare "moderate" patch.

This month's round of security updates may have the most girth of any since October. The rollout is expected to include hotfixes for Windows programs and services, DirectX, and ubiquitous Microsoft applications such as Internet Explorer (IE), Excel and Word. All of the critical items have remote code execution implications. The important items are designed to stop two instances of elevation-of-privilege incursions. Finally, the moderate patch protects against denial-of-service attacks.

Critical Fixes
The first critical bulletin is described as a Windows fix and affects Windows 2000, XP and Windows Server 2003. Meanwhile, the second critical Windows patch touches on all supported Windows client and server OSes.

The third critical fix deals with the DirectX versions 8.1 and 9.0 running on Windows 2000, XP and Windows Server 2003. DirectX consists of application programming interfaces used for multimedia on Windows-based PCs, including game, video and audio applications.

The fourth critical fix expected on Tuesday will update IE versions 5.01, 6 and 7 running on Windows 2000, XP and Vista, as well as Windows Server 2003 and Windows Server 2008. IE has been at the center of recent hacker activity affecting older versions of the browser, plus the recent IE 8.

The fifth critical bulletin to come will fix Excel, affecting Microsoft Office 2000, 2003, 2007 and XP, along with Office 2004 and 2008 for Macs. Security analysts speculate that this Excel fix could be related to a hole in the popular spreadsheet app for which Microsoft issued a security advisory in February. That advisory warned users that exploits were in the wild, potentially affecting all supported versions of Excel.

Important and Moderate Items
The first important fix for this month will pertain to Microsoft's Distributed Transaction Coordinator (MSDTC). The MSDTC is a Windows-based administrative tool that acts as a conduit for information and commands passed over the network via resource managers, SQL Server databases and various other file systems. This fix updates the MSDTC facility program across every supported Windows OS. It's designed to block hackers from infiltrating a system and upping their administrative privileges to change MSDTC configurations, Microsoft says.

The second important fix will affect Microsoft's Forefront Edge Security platform and the Internet Security and Acceleration (ISA) Server. ISA is a server application deployed to stave off malware and firewall-compromising attacks. This fix is supposed to deflect a denial-of-service onslaught where hackers can change access control parameters and lock enterprise administrators out of these programs.

Finally, the lone moderate item in the rollout will affect all Windows OSes and is designed to circumvent elevation-of-privilege attacks.

All of the eight patches may require restarts.

IT pros interested in nonsecurity updates channeled through Windows Update, Microsoft Update and Windows Server Updates can find support in this Knowledge Base article. It provides guidance on IE 8 system updates, along with junk-mail filter upgrades and malicious software removal tool tweaks.

Zend Releasing Enterprise-Grade PHP Server

Thursday, April 9, 2009

Windows 7 Will Have an XP Downgrade Option

Microsoft will permit Windows 7 Professional edition downgrades to Windows XP Professional, according a report by veteran Microsoft watcher Mary-Jo Foley published on Monday.

A Microsoft spokesperson told Foley that downgrade rights apply to "previous versions of Windows, not just the most recent predecessor" (namely, Windows Vista). The ability to skip editions of Windows actually has been long-standing policy, as described in Microsoft's EULA, a company spokesperson explained to me.

The downgrade rights are restricted to specific OS editions. The present migration scenario is from Windows Vista Business and Windows Vista Ultimate to Windows XP Professional. Those with other Vista editions, such as Home Premium and Home Basic, don't have those downgrade rights. Furthermore, Vista users are restricted to moving to XP Pro, XP Pro x64 or XP Tablet PC editions, a Microsoft document (PDF) explains.

Renewed questions about downgrade rights popped up after an AppleInsider story reported a leaked HP memo that read, "The Win 7 Professional to XP Pro downgrade OS will also discontinue on April 30th 2010." Microsoft would not confirm that date, according to Foley, although the company did confirm that it will be possible to downgrade to XP from Windows 7.

If the date is true, IT pros will be able to purchase new PCs with Windows 7, but downgrade to XP, for another year. It might give some IT departments more time to upgrade their shops from XP.

The policy is somewhat wrapped in confusion because Microsoft's hardware partners typically must provide XP media to their customers wanting to downgrade. The availability of such media determines whether the OEM can fulfill the downgrade rights promise, as noted in a story by Gregg Keizer.

The OEM or the end user can install the OS downgrade, according to the "Windows Vista Downgrade Rights" document. The media (CD or DVD) to install the downgrade comes from "the retail, OEM/System Builder, or volume licensing channels," according to the document.

Microsoft extended the date for OEMs to offer new PCs with downgrades to XP through July 2009. System builders can offer new PCs with downgrades to XP through May 30, 2009.

However, there are apparently loopholes even in those dates. An HP FAQ suggested it might offer XP Pro downgrades through 2012.

"Through HP's PC Customization Service (PCCS) -- HP can install the customer’s XP Professional image on a system with a Vista Business Edition COA/Pre-install for as long as HP continues to offer and pre-install Vista Business Edition (we estimate that to be through 2012)," the FAQ explains.

Technically speaking, the availability of XP on new PCs (other than through Vista downgrades) has ended, except for low-cost netbook PCs running XP Home edition. Microsoft describes its XP license availability here.

HP's FAQ explains that Vista users can only downgrade to a "generic XP Pro" version. A spokesperson from HP explained by e-mail that this version "is the XP image that we always put on our systems and it includes HP drivers, etc." Furthermore, HP doesn't charge extra for providing this downgrade media, the spokesperson added.

However, some OEMs may charge for doing the downgrade or providing the downgrade media. For instance, a lawsuit (PDF) was filed against Microsoft by a Lenovo PC owner who paid $59.25 to downgrade from Vista Business edition to Windows XP Pro.

The tussle over XP downgrade rights comes even as mainstream (free) support for XP is dwindling. Mainstream support will end next week on April 14. Users can still buy extended support for XP, but that extended support offer will end on April 8, 2014, according to a Microsoft support page.

‘Camp Rock’ Star Alyson Stoner Reveals The Real Jonas Brothers
Zend Releasing Enterprise-Grade PHP Server

Zend Releasing Enterprise-Grade PHP Server

Zend Technologies will release its commercial-grade server for PHP applications on Tuesday.

The Zend Server product, previously in beta, is designed to bring high-levels of reliability, performance and security to enterprises running PHP-based Web applications.

"The release of Zend Server marks the culmination of a four-year strategic investment that leverages PHP as an open source, cross-platform development language that hits a sweet spot in the market," said Zend CEO and Cofounder Andi Gutmans in a telephone interview.

Gutmans said that PHP currently holds 35 percent to 40 percent of the Web applications development market share. PHP is the development language of choice for Web 2.0 pioneers such as FaceBook and Yahoo, he added.

It took additional work to move PHP into the Windows world and mainstream enterprise application development. Cupertino, Calif.-based Zend created a new set of development tools, a framework to build applications and collaborated with Microsoft.

Zend has been working with Microsoft since 2006 to make PHP "a first-class citizen on Windows," Gutmans said. That technical collaboration led to Microsoft delivering a FastCGI component for its Internet Information Services (IIS) Server. In addition, Microsoft is now providing a SQL Server for PHP extension, Gutmans noted in his blog.

Zend Server is designed to sit on top of the server stack and provide added functionality to an Apache or Windows IIS server. Performance management, monitoring and security are some of its features, along with automatic hot fixes and PHP upgrades.

PHP, according to Gutmans, has the largest ecosystem of developers, and is less complex and more cost effective than Java or .NET. Popular applications such as Wordpress and wikis are examples of innovative PHP developments, he said.

"We have been evangelists for PHP since we started in1999," Gutmans said. "Our mission was to develop a product that would work across platforms and bring a business-grade PHP to the enterprise that developers could use out of the box."

Zend Technologies offers two PHP servers, which can be downloaded here. Both will be released to general availability on April 7.

Zend Server Community Edition is available as a free download and is designed for lighter noncritical server deployments. Zend Server for enterprise applications is a commercial Web application server and available as a free 30-day trial.

A Zend Server annual product subscription with Silver Level support starts at $1,195, according to a Zend spokesperson.

Microsoft Partner Phase 2 Adds IBM’s Hosted Apps
‘Camp Rock’ Star Alyson Stoner Reveals The Real Jonas Brothers

VMware Pledges Savings Guarantee on Server Hardware Costs

VMware believes it can save you at least half on your server hardware through virtualization. It's so confident of the savings that the company is announcing that it will work for you for free if it can't meet that goal.

The offer was unveiled today by Palo Alto, Calif.-based VMware, the leading virtualization vendor. Under the plan, VMware's Professional Services organization will work with customers to deploy a VMware virtualization solution that saves at least 50 percent on server hardware costs. If it can't do that, VMware's services are free.

John Gilmartin, director of product marketing at VMware, said in an interview that this promotion "raises the bar in the marketplace." The offer is being made because of the recession, he added, and VMware is "recognizing the reality of the economic situation."

The program has a number of limitations. For one, it's originally targeted at U.S. companies only. Second, it's for enterprises with between 200 and 750 servers. Gilmartin added, however, that both of those restrictions could be lifted in the future if the promotion is as successful as VMware hopes it will be. "Think of it as pilot program," he said.

There's also the question of how "50 percent" is defined, and how disagreements between VMware and customers will be resolved. For instance, what if VMware said it achieved 53 percent hardware savings, while the client claims 47 percent hardware savings and says VMware's services are free?

VMware has a "process lined out within the terms and conditions for dealing with that type of situation," Gilmartin said. He doesn't think that situation will happen often, though.

"We think customers can achieve significantly more than 50 percent savings," Gilmartin said, including savings on related items like power and cooling that occur with server reduction.

He added that VMware is adequately staffed to meet the demand that the program could create.

"We've definitely planned for multiple engagements," Gilmartin said. "That's also a reason we've put the initial restriction of [the number of] servers -- to ensure we have the capacity to meet demand." The company also has "VMware Authorized Consultants"-- partners that deliver VMware virtualization services -- on standby to meet any overflow demand.

VMware is frequently cited by the competition -- and sometimes, customers -- as having the most expensive virtualization offerings on the market. Whether this changes that perception awaits to be seen.

VMware confirmed that the program went live on Monday.

‘Camp Rock’ Star Alyson Stoner Reveals The Real Jonas Brothers
Zend Releasing Enterprise-Grade PHP Server
Microsoft Partner Phase 2 Adds IBM’s Hosted Apps

Microsoft Partner Phase 2 Adds IBM's Hosted Apps

Phase 2 International now offers online IBM Lotus applications to small-to-medium businesses (SMBs), adding to its various hosted service offerings, which already include a Microsoft solution stack.

The Honolulu-based company is a Microsoft Gold Certified Partner that provides hosted solutions to SMBs worldwide. With its hard launch of its "Lotus on Demand" solutions on April 8, the company becomes a full-fledged IBM Business Partner too.

"The philosophy of Phase 2 has always been about bringing best-of-breed products to the market, and it's never been a vendor-biased type position," said Kevin Doherty, Phase 2's CEO.

The new hosted IBM solutions include Lotus Notes 8.5 for e-mail and Lotus Sametime, which is a standalone instant messaging/collaboration solution that integrates with Notes. (A plan for integrating Sametime with Microsoft Office Communications Server is in the works for this year, according to IBM.) In addition, Phase 2 offers IBM's Lotus Quickr, a document management platform that's Web 2.0 enabled. Doherty said that Quickr competes with Microsoft's SharePoint, calling it a "very capable platform" and "very simple to use," allowing customizations that don't require developer support.

Finally, the Lotus on Demand suite includes Lotus Connections, which is a social networking portal designed for internal company communications, although Doherty added that it also enables federation with outside organizations.

"We're very excited about the prospects of that product [Connections]," Doherty said. "Specifically, that's what's been the most difficult from a negotiation perspective with IBM because our goal was to bring this product to market for $2.99 a seat per month. They weren't really excited about that. If you wanted to buy single license for this product it's almost $200. So when they sell this project, it's usually a seven-figure project."

Doherty said that Phase 2 began talks with IBM's back in August of last year after IBM approached the company. Initially, Phase 2 was skeptical that it could offer IBM's hosted solutions for its SMB customers, since IBM's products are typically designed for Fortune 50, 100 and 1,000 companies. However, the SMB market is something that IBM is trying to address.

"IBM is very interested in this small segment of the market," Doherty said. "And by 'small' I mean by employee count -- it really encompasses about 80 percent of the businesses across the U.S. Frankly, they don't focus on it. They focus at the top, and we focus basically at the bottom, and that's why there's a synergy between the two companies and the partnership will work out."

IBM's and Microsoft's products do address two different markets, he added, and Phase 2 offers its SMB customers the option to use either. However, Phase 2's main focus is on its customers, who, in many cases aren't experts in software and just have problems that need solving.

"We have a lot of nonprofits," Doherty explained. "A lot of them aren't sophisticated or savvy from an IT perspective."

Offering IBM's and Microsoft's products has meant keeping two technical skill sets going at Phase 2.

"We really have established two firm camps within the company," Doherty said. "And they are two completely different skill sets -- one's .NET, the other's J2EE and Java. It's painful, but we've just got to roll with that."

The product lines have some gaps. IBM Lotus doesn't have a CRM product, whereas Microsoft doesn't really have a corporate social networking product, Doherty said. Still, Phase 2 is satisfied partnering with both companies. Microsoft is a little more advanced partner-wise because it has had its SPLA (Service Providers License Agreement) package available for three or four years. However, Doherty said that IBM "has been very supportive."

IBM launched its LotusLive solutions in January, eliciting critiques from Microsoft officials, including a claim that hosted Notes has scalability limitations. Doherty described how Phase 2 handled it.

"The Lotus Notes platform -- it's very sophisticated," Doherty said. "That can scale pretty good, but it does involve a lot of clustering and a lot of sets of clusters. So you can continue to scale, but does get a little bit complicated. But the same could be said about Exchange and your backend SQL clusters."

Phase 2 hasn't quite hit the wall when it comes to scaling out Lotus Notes.

"I think if we got to point where we were hosting hundreds of thousands or millions of clients, a lot of these problems would become more apparent," Doherty said. "But we're going to have to take a wait-and-see approach and hope we won't have that particular problem."

Phase 2 currently hosts applications for SMBs worldwide from its servers in Hawaii, Chicago and Washington state. Company info is available here.

Zend Releasing Enterprise-Grade PHP Server

Sunday, April 5, 2009

WSJ: IBM, Sun Talks 'Unraveling'

The Wall Street Journal reported Sunday that the proposed $7 billion dollar deal for IBM Corp. to acquire Sun Microsystems virtually collapsed this weekend.

Unnamed sources told the paper that price IBM offered -- ranging from $9.10 to $9.40 per share -- "wasn't the biggest issue." Instead, a combination of concerns, including how committed IBM is to the acquisition, reportedly left Sun's board "split" over the deal, with Sun co-founder and Chairman Scott McNealy in the against camp. This resulted in Sun turning down IBM's offer on Saturday, and IBM formally withdrawing the offer Sunday.

Reporters William M. Bulkeley and Don Clark wrote that the parties are still communicating via telephone, although the talks can be characterized as "confrontational," They also point out that even if successful, any merger could face difficulties from both European and U.S. antitrust regulators.

As of Sunday night, neither IBM nor Sun have commented on the report or the deal itself.

Read the full The Wall Street Journal story here.

Reactions Mixed over IBM’s Possible Sun Acquisition
Kid Cudi Has ‘Eureka’ Moment With ‘Transformers’ Trailer
‘Twilight’ Star Robert Pattinson Talks About Nude Scenes In ‘Little Ashes’

Saturday, April 4, 2009

PowerPoint Security Bug Found in Office 2003

A new zero-day remote code execution vulnerability has come to Redmond's attention, this time affecting Microsoft Office PowerPoint.

On Thursday, the software giant issued a security advisory about the potential exploit, which affects older Microsoft Office versions up through Office 2003. The current flagship Office 2007 product is not vulnerable.

Microsoft said it is only "aware of limited and targeted attacks that attempt to use this vulnerability." Users with fewer administrative rights could be less affected than those who have superuser or carte blanche access to enterprise systems, according to Redmond.

The attacks are triggered by getting users to click on a malicious Office file, either on a Web site or via an e-mail attachment, triggering malware on the user's workstation. To avoid such attacks, IT shops should have "untrusted software" policies in place, explained Paul Henry, security and forensic analyst at Lumension.

"This incident highlights the added value of application control in automatically affording protection by preventing any untrusted software," Henry said. "This [untrusted software] is software that is not explicitly permitted by policy and has been downloaded via the Internet, transferred via a USB stick or installed from a CD/DVD." The policy would prevent untrusted software from executing on a user's PC, he explained.

The PowerPoint flaw was considered "extremely critical" in a separate advisory issued on Friday by Secunia, a Denmark-based vulnerability research shop.  

As a workaround, Redmond suggested that IT shops can modify the FileBlock policy in the registry to block the opening of untrusted Office 2003, and older, binary files. They can also use the Microsoft Office isolated conversion environment. This update works with Office 2003 and Office 2007 products to "more securely open Word, Excel and PowerPoint binary file formats," according to Microsoft. 

Microsoft provides additional technical details on the PowerPoint vulnerability in its Microsoft Malware Protection Center and Microsoft Security Research & Defense blogs.

Microsoft plans to "continue to monitor the situation and post updates as we become aware of any important new information," according to the advisory.

March Security Bulletin Issued Without Excel Fix
Adobe Issues Critical PDF Reader Patch
‘Watchmen’ Guards Box-Office #1

Thursday, April 2, 2009

Windows Server 2008 Foundation Unveiled

Microsoft on Wednesday announced an addition to its Windows Server product family, unveiling a new server specifically designed for very small businesses.

Windows Server 2008 Foundation supports file- and printer-sharing tasks for organizations with up to 15 users. Other functions enabled by the server include running applications, hosting Web sites and remote access. A Microsoft spokesperson said by e-mail that Foundation has the same security as Windows Server 2008 Standard, including BitLocker drive encryption.

Foundation supports Active Directory for managing user accounts and rights on the network. However, with Foundation, "Active Directory is only limited to the head node of a domain," explained Iain McDonald, general manager of Windows Server, in a video.

McDonald also noted that Foundation will not run in a virtualized environment. He explained the overall rationale for launching the product.

"We realized that there are parts of the economy that just aren't doing that well these days," McDonald said. "We also realize that there is a sizeable market out there where people are buying these lower-cost servers from various OEMs, so we created Windows Server 2008 Foundation."

Foundation will be sold pre-installed on machines produced by Microsoft's OEM partners such as Dell, HP and IBM "in the coming months," according to Microsoft's product announcement. A Microsoft blog described these machines as "low-end OEM servers that presently are selling at workstation prices" with a limitation of one socket and 8GB of RAM.

OEMs will set the price for the Foundation server products, and while these servers aren't on the market yet and pricing will vary per country, a Microsoft spokesperson noted that "HP expects a target price of under a thousand dollars."

For the most part, Foundation users will not have to purchase client access licenses (CALs) to run the server. There's an exception for Foundation users who want to run Terminal Services or Windows Rights Management Services. In those cases, users have to purchase standard CAL rights for each of those services.

So, Foundation users with simpler needs get a little break on licensing costs. In contrast, users of Microsoft's Windows Small Business Server (SBS), which supports up to 50 users, are required to purchase CALs.

Foundation lacks the all-in-one solution stack approach that Microsoft took with Windows SBS, which comes with Microsoft Exchange for e-mail, Forefront for security and SharePoint for collaboration -- all on top of Windows Server. However, not every small business needs all of that functionality.

And that's the principal reason why Microsoft came out with Foundation. It plugs a hole in Microsoft's Windows Server marketing, according to Paul DeGroot, senior analyst with Directions on Microsoft.

"SBS used to be simply the cheapest way to buy a copy of Windows Server," DeGroot explained in an e-mail. "It was cheaper to buy SBS, even with Exchange, than to buy Windows Server Standard. So if you are a partner and the customer just wanted a file and print server, you bought SBS and perhaps even ignored Exchange and everything else."

Microsoft subsequently increased the price of SBS, and that caused a rethink among potential buyers, DeGroot said. They now faced buying Windows Server just to get file- and print-sharing support.

"Microsoft created a hole in its product line, and Foundation fills it," he said.

Could small businesses use Microsoft's Windows Home Server (WHS) to meet their server needs, instead of Foundation? DeGroot said that WHS might even be a better solution for small businesses because of its backup feature. However, WHS is not licensed for business use "so Foundation Server provides a legal alternative for something like that."

Natasha Richardson Remembered With Dimmed Broadway Lights
Microsoft Rolls Out New Commerce Server

HP Selling Cloud Assurance to Enterprises

HP rolled out a service suite this week to help enterprise IT departments adopt and manage cloud-based services.

The suite, called HP Cloud Assure, is a turnkey package of services and best practices delivered in the cloud and performed "against the cloud," according to Tim Van Ash, director of product strategies for HP SaaS.

HP developed the software as a service (SaaS) bundle in response to enterprise user questions about cloud-based services, particularly with regard to "security, performance and availability," Van Ash said.

The new SaaS package includes HP Application Security Center, HP Performance Center and HP Business Availability Center, which are existing HP offerings for testing cloud-based services.

HP Cloud Assure is designed to address those functionalities in most cloud platforms, including and Microsoft's Azure Services Platform.

"We can test, validate and monitor user experience in a variety of environments," Van Ash noted. "We monitor environments from more than 80 POPs [points of presence] located around the world, and we deploy load testing that can simulate hundreds of thousands of users."

HP Cloud Assure is subscription based, with modular offerings of one to three months for specific services, or a standard package of 12 months.

Van Ash said that HP "owns and runs" its Cloud Assure solution, which is delivered from a network of 45 large commercial datacenters.

HP's engineers perform assessments, ongoing management of service levels and customer support remotely. The "turnkey" package includes network scans, Web application assessments, load tests, network bandwidth tests and other operations that monitor and measure security, performance and availability, according to Van Ash.

The HP SaaS reseller program has been updated to include a "partner-led delivery option" for HP Cloud Assure.

"Currently, partners can provide the performance and availability components," an HP spokesperson explained. "The security component is currently being delivered directly by HP SaaS due to limited expertise in the marketplace around application security vulnerabilities."

Partners are expected to start delivering those two services by year's end.

HP defines cloud computing as "services that can be delivered and used over the Internet through an as-needed, pay-per-use model," according to HP's announcement.

More information about HP Cloud Assure is available here.

DOA: The Open Cloud Manifesto
Microsoft Rolling Out Windows Azure Improvements
Zac Efron Signs On For New (Non-Musical) Film
‘Gossip Girl’ Star Chace Crawford Auditions For ‘Footloose’

TomTom Settlement Leads to FAT War

Microsoft and TomTom settled a patent dispute late last month that rang alarm bells among the open source Linux community -- and it still does.

The case began when Microsoft sued TomTom, an Amsterdam-based maker of GPS navigation devices for automobiles, in late February. TomTom then countersued. On March 30, Microsoft announced that the litigation was settled, explaining that the case involved patents on Microsoft's File Allocation Table (FAT) technology.

Microsoft's announcement also included an oblique reference to General Public License Version 2, a GNU open source license that permits the modification and sharing of Linux source code.

"The agreement includes patent coverage for Microsoft's three file management systems patents provided in a manner that is fully compliant with TomTom's obligations under the General Public License Version 2 (GPLv2)," Microsoft's announcement stated.

Under the terms of the settlement, "TomTom will pay Microsoft for coverage under the eight car navigation and file management systems patents in the Microsoft case." In addition, Microsoft gets covered under four patents mentioned in TomTom's countersuit, the announcement explained.

The five-year agreement covers past and future sales of TomTom's U.S. products. TomTom gets no payment from Microsoft and will remove FAT LFN technology within two years from its products.

In the wake of the agreement, The Software Freedom Law Center (SFLC) warned that the open source community likely faces future "patent aggression" from Microsoft, even though GPLv2 wasn't violated in the case.

Others chimed in, including Jim Zemlin, executive director of the nonprofit Linux Foundation, who recommended the removal of FAT by software vendors.

"The Linux Foundation is here to assist interested parties in the technical coordination of removing the FAT filesystem from products that make use of it today," Zemlin wrote in his blog.

TomTom may have settled with Microsoft concerning its FAT patents, but the SFLC saw no reason to do so.

"The FAT file system patents on which Microsoft sued are now and have always been invalid patents in our professional opinion," an SFLC statement explained. "We will act forcefully to protect all users and developers of free software against further intimidation or interference from these patents."

‘Watchmen’ Easter Eggs: Our Favorite Blink-And-You’ll-Miss-’Em Moments
Dynamics Freebies Unveiled at Convergence 2009
Despite Criticism, Microsoft Exec Defends Open Source Progress
Five Secrets Of The ‘Watchmen’ Universe

Microsoft Rolls Out Windows Embedded Services

Microsoft on Monday announced a new services capability that's part of its Windows Embedded Server product line. In addition, the company plans to roll out additional support for developers working on embedded systems.

For original equipment manufacturers (OEMs) and partners, Windows Embedded Server now has a "software plus services" capability. This capability currently works with Microsoft's management products, enabling device diagnostics and maintenance support.

For instance, Microsoft's partners can use the Microsoft System Center Operations Manager solution to monitor Windows-embedded devices. In addition, they can use Microsoft System Center Configuration Manager for remote maintenance of those devices.

The software plus services capability in Windows Embedded Server offers options for Microsoft's partners, and possible revenue streams.

"For a lot of OEMs, the trend is they may want to build system network solutions," said John Doyle, Microsoft's group product manager with the Windows embedded business. "Embedded servers can also be used to store data, which can be used to predict failure times or improve business efficiencies," he added.

For instance, OEM partners can monitor robots using Windows Embedded CE in factories. The monitoring and data collection can be used to help prevent those devices from going down, Doyle explained.

Also on Monday, Microsoft announced two upcoming perks for developers of Windows Embedded Server products -- a new Visual Studio subscription option, along with a new update service.

The subscription option, called "MSDN Embedded for Visual Studio Professional 2008," will be offered in July. It's designed to help developers select the right tools for the job, providing access to Microsoft operating systems and technical support specialized for device-development tasks.

The new Visual Studio subscription option represents Microsoft's shift from delivering a "static toolkit" to device software developers, Doyle explained. Certain Visual Studio subscribers will get the new services automatically.

"If you subscribe and you already have an MSDN subscription above the premium level, then the tools will automatically come available to you in the July time frame," Doyle said.

The second perk for developers is expected to appear in the first half of 2010, when Microsoft plans to roll out a Windows Embedded Developer Update Service. The updates will provide partner technology support, device drivers and board support packages.

"With Windows Embedded Developer Update, we will have a client that will reside on the developer machine," Doyle said. "So within the developer experience using Visual Studio, that [client] will connect up to a cloud, a new Microsoft service, where we will present a catalog of information, which includes partners' or Microsoft's updates, new components or advanced components, and also Microsoft- or partner-certified content."

Developers face making a lot of decisions about technologies when programming for embedded devices, Doyle explained, which is why Microsoft is rolling out these two services.

Microsoft offers a number of embedded operating system products, which are described here.

Juan Antonio Bayona To Direct ‘Eclipse’?
Microsoft Promoting Touch in Windows 7

No Serious Threat from Conficker on April 1

The most recent variant of the Conficker worm, also known as W32.Downadup.C, is scheduled to update itself April 1. But analysts who have examined the code say it appears to be an upgrade of its defenses rather than an attack by a widespread botnet compromised by the worm.

"There is no reason to believe that April 1 will be any different from any other day," said Kevin Haley, director of Symantec Security Response.

The worm uses an algorithm to generate a pseudo-random list of domains for its command-and-control network, which its infected clients check daily for instructions. Symantec analysts believe that on April 1 the malware will begin using a new algorithm to determine what domains it will contact.

"It now generates 500 domains every day," Haley said. "It's going to do 50,000" with the new algorithm. Because a command-and-control server is a weak spot whose elimination can disable a botnet, the update could make Downadup more difficult to attack. But it does not mean the worm is more likely to attack others.

"This certainly is an issue of concern, but the probability of a major cyber event taking place on April 1 is really not very likely," said Vincent Weafer, vice president of Symantec Security Response. "In reality, the author or authors of Downadup probably didn't intend for this malware to get as much attention as it has."

The current economic model for criminal hacking calls for a low and slow approach that does not draw attention to activities. Although estimates of Downadup infections range as high as 10 million devices, the current size of the network of available computers is probably a couple million, and so far they do not appear to have been put to work as a botnet.

"It's a good-sized network," Haley said. But "we may never see a big bang" from it.

The worm's success and the interest it has generated stem from the combination of tools it uses to spread and protect itself, although none of the tools is unique.

"This is the most technically interesting worm we've seen because of the way it spreads, as well as the communication mechanism, its encryption types and the methods it uses to contact its command-and-control servers," said Andrew Storms, director of security operations at nCircle, a network security automation company.

"It's good at what it does, and it looks like there is some thought and organization behind it," Haley said.

The original W32.Downadup.A exploited only the MS08-067 vulnerability in Microsoft Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 operating systems, for which Microsoft issued a patch outside its regular monthly patching cycle. The more recent B variant added password guessing and the ability to copy itself to USB drives, giving it a wider dissemination throughout a network once it is inside. The authors of the malware appear to be trying to gather networks' low-hanging fruit.

Its high visibility has made Downadup risky for those who plan to use it.

"This is eerily reminiscent of the major worms of five years or more ago," said Chris Schwartzbauer, senior vice president of worldwide sales and marketing at Shavlik Technologies. The high visibility of worms such as Sasser, Blaster and Code Red prompted networks to protect themselves.

Although the latest Downadup variant could have a more secure communication method, the worm already has the ability to communicate peer-to-peer, and there would be no reason to think it is waiting for April 1 for a major command, Haley said.

The advice of most experts is to stay patched and stay calm. Tools are available to detect and remove the worm, and organizations with up-to-date patches should be safe.

"Most enterprises already are using a patch management process and following industry best practices," Storms said. "They are likely already patched and protected from a Conficker infection."

Spammers Retool for Renewed Assault
April 1: D-Day for the Conficker Worm
Five Secrets Of The ‘Watchmen’ Universe

Wednesday, April 1, 2009

Exchange Tool Tests Remote Connections

Microsoft announced an online service for IT pros that enables them to test incoming e-mail traffic to Microsoft Exchange Server.

The tool, called Exchange Server Remote Connectivity Analyzer, was announced last week as a beta version. However, it's apparently been available as a test version since late last year.

The Microsoft Exchange team on Wednesday pointed to the availability of the beta version. The team's blog includes a video that demonstrates how the tool works, which can be accessed here.

The remote analyzer tool helps IT administrators assess server setup problems, particularly when e-mail clients located outside an organization's firewall are having problems trying to connect. While Exchange Server comes with its own test tools, those tools can only test traffic within an organization's firewall.

The Exchange Server Remote Connectivity Analyzer will test incoming e-mail traffic by simulating three client types, including Windows Mobile clients using Exchange ActiveSync, Outlook clients using Outlook Anywhere and clients that use SMTP.

You can run the tests for Windows Mobile and Outlook with autodiscovery turned either on or off.

The beta still has some usability limitations, and it requires certificates for some tests to work, according to the Exchange team blog. The team plans make those improvements in a future version, along with adding new tests for Exchange Web Services, IMAP, Outlook Web Access and POP.

The Exchange Server Remote Connectivity Analyzer tool, nicknamed "ExRCA," can be accessed for free online here.

System Center Virtual Machine Manager 2008 R2 Beta Now Available
‘Twilight’ Actress Reveals The Real Robert Pattinson

IT Is Hiring, But Just Barely

The IT hiring forecast for the coming quarter isn't all doom and gloom, but it's not a bed of roses either. According to IT staffing specialist Robert Half Technology, a net 2 percent of CIOs anticipate adding IT staff in the coming quarter, compared to a net 8 percent increase in Q1. That's the most striking result from the company's latest IT Hiring Index and Skills Report, which -- like its predecessors -- is based on feedback from more than 1,400 North American CIOs.

Fully 83 percent of IT chiefs expect to maintain their staffing levels. Among those who plan staff reductions, most cite IT budget cuts as the culprit.

On the hiring front, IT pros with help desk/technical support and networking skills continue to be most in demand. Desktop support, in particular, is seeing huge demand, outstripping even network administration, which -- for two quarters running -- held the in-demand top spot.

IT chiefs in the U.S. Mountain region say they're most optimistic about adding new staff; approximately 10 percent anticipate doing so. Not all IT chiefs, however, plan to add new employees on a full-time basis. Fully one-fifth expect to hire a mix of both full-time and contract workers, while nearly one-tenth plan to hire just contract workers, according to Robert Half. Add it all up and the IT staffing outlook is a mixed bag.

"Not surprisingly, companies are being more judicious when hiring in today's economic environment," said Dave Willmer, executive director of Robert Half Technology, in a prepared release. It appears that IT chiefs are getting back to the basics: "Budgets must support critical IT projects, and companies are re-examining their staffing needs accordingly. Among the areas where demand remains stable are help desk and technical support, and networking."

In spite of the unprecedented economic climate, a surprising number of IT chiefs expect to add jobs to meet growth demands. One-quarter of CIOs cited business growth as a key catalyst for IT staff expansion, and nearly 10 percent cited planned growth in their internal IT departments. Other drivers include increased workloads and planned system upgrades, both of which were cited by 8 percent of IT chiefs. Among CIOs who plan staff reductions, 40 percent blamed IT budget cuts, while another one-fifth cited the impact of the worsening financial crisis (specifically as it affects either their company or its primary industries).

Finally, Robert Half reports that about 18 percent of CIOs blamed "IT projects being put on hold and companywide layoffs" for planned job cuts.

What accounts for the surge of hiring activity in the Mountain states? Willmer and Robert Half include both intangible business needs and certain very tangible technology requirements. "The need to maximize efficiency and better utilize existing resources is driving hiring in the Mountain states," Willmer said. "Companies are seeking network professionals as well as those with experience in virtualization, .NET and PHP/LAMP development to help build upon or expand current applications."

Both the New England and West North Central regions should be hotbeds for IT job growth, too: IT staffing levels are expected to expand by 5 percent there.

Robert Pattinson’s ‘How To Be’ To Make TV Debut
Microsoft Eyes SMB Market in Partner Survey
‘Harry Potter’ Actor Robert Knox’s Killer Convicted
Enterprises Hanging on to Legacy Microsoft Apps