Thursday, 29 November 2007

Should you buy an iPhone this holiday season?

The iPhone is the Tickle Me Elmo of this year's shopping season. Should you cave in and buy one or stay strong and wait 'til later (or never)?

I have a problem. Maybe you have the same one? Somebody in my house wants an iPhone this holiday season. Real bad. Like "don't get me a single other thing, it's the only present I want" bad. That kind of bad.

While I'm sorely tempted to be able to bypass the gift-boxed golf balls and three-pack of fake cashmere dress socks this year, I also don't want to be played for a fool by everyone's favorite fruit-logo'ed electronics vendor.

As early iPhone buyers who were caught by Apple's unexpected price drop just two months after the phone's release know only too well, the company's plans for the iPhone are, shall we say, still evolving.

Do I really want to watch my beloved unwrap an iPhone on the big day, only to have it look old and clunky when some newer, hotter model hits the shelves?

(The notoriously closed-mouthed Apple won't say anything about its plans, but Macworld, at which the company traditionally makes a raft of important announcements, is scarily close to the holidays, a mere two weeks into the new year.)

Then, too, there's the features list, or as some detractors like to call it, the not-yet-features list. Right now, my loved one is blinded by the iPhone light, but is it truly the best phone for his needs? From 3G to GPS, there are a lot of features missing from the version of the iPhone being hawked for the holidays.

And in the meantime, other almost-as-cool phones have hit the market and won some attention as well. What if the AT&T Tilt or the LG Voyager or the rumored-to-be-upcoming BlackBerry 9000 is actually the better choice?

The service plan could be problematic as well. For reasons too dorky to disclose in public (cough TracFone cough), we don't have any existing wireless service plan in my household, but other iPhone wanters who have current plans with carriers other than AT&T need to decide if they want that Apple unit badly enough to eat whatever is left of their current agreement.

Crowd control?

Finally, there are a couple of practical timing questions. As we all know, it's the Biggest Shopping Month of the Year, which means I'm not the only person out there contemplating an iPhone purchase right now.

If I wait till the last minute, or even the last week, is there a chance Apple will run out of units? (Apple, surprise surprise, officially says no, but declines to comment on how many units have been manufactured or shipped.) If I choose to buy an iPhone in-store, will there be an educated, upbeat Apple employee available to answer any lingering questions, or will it be three-deep at the Genius Bar?

And skipping ahead to the big day, what happens when thousands and thousands of iPhone giftees all rip their phones out of that tasteful Apple packaging and try to activate them in the very same two- or three-hour time slot? Will iTunes be able to handle it? Will AT&T be up to the task?

Representatives for Apple and AT&T both separately swore to me on a stack of greeting cards that they're ready for whatever onslaught ensues, but I'm still worried. Buyers who bought the iPhone in its first couple days of availability reported having problems with activation when transferring an old mobile number over to their new unit. Is that going to happen again?

So many questions! So few buying days left!

As luck would have it, though, I work at Computerworld, which means that instead of wasting hours surfing the blogosphere looking for answers, I get to wander the halls of our (virtual) office and waste the time of my hardworking colleagues instead.

Because journalists and analysts are a slippery bunch that wiggles away from definitive declarations, I resolve to not just gather opinions, but to pin everyone to the mat. Which means that, after hemming and hawing, my homegrown band of experts had to come up with a yes or no answer. The goal? To make my, and perhaps your, holiday iPhone buying decision a little easier.

Stop one: Scot Finnie, Computerworld editor in chief

Finnie's a 20-something-year veteran of the computing industry who garnered a lot of attention (and caught a lot of flak) by very publicly switching from a PC to a Mac. Based on his new devotion to Apple, I suspect I know what his take on the iPhone will be.

Finnie insists he's not much of a gadget freak, and he's happy he waited for the price drop, but yes, he bought an iPhone and yes, he'd recommend that you buy one now.

While he's as concerned as the next guy about the speed of the EDGE network and the usability of the keyboard, Finnie says the iPhone's touch screen and the Safari browsing experience are just too good not to have now. And he feels confident that Apple won't soon drop the price again and embarrass holiday season buyers.

Stop two: Harry McCracken, PC World editor in chief

Next, I hop over the corporate firewall to check in with our sister publication, PC World. Harry McCracken, another editor in chief with a couple of decades of experience behind him, penned a piece back in July titled 13 Reasons Why I'm Not Buying an iPhone -- Yet.

Has he changed his mind -- or his smart phone -- since then?

When I ask him, he takes a moment to call up the file and page through his original list of complaints. Aside from the price cut, McCracken says, the most significant change in the six months since his article was published is that Apple finally announced it will release an iPhone software developer's kit next February.

That should pave the way for third-party developers to write, among other things, applications that can fulfill McCracken's specific business needs, which include more robust note-taking capabilities, support for Lotus Notes and a to-do list.

His other big issues still stand unresolved -- including the slower EDGE rather than the faster 3G network and the nontactile keyboard that some users will never warm to.

"I do want to make it clear that the iPhone's an extraordinary device," McCracken tells me. "And once we see the higher speeds and the third-party apps, I might change my mind. But for now, I'm saying 'wait.'"

Stop three: Ken Mingis, Computerworld online news editor

Back on this side of the wall, I catch up with Ken Mingis, who has covered Apple for Computerworld for five years and takes what can only be described as a devil-may-care stance on my buy/don't buy dilemma.

If you need, or want, an iPhone now, go ahead and get one, Mingis says. (He did, the first weekend the phone went on sale.) Trying to gauge when better or cheaper technology will hit store shelves is always a gamble, he says, and guessing Apple's next move is like trying to read the Kremlin.

Even so, he feels it's unlikely there'll be another price cut soon. "That first cut was an anomaly for Apple, dropping the price so soon after the iPhone's release. It really did throw people for a loop," he says. In his opinion, it's highly unlikely it'll happen again anytime soon.

It's more likely we'll see a thinner iPhone, perhaps with more memory like the 16GB iPod Touch, at some point down the road -- and it's possible such a unit could debut in time for Macworld, he guesses.

Either way, Apple will keep interest in the iPhone high by rolling out features on the software side, which current owners will, of course, be able to access with a simple update.

And if the worst does happen and Apple rushes out a new iPhone midcycle, that doesn't mean your unit will be obsolete, Mingis says. "People always want to have the latest and greatest, but yours will still work," he points out equanimously. It'll just be slightly fatter than the next guy's.

His verdict? There's no reason to wait.

Stop four: Ross Rubin, analyst, the NPD Group

Hankering for a little perspective on that elusive and ever-changing swamp known as the consumer marketplace, I next put in a call to the NPD Group, which specializes in that very geography.

Analyst Ross Rubin gives me his take on Apple and the iPhone. The company's done a notable job of bending many rules of the wireless game with the iPhone -- it's gone against the tide in terms of how handsets are distributed and (via iTunes) of how content, even ring tones, are offered, Rubin says.

And thanks to its wildly successful iPods and computers targeted toward end users, Apple should be well positioned to market the iPhone directly to buyers.

That said, the iPhone landscape is still a volatile place, what with both Macworld and the release of the iPhone API on the horizon. Rubin suggests that users who feel they simply can't live without the iPhone's user interface and Web and media experience could take a look at the iPod Touch, which delivers most of those features along with 8GB or 16GB of storage (just no phone).

Otherwise, he advises iPhone buyers (and would-be gift recipients) to wait and see what the new year brings.

Last stop: Mike Elgan, Computerworld columnist

Oh, dear. Hung jury. I was afraid of this.

For solace, I seek out Computerworld blogger Mike Elgan, who manages to follow Apple and the iPhone closely without actually drinking the Kool-Aid -- or would that be "Apple juice"?

He likes the iPhone very much. He thinks, in fact, it's the best Version 1.0 device he's seen, and he gives Apple props for that accomplishment. But it's still a 1.0 unit after all is said and done, and for that reason, he can't recommend it. Not this year, anyway, and especially not as a gift.

"Six months ago, when there was the novelty factor, this would have made a great gift," Elgan says. "But now we could be more than halfway toward an upgrade for a product that requires an expensive two-year commitment. You'd be giving six months of joy followed by a year and a half of someone feeling like they have something old." So no.

Attention, iPhone shoppers ...

OMG (as the kids say), the iPhone goes down, 3 votes to 2!

On the one hand, I'm overjoyed. I just got a theoretical $399 plus "$60 per month times two years" put back into my wallet, and that feels good during the first week of December.

On the other hand, what am I going to get my guy?

Honey, how about a signed copy of Fake Steve Jobs' new book? Or maybe an iPod Touch and a TracFone? No?

Well, what about something truly classic, something that's timeless, unmoved by development cycles or changing marketplace conditions. Something like golf balls. Or dress socks, maybe cashmere dress socks ...

Monday, 26 November 2007

Windows XP SP3 boasts speed boost, testers claim

Same outfit that dissed Vista SP1 says XP's 'must-have update' is 10% faster than SP2

Windows XP Service Pack 3 (SP3), the update scheduled to release next year, runs Microsoft Corp.'s Office suite 10% faster than XP SP2, a performance testing software developer reported Friday.

Devil Mountain Software, which earlier in the week claimed Windows Vista SP1 was no faster than the original, repeated some of the same tests on the release candidate of Windows XP SP3, the service pack recently issued to about 15,000 testers.

"We were pleasantly surprised to discover that Windows XP SP3 delivers a measurable performance boost to this aging desktop OS," said Craig Barth, Devil Mountain's chief technology officer, in a post to a company blog Friday.

Devil Mountain ran its OfficeBench suite of performance benchmarks on a laptop equipped with Office 2007, Microsoft's latest application suite. The notebook -- the same unit used in the Vista/Vista SP1 tests earlier -- featured a 2.0GHz Intel Core 2 Duo processor and 1GB of memory. The results reported a 10% speed increase under XP SP3 when compared to SP2, the service pack released in 2004.

"Since SP3 was supposed to be mostly a bug-fix/patch consolidation release, the unexpected speed boost comes as a nice bonus," Barth said. "In fact, XP SP3 is shaping up to be a 'must-have' update for the majority of users who are still running Redmond's not-so-latest and greatest desktop OS."

According to the Office performance benchmarks, Windows XP SP3 is also considerably faster than Vista SP1. "None of this bodes well for Vista, which is now more than two times slower than the most current builds of its older sibling," said Barth.

While Microsoft was not available for comment over the weekend about XP's performance, it defended Vista SP1 after Devil Mountain's first round of tests. "We appreciate the excitement to evaluate Windows Vista SP1 as soon as possible. However, the service pack is still in the development phase and will undergo several changes before being released," a spokeswoman said in an e-mail.

Microsoft has at times struggled to wean users from the six-year-old Windows XP and get them to migrate to Vista. During 2007, for example, it made several XP concessions, including adding five years to the support lifespan of the Home edition and extending OEM and retail sales of XP through June 2008, as it recognized that customers wanted to hold on to the older OS.

Recently, Forrester Research said that XP remained Vista's biggest rival, and cited survey data that showed American and European businesses would delay Vista deployment, in part because of application incompatibility issues with the new OS. "That's causing a lot of XP shops to take a wait-and-see approach to Vista," said Forrester analyst Benjamin Gray two weeks ago.

New QuickTime bug opens XP, Vista to attack

Security researchers warn that attack code targeting an unpatched bug in Apple Inc.'s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind.

There was no word as of Sunday whether the Mac OS X versions of the media player are also vulnerable.

The critical bug in QuickTime 7.2 and 7.3 (and perhaps earlier editions as well) is in the player's handling of the Real Time Streaming Protocol (RTSP), an audio/video streaming standard. According to alerts posted by Symantec Corp. and the U.S. Computer Emergency Readiness Team (US-CERT), attackers can exploit the flaw by duping users into visiting malicious or compromised Web sites hosting specially crafted streaming content, or by convincing them to open a rigged QTL file attached to an e-mail message.

Symantec credited Polish researcher Krystian Kloskowski with first reporting the zero-day vulnerability on the Web site Friday. By Saturday, Kloskowski and an unnamed researcher identified as "InTeL" had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.

A successful exploit would let the attacker install additional malware -- spyware or a spambot, say -- or cull the system for information like passwords. An attack that failed would likely only crash QuickTime.

A gaffe by Apple's developers, however, makes attack easier on Vista, said InTeL, who claimed that the QuickTimePlayer binary does not have Address Space Layout Randomization (ASLR) enabled. ASLR is a Vista security feature that randomly assigns data and application components, such as .exe and .dll files, to memory to make it tougher for attackers to determine the location of critical functions or vulnerable code.

Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: "This makes reliable exploitation of the vulnerability a lot easier."
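On Vista, ASLR is an opt-in that a binary declares in its PE header, which is what makes the gaffe described above detectable before deployment. The following checker is an added example, not code from the article or from Apple; it reads the DYNAMIC_BASE and NX_COMPAT flags from a PE image and also checks that relocations were not stripped (an image without relocation records cannot be moved even when the flag is set). The sample images are constructed in memory, so no real binary is needed.

```python
"""Added example (not from the article): check whether a Windows PE image
opts in to the Vista ASLR and DEP mitigations by reading its headers.
The sample images below are constructed in memory; no real binary is used."""
import struct

# COFF file-header Characteristics bit: image has no relocation records,
# so the loader cannot move it even if DYNAMIC_BASE is set.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# Optional-header DllCharacteristics bits (Vista-era mitigations).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP/NX opt-in


def pe_mitigations(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report mitigation flags."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                      # the COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # ASLR only takes effect if the flag is set AND the image can be relocated.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_sample_pe(dll_characteristics: int, coff_characteristics: int = 0x0102,
                    pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image for testing (constructed sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224  # standard sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (
        ("ASLR+DEP", build_sample_pe(0x0140)),
        ("DEP only", build_sample_pe(0x0100)),
        ("flag set, relocs stripped", build_sample_pe(0x0140, 0x0103)),
    ):
        print(label, pe_mitigations(img))
```

To audit an installed player, read the file's bytes and pass them to `pe_mitigations`; a result with `dynamic_base` False is the situation InTeL described.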

Another Symantec researcher, Patrick Jungles, added that QuickTime vulnerabilities usually draw attackers quickly. "In the past, we have seen a very short period of time between the release of proof-of-concept exploits for QuickTime vulnerabilities and the development of working exploits by attackers," said Jungles in a note to customers of his company's DeepSight threat network. "Popular applications such as QuickTime are strong candidates for exploitation in the wild."

Apple last patched QuickTime less than three weeks ago when it released version 7.3 to fix a number of critical image-rendering and Java-related vulnerabilities. So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws.

Thursday, 22 November 2007

Update: T-Mobile unlocks iPhone for a (big) price

T-Mobile GmbH will sell unlocked iPhones for $1,482, the German mobile carrier said today, marking the first time Apple Inc.'s smart phone has been officially available unlocked.

Unauthorized hacks, however, have been used for months by customers to unlock their iPhones so they can make calls on multiple networks or use the device in countries where Apple hasn't yet entered the handset market.

In a statement today, T-Mobile said it would immediately start selling unlocked iPhones, and unlock any already-purchased iPhone for no charge. It made both moves in response to a preliminary ruling Monday in a lawsuit brought by Vodafone Group PLC's subsidiary, Vodafone Germany. According to the injunction, which T-Mobile is appealing, Apple's wireless partner must offer the iPhone without a required 24-month contract.

The iPhone, which debuted in Germany on Nov. 9, sells for $592, value-added tax included, and has been offered with three rate plans -- called tariffs in Europe -- priced from $73 to $132 per month.

U.K.-based Vodafone had been among the mobile service providers negotiating with Apple for exclusive rights to the iPhone, but in Germany lost out to the larger T-Mobile, which is owned by Deutsche Telekom.

Vodafone has said it isn't interested in blocking sales of the iPhone in Germany, but wants the courts to level the playing field between carriers. Vodafone did not reach an agreement with Apple in the two other European markets that Apple has entered: Britain and France. Apple's U.K. partner is O2 (UK) Ltd., while Orange, the rebranded France Telecom, won the deal in France, where the iPhone goes on sale on Nov. 29.

"Apple can be profitable just on the hardware," argued Ezra Gottheil, an analyst at Technology Business Research Inc. "More is always better, of course, but by unlocking it for a larger price, Apple gets its money."

Gottheil wasn't surprised by Vodafone's move. "There's a great deal more resistance to locked phones in Europe," he said, noting that Apple has already promised to abide by French law, which bans locked cell phones, when it unveils the iPhone there next week.

"In the end, Apple is a provider of neat devices, and it will always return there," said Gottheil. "If and when it's seriously threatened by a rival, and depending on the duration and terms of its exclusive [contract] with AT&T, I think it would unlock the phone in the U.S. in a second."

But even as T-Mobile promised to abide by the injunction while it appeals the ruling, it also said it would retract the offer if it prevails. T-Mobile is also considering filing a lawsuit against Vodafone seeking unspecified damages, said company spokesman Klaus Czerwinski on Wednesday. "We think the law does not apply to this situation," Czerwinski said from Bonn. "We are still going to court."

T-Mobile will continue to sell iPhones tied to a contract, the company said today. As part of its revised pitch, T-Mobile reminded potential customers that some of the iPhone's built-in features, including Visual Voicemail, which lets users pick and choose messages to listen to, work only when connected to its network.

Apple did not respond to a request for comment.

Microsoft confirms that XP contains random number generator bug

Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday.

The researchers, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, reverse-engineered the algorithm used by Windows 2000's pseudo-random number generator (PRNG), then used that knowledge to pick apart the operating system's encryption. Attackers could exploit a weakness in the PRNG, said Pinkas and his colleagues, to predict encryption keys that would be created in the future as well as reveal the keys that had been generated in the past.
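The property the researchers describe, that one captured generator state reveals both earlier and later keys, is what a well-designed PRNG must prevent. The toy below is an added illustration, not the researchers' attack and not Microsoft's generator: `InvertibleGen` is a constructed generator whose state update is a bijection (a 64-bit LCG), so its output stream can be run backwards as well as forwards, while `RatchetGen` derives each output and the next state through SHA-256 and reseeds with fresh entropy, so a captured state cannot be stepped back and stops predicting once new entropy is mixed in.

```python
"""Added example (not from the article or the researchers' paper): a toy
illustration of why a PRNG state compromise must not reveal earlier outputs.
Both generators are constructed stand-ins, not Windows code."""
import hashlib

MASK64 = (1 << 64) - 1
A = 6364136223846793005   # Knuth's MMIX LCG multiplier; odd, hence invertible mod 2^64
C = 1442695040888963407
A_INV = pow(A, -1, 1 << 64)


class InvertibleGen:
    """Constructed weak generator: each output is the new state, and the
    state update is a bijection, so the sequence can be run backwards."""
    def __init__(self, seed: int):
        self.state = seed & MASK64

    def next_key(self) -> int:
        self.state = (A * self.state + C) & MASK64
        return self.state


def previous_state(state: int) -> int:
    """Invert one LCG step: s_{n-1} = (s_n - C) * A^-1 mod 2^64."""
    return ((state - C) * A_INV) & MASK64


def outputs_ending_at(captured_state: int, count: int) -> list:
    """Recover the last `count` outputs, the captured state being the most
    recent one ('reveal past keys'), oldest first."""
    recovered, s = [captured_state], captured_state
    for _ in range(count - 1):
        s = previous_state(s)
        recovered.append(s)
    return recovered[::-1]


def outputs_after(captured_state: int, count: int) -> list:
    """Predict the next `count` outputs from a captured state ('future keys')."""
    clone = InvertibleGen(captured_state)
    return [clone.next_key() for _ in range(count)]


class RatchetGen:
    """Hardened toy generator: outputs and the next state are derived through
    SHA-256, so a captured state cannot be stepped backwards (backtracking
    resistance), and reseeding with fresh entropy cuts off prediction."""
    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    @classmethod
    def from_state(cls, state: bytes) -> "RatchetGen":
        g = cls.__new__(cls)
        g.state = state
        return g

    def next_key(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"next" + self.state).digest()  # old state discarded
        return out

    def reseed(self, entropy: bytes) -> None:
        self.state = hashlib.sha256(b"reseed" + self.state + entropy).digest()


def compromise_demo() -> dict:
    """Run both generators, capture their state mid-stream and report what
    someone holding only that state can reconstruct."""
    weak = InvertibleGen(0xC0FFEE)                       # constructed seed
    weak_past = [weak.next_key() for _ in range(4)]
    captured = weak.state
    weak_future = [weak.next_key() for _ in range(3)]

    strong = RatchetGen(b"constructed seed")
    for _ in range(4):
        strong.next_key()
    clone = RatchetGen.from_state(strong.state)          # captured state
    predicted = [clone.next_key() for _ in range(2)]
    actual = [strong.next_key() for _ in range(2)]
    strong.reseed(b"fresh entropy the clone never saw")
    after_reseed_matches = clone.next_key() == strong.next_key()

    return {
        "weak_past_recovered": outputs_ending_at(captured, 4) == weak_past,
        "weak_future_predicted": outputs_after(captured, 3) == weak_future,
        "ratchet_future_predicted_until_reseed": predicted == actual,
        "ratchet_predicted_after_reseed": after_reseed_matches,
    }


if __name__ == "__main__":
    for k, v in compromise_demo().items():
        print(k, v)
```

The ratchet still lets a captured state predict outputs until the next reseed, which is why periodic reseeding from the kernel's entropy sources matters as much as a one-way state update.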

As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator." Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month.

Windows Vista, Windows Server 2003 and the not-yet-released Windows Server 2008, however, apparently use a modified or different random number generator; Microsoft said they were immune to the attack strategy.

In addition, Microsoft said Windows XP Service Pack 3 (SP3), a major update expected sometime in the first half of 2008, includes fixes that address the random number generator problem.

Microsoft and Pinkas have argued over whether the flaw was a security vulnerability, with the former denying the bug met the definition and the latter claiming it is a serious problem that -- while it needs to piggyback on another, more common kind of exploit -- is far from just a theoretical threat.

Tuesday, even as it conceded that XP also had a weak PRNG, Microsoft continued to downplay the possibility of an attack. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP," a company spokeswoman said in an e-mail. To exploit the PRNG's flaws, an attacker must have administrative rights to the PC, something that's easily obtained by most run-of-the-mill attacks, Pinkas noted.

Previously, Microsoft had used that prerequisite to reject any claim that Windows 2000 contained the security vulnerability, since Pinkas' proposed attack could not accomplish anything on its own. Microsoft stuck to that position with XP. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," the company spokeswoman added.

Newer operating systems, however, are completely in the clear. "Windows Vista, Windows Server 2008 and Windows Server 2003 SP2 are not affected by the type of attack Pinkas describes," said the spokeswoman.

Pinkas applauded Microsoft's decision to patch Windows XP. "We're happy to learn that Microsoft is acknowledging that our attack is indeed an issue, and will fix it in XP SP3."

While Microsoft said it will fix the PRNG in Windows XP, it remained mute about patching the flaw in Windows 2000. The aging operating system, which, according to a recent survey by Forrester Research Inc., still powers approximately 9% of all American and European business computers, is in the last stages of support. In that phase, dubbed "extended support," Microsoft is committed to providing only security updates free of charge.

Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.

Wednesday, 21 November 2007

The VA's computer systems meltdown: What happened and why

At times, the bad news coming from the U.S. Department of Veterans Affairs seems unstoppable: D-grade medical facilities, ongoing security and privacy breaches, and a revolving door of departing leadership. In September, during a hearing by the House Committee on Veterans' Affairs, lawmakers learned about an unscheduled system failure that took down key applications in 17 VA medical facilities for a day.

Characterized by Dr. Ben Davoren, the director of clinical informatics for the San Francisco VA Medical Center, as "the most significant technological threat to patient safety the VA has ever had," the outage has moved some observers to call into question the VA's direction in consolidating its IT operations. Yet the shutdown grew from a simple change management procedure that wasn't properly followed.

The small, undocumented change ended up bringing down the primary patient applications at 17 VA medical centers in Northern California. As a result, the schedule to centralize IT operations across more than 150 medical facilities into four regional data processing centers has been pulled back while VA IT leaders establish what the right approach is for its regionalization efforts.

The Region 1 Field Operations breakdown of Aug. 31 exposed just how challenging effecting substantial change is in a complex organization the size of the VA Office of Information & Technology (OI&T). Begun in October 2005 and originally scheduled to be completed by October 2008, the "reforming" of the IT organization at the VA involved several substantial goals: the creation of major departments along functional areas such as enterprise development, quality and performance, and IT oversight and compliance; the reassignment of 6,000 technical professionals to a more centralized management; and the adoption of 36 management processes defined in the Information Technology Infrastructure Library (ITIL).

As part of the reform effort, the VA was to shift local control of IT infrastructure operations to regional data-processing centers. Historically, each of the 150 or so medical centers run by the VA had its own IT service, its own budget authority and its own staff, as well as independence with regard to how the IT infrastructure evolved. All of the decisions regarding IT were made between a local IT leadership official and the director of that particular medical center. While that made on-site IT staff responsive to local needs, it made standardization across sites nearly impossible in areas such as security, infrastructure administration and maintenance, and disaster recovery.

The operations of its 150 medical facilities would relocate to four regional data processing centers, two in the east and two in the west. The latter, Regions 1 and 2, are located in Sacramento, Calif., and Denver respectively, run as part of the Enterprise Operations & Infrastructure (OPS) office.

A difficult day

On the morning of Aug. 31, the Friday before Labor Day weekend, the Region 1 data center was packed with people. According to Director Eric Raffin, members of the technical team were at the site with staffers from Hewlett-Packard Co. conducting a review of the center's HP AlphaServer system running on Virtual Memory System and testing its performance.

About the same time, staffers in medical centers around Northern California starting their workday quickly discovered that they couldn't log onto their patient systems, according to congressional testimony by Dr. Bryan D. Volpp, the associate chief of staff and clinical informatics at the VA's Northern California Healthcare System. Starting at about 7:30 a.m., the primary patient applications, Vista and CPRS, had suddenly become unavailable.

Vista, Veterans Health Information Systems and Technology Architecture, is the VA's system for maintaining electronic health records. CPRS, the Computerized Patient Record System, is a suite of clinical applications that provide an across-the-board view of each veteran's health record. It includes a real-time order-checking system, a notification system to alert clinicians of significant events and a clinical reminder system. Without access to Vista, doctors, nurses and others were unable to pull up patient records.

At the data center in Sacramento, with numerous technicians as witnesses, systems began degrading with no apparent cause.

Instantly, technicians present began to troubleshoot the problem. "There was a lot of attention on the signs and symptoms of the problem and very little attention on what is very often the first step you have in triaging an IT incident, which is, 'What was the last thing that got changed in this environment?'" Raffin said.

The affected medical facilities immediately implemented their local contingency plans, which consist of three levels. The first level of backup is a fail-over from the Sacramento Data Center to the Denver Data Center, handled at the regional level; the second level of backup is accessing read-only versions of the patient data. The final level of backup is tapping a set of files stored on local PCs at the sites containing brief summaries of a subset of data for patients who are on-site or who have appointments in the next two days, according to Volpp.

Volpp assumed that the data center in Sacramento would move into the first level of backup -- switching over to the Denver data center. It didn't happen.

According to Raffin, the platform has been structured to perform synchronous replication between the two data centers in Sacramento and Denver. "That data is written simultaneously in both facilities before the information system moves to the next stream or thread that it's processing," Raffin said. "At any instant in time, the same data lives in Sacramento that [lives] in Denver." The systems are built in an autonomous model, he said, so that if something strikes only one facility, the other data center won't be affected.

A failure to fail over

On Aug. 31, the Denver site wasn't touched by the outage at all. The 11 sites running in that region maintained their normal operations throughout the day. So why didn't Raffin's team make the decision to fail over to Denver?

On that morning, as the assembled group began to dig down into the problem, it also reviewed the option of failing over. The primary reason they chose not to, Raffin said, "was because we couldn't put our finger on the cause of the event. If we had been able to say, 'We've had six server nodes crash, and we will be running in an absolutely degraded state for the next two days,' we would have been able to very clearly understand the source of our problem and make an educated guess about failing over. What we faced ... was not that scenario."

What the team in Sacramento wanted to avoid was putting at risk the remaining 11 sites in the Denver environment, facilities that were still operating with no glitches. "The problem could have been software-related," Raffin says. In that case, the problem may have spread to the VA's Denver facilities as well. Since the Sacramento group couldn't pinpoint the problem, they made a decision not to fail over.

Greg Schulz, senior analyst at The Storage I/O Group, said the main vulnerability with mirroring is exactly what Region 1 feared. "If [I] corrupt my primary copy, then my mirror is corrupted. If I have a copy in St. Louis and a copy in Chicago and they're replicating in real time, they're both corrupted, they're both deleted." That's why a point-in-time copy is necessary, Schulz continued. "I have everything I need to get back to that known state." Without it, the data may not be transactionally consistent.

At the affected medical facilities, once the on-site IT teams learned that a fail-over wasn't going to happen, they should have implemented backup stage No. 2: accessing read-only patient data. According to Raffin, that's what happened at 16 of the 17 facilities affected by the outage.

But the process failed at the 17th site because the regional data center staff had made it unavailable earlier in the week in order to create new test accounts, a procedure done every four to six months. From there, medical staff at that location had no choice but to rely on data printed out from hard disks on local PCs.

According to Volpp, these summaries are extracts of the record for patients with scheduled appointments containing recent labs, medication lists, problem lists and notes, along with allergies and a few other elements of the patient record. "The disruption severely interfered with our normal operation, particularly with inpatient and outpatient care and pharmacy," Volpp says.

The lack of electronic records prevented residents on their rounds from accessing patient charts to review the prior day's results or add orders. Nurses couldn't hand off from one shift to another the way they were accustomed to doing it -- through Vista. Discharges had to be written out by hand, so patients didn't receive the normal lists of instructions or medications, which were usually produced electronically.

Volpp said that within a couple of hours of the outage, "most users began to record their documentation on paper," including prescriptions, lab orders, consent forms, and vital signs and screenings. Cardiologists couldn't read EKGs, since those were usually reviewed online, nor could consultations be ordered, updated or responded to.

In Sacramento, the group finally got a handle on what had transpired to cause the outage. "One team asked for a change to be made by the other team, and the other team made the change," said Raffin. It involved a network port configuration. But only a small number of people knew about it.

More importantly, said Raffin, "the appropriate change request wasn't completed." At the heart of the problem was a procedural issue. "We didn't have the documentation we should have had," he said. If that documentation for the port change had existed, Raffin noted, "that would have led us to very quickly provide some event correlation: Look at the clock, look at when the system began to degrade, and then stop and realize what we really needed to do was back those changes out, and the system would have likely restored itself in short order."

According to Evelyn Hubbert, an analyst at Forrester Research Inc., the outage that struck the VA isn't uncommon. "They don't make the front page news because it's embarrassing." Then, when something happens, she said, "it's a complete domino effect. Something goes down, something else goes down. That's unfortunately typical for many organizations."

Schulz concurred. "You can have all the best software, all the best hardware, the highest availability, you can have the best people," Schulz said. "However, if you don't follow best practices, you can render all of that useless."

When the Region 1 team realized what needed to happen, it made the decision to shut down the 17 Vista systems running from the Sacramento center and bring them back up one medical facility at a time, scheduled by location -- those nearing the end of their business day came first. Recovery started with medical sites in the Central time zone, then Pacific, Alaska and Hawaii. By 4 p.m., the systems in Northern California facilities were running again.

But, according to Volpp, although Vista was up, the work wasn't over. Laboratory and pharmacy staffers worked late that Friday night to update results and enter new orders and outpatient prescriptions into the database. Administrative staffers worked for two weeks to complete the checkouts for patients seen that day. "This work to recover the integrity of the medical record will continue for many months, since so much information was recorded on paper that day," he says.

A shortage of communication

During the course of the day, said Volpp, affected facilities didn't receive the level of communication they'd been accustomed to under the local jurisdiction model of IT operation. As he testified to Congress, "During prior outages, the local IT staff had always been very forthcoming with information on the progress of the failure and estimated length even in the face of minimal or no knowledge of the cause. To my knowledge, this was absent during the most recent outage."

Raffin denies this. "There were communications," he said. "There most certainly were." But, he acknowledged, they were not consistent or frequent enough, nor did they inform the medical centers sufficiently about implementing their local contingency plan. "It was," he said, "a difficult day."

Once the team realized what it needed to do to bring the systems back to life, Region 1 began providing time estimates to the medical facilities for the restoration of services.

The rift exposes a common problem in IT transformation efforts: Fault lines appear when management reporting shifts from local to regional. According to Forrester's Hubbert, a major risk in consolidating operations is that "even though we're thinking of virtualizing applications and servers, we still haven't done a lot of virtualization of teams." More mature organizations -- she cited high-tech and financial companies -- have learned what responsibilities to shift closer to the user.

Workforce reshaping

Raffin said that it was never the intent of the realignment to downgrade the level of service experienced by people in the medical facilities. "The message I send to my folks in my organization is, 'You may work ultimately for me within OI&T, but you absolutely work for the network or facility where you're stationed,'" he said. The goal, Raffin said, was to create "that bench strength we've never had."

As an example, Raffin points to a coding compliance tool, an application that exists at all 33 medical centers in his jurisdiction that all run the same version on the same system. "There was a sliver of a [full-time employee] at every medical center that was supporting this application," he said. "There was no structure [for] maintenance and upgrades, no coordination in how we handled problem management." When a problem surfaced, 33 trouble tickets would be logged, Raffin said.

As part of the reorganization, Region 1 has set up a systems team, which includes an applications group. Two people within that group are now coordinating the management of that particular application. "It's a team approach," he said.

Likewise, similar to the argument made by companies that move employees to a service provider during an outsourcing initiative, Raffin claimed that the reassignment of personnel to an organization dedicated to IT will ultimately result in greater opportunities for them and better succession planning for OI&T.

"The only competing interest I have with regards to training are other IT folks, who need other IT training," he said. "I'm not competing with nursing education or with folks who need safety education because they operate heavy machinery at a medical center."

Along the way, that training includes an education in change management process, one of the ITIL best practices being adopted by OI&T that was "new to our IT folks," said Raffin. "They may have read it, but I'm not sure they got it."

Dr. Paul Tibbits is deputy CIO for Enterprise Development -- one of the newly created functional areas within OI&T. Tibbits pointed out that under the previous management structure, "there would have been a lot of competition for mental energy on the part of a hospital director. Does he get his IT staff to read this stuff or not read this stuff?" Under a single chain of command, that education will most assuredly take place, he said.

Tibbits' organization is taking a different approach from Region 1 in how it develops staff skills in the four ITIL processes under his charge. The three-phased approach he described involves real-time coaching and mentoring for "short-term change"; classes, conferences and workshops for midterm change; and updates in recruiting practices for the long term.

"We're hiring outside contractors to stand at the elbows and shoulders of our IT managers through the development organization to watch what they do on a day-by-day basis," said Tibbits. That effort has just begun, he said, with contractors "just coming on board now."

On the other hand, Region 1 under Raffin's leadership has introduced a three-part governance process. The first part is a technical component advisory council, which meets weekly to discuss and prioritize projects. "That is where a lot of training has occurred," said Raffin. Second, a regional governance board also meets weekly to discuss issues related to IT infrastructure. In addition, Raffin is about to implement a monthly meeting of an executive partnership council that will include both IT people and "business" representatives from the medical facilities being served.

Will bringing people together for meetings suffice to meet the needs of transforming the work habits of the 4,000 people who are now part of OPS -- what Tibbits classifies as a "workforce-reshaping challenge?" And will it prevent the kind of outage that happened on Aug. 31 from happening again somewhere else?

Tibbits sweeps aside a suggestion that the centralization of IT played a role in the outage. "Had the IT reorganization never happened, this error might have happened on Aug. 31 anyway because somebody didn't follow a procedure," he said.

Forrester's Hubbert sees the value in bringing together teams within IT to look at operations more holistically. "That's what change agents need to do -- to lay IT on its side instead of keeping it in silos ... to have that end-to-end picture," she said. Plus, that's an effective way to address shortfalls in process and bring staff along as part of the overall transformation effort, Hubbert adds. "Usually, if you take IT people into the boat and ask them what to fix, if you say, 'Hey, this is the whiteboard. Let's figure it out from there all the way back to the root cause,' they have a real willingness to cooperate," she said. From there, they can develop a process to prevent the same type of problem from surfacing again.

Region 1 Fallout

When an event takes place that impairs the operations of 17 federally funded medical centers, investigations and reviews tend to follow.

In the case of Region 1, that includes an internal review of the regional data processing initiative by both the IT and Oversight & Compliance and Information Protection and Risk Management organizations, which report to Gen. Bob Howard, assistant secretary for OI&T, as well as a review coordinated by an unnamed outside firm. Raffin said he expects those reviews to be concluded early in 2008. And although that review was actually scheduled as part of the OI&T's spending plan, he acknowledged that "it's happening a little earlier than we wanted it to."

Until those results are in, the OI&T has put a "soft hold" on migrating additional medical centers into the regional data center concept, said Raffin. "From Region 1's perspective, we were almost 90% complete and should have been 100% complete by Nov. 9. Our project schedule is going to be a little delayed," he said.

Also, Howard has directed the OI&T development organization to work with the infrastructure engineering organization to design a series of system topologies that would provide varying degrees of reliability, availability, maintainability and speed, "up to and including one option that would be 'zero downtime,'" Tibbits said. "I don't think there's any question in anyone's mind that 128 data centers is too many. One might be too few. But what exactly the optimal topology is, all of that is in play right now. Regionalization of some form is alive and well and will move forward."

Region 1 has experienced a dramatic improvement in compliance, Raffin said, "with folks documenting changes in advance of their occurrence." The next phase of that will be an automated system using tools from CA Inc., which are already in use in the VA's Austin Automation Center. He expects that to be implemented within 90 days.

Region 1 has also modified procedures related to the read-only version of records maintained by Vista, the Level 2 backup plan that wasn't fully available on Aug. 31. Now, Raffin said, those systems are more consistently checked for round-the-clock availability and "any system maintenance ... is properly recorded through our change management procedure."

According to Davoren, the medical director in San Francisco, "before regionalization of IT resources -- with actual systems that contained patient information in distributed systems -- it would have been impossible to have 17 medical centers [go] down." As he told a congressional committee in September, the August system outage was "the longest unplanned downtime that we've ever had at San Francisco since we've had electronic medical records." This was proof to Davoren and others at the individual medical centers that in creating a new structure "in the name of 'standardization,'" support would "wane to a lowest common denominator for all facilities," he said.

Raffin isn't ready to give up. He recognizes that an event like the one that happened on Aug. 31 "casts a long shadow" against what he sees as a number of accomplishments. But he also maintains confidence that Region 1 -- and all of OI&T -- has the ability to pull off its transformation. "For me, it's about making sure we're listening to all of our folks and have our ears to the pavement at the medical centers to make sure we understand what our business requirements are," he said.

Change is hard, especially when it's undertaken on such a massive scale. The difficulty was foreseen early on by VA CIO Howard. "This will not be an easy or quick transformation. There will be a few difficulties along the way, and it's natural for some people to be uncomfortable with change on such a scale. But the prospect of more standardization and interoperability we can harness through this centralization is exciting," Howard said in a webcast speech to the IT workforce of the VA shortly after his confirmation hearings by the Senate Committee on Veterans Affairs.

A question remains whether the VA OI&T is moving quickly enough to keep the confidence of its numerous constituencies -- patients, medical staff, VA executives and lawmakers. As U.S. Rep. Bob Filner (D-Calif.), chair of the House Committee on Veterans' Affairs, stated during that September hearing, "We are heartened by many of the steps the VA has undertaken, but remain concerned that more should be done, and could be done ... faster."

Dian Schaffhauser is a writer who covers technology and business for a number of print and online publications. Contact her at

The holiday shopper's guide to laptops

Looking to buy a laptop this holiday season? The choices can be mind-boggling, with countless models and configurations to choose from.

In fact, though, it's not that tough to figure out which laptop to buy, and then get a great deal on it. Follow our advice, and you won't go wrong.

The most basic decision you'll make, of course, is whether to go with a Mac or a PC. As with religion, this is a personal choice upon which we won't impinge. So we'll start off with advice for a PC, then provide information for buying a Mac laptop. We'll end our guide with tips for finding laptop bargains.

If you buy a Windows laptop

Let's start with the basics -- the processor. It's this simple: Buy a laptop with a dual-core processor, such as Intel's Core Duo mobile or Core 2 Duo mobile (the Core 2 Duo is faster than the Core Duo), or the AMD Athlon 64 X2 Dual Core processor or AMD Turion 64 X2 Dual Core processor (the Turion is faster than the Athlon).
For most users, the speed of the processor itself doesn't matter too much as long as it's dual-core. Dual-core processors are faster than single cores -- particularly when multitasking -- and save power as well, so you'll get longer battery life with them.

You may also find laptops with the Intel Core 2 Extreme mobile processor, which has four cores instead of two. As a practical matter, four cores won't make a dramatic difference compared to two cores, considering that applications haven't yet been written to take advantage of four cores. So if a four-core laptop costs a good deal more than a two-core one, it's probably not worth the extra money.

For RAM, consider 1GB a minimum, and get more if you can afford it. A 2GB laptop will have sufficient power for just about anything a typical user will do, although you might want to opt for a 4GB laptop for a hardcore gamer.

Most people overlook one of the most important laptop specs -- graphics processing. Frequently, laptops use an integrated graphics controller rather than a separate graphics card, which can be problematic not only for gamers, but even for those running Windows Vista Home Premium.

Unless you know the recipient is going to stick to computing basics such as e-mail and word processing, it's a good idea to get a notebook with a dedicated graphics controller, which can enhance such activities as managing a photo library or watching videos online. Gamers need a higher-end card, such as the Nvidia GeForce 8700M GT. If your recipient doesn't play games, though, a card such as the Nvidia GeForce 8400M GS will be fine.

As for how much graphics memory you need, you might want 512MB for gamers, while for general computing 256MB or even 128MB will do.

If you expect that your gift recipient's graphics needs will grow and that he might ultimately want to have more than one graphics processor in his laptop, look for machines that have Scalable Link Interface (SLI), which allows the laptop to use multiple graphics chips.

The rest of the laptop specs are fairly straightforward. You'll want as big a hard disk as you can reasonably afford (your recipient can always add external storage later), a DVD burner and a minimum one-year warranty. As a general rule, the larger the screen, the heavier the laptop and the shorter the battery life, so keep that in mind when buying. If your laptop recipient is a road warrior who spends a lot of time on long airplane flights, consider upgrading to a longer-lasting battery.

If possible, look for a laptop with built-in 802.11n wireless capabilities rather than just 802.11g. That way, when the 802.11n standard becomes widely used, the laptop will be able to take advantage of its faster speeds. Similarly, if you can get a Gigabit Ethernet connection built in, opt for that rather than the more common, slower Ethernet connection.

Finally, look for a laptop with as many slots as possible. If you care about expandability, you'll want a PC Card slot, and ideally, an ExpressCard slot as well. Both slots let you connect a wide variety of peripherals. You want not only USB 2.0 ports, but also FireWire (IEEE 1394) if you can get it. And look for card slots for removable media, such as CompactFlash, Secure Digital, SmartMedia, MultiMediaCard and Memory Stick, if you think your recipient will want to transfer photos or other media files to the laptop.

The price range on Windows laptops is considerable, depending on whether you want a low-end model with only the basics or a high-end screamer capable of playing the latest games. Prices do fluctuate, but you can usually find a laptop with a 15-in. screen, no separate graphics processor, an AMD Athlon 64 X2 Dual-Core CPU, 1GB of RAM and an 80GB hard drive for around $550 -- a Dell Inspiron 1501, for example. On the higher end, you can usually get a laptop such as the HP Pavilion dv6675us with a 2-GHz Intel Core 2 Duo Mobile T7200 CPU, 4GB of RAM, an Nvidia GeForce 8400M GS graphics controller with 128MB of memory, a 250GB hard drive and 802.11n wireless for between $1,500 and $1,700.

And if you need a full-bore machine capable of speedy high-end gaming, you'll have to spend a bundle. For example, an Alienware Area-51 m9750 with dual 512MB Nvidia GeForce Go 8700M GT chips with SLI, a 2.3-GHz Intel Core 2 Duo T7600 processor, 4GB of RAM, a 320GB hard drive, 802.11n wireless and a 17-in. monitor will set you back a whopping $3,600.

Going with a Mac

If you go for a Mac, your choices are much simpler than if you go the PC route, simply because there are far fewer Macs, with fewer variations. However, our recommendations for specs to look out for remain the same as with Windows laptops.

You'll choose between two lines: the MacBook Pro, available with 15- or 17-in. screen in a brushed aluminum case, and the smaller, lighter MacBook, which has a 13-in. screen in a white or black plastic case.

Both lines come standard with several of the items in our must-have list for laptop purchases:

  • An Intel Core 2 Duo processor
  • At least 1GB of RAM (MacBook Pros come with 2GB and all models can accommodate up to 4GB)
  • Gigabit Ethernet
  • 802.11n Wi-Fi
  • FireWire and USB 2.0 ports (MacBook Pros also have ExpressCard/34 slots)
  • A one-year warranty

They also include several "nice to haves," such as FireWire ports, built-in webcams, and Bluetooth connectivity, that you might pay extra for with PCs. (On the other hand, you could argue that you're paying for these features on Macs whether you want them or not.)

As a general rule, the MacBook Pros tend to have higher-end specs than the MacBooks. For example, the MacBooks come with an integrated Intel GMA X3100 graphics processor with 144MB of RAM. To get a better graphics processor, you'll need to go with a MacBook Pro, which includes a slick Nvidia GeForce 8600M GT graphics processor with dual-link DVI support and either 128MB or 256MB of RAM.

That said, however, even the MacBooks offer a fair number of customization options including processor speed, hard drive size, amount of RAM and so on. MacBooks range from $1,100 to $1,500 before configuration, while MacBook Pros range from $2,000 to $2,800. As with Windows laptops, opting for more memory, a faster processor and/or a bigger hard drive can raise prices considerably.

Where to buy

Now that you've decided what to buy, it's time to put your money down. As a general rule, you'll get your best deals online rather than in a retail store, and you'll have more choice as well. But if you shop online, you won't actually get to put your hands on the laptops, and with laptops -- even more so than with desktops -- hands-on experience is important. So after you've narrowed down your choices, visit some retail stores and try out the laptops.

Next it's buying time. There are plenty of great deals to be had online, but often they only last for a day or so and then vanish. To find them, you need to go to bargain-hunting sites that scour the Internet for special deals and offers.

The best of the bargain-hunting sites is, which every day lists about a half-dozen new deals. Every once in a while, you'll find a great steal here. Dell laptops, in particular, often show up. Recently, for example, I found a Dell Inspiron E1405 Core 2 Duo laptop for $445 less than its normal price.

Keep in mind, though, that often these deals mean that you can't configure a laptop -- they're take-it-as-is-or-leave-it propositions. Other good bargain sites to try include Woot, DealCatcher and Ben's Bargains.

If you're shopping for a specific model rather than looking for a one-time deal at a bargain site, you should check out manufacturer sites as well as online retailers like and, because prices can vary considerably among them.

(This is less true of Macs, by the way, since Apple tends to enforce price uniformity. You can sometimes find rebates or add-ons like a free printer if you buy a Mac online, but you're unlikely to save hundreds of dollars.)

Also make sure to check out a price comparison site like PriceGrabber, which compares prices from multiple online retailers. Happy hunting!

Tuesday, 20 November 2007

Trojan horse spreads quickly through Microsoft's IM

Compromises 11,000 PCs in first 24 hours, says researcher

A new Trojan horse that started to spread early Sunday via Microsoft Corp.'s instant messaging client has already infected about 11,000 PCs, a security company said today.

The as-yet-unnamed Trojan horse began hitting systems about 7 a.m. EST on Sunday, according to Roei Lichtman, the director of product management at Aladdin Knowledge Systems Ltd. "We still haven't found what it's meant to do, but at the moment, it's creating an army [of bots]," he said. "Eventually, of course, the operator will send commands to do something."

Users of Microsoft's Windows Live Messenger instant messaging program receive a message that includes spoofed Zip files, such as one named "pics" that is actually a double-extension executable in the format "filenamejpg.exe" or a file labeled "images" that in reality is a .pif executable.
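The two disguises described above (a lure extension fused to the name, as in "filenamejpg.exe", and a .pif executable labelled as images) are easy to flag before a user opens the archive. The following Python checker is an added example written for this page, not code from Aladdin or Microsoft; the archive it scans is constructed inline, and the extension lists are assumptions, not the Trojan's actual file names.

```python
import io
import zipfile

# Extensions Windows executes on double-click; .pif and .scr are rarely recognised by users.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Benign-looking extensions a lure imitates, longest first so "jpeg" is tested before "jpg".
LURE_EXTS = ["jpeg", "jpg", "gif", "png", "bmp", "zip", "txt", "doc", "pdf"]


def classify_name(name):
    """Return a short reason if `name` looks like a disguised executable, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    ext = parts[-1]
    stem = ".".join(parts[:-1])
    # Classic double extension: beach.jpg.exe (Explorer hides the final .exe by default).
    if len(parts) >= 3 and parts[-2] in LURE_EXTS:
        return "double extension .%s.%s" % (parts[-2], ext)
    # The variant quoted in the article: the fake extension is fused to the name, "filenamejpg.exe".
    for lure in LURE_EXTS:
        if stem.endswith(lure) and len(stem) > len(lure):
            return "fused lure extension '%s' before .%s" % (lure, ext)
    if ext != "exe":
        return "uncommon executable extension .%s" % ext
    return "executable .exe"


def scan_zip(data):
    """Scan an in-memory zip (as an IM client would receive it); return (member, reason) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real capture) shaped like the article's 'pics' lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics/readme.txt", "holiday pics")
        zf.writestr("pics/partyjpg.exe", b"MZ constructed placeholder, not a real binary")
        zf.writestr("pics/images.pif", b"MZ constructed placeholder, not a real binary")
        zf.writestr("pics/beach.jpg.exe", b"MZ constructed placeholder, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_zip()):
        print("%-22s %s" % (member, reason))
```

The check is on names only; a real gateway would also inspect the member bytes (an "MZ" header inside a .jpg is the same signal from the other direction).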

"This is really growing rapidly," said Lichtman. Six hours after it first found the Trojan horse, Aladdin put the total number of assembled bots at about 500; three hours later, that had climbed to several thousand. By late today, the botnet had been built out to 12,000 machines.

As with other malware spread through instant messaging software, the messages bearing malicious code appear to come from people on the recipient's IM contact list.

But while its speed in spreading is impressive, Lichtman pointed to another characteristic of the Trojan horse: It can also propagate via virtual network computing (VNC) clients, the generic term for remote control programs used to access one computer's files and desktop from another.

Once the Trojan horse has installed itself on a PC through IM, it can sniff out a VNC client, then use it to infect a remotely controlled system, perhaps one inside a corporation's firewall. "You increase your reach to these PCs as well, as if you infected them," Lichtman said, momentarily taking the hacker's point of view. To his knowledge, the Trojan's use of a VNC vector was a first.

Aladdin will continue to monitor the bot's spread by tapping into the Internet Relay Chat channel being used to command and control the compromised PCs, said Lichtman.

IM-based threats, while still relatively rare compared with those that spread via e-mail or from malicious Web sites, aren't unknown. Neither are vulnerabilities within IM software. In September, for example, Microsoft forced users of its aged MSN Messenger software to upgrade to Windows Live Messenger 8.1 to stymie a vulnerability in the older program.

Hackers poised for Black Friday assault

You know retailers are ready for Black Friday -- but so are hackers poised to launch a slew of Web-based attacks against consumers. Your money and personal information could be at risk.

"The holiday season in general is a huge time for hackers ... [and] Black Friday is typically the start," says Paul Henry, vice president of strategic accounts for Secure Computing. "This year, my biggest concern for consumers is all the Web-borne malware out there."

Black Friday, the day after Thanksgiving, is followed in marketing lingo by Cyber Monday. Both are big days for retailers and online fraudsters. Consumers should watch out for e-mails advertising incredible deals that seem too good to be true. "Freebies may be freebies in the sense that you get free malware," says Jamz Yaneza, a senior threat researcher at Trend Micro.

A common scam is to pick the hot toy of the season and send out a spam e-mail blast offering it for much less than the typical price, Henry says. Victims end up entering credit card information on malicious sites designed to look like well-known, trusted ones. They might also unknowingly download a keylogger that can steal personal information people type in when making any kind of Internet transaction.

"Be leery of sites being advertised [in e-mail that might be spam]. In all likelihood you're being directed to a malware-connected site," Henry says. "Do not click on URLs within e-mails even for well-known public sites."

In an HTML e-mail, it's a trivial task for hackers to hide the real URL a victim is clicking on.

"It might say ',' but you're actually clicking on something entirely different," Henry says.
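Henry's point can be turned into a mail-gateway check: parse each anchor in an HTML message and flag those whose visible text looks like a URL for one host while the href actually points at another. This Python example is added here and is not code from Secure Computing or Trend Micro; the message it scans is constructed inline using reserved documentation names (example.com, 198.51.100.0/24, .invalid).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would take for a web address (bare host, optional scheme/path).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)


def host_of(value):
    """Lower-cased host of a URL or bare hostname with a leading 'www.' dropped; '' if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host


def find_spoofed_links(html_body):
    """Return (shown_text, real_href) for anchors whose text names a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not LOOKS_LIKE_URL.match(text):
            continue  # text is not a URL, so nothing is being impersonated
        shown, actual = host_of(text), host_of(href)
        # Allow a subdomain of the shown host; flag anything else (other host, raw IP, look-alike).
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append((text, href))
    return findings


# Constructed sample message; hosts are documentation/reserved names, not real sites.
SAMPLE_EMAIL = """<html><body>
<p>Black Friday doorbuster! The hot toy of the season at 70% off:</p>
<a href="http://deals.example-store.com/toy">deals.example-store.com/toy</a><br>
<a href="http://198.51.100.23/login.php">www.example-bank.com</a><br>
<a href="http://example-store.com.lookalike.invalid/">http://example-store.com</a><br>
<a href="http://example-store.com/terms">terms and conditions</a>
</body></html>"""

if __name__ == "__main__":
    for shown, real in find_spoofed_links(SAMPLE_EMAIL):
        print("displayed %r but links to %r" % (shown, real))
```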

Online fraudsters have been busy this year. Fraud losses related to U.S. e-commerce will top $3.6 billion in 2007, up 20% from last year, according to a report by the vendor CyberSource this month. The increase in dollar loss is due mostly to growing e-commerce sales, as the percentage of transactions that are fraudulent has held steady.

The run-up to Christmas and tax filing season are the two most dangerous times of the year for online shoppers, Yaneza says.

In addition to being wary of e-mails, be careful when searching for holiday deals or specific products on Google and other search engines. Operators of malicious sites have figured out ways to rise to the top of search listings.

"We've seen instances where the top site that is ranked actually gets there by gaming the Google search algorithm," Yaneza says.

Legitimate Web sites can be dangerous too, when hackers inject code into Web pages redirecting users to malicious sites, Yaneza says. The Dolphin Stadium Web site was attacked in this way prior to this year's Super Bowl in Miami.

Black Friday and Cyber Monday will be a bigger problem for consumers than enterprises, according to Henry, because large businesses tend to have better security. But that doesn't mean there's nothing for IT executives to be leery of.

Cyber Monday is thought to be a big day for online retailers because people return to work en masse after the Thanksgiving break and are sitting in front of office computers all day.

Businesses might also worry about employees using work laptops in unprotected Wi-Fi locations, and getting targeted with a keylogger or other malicious software, says Yaneza.

Yaneza's advice for consumers is simple but often effective: Install all the latest updates and patches for your security software and Web browsers.

Trend Micro offers a free tool called HouseCall that can scan your computer for viruses, spyware and other malware.

Hackers jack, infect job hunters

took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFrame attack and was being used to infect visitors with a multi-exploit attack kit.

According to Internet records, the Russian Business Network (RBN) hacker network may be involved.

Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms that begin with the letter B, for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental.

Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc.

"A typical infective URL was, which is Toyota [Financial's] section," said Thompson in an instant message exchange Monday night. "Or, which is Best Buy's."

The injection of the malicious IFrame code into the site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened today."

Like many other IFrame exploits, this one silently redirected the user's browser to another site hosting Neosploit. In the case of at least one of the exploit sites Thompson identified, there's a connection to the notorious RBN, the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired in China, seemingly vanishing from the Internet.

The IP address of the exploit site is assigned to a server in Australia that is part of the "" domain. That domain, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays small site owners a commission for injecting IFrame exploits on other sites.

According to an anonymous blogger who tracks the RBN, other IP addresses were involved in the Bank of India hack in August.

Thompson said he had just started digging into the hack on Monday afternoon. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.

Maynard, Mass.-based last made security news in August, when the company acknowledged that hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware. was not available for comment Monday night.

luni, 19 noiembrie 2007

IBM to resell tool that lets .Net programmers build software for WebSphere

IBM signed on Monday an agreement to resell Mainsoft Corp.'s new .Net Extensions for WebSphere Portal product that will allow companies to use .Net to create Java applications for IBM's WebSphere portal.

IBM expects that the tools will help its customers integrate Windows SharePoint Services, Office document libraries, SQL Server Reports and .Net applications into IBM's WebSphere Portal Server without the need for Java developers, the two companies said.

Mainsoft CEO Yaacov Cohen said that the deal is aimed at helping companies that have installed SharePoint portals at the departmental level to leverage the WebSphere enterprise portal.

"Organizations can break the silos of information and take the valuable information from SharePoint sites and make this information able to participate in composite applications," he said. "For the first time, you get composite applications across .Net and Java. The idea is to enable organizations to achieve portal-to-portal interoperability using WebSphere portal as a kind of uber portal, which will federate SharePoint departmental sites."

Healthways Inc., a Nashville-based provider of health care support services, began using the Mainsoft technology in April to build a WebSphere portal for its 27 million customers, said David Jarmoluk, director of enterprise architecture at Healthways. The company wanted to leverage its Microsoft programmers for the portal, but didn't think SharePoint would scale well enough for the job, he said.

So, the company used the Mainsoft's Visual Studio-based .Net Extensions for WebSphere Portal product to allow its Microsoft programmers to develop and put into production dozens of .Net applications in the portal without having to rewrite them in Java, he noted.

Jarmoluk said that developers were able to continue using the Visual Studio environment they best understood, and that the company therefore didn't have to hire any Java programmers. He estimated that the tool set saved the company 30% to 35% in time and costs compared with adding new Java developers, he noted.

"It is all about usability from a developer standpoint and being able to leverage the expertise we already have," he said. "There are a lot of costs and overhead associated with trying to train people and get them up to speed with a new thing. We were able to significantly reduce that by letting our developers continue to use what they already know."

Dell XPS One strips the tease

After teasing the public for a while, Dell on Friday revealed an all-in-one computer that combines the monitor and CPU in one box.

The XPS One will be available as a system with only a widescreen display, a mouse and a keyboard. Processing capabilities and other components will be fixed inside the display.

The systems will be available in four designs with the monikers indicating the target audience: the Essential One, the Music One, the Performance One and the Entertainment One.

All systems will come with 20-inch displays, Intel Core 2 Duo processors, Windows Vista Home Premium, hard drives starting at 250G bytes, 2G bytes of memory, a TV tuner and remote control. The Music One system will come with wireless headphones for music enthusiasts.

The Entertainment One, designed as a home media center, will include a Blu-ray high-definition DVD burner. It will also come with an ATI Radeon HD 2400 Pro graphics card with 256M bytes of memory.

Popularized by Apple's iMac, all-in-one PCs also have been released by Hewlett-Packard and Gateway.

Dell had planned to release the XPS One on Monday but posted details about it early online. The company declined to offer any additional information about the computer on Friday.

An XPS One was visible onstage behind Michael Dell, CEO of Dell, when he addressed an audience at the OpenWorld conference earlier this week. He didn't give details about the product at the time, only saying it would be released next week.

The product is on pre-sale on Dell's Web site.

joi, 15 noiembrie 2007

NASCAR drivers get HPC help with performance extremes

Measuring aerodynamic drag at 190 mph 'drives the engineers to a whole new level'

John Picklo, manager of high-performance computing (HPC) at Chrysler LLC, describes himself simply as an "IT guy" who's also a NASCAR fan. And he will be rooting Sunday for drivers of Dodge cars in the final race of this year's Nextel Cup.

The Chrysler engineers who work on the HPC systems that Picklo manages use the machines to improve race car performance. They work closely with the race car teams, and if one of their vehicles wins -- as Dodge drivers Kurt Busch and Juan Montoya have in several Nextel races this year -- the driver and the racing team will be honored, the vehicle noted and congratulations shared around the company.

But no one will know, really, what role the HPC engineering staff had. Did the increase in fuel efficiency help? Or the design changes that improved air flow?

"We can make an improvement and get a couple of more miles per hour out of it, and really help -- and if the driver just skims the wall on lap 67, he can negate what we did," says Picklo.

"It is kind of like a football game -- everybody has to have a good day. If one guy fumbles the ball, he can mess things up," says Picklo, who spoke at this week's SC07 supercomputing show in Reno, Nev. "We're doing our job, and so are the drivers, the teams and everybody else."

But Picklo, whose systems total 1,650 cores running in clusters in Linux and Unix environments, is certain of one benefit. Because these race cars operate at the extremes of vehicle performance, the HPC engineering work that has gone into them has had the "unanticipated benefit" of helping with vehicle performance for a wide range of vehicles.

"The extreme conditions of racing are teaching lessons that we might not have otherwise learned," says Picklo. Measuring aerodynamic drag for vehicles moving at 190 miles per hour "drives the engineers to a whole new level of skills," he says.

One example, he says, is the drag effect that large eddies of air have at such high speeds. By using computational fluid dynamics on the HPC systems, Chrysler engineers discovered how these eddies worked, their impact on vehicles and how to tune for it. That knowledge went back into their passenger car designs, Picklo says.

When vehicles travel at racing speeds, issues that might not be as pronounced at lower speeds may present themselves. For instance, the computer simulations show that a race car driving behind another vehicle may get restricted air flow, which can impact the engine. When that knowledge was applied to a vehicle driving behind a large truck on a highway, engineers saw the same reduced air flow, says Picklo.

This ability "to develop more detailed fluid dynamic models for extreme conditions" has taught engineers a lot, says Picklo: "If you never think about what happens at 190 miles an hour, you might not realize that the same effects translate back into passenger vehicles."

India's powerful supercomputer signals HPC ambitions

The U.S. remains by far the global supercomputing leader. But an India-based company that's part of a major IT offshore services firm has just built the world's fourth most powerful supercomputer, according to the just-released Top500 supercomputer list.

Rankings on that list, which is maintained by academic researchers and updated every six months, can be notoriously short-lived, thanks to the relentless worldwide push to build faster systems. But India's position near the top of this list is a clear signal of its ambitions in information technology.

"We would like to be in the forefront of [high-performance computing] research, services," said Ashwin Nanda, who heads Computational Research Laboratories in Pune, India, which owns the system. The goal is to "basically bring the analytical brainpower of India to solve the supercomputing, HPC-related problems, that we have in the world," he said.

"This is a completely new market for us," said Nanda, who was attending the Supercomputing 07 conference in Reno, Nevada, where the Top500 list was announced.

CRL is a wholly owned subsidiary of Tata Sons Ltd., which is in turn part of a conglomerate that's one of India's largest IT offshore services providers.

Nanda said his company's supercomputer, built with Hewlett-Packard Co. servers using Intel chips with 14,240 processor cores, will be used for government scientific research and product development for Tata, as well as to provide services to U.S. customers. The system went operational last month and achieved performance of 117.9 TFLOPS.

India, China and other countries are increasingly being tapped by U.S. and European firms for research and development. But of the supercomputers powerful enough to make the Top500 supercomputers list, only nine, or just under 2%, are in India. The U.S. is home to 283 of the systems, or nearly 57%. The next runner-up is the U.K., with 48, or nearly 10%, of the systems powerful enough to make the list.

While India's system ranked high, it's still a distance from the top position. That fastest system, with some 213,000 processing cores, is IBM's BlueGene/L System, a joint development of IBM and the Department of Energy's National Nuclear Security Administration. It achieved a benchmark of 478.2 TFLOPS.

Horst Simon, associate laboratory director of computing sciences at the Lawrence Berkeley National Laboratory in Berkeley, Calif., and one of the Top500 list authors, said it was exciting to see India's entrance into the top 10 and said the country has "huge potential" as a supercomputing nation.

"India is very well known for having great software engineers and great mathematicians, and having a [HPC] center there is a catalyst for doing more in the high-performance computing field," said Simon, who said it brings "a whole new set of players into the supercomputing world."

Tech for Teens

Camps use cool gadgetry to attract middle-schoolers to future tech careers.

Faced with dwindling enrollments in university computer science and IT programs, the Society for Information Management has taken a novel approach to engaging America’s youth in potential IT careers: It is partnering with public libraries and other organizations to create technology camps for teenagers.

The first such summer camp, which Chicago-based SIM organized three years ago with the Memphis Public Library, “connects SIM to the next generation of technology users,” says Terrice Thomas, who works at the Memphis Public Library & Information Center.

The weeklong Teen Tech Camps, which target 12-to-15-year-olds, give kids a chance to learn about BSOs — “big, shiny objects” such as iPhones, digital cameras and other gadgets — says John Oglesby, director of IT strategy at Memphis-based ACH Food Cos. and former president of the Memphis SIM chapter.

The gadget sessions, conducted by employees of SIM Memphis member companies, are intended to appeal to teen campers while teaching them how technology can be applied in a work environment. For instance, one instructor demonstrated how tablet PCs can be used in hospitals, “and that surprised some of the kids,” Thomas says.

The high-tech gadgets also benefit the library’s staffers, who are learning about emerging technologies and receiving training on the devices used at the camp, she says.

The Memphis camps, which have drawn 12 to 18 teenagers per session, require applicants to obtain a referral letter from a teacher and to write a short essay to gauge their interest in the program, according to John Lloyd, the business and sciences librarian.

The first session was so popular that “we’ve had kids try to sneak into the camp” each of the past two years, says Betty Anne Wilson, assistant director for library advancement.

This past summer, campers produced their own webcasts.

Officials from SIM’s Memphis chapter and the Memphis Public Library worked closely to develop the camp program. “One of the reasons it worked so well is that John [Oglesby] and I talked a lot about the missions of both organizations,” Wilson says. The library has “a lot of experience with teens and had done a lot of programs with them,” she adds.

Expansion Plans

SIM officials are so enthusiastic about the Memphis camp that they’re “trying to find ways to incorporate this into other SIM chapters,” says Stephen Pickett, chairman of the SIM Foundation and vice president and CIO at Penske Corp. in Bloomfield Hills, Mich.

For instance, SIM has created a set of software templates from the Memphis project that other SIM chapters can use to develop their own Teen Tech Camps with libraries and other community organizations. The software, which includes a budget template, marketing timelines and permission forms, will be available for download from SIM’s home page in the near future, Pickett says.

SIM’s Philadelphia chapter has launched a similar program, starting with a school system and more recently partnering with a nonprofit organization, he says.

“We’re actively working on selling this” to other chapters, Pickett says. “We’re hoping to have 29 more [camps] up and running next year.”

Women in IT: A Lopsided Pay Scale

According to Computerworld’s annual Salary Survey, male IT professionals continue to outearn their female counterparts.

At the highest level of IT, male CIOs and vice presidents made on average $179,026 in total compensation this year, while women in the same jobs took in nearly $6,000 less, at $173,052. The pay differences between middle managers and technical workers are similarly unequal.

This salary inequity between men and women in IT is a longstanding issue, but it could have short-term consequences for companies that pay female IT workers less, according to Umesh Ramakrishnan, vice chairman of CTPartners, an executive recruiter in New York.

“The pay package is what it is for the best executive,” regardless of gender, says Ramakrishnan. “It’s a rather shortsighted view if you’re paying a female executive less. You’re not going to hold onto that person very long.”

Ramakrishnan says while he hasn’t seen a difference in compensation packages between the male and female IT executives he has helped place, he has seen pay inequities between men and women in lower levels of the IT organization. In many workplaces, the inequity is the result of longstanding differences in pay that have yet to be corrected, he says.

For women who feel that they are underpaid, Ramakrishnan offers this advice: Find out what your peers are earning at similar companies, and present your findings to a supervisor or human resources representative to illustrate your market value.

“It lets the company know you’re thinking about it, and it lets them know whether you’re well paid or underpaid,” he says.

Karen Piper, a business intelligence analyst at Ball Corp., a Broomfield, Colo.-based maker of food and beverage containers, says she believes that the salary gap between men and women has narrowed in recent years. But she doesn’t think the IT landscape is necessarily a level playing field.

“Men don’t have to work as hard as women to get promoted,” says Piper, a 20-year IT veteran. Female IT workers “have to go above and beyond” to advance, she says.

Others aren’t sure there’s a correlation between gender and pay. Didi Raizen, an IT applications manager at Flatiron Construction Corp. in Longmont, Colo., says she doesn’t think she earns less than her male peers at other companies. “Women have demonstrated their value in the IT realm,” she says.

Tammy Wicks, a business applications analyst at FedEx Freight Corp. in San Jose, says she, too, is unsure whether there’s salary inequity between men and women in IT. But she says she does know this: “My salary still outweighs my husband’s.”

miercuri, 14 noiembrie 2007

MySpace, Facebook ad plans violate privacy, groups tell FTC

Two consumer advocacy groups have asked the Federal Trade Commission to investigate whether new advertising initiatives announced last week by social networking sites MySpace and Facebook adequately protect consumer privacy.

In a Nov. 12 letter to FTC Chairman Deborah Platt Majoras, the Center for Digital Democracy and the U.S. Public Interest Research Group claimed that the "ambitious new targeted advertising schemes" launched by and Facebook Inc. "make clear the advertising industry's intentions to move full-speed ahead without regard to ensuring consumers are protected."

Jeffrey Chester, founder and executive director of the Center for Digital Democracy, said that by launching the advertising plans, MySpace and Facebook are "thumbing their noses at the FTC and consumer privacy rights" by allowing marketers to customize advertisements based on data provided by users in their profiles on the social networking sites.

"MySpace and Facebook are like the digital data equivalent of Fort Knox for Madison Avenue marketers," he said. "It is a kind of one-stop data shop for marketers. They know your interests, your politics and what movies you like. It is a much more rich array of content that marketers simply should not have automatic access to."

Chester said that consumers must be offered a complete opt-out option, and that the social networks must fully disclose how they intend to use their personal information.

The letter goes on to note that since both MySpace and Facebook are working with fast-food advertisers, the FTC should include their plans in its ongoing review of advertisements that may promote obesity among youths.

Several attorneys and privacy advocates last week questioned whether it is legal for the social networks to tell a user's friends about his or her purchases or likes without the user's written consent.

In a statement e-mailed to Computerworld, MySpace said it is "firmly committed to protecting user privacy and adher[ing] to a strict policy." In addition, MySpace noted that by the end of this year, users will be able to opt out of MySpace programs that use their preferences to help advertisers create customized ads.

"Our ad targeting platform is designed to work with user-expressed information from profile pages to create a more-relevant advertising experience," the statement said. "Users who are not interested in participating will have the ability to 'opt out' of the targeting platform."

Facebook did not immediately respond to a request for comment.

This week's letter was a follow-up to a report the two groups sent to the FTC in early November urging it to launch an investigation into new threats to privacy from the behavioral targeting and profiling of users -- especially youth -- by social networks and other online sites.

Microsoft fixes WSUS malfunction in time for Patch Tuesday

For the second time in less than three weeks, Microsoft Corp. has had to apologize for blunders made by the application that enterprise administrators rely on to deploy the software vendor's security patches and other updates.

Late yesterday, Bobbie Harder, a senior program manager with Microsoft's Windows Server Update Services (WSUS) group, confirmed the latest gaffe in a posting to a company blog.

"Sunday evening, Microsoft renamed a product category entry for Forefront to clarify the scope of updates that will be included in the future," Harder said. "Unfortunately the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console. This issue occurred on many WSUS servers that synchronized with Microsoft servers between 5 p.m. Sunday and 11 a.m. Monday, Pacific time."

Monday morning, network administrators at Microsoft user companies began posting messages to WSUS support forums after they arrived at work to find the patch delivery software's management console reporting an error, essentially blocking them from retrieving updates.

The timing couldn't have been worse, as Microsoft is scheduled to deliver its monthly security fixes later today.

Harder said the glitch was fixed Monday afternoon and would be propagated to each WSUS server the next time it synchronized with Microsoft's update servers. She also provided instructions for administrators who have set WSUS to sync manually, with separate steps for WSUS 2.0 and WSUS 3.0.

Allen Moore, a systems administrator at DeKalb Memorial Hospital in DeKalb, Ill., said he didn't wait for Microsoft yesterday, but instead used SQL queries posted in a support forum to bring back WSUS. "I applied the two SQL queries to manually fix the tables yesterday, and was able to get back into WSUS without any errors," he said in an e-mail today. "I [also] just checked our WSUS 2.0 server and it appears to be working correctly after updating this morning."

Harder said her team would add new checks to curb errors like this. "We are also improving our publishing tools to make sure that issues like this are caught during the publishing process, before they impact customers," she said.

She said much the same thing, however, less than three weeks ago after admitting that recycling an update package had force-fed Windows Desktop Search (WDS) to client PCs which had been told to ignore the application. "We are also working on improving our internal publishing processes to ensure this does not happen again in the future," Harder said then.

Some users seemed to be unhappy with the trend in WSUS problems. "Thanks, Microsoft, it's great having things like this happen when I'm already too busy!!!" said someone identified as stormforce5 on a WSUS support forum yesterday.

As she did in the wake of October's WSUS snafu, Microsoft's Harder said she was sorry: "We sincerely apologize for any inconvenience this may have caused to our customers."

Anyone still having problems with WSUS should contact Microsoft support, Harder added.