Thursday, June 18, 2009

Private Clouds Better for Security, Red Hat CEO Says

By Joab Jackson 05/27/2009

A private cloud could offer almost all the benefits of a public cloud, but without the attendant security and privacy headaches, said Jim Whitehurst, president and chief executive officer of enterprise open source software vendor Red Hat.

Moreover, if a company is running more than 1,000 servers, it could save money and become more flexible with its processor resources by building an internal cloud computing infrastructure.

"There is a significant amount of value in a cloud infrastructure for a single entity that is running multiple programs and multiple datacenters," Whitehurst said, speaking at the Federal IT on a Budget Forum held this week in Washington, D.C.

"What are the benefits of a public cloud? For most large agencies...or even medium-sized agencies, there is not a lot of purchasing cost advantage with going to a third-party cloud," Whitehurst said. "The real benefit is getting high utilization of your existing infrastructure and flexibility around that."

At present, Red Hat has more than 50 enterprise customers with private clouds. "They are seeing huge benefits [by] running clouds themselves," Whitehurst said. He mentioned that one customer he spoke with, a chief information officer of a large organization running 25,000 processors, told him that public cloud services such as's would not provide much of a cost advantage to his organization, as his company could obtain servers at almost the same cost as those providers.

To set up a private cloud, an organization would pool all of its servers and offer the processing power to each department. It could enjoy the economies of scale that clouds could provide, and not worry about the privacy and security concerns that dog public cloud providers, according to Whitehurst. It could also sign agreements with other agencies or organizations whose peak processing times are different from its own in order to have extra computing capacity on hand for those periods with the heaviest workloads.

Whitehurst said that today's public cloud offerings are mostly in the "vaporware" stage, meaning there is not much of use for enterprise users, again due to the outstanding security and privacy issues. Building a private cloud, however, will help agencies get prepared for such time when and if public cloud offerings become an alternative.

In April, IT analyst firm McKinsey & Co. released a report that argued that while small- and medium-sized organizations could save money by using public cloud services, large organizations could actually save money by keeping their processing needs in-house.

Federal Computer Week staff writer Doug Beizer contributed to this report.

Windows 7: Expect 'Modest' Bump in PC Sales, Veghte Says

By Kurt Mackie 06/08/2009

Microsoft's Bill Veghte spoke at the UBS Global Technology and Services Conference on Monday, providing a general overview of the Windows 7 business plan.

Veghte, who is Microsoft's senior vice president of the Online Services and Windows Business Group, described the coming Windows 7 product line but he did not reveal any pricing figures, which is Microsoft's next step before releasing the operating system into general availability. Pricing is also a big question among the investment analyst crowd at the conference.

In general, Microsoft sets Windows prices based on developed markets and emerging markets. Those segments are further broken down into enterprise, small-to-medium business and consumer markets. The products are differentiated based on a "good, better, best" experience, Veghte explained.

At the low end, Windows 7 Starter edition will be available as an entry-level original equipment manufacturer offering that's only for netbook-class PCs, Veghte said. Microsoft is planning about six Windows 7 editions, which the company outlined in February.

Veghte offered little hope for those expecting Windows 7 to push new PC sales in the current slumping economy. While he said Microsoft was "incredibly optimistic" about Windows 7, the company expects the bump in new PC sales to be "modest." Veghte added that he's found enthusiasm among CIOs and IT professionals for Windows 7, but his personal opinion is that it will get "drowned by the macro-environment" of the current economic downturn.

Veghte dampened hopes for retail upgrades, telling the crowd that "I worry that some of you have large numbers for that upgrade opportunity." Most OS upgrades will happen as people buy new PCs, he added, and it'll be seen more on the consumer side.

Veghte was asked about Microsoft's plans for working with the ARM chip in netbooks, which are small, low-cost laptop-like devices. He didn't answer the question. Microsoft has worked with ARM in the past, but principally with Windows Embedded CE and Windows Mobile.

Microsoft currently provides Windows XP Home edition for netbooks, where it has gained a "more than 90 percent attach rate," Veghte said. Most of those netbooks use Intel's Atom processor. However, it's thought that the ARM processor could show promise due to its greater power savings. ARM processors could be used in netbook-like mobile devices, and that could pose a potential challenge to the current Wintel netbook market lock.

Microsoft is currently going through an experimental period with netbooks, Veghte said, and the company will "compete vigorously." However, Microsoft sees the world in terms of PCs and phones. For those who want something extremely mobile, there are smartphone devices, he said.

In response to a question, Veghte emphasized that the PC isn't being supplanted by the World Wide Web. It's an "and" opportunity -- not "or," he said. The tie-in for Microsoft is Windows Live, which is a collection of Microsoft's online services. Windows Live is a "key vehicle for connecting the PC and Web," he explained.

Microsoft has previously announced that Windows 7 will ship on Oct. 22. To encourage sales, Microsoft allegedly will start a "technology guarantee program" promising Vista buyers a free upgrade to Windows 7, which will begin on June 26, according to leaked information. However, Veghte did not mention or confirm the program's existence in his talk.

Groove To Get a Name Change

By Kurt Mackie 05/14/2009

Microsoft Office Groove 2007 will get a name change next year that's more in tune with the SharePoint side of things.

The client product will be known as "SharePoint Workspace 2010" and will be added, along with OneNote, to the Microsoft Office Professional Plus 2010 product, according to a Microsoft announcement published on Wednesday.

Groove is a collaboration and document-sharing client application, with optional server support, that is designed for small teams of two to 30 people. The client application is currently available as part of the Microsoft Office 2007 Ultimate edition. Groove originally was the brainchild of Ray Ozzie, who now serves as Microsoft's chief software architect.

Groove isn't going away and SharePoint Workspace 2010 isn't considered by Microsoft to be a new product.

"We are not discontinuing Groove, just renaming it to SharePoint Workspace 2010 to better reflect the alignment and integration with SharePoint Server 2010," a Microsoft spokesperson explained by e-mail.

Microsoft has been fiddling around with its product names lately, including SharePoint, which also is a Microsoft collaboration application. Microsoft Office SharePoint Server, or MOSS, is getting a name change for the 2010 edition. Microsoft plans to drop the "Office" part of MOSS, the company explained last month. The rationale is that people think of Office and SharePoint as two different products.

As for the Groove-SharePoint product relationship, a Microsoft blog described it in this way: "Groove is to SharePoint [as] what Outlook is to Exchange."

If that isn't confusing, Microsoft also has another document-sharing and collaboration service for Microsoft Office 2007 called Office Live Workspace, but it's just a free extension to Office. The Groove news has nothing to do with Office Live Workspace.

Another Microsoft service that seems kind of similar is Microsoft Live Mesh, which is another Ozzie brainchild. Live Mesh was announced back in April of 2008.

"People on the Live Mesh development team have an affinity for many of the things Groove does well, but Groove is focused on a different set of Office-specific scenarios for the enterprise," the Microsoft spokesperson explained. "The architectures are also fundamentally different; the Groove architecture is based on decentralized peer technology that doesn't rely on cloud services."

Microsoft announced last week that SharePoint 2010 will be a 64-bit only application when rolled out. It will play well with 64-bit versions of Windows Server 2008 or Windows Server 2008 R2, as well as 64-bit versions of SQL Server 2005 and 2008. It won't work with Internet Explorer version 6.

Microsoft Office Groove 2007 appears to be only a 32-bit app, according to the system requirements. However that will change with the 2010 product.

"Office 2010 Suite products, including SharePoint Workspace 2010, will be available in 32-bit and 64-bit versions," the Microsoft spokesperson explained.

The current Groove product has optional server support. Organizations would typically use Microsoft Office Groove Server 2007 or Office Groove Enterprise Services if they needed centralized management support for the client product, according to Microsoft's FAQ. Otherwise, Groove can be run without the server.

"Groove Server 2007 is not required to run Office Groove 2007 (client app)," the spokesperson explained. "It is an option IT departments can purchase as part of volume licensing if they wish to centrally deploy, manage, and integrate Microsoft Office Groove 2007 across the enterprise."

At the Microsoft Tech-Ed event on Monday, Bill Veghte, Microsoft's senior vice president of Windows business, explained that Microsoft Office 2010 will have a technical preview starting in July. The exception is Tech-Ed attendees and invitees, who already have access to the Office 2010 bits. Other would-be testers face getting on a waiting list, as described here.

Microsoft expects the upcoming Office and SharePoint 2010 products to be available in the first half of next year.

Linux Foundation Takes Over

By John K. Waters 05/20/2009

The Linux Foundation last week rolled out a new community portal aimed at providing a central destination for the Linux community to interact with enterprise developers.

The site aggregates news, provides social networking opportunities and showcases original content from each of the Linux community distros. "It will provide original content and easy-to-find resources for Linux users and help those folks surface their skills and technical prowess to potential employers," said Executive Director Jim Zemlin. "What the site becomes over time will largely be up to the users."

The Debian, Fedora, openSUSE and Ubuntu communities will be providing direct contributions, Zemlin said. Visitors to the site can also expect input from community managers and developers, who "will join in conversations to help Linux users understand and use the leading Linux 'distros,'" the press release said.

The Foundation actually took over an existing site in March. The nonprofit consortium re-designed and re-purposed that site in hopes of developing it into the primary touchstone for the Linux community.

But does the world really need another Linux portal? "There's this huge proliferation of Web sites devoted to Linux," said Gartner analyst Mark Driver. "But a lot of them are just fanboy sites. appears to be an attempt by the Linux Foundation to create a professional, well-designed site for this purpose, and to give the Foundation itself a higher profile in the community."

Zemlin said will offer tools that provide not only content but also context to those interested in Linux. "These resources have long existed in a variety of places," he said. " brings them all together into one, central forum. There will always be sites that are tailored best for a specific community; is a great example of that. Unlike, which is used by the Linux kernel community to develop code, is tailored for the Linux user community and will take a much broader view."

That broader view is likely to appeal to enterprise developers and IT management, Driver said. "Most of the Linux converts up until recently were largely already familiar with the technology. If the Foundation does a good job, this site will provide a jumping-off point for all things Linux, which these IT shops will appreciate. It doesn't need to be everything, but it should be the first place a person goes for information on Linux."

Zemlin said reaching out to enterprise users is a key goal. "We want to enable the folks in the enterprise trenches to find out about how to solve technical problems, where to get support or provide peer review of Linux software and hardware. With the focus on Linux users, we're looking to address their specific requirements from a community of peers, both users and developers."

One of the most striking features of the site is its "guru" listing, which the Foundation designed to showcase the skills of top Linux developers. To motivate participation, the site is running an "Ultimate Linux Guru" contest, the winner of which gets a Linux notebook signed by Linus Torvalds. Zemlin said the Foundation will invite the top five contributors to to the annual Linux Foundation Collaboration Summit. And the top 50 Linux gurus will be recognized in a yearly report.

Joe "Zonker" Brockmeier, openSUSE community manager at Novell, welcomed the site. "I'm glad that the site is in the hands of a neutral party that's interested in promoting Linux itself, rather than a specific distro or vendor, and building community," he said. "We need a community watering hole where everyone goes to share information about Linux and learn more about Linux itself and the various vendors and distros."

Brockmeier hopes that as the site evolves, it will include strong white papers and case studies that inform businesses about deploying Linux, as well as more guides for those moving applications to Linux.

"I'd like to see some strong content on what to use to replace popular applications," he said, "and not just a list of 'use application X to replace application Y' but actual guidance on switching to the new apps."

Microsoft's Oslo CTP Includes First Look at Quadrant

By Jeffrey Schwartz 05/29/2009

Microsoft this week released a new community technology preview (CTP) of its modeling environment code-named "Oslo." The latest CTP includes a new software development kit (SDK) with runtime and provides the first public look at Quadrant, the tool intended to provide visual browsing of models.

Oslo is the model-driven development platform that runs on a SQL Server 2008 repository under development by Microsoft. The first CTP was released at last year's Professional Developers Conference. Microsoft has since issued two other CTPs. As reported in a March interview with Kris Horrocks, senior product manager for Microsoft's developer platform team, Oslo will be part of Visual Studio 2010, which was also released to beta last week.

"In theory, Oslo will bring programming in one layer of abstraction closer to the user and the user's intent," said Stephen Forte, chief strategy officer at Telerik, who has spent the past few days testing the new Oslo CTP. "It's a great vision and I hope Microsoft completes that vision. They are doing a good job so far."

In addition to some updates to Oslo's "M" language for defining domain models (including domain-specific languages, or DSLs) and productivity fixes aimed at improving how developers work with the language, the first preview of Quadrant is a key component of the new CTP. Quadrant is the data visualization tooling that allows for the browsing of the Oslo repository.

Quadrant effectively is a separate shell, Horrocks said in the interview. "We are working in close concert with our Visual Studio understand what the experience needs to be for our customers who are doing some modeling in the DSL Toolkit and some in Oslo," Horrocks said.

"What's interesting about the tool is now you can put things into the repository and you now have the ability to view them graphically as opposed to just using command lines or SQL statements," Forte said. "It's obviously in an early form but it looks pretty good. You can really work with your application data and metadata much better."

Another noteworthy addition to the CTP is the M editor, called Intellipad, Forte said, because it allows him to compile his DSLs created in M into the image files rather than having to use a command line interface.

"You can actually author M in Visual Studio much easier now with this SDK," Forte said. "You could in the past but integration is even tighter. For example, if you create and end the project in Visual Studio, you can now open that same M project in Intellipad, which you weren't able to do before. So the tooling definitely interoperates nicely."

Microsoft posted release notes at its Oslo Developer Center portal. The CTP is available for download here.

Microsoft's Bing Search Engine Unveiled

By Kurt Mackie 05/28/2009

Microsoft announced "Bing" on Thursday, the company's newest search engine technology and brand campaign.

The consumer-oriented Bing search portal will "begin to roll out over the coming days," according to Microsoft's announcement, but it will be available worldwide on June 3 at

Microsoft has been considering various branding alternatives to its current Live Search solution for many months. The Bing name was picked for various marketing reasons, according to Steve Ballmer, Microsoft's CEO.

"I'm not the creative guy, here…short mattered…people like to 'verb up'…works globally, doesn’t have negative connotations," Ballmer explained, in an interview at the All Things D event, which is being held this week in Carlsbad, Calif.

Fevered speculation about the new search brand seemed to center on the "Kumo" name, but that turned out to be an intentional marketing diversion. Even Microsoft's own employees were misled.

"Microsoft employees are redirected to Kumo automatically whenever we opened up a Live Search while connected to the corporate network," a Microsoft blog explained.

Another Microsoft blogger explained the Bing name as based on a so-called recursive acronym. "In my personal opinion, BING = Bing Is Not Google," the blogger wrote.

Google currently holds the No. 1 position in terms of online search engine use, with a 64 percent market share, according to April comScore estimates. Yahoo places second with a 20 percent share, and Microsoft trails in third place with about eight percent search use.

Microsoft's spending on search technology has been showing up regularly in its quarterly reports as an expense drain. Ballmer said at the All Things D event that Microsoft plans to invest "lots" of money on the Bing branding effort. A report by Advertising Age quantified that amount, suggesting that Microsoft would allocate "$80 million to $100 million" on promoting the Bing brand.

Previously, Microsoft had tried to increase its search marketing share by offering to buy Yahoo. Microsoft has since dropped that bid, but Microsoft officials still talk about establishing some sort of search deal with Yahoo. However, the All Things D event failed to generate any such news about an impending deal. Yahoo's CEO Carol Bartz noted at the event that a Yahoo acquisition by Microsoft would only be possible with a "boatload of money."

Bing may turn out to be just one project in Microsoft's overall efforts to catch up with Google on search. Other technologies besides Kumo (now Bing) are under development, according to Mike Nichols, Microsoft's general manager of Live Search.

"We're testing, not just in the Kumo test, but in all kinds of top-secret prototypes that I can't tell you about, all kinds of ways to address these and other opportunities," Nichols said in an interview.

Another change that will happen with the Bing release is that Redmond's online mapping application, Microsoft Virtual Earth, will get rebranded as "Bing Maps for Enterprise," according to a Microsoft blog. The consumer mapping version, called Microsoft Live Search Maps, will be renamed as "Bing Maps."

One user who tested Bing for a week described Bing as a sort of portal page that you stay on after searching. Microsoft's announcement makes the point of calling Bing a "decision engine" rather than a search engine. Some of the features seem to bear out that description. For instance, Bing has an "explore pane" that sits at the left of the screen and provides additional links to help filter search results. A Quick Preview feature lets users hover over a search result to peek at the site's content without actually going there.

Microsoft describes more of Bing's new search features at its portal page. However, in keeping with Bing's consumer focus, Microsoft will continue the "cashback" program that's currently part of Live Search. Cashback provides discounts to buyers when they use the search engine to buy products. Microsoft had hoped to kill off the popularity of Google's search engine with cashback, but Google still leads in search market share by a wide margin.

Despite Hoopla At WWDC, Apple Offers Incremental Extras For Enterprise Developers

By John K. Waters 06/09/2009

With Apple Inc. refreshing its iPhone line and Macintosh platform this week at its Worldwide Developer Conference, the company is continuing its incremental efforts to make its offerings appeal to enterprises.

The new iPhones and upgraded Macintosh client and server offerings unveiled at the WWDC in San Francisco on Monday offer some noteworthy, though modest, new capabilities for enterprise developers and IT managers. But because of their large consumer appeal -- Apple said it has sold 40 million iPhones -- enterprises cannot ignore what comes from the Cupertino, Calif.-based company.

Perhaps most noteworthy to enterprises, the newest releases offer improved connectivity to Microsoft's Exchange Server. Mac OS X 10.6 Snow Leopard, due in September, will include native support for Microsoft Exchange through ActiveSync. The feature makes it possible to use Apple's Mail client or Microsoft's Entourage client with Exchange 2007 Server without the IMAP restrictions. Because Exchange is the most widely deployed messaging and collaboration platform, enterprises are reluctant to support mobile devices that don't interoperate with it.

Apple added native Exchange support to the iPhone about a year ago, also via ActiveSync. That upgrade also included remote kill capabilities and some other Exchange-oriented management features. When the newly launched iPhone OS 3.0 debuts later this month, it will offer some additional business-oriented security features, including hardware encryption capabilities, and the ability to wipe out all data from a device if it is lost or stolen.

"These are features and capabilities that consumers really don't care about [but IT managers do]," said Michael Gartenberg, VP of strategy and analysis at Interpret, LLC, a market research firm. "One of the last complaints from the enterprise has been a lack of good Exchange clients for Mac OS, and they're fixing that with Snow Leopard."

The company also released a developer preview of Mac OS X Snow Leopard Server, the next major release of its server platform, due in September. It's built on a full 64-bit UNIX server OS, and based on open standards, Apple said. It comes with features aimed at developers, such as Podcast Producer 2, for automating the creation and publication of podcasts, and Mobile Access Server, which provides secure access to firewall-protected network services for iPhone and Mac machines.

Apple's release of an upgraded Macintosh client platform comes as Microsoft is set to release Windows 7, which the company said will be released October 22. Apple is hoping this will give pause to those enterprises faced with the eventual loss of support for Windows XP. "The upcoming release of Windows 7 represents a huge inflection point," Gartenberg said, "because Microsoft has said you really can't stay on XP any more. Given the cost of OS migrations in the enterprise, which often represent not just the cost of an operating system, but acquisition of new hardware, I suspect that Apple is hoping that businesses will say, 'if we're going to be pushed off XP as a platform, perhaps it's worth looking at all the platforms that are business friendly.' I think we're going to see Apple targeting those enterprises."

It's a target few anticipate Apple will hit in a large way. Macintosh-based systems represent a small sliver of computers used by enterprises, and there's no evidence that that will change. What continues to stymie Apple's enterprise goals is a lack of good examples of Apple-based enterprise applications, said Bola Rotibi, principal analyst at Macehiter Ward-Dutton.

"Apple is showing some impressive features and capabilities, and some good developer support with SDKs and APIs, to be sure," Rotibi said. "And I agree that the company has got the enterprise in its sights. But the question is: where are the big enterprise apps? Where are the big companies making a commitment to the Mac platform? In the enterprise, we're still talking .NET and Java."

In an ideal world, businesses would adopt the best machine for a given job, Rotibi said. "Then I think Microsoft would have something serious to worry about. But that's not what we see, usually. Apple still has a pretty wide perception chasm to get across to impact the enterprise. Which is not to say that they can't cross that gap. But there have been plenty of good technologies that didn't make the jump."

Still, Gartenberg said, the momentum of iPhone adoption and the subsequent inroads it's making into the enterprise are likely to move Apple's platforms toward greater acceptance by business. "Once you had the Exchange support for the iPhone, you started to see executives becoming fans of the device," said Gartenberg. "That led to them buying MacBooks and bringing them into the company to do their work. And when a senior vice president of the company brings a MacBook into the office, hands it to the CIO, and says make it work, it's now a business machine whether IT likes it or not. That's going to impact enterprise developers."

Microsoft To Open Up .NET Micro Framework

By Kurt Mackie 05/08/2009

Microsoft has restructured its .NET Micro Framework (MF) team and plans to eventually open up the .NET MF source code for community development.

The restructuring consists of moving the .NET MF team over to the developer division of Microsoft's Server and Tools Division, according to a team blog announcement. The move will align the .NET MF team "with the rest of the .NET groups and tools in building the uniform programming model from the sensors to servers," the blog explained.

The .NET MF is used for small devices such as Microsoft Smart Watches and TV set-top boxes using a Motorola processor.

The restructuring involved an undisclosed number of job cuts among the team. It was part of Microsoft's broad termination plan in which the company cut thousands of jobs, as described on Tuesday.

The details of the restructuring were first reported by veteran Microsoft watcher, Mary-Jo Foley, on Wednesday. A company spokesperson described the business-model changes to Foley as follows:

"Microsoft will eliminate the royalties from the distribution of the .NET Micro Framework product and make the porting kit available at no cost. Microsoft also intends to give customers and the community access to the source code."

No other details were available from Microsoft at press time, although Microsoft released a statement by e-mail clarifying how community support may be enabled.

"We are reviewing all of the .NET Micro Framework with the hopes of delivering all of it into the community as source code," the statement read. "Customers today are asking for support for specific hardware and protocols and in the current model we are not able to accommodate those requests. Opening the source code to the community will remove the bottleneck and gives customers the flexibility they have been asking for."

Plans for the Windows Embedded team to go bowling during Tech-Ed appear to be still on the table.

Microsoft's .NET MF is a common language runtime for small devices that are not supported by Microsoft's .NET Compact Framework or Windows CE. The framework doesn't support a real-time operating system but instead enables memory garbage collection. Processors supported by .NET MF include ARM7 and ARM9, as well as ADI's Blackfin. Programming is currently done in C# using Microsoft Visual Studio only.

Oracle Chief Ellison Anointed 'Next Leader of Java Community'

By John K. Waters 06/02/2009

Oracle CEO Larry Ellison made a surprise appearance at the annual JavaOne conference in San Francisco this morning. Ellison joined Sun Microsystems Co-Founder Scott McNealy onstage during the opening keynote in an effort to reassure developers that the Java platform would be safe in Oracle's hands.

McNealy invited Ellison to the stage, calling him "the next leader of the Java community."

Both execs avoided discussing any details about Sun's future after the acquisition, focusing instead on Java. "I don't think you're going to see a lot of change in Java coming from Oracle," Ellison said. Referring to Oracle's long-standing support for Java and its frequent partnerships with Sun, he added, "If you're curious about what's going to happen in the future, I think you have to look in the past."

Ellison pointed out that Oracle's middleware strategy is "based 100 percent on Java" and that Oracle's Fusion suite of applications is built entirely on Java. "I think we've invested more in Java than anyone else in terms of dollars," Ellison said. "We are going to continue to invest and to accelerate our investment. We see increased investment in Java coming from the Oracle-Sun combination, and an expansion of the overall community."

This was Ellison's first public appearance since the announcement in late April of Oracle's intention to acquire Sun for $7.4 billion.

Ellison said that he has been meeting with different groups inside Sun, talking about the possibility of the OpenOffice group generating JavaFX-based libraries. OpenOffice is an open source office suite created and supported by Sun. The JavaFX platform is Sun's runtime and tools combo for content authors and Web developers building rich Internet applications (RIAs).

"We'd like to see accelerated development based on this exciting new platform: Java with JavaFX," Ellison said. "Going to JavaFX is going to allow us to build fantastic UIs [user interfaces] in Java...We're committed to seeing JavaFX exploited throughout Oracle and throughout Sun."

Given the presence of Adobe's Flash and AIR runtimes, and Microsoft's moves to expand Silverlight, many observers have questioned whether JavaFX will gain critical mass. "I don't think it's surprising that Ellison would like the idea of JavaFX," said James Governor, principal analyst and founder of RedMonk. "Most major ISVs in the business intelligence space now rely on front ends built using the Adobe Flash platform. SAP, for example, is a major consumer of Flash. Meanwhile Microsoft continues its push into richer media with Silverlight. Why would Ellison acquire an end-to-end stack and then double down on it? In the keynote he mentioned rebuilding OpenOffice with JavaFX functionality; clearly Oracle's ERP apps might benefit from some of the same treatment."

In his praise of JavaFX, Ellison included a sharp criticism of AJAX tools, which he said programmers currently "suffer" with. "Ellison's comments about AJAX were pretty off the mark," said industry analyst Neil Ward-Dutton. "If you look at who's building rich Web apps right now, they use AJAX (and Flex, etc.) because it's close to the tech they're used to using," he said. "Interactive-experience designers know Dynamic HTML, XML, JavaScript, ActionScript; they don't know Java, and they don't want to know Java. JavaFX has some nice features but it's coming from way behind the other alternatives, and the availability of skills and the size of the community are key challenges for it right now."

Ellison also talked up the possibility of increasing the number of Java-based devices. He mentioned Android phones, and suggested that Java-based netbooks might emerge.

Governor said he didn't find any of Ellison's remarks surprising, but he was slightly less sanguine about the impact Oracle will have on the Java community. "Historically, Oracle has been more sales- than community-driven," he said, "so it's very hard to predict what impact acquiring Sun will have on that culture. We will have to wait and see."

SP2 Released for Windows Vista and Windows Server 2008

By Kurt Mackie, 05/27/2009

Microsoft published Service Pack 2 (SP2) on Monday for Windows Vista and Windows Server 2008.

This "release-to-Web" version of SP2 is a more general public release than the "release-to-manufacturing" version (designed for PC hardware builders) that Microsoft announced late last month.

Those eager to get SP2 can grab it today through the Microsoft Download Center or through Windows Update. The service pack is available as both 32-bit and 64-bit versions. However, grabbing the bits directly means handling a fairly large download, ranging in size from 300 MB to 600 MB.

System administrators typically might accept waiting for such a large download because they'll be getting a complete standalone SP2 package. However, average users can get SP2 as a much smaller 43 MB download if they've turned on Automatic Update in Vista and are willing to wait.

Microsoft plans to begin delivering SP2 via Automatic Update in June, and it will gradually be pushed out to users over about two months' time.

Microsoft's business customers needing more preparation time can block Automatic Update from downloading SP2 by using the Windows Service Pack Blocker Tool Kit. They can also control the update by setting the group policy for Automatic Updates and Windows Software Update Services.

SP2 is a single installer for both Vista and Windows Server 2008. However, you need to have Service Pack 1 (SP1) installed first before installing this new service pack. Those using Windows Server 2008 already have SP1 installed, according to Microsoft's "Notable Changes" document.

New features in SP2 include support for VIA Technologies' 64-bit CPU, the addition of Windows Search 4.0 and updates to Wi-Fi wireless and Blu-Ray media support, among many other details described in the Notable Changes document. SP2 also contains all of the updates Microsoft has released since SP1.

The Microsoft Download Center portal provides access to both the x86 and x64 versions of SP2.

IT pros can access the bits or an ISO file at Microsoft's TechNet portal.

Wednesday, June 17, 2009

Exchange Server 2007 SP2 Arriving This Fall

By Kurt Mackie, 05/21/2009

Microsoft on Monday alerted users of its Exchange Server 2007 product that Service Pack 2 (SP2) will be coming sometime in the third quarter of this year.

Those who want to make Exchange Server 2007 work with Microsoft's newest e-mail server release -- namely, Exchange Server 2010 -- will need to apply the SP2 upgrade first.

"Exchange Server 2007 SP2 is required to interoperate with Exchange Server 2010 and to enable the transition of services to the latest version of the product," according to Microsoft's announcement.

Exchange Server 2010 is currently available as a public beta, with product availability slated for sometime in the second half of this year.

IT pros who haven't even applied Service Pack 1 to Exchange Server 2007 have a bit of good news. SP1 isn't required before upgrading to SP2. Ultimately, though, Microsoft is recommending that IT pros install the SP2 upgrade because it will include update rollups with "hotfixes, security and critical updates for the product," the announcement explained.

SP2 will include all fixes in Microsoft's Update Rollup 8 release for Exchange Server 2007 SP1, which Microsoft plans to release "soon."

Microsoft described some new features that will be enabled by SP2. An enhanced auditing feature will create a dedicated log repository in Exchange Server 2007 to make it easier to monitor the server's activities. The Exchange Management Console will support diagnostic logging configurations. IT pros will also be able to create Exchange backups through the Windows Server 2008 backup tool.

There also will be some PowerShell enhancements with SP2. Organizational settings can be centralized using a "new PowerShell option," according to the announcement. SP2 will improve the current PowerShell cmdlets used for quota management. Named property usage per database can be monitored via cmdlets.

Lastly, SP2 will allow property updates to Active Directory schema "to be dynamically deployed."

Microsoft plans to announce additional information about SP2 at its Exchange Server Web site when the service pack is released. The announcement didn't specify an exact date for the release.

Borland Launches Requirements Management Tool

By Michael Desmond, 06/01/2009

Application lifecycle management (ALM) supplier Borland Software Corp. last week launched a new requirements management package that promises to reduce the number of late and costly changes to software development projects.

Dubbed TeamDefine, the software lets dev teams and analysts visually simulate application models to provide detailed, dynamic mock-ups based on established requirements. The release comes just three weeks after British software company Micro Focus said it is acquiring the Austin, Texas-based Borland.

TeamDefine provides a visual canvas for business analysts to sketch out workflows and logic structures. These workflows can then be attached to visual application mock-ups, allowing dev teams to trial-run requirements and make changes that can be reflected back into the underlying TeamDefine definitions.

"We all know that poorly written or poorly defined requirements are the root of all evil," said David Wilby, Borland's vice president of product strategy, in an interview. "The scary thing is, even though it is so well-recognized by the industry, there are very few tools for filling that gap."

TeamDefine will cater to the diverse interests of different stakeholders, noted Bola Rotibi, principal analyst at U.K.-based analyst firm Macehiter Ward-Dutton, in an e-mail interview. Rotibi noted that TeamDefine integrates with Borland's CaliberRM requirements management product.

"TeamDefine is part of a new wave of simulation tools that is finally and pragmatically, in my opinion, tackling the requirements capture process for GUI-based applications," Rotibi said. "We are now starting to see the types of tools needed to really support the development of rich Internet/interactive applications, and bring it back into the folds of the software development process and workflow."

The high cost of making late changes to applications provides a compelling ROI pitch for Borland. According to a study by the National Institute of Standards and Technology (NIST), the cost of making a change at the test or production phase of a software rollout is orders of magnitude higher than at the requirements or design phases.

Borland TeamDefine is available immediately. Pricing is set at $3,000 per user, with unlimited reviewer seats supported. More information can be found at Borland's Web site.

Microsoft Breaks Record With Massive June Patch

By Jabulani Leffall, 06/09/2009

It only took six months for Microsoft to break its own record for addressing the most vulnerabilities in a single patch.

Microsoft's June security bulletin rollout on Tuesday contains 10 patches -- six of them critical, three important and one moderate. This patch aims to fix more than 31 vulnerabilities. It edges out Microsoft's December 2008 patch, which came close with 28 bugs to fix.

Overall, the fixes include six for Windows operating systems. There's a large cumulative patch for Internet Explorer and three fixes for Microsoft Office. Remote code execution (RCE) exploits are the order of the day for all of the critical items. Other problems addressed in the patch include elevation of privilege and information disclosure considerations.

"I think Microsoft got it right this month by releasing patches for a number of well-publicized security flaws," said Eric Schultze, chief technology officer at Shavlik Technologies.

Critical Items

The first critical item patches two vulnerabilities mainly involving Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode. All told, this fix covers Windows 2000, Windows XP and Windows Server 2008 operating systems.

Critical patch No. 2 is an issue that is patched periodically, involving commands to the print spooler function in the Windows OS. According to the patch abstract, the bugs involved could kick off RCE exploits if an affected server receives a specially crafted remote procedure call (more on RPC later) request to the print spooler. All supported Windows versions are covered in this fix. In addition to applying the patch, Microsoft says that "firewall best practices and standard default firewall configurations can help protect networks from attacks."

The third critical bulletin is a cumulative patch for the Internet Explorer browser, covering IE 6, IE 7 and IE 8 across all OSes. The patch addresses seven vulnerabilities, making this one of the focal points of this month's rollout given the rise in browser-based exploits and hacks.

"[Of the seven total], the four Internet Explorer fixes that address HTML object memory corruption vulnerabilities -- the first ever patch for Internet Explorer 8 being among these -- are of particular interest," said Symantec Senior Research Manager Ben Greenbaum. "These weaknesses actually appear to be quite simple to exploit and we have observed malicious code being offered in malware toolkits that have taken advantage of very similar vulnerabilities."

The fourth critical item on the slate is designed to stave off two known vulnerabilities and covers a wide swath of Microsoft Word versions and components. Office 2000 Service Pack 3, Office XP SP3, and 2007 Microsoft Office System SP1 and SP2 are covered by this fix. Other applications covered include: Office 2004 and 2006 for Mac; Open XML File Format Converter for Mac; and Microsoft Office Word Viewer and Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats.

The same can be said for the cumulative Excel patch, which is the fifth critical bulletin. The problems to be fixed appear widespread. Redmond would only say "several vulnerabilities" and didn't pin down a specific number of bugs to be fixed. The only difference, from an Office components perspective, between this patch and the Word patch is that the Excel hotfix will also cover Office Excel Viewer and Microsoft Office SharePoint Server 2007 SP1 and SP2.

The sixth and final critical item is a cumulative hotfix for Microsoft Works converters. Specifically it's designed to stave off bugs that may pop up in any Works files that are loaded, opened and created on a workstation. The patch touches Office 2000, Office 2002, Office 2003 and Office 2007. Microsoft Works 8.5 and 9.0 versions are also covered.

Important and Moderate Items

Many of the important items in the June slate are of note to enterprise administrators for two main reasons. First, they have all been critical issues at some point in the past. Second, they all have elevation-of-privilege considerations, which would give a hacker write-edit-change access to an infected system.

The first important fix covers every Windows OS version, addressing remote procedure call (RPC) facilities. In October a critical RPC bulletin, known in some circles as the original "Conficker patch," was deployed to make sure server-side commands that allow subroutine code to execute were bug free. For this month's patch, the element to be fixed is the RPC marshalling engine, which is a way station for interprocess commands, data and information on a Windows network.

The second important fix affects every supported OS and is also an issue IT pros have often seen before with the Windows kernel. Redmond said that this security update resolves four bugs in the Windows kernel that could allow an attacker to execute arbitrary code and take complete control of an affected system.

The third important item is designed to patch Internet Information Services (IIS). Affected systems include Windows 2000, XP and Windows Server 2003. Microsoft issued an advisory just last week to address fresh exploits attacking IIS. The patch abstract explained at that time that "vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication." Left unpatched, hackers could bypass the access control list and authorization gate-keeping mechanisms and gain entry to IIS.

"Anyone running IIS that isn't using the available mitigation steps should jump on this one right away because there are exploits in the wild, and an exploited server can allow attackers to gain unauthorized access to protected resources on your Web site," said Andrew Storms, director of security at nCircle.

Heavy Security Patch Coming on Tuesday

By Jabulani Leffall, 06/05/2009

June may prove to be a busy month for IT pros, with Microsoft planning to release 10 fixes in its next security patch.

On Tuesday, Redmond expects to deliver six "critical" and three "important" fixes, as well as one "moderate" fix in its monthly patch.

Items slated to be fixed include Windows, Internet Explorer, Word, Excel and the general Microsoft Office suite. All six critical fixes deal with potential remote code execution vulnerabilities. The important fixes are designed to thwart elevation-of-privilege attacks, and the lone moderate patch addresses information disclosure exploits.

Critical Items

The first critical item patches Windows 2000, Windows XP and Windows Server 2008. All supported Windows versions are slated to get patched in the second critical fix.

The third critical bulletin appears to be one of many periodic and cumulative fixes for Microsoft's Internet Explorer browser, covering IE 6, IE 7 and IE 8 across all OSes. Security pros will likely want to focus on this fix, given the rise in browser-based exploits.

Critical fix No. 4 will address Word in the following Microsoft Office suites: Office 2000 Service Pack 3, Office XP SP3, and 2007 Microsoft Office System SP1 and SP2. This wide-ranging fix extends as well to the following applications: Office 2004 and 2006 for Mac; Open XML File Format Converter for Mac; and Microsoft Office Word Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats.

The fifth critical bulletin will touch on the Excel spreadsheet program. The same Office components apply as described above, and the fix also will cover Office Excel Viewer and Microsoft Office SharePoint Server 2007 SP1 and SP2.

The final critical item is a cumulative Office hotfix. It will address Office 2000, Office 2002, Office 2003 and Office 2007. Microsoft Works 8.5 and 9.0 versions are also covered.

Important and Moderate Items

All of the items deemed important in the June patch have elevation-of-privilege considerations. The first important fix covers every Windows OS version, as does the second important fix.

The third important item will address only Windows 2000, XP and Windows Server 2003, while the fourth important bulletin will only cover Windows XP and Windows 2003. The lone moderate item for this massive June slate is also a Windows OS fix and will only cover Windows XP and Windows 2003.

As usual, Redmond is reminding users interested in nonsecurity updates to visit its monthly knowledgebase article, which lists what Windows users can expect via Windows Update, Microsoft Update and Windows Server Update Services. Those items include a rollup for ActiveX Killbits for Windows, junk e-mail filter and malicious software removal upgrades, plus a cumulative update for Media Center TVPack for Windows Vista.

Microsoft Extends VS 2010 to Azure Cloud

By Kathleen Richards, 05/29/2009

On Wednesday, Microsoft released the latest Visual Studio (VS) extension preview for building apps that run on its Windows Azure cloud computing operating system and services platform. The Windows Azure Tools for Microsoft Visual Studio May 2009 CTP is the first to support VS 2010 development for the cloud. VS 2010 and .NET Framework 4 Beta 1 technologies were released on May 18.

The Azure SDK, which is installed as part of the Azure Tools for Visual Studio download, has also been updated. The Azure team announced several new features related to blob and table storage. On Friday, the team is also rolling out some changes to the way alerts, analytics and Windows Live ID integration are handled in the Azure Services Developer Portal.

Azure extends Windows to the cloud with an "operating system" that offers compute, management and storage services and an Azure Services Platform that enables developers to use .NET 3.5 SP1 and Visual Studio 2008 SP1 tooling to build Internet-scale apps that run in Microsoft's datacenters. The Azure technology also requires Windows Vista SP1 or Windows Server 2008 with IIS 7.0 enabled, and SQL Server 2005 or above.

.NET developer Roger Jennings, who authors the OakLeaf Systems blog, is writing a book on Azure and has downloaded the May 2009 CTPs. He says using Azure tools for VS 2010 does not offer any particular advantages right now. "Windows Azure doesn't support .NET 4.0 and there's not yet a .NET Services SDK that's compatible with VS 2010," he wrote in an e-mail. The most recent .NET Services SDK, to date, is the March 2009 CTP.

That may soon change, although Microsoft has not announced any timeframe for a compatible .NET Services SDK. The Windows Azure Tools for Visual Studio and Windows Azure SDK May 2009 CTPs follow March 2009 previews.

Windows Azure Tools for Visual Studio include C# and VB project templates, service role configuration tooling, cloud service debugging in the local development fabric, and access to the Azure Services Developer Portal. VS 2008 support is updated in the May release, according to Microsoft, offering improved stability and better integration with the Azure SDK development fabric and cloud-based storage services. You can download the May 2009 Windows Azure Tools for Visual Studio CTP and the May 2009 Windows Azure SDK here and find Windows Azure code samples for VS 2010 here.

Microsoft is expected to announce the commercial release date of Azure and the Azure Services Platform at its upcoming Professional Developers Conference (PDC) in November. The consumption-based pricing model is likely to be announced this summer. Microsoft's cloud computing initiative, which centers on Azure, is less than a year old and was publicly announced during the opening keynote at PDC 2008.

Windows 7 RC Goes Live

By Kurt Mackie, 05/05/2009

Microsoft today announced that the Windows 7 release candidate (RC) is now available to the general public.

The download, which can take a few hours, can be accessed here. The RC will be available through July 2009, according to Microsoft, and unlike the beta release of Windows 7, Microsoft isn't limiting the number of product keys for the RC. An RC of Windows Server 2008 R2 is also available for download by the general public.

The Windows 7 RC is a final test version of Microsoft's newest operating system. It's the same OS (Build 7100, Ultimate edition) that was made available to TechNet and MSDN subscribers last week.

Developers now have access to a new software development kit for Windows 7, available for download. Additional developer resources for Windows 7 are listed at Microsoft's MSDN portal.

For IT pros assessing infrastructure readiness for Windows 7, the company announced on Tuesday that it has upgraded its Microsoft Assessment and Planning Toolkit 4.0 beta program. The toolkit now includes support for Windows 7, Windows Server 2008 R2 and Hyper-V. Interested parties can download the new beta through Microsoft Connect.

The hardware requirements for Windows 7 RC are similar to those of Windows Vista. However, Microsoft's FAQ adds a caveat, stating that "some product features of Windows 7, such as the ability to watch and record live TV or navigation through the use of 'touch,' may require advanced or additional hardware." The FAQ doesn't elaborate, except to say that the listed hardware requirements represent running "average computing tasks, such as Web browsing and word processing."

Microsoft recommends backing up your data before installing Windows 7 RC. You can do an upgrade to Windows 7 RC from Vista, but the company recommends doing a clean install when migrating from Windows XP or Windows 7 beta. IT pros can use Microsoft's User State Migration Tool to move over old files, according to this demo.

Microsoft also has a Windows Easy Transfer tool for consumers to help restore files after a clean installation. It's typically used to move files from an old PC to a new one, but it requires a special USB cable.

Microsoft emphasizes that the RC is still a test version and could have problems with device driver support, file corruption and software that doesn't work. The company recommends running it on a test machine, not your main PC.

Microsoft's release notes for Windows 7 RC already indicate that users will have problems using AppLocker files created in the beta version of Windows 7. Some HP computers may generate an error message on installation. Moreover, some virtual private network applications may not work with the RC.

When the final Windows 7 product arrives, users of the RC will need to do a clean installation to run the new OS, according to Microsoft's FAQ.

Those using the Windows 7 beta (Build 7000) will face an OS that will expire on Aug. 1, 2009. However, the OS will begin shutting down every two hours starting on July 1, 2009. Microsoft says that Windows will notify users two weeks before the shutdowns begin.

Windows 7 RC expires on June 1, 2010, with the OS shutting down every two hours starting on March 1, 2010.

The Windows 7 RC is currently available as 32-bit or 64-bit versions in English, French, German, Japanese and Spanish. Microsoft recommends that after Windows 7 RC is installed, users should turn on Automatic Updates in Windows to keep the OS current.

The next release of Windows 7 will be the release to manufacturing (RTM) version for PC manufacturers. The RTM typically occurs about three to five months after the RC appears. New PCs with Windows 7 could ship as early as this fall, according to some reports.

SAP Launches Data Warehouse Search Tool

By Jeffrey Schwartz, 05/13/2009

SAP AG, the latest major software vendor looking to bring business intelligence (BI) to the masses, is launching a Web-based search interface that lets individuals query information from large data warehouses and ultimately other enterprise resources.

The company yesterday unveiled BusinessObjects Explorer at its annual Sapphire 2009 conference taking place this week in Orlando, Fla. It is billed as the most significant technology developed by SAP and Business Objects, which SAP acquired last year for $6.8 billion.

"It really delivers something neither portfolio could have done on its own," said Marge Breya, executive vice president and general manager of SAP's Intelligence Platform group, speaking at a press conference that was webcast from Sapphire.

Explorer evolved from a Business Objects-developed tool called Polestar, released in late 2007, which lets individuals conduct searches against data in the SAP BusinessObjects XI 3.1 BI platform. Using a Web-based interface, SAP officials said Explorer will now let any user, regardless of their knowledge of BI, query SAP's NetWeaver Business Warehouse Accelerator (BWA), the company's tooling for creating data warehouses.

Using traditional Web-type searching techniques such as entering key words, the company said users can query millions of records and render information and reports in a matter of seconds, based on in-memory processing technology co-developed by Intel.

As an example, beta customer Molson Coors has used Explorer to determine profitability of specific products in certain regions. Using Explorer, users could query 900 million records in BWA in less than three seconds. "People cannot believe how quickly the data is coming back," said Katrina Coyle, Molson Coors' global information manager, at the launch.

"Basically, Explorer is serving their joint customer base with a highly scalable and fast query accelerator," said Forrester Research analyst James Kobielus, noting the company is striving to build out a full data warehouse platform.

SAP officials emphasized the broad appeal it sees for Explorer's Web-based interface, which also supports Adobe Flash plug-ins. It is designed to let anyone -- from a clerk to a business analyst or executive -- find any kind of information that may be dispersed within an enterprise repository in much the same way they would perform a Google search.

"IT gets the ability to not only have a secure, reliable, scalable environment but also in a way that is actually compliant, controllable, etc.," Breya said. "So users can explore whatever data they are allowed to get access to and the IT organization still can maintain the control of the data, and can maintain that clarity and quality of the data itself."

The initial version, due out this summer, will integrate only with BWA. Later this year, it will be able to query any non-SAP data sources, Breya said, adding that the tooling will also evolve. "I think you will see us opening up our APIs for new visualizations and you will see a lot more machination added to the portfolio and the product here," she said. The company did not disclose pricing.

Microsoft Alert: Big Problem With SharePoint Service Pack 2

By Kurt Mackie, 05/22/2009

Microsoft on Friday announced that there's a problem for those who applied Service Pack 2 (SP2) to Microsoft Office SharePoint Server 2007 (MOSS 2007) -- namely, it's timed to expire in 180 days.

In addition to MOSS 2007, other products were affected by the service pack problem. Those products include "Project Server 2007, Form Server 2007, Search Server 2008 and Search Server 2008 Express," according to Microsoft's announcement.

Windows SharePoint Services 3.0 is not affected, the announcement added.

Microsoft is currently working on a hotfix and a knowledgebase article to remedy the SP2 problem. Basically, applying the SP2 update resets the product's activation as if the trial version of the software were installed.

IT pros who installed SP2 should check Microsoft's SharePoint Team blog here for details and updates. The knowledgebase article is expected to be available in less than 48 hours. Microsoft plans to describe a workaround solution in its knowledgebase article.

"To work around this issue customers will need to re-enter their Product ID numbers (PID) on the Convert License Type page in Central Administration," the SharePoint team explained in its blog. Users can retrieve their product ID at Microsoft's Volume Licensing Service Center Web page here.

Data aren't affected by the SP2 problem, according to Microsoft. However, the software will cease to work for end users after 180 days if the hotfix or workaround isn't applied.

For those trying to install MOSS or Windows SharePoint Services on Windows Server 2008 R2, you need to use the SP2 versions of those applications, according to this Microsoft blog.

Microsoft first publicly unveiled the availability of SP2 for MOSS 2007 and Office server products toward the end of April. At worst, early installers of SP2 have used up 24 days of the 180-day "trial" period.

Microsoft Issues Security Alert on IIS Web Server

By Jabulani Leffall, 05/19/2009

Responding to public reports of a wild bug, Microsoft late on Monday issued a security advisory to address a potential vulnerability in its Internet Information Services (IIS) Web server software.

Redmond said that the vulnerability, which has elevation of privilege implications, pertains to IIS versions 5.0, 5.1 and 6.0. The software giant added that it wasn't aware at this time of any "known attacks" against IIS, but is investigating the matter. IIS is the world's most frequently used Web server, after Apache HTTP server.

Independent security researchers first uncovered evidence of the bug late last week. On Monday, the U.S. Computer Emergency Readiness Team (U.S. CERT) confirmed that there were indeed threats to IIS.

In its advisory, Microsoft identified three "mediating factors" that can serve as workarounds for the vulnerability until its own investigation is concluded and a new patch is issued.

First, Microsoft recommends that system administrators maintain file system access control lists (ACL) that are solid and enforceable. With a clamp down on access control security, the elevation of privilege problem is lessened. Microsoft explains that under such conditions, "this vulnerability cannot be used to exceed the level of access granted to the anonymous user account through file system ACLs."

The second workaround involves configuring orphan, anonymous or administrative user accounts to deny write, change or delete privileges by default. That way, an anonymously listed "SECADMIN" or "SYSADMIN" user profile can't be used against an organization.

The final mitigation trick involves disabling Web-based distributed authoring and versioning (WebDAV). Microsoft's advisory says that this workaround particularly works for Windows Server 2003 systems running IIS 6.0. The advisory adds that for IIS 6.0, "WebDAV is not enabled in the default configuration" and unless enabled by an administrator, the system remains relatively unexposed.

Shavlik Technologies' Chief Technology Officer Eric Schultze offered one note of caution for IT pros studying this vulnerability.

"This flaw could enable attackers to read code pages on the Web server, where these pages might include usernames or passwords for applications or databases controlled by the Web server," Schultze said in a prepared statement. "I recommend people running IIS 5 or IIS 6 run the IIS lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day."

Such vulnerabilities have appeared and been patched before in IIS. In February of 2008, Redmond issued two patches to address elevation of privilege and remote code execution bugs in IIS. Back then, it was said an attacker could take control of an IIS server by way of the Worker Process Identity application, which is preset with network admin account privileges by default.
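Before applying the WebDAV workaround described in this article, an administrator will want to know which clients actually send WebDAV requests and whether any unauthenticated ones succeeded. The following is an added example, not code from the article or from Microsoft: it parses IIS W3C extended log lines and summarises WebDAV verb usage. The log sample is constructed, and the function names are hypothetical.

```python
"""Audit IIS W3C extended logs for WebDAV verbs before disabling WebDAV."""
from collections import Counter

# WebDAV methods defined in RFC 4918 (PUT/DELETE/OPTIONS are plain HTTP, so excluded).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample: two '#Fields:' headers, as happens when the logging
# configuration changes and IIS writes a new header into the same file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-05-19 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-05-19 08:00:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-05-19 08:00:05 192.0.2.10 PROPFIND /docs/ - 80 alice 198.51.100.8 Microsoft-WebDAV-MiniRedir/6.0.6001 207 0 0
2009-05-19 08:00:09 192.0.2.10 PROPFIND /private/ - 80 - 203.0.113.5 constructed-client/1.0 207 0 0
2009-05-19 08:00:12 192.0.2.10 OPTIONS / - 80 - 203.0.113.5 constructed-client/1.0 200 0 0
2009-05-19 08:00:15 192.0.2.10 PUT /private/x.txt - 80 - 203.0.113.5 constructed-client/1.0 401 2 5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-05-19 09:00:00 LOCK /docs/plan.doc alice 198.51.100.8 200
2009-05-19 09:00:02 MKCOL /private/new/ - 203.0.113.5 403
"""


def parse_w3c(lines):
    """Yield one dict per request, using the most recent '#Fields:' directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt record
        yield dict(zip(fields, values))


def webdav_usage(lines):
    """Summarise WebDAV requests and list unauthenticated ones that succeeded."""
    by_method = Counter()
    clients = Counter()
    anonymous_ok = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_METHODS:
            continue
        by_method[method] += 1
        clients[rec.get("c-ip", "?")] += 1
        status = rec.get("sc-status", "")
        # '-' in cs-username means no authenticated user was recorded.
        if rec.get("cs-username") == "-" and status.startswith("2"):
            anonymous_ok.append(
                (rec.get("c-ip", "?"), method, rec.get("cs-uri-stem", "?"), status)
            )
    return {"by_method": by_method, "clients": clients, "anonymous_ok": anonymous_ok}


if __name__ == "__main__":
    report = webdav_usage(SAMPLE_LOG.splitlines())
    print("WebDAV requests by method:", dict(report["by_method"]))
    print("Clients using WebDAV:", dict(report["clients"]))
    for ip, method, path, status in report["anonymous_ok"]:
        print(f"REVIEW: unauthenticated {method} {path} from {ip} returned {status}")
```

An empty report means nothing in the sampled logs depends on WebDAV. Entries under `anonymous_ok` are a review list for paths that are supposed to require authentication, not proof of exploitation.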

Microsoft Links CodePlex to Open Source Repositories

By Jeffrey Schwartz, 05/21/2009

Microsoft this week took another step to forge ties with the open source community through a pact with Black Duck Software that will feed code and project information from Microsoft's CodePlex into Black Duck's open source code repositories.

Black Duck's KnowledgeBase and code are among a growing base of repositories used by enterprise development managers to search and manage open source code.

Since its founding in 2002, Black Duck said it has already gathered 200,000 open source projects from 4,100 sites. Black Duck said it has added 40,000 new projects since January to KnowledgeBase, the company's searchable database of open source projects and code. is a free searchable engine acquired by Black Duck last year that allows anyone to search for open source code. It hosts more than 2 billion lines of open source code and is growing at a pace of 2,000 projects each month, according to the company. The company said it has 600 customers.

Microsoft's CodePlex hosts primarily Windows and .NET code and data, though it increasingly gathers relevant open source projects, as well. CodePlex currently has 9,000 projects. While Black Duck's KnowledgeBase and had previously gathered some CodePlex content, Microsoft is now providing a direct feed.

"It's never been as complete as it could be in terms of both covering all the projects as well as having access to all of the associated meta data and project information around all of those 9,000 projects," said Peter Vescuso, Black Duck's executive vice president of marketing and business development. "The value of our service hinges on the completeness of the code base and the value of the information we can provide."

The deal does not call for Black Duck to provide a return feed to Microsoft's CodePlex.

A growing number of enterprises are using code repositories like KnowledgeBase to better manage their use of open source code and make sure they are in compliance with any licensing issues, according to Jay Lyman, an analyst at The 451 Group. Black Duck is a leading provider, though there are numerous other players who offer code repositories such as Protocode, Ohloh and OpenLogic, among others. SourceForge and CollabNet are also popular resources, Lyman added.

Lyman said he wouldn't be surprised to see Microsoft involved in further pacts. "It's interesting to see Microsoft contributing to the legitimacy of open source software and the intellectual property behind open source software," Lyman said.

Forrester analyst Jeffrey Hammond added in an e-mail interview that it will help development managers get a better handle on their combined open source and .NET projects.

"The moves that Black Duck has made will make it easier to identify and control the adoption of useful OSS software provided by Microsoft and other parties," Hammond noted. "I view it as yet another step in the maturation of OSS in the .NET world."

Monday, June 15, 2009

Lone Microsoft Patch Fixes PowerPoint Vulnerability

By Jabulani Leffall, 05/12/2009

As expected, Microsoft rolled out only one patch for this month's Patch Tuesday, a critical bulletin for PowerPoint.

The solo release is said to fix as many as 14 reported remote code execution (RCE) vulnerabilities in the popular graphics and office presentation application.

Eric Schultze, chief technology officer for Shavlik Technologies, said Tuesday's hotfix is considered a client-side update because the RCE attack it addresses can deploy only when a user has opened a corrupt file.

"Typical client-side actions might include opening malicious documents, reading an evil e-mail or viewing an evil Web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop," Schultze said. "Systems which don't have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client-side exploits only obtain the same level of access on the system as that of the currently logged-on user."

May's patch, which may require a restart, covers a wide swath of Microsoft Office versions, such as Office 2000 and Office 2003, as well as Office XP and 2007 Microsoft Office Systems. However, there are also key programs the patch does not cover, among them PowerPoint Viewer 2003 and 2007; all supported versions of Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007; and Microsoft Works 8.5 and 9.0. Microsoft rated all these programs "important" but will not fix them this month.

Mac users will also have to wait as Microsoft said PowerPoint on Mac won't be covered in this month's patch, either. The Mac programs in question -- all of which are labeled "important" -- are Microsoft Office for Mac (2004 and 2008 versions) and Open XML File Format Converter for Mac. Microsoft said it did not include a Mac fix because it has not seen exploits being executed against Macs, and the company didn't want to delay the rollout given that there were zero-day vulnerabilities already in play for Windows machines.

This month's Patch Tuesday is now the second in a row in which Microsoft has fixed zero-day RCE exploits in a relatively expedient manner. For instance, this month's fix comes less than a month after a zero-day PowerPoint RCE vulnerability came to light, and for which the company issued a security advisory.

"For the last two months, users have been battling Microsoft Office zero-day attacks. The first set in February was in Microsoft Excel. The second set, announced on April 2, made users afraid of opening PowerPoint files," said Andrew Storms, director of security for nCircle. "Forty days from bug to bug [for a] fix is a decent turnaround for Microsoft given the vast number of Microsoft Office permutations that need to be quality-tested."

Though this month's Microsoft patch rollout is a light one, security experts say the various third-party security updates released in the last few weeks and slated for release this month need to be a priority.

"IT administrators shouldn't get the wrong impression and breathe easy given the light load. What is important for IT admins to understand is that May's Patch Tuesday isn't just about patching Microsoft's single patch, but rather fixing other security flaws that are non-MS-related in order to stay current and patched," said Paul Henry, security and forensic analyst for Lumension.

For those interested in non-security updates, Microsoft suggests users check out Windows Update, Microsoft Update and Windows Server Updates in this Knowledge Base link.

Windows 7 RC Remote Server Tools Available

By Kurt Mackie, 05/06/2009

IT pros can now get a package of remote server management tools that work with the new Windows 7 release candidate (RC), which Microsoft released to the public on Tuesday.

The tools are part of Microsoft's Remote Server Administration Tools (RSAT) for Windows 7 RC (Build 7100). Users can download versions for x86- or x64-based systems here.

Microsoft cautions that the tools are just for testing and not designed for production environments.

RSAT lets IT administrators "manage roles and features" on Windows Server 2008 R2 RC via remotely located PCs running Windows 7 RC. The tools support both server core and full installations of Windows Server 2008 R2 RC.

It's also possible to use the tools to remotely manage "some roles and features" in Windows Server 2008 or 2003, according to Microsoft's product description. One exception is that the new tools can't be used with a server core implementation of Windows Server 2003.

Microsoft provides some caveats in its release notes for RSAT. Earlier versions of the tools -- including the Administration Tools Pack for Windows Server 2003 and 2000 and RSAT for Vista -- should be uninstalled before installing this one. IT pros should install just one copy of RSAT per computer, Microsoft warns.

After installing the tools, you may have to turn on "Hyper-V Tools" from the Control Panel in Windows 7 RC, as explained in this blog post by John Howard, senior program manager of the Hyper-V team. You also have to configure the server to enable remote management.

RSAT for Windows 7 RC includes Microsoft's Server Manager plus various role and feature admin tools. IT pros can remotely administer roles for Active Directory, Hyper-V, terminal services, and DHCP and DNS servers. The feature tools include support for BitLocker password recovery, group policy management and Windows resource management.

Microsoft Offers Security Lifecycle Tool for VSTS

By Jabulani Leffall, 05/28/2009

Teams developing applications using Microsoft Visual Studio Team System 2008 (VSTS 2008) can now better implement Microsoft's security development lifecycle (SDL) process using a new template addition.

On Tuesday, Microsoft released its SDL Process Template for VSTS 2008. The release closely follows the availability of VSTS 2008 beta 1, announced last week, as well as Monday's announcement of Visual Studio 2010 beta and .NET Framework 4.0 beta.

The new SDL Process Template leverages both VSTS 2008 and Team Foundation Server. It supports "auditing for satisfying the security requirements" at organizations developing applications, according to Microsoft's SDL blog. The blog provides a walkthrough showing how the template works.

The new template fulfills a long-awaited need, according to Chenxi Wang, Forrester Research's principal analyst for security and risk management.

"This new release embeds SDL processes inside Visual Studio, which users have been asking for a while now," Wang said. "Other software security vendors have long been producing plug-ins for Visual Studio. But Microsoft had not yet crafted any of their SDL process into Visual Studio, and this new announcement represents the beginning of Microsoft doing that."

The embedding of SDL processes also helps because applications increasingly are becoming a security attack vector.

"Attackers are now targeting application vulnerabilities at a much higher rate than vulnerabilities found in the OS or browser," said Rob Sanfilippo, research VP for developer tools and platforms at Directions on Microsoft. "This way, development guidance and tools like those just released by Microsoft can be valuable for ISVs and corporate development teams, even those not using Microsoft's VS development platform."

Microsoft has been publishing its security development guidance based on its internal processes since 2004, Sanfilippo added. He described this latest SDL push as "a step forward" but said there are still some enhancements to be made to the process.

"For example, the template doesn't take advantage of new features coming in VSTS 2010 such as modeling and new test features, and the threat model tool could be more tightly integrated with the IDE," he said. "The SDL team releases new offerings approximately annually, so we'll probably see enhancements such as these next year, which should be about six months after VS/VSTS 2010 ships."

The SDL Process Template for VSTS 2008 can be downloaded here.

Visual Studio 2010 and .NET FX 4 Beta Drops Today

By Kathleen Richards, 05/18/2009

The Visual Studio 2010 and .NET Framework 4 Beta 1 bits are available to MSDN subscribers today. A public beta is scheduled for release on Wednesday.

"We have more work to do in terms of finishing up the feature work for some of the scenarios and getting to the right levels of quality and performance, but we have made enough progress that we wanted to start getting your feedback," said S. "Soma" Somasegar, Microsoft's senior vice president of the Developer Division, in his blog earlier today.

The updated framework offers maturing class libraries, new Parallel Extensions and an updated Common Language Runtime. The .NET 4 CLR is the first major upgrade to the core platform since .NET 2.0, which shipped with Visual Studio 2005.

Visual Studio 2010 debuts a revamped editor, UI and shell built using Microsoft's Windows Presentation Foundation 4.0. Based on early developer feedback, Microsoft has already made some modifications to the new editor. Some changes in Beta 1 include getting rid of the use of triangles, which appeared in the margins in the editor's outlining mode, to collapse or expand code blocks, according to a blog post last week by Jason Zander, the general manager of Visual Studio in Microsoft's Developer Division.

IDE performance is another concern that Microsoft is working to address, Zander said: "For Beta 1 we are making progress on performance but it is not yet where I want it to be. For example the VB/Windows Forms application is actually doing pretty well while the VB/ASP.NET application is slower than VS2008 (similar with C#)."

Visual Studio 2010 beefs up its tooling for Office, SharePoint, Windows 7, C++, Web and Silverlight development. Visual Studio 2010 Team System is a major upgrade that offers a new Architectural Explorer, built-in UML support, and a more complete debugging and test solution.

Beta 1 is also expected to offer the first look at Entity Framework version 2, which adds support for n-tier templates, Plain Old CLR Objects (POCO) and persistence ignorance, among other enhancements.

In .NET 3.5, Microsoft introduced Language Integrated Query and several providers, including LINQ to SQL, which offered a lightweight programming model against SQL Server.

"LINQ is pretty well cast," said Roger Jennings, principal of OakLeaf Systems. "People just use it now as a matter of course -- you are dealing with collections almost all the time and it makes dealing with them so much simpler. You can tell LINQ is a success because so many third parties are LINQ-enabling their products."

.NET 3.5 SP1 introduced the ADO.NET Entity Framework, ADO.NET Data Services (which is a REST framework) and LINQ to Entities. Despite the popularity of LINQ to SQL, Microsoft is focusing its efforts on its higher-end O/RM framework. When some developers realized this strategy, many were caught off guard because LINQ to SQL had only been out for about a year.

"Microsoft is certainly moving in a direction that addresses a lot of people doing development that is not the traditional ADO.NET drag-and-drop and let a designer do everything for you, and I think that's important," said Bill Wagner, founder of SRT Solutions. Wagner was among the developers who expressed concern about the lack of investment in LINQ to SQL. After interacting with the Microsoft ADO.NET team, he now believes that they are working to bring comparable features to EF.

Maturing libraries and evolving tooling may best describe a lot of the functionality in the IDE and framework. "We've had revs of the .NET Framework in the past where we have introduced a lot of new functionality -- components that no one has ever seen before -- that are brand-new into the framework," said Steven Martin, senior director of developer platform product management at Microsoft.

".NET 4 is more about the maturity of the existing capabilities that we have," he said. "I would encourage developers to take a look at the apps they are building, understand clearly the components on which they are taking dependencies, and where they could get value out of the updates to the components that we're shipping as a part of .NET 4."

Palm preDevCamp Postponed for Two Months

By Jeffrey Schwartz, 06/04/2009

While Palm is set to launch its widely publicized Pre, the developer camps that were scheduled to take place June 13 have been postponed for two months. The camps are now scheduled for Aug. 8.

The organizers of preDevCamp, an independent volunteer effort, had planned to hold the dev camps on the first Saturday following the launch of the Web-based smartphone. However, a rift between preDevCamp and Palm resulted in two of the three preDevCamp founders walking away from the project.

The remaining founder, Dan Rumney, a global support manager with IBM, has agreed to function as the camp's coordinator. Palm has said it will support the events, and Rumney said he has had an improved dialogue with the company over the past week.

Joining as organizers are Lisa Brewster, who is also an organizer of the San Diego BarCamp, and Greg Stevenson, who is based in Irvine, Calif. and has developed a scheduling app for Pre called Runway.

Rumney said in an interview that the decision to postpone the preDevCamps, which are slated for more than 80 cities worldwide, was made because many organizers needed time to find locations, among other organizational issues. "A lot felt they wouldn't be ready," Rumney said. "They didn't think they would have the time to organize an appropriate event."

In the meantime, Rumney said the organizers will put out material to educate developers about Pre's new webOS platform. That will include familiarizing developers with Prototype, a JavaScript framework for building dynamic Web applications. Mojo, the development environment for webOS, is based on Prototype. "A lot of people may not be aware that webOS is based on the Prototype framework. We can talk about that, and introduce people to stuff as it becomes available in the public domain," Rumney said.

The first reviews of Pre were published today, and many described it as a potential rival to Apple's iPhone. However, many reviewers questioned whether it would be able to take any meaningful share from Apple or others in the smartphone market.

Among those questioning Palm's prospects was one of the original founders of preDevCamp, William Hurley. A member of the original iPhone development team, whurley (as he is also known) explained in a BusinessWeek column why he believes Pre faces stiff odds.

However, Rumney is optimistic that Palm will support the camp's efforts, though he declined to elaborate. "Right now, we're working to define how that support is going to manifest itself," he said.

Clouds Cast Over Sun on Eve of JavaOne

By John K. Waters, 06/01/2009

The annual JavaOne conference is about to get under way this week in San Francisco, but with more than the usual local fog hanging over it.

This year's JavaOne represents a changing of the guard for Sun Microsystems, longtime conference sponsor and steward of the Java platform, which is set to be acquired by Oracle. That leaves the fate of this cornerstone conference, not to mention Sun's own product catalog, very much up in the air at a time when the company typically asserts its leadership role in the Java community.

"With the Oracle acquisition hovering over all of this, it's challenging for Sun to really have a very long-term strategy around any product," said IDC analyst Al Hilwa. "So don't expect Sun's people to make any major promises at the conference. Even if they do, you should probably take it with a grain of salt. Everything they announce will be in the shadow of the question, 'What will Oracle do when it takes over?'"

That question could be applied to JavaOne itself. In fact, two questions about the fate of the venerable conference were buzzing around the CommunityOne West open source software event, under way today in conjunction with JavaOne: Is this the last JavaOne? And will it be folded into Oracle OpenWorld?

OpenWorld, Oracle's annual conference, is already operating at capacity, Hilwa pointed out. Last year, the event drew an estimated 40,000 attendees. JavaOne is expected to draw approximately 15,000 attendees this year. "I'm only speculating here, but my guess is that they will hold on to JavaOne," he said. "I think they'll want to leverage that opportunity, and maybe fold some of their middleware into it to spread out attendance. But between the two shows, they'll reach many more people."

Since the first JavaOne conference was held in 1996, the developer-focused trade show has become an annual must-attend event for Java jocks around the world, and an essential product showcase for Sun and its partners. So it's no surprise that conjecture about the fate of the company, the show and Java itself would color the conference.

"This really is one of the most significant acquisitions in our industry, ever," said Gartner analyst Donald Feinberg. "Because it's the first time a software company has bought a major hardware company. We've never seen this. We've seen hardware companies moving into software in bigger and bigger ways -- companies like IBM, Hitachi, Fujitsu and even Sun. But you don't see it going the other way. This is major."

But don't expect to hear any on-the-record speculation from Sun execs at the show, Feinberg said. "I think a lot of people are going to JavaOne expecting Sun to talk about the acquisition," Feinberg said. "But they're not going to. They can't, because of regulatory prohibitions."

To those who are concerned about the fate of Java under Oracle's stewardship, Hilwa is advising them not to be overly worried but to keep their eyes open, nonetheless.

"Oracle sees itself as a leader in the Java space," Hilwa said. "The company has built its entire architecture around it. It matters to them a lot how Java evolves. And they're going to have to resist the temptation to control it. I think the Java community is going to be on watch for that. And my sense is that Oracle will go overboard to show that they will not do that. And they've got a good track record. When they acquired PeopleSoft and Siebel, there was a lot of anxiety among customers. But Oracle moved very dexterously, and it's a real testament to their management. And I think they'll do the same thing with the Java community."

Adding to the awkwardness, if not irony, of this year's JavaOne conference is the inclusion on the keynote roster of Dan'l Lewin, Microsoft's vice president of strategic and emerging business development, and Steve Martin, Redmond's senior director of developer platform product management. Both will be the first-ever Microsoft representatives to keynote the JavaOne event.

At press time, conference organizers would not confirm whether any Oracle execs would be speaking at the show, though Sun CEO Jonathan Schwartz did mention in a recent blog posting that "a special guest or two" may attend.

"I'm guessing they won't be from Oracle," Hilwa said. "Everything is up in the air right now. That's just the nature of acquisitions. Sometimes people don't quite understand that. They hear the announcement of a deal and they think that the two companies are already getting together and making plans. But they can't actually talk to each other, because it's not a done deal yet."

That said, this year's JavaOne will be an important gathering of Java developers, he said. "Attendees come to this conference to learn, get up to speed on things happening in the Java ecosystem, meet vendors and spend some face time with their peers," Hilwa said.

Ozzie Lays Out Microsoft's Vision at J.P. Morgan Event

By Kurt Mackie, 05/21/2009

Microsoft's chief software architect, Ray Ozzie, fielded questions from financial analysts at the J.P. Morgan Technology, Media and Telecom Conference on Wednesday.

Ozzie's job sits at the intersection of the business and technical sides at Microsoft. He also steers the company's overall vision. He provided the number-crunching crowd with a lot of the vision part, but few specific details on how Microsoft actually plans to monetize its strategies.

In general, Ozzie predicts that it will be a "Software plus Services" world, where customers will adopt a hybrid approach of using both on-premises and hosted software. This shift is possible because of technology and high-bandwidth availability. Still, business users will have to assess their requirements. For instance, they may decide to outsource some elements, such as the management of their phone systems, especially if it can be done more efficiently by someone else.

Eventually, every enterprise is going to have some blend of software and services, Ozzie predicted, "and Microsoft is in an extremely good position for this shift," he added. For instance, Microsoft got its engineers together to develop an operating system in the cloud to support these services and Windows Azure is the result, he said.

The opportunities on the enterprise side with services will increase as companies get more comfortable with using hosted applications, Ozzie said. He pointed to Exchange Online and SharePoint Online as the most important elements in supporting this shift. Companies will want to see a choice among competitors before they will buy into a services model, he added.

The Web has also brought about a consumer shift toward using services, he added. Microsoft's connected devices vision includes the integration of "three screens with the cloud," including the phone, PC and TV. While there are "big differences" between providing services to consumers and businesses, Ozzie defended Microsoft's predominant consumer-side investments in online services, which has been a money loser for the company so far. He said that the investments in services technologies on the consumer side are transferring over to the business side.

One example is datacenter investments, where Microsoft has worked to reduce costs through modularization of the datacenter components. Microsoft is currently working on its fourth-generation server technology for datacenters. Some elements, such as power and cooling, can be swapped in or out, as needed, based on this gen-4 design, Ozzie explained.

In response to a question about how Microsoft plans to monetize its vision, Ozzie said that consumer services are really driving the transformation at Microsoft. He pointed to a cloud-based storage system, code-named "Cosmos," as one example. Cosmos is the basis of Windows Azure, Ozzie said. Azure, in turn, helps to enable Microsoft's Exchange Online and SharePoint Online services for business users.

Ozzie didn't elaborate on Cosmos, but long-time Microsoft watcher Mary-Jo Foley has speculated that Cosmos is a "storage/processing framework for Live Search."

Microsoft will heavily depend on its partners to help build out the infrastructure to support its services vision. Redmond cannot build an Internet cloud in every country around the world, Ozzie said. Instead, the company will rely on its partners for some cloud support. About 90 percent to 95 percent of Microsoft's revenues come through its partners, Ozzie explained.

Finally, in response to a question, Ozzie provided a Microsoft mea culpa explanation about the lessons learned with Windows Vista. He said that Microsoft had a vision with Vista that was "larger than we could achieve." Microsoft also failed in communicating with its partners, resulting in drivers that weren't ready for market at the time of Vista's release. In the future, the company needs to give clear dates and milestones to avoid such problems, Ozzie said.

DirectShow Subject to Attacks, Microsoft Warns

By Jabulani Leffall, 05/29/2009

Microsoft issued a security advisory on Friday describing a newly disclosed bug in Microsoft DirectShow that could enable remote code execution attacks.

In its advisory, the software giant said the vulnerability could be triggered if an unsuspecting user opens a specially crafted media file. A hacker who successfully exploits this bug could increase his user rights privileges within a Windows-based network. However, accounts configured with fewer administrative privileges aren't as vulnerable, Redmond said.

"While our investigation is ongoing, our investigation so far has shown that Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable," the advisory explained. Currently, Microsoft is aware of "limited, active attacks that exploit this vulnerability."

Users of Windows Vista, Windows 7 RC1 and Windows Server 2008 are not affected by this vulnerability, Redmond said.

Microsoft has rolled out an improved "Software Security Incident Response Process (SSIRP)" to better respond to the issue, the security bulletin explained.

Microsoft DirectShow is a framework that provides an application programming interface for developers working with multimedia files. The framework supplants Microsoft's earlier Video for Windows interface.

Following Dispute, Palm Says It Will Support Dev Camp

By Jeffrey Schwartz, 05/26/2009

Palm Inc. has said it will support a grassroots effort to assemble independent developers looking to build their own apps for the Pre, the device manufacturer's next-generation smartphone built on a new Web-based platform called webOS.

The company came under fire last week after the organizers of the independent effort, called preDevCamp, said Palm was wavering from earlier indications that it would support developers eager to build apps for webOS.

Interest in webOS, due for release next month, picked up immediately upon its introduction in January. Unlike other mobile platforms, it is designed to let Web developers build mobile apps using straight HTML, JavaScript and CSS.

Using Palm's Mojo SDK, developers can integrate their applications to run as a native program on the webOS-based Pre. The platform has also garnered interest because of its support for multitasking.

The Pre will be offered exclusively in the United States by Sprint. Palm said last month that it will eventually offer a company-branded cloud service that will provide access to applications. The company later this year will launch its XMPP-based publish and subscribe Mojo Messaging Service.

Seeing its appeal as an alternative development platform to Apple's iPhone, Research In Motion's BlackBerry and devices based on Microsoft's Windows Mobile, preDevCamp quickly gained traction. In total, nearly 1,000 organizers have signed on to participate in the camp, which will take place in about 80 cities worldwide on June 13.

Organizers of preDevCamp had indicated that Palm had voiced interest in supporting the event but that they were never able to get a full commitment. The organizers hoped that Palm would provide technical support either live at the events or online, and make devices available for qualified developers. Some developers have complained that obtaining the Mojo SDK, released in early April, has been difficult.

Tensions between preDevCamp organizers and Palm came to a head last week when Palm announced on May 19 that the Pre will ship on June 6. The announcement took the organizers by surprise as they had been set to meet with Palm on May 20 to be briefed on plans to roll out the device. Knowing when the device would be released was critical to the group in order for local organizers to secure meeting locations and other details, they said.

Palm abruptly cancelled the meeting after one of the three preDevCamp founders, Giovanni Gallucci, posted an update on Twitter announcing that the group would be meeting with Palm. According to Palm, that act alone was a violation of the non-disclosure agreement (NDA); thus the cancellation.

In a blog posting, Gallucci questioned Palm's interest in supporting the effort. "It appears to me, again my opinion, that the relationship was a ruse from the beginning," Gallucci wrote.

In an interview, Gallucci said his Twitter update didn't reveal anything other than the fact that Palm and the camp organizers were meeting. Gallucci said he believes Palm used it as an excuse to back out of involvement with the group. "I have a bad taste in my mouth just because, in my opinion, they kind of strung us along for a while and then dropped everything," he said.

Palm denied it was looking to cut ties with the group. "We think what they are doing is great, we are fully supportive. But we do have rules around NDAs that we are required to play within the bounds of," said Pam Deziel, Palm's vice president of developer marketing, in an interview.

However, Deziel apologized for the dispute late Friday and said the company fully supports the effort. "We overreacted to the whole disclosure issue," Deziel wrote on the Palm Developer Network Blog. "We've been in stealth and super-secret mode for so long now. We needed a real-world conversation to see how we needed to work things so everybody can operate in their own environment."

The two sides will continue to discuss what resources Palm will provide, Deziel added. "As messy as it feels right now, the passion of the community is incredibly positive," she wrote. "I'm optimistic that we can find a good solution. And we're going to keep talking."

Gallucci and preDevCamp Co-Founder William Hurley (known as "whurley") said they will continue to be available to support any of the organizers but they are withdrawing officially. In an interview, whurley, who was a member of the original iPhone development team and is now the chief architect of BMC Software's open source strategy, said he has decided to focus on other efforts. "I think this ship has sailed," said whurley, who spelled out his issues with Palm in his own blog posting.

The remaining founder of preDevCamp, Dan Rumney, a global support manager with IBM, has agreed to function as the coordinator, an effort done outside his role at Big Blue. Rumney said that to date, Palm has shown some interest in preDevCamp but he is hopeful the company will show greater support. A good first step would be making it easier for participants to get the SDK, he said.

"Until there are killer applications and differentiated applications, they are going nowhere," Rumney said. "That's part of what preDevCamp was going to do."

Indeed, Palm -- which has been credited with popularizing handheld computers and ultimately smartphones, as well as with building one of the largest mobile developer ecosystems -- has become a marginal player in recent years; its developer network has dwindled. But Palm showed signs of life following the announcement of the Pre and webOS.

"It's kind of do or die, this has to work for them," said Derek Gathright, lead developer at Catholic Content. Gathright, a user of Palm's Treo, is a preDevCamp organizer in Kansas City where Sprint is based.

Gathright said Sprint has supported the effort and that he is hopeful Palm will increase its support, as well. "Adopting open Web standards is only half of the equation," he said. "We also have to get the community behind those, as well, for it to really be a selling point to developers."