Stiri-On-Line : The latest IT NEWS

IPAD

2010-02-10T17:42:00.002+02:00

The best way to experience the web,email,photos and video.

Safari

The large Multi-Touch screen on iPad lets you see web pages as they were meant to be seen — one page at a time. With vibrant color and sharp text. So whether you’re looking at a page in portrait or landscape, you can see everything at a size that’s actually readable. And with iPad, navigating the web has never been easier or more intuitive. Because you use the most natural pointing device there is: your finger. Scroll through a page just by flicking your finger up or down on the screen. Or pinch to zoom in or out on a photo. There’s also a thumbnail view that shows all your open pages in a grid, to let you quickly move from one page to the next.

Mail

See and touch your email in ways you never could before. In landscape, you get a split-screen view showing both an opened email and the messages in your inbox. To see the opened email by itself, turn iPad to portrait, and the email automatically rotates and fills the screen. No matter which orientation you use, you can scroll through your mail, compose a new email using the large, onscreen keyboard, or delete messages with nothing more than a tap and a flick. If someone emails you a photo, you can see it right in the message. You can also save the photos in an email directly to the built-in Photos app. And iPad works with all the most popular email providers, including MobileMe, Yahoo! Mail, Gmail, Hotmail, and AOL.

Photos

With its crisp, vibrant display and unique software features, iPad is an extraordinary way to enjoy and share your photos. For example, the Photos app displays the photos in an album as though they were in a stack. Just tap the stack, and the whole album opens up. From there, you can flip through your pictures, zoom in or out, or watch a slideshow. You can even use your iPad as a beautiful digital photo frame while it’s docked or charging. And there are lots of ways to import photos: You can sync them from your computer, download them from an email, or import them directly from your camera using the optional Camera Connection Kit.

Video

The large, high-resolution screen makes iPad perfect for watching any kind of video: from HD movies and TV shows to podcasts and music videos. Switch between widescreen and full screen with a double-tap. Because iPad is essentially one big screen, with no distracting keypad or buttons, you feel completely immersed in whatever you’re watching.

YouTube

The YouTube app organizes videos so they’re easy to see and navigate. To watch one, just tap it. When you’re watching in landscape, the video automatically plays in full screen. And with its high-resolution display, iPad makes the latest HD YouTube videos look positively amazing.

iTunes

A tap of the iTunes icon lets you browse and buy music, TV shows, and podcasts — or buy and rent movies — wirelessly, right from your iPad. Choose from thousands of movies and TV shows (in both standard and high definition), along with thousands of podcasts and millions of songs. Preview songs before you buy them. Or just sync iPad with the content you already have in your iTunes library on your Mac or PC.

iPod

With the iPod app, all your music is literally at your fingertips. Browse by album, song, artist, or genre with a simple flick. To play a song, just tap it. iPad even displays album art at full size. Listen to your music with the powerful built-in speaker or with wired or Bluetooth wireless headphones.

App Store

iPad runs almost 140,000 apps from the App Store. Everything from games to business apps and more. And new apps designed specifically for iPad are highlighted, so you can easily find the ones that take full advantage of its features. Just tap the App Store icon on the screen to browse, buy, and download apps wirelessly, right to the iPad.

iBooks

The iBooks app is a great new way to read and buy books.¹ Download the free app from the App Store and buy everything from classics to best sellers from the built-in iBookstore. Once you’ve bought a book, it’s displayed on your Bookshelf. Just tap it to start reading. The high-resolution, LED-backlit screen displays everything in sharp, rich color, so it’s easy to read, even in low light.

Maps

Finding your way is a completely new experience on iPad. Tap to view maps from above with high-resolution satellite imagery, up close with street view, or with topography in a new terrain view — all using Google Services. Search for a nearby restaurant or landmark, then get directions from your current location.

Notes

With its expansive display and large, onscreen keyboard, iPad makes jotting down notes easy. In landscape view, you see not only a note-taking page but a list of all your notes. iPad even circles the current note in red, so you can see where you are at a glance.

Calendar

iPad makes it easy to stay on schedule by displaying day, week, month, or list views of your calendar. You can see an overview of a whole month or the details of a single day. iPad even shows multiple calendars at once, so you can manage work and family schedules at the same time.

Contacts

The Contacts app on iPad makes finding names, numbers, and other important information quicker and easier than ever before. A new view lets you see both your complete contacts list and a single contact simultaneously. Need directions? Tap an address inside a contact and iPad automatically opens Maps.

Should you buy an iPhone this holiday season?

2007-11-29T14:58:00.000+02:00

The iPhone is the Tickle Me Elmo of this year's shopping season. Should you cave in and buy one or stay strong and wait 'til later (or never)?

I have a problem. Maybe you have the same one? Somebody in my house wants an iPhone this holiday season. Real bad. Like "don't get me a single other thing, it's the only present I want" bad. That kind of bad.

While I'm sorely tempted to be able to bypass the gift-boxed golf balls and three-pack of fake cashmere dress socks this year, I also don't want to be played for a fool by everyone's favorite fruit-logo'ed electronics vendor.

As early iPhone buyers who were caught by Apple's unexpected price drop just two months after the phone's release know only too well, the company's plans for the iPhone are, shall we say, still evolving.

Do I really want to watch my beloved unwrap an iPhone on the big day, only to have it look old and clunky when some newer, hotter model hits the shelves?

(The notoriously closed-mouthed Apple won't say anything about its plans, but Macworld, at which the company traditionally makes a raft of important announcements, is scarily close to the holidays, a mere two weeks into the new year.)

Then, too, there's the features list, or as some detractors like to call it, the not-yet-features list. Right now, my loved one is blinded by the iPhone light, but is it truly the best phone for his needs? From G3 to GPS, there are a lot of features missing from the version of the iPhone being hawked for the holidays.

And in the meantime, other almost-as-cool phones have hit the market and won some attention as well. What if the AT&T Tilt or the LG Voyager or the rumored-to-be-upcoming BlackBerry 9000 is actually the better choice?

The service plan could be problematic as well. For reasons too dorky to disclose in public (cough TracFone cough), we don't have any existing wireless service plan in my household, but other iPhone wanters who have current plans with carriers other than AT&T need to decide if they want that Apple unit badly enough to eat whatever is left of their current agreement.

Crowd control?

Finally, there are a couple of practical timing questions. As we all know, it's the Biggest Shopping Month of the Year, which means I'm not the only person out there contemplating an iPhone purchase right now.

If I wait till the last minute, or even the last week, is there a chance Apple will run out of units? (Apple, surprise surprise, officially says no, but declines to comment on how many units have been manufactured or shipped.) If I choose to buy an iPhone in-store, will there be an educated, upbeat Apple employee available to answer any lingering questions, or will it be three-deep at the Genius Bar?

And skipping ahead to the big day, what happens when thousands and thousands of iPhone giftees all rip their phones out of that tasteful Apple packaging and try to activate them in the very same two- or three-hour time slot? Will iTunes be able to handle it? Will AT&T be up to the task?

Representatives for Apple and AT&T both separately swore to me on a stack of greeting cards that they're ready for whatever onslaught ensues, but I'm still worried. Buyers who bought the iPhone in its first couple days of availability reported having problems with activation when transferring an old mobile number over to their new unit. Is that going to happen again?

So many questions! So few buying days left!

As luck would have it, though, I work at Computerworld, which means that instead of wasting hours surfing the blogosphere looking for answers, I get to wander the halls of our (virtual) office and waste the time of my hardworking colleagues instead.

Because journalists and analysts are a slippery bunch that wiggles away from definitive declarations, I resolve to not just gather opinions, but to pin everyone to the mat. Which means that, after hemming and hawing, my homegrown band of experts had to come up with a yes or no answer. The goal? To make my, and perhaps your, holiday iPhone buying decision a little easier.

Stop one: Scot Finnie, Computerworld editor in chief

Finnie's a 20-something-year veteran of the computing industry who garnered a lot of attention (and caught a lot of flak) by very publicly switching from a PC to a Mac. Based on his new devotion to Apple, I suspect I know what his take on the iPhone will be.

Finnie insists he's not much of a gadget freak, and he's happy he waited for the price drop, but yes, he bought an iPhone and yes, he'd recommend that you buy one now.

While he's as concerned as the next guy about the speed of the EDGE network and the usability of the keyboard, Finnie says the iPhone's touch screen and the Safari browsing experience are just too good not to have now. And he feels confident that Apple won't soon drop the price again and embarrass holiday season buyers.

Stop two: Harry McCracken, PC World editor in chief

Next, I hop over the corporate firewall to check in with our sister publication, PC World. Harry McCracken, another editor in chief with a couple of decades of experience behind him, penned a piece back in July titled 13 Reasons Why I'm Not Buying an iPhone -- Yet.

Has he changed his mind -- or his smart phone -- since then?

When I ask him, he takes a moment to call up the file and page through his original list of complaints. Aside from the price cut, McCracken says, the most significant change in the six months since his article was published is that Apple finally announced it will release an iPhone software developer's kit next February.

That should pave the way for third-party developers to write, among other things, applications that can fulfill McCracken's specific business needs, which include more robust note-taking capabilities, support for Lotus Notes and a to-do list.

His other big issues still stand unresolved -- including the slower EDGE rather than the faster 3G network and the nontactile keyboard that some users will never warm to.

"I do want to make it clear that the iPhone's an extraordinary device," McCracken tells me. "And once we see the higher speeds and the third-party apps, I might change my mind. But for now, I'm saying 'wait.'"

Stop three: Ken Mingis, Computerworld online news editor

Back on this side of the wall, I catch up with Ken Mingis, who has covered Apple for Computerworld for five years and takes what can only be described as a devil-may-care stance on my buy/don't buy dilemma.

If you need, or want, an iPhone now, go ahead and get one, Mingis says. (He did, the first weekend the phone went on sale.) Trying to gauge when better or cheaper technology will hit store shelves is always a gamble, he says, and guessing Apple's next move is like trying to read the Kremlin.

Even so, he feels it's unlikely there'll be another price cut soon. "That first cut was an anomaly for Apple, dropping the price so soon after the iPhone's release. It really did throw people for a loop," he says. In his opinion, it's highly unlikely it'll happen again anytime soon.

It's more likely we'll see a thinner iPhone, perhaps with more memory like the 16GB iPod Touch, at some point down the road -- and it's possible such a unit could debut in time for Macworld, he guesses.

Either way, Apple will keep interest in the iPhone high by rolling out features on the software side, which current owners will, of course, be able to access with a simple update.

And if the worst does happen and Apple rushes out a new iPhone midcycle, that doesn't mean your unit will be obsolete, Mingis says. "People always want to have the latest and greatest, but yours will still work," he points out equanimously. It'll just be slightly fatter than the next guy's.

His verdict? There's no reason to wait.

Stop four: Ross Rubin, analyst, the NPD Group

Hankering for a little perspective on that elusive and ever-changing swamp known as the consumer marketplace, I next put in a call to the NPD Group, which specializes in that very geography.

Analyst Ross Rubin gives me his take on Apple and the iPhone. The company's done a notable job of bending many rules of the wireless game with the iPhone -- it's gone against the tide in terms of how handsets are distributed and (via iTunes) of how content, even ring tones, are offered, Rubin says.

And thanks to its wildly successful iPods and computers targeted toward end users, Apple should be well positioned to market the iPhone directly to buyers.

That said, the iPhone landscape is still a volatile place, what with both Macworld and the release of the iPhone API on the horizon. Rubin suggests that users who feel they simply can't live without the iPhone's user interface and Web and media experience could take a look at the iPod Touch, which delivers most of those features along with 8GB or 16GB of storage (just no phone).

Otherwise, he advises iPhone buyers (and would-be gift recipients) to wait and see what the new year brings.

Last stop: Mike Elgan, Computerworld columnist

Oh, dear. Hung jury. I was afraid of this.

For solace, I seek out Computerworld blogger Mike Elgan, who manages to follow Apple and the iPhone closely without actually drinking the Kool-Aid -- or would that be "Apple juice"?

He likes the iPhone very much. He thinks, in fact, it's the best Version 1.0 device he's seen, and he gives Apple props for that accomplishment. But it's still a 1.0 unit after all is said and done, and for that reason, he can't recommend it. Not this year, anyway, and especially not as a gift.

"Six months ago, when there was the novelty factor, this would have made a great gift," Elgan says. "But now we could be more than halfway toward an upgrade for a product that requires an expensive two-year commitment. You'd be giving six months of joy followed by a year and a half of someone feeling like they have something old." So no.

Attention, iPhone shoppers ...

OMG (as the kids say), the iPhone goes down, 3 votes to 2!

On the one hand, I'm overjoyed. I just got a theoretical $399 plus "$60 per month times two years" put back into my wallet, and that feels good during the first week of December.

On the other hand, what am I going to get my guy?

Honey, how about a signed copy of Fake Steve Jobs' new book? Or maybe an iPod Touch and a TracFone? No?

Well, what about something truly classic, something that's timeless, unmoved by development cycles or changing marketplace conditions. Something like golf balls. Or dress socks, maybe cashmere dress socks ...

Windows XP SP3 boasts speed boost, testers claim

2007-11-26T12:18:00.000+02:00

Same outfit that dissed Vista SP1 say XP's 'must-have update' 10% faster than SP2

Windows XP Service Pack 3 (SP3), the update scheduled to release next year, runs Microsoft Corp.'s Office suite 10% faster than XP SP2, a performance testing software developer reported Friday.

Devil Mountain Software, which earlier in the week claimed Windows Vista SP1 was no faster than the original, repeated some of the same tests on the release candidate of Windows XP SP3, the service pack recently issued to about 15,000 testers.

"We were pleasantly surprised to discover that Windows XP SP3 delivers a measurable performance boost to this aging desktop OS," said Craig Barth, Devil Mountain's chief technology officer, in a post to a company blog Friday.

Devil Mountain ran its OfficeBench suite of performance benchmarks on a laptop equipped with Office 2007, Microsoft's latest application suite. The notebook -- the same unit used in the Vista/Vista SP1 tests earlier -- featured a 2.0GHz Intel Core 2 Duo processor and 1GB of memory. The results reported a 10% speed increase under XP SP3 when compared to SP2, the service pack released in 2004.

"Since SP3 was supposed to be mostly a bug-fix/patch consolidation release, the unexpected speed boost comes as a nice bonus," Barth said. "In fact, XP SP3 is shaping up to be a 'must-have' update for the majority of users who are still running Redmond's not-so-latest and greatest desktop OS."

According to the Office performance benchmarks, Windows XP SP3 is also considerably faster than Vista SP1. "None of this bodes well for Vista, which is now more than two times slower than the most current builds of its older sibling," said Barth.

While Microsoft was not available for comment over the weekend about XP's performance, it defended Vista SP1 after Devil Mountain's first round of tests. "We appreciate the excitement to evaluate Windows Vista SP1 as soon as possible. However, the service pack is still in the development phase and will undergo several changes before being released," a spokeswoman said in an e-mail.

Microsoft has at times struggled to wean users from the six-year-old Windows XP and get them to migrate to Vista. During 2007, for example, it made several XP concessions, including adding five years to the support lifespan of the Home edition and extending OEM and retail sales of XP through June 2008, as it recognized that customers wanted to hold on to the older OS.

Recently, Forrester Research said that XP remained Vista's biggest rival, and cited survey data that showed American and European businesses would delay Vista deployment, in part because of application incompatibility issues with the new OS. "That's causing a lot of XP shops to take a wait-and-see approach to Vista," said Forrester analyst Benjamin Gray two weeks ago.

New QuickTime bug opens XP, Vista to attack

2007-11-26T12:17:00.000+02:00

Security researchers warn that attack code targeting an unpatched bug in Apple Inc.'s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind.

There was no word as of Sunday whether the Mac OS X versions of the media player are also vulnerable.

The critical bug in QuickTime 7.2 and 7.3 (and perhaps earlier editions as well) is in the player's handling of the Real Time Streaming Protocol (RTSP), a audio/video streaming standard. According to alerts posted by Symantec Corp. and the U.S. Computer Emergency Readiness Team (US-CERT), attackers can exploit the flaw by duping users into visiting malicious or compromised Web sites hosting specially-crafted streaming content, or by convincing them to open a rigged QTL file attached to an e-mail message.

Symantec credited Polish research Krystian Kloskowski with first reporting the zero-day vulnerability on the milw0rm.com Web site Friday. By Saturday, Kloskowski and an unnamed researcher identified as "InTeL" had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3.

A successful exploit would let the attacker install additional malware -- spyware or a spambot, say -- or cull the system for information like passwords. An attack that failed would likely only crash QuickTime.

A gaffe by Apple's developers, however, makes attack easier on Vista, said InTeL, who claimed that the QuickTimePlayer binary does not have Address Space Layout Randomization (ASLR) enabled. ASLR is a Vista security feature that randomly assigns data and application components, such as .exe and .dll files, to memory to make it tougher for attackers to determine the location of critical functions or vulnerable code.

Apple's forgetfulness prompted Symantec analyst Anthony Roe to note: "This makes reliable exploitation of the vulnerability a lot easier."

Another Symantec researcher, Patrick Jungles, added that QuickTime vulnerabilities usually draw attackers quickly. "In the past, we have seen a very short period of time between the release of proof-of-concept exploits for QuickTime vulnerabilities and the development of working exploits by attackers," said Jungles in a note to customers of his company's DeepSight threat network. "Popular applications such as QuickTime are strong candidates for exploitation in the wild."

Apple last patched QuickTime less than three weeks ago when it released version 7.3 to fix a number of critical image-rendering and Java-related vulnerabilities. So far in 2007, Apple has issued six QuickTime security-related updates that have fixed a total of 31 flaws.

Update: T-Mobile unlocks iPhone for a (big) price

2007-11-22T14:26:00.001+02:00

T-Mobile GmbH will sell unlocked iPhones for $1,482, the German mobile carrier said today, marking the first time Apple Inc.'s smart phone has been officially available unlocked.

Unauthorized hacks, however, have been used for months by customers to unlock their iPhones so they can make calls on multiple networks or use the device in countries where Apple hasn't yet entered the handset market.

In a statement today, T-Mobile said it would immediately start selling unlocked iPhones, and unlock any already-purchased iPhone for no charge. It made both moves in response to a preliminary ruling Monday in a lawsuit brought by Vodafone Group PLC's subsidiary, Vodafone Germany. According to the injunction, which T-Mobile is appealing, Apple's wireless partner must offer the iPhone without a required 24-month contract.

The iPhone, which debuted in Germany on Nov. 9, sells for $592, value-added tax included, and has been offered with three rate plans -- called tariffs in Europe -- priced from $73 to $132 per month.

U.K.-based Vodafone had been among the mobile service providers negotiating with Apple for exclusive rights to the iPhone, but in Germany lost out to the larger T-Mobile, which is owned by Deutsche Telekom.

Vodafone has said it isn't interested in blocking sales of the iPhone in Germany, but wants the courts to level the playing field between carriers. Vodafone did not reach an agreement with Apple in the two other European markets that Apple has entered: Britain and France. Apple's U.K. partner is O2 (UK) Ltd., while Orange, the rebranded France Telecom, won the deal in France, where the iPhone goes on sale on Nov. 29.

"Apple can be profitable just on the hardware," argued Ezra Gottheil, an analyst at Technology Business Research Inc. "More is always better, of course, but by unlocking it for a larger price, Apple gets its money."

Gottheil wasn't surprised by Vodafone's move. "There's a great deal more resistance to locked phones in Europe," he said, noting that Apple has already promised to abide by French law, which bans locked cell phones, when it unveils the iPhone there next week.

"In the end, Apple is a provider of neat devices, and it will always return there," said Gottheil. "If and when it's seriously threatened by a rival, and depending on the duration and terms of its exclusive [contract] with AT&T, I think it would unlock the phone in the U.S. in a second."

But even as T-Mobile promised to abide by the injunction while it appeals the ruling, it also said it would retract the offer if it prevails. T-Mobile is also considering filing a lawsuit against Vodafone seeking unspecified damages, said company spokesman Klaus Czerwinski on Wednesday. "We think the law does not apply to this situation," Czerwinski said from Bonn. "We are still going to court."

T-Mobile will continue to sell iPhones tied to a contract, the company said today. As part of its revised pitch, T-Mobile reminded potential customers that some of the iPhone's built-in features, including Visual Voicemail, which lets users pick and choose messages to listen to, work when connected to its network.

Apple did not respond to a request for comment.

Microsoft confirms that XP contains random number generator bug

2007-11-22T14:24:00.000+02:00

Windows XP, Microsoft Corp.'s most popular operating system, sports the same encryption flaws that Israeli researchers recently disclosed in Windows 2000, Microsoft officials confirmed late Tuesday.

The researchers, Benny Pinkas from the University of Haifa and two Hebrew University graduate students, Zvi Gutterman and Leo Dorrendorf, reverse-engineered the algorithm used by Windows 2000's pseudo-random number generator (PRNG), then used that knowledge to pick apart the operating system's encryption. Attackers could exploit a weakness in the PRNG, said Pinkas and his colleagues, to predict encryption keys that would be created in the future as well as reveal the keys that had been generated in the past.

As recently as last Friday, Microsoft hedged in answering questions about whether XP and Vista could be attacked in the same way, saying only that later versions of Windows "contain various changes and enhancements to the random number generator." Yesterday, however, Microsoft responded to further questions and acknowledged that Windows XP is vulnerable to the complex attack that Pinkas, Gutterman and Dorrendorf laid out in their paper, which was published earlier this month.

Windows Vista, Windows Server 2003 and the not-yet-released Windows Server 2008, however, apparently use a modified or different random number generator; Microsoft said they were immune to the attack strategy.

In addition, Microsoft said Windows XP Service Pack 3 (SP3), a major update expected sometime in the first half of 2008, includes fixes that address the random number generator problem.

Microsoft and Pinkas have argued over whether the flaw was a security vulnerability, with the former denying the bug met the definition and the latter claiming it is a serious problem that -- while it needs to piggyback on another, more common kind of exploit -- is far from just a theoretical threat.

Tuesday, even as it conceded that XP also had a weak PRNG, Microsoft continued to downplay the possibility of an attack. "If an attacker has already compromised a victim machine, a theoretical attack could occur on Windows XP," a company spokeswoman said in an e-mail. To exploit the PRNG's flaws, an attacker must have administrative rights to the PC, something that's easily obtained by most run-of-the-mill attacks, Pinkas noted.

Previously, Microsoft had used that prerequisite to reject any claim that Windows 2000 contained the security vulnerability, since Pinkas' proposed attack could not accomplish anything on its own. Microsoft stuck to that position with XP. "Because administrator rights are required for the attack to be successful, and by design, administrators can access all files and resources on a system, this is not inappropriate disclosure of information," the company spokeswoman added.

Newer operating systems, however, are completely in the clear. "Windows Vista, Windows Server 2008 and Windows Server 2003 SP2 are not affected by the type of attack Pinkas describes," said the spokeswoman.

Pinkas applauded Microsoft's decision to patch Windows XP. "We're happy to learn that Microsoft is acknowledging that our attack is indeed an issue, and will fix it in XP SP3."

While Microsoft said it will fix the PRNG in Windows XP, it remained mute about patching the flaw in Windows 2000. The aging operating system, which, according to a recent survey by Forrester Research Inc., still powers approximately 9% of all American and European business computers, is in the last stages of support. In that phase, dubbed "extended support," Microsoft is committed to providing only security updates free of charge.

Because the company has determined that the PRNG problem is not a security vulnerability, it is unlikely to provide a patch.

The VA's computer systems meltdown: What happened and why

2007-11-21T15:45:00.000+02:00

At times, the bad news coming from the U.S. Department of Veterans Affairs seems unstoppable: D-grade medical facilities, ongoing security and privacy breaches, and a revolving door of departing leadership. In September, during a hearing by the House Committee on Veterans' Affairs, lawmakers learned about an unscheduled system failure that took down key applications in 17 VA medical facilities for a day.

Characterized by Dr. Ben Davoren, the director of clinical informatics for the San Francisco VA Medical Center, as "the most significant technological threat to patient safety the VA has ever had," the outage has moved some observers to call into question the VA's direction in consolidating its IT operations. Yet the shutdown grew from a simple change management procedure that wasn't properly followed.

The small, undocumented change ended up bringing down the primary patient applications at 17 VA medical centers in Northern California. As a result, the schedule to centralize IT operations across more than 150 medical facilities into four regional data processing centers has been pulled back while VA IT leaders establish what the right approach is for its regionalization efforts.

The Region 1 Field Operations breakdown of Aug. 31 exposed just how challenging effecting substantial change is in a complex organization the size of the VA Office of Information & Technology (OI&T). Begun in October 2005 and originally scheduled to be completed by October 2008, the "reforming" of the IT organization at the VA involved several substantial goals: the creation of major departments along functional areas such as enterprise development, quality and performance, and IT oversight and compliance; the reassignment of 6,000 technical professionals to a more centralized management; and the adoption of 36 management processes defined in the Information Technology Infrastructure Library (ITIL).

As part of the reform effort, the VA was to shift local control of IT infrastructure operations to regional data-processing centers. Historically, each of the 150 or so medical centers run by the VA had its own IT service, its own budget authority and its own staff, as well as independence with regard to how the IT infrastructure evolved. All of the decisions regarding IT were made between a local IT leadership official and the director of that particular medical center. While that made on-site IT staff responsive to local needs, it made standardization across sites nearly impossible in areas such as security, infrastructure administration and maintenance, and disaster recovery.

The operations of its 150 medical facilities would relocate to four regional data processing centers, two in the east and two in the west. The latter, Regions 1 and 2, are located in Sacramento, Calif., and Denver respectively, run as part of the Enterprise Operations & Infrastructure (OPS) office.

A difficult day

On the morning of Aug. 31, the Friday before Labor Day weekend, the Region 1 data center was packed with people. According to Director Eric Raffin, members of the technical team were at the site with staffers from Hewlett-Packard Co. conducting a review of the center's HP AlphaServer system running on Virtual Memory System and testing its performance.

About the same time, staffers in medical centers around Northern California starting their workday quickly discovered that they couldn't log onto their patient systems, according to congressional testimony by Dr. Bryan D. Volpp, the associate chief of staff and clinical informatics at the VA's Northern California Healthcare System. Starting at about 7:30 a.m., the primary patient applications, Vista and CPRS, had suddenly become unavailable.

Vista, Veterans Health Information Systems and Technology Architecture, is the VA's system for maintaining electronic health records. CPRS, the Computerized Patient Record System, is a suite of clinical applications that provide an across-the-board view of each veteran's health record. It includes a real-time order-checking system, a notification system to alert clinicians of significant events and a clinical reminder system. Without access to Vista, doctors, nurses and others were unable to pull up patient records.

At the data center in Sacramento, with numerous technicians as witnesses, systems began degrading with no apparent cause.

Instantly, technicians present began to troubleshoot the problem. "There was a lot of attention on the signs and symptoms of the problem and very little attention on what is very often the first step you have in triaging an IT incident, which is, 'What was the last thing that got changed in this environment?'" Raffin said.

The affected medical facilities immediately implemented their local contingency plans, which consist of three levels: the first level of backup is a fail-over from the Sacramento Data Center to the Denver Data Center -- handled at the regional level, and the second level of backup is accessing read-only versions of the patient data. The final level of backup is tapping a set of files stored on local PCs at the sites containing brief summaries of a subset of data for patients who are on-site or who have appointments in the next two days, according to Volpp.

Volpp assumed that the data center in Sacramento would move into the first level of backup -- switching over to the Denver data center. It didn't happen.

According to Raffin, the platform has been structured to perform synchronous replication between the two data centers in Sacramento and Denver. "That data is written simultaneously in both facilities before the information system moves to the next stream or thread that it's processing," Raffin said. "At any instant in time, the same data lives in Sacramento that [lives] in Denver." The systems are built in an autonomous model, he said, so that if something strikes only one facility, the other data center won't be affected.

A failure to fail over

On Aug. 31, the Denver site wasn't touched by the outage at all. The 11 sites running in that region maintained their normal operations throughout the day. So why didn't Raffin's team make the decision to fail over to Denver?

On that morning, as the assembled group began to dig down into the problem, it also reviewed the option of failing over. The primary reason they chose not to, Raffin said, "was because we couldn't put our finger on the cause of the event. If we had been able to say, 'We've had six server nodes crash, and we will be running in an absolutely degraded state for the next two days,' we would have been able to very clearly understand the source of our problem and make an educated guess about failing over. What we faced ... was not that scenario."

What the team in Sacramento wanted to avoid was putting at risk the remaining 11 sites in the Denver environment, facilities that were still operating with no glitches. "The problem could have been software-related," Raffin says. In that case, the problem may have spread to the VA's Denver facilities as well. Since the Sacramento group couldn't pinpoint the problem, they made a decision not to fail over.

Greg Schulz, senior analyst at The Storage I/O Group, said the main vulnerability with mirroring is exactly what Region 1 feared. "If [I] corrupt my primary copy, then my mirror is corrupted. If I have a copy in St. Louis and a copy in Chicago and they're replicating in real time, they're both corrupted, they're both deleted." That's why a point-in-time copy is necessary, Schulz continued. "I have everything I need to get back to that known state." Without it, the data may not be transactionally consistent.

At the affected medical facilities, once the on-site IT teams learned that a fail-over wasn't going to happen, they should have implemented backup stage No. 2: accessing read-only patient data. According to Raffin, that's what happened at 16 of the 17 facilities affected by the outage.

But the process failed at the 17th site because the regional data center staff had made it unavailable earlier in the week in order to create new test accounts, a procedure done every four to six months. From there, medical staff at that location had no choice but to rely on data printed out from hard disks on local PCs.

According to Volpp, these summaries are extracts of the record for patients with scheduled appointments containing recent labs, medication lists, problem lists and notes, along with allergies and a few other elements of the patient record. "The disruption severely interfered with our normal operation, particularly with inpatient and outpatient care and pharmacy," Volpp says.

The lack of electronic records prevented residents on their rounds from accessing patient charts to review the prior day's results or add orders. Nurses couldn't hand off from one shift to another the way they were accustomed to doing it -- through Vista. Discharges had to be written out by hand, so patients didn't receive the normal lists of instructions or medications, which were usually produced electronically.

Volpp said that within a couple of hours of the outage, "most users began to record their documentation on paper," including prescriptions, lab orders, consent forms, and vital signs and screenings. Cardiologists couldn't read EKGs, since those were usually reviewed online, nor could consultations be ordered, updated or responded to.

In Sacramento, the group finally got a handle on what had transpired to cause the outage. "One team asked for a change to be made by the other team, and the other team made the change," said Raffin. It involved a network port configuration. But only a small number of people knew about it.

More importantly, said Raffin, "the appropriate change request wasn't completed." At the heart of the problem was a procedural issue. "We didn't have the documentation we should have had," he said. If that documentation for the port change had existed, Raffin noted, "that would have led us to very quickly provide some event correlation: Look at the clock, look at when the system began to degrade, and then stop and realize what we really needed to do was back those changes out, and the system would have likely restored itself in short order."

According to Evelyn Hubbert, an analyst at Forrester Research Inc., the outage that struck the VA isn't uncommon. "They don't make the front page news because it's embarrassing." Then, when something happens, she said, "it's a complete domino effect. Something goes down, something else goes down. That's unfortunately typical for many organizations."

Schulz concurred. "You can have all the best software, all the best hardware, the highest availability, you can have the best people," Schulz said. "However, if you don't follow best practices, you can render all of that useless."

When the Region 1 team realized what needed to happen, it made the decision to shut down the 17 Vista systems running from the Sacramento center and bring them back up one medical facility at a time, scheduled by location -- those nearing the end of their business day came first. Recovery started with medical sites in the Central time zone, then Pacific, Alaska and Hawaii. By 4 p.m., the systems in Northern California facilities were running again.

But, according to Volpp, although Vista was up, the work wasn't over. Laboratory and pharmacy staffers worked late that Friday night to update results and enter new orders and outpatient prescriptions into the database. Administrative staffers worked for two weeks to complete the checkouts for patients seen that day. "This work to recover the integrity of the medical record will continue for many months, since so much information was recorded on paper that day," he says.

A shortage of communication

During the course of the day, said Volpp, affected facilities didn't receive the level of communication they'd been accustomed to under the local jurisdiction model of IT operation. As he testified to Congress, "During prior outages, the local IT staff had always been very forthcoming with information on the progress of the failure and estimated length even in the face of minimal or no knowledge of the cause. To my knowledge, this was absent during the most recent outage."

Raffin denies this. "There were communications," he said. "There most certainly were." But, he acknowledged, they were not consistent or frequent enough, nor did they inform the medical centers sufficiently about implementing their local contingency plan. "It was," he said, "a difficult day."

Once the team realized what it needed to do to bring the systems back to life, Region 1 began providing time estimates to the medical facilities for the restoration of services.

The rift exposes a common problem in IT transformation efforts: Fault lines appear when management reporting shifts from local to regional. According to Forrester's Hubbert, a major risk in consolidating operations is that "even though we're thinking of virtualizing applications and servers, we still haven't done a lot of virtualization of teams." More mature organizations -- she cited high-tech and financial companies -- have learned what responsibilities to shift closer to the user.

Workforce reshaping

Raffin said that iI was never the intent of the realignment to downgrade the level of service experienced by people in the medical facilities. "The message I send to my folks in my organization is, 'You may work ultimately for me within OI&T, but you absolutely work for the network or facility where you're stationed,'" he said. The goal, Raffin said, was to create "that bench strength we've never had."

As an example, Raffin points to a coding compliance tool, an application that exists at all 33 medical centers in his jurisdiction that all run the same version on the same system. "There was a sliver of a [full-time employee] at every medical center that was supporting this application," he said. "There was no structure [for] maintenance and upgrades, no coordination in how we handled problem management." When a problem surfaced, 33 trouble tickets would be logged, Raffin said.

As part of the reorganization, Region 1 has set up a systems team, which includes an applications group. Two people within that group are now coordinating the management of that particular application. "It's a team approach," he said.

Likewise, similar to the argument made by companies that move employees to a service provider during an outsourcing initiative, Raffin claimed that the reassignment of personnel to an organization dedicated to IT will ultimately result in greater opportunities for them and better succession planning for OI&T.

"The only competing interest I have with regards to training are other IT folks, who need other IT training," he said. "I'm not competing with nursing education or with folks who need safety education because they operate heavy machinery at a medical center."

Along the way, that training includes an education in change management process, one of the ITIL best practices being adopted by OI&T that was "new to our IT folks," said Raffin. "They may have read it, but I'm not sure they got it."

Dr. Paul Tibbits is deputy CIO for Enterprise Development -- one of the newly created functional areas within OI&T. Tibbits pointed out that under the previous management structure, "there would have been a lot of competition for mental energy on the part of a hospital director. Does he get his IT staff to read this stuff or not read this stuff?" Under a single chain of command, that education will most assuredly take place, he said.

Tibbits' organization is taking a different approach from Region 1 in how it develops staff skills in the four ITIL processes under his charge. The three-phased approach he described involves real-time coaching and mentoring for "short-term change"; classes, conferences and workshops for midterm change; and updates in recruiting practices for the long term.

"We're hiring outside contractors to stand at the elbows and shoulders of our IT managers through the development organization to watch what they do on a day-by-day basis," said Tibbits. That effort has just begun, he said, with contractors "just coming on board now."

On the other hand, Region 1 under Raffin's leadership has introduced a three-part governance process. The first part is a technical component advisory council, which meets weekly to discuss and prioritize projects. "That is where a lot of training has occurred," said Raffin. Second, a regional governance board also meets weekly to discuss issues related to IT infrastructure. In addition, Raffin is about to implement a monthly meeting of an executive partnership council that will include both IT people and "business" representatives from the medical facilities being served.

Will bringing people together for meetings suffice to meet the needs of transforming the work habits of the 4,000 people who are now part of OPS -- what Tibbits classifies as a "workforce-reshaping challenge?" And will it prevent the kind of outage that happened on Aug. 31 from happening again somewhere else?

Tibbits sweeps aside a suggestion that the centralization of IT played a role in the outage. "Had the IT reorganization never happened, this error might have happened on Aug. 31 anyway because somebody didn't follow a procedure," he said.

Forrester's Hubbert sees the value in bringing together teams within IT to look at operations more holistically. "That's what change agents need to do -- to lay IT on its side instead of keeping it in silos ... to have that end-to-end picture," she said. Plus, that's an effective way to address shortfalls in process and bring staff along as part of the overall transformation effort, Hubbert adds. "Usually, if you take IT people into the boat and ask them what to fix, if you say, 'Hey, this is the whiteboard. Let's figure it out from there all the way back to the root cause,' they have a real willingness to cooperate," she said. From there, they can develop a process to prevent the same type of problem from surfacing again.

Region 1 Fallout

When an event takes place that impairs the operations of 17 federally funded medical centers, investigations and reviews tend to follow.

n the case of Region 1, that includes an internal review of the regional data processing initiative by both the IT and Oversight & Compliance and Information Protection and Risk Management organizations, which report to Gen. Bob Howard, assistant secretary for OI&T, as well as a review coordinated by an unnamed outside firm. Raffin said he expects those reviews to be concluded early in 2008. And although that review was actually scheduled as part of the OI&T's spending plan, he acknowledged that "it's happening a little earlier than we wanted it to."

Until those results are in, the OI&T has put a "soft hold" on migrating additional medical centers into the regional data center concept, said Raffin. "From Region 1's perspective, we were almost 90% complete and should have been 100% complete by Nov. 9. Our project schedule is going to be a little delayed," he said.

Also, Howard has directed the OI&T development organization to work with the infrastructure engineering organization to design a series of system topologies that would provide varying degrees of reliability, availability, maintainability and speed, "up to and including one option that would be 'zero downtime,'" Tibbits said. "I don't think there's any question in anyone's mind that 128 data centers is too many. One might be too few. But what exactly the optimal topology is, all of that is in play right now. Regionalization of some form is alive and well and will move forward."

Region 1 has experienced a dramatic improvement in compliance, Raffin said, "with folks documenting changes in advance of their occurrence." The next phase of that will be an automated system using tools from CA Inc., which are already in use in the VA's Austin Automation Center. He expects that to be implemented within 90 days.

Region 1 has also modified procedures related to the read-only version of records maintained by Vista, the Level 2 backup plan that wasn't fully available on Aug. 31. Now, Raffin said, those systems are more consistently checked for round-the-clock availability and "any system maintenance ... is properly recorded through our change management procedure."

According to Davoren, the medical director in San Francisco, "before regionalization of IT resources -- with actual systems that contained patient information in distributed systems -- it would have been impossible to have 17 medical centers [go] down." As he told a congressional committee in September, the August system outage was "the longest unplanned downtime that we've ever had at San Francisco since we've had electronic medical records." This was proof to Davoren and others at the individual medical centers that in creating a new structure "in the name of 'standardization,'" support would "wane to a lowest common denominator for all facilities," he said.

Raffin isn't ready to give up. He recognizes that an event like the one that happened on Aug. 31 "casts a long shadow" against what he sees as a number of accomplishments. But he also maintains confidence that Region 1 -- and all of OI&T -- has the ability to pull off its transformation. "For me, it's about making sure we're listening to all of our folks and have our ears to the pavement at the medical centers to make sure we understand what our business requirements are," he said.

Change is hard, especially when it's undertaken on such a massive scale. The difficulty was foreseen early on by VA CIO Howard. "This will not be an easy or quick transformation. There will be a few difficulties along the way, and it's natural for some people to be uncomfortable with change on such a scale. But the prospect of more standardization and interoperability we can harness through this centralization is exciting," Howard said in a webcast speech to the IT workforce of the VA shortly after his confirmation hearings by the Senate Committee on Veterans Affairs.

A question remains whether the VA OI&T is moving quickly enough to keep the confidence of its numerous constituencies -- patients, medical staff, VA executives and lawmakers. As U.S. Rep. Bob Filner (D-Calif.), chair of the House Committee on Veterans' Affairs, stated during that September hearing, "We are heartened by many of the steps the VA has undertaken, but remain concerned that more should be done, and could be done ... faster."

Dian Schaffhauser is a writer who covers technology and business for a number of print and online publications. Contact her at dian@dischaffhauser.com.

The holiday shopper's guide to laptops

2007-11-21T15:38:00.000+02:00

Looking to buy a laptop this holiday season? The choices can be mind-boggling, with countless models and configurations to choose from.

In fact, though, it's not that tough to figure out which laptop to buy, and then get a great deal on it. Follow our advice, and you won't go wrong.

The most basic decision you'll make, of course, is whether to go with a Mac or a PC. As with religion, this is a personal choice upon which we won't impinge. So we'll start off with advice for a PC, then provide information for buying a Mac laptop. We'll end our guide with tips for finding laptop bargains.

If you buy a Windows laptop

Let's start with the basics -- the processor. It's this simple: Buy a laptop with dual-core processor, such as Intel's Core Duo mobile or Core 2 Duo mobile (the Core 2 Duo is faster than the Core Duo), or the AMD Athlon 64 X2 Dual Core processor or AMD Turion 64 X2 Dual Core processor (the Turion is faster than the Athlon).
For most users, the speed of the processor itself doesn't matter too much as long as it's dual-core. Dual-core processors are faster than single cores -- particularly when multitasking -- and save power as well, so you'll get longer battery life with them.

You may also find laptops with the Intel Core 2 Extreme mobile processor, which has four cores instead of two. As a practical matter, four cores won't make a dramatic difference compared to two cores, considering that applications haven't yet been written to take advantage of four cores. So if a four-core laptop costs a good deal more than a two-core one, it's probably not worth the extra money.

For RAM, consider 1GB a minimum, and get more if you can afford it. A 2GB laptop will have sufficient power for just about anything a typical user will do, although you might want to opt for a 4GB laptop for a hardcore gamer.

Most people overlook one of the most important laptop specs -- graphics processing. Frequently, laptops use an integrated graphics controller rather than a separate graphics card, which can be problematic not only for gamers, but even for those running Windows Vista Home Premium.

Unless you know the recipient is going to stick to computing basics such as e-mail and word processing, it's a good idea to get a notebook with a dedicated graphics controller, which can enhance such activities as managing a photo library or watching videos online. Gamers need a higher-end card, such as the Nvidia GeForce 8700M GT. If your recipient doesn't play games, though, a card such as the Nvidia GeForce 8400M GS will be fine.

As for how much graphics memory you need, you might want 512MB for gamers, while for general computing 256MB or even 128MB will do.

If you expect that your gift recipient's graphics needs will grow and that he might ultimately want to have more than one graphics processor in his laptop, look for machines that have Scalable Link Interface (SLI), which allows the laptop to use multiple graphics chips.

The rest of the laptop specs are fairly straightforward. You'll want as big a hard disk as you can reasonably afford (your recipient can always add external storage later), a DVD burner and a minimum one-year warranty. As a general rule, the larger the screen, the heavier the laptop and the shorter the battery life, so keep that in mind when buying. If your laptop recipient is a road warrior who spends a lot of time on long airplane flights, consider upgrading to a longer-lasting battery.

If possible, look for a laptop with built-in 802.11n wireless capabilities rather than just 802.11g. That way, when the 802.11n standard becomes widely used, the laptop will be able to take advantage of its faster speeds. Similarly, if you can get a Gigabit Ethernet connection built in, opt for that rather than the more common, slower Ethernet connection.

Finally, look for a laptop with as many slots as possible. If you care about expandability, you'll want a PC Card slot, and ideally, an ExpressCard slot as well. Both slots let you connect a wide variety of peripherals. You want not only USB 2.0 ports, but also FireWire (IEEE 1394) if you can get it. And look for card slots for removable media, such as CompactFlash, Secure Digital, SmartMedia, MultiMediaCard and Memory Stick, if you think your recipient will want to transfer photos or other media files to the laptop.

The price range on Windows laptops is considerable, depending on whether you want a low-end model with only the basics or a high-end screamer capable of playing the latest games. Prices do fluctuate, but you can usually find a laptop with a 15-in. screen, no separate graphics processor, an AMD Athlon 64 X2 Dual-Core CPU, 1GB of RAM and an 80GB hard drive for around $550 -- a Dell Inspiron 1501, for example. On the higher end, you can usually get a laptop such as the HP Pavilion dv6675us with a 2-GHz Intel Core 2 Duo Mobile T7200 CPU, 4GB of RAM, an Nvidia GeForce 8400M GS graphics controller with 128MB of memory, a 250GB hard drive and 802.11n wireless for between $1,500 and $1,700.

And if you need a full-bore machine capable of speedy high-end gaming, you'll have to spend a bundle. For example, an Alienware Area-51 m9750 with dual 512MB Nvidia GeForce Go 8700M GT chips with SLI, a 2.3-GHz Intel Core 2 Duo T7600 processor, 4GB of RAM, a 320GB hard drive, 802.11n wireless and a 17-in. monitor will set you back a whopping $3,600.

Going with a Mac

If you go for a Mac, your choices are much simpler than if you go the PC route, simply because there are far fewer Macs, with fewer variations. However, our recommendations for specs to look out for remain the same as with Windows laptops.

You'll choose between two lines: the MacBook Pro, available with 15- or 17-in. screen in a brushed aluminum case, and the smaller, lighter MacBook, which has a 13-in. screen in a white or black plastic case.

Both lines come standard with several of the items in our must-have list for laptop purchases:

An Intel Core 2 Duo processor
At least 1GB of RAM (MacBook Pros come with 2GB and all models can accommodate up to 4GB)
Gigabit Ethernet
802.11n Wi-Fi
FireWire and USB 2.0 ports (MacBook Pros also have ExpressCard/34 slots)
A one-year warranty

They also include several "nice to haves," such as FireWire ports, built-in webcams, and Bluetooth connectivity, that you might pay extra for with PCs. (On the other hand, you could argue that you're paying for these features on Macs whether you want them or not.)

As general rule, the MacBook Pros tend to have higher-end specs than the MacBooks. For example, the MacBooks come with an integrated Intel GMA X3100 graphics processor with 144MB of RAM. To get a better graphics processor, you'll need to go with a MacBook Pro, which includes a slick Nvidia GeForce 8600M GT graphics processor with dual-link DVI support and either 128MB or 256MB of RAM.

That said, however, even the MacBooks offer a fair number of customization options including processor speed, hard drive size, amount of RAM and so on. MacBooks range from $1,100 to $1,500 before configuration, while MacBook Pros range from $2,000 to $2,800. As with Windows laptops, opting for more memory, a faster processor and/or a bigger hard drive can raise prices considerably.

Where to buy

Now that you've decided what to buy, it's time to put your money down. As a general rule, you'll get your best deals online rather than in a retail store, and you'll have more choice as well.But if you shop online, you won't actually get to put your hands on the laptops, and with laptops -- even more so than with desktops -- hands-on experience is important. So after you've narrowed down your choices, visit some retail stores and try out the laptops.

Next it's buying time. There are plenty of great deals to be had online, but often they only last for a day or so and then vanish. To find them, you need to go to bargain-hunting sites that scour the Internet for special deals and offers.

The best of the bargain-hunting sites is slickdeals.net, which every day lists about a half-dozen new deals. Every once in a while, you'll find a great steal here. Dell laptops, in particular, often show up. Recently, for example, I found a Dell Inspiron E1405 Core 2 Duo laptop for $445 less than its normal price.

Keep in mind, though, that often these deals mean that you can't configure a laptop -- they're take-it-as-is-or-leave-it propositions. Other good bargain sites to try include Woot, DealCatcher and Ben's Bargains.

If you're shopping for a specific model rather than looking for a one-time deal at a bargain site, you should check out manufacturer sites as well as online retailers like Buy.com and Newegg.com, because prices can vary considerably among them.

(This is less true of Macs, by the way, since Apple tends to enforce price uniformity. You can sometimes find rebates or add-ons like a free printer if you buy a Mac online, but you're unlikely to save hundreds of dollars.)

Also make sure to check out a price comparison site like PriceGrabber, which compares prices from multiple online retailers. Happy hunting!

Trojan horse spreads quickly through Microsoft's IM

2007-11-20T16:31:00.000+02:00

Compromises 11,000 PCs in first 24 hours, says researcher
A new Trojan horse that started to spread early Sunday via Microsoft Corp.'s instant messaging client has already infected about 11,000 PCs, a security company said today.

The as-yet-unnamed Trojan horse began hitting systems about 7 a.m. EST on Sunday, according to Roei Lichtman, the director of product management at Aladdin Knowledge Systems Ltd. "We still haven't found what it's meant to do, but at the moment, it's creating an army [of bots]," he said. "Eventually, of course, the operator will send commands to do something."

Users of Microsoft's Windows Live Messenger instant messaging program receive a message that includes spoofed Zip files, such as one named "pics" that is actually a double-extension executable in the format "filenamejpg.exe" or a file labeled "images" that in reality is a .pif executable.

"This is really growing rapidly," said Lichtman. Six hours after it first found the Trojan horse, Aladdin put the total number of assembled bots at about 500; three hours later, that had climbed to several thousand. By late today, the botnet had been built out to 12,000 machines.

As with other malware spread through instant messaging software, the messages bearing malicious code appear to come from people on the recipient's IM contact list.

But while its speed in spreading is impressive, Lichtman pointed to another characteristic of the Trojan horse: It can also propagate via virtual network computing (VNC) clients, the generic term for remote control programs used to access one computer's files and desktop from another.

Once the Trojan horse has installed itself on a PC through IM, it can sniff out a VNC client, then use it to infect a remotely controlled system, perhaps one inside a corporation's firewall. "You increase your reach to these PCs as well, as if you infected them," Lichtman said, momentarily taking the hacker's point of view. To his knowledge, the Trojan's use of a VNC vector was a first.

Aladdin will continue to monitor the bot's spread by tapping into the Internet Relay Chat channel being used to command and control the compromised PCs, said Lichtman.

IM-based threats, while still relatively rare compared with those that spread via e-mail or from malicious Web sites, aren't unknown. Neither are vulnerabilities within IM software. In September, for example, Microsoft forced users of its aged MSN Messenger software to upgrade to Windows Live Messenger 8.1 to stymie a vulnerability in the older program.

Hackers poised for Black Friday assault

2007-11-20T16:30:00.000+02:00

You know retailers are ready for Black Friday -- but so are hackers poised to launch a slew of Web-based attacks against consumers. Your money and personal information could be at risk.

"The holiday season in general is a huge time for hackers ... [and] Black Friday is typically the start," says Paul Henry, vice president of strategic accounts for Secure Computing. "This year, my biggest concern for consumers is all the Web-borne malware out there."

Black Friday, the day after Thanksgiving, is followed in marketing lingo by Cyber Monday. Both are big days for retailers and online fraudsters. Consumers should watch out for e-mails advertising incredible deals that seem too good to be true. "Freebies may be freebies in the sense that you get free malware," says Jamz Yaneza, a senior threat researcher at Trend Micro.

A common scam is to pick the hot toy of the season and send out a spam e-mail blast offering it for much less than the typical price, Henry says. Victims end up entering credit card information on malicious sites designed to look like well-known, trusted ones. They might also unknowingly download a keylogger that can steal personal information people type in when making any kind of Internet transaction.

"Be leery of sites being advertised [in e-mail that might be spam]. In all likelihood you're being directed to a malware-connected site," Henry says. "Do not click on URLs within e-mails even for well-known public sites."

In an HTML e-mail, it's a trivial task for hackers to hide the real URL a victim is clicking on.

"It might say 'ebay.com,' but you're actually clicking on something entirely different," Henry says.

Online fraudsters have been busy this year. Fraud losses related to U.S. e-commerce will top $3.6 billion in 2007, up 20% from last year, according to a report by the vendor CyberSource this month. The increase in dollar loss is due mostly to growing e-commerce sales, as the percentage of transactions that are fraudulent has held steady.

The run-up to Christmas and tax filing season are the two most dangerous times of the year for online shoppers, Yaneza says.

In addition to being wary of e-mails, be careful when searching for holiday deals or specific products on Google and other search engines. Operators of malicious sites have figured out ways to rise to the top of search listings.

"We've seen instances where the top site that is ranked actually gets there by gaming the Google search algorithm," Yaneza says.

Legitimate Web sites can be dangerous too, when hackers inject code into Web pages redirecting users to malicious sites, Yaneza says. The Dolphin Stadium Web site was attacked in this way prior to this year's Super Bowl in Miami.

Black Friday and Cyber Monday will be a bigger problem for consumers than enterprises, according to Henry, because large businesses tend to have better security. But that doesn't mean there's nothing for IT executives to be leery of.

Cyber Monday is thought to be a big day for online retailers because people return to work en masse after the Thanksgiving break and are sitting in front of office computers all day.

Businesses might also worry about employees using work laptops in unprotected Wi-Fi locations, and getting targeted with a keylogger or other malicious software, says Yaneza.

Yaneza's advice for consumers is simple but often effective: Install all the latest updates and patches for your security software and Web browsers.

Trend Micro offers a free tool called HouseCall that can scan your computer for viruses, spyware and other malware.

Hackers jack Monster.com, infect job hunters

2007-11-20T16:29:00.000+02:00

Monster.com took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFrame attack and was being used to infect visitors with a multi-exploit attack kit.

According to Internet records, the Russian Business Network (RBN) hacker network may be involved.

Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site -- Google Inc.'s cache of the page that shows only those firms that begin with the letter B, for example, included Banana Republic, Bank of America, Black & Decker, Boeing, Broadcom and Budget Car Rental.

Job seekers who used Monster's by-company directory on Monday before the site was yanked were pounced on by Neosploit, an attack tool kit similar to the better-known Mpack, said Roger Thompson, chief technology officer at Exploit Prevention Labs Inc.

"A typical infective URL was http://company.monster.com/toyfs/, which is Toyota [Financial's] section]," said Thompson in an instant message exchange Monday night. "Or http://company.monster.com/bestbuy, which is Best Buy's."

The injection of the malicious IFrame code into the Monster.com site probably happened Monday, he added. "It was interesting that we got five or so hits in the space of a few hours today, but none before that. I think it happened today."

Like many other IFrame exploits, this one silently redirected the user's browser to another site hosting Neosploit. In the case of at least one of the exploit sites Thompson identified, there's a connection to the notorious RBN, the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired in China, seemingly vanishing from the Internet.

The IP address of the exploit site is assigned to a server in Australia that is part of the "myrdns.com" domain. That domain, in turn, is registered to a Hong Kong Internet service provider called HostFresh Internet. Both HostFresh and myrdns.com have been linked to RBN activities, including the long-running IFrame Cash scheme, in which RBN pays small site owners a commission for injecting IFrame exploits on other sites.

According to an anonymous blogger who tracks the RBN, other myrdsn.com/HostFresh IP addresses were involved in the Bank of India hack in August.

Thompson said he had just started digging into the Monster.com hack on Monday afternoon. "It is not clear how many pages were affected, but it is likely that the attack was the same for all companies on the site, which might turn out to be a pretty good set of the Fortune 500," he said on his blog.

Maynard, Mass.-based Monster.com last made security news in August, when the company acknowledged that hackers had looted its database for weeks, perhaps months, then used that information to craft and send targeted e-mails that pitched money laundering jobs or tried to trick recipients into downloading malware.

Monster.com was not available for comment Monday night.

IBM to resell tool that lets .Net programmers build software for WebSphere

2007-11-19T19:10:00.001+02:00

IBM signed on Monday an agreement to resell Mainsoft Corp.'s new .Net Extensions for WebSphere Portal product that will allow companies to use .Net to create Java applications for IBM's WebSphere portal.

IBM expects that the tools will help its customers integrate Windows SharePoint Services, Office document libraries, SQL Server Reports and .Net applications into IBM's WebSphere Portal Server without the need for Java developers, the two companies said.

Mainsoft CEO Yaacov Cohen said that the deal is aimed at helping companies that have installed SharePoint portals at the departmental level to leverage the WebSphere enterprise portal.

"Organizations can break the silos of information and take the valuable information from SharePoint sites and make this information able to participate in composite applications," he said. "For the first time, you get composite applications across .Net and Java. The idea is to enable organizations to achieve portal-to-portal interoperability using WebSphere portal as a kind of uber portal, which will federate SharePoint departmental sites."

Healthways Inc., a Nashville-based provider of health care support services, began using the Mainsoft technology in April to build a WebSphere portal for its 27 million customers, said David Jarmoluk, director of enterprise architecture at Healthways. The company wanted to leverage its Microsoft programmers for the portal, but didn't think SharePoint would scale well enough for the job, he said.

So, the company used the Mainsoft's Visual Studio-based .Net Extensions for WebSphere Portal product to allow its Microsoft programmers to develop and put into production dozens of .Net applications in the portal without having to rewrite them in Java, he noted.

Jarmoluk said that developers were able to continue using the Visual Studio environment they best understood, and that the company therefore didn't have to hire any Java programmers. He estimated that the tool set saved the company 30% to 35% in time and costs compared with adding new Java developers, he noted.

"It is all about usability from a developer standpoint and being able to leverage the expertise we already have," he said. "There are a lot of costs and overhead associated with trying to train people and get them up to speed with a new thing. We were able to significantly reduce that by letting our developers continue to use what they already know."

Dell XPS One strips the tease

2007-11-19T19:09:00.001+02:00

After teasing the public for a while, Dell on Friday revealed an all-in-one computer that combines the monitor and CPU in one box.

The XPS One will be available as a system with only a widescreen display, a mouse and a keyboard. Processing capabilities and other components will be fixed inside the display.

The systems will be available in four designs with the monikers indicating the target audience: the Essential One, the Music One, the Performance One and the Entertainment One.

All systems will come with 20-inch displays, Intel Core 2 Duo processors, Windows Vista Home Premium, hard drives starting at 250G bytes, 2G bytes of memory, a TV tuner and remote control. The Music One system will come with wireless headphones for music enthusiasts.

The Entertainment One, designed as a home media center, will include a Blu-ray high-definition DVD burner. It will also come with an ATI Radeon HD 2400 Pro graphics card with 256M bytes of memory.

Popularized by Apple's iMac, all-in-one PCs also have been released by Hewlett-Packard and Gateway.

Dell had planned to release the XPS One on Monday but posted details about it early online. The company declined to offer any additional information about the computer on Friday.

An XPS One was visible onstage behind Michael Dell, CEO of Dell, when he addressed an audience at the OpenWorld conference earlier this week. He didn't give details about the product at the time, only saying it would be released next week.

The product is on pre-sale on Dell's Web site.

NASCAR drivers get HPC help with performance extremes

2007-11-15T14:12:00.000+02:00

Measuring aerodynamic drag at 190 mph 'drives the engineers to a whole new level'

John Picklo, manager of high-performance computing (HPC) at Chrysler LLC, describes himself simply as an "IT guy" who's also a NASCAR fan. And he will be rooting Sunday for drivers of Dodge cars in the final race of this year's Nextel Cup.

The Chrysler engineers who work on the HPC systems that Picklo manages use the machines to improve race car performance. They work closely with the race car teams, and if one of their vehicles win -- as Dodge drivers Kurt Busch and Juan Montoya have in several Nextel races this year -- the driver and the racing team will be honored, the vehicle noted and congratulations shared around the company.

But no one will know, really, what role the HPC engineering staff had. Did the increase in fuel efficiency help? Or the design changes that improved air flow?

"We can make an improvement and get a couple of more miles per hour out of it, and really help -- and if the driver just skims the wall on lap 67, he can negate what we did," says Picklo.

"It is kind of like a football game -- everybody has to have to a good day. If one guy fumbles the ball, he can mess things up," says Picklo, who spoke at this week's SC07 supercomputing show in Reno, Nev. "We're doing our job, and so are the drivers, the teams and everybody else."

But Picklo, whose systems total 1,650 cores running in clusters in Linux and Unix environments, is certain of one benefit. Because these race cars operate at the extremes of vehicle performance, the HPC engineering work that has gone into them has had the "unanticipated benefit" of helping with vehicle performance for a wide range of vehicles.

"The extreme conditions of racing are teaching lessons that we might not have otherwise learned," says Picklo. Measuring aerodynamic drag for vehicles moving at 190 miles per hour "drives the engineers to a whole new level of skills," he says.

One example, he says, is the drag effect that large eddies of air have at such high speeds. By using computational fluid dynamics on the HPC systems, Chrysler engineers discovered how these eddies worked, their impact on vehicles and how to tune for it. That knowledge went back into their passenger car designs, Picklo says.

When vehicles travel at racing speeds, issues that might not be as pronounced at lower speeds may present themselves. For instance, the computer simulations show that a race car driving behind another vehicle may get restricted air flow, which can impact the engine. When that knowledge was applied to vehicle driving behind a large truck on a highway, engineers saw the same reduced air flow, says Picklo.

This ability "to develop more detailed fluid dynamic models for extreme conditions" has taught engineers a lot, says Picklo: "If you never think about what happens at 190 miles an hour, you might not realize that the same effects translate back into passenger vehicles."

India's powerful supercomputer signals HPC ambitions

2007-11-15T14:11:00.000+02:00

The U.S. remains by far the global supercomputing leader. But an India-based company that's part of a major IT offshore services firm has just built the world's fourth most powerful supercomputer, according to the just-released Top500 supercomputer list.

Rankings on that list, which is maintained by academic researchers and updated every six months, can be notoriously short-lived, thanks to the relentless worldwide push to build faster systems. But India's position near the top of this list is a clear signal of its ambitions in information technology.

"We would like to be in the forefront of [high-performance computing] research, services," said Ashwin Nanda, who heads Computational Research Laboratories in Pune, India, which owns the system. The goal is to "basically bring the analytical brainpower of India to solve the supercomputing, HPC-related problems, that we have in the world," he said.

"This is a completely new market for us," said Nanda, who was attending the Supercomputing 07 conference in Reno, Nevada, where the Top500 list was announced.

CRL is a wholly owned subsidiary of Tata Sons Ltd., which is in turn part of a conglomerate that's one of India's largest IT offshore services providers.

Nanda said his company's supercomputer, built with Hewlett-Packard Co. servers using Intel chips with 14,240 processor cores, will be used for government scientific research and product development for Tata, as well as to provide services to U.S. customers. The system went operational last month and achieved performance of 117.9 TFLOPS.

India, China and other countries are increasingly being tapped by U.S. and European firms for research and development. But of the supercomputers powerful enough to make the Top500 supercomputers list, only nine, or just under 2%, are in India. The U.S. is home to 283 of the systems, or nearly 57%. Next runner up is the U.K., with 48 or nearly 10% of the systems powerful enough to make the list.

While India's system ranked high, it's still a distance from the top position. That fastest system, with some 213,000 processing core, is IBM's BlueGene/L System, a joint development of IBM and the Department of Energy's National Nuclear Security Administration. It achieved a benchmark of 478.2 TFLOPS.

Horst Simon, associate laboratory director of computing sciences at the Lawrence Berkeley National Laboratory in Berkeley, Calif., and one of the Top500 list authors, said it was exciting to see India's entrance into the top 10 and said the country has "huge potential" as a supercomputing nation.

"India is very well known for having great software engineers and great mathematicians, and having a [HPC] center there is a catalyst for doing more in the high-performance computing field," said Simon, who said it brings "a whole new set of players into the supercomputing world."

Tech for Teens

2007-11-15T14:08:00.000+02:00

Camps use cool gadgetry to attract middle-schoolers to future tech careers.

Faced with dwindling enrollments in university computer science and IT programs, the Society for Information Management has taken a novel approach to engaging America’s youth in potential IT careers: It is partnering with public libraries and other organizations to create technology camps for teenagers.

The first such summer camp, which Chicago-based SIM organized three years ago with the Memphis Public Library, “connects SIM to the next generation of technology users,” says Terrice Thomas, who works at the Memphis Public Library & Information Center.

The weeklong Teen Tech Camps, which target 12-to-15-year-olds, give kids a chance to learn about BSOs — “big, shiny objects” such as iPhones, digital cameras and other gadgets — says John Oglesby, director of IT strategy at Memphis-based ACH Food Cos. and former president of the Memphis SIM chapter.
The gadget sessions, conducted by employees of SIM Memphis member companies, are intended to appeal to teen campers while teaching them how technology can be applied in a work environment. For instance, one instructor demonstrated how tablet PCs can be used in hospitals, “and that surprised some of the kids,” Thomas says.

The high-tech gadgets also benefit the library’s staffers, who are learning about emerging technologies and receiving training on the devices used at the camp, she says.

The Memphis camps, which have drawn 12 to 18 teenagers per session, require applicants to obtain a referral letter from a teacher and to write a short essay to gauge their interest in the program, according to John Lloyd, the business and sciences librarian.

The first session was so popular that “we’ve had kids try to sneak into the camp” each of the past two years, says Betty Anne Wilson, assistant director for library advancement.

This past summer, campers produced their own webcasts.

Officials from SIM’s Memphis chapter and the Memphis Public Library worked closely to develop the camp program. “One of the reasons it worked so well is that John [Oglesby] and I talked a lot about the missions of both organizations,” Wilson says. The library has “a lot of experience with teens and had done a lot of programs with them,” she adds.

Expansion Plans

SIM officials are so enthusiastic about the Memphis camp that they’re “trying to find ways to incorporate this into other SIM chapters,” says Stephen Pickett, chairman of the SIM Foundation and vice president and CIO at Penske Corp. in Bloomfield Hills, Mich.

For instance, SIM has created a set of software templates from the Memphis project that other SIM chapters can use to develop their own Teen Tech Camps with libraries and other community organizations. The software, which includes a budget template, marketing timelines and permission forms, will be available for download from SIM’s home page in the near future, Pickett says.

SIM’s Philadelphia chapter has launched a similar program, starting with a school system and more recently partnering with a nonprofit organization, he says.

“We’re actively working on selling this” to other chapters, Pickett says. “We’re hoping to have 29 more [camps] up and running next year.”

Women in IT: A Lopsided Pay Scale

2007-11-15T14:07:00.000+02:00

According to Computerworld’s annual Salary Survey, male IT professionals continue to outearn their female counterparts.

At the highest level of IT, male CIOs and vice presidents made on average $179,026 in total compensation this year, while women in the same jobs took in nearly $6,000 less, at $173,052. The pay differences between middle managers and technical workers are similarly unequal.

This salary inequity between men and women in IT is a longstanding issue, but it could have short-term consequences for companies that pay female IT workers less, according to Umesh Ramakrishnan, vice chairman of CTPartners, an executive recruiter in New York.

“The pay package is what it is for the best executive,” regardless of gender, says Ramakrishnan. “It’s a rather shortsighted view if you’re paying a female executive less. You’re not going to hold onto that person very long.”

Ramakrishnan says while he hasn’t seen a difference in compensation packages between the male and female IT executives he has helped place, he has seen pay inequities between men and women in lower levels of the IT organization. In many workplaces, the inequity is the result of longstanding differences in pay that have yet to be corrected, he says.

For women who feel that they are underpaid, Ramakrishnan offers this advice: Find out what your peers are earning at similar companies, and present your findings to a supervisor or human resources representative to illustrate your market value.

“It lets the company know you’re thinking about it, and it lets them know whether you’re well paid or underpaid,” he says.

Karen Piper, a business intelligence analyst at Ball Corp., a Broomfield, Colo.-based maker of food and beverage containers, says she believes that the salary gap between men and women has narrowed in recent years. But she doesn’t think the IT landscape is necessarily a level playing field.

“Men don’t have to work as hard as women to get promoted,” says Piper, a 20-year IT veteran. Female IT workers “have to go above and beyond” to advance, she says.

Others aren’t sure there’s a correlation between gender and pay. Didi Raizen, an IT applications manager at Flatiron Construction Corp. in Longmont, Colo., says she doesn’t think she earns less than her male peers at other companies. “Women have demonstrated their value in the IT realm,” she says.

Tammy Wicks, a business applications analyst at FedEx Freight Corp. in San Jose, says she, too, is unsure whether there’s salary inequity between men and women in IT. But she says she does know this: “My salary still outweighs my husband’s.”

MySpace, Facebook ad plans violate privacy, groups tell FTC

2007-11-14T14:53:00.002+02:00

Two consumer advocacy groups have asked the Federal Trade Commission to investigate whether new advertising initiatives announced last week by social networking sites MySpace and Facebook adequately protect consumer privacy.
In a Nov. 12 letter to FTC Chairman Deborah Platt Majoras, the Center for Digital Democracy and the U.S. Public Interest Research Group claimed that the "ambitious new targeted advertising schemes" launched by MySpace.com and Facebook Inc. "make clear the advertising industry's intentions to move full-speed ahead without regard to ensuring consumers are protected."
Jeffrey Chester, founder and executive director of the Center for Digital Democracy, said that by launching the advertising plans, MySpace and Facebook are "thumbing their noses at the FTC and consumer privacy rights" by allowing marketers to customize advertisements based on data provided by users in their profiles on the social networking sites.
"MySpace and Facebook are like the digital data equivalent of Fort Knox for Madison Avenue marketers," he said. "It is a kind of one-stop data shop for marketers. They know your interests, your politics and what movies you like. It is a much more rich array of content that marketers simply should not have automatic access to."
Chester said that consumers must be offered a complete opt-out option, and that the social networks must fully disclose how they intend to use their personal information.
The letter goes on to note that since both MySpace and Facebook are working with fast-food advertisers, the FTC should include their plans in its ongoing review of advertisements that may promote obesity among youths.
Several attorneys and privacy advocates last week questioned whether it is legal for the social networks to tell a user's friends about his or her purchases or likes without the user's written consent.
In a statement e-mailed to Computerworld, MySpace said it is "firmly committed to protecting user privacy and adher[ing] to a strict policy." In addition, MySpace noted that by the end of this year, users will be able to opt out of MySpace programs that use their preferences to help advertisers create customized ads.
"Our ad targeting platform is designed to work with user-expressed information from profile pages to create a more-relevant advertising experience," the statement said. "Users who are not interested in participating will have the ability to 'opt out' of the targeting platform."
Facebook did not immediately respond to a request for comment.
This week's letter was a follow-up to a report the two groups sent to the FTC in early November urging it to launch an investigation into new threats to privacy from the behavioral targeting and profiling of users -- especially youth -- by social networks and other online sites.

Microsoft fixes WSUS malfunction in time for Patch Tuesday

2007-11-14T14:53:00.001+02:00

For the second time in less than three weeks, Microsoft Corp. has had to apologize for blunders made by the application that enterprise administrators rely on to deploy the software vendor's security patches and other updates.
Late yesterday, Bobbie Harder, a senior program manager with Microsoft's Windows Server Update Services (WSUS) group, confirmed the latest gaffe in a posting to a company blog.
"Sunday evening, Microsoft renamed a product category entry for Forefront to clarify the scope of updates that will be included in the future," Harder said. "Unfortunately the category name that was used included the word Nitrogen in double quotes (appearing as "Nitrogen"). A double quote is a restricted character within WSUS, which created an error condition on the administration console. This issue occurred on many WSUS servers that synchronized with Microsoft servers between 5 p.m. Sunday and 11 a.m. Monday, Pacific time."
Monday morning, network administrators at Microsoft user companies began posting messages to WSUS support forums after they arrived at work to find the patch delivery software's management console reporting an error, essentially blocking them from retrieving updates.
The timing couldn't have been worse, as Microsoft is scheduled to deliver its monthly security fixes later today.
Harder said the glitch was fixed Monday afternoon and would be propagated to each WSUS server the next time it synchronized with Microsoft's update servers. She also provided instructions for administrators who have set WSUS to sync manually, with separate steps for WSUS 2.0 and WSUS 3.0.
Allen Moore, a systems administrator at DeKalb Memorial Hospital in DeKalb, Ill., said he didn't wait for Microsoft yesterday, but instead used SQL queries posted in a support forum to bring back WSUS. "I applied the two SQL queries to manually fix the tables yesterday, and was able to get back into WSUS without any errors," he said in an e-mail today. "I [also] just checked our WSUS 2.0 server and it appears to be working correctly after updating this morning."
Harder said her team would add new checks to curb errors like this. "We are also improving our publishing tools to make sure that issues like this are caught during the publishing process, before they impact customers," she said.
She said much the same thing, however, less than three weeks ago after admitting that recycling an update package had force-fed Windows Desktop Search (WDS) to client PCs which had been told to ignore the application. "We are also working on improving our internal publishing processes to ensure this does not happen again in the future," Harder said then.
Some users seemed to be unhappy with the trend in WSUS problems. "Thanks, Microsoft, it's great having things like this happen when I'm already too busy!!!" said someone identified as stormforce5 on a WSUS support forum yesterday.
As she did in the wake of October's WSUS snafu, Microsoft's Harder said she was sorry: "We sincerely apologize for any inconvenience this may have caused to our customers."
Anyone still having problems with WSUS should contact Microsoft support, Harder added.

Microsoft patches URI bug, ancient DNS flaw

2007-11-14T14:51:00.000+02:00

Microsoft Corp. today released two security bulletins that fixed a pair of flaws in Windows, including a vulnerability that had been the root of a monthslong debate over patching responsibility.
One of the updates was rated critical, Microsoft's highest threat ranking, while the other was pegged as important, the next-lowest notch in the company's four-step scoring system.
MS07-061 patched the Uniform Resource Identifier (URI) protocol handler bug in Windows XP and Windows Server 2003 that Microsoft admitted was its job to fix only after months of denying that a vulnerability existed in its software. In a security advisory posted Oct. 11, Microsoft owned up to the flaw.
The vulnerability has been exploited in the wild for weeks, most recently by a wave of attacks using rigged PDF files.
Although only PCs running XP or Server 2003 that were also equipped with IE 7 have been shown to be at risk, Microsoft pushed the patch to all users of those operating systems, no matter which browser they had installed. "Microsoft has not identified any way to exploit this vulnerability on systems using Internet Explorer 6," the security bulletin said, "[but] as a defense-in-depth measure, this security update is made available to all customers using supported editions of Windows XP and Windows Server 2003, regardless of which version of Internet Explorer is installed."
Andrew Storms, director of security operations at nCircle Inc., applauded the proactive move. "Microsoft's saying that even though it's unable to exploit [the URI protocol handler bug] for IE 6, the bug still exists, and someone else may come along and figure out an exploit," he said.
According to Eric Schultze, the chief technology officer of Shavlik Technologies LLC, Microsoft is simply following protocol. "They're giving the patch regardless of the SKU of XP or Server 2003, because they can't deliver it as an IE patch," he said. The flawed component, the "shell32.dll" file, is part of Windows, not Internet Explorer.But although the fix should put an end to URI protocol handler exploits which rely on IE -- or, as Storms put it, "at least until the next attacks" -- other applications that register buggy handlers will still have to patch their own code. Microsoft's security experts, including Mark Miller, the director of the Microsoft Security Response Center (MSRC), and Mike Reavey, the operations manager for the group, made that clear in an interview a month ago.
The other bulletin issued today, dubbed MS07-062, patches a DNS cache poisoning vulnerability in Windows 2000 SP4, and Windows Server 2003 SP1 and SP2.
"This is a classic, a nostalgic man-in-the-middle kind of vulnerability," said Storms, who also knocked Microsoft for taking so long to fix the flaw. "This is something that other DNS [Domain Name System] vendors, like BIND, have known about and fixed years ago." Storms, in fact, was quickly able to dig up reports of the DNS vulnerability from as far back as 2002.
"It's not an easy thing to take advantage of, but I'm willing to bet that there's still some script-kiddie code out there that can be modified for this vulnerability," Storms said. An attacker would probably partner an exploit with a phishing e-mail that would entice the recipient to a trusted Web site, say eBay. The exploit, however, would redirect the user to a fake site to plunder personal or financial information.
"This sort of vulnerability has impacted other DNS servers in the past and has been well understood by attackers for a long time," said Chris Valasek, a researcher with IBM Corp.'s X-Force, in an e-mail. "Now that Microsoft DNS Server's susceptibility has been disclosed we may see renewed attacks of this sort."
The only surprise in this month's patches, said Schultze, was the omission of a fix for a bug in third-party anti-piracy software that's bundled with Windows. The vulnerability in Macrovision Corp.'s SafeDisc digital rights management software was confirmed last week.
"I'm guessing that Microsoft wasn't able to wrap the updated [Macrovision] driver in its own installers in time," Schultze said. "Maybe we'll see it as an out-of-band release."
The two bulletins' patches are available via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).

Why telecommuting stinks

2007-11-11T22:48:00.000+02:00

Here are the eight biggest drawbacks to working from home -- even if you do get to stay in your pajamas

Sim Zacks remembers the day when he realized that he hated telecommuting. It was July 6, 2006. Hizballah forces had been shooting hundreds of missiles a day onto his Israeli town along the border of Lebanon. So Zacks, the director of IT for CompuLab, moved his family temporarily to Jerusalem, where a friend offered him a basement office to work out of.

But every time he'd settle in at the computer, he would get distracted. Sometimes the distractions came from phone calls from his wife, who was wandering the city with their four kids. "I'm sitting in the office, answering phone calls, telling them where they have to go, what's going on," Zacks explains. "And while I'm sitting there, I have the need to check the news, then check what I'm supposed to be doing. I really feel that telecommuting is very difficult to do."

Those were exceptional circumstances, of course -- most people don't have to deal with incoming missiles. But Zacks doesn't believe it was simply the situation of being under siege that turned him against telecommuting. Rather, it's the whole idea of working out of a home office and dealing with home issues during work hours, something that may be much more familiar to teleworkers.

Says Zacks, "My experience with telecommuting in general has been more like, I'd sit down in front of the computer. The baby goes to sleep. My wife says something like, 'Oh, the baby is sleeping. Do you mind if I go out and get some groceries?' If I say, 'Yes, I mind,' then she is going to sit there glaring at me while the baby sleeps for a few hours. If I say, 'No, go ahead,' as soon as she closes the door, the baby starts crying, and I can't get work done while I walk around with the baby."

Zacks isn't the only person who sees a downside to physically being outside a traditional business environment. As any manager who has ever said, "How will I know they're really working?" will attest, telecommuting, teleworking, Web working or just plain mobile working has its downsides.

Downside No. 1: You can never get away from the work.

The fact is that although Zacks, a manager, prefers his office environment in Haifa -- where he has others around him, he can take breaks for socializing, he can have lunch with his co-workers, and "different things are happening" -- that's not true for everybody. Therefore, some of his staff occasionally work from home.

But one quality-control manager who has begun telecommuting reported to Zacks that he can't get away from the job. "Whenever he sits down at his computer, whether it is his business hours or not, he sees that he has new e-mails from the job and feels pressured to complete tasks," says Zacks. "Now he's complaining that there is way too much work for him and he's working much more then a normal day."

So the company is working with the manager to set more concrete work times. Also, they've set him up with a portable USB key that includes Mozilla's Thunderbird e-mail application to use with his PC, so that during nonwork hours he can pull out the key and not see the work that's stacking up for him. "This should separate home and work life so he can put control back into his life," says Zacks.

Downside No. 2: You can't just call for a tech support person desk-side.

Cathy Moore, a musician and e-learning content developer and designer in Bloomington, Ind., figured out early on that she was never meant to be in the same office a full 40 hours a week. So since the late 1980s, she has never held a full-time job. Sometimes she works on-site for clients, and other times she works out of a home office. For that reason, she doesn't consider herself a telecommuter. "Most of my clients don't care what time zone I'm in," she says. "My current clients are in Malta and Australia, so there's no time zone that would please everybody."

But even after describing the joy of working out of a sunny, south-facing office with only her dog for company, and going into town with her laptop for a change of scenery, she still complains about having to be her own tech support person. "I have a [technically proficient] geek that I can hire for major stuff," Moore says. "But I have a problem that a lot of self-employed people do -- where I think I have to be able to do it myself."

Most recently, that included debugging graphics problems that mysteriously appeared in her blog, "Making change," having to evaluate software without input from anybody else and searching for alternative broadband options during cable outages.

Downside No. 3: Who will handle the paperwork?

Sometimes the problems with working outside a company are simply aspects of running a business, which is what a lot of people who want to work from home end up doing.

Rob Sullivan finally gave up on his boss ever really following through on promises to set up a telecommuting program for the staff at the search engine marketing firm where he worked. So he quit and opened up PurposeDrivenPromotion Inc., a search engine marketing business, in a basement office in Coloma, British Columbia.

But that solution has had its barriers to happiness. For one, Sullivan hates selling himself and his business. Plus, he's not a "big paperwork person," so invoicing gets put off. Likewise, it was a shock to him in his first year of business when he hit major dry cycles and nobody was buying his services. "From the middle of July, it seemed everybody was on a holiday," Sullivan says. "All of a sudden, the work dried up for a month and I was really scrambling to keep the money rolling in."

Downside No. 4: You can get lonely.

Although most of the people interviewed for this story cited a lack of camaraderie among co-workers as a disadvantage, isolation no longer has to be the burden of the remote worker -- at least, not if the virtual form of socializing will do. Marina Martin, who runs Sufficient Thrust, a corporate efficiency consulting company, turns to social networking tool Twitter whenever she needs a faux co-worker fix. In fact, it has also become her lifeline, the place where she can post her problem-of-the-moment in the hopes that one of her followers will offer up a solution.

Recent fixes include directions for upgrading Martin's MacBook memory after she complained that it was running too slowly; referrals for some Web design work she needed to have done; and "a mnemonic device for remembering how to say 'almond.' "

But Martin, who's based in Vancouver, Wash., misses the luxury of corporate accounting and IT programming services. "I know that outsourcing is the new big thing -- the whole Tim Ferriss four-hour workweek," she says. [Note: Ferris is the author of a book titled The 4-Hour Workweek that purportedly includes advice on "How to outsource your life."] "I've tried it in every area of my life. The only one I've found it to be satisfying in is basic data entry. But if it's not an American I can have a conversation with over the phone and pay a significant salary to, I'm not getting quality back."

Downside No. 5: You can have too much company.

Mike Gunderloy, a Ruby on Rails developer in Evansville, Ind., and longtime home-based worker, actually spent three years plying his coding craft from a 28-foot RV that traversed the country.

Gunderloy, who says he has a "low tolerance for BS," will never work in a traditional office again. "I'm not real good at structured environments. I've gotten far too used to being able to play on my own, take frequent breaks and do whatever the heck I want. No boss is going to give me that sort of flexibility."

Gunderloy admits that he thrives on the chaos of a home life that includes a Web worker wife and four home-schooled kids. He says interruptions don't bother him, "but if you're the sort of person who doesn't interrupt and pick up again, then that's deadly."

While closing the door to keep the work life separate from the home life may be an obvious solution, it's not always the most satisfying, Gunderloy says. "You get this dream, 'I'm going to work at home and see my kids.' Then you realize you can't work in that environment, and you have to put up a door and keep it closed for eight hours, and you didn't see your kids -- and you didn't see anyone else, either."

Downside No. 6: Forget about cost savings and that corner-office promotion.

Home-based work presents unique challenges, as Gunderloy has explored extensively on Web Worker Daily, a blog site dedicated to exploring the work and lives of mobile, connected people. "There are expenses you don't have when you're in an office," he says. "People always point out you're saving money on gas, you don't have to eat out and all that, which is true. But then you have to add back in your own costs of telecom -- unless someone else is paying. You've got to worry about business insurance and covering whatever equipment you've got at home.

"Second, you're not in there doing your part in office politics to protect your job and get the next promotion and slit the throat of somebody who would get it instead of you," he says. "For people in a large, traditionally structured corporation, that's an issue."

Downside No. 7: You have to be savvier about communication.

When people who work geographically apart need to meet, much can be lost in the translation. The inability to read body language or follow what's being sketched out on a whiteboard can result in misunderstandings and lost productivity.

According to Jack Penkoske, director for manpower, personnel and security at the Defense Information Systems Agency (DISA), staff had to be trained to know when they should be on-site for meetings and when phone conferencing would work. "If it's a standard type of meeting -- where it's a status report thing, where you're updating on things -- they're very conducive to that e-collaboration type of setup," says Penkoske. "If it's a strategy discussion or you're getting into a lot more dialogue on issues and concerns and brainstorming, sometimes you find you go back to wanting to have face-to-face meetings for those."

Of the federal agency's 5,000 civilians and 1,600 to 1,700 military personnel, he says, about 40% telework, either weekly or on an ad hoc basis.

Another area where some DISA workers needed education was in the concept of what it means to be "out of the office." "It may sound intuitive," says Penkoske, "but if you're teleworking, you don't put an 'out of office' [message] on e-mail or [say] that you can't be reached by telephone."

Downside No. 8: Your manager may never really know you are working.

Penkoske says that as DISA's teleworking program has evolved, some managers have expressed concern that they have no way to measure staff productivity. His response to them: "'How do you measure it when they're there for eight hours?' When employees are in their traditional offices, most of that should transfer to another location. If you have good [measurement criteria] in place now, you can continue to measure it."

Chuck Wilsker, president and CEO of The Telework Coalition, has a more pointed response when managers tell him they know their people are working because they're in the office: "That's bull----. What's one of the busiest online shopping days? The first Monday after Thanksgiving, when everybody goes back to work. How many people are checking their stocks, doing their e-mail...streaming March Madness from ESPN.com?"

The problem, he says, is twofold. First, managers who have finally earned their corner offices did it by managing hands-on. "Now they have to do things differently," Wilsker explains. Second, most organizations don't have adequate metrics to measure people based on their productivity.

"Go into an office building and walk around," Wilsker says. "I challenge you to find half the people at their desks. Where are they? They're in meetings, conferences, traveling. They're doing all this kind of stuff. How do you manage them?"

And that may ultimately be the biggest telecommuting downside of all: Other than the lack of a daily commute and the ability to wear the same clothes today that you wore yesterday, you may discover that your job hasn't changed one iota. Wilsker says he often asks organizations, "What do you call this when people can work anywhere? Their response: 'We call that work.' "

How to troubleshoot Windows Home Server problems

2007-11-09T14:06:00.000+02:00

Things don't always go according to plan when using any networking hardware or software, and Windows Home Server (WHS) is no exception. If you run into trouble installing or using WHS or the Windows Home Server Connector and Console, check out these tips (and be sure to read my review of WHS.

Getting Windows Home Server Connector and Console to work

If all goes well, installing the Windows Home Server Connector (which also installs the Console) will be a breeze -- insert the CD, follow the prompts, and you're ready to go.

If all doesn't go well, though, you may end up pulling out your hair trying to track down the source of the problem. Could be your PC, your version of Windows, your home network, the home server software, your home router ... when it comes to network troubleshooting, the possibilities, unfortunately, are endless. So if you get a screen like one pictured below, you need

f you find that Windows Home Server Connector won't install, the problem may be a relatively simple one -- NetBIOS over TCP/IP isn't turned on in your network or on your PCs. WHS uses NetBIOS over TCP/IP to identify devices on your network and to communicate among them. If NetBIOS over TCP/IP isn't working properly, you're out of luck.

In Windows, there are three settings for NetBIOS over TCP/IP -- turn it on, turn it off or get the settings from your router. By default, Windows XP and Windows Vista are set up to use the NetBIOS setting from your home router.

If you're having trouble installing or running WHS, check your NetBIOS over TCP/IP settings to make sure that they're not turned off. This varies slightly in Windows Vista and Windows XP.

In Windows Vista:

1. Select Control Panel --> Network and Internet --> Network and Sharing Center --> Manage Network Connections. A screen appears, showing your network connection.

2. Right-click your network connection and choose Properties. The Local Area Connection Properties screen, like the one pictured below, appears.

3. Highlight Internet Protocol Version 4 (TCP/IP) and choose Properties, then click the Advanced button.

4. Click the WINS tab. The screen, shown below, appears. At the bottom, you'll see the NetBIOS setting. Make sure that Default is selected. Click OK, and keep clicking OK until all the screens disappear. You may need to reboot for the new setting to take effect.

In Windows XP, right-click My Network Places, then right-click your network connection and choose Properties. Then select Internet Protocol (TCP/IP), click Properties, click the Advanced button and follow Step 4 above.

If that doesn't fix the problem, the issue may be with your router. If your home router doesn't support NetBIOS over TCP/IP, or supports it improperly, you can run into problems. Unfortunately, there's no list of routers that support it, so there's no simple way to confirm whether your router does.

Your best bet is to update the router's firmware. Check your manufacturer for information on how to do that. I have a Linksys WRT54GX4 and initially couldn't install the Windows Home Server Console. However, once I upgraded the firmware, it worked like a charm.

If upgrading your router doesn't do the trick, go back to the NetBIOS setting screen and select Enable NetBIOS over TCP/IP and keep clicking OK until all the screens disappear. You may need to reboot for the new setting to take effect.

Getting remote access to work

One of WHS's most powerful features is remote access. From anywhere with Internet access, you can connect remotely to WHS to get access to files and folders. Even better: You can take control of any PC on your network remotely as well, as long as you've enabled remote access on that PC.

However, there are several "gotchas" along the way that might make it impossible for you to connect. In the rest of this article, I'll cover how to fix them. Note that I won't offer step-by-step instructions on how to make the connection, because that's beyond the scope of this article; turn to your WHS documentation for that information. Instead, I'll only cover how to fix problems you might run into.

If you have trouble making a connection, you may have to change your router settings to get it to work right with WHS. So you'll have to check your router's documentation for specific details. In this article, I'll show you how to do it with a Linksys WRT54GX4. The instructions will be similar or identical for other Linksys routers. For other brands, the concepts will be the same, but the screens will differ.

Before you start, you'll need to understand a little about your home router, home server and their IP addresses. Your router is assigned a dynamic IP address by your Internet provider, for example, 66.32.43.98. That's your network's external IP address -- the IP address that the Internet sees. Because it's dynamic, it can change at anytime.

Your router uses Network Address Translation to share that single, external IP address among all the computers on the network. But each computer also has its own internal IP address, such as 192.168.1.100, 192.168.1.101 and so on. The router has a built-in Dynamic Host Configuration Protocol server that assigns the internal IP address to each PC. These internal IP addresses allow the PCs to communicate with each other and to connect to the Internet. With those facts as background, it's time to do some troubleshooting.

Troubleshooting your remote connection setup

After you enable a particular user account to connect remotely, you'll have to tell WHS to allow remote connections. That's where you may run into trouble.

Run the Windows Home Server Console, connect to your WHS, then select Settings --> Remote Access. You'll see a screen like the one pictured below.

If the Web Site Connectivity button isn't already turned on, click Turn On next to it. Then, in the Router section, click the Setup button. A screen will appear telling you that WHS is going to configure port forwarding for your router. With port forwarding, when you make a remote connection to your router, your router will forward those requests to your WHS machine. Without port forwarding, you won't be able to reach your server remotely.

Here's where your troubles may begin. WHS can only automatically configure your router if the router uses Universal Plug and Play (UPnP). If you get an error message saying that your router doesn't support UPnP, first check to see if in fact your router does support it -- many routers support it, but turn it off by default. Check your router's documentation for details.

In the Linksys WRT54GX4, log into your router by going to 192.1681.1 in your browser, leaving the user name blank and typing admin into the Password box. (If you've changed the password, use your new password instead.) Then click Administration. You'll see a screen like the one shown nearby. Scroll down to the UPnP section, select Enable, then click Save Settings. Now go back into the Router section on WHS and click the Setup button. It should be able to do the automatic configuration now.

Even if you turn on UPnP, WHS may not be able to configure port forwarding. If it doesn't, you're going to have to go mano a mano with your router and configure port forwarding yourself.

When you configure it yourself, you tell all incoming traffic for specific ports to be forwarded to your WHS. More specifically, when you make a remote connection to WHS, you connect to three ports -- 80, 443 and 4125. We're going to tell your router to forward traffic from those ports to your WHS.

First you need to find out the IP address of your WHS. On any PC on your network, in Windows XP, open up a command line box by clicking Start --> Run. Type CMD into the text box and click OK. If you use Windows Vista, type CMD on the Start Search line. In either instance, when the command line box opens, type net view and press Enter. After you do, you'll see something like the following:


C:UsersPreston>net view

Server Name            Remark

-------------------------------------------------------------------------------
\PRESTONSERVER
\VISTA-DESKTOP
\VISTA-LAPTOP
The command completed successfully.

Look for the name of your WHS, the name you gave it when you first set it up or that came as part of the default setup. In our instance, it's PRESTONSERVER. Now at a command line, issue the ping command, followed by the name of your home server, like this:


ping PRESTONSERVER

The results will look something like this:


C:UsersPreston>ping PRESTONSERVER

Pinging PRESTONSERVER [192.168.1.103] with 32 bytes of data:

Reply from 192.168.1.103: bytes=32 time<1ms TTL=128
Reply from 192.168.1.103: bytes=32 time<1ms TTL=128
Reply from 192.168.1.103: bytes=32 time<1ms TTL=128
Reply from 192.168.1.103: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.103:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note the IP number after the router name. That's your router's IP address on your network. Write it down; you'll need it to configure port forwarding. In this case, it's 192.168.1.103.

Next, you'll need to tell your router to forward all connections from ports 80, 443 and 4125 to the IP address 192.168.1.103. In the Linksys WRT54GX4, log into your administrator's screen. Choose Applications & Gaming --> Port Range Forwarding. Fill in the form you see, as shown in the nearby figure. For the application name, use something like Home Server; it doesn't really matter what name you give it. For the first line, in both Start and End, type in 80 and select BOTH from the drop-down list. For IP address, type in 103 at the end. Check the Enable box. Do the same for two more lines, one for port 443 and one for port 4125. Click Save Settings. You're done; port forwarding will now work.

Note the IP number after the router name. That's your router's IP address on your network. Write it down; you'll need it to configure port forwarding. In this case, it's 192.168.1.103.

Once you've done that, head back to your Windows Home Server Console, to the Remote Access Settings screen outlined earlier in this article and finish configuring remote access, by clicking Setup next to Domain Name.

Now follow the normal instructions for getting remote access to WHS and controlling any PC on your network. The nearby figure shows a PC being controlled via WHS remote connection.

One final note

If the internal IP address of your WHS changes for any reason, you'll have to reconfigure port forwarding, using the new IP address. Why would the IP address change? If you restart your router, for example, the IP address will change. To get around this problem, you might want to assign your WHS a static IP address. For details on how to assign a static IP address to a computer, see your computer's documentation.

AMD takes aim at stream processing with new chip

2007-11-08T15:13:00.000+02:00

Advanced Micro Devices Inc. says it plans to release early next year a high-end chip intended to speed up application performance. The FireStream 9170 could find uses ranging from scientific research to face recognition in security systems.

The chip is called a General Purpose General Processing Unit (GP GPU). It traces its origins to video cards, which process data sequentially -- in a straight stream, so to speak, hence the name stream processing. This processing approach also works well for certain types of mathematical computations. The GP GPU operates as a co-processor to a CPU -- an Opteron, for instance.

AMD released its first processor in this line, FireStream, a year ago. But the company said it didn't push the initial chip in a widespread way, and focused initially on attracting developers. But with the FireStream 9170, AMD says it is aiming at what it sees as a potentially large market, initially among high performance computing users and, in time, for general business users.

AMD is releasing a software development kit along with the processor, so developers can adapt their applications to work with the accelerator. It has also given the FireStream chip 64-bit double-precision floating point capability. AMD says it is the first chipmaker in the industry to introduce the greater capability.

Patricia Harrell, director of stream computing at AMD, believes that with the right kind of application, the FireStream chip can deliver up to a 10x performance gain without any special application tuning, and a greater gain with tuning.

FireStream technology may be appealing for high-performance computing (HPC) situations such as financial analysis, seismic processing in oil and gas exploration, or life sciences research, as well as in security contexts such as face-recognition or image-matching systems. "This technology has really broad uses across other markets," she said.

Not just throwing CPUs at speed problems

The approach that most HPC users take to improve application performance is to add more microprocessors, said Addison Snell, vice president Tabor Research in San Diego, an HPC market research firm. But he said HPC users are beginning to pay more attention to accelerators such as the GP GPU.

Snell noted, however, that there are challenges with effective GP GPU integration. One of those concerns programmability of applications running with an accelerator -- rather than writing things for a standard processor, developers are trying to get various computational elements to go off the usual chip to a different part of the computer that can do the processing faster, he said. "The other challenge is gaining enough acceleration from doing so that you overcome the latency ????????? the time lag from going off one chip on to another chip," he said.

The software development kit AMD is releasing along with the chip itself should help developers address those programming issues, said Snell.

AMD said its FireStream chip will be released in the first quarter and priced at $1,999.

Visa's security best practices to become payment industry standard

2007-11-08T15:12:00.001+02:00

The PCI Security Standards Council, the body managing the Payment Card Industry data security initiative, on Wednesday announced that it will anoint a set of best practices developed by Visa International as the new security standard for third-party application software in the payment industry.

The new standard is called the Payment Application Data Security Standard (PA-DSS) and is based on Visa???s Payment Application Best Practices (PABP).

Over the next few months, the PCI Security Standards Council, together with participating organizations, security auditors, and vulnerability scanning vendors, will offer their comments and suggestions relating to the PA-DSS.

The security council will then incorporate this feedback and publish a final version of the application security standards in the first quarter of 2008, said Bob Russo, general manager of the security standards council.

The application security standards are designed to address growing security concerns related to the third-party payment applications used by retailers and other companies accepting credit card transactions. Many of these applications are old and lack many of the security controls mandated by the credit card companies under PCI.

For instance, older payment application software products are designed to capture and store certain kinds of cardholder data by default, even though the practice is explicitly banned under PCI. Similarly, legacy payment applications seldom have the transaction logging capabilities that are required by PCI.

Visa, which has been by far the most aggressive among the credit card associations in pushing PCI, has for some time now tried to address such issues by leaning on software vendors to adopt its set of payment application best practices. Though Visa cannot contractually require the software vendors to adopt these best practices, it has been pressuring them into doing so anyway, by making it mandatory for merchants to use only PABP-compliant third-party payment software.

Just two weeks ago for instance, it announced formal schedules for companies to ensure that all their third-party payment applications are PABP-compliant.

With yesterday???s announcement, the PCI council has taken Visa???s requirements and forged it into a broader industry-wide mandate -- meaning that soon it won???t be just Visa that???s pressurizing payment software vendors to adopt security controls, but MasterCard, Discover, American Express and JCB as well.

China abandons plans to sell Olympics tickets online

2007-11-06T15:26:00.000+02:00

Crush of buyers overwhelmed system

Organizers of the 2008 Olympics in Beijing gave up on plans for online ticket sales, admitting defeat after a crush of eager buyers crashed the ticketing system last week.

The Beijing Organizing Committee for the Olympic Games (BOCOG), which had promised to host a "high-tech games," will instead offer tickets through a lottery system. Ticket applications will be accepted from Dec. 10 until Dec. 30, but organizers have not said how many tickets each person will be allowed to purchase or when the lottery will be held.

The ticketing fiasco was a blow to preparations for the 2008 Olympics, which have otherwise proceeded with relative smoothness thanks to strong government and popular support.

But that popular support proved to be the undoing of the ticketing system built to handle domestic tickets sales for the games. The system crashed shortly after ticket sales began Oct. 30.

During the first hour of operation, the Web site for ticket sales received 8 million page views, with an average of 200,000 ticket requests filed every minute. Designed to handle 1 million visits per hour and a maximum of 150,000 ticket requests per minute, the system could not cope with demand.

Attempts made on the afternoon of Oct. 30 to reconfigure the system to handle heavier traffic loads did not succeed, and organizers later announced the sale of tickets had been suspended.

Hackers exploiting bug in DRM shipped with Windows

2007-11-06T15:21:00.000+02:00

Microsoft promises to patch third-party anti-piracy software in XP, Server 2003

Microsoft Corp. Monday said it would patch a vulnerability in third-party anti-piracy software bundled with Windows after it acknowledged that hackers are already exploiting the bug.

According to the researcher who first reported the flaw, Microsoft has known of the vulnerability for at least three weeks.

In a security advisory issued late Monday, Microsoft said it would issue a fix for a vulnerability in an older edition of "secdrv.sys" -- a file also also known as Macrovision Security Driver -- that's part of the SafeDisc copy-protection scheme that Macrovision licenses to game publishers.

"The driver, secdrv.sys, is a dispatch driver developed by Macrovision and shipped on supported editions of Windows Server 2003, Windows XP, and Windows Vista," Microsoft said in the advisory. "This vulnerability does not affect Windows Vista."

Computerworld confirmed that secdrv.sys is present on stock installations of both Windows XP and Vista, but that the file creation dates -- Feb. 28, 2006 and Nov. 1, 2006, respectively -- differ, with the newer version included in Vista.

Microsoft also said that attacks were in progress. "We are aware of limited attacks that try to use the reported vulnerability," the advisory continued. "Microsoft will take the appropriate action [which] will include providing a security update through our monthly release process." Until then, Windows XP and Server 2003 users can download a more recent version of the driver -- marked with a creation date of Sept. 13, 2006 -- from Macrovision's Web site.

The bug first surfaced three weeks ago, when Symantec Corp. researcher Elia Florio said an undocumented vulnerability in fully-patched XP and Server 2003 machines, was being exploited in the wild. Although he did not disclose the flaw, Florio's write-up gave several hints about the flawed file. He also reported that when notified, Microsoft said it was already aware of the problem.

"At the moment, it's still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files," Florio wrote in a posting to the Symantec security blog on Oct

16.

Within 24 hours, other researchers, using Florio's clues, had focused on secdrv.sys, found the vulnerability, and posted proof-of-concept code. "Despite there is no patch available, at the momment [sic], we are disclosing this information since an exploit has been caught in the wild so we see no reason to hide information that can be useful for administrators and researchers," said someone identified only as Rubén on the Bugtraq security mailing list Oct. 17. [A corrected version of the Bugtraq message was posted the next day, Oct. 18 -- Ed.]

Florio classified the vulnerability as a local privilege elevation bug -- meaning that an attacker would need local or authorized access to the PC before successfully running an exploit -- but some researchers cautioned that it was dangerous nonetheless. An advisory posted by eEye Digital Security, for instance, said it could be paired with another attack. "The most common exploit scenario would be to couple an exploit for this vulnerability with a user-based exploit (file-format, client-side)," said the eEye alert. "This allows the attacker to launch a remote attack (web-page, email) to execute code that would then launch this attack."

eEye rated the vulnerability as "medium," and warned that attacks might become widespread.

It was not known late Monday why Microsoft bundles the Macrovision driver with Windows. The company was not available for comment, and its security advisory was mum on the subject.

Macrovision pitches its SafeDisc digital rights management (DRM) software to PC game publishers, and touts such characteristics as Automatic Asymmetric Code Blending as part of the package. "Without using a developer's time or resources, automatically intertwine as many as hundreds of Secure Data Types (SDTs) with game code, making it extremely difficult for hackers to remove the security components without essentially crashing the game," Macrovision says on its Web site.

Microsoft did not specify a timetable for patching the Macrovision driver -- or simply pushing the newer version to Windows XP and Server 2003 users -- but its next regularly-scheduled security update is next Tuesday, Nov. 13.

1-800-Flowers.com hopes for blooming mobile sales

2007-11-05T12:49:00.000+02:00

1-800-Flowers.com started life (as their name might remind you) as a florist-by-phone service. It hit the Internet in 1992 to retail flowers, and has since expanded to sell candy, popcorn and other items as well as marketing itself as a provider of "content about celebrations" such as birthdays and anniversaries. Now the service is returning to its origins, after a fashion: Its next move is to reach customers over the wireless Internet, founder and CEO Jim McCann told reporters and analysts here on Friday.

At a press event, McCann announced that 1-800-Flowers.com soon will expand an existing communications services relationship with Verizon Business, a division of Verizon Communications Inc., to include another unit, Verizon Wireless. "Customers are accessing us with the wireless device," but often that customer is in the 30-and-over age group, he said.

According to McCann, to reach potential customers aged 15 to 30 -- a group that more commonly uses mobile services -- 1-800-Flowers.com's wares have to sell at a lower price and the purchase has to be made more immediate. But that's doable. "We can change our business radically," he said.

1-800-Flowers.com already spends about $25 million a year on IT, one-fourth which goes to Verizon Business for communications products and services. In light of the company's interest in working with Verizon Wireless, McCann said he has talked to Verizon officials about making its services to him "more cohesive" than in the past, bringing together divisions between the wireless units and wire-line and business units.

And it's not just the online floral service that's encouraging Verizon to pool its resources. Several Verizon officials at the corporate level said they see the need to have its various products and services marketed in a combined way, and the company is making efforts to accomplish that. For example, John Stratton holds a corporate chief marketing officer position overseeing Verizon's business, wireless and wire-line operations. Also, Nancy Gofus, the chief marketing officer for the business division, said Verizon is exploring ways to offer services for companies that have home-based workers needing helpdesk support for consumer DSL and other services.

Google to unveil mobile platform; target: iPhone?

2007-11-04T23:12:00.000+02:00

Google negotiators this weekend continue to hammer out agreements with wireless carriers, handset makers, software developers and hardware providers, as the company prepares to announce on Monday an ambitious platform for creating mobile applications.

Although Google has declined to comment for months on its rumored move into the mobile space, sources said the company will make an announcement Monday at 11 a.m. EST, and that details of the plan are being finalized this weekend.

Google will announce an open source development platform for mobile applications that will contain a full set of components, including an operating system, a set of common APIs, a middleware layer, a customizable user interface and even a mobile browser, sources said. Instant messaging standard protocols will also be supported.

The platform is intended to simplify the process of creating and deploying mobile applications, so that an application can be built once and be compatible with multiple phones.

On the partner side, well over 30 industry heavyweights are already on board, including Intel, Qualcomm, Broadcom, Nvidia, Sprint Nextel, T-Mobile, China Mobile, Telefonica, NTT DoCoMo, LG Electronics and HTC, the sources said.

With negotiations expected to continue through the weekend and into Monday morning, it's possible that the list could exceed 40 partners. Among those not supporting the announcement at this time are Nokia, Verizon and Apple.

The development platform will be freely available to anyone who wants to use it, and, aside from a common core, will provide a lot of flexibility for modifications and extensions.

The ultimate goal is to lower the costs and simplify the creation of mobile applications and spur innovation that, as Google sees it, has been hampered by technical fragmentation. As such, the Google offering will rival existing mobile platforms from Microsoft and Symbian.

For Google, the benefit will come indirectly from an acceleration in improvements to mobile phone interfaces, which the company reasons will make it easier for people to access online services, like search engines, and applications, from their mobile phones. The intent is to bridge the gap between the Internet and mobile phones.

As usage of Google online services increases on mobile devices, so will the advertising revenue the company generates.

Mobile advertising is a tiny market but is expected to grow quickly in coming years. According to Opus Research, mobile advertising spending in North America and Western Europe will reach a combined $5.08 billion by 2012, up from an estimated $106.8 million at the end of this year. This represents a compound annual growth rate (CAGR) of 116 percent.

Opus Research, which released the forecast last week, said that improving the mobile user experience will drive ad revenue growth, which will prompt more people to spend more time using the Internet via their cell phones.

In addition to Google, all other major providers of online services, like AOL, Yahoo and Microsoft, are busy tweaking their Web sites and Web applications for use via mobile phones.

As the Google deal takes its final shape, it appears more and more likely that it might pit Google against its traditional ally Apple, and align it with carriers that have been hurt by the success of the iPhone.

Although the platform will be available to anyone, including Apple, it could indirectly accelerate the pace at which competing handsets catch up with the iPhone's user experience innovations.

A few weeks ago, Apple announced it will release a software development kit so that third-party developers can build applications for the iPhone. It expects to make it available in February.

If Apple is absent from the partner list in Monday's announcement, it could signal that Steve Jobs's company views the Google platform as a negative development in the mobile market, an interesting situation, considering Google's CEO Eric Schmidt sits on Apple's board.

The intensity of this weekend's negotiations is not surprising, but rather reflective of the bold undertaking Google has assumed in the notoriously complicated world of dealmaking in the wireless market.

As has been reported previously, the components of the Google platform will not be delivered until at least mid-2008. At some point, the effort might even yield a Google-branded phone, sources said.

Apple to allow Mac OS X Server virtualization

2007-11-02T16:14:00.001+02:00

Apple Inc. has relaxed the licensing of its server software and will now allow users to run it in virtual machines, a sign that the company may focus more attention on the business market, said one of the companies developing virtualization software for the Mac.

The change in Apple's end-user licensing agreement (EULA) for Mac OS X Server 10.5 Leopard, first noticed by a system engineer at the University of Wisconsin-Madison, permits OS X Server to run in a virtual machine (VM) as long as each VM is stocked with a different license and the physical system is Apple-made. The new rules don't apply to the client edition of Apple's operating system, which is still barred from being virtualized.

"You may also install and use other copies of Mac OS X Server Software on the same Apple-labeled computer, provided that you acquire an individual and valid license from Apple for each of these other copies of Mac OS X Server Software," the new EULA reads (download PDF). "You agree not to install, use or run the Apple Software on any non-Apple-labeled computer, or to enable others to do so."

"This is the first time they've changed their EULA to allow virtualization," said Ben Rudolph, the director of communications at Parallels Inc., maker of Parallels Desktop for Mac. "We've known for a long time that it was technically feasible to implement OS X in a VM." But Parallels -- like its rival in the Mac virtualization market, VMware Inc. -- was leery of entering the market without a green light from Apple.

This is that green light, said Rudolph.

"Will it take some time? Yes. Are we working closely with Apple on it? Absolutely," he said. A beta, which will be publicly available but will require registration at the Parallels Web site, will be released "sometime in the next month or two," he noted.

Pat Lee, a VMware senior product manager, wouldn't commit to any timetable for his company's support of Mac OS X Server virtualization but said he too was thrilled about the change. "I'm really excited about this," he said today. "There are lots of things to think about, but I can't comment at the moment on future products."

Apple, which didn't announce the EULA change or respond to a request for comment, has traditionally been a tougher sell in the business market, particularly among large organizations. But the virtualization of Mac OS X Server, said Rudolph, is a sign that the vendor is refocusing its efforts.

"Apple's selling into all sizes of business now," he said, "and I think it's mainly because of Mac OS X's ability to run Windows on the Mac. The flexibility of the Intel platform, and the access to critical applications has opened the door [to the corporate market]. It makes sense to look at the server side, too."

Lee concurred. "We've been hearing from customers who would love to be able to run multiple instances of Mac OS X on Xserve, as well as other operating systems, including Windows and Linux. Others want a simpler way to move [Mac] apps from one physical server to another. Virtualization lets them do that."

The requirement that all VMs running Mac OS X be hosted on a physical box built by Apple also points to a tweaked strategy. "The Xserve is a great piece of hardware," said Rudolph, "and virtualization of Mac OS X Server makes Apple's hardware a viable choice now to everyone who wants to run multiple instances on the same box. But if you thought you could run Mac OS X on a Dell, you're out of luck."

Lee, on the other hand, noted that the power of the Apple's quad-core Xserve hardware is largely wasted without virtualization, because few applications take advantage of the multiple cores to run parallel processes for faster performance. "But virtualization parallelizes those apps that aren't meant to be parallelized," he said. Allowing multiple instances of Mac OS X on one Xserve box, however, makes the machine more attractive to Apple's corporate customers.

"This makes [Mac OS X] more flexible and users more open to virtualization," Lee said.

Parallels will focus on delivering a server-based VM that will run Mac OS X, as well as other already-supported guest operating systems -- including various flavors of Windows and Linux -- targeting small- and medium-size businesses. "We want to do something that has the features they need but at the price they can afford," said Rudolph. "VMware has great technology, but for small business, it's prohibitively expensive." Parallels hasn't talked price for a server side VM product, but Rudolph said it would be higher than the desktop software's $80 price tag, but "in a similar pricing structure."

Lee declined to commit to any product or schedule, citing the need to reach out to customers for feedback.

Apple sells Mac OS X 10.5 Leopard in single-license editions that support up to 10 client machines for $499 and an unlimited number of clients for $999.

IBM to let customers sell server energy savings on carbon markets

2007-11-02T16:13:00.000+02:00

BM will announce Friday a program that will make it possible for its customers to document server energy savings -- and even trade them for cash, if they want, on emerging carbon markets.

IBM says it's the first in this industry to offer such a program, and though it's initially making it available only for its mainframes, the company plans to extend it to all its server lines and storage systems as well.

How it works: IBM says that if you take distributed systems -- for instance, x86 servers -- and consolidate them on a mainframe, the move will result in an energy savings. Those savings can be calculated based on reference data, a task that will fall to Neuwing Energy Ventures, an independent firm verifying and trading in energy efficiency certificates.

More specifically, IBM say its ongoing consolidation of 3,900 distributed systems onto 33 mainframes will eventually save the company 119,000 megawatt hours annually. The megawatt hours of savings that Neuwing will calculate will include the total savings to power and cool the data center. One energy efficiency certificate is issued for each megawatt hour saved per year.

Those certificates, in IBM's example, would have an estimated value of between $300,000 and $1 million based on market conditions, said Rich Lechner, IBM's vice president of IT optimization. Those certificates can be issued for each year of the life of the project.

"The value of these certificates is minute to the real energy savings and the real operational savings that you re going to realize," said Lechner.

Savings are the real draw

Indeed, energy efficiency certificates may prove mere frosting on the layers of punishments and incentives already pushing data-center managers to save energy. Unrelenting server growth, rising power bills, insufficient cooling and even power availability have turned power and cooling issues into the number-one data center headache. The U.S. Environmental Protection Agency, which was asked by Congress last year to study power consumption by data centers, reported in August that it expects computer and data center power consumption to double over the next five years.

IBM isn't alone in providing a financial incentive for energy efficiency. Pacific Gas & Electric, for instance, is working with major utilities to expand a program that pays a company between $150 and $300 per server removed from service. The utility has been encouraging its customers to adopt virtualization to increase server utilization.

Under IBM's program, a company could keep its energy certificates and use them simply as proof of corporate responsibility. But other companies might sell these certificates on one of the emerging carbon markets.

If you are operating a data center in the center of London, your data center "is a huge percentage of your total power consumption and thereby your CO2 emissions," said Lechner. "If you don't achieve the savings yourself, you acquire it from a third party," he said, which is this case would be mean buying energy savings certificates.

Existing mainframe users can also claim credits based on increased computing requirements. To the degree that you demonstrate that you are growing on an efficient platform, and avoiding costs such as lightly utilized x86 servers, you can project savings, said Lechner.

Samsung unveils 64Gbit flash memory chip

2007-10-31T12:28:00.001+02:00

Company expects technology to appear in its storage cards by 2009

Samsung Electronics Co. today announced that it has built a 64Gbit NAND flash memory chip.

The new flash storage device utilizes 30-nanometer processing technology and was developed using Samsung's self-aligned double patterning technology (SaDPT), said Samsung officials.

The company said it plans to start manufacturing 30-nm 64Gbit NAND flash devices during 2009. Samsung has already applied for as many as 30 patents for the new flash memory chip, officials said in a statement.

By combining a total of 16 separate 64Gbit flash devices, businesses can create a 128GB flash storage device capable of holding up to 80 DVD movies or 32,000 MP3 music files, noted Samsung.

While some analysts have forecasted of somewhat sluggish NAND demand in 2007-2008, Gartner Inc. has predicted that sales of 64Gbit NAND flash and other higher density flash storage devices could reach $20 billion by 2011.

Joseph Unsworth, an analyst at Stamford, Conn.-based Gartner, called Samsung's achievement "impressive" but openly questioned the company's ability to mass produce the technology with good yields. "Samsung has had a difficult time adhering to its timelines for mass production due to the complexity of MLC architectures and ever shrinking process geometries," remarked Unsworth.

Samsung said that its new double-pattern technology creates a wider-spaced circuit design of the target process in the first pattern transfer and fills in the spaced area more closely with its second pattern transfer on the chip.

Although NAND already has a strong grip on multimedia handsets, Unsworth said vendors must find ways to cut its price and provide more compelling benefits in terms of boot up speed, reliability and power efficiency to make a significant impact on computing capacity.

Samsung said it has also designed and constructed a 32Gbit NAND flash storage chip using the same technology as its new 64Gbit offering.

SanDisk introduces video download device, service

2007-10-31T12:24:00.002+02:00

SanDisk's Fanfare adds to the growing number of iTunes rivals, including Amazon.com's "Unbox" service

SanDisk Corp. introduced on Monday a service for downloading free and advertising-supported video from the Internet, which could compete with Apple Inc.'s iTunes.

SanDisk said its new system, called "Fanfare," serves as a companion to the Sansa TakeTV PC-to-TV Video Player, a pocket-sized memory module which it also introduced on Monday. The device lets users save videos downloaded onto a personal computer and move them to a traditional television.

Fanfare, now in the early "beta" stage, will be launched as a full version early next year.

SanDisk's device and online service arrive as consumers are exercising more control over when they watch TV programs, with many viewing shows on computers or portable media players.

Apple remains dominant in video and audio downloading, but it is expected to face a tougher time filling its iTunes store with TV shows and movies as big media companies gird against repeating the music industry's mistakes by giving away content at cheap prices.

Fanfare adds to the growing number of iTunes rivals, including Amazon.com's "Unbox" service.

"The overall vision of Fanfare is to enable users to draw from a rich catalog of free and paid video content from a single location for playback on a wide variety of portable devices in the future," SanDisk said in a statement.

The only major U.S. network affiliated with the service at launch is CBS Corp.'s CBS and its pay-tv unit, Showtime Networks, with shows such as "CSI" and "Dexter." Fanfare will also have videos from Smithsonian Networks, The Weather Channel and TV Guide Broadband.

Federal judge delays decision on Microsoft antitrust oversight

2007-10-31T12:24:00.001+02:00

New Jan. 30, 2008 deadline gives all sides more time to argue the case

A federal judge today gave Microsoft Corp., state regulators and the Department of Justice (DOJ) more time to argue whether the company should be held to its antitrust settlement until 2012.

U.S. District Court Judge Colleen Kollar-Kotelly approved a motion filed by Microsoft, the DOJ, 17 states and the District of Columbia that pushed the extension decision out as far as Jan. 31, 2008. Originally, Kollar-Kotelly was expected to rule next Tuesday on whether major sections of the consent decree that Microsoft and regulators signed in 2002 would expire Nov. 12.

"It would not be practical for the parties fully to brief the Motions, and for the court to consider the Motions and render a ruling, prior to the current expiration of the Final Judgments," Kollar-Kotelly said today in a ruling.

"This temporary extension is procedural in nature and not a ruling on the merits of the motions," cautioned Jack Evans, a Microsoft spokesman, in an e-mail Tuesday afternoon. "[This] will give Microsoft and the other parties a bit more time to file their briefs and the court more time to issue a ruling."

Although most of the consent decree was to expire in under two weeks, several states have been pressing for another five years of oversight, saying that Microsoft still has a monopoly on the desktop operating system market and could stymie attempts by Web-based applications to break that hold. Earlier this month, California and New York, each leading a different group of states, filed motions with Kollar-Kotelly asking her to watch Microsoft until November 2012.

"The threat that these [Web-based] technologies pose to Microsoft's Windows monopoly through their ability to erode the applications barrier to entry depends, in large part, on Microsoft's willingness to maintain [Internet Explorer] as a standards-compliant browser and to continue supporting cross-platform implementations," the California group said in its filing.

Under the new schedule, Microsoft will have until Nov. 6 to submit its response to the California and New York requests for further oversight. U.S. antitrust regulators have until Nov. 9 to file a brief explaining why the DOJ doesn't want an extension, and the states will have until Nov. 16 to reply.

Kollar-Kotelly did not set a date for her ruling, saying only that it would come before the Jan. 30 deadline. She has given no hint as to how she will rule, but antitrust experts said as recently as last week that it would be a long shot to expert her to add another five years to the decree. "She is going to have to have some evidence that the decree hasn't done what it's supposed to to extend," Herbert Hovenkamp, an antitrust scholar from the University of Iowa College of Law, said then. "She'll need more than what she's heard."

Microsoft has maintained that the 2002 agreement has served its purpose, and will presumably argue that point in its filing next week.

The Google phone: Has a wireless upheaval begun?

2007-10-31T12:22:00.000+02:00

Questions remain, but analysts expect a Google phone by mid-2008

The Google phone is inching closer to reality, with wireless handhelds running Google Inc. applications and operating software expected in the first half of 2008, several industry analysts said today.

Some see Google's model as revolutionary in the U.S., where nearly all customers buy their cellular phones from a wireless carrier and are locked into a contract with that carrier. But Google's entry could signal a more open system where a customer buys the Google phone and then chooses a carrier, they noted.

The Wall Street Journal today cited unnamed sources and said that Google is expected to announce software within two weeks that would run on hardware from other vendors. The Google phone is expected to be available by mid-2008. The company did not comment.

Last week at the semiannual CTIA show in San Francisco, several analysts said they had heard rumors that Google would be offering software to Taiwan-based device maker High Tech Computer Corp. (HTC) for the Google phone.

Today, Gartner Inc. analysts Phillip Redman said the rumor was still that the Google phone "is coming from HTC for next year, [with] 50,000 devices initially."

HTC could not be reached for immediate comment.

Lewis Ward, an analyst at Framingham, Mass.-based market research company IDC, said Google is clearly working on software for a phone, but after making a presentation at CTIA on emerging markets last week, he said, "It didn't sound like it was on HTC after all."

Unlike several analysts who said that Google could face a fight from carriers opposed to open networks and open devices, Ward and Redman said some carriers will cooperate with Google. "It's possible some carriers will work with Google," Ward said. "AT&T seems to be more open already with its iPhone support and other things, while T-Mobile and Sprint Nextel may be more open than Verizon Wireless."

Redman said that Google's "brand is attractive, so I think there will be takers" for building hardware and for providing network support.

At CTIA, Ward said a Google phone would make a wireless portal out of what Google already provides on a wired network to a PC, such as maps, social networking and even video sharing.

"This is about Google as a portal," Ward said last week. "This is fundamentally about wireless and wire-line converging."

Ward said Google's plans for its phone software are still up in the air. "What's unclear also is whether it will be a Linux free and open [operating system] running on top of the hardware, with applets and widgets and search and all the advanced stuff that Google has done in the past."

Jeffrey Kagan, an independent wireless analyst based in Atlanta, said many questions are raised by Google's proposition, including what the phone could be named. "Will it be a regular phone, or will it be more like the Apple iPhone? How will customers pay for it? Will it be different from the traditional way we use and pay for wireless phones? There are so many questions," Kagan said.

Like Apple Inc. with the iPhone, "Google could be very successful if they crack the code." Kagan added. "The cell phone industry ... is going through enormous change and expansion. Many ideas will be tried. Some will work, and some will fail."

Excel 2007 flunks some math problems

2007-10-30T12:53:00.000+02:00

Microsoft confirms spreadsheet returns 100,000 when it should show 65,535

Microsoft Corp. yesterday confirmed that Excel 2007, the newest version of its market-leading spreadsheet, returns incorrect calculation results in some cases.

The math bug first surfaced Saturday on Microsoft's own Excel support newsgroup when a user named Molham Serry reported that when he multiplied 850 by 77.1, Excel 2007 returned 100,000 rather than the correct 65,535. Others on the newsgroup quickly took up the standard, eventually posting more than 120 messages to the thread. Among their findings: Other calculations claimed 100,000 was the correct answer.

Yesterday, the Excel team offered a mea culpa posting to a Microsoft company blog. "The majority of reports were focused on multiplication, but our testing showed that this really didn't have anything do to with multiplication," said David Gainer, lead project manager for Excel. "It manifested itself with many, but not all calculations in Excel that should have resulted in 65,535. Further testing showed a similar phenomenon with 65,536 as well."

Only Excel 2007 is a math dummy. Earlier versions of the spreadsheet, including its immediate predecessor, give the correct answers.

Gainer said that the bug isn't in Excel's calculations, but in code that takes values and formats them to be displayed in the worksheet. To prove that Excel knows its multiplication tables, he suggested entering 850*77.1 in Excel 2007 -- yielding the incorrect 100,000 -- then multiplying the result by 2. The spreadsheet will return the right value, 131,070, not 200,000.

Excel displays the wrong result in an even dozen cases, Gainer added, all involving six floating-point numbers around 65,535 and 65,536. "All other calculation results are not affected," he said.

A fix for Excel -- and for SharePoint's Excel Services, which also sports the bug -- is in the works, Gainer said. He didn't set a date for the bug fix release, saying only that "we expect [it] to happen very soon." The patch will be posted for downloading, presumably to Microsoft's download site, and will also be pushed to users via a future Windows Update and a Windows Server Update Services offering. A Microsoft spokeswoman, however, said a date had not been set for the fix, or for its appearance on WU and WSUS.

Microsoft's next scheduled security patch day is Oct. 9.

Microsoft rebuts OneCare auto update accusations

2007-10-30T12:48:00.000+02:00

But it should better spell out user settings changes, says adware expert

Microsoft Corp. confirmed that its OneCare consumer security software modifies Windows' overall patch options during installation but said that the tool tells people that their settings may be changed.

"When you first install Windows Live OneCare, setup informs you that if you choose to proceed, your computer settings will be changed to automatically download and install important updates from Microsoft Update," an unidentified member of the OneCare team blogged late last Thursday.

Earlier that same day, a popular Windows newsletter reported that OneCare altered Automatic Updates (AU) in Windows XP and Vista without telling users or getting their approval. According to Scott Dunn, an editor of the "Windows Secrets" newsletter, OneCare sets AU to full-automatic mode and even switches a pair of services back on if they have been manually disabled by the user. Dunn speculated that the behavior might explain two-week-old reports of patches being installed and systems rebooting without permission.

"This behavior is by design and is not unique to the latest version of OneCare," the Microsoft blog post continued. "It helps ensure that your computer continues to receive important updates as soon as possible after they are released."

The post included a screenshot of the first installation dialog that users see. Text in that dialog reads, "By using OneCare you agree to let Microsoft make changes to your system, such as enabling features that keep your system up to date and make it safer for you to browse the Internet." The disclaimer does not specifically say that AU's settings will be changed and, contrary to the statement in the OneCare blog post, it does not mention the Microsoft Update patch service.

A researcher noted for his work in dissecting questionable install disclosures said that OneCare fumbles when it comes to adequately informing users.

"Microsoft uses a lengthy multiparagraph statement in an installer screen, and the affirmative button is labeled simply 'Next' (not 'I agree' or similar)," said Harvard Business School assistant professor Ben Edelman, who has investigated adware installation disclosure policies and language. "This design means some users will inevitably 'consent' and receive updates without fairly understanding what will occur."

Edelman called on Microsoft to clearly state what it will do to users' PCs before it installs OneCare. "[They] ought to do more to alert users to the significance of the text on that screen, both by emphasizing what's most important and by assuring that the continue-install button alerts users to the fact that they're not just going on to the screen, but that they're actually indicating agreement to have their computer modified as Microsoft sees fit," he said.

The OneCare team hinted that it might do just that but stopped short of promising changes. "We are evaluating user feedback and will be revisiting how we communicate the installation details of Windows Live OneCare," the blog said.

A OneCare user commenting to the Microsoft blog called for more information during installation. "I see no practical reason you cannot post a warning label on that same initial notice that all updates for the OS on which OneCare is being installed will be set to 'Install updates automatically,' and give an opt-out option," said someone identified as Uncfudd.

Dunn, the "Windows Secrets" editor who first reported on OneCare's AU changes, reacted Monday to Microsoft's rebuttal. "It isn't apparent that this [disclosure] refers to updating your entire system via AU or just updating virus definitions," he said in an e-mail. "A better way to go would be to ask a question as part of the installer, with the default being to not change the user's current settings.

"Microsoft used to be an innovator in user interface research," he added. "Surely this isn't too hard for them to figure out."

After a Data Breach: Navigating the tangle of state notification laws can be exasperating -- and costly

2007-10-30T12:44:00.000+02:00

There are already more than 30 different notification requirements on the books

Bananas.com was caught off guard last year. The musical instrument sales site suffered a data breach that was followed swiftly by a double whammy of consequences.

Roughly 250 customer records were exposed, likely after an individual stole an administrative password by accessing systems remotely. (Site owner Bananas at Large has since put additional security procedures in place to prevent a recurrence.)

After the breach, the 25-person company scrambled to comply with the many state laws requiring customer notification. It alerted only the affected customers, either by mail or e-mail. Because its own resources were limited, Bananas referred victims to large credit-reporting agencies to monitor for subsequent financial damage from the breach.

Despite its efforts, Bananas apparently failed to meet all the various state notification requirements and was subsequently slammed with fines and fees by major credit companies. “They did not specifically provide a reason for the fees other than saying that we had not met all of the terms in our agreements with them,” says Bananas President J.D. Sharp. “They’ll fine the pants off you,” he adds.

The Bananas experience provides a hint of the turmoil a company can face as it tries to cope with disclosure requirements in the wake of a data breach. With more than 30 state data-disclosure notification laws now on the books, officials at many companies doing interstate business are hoping that cohesive national legislation will smooth out the nuances among differing statutes. But so far, federal legislation that would unify corporate disclosure rules is merely inching forward.

With no imminent legislative relief in sight, corporations sometimes resort to blanketing customers with notifications after a breach — lobbing disclosures even in those states that don’t require them, simply to cover all bases. But this practice can have “unintended detrimental consequences,” says Robert Scott, managing partner at the Dallas office of Scott & Scott LLP, a law and IT services firm.

Studies have shown that most customers would take their business elsewhere if they received two or more security breach notices, says Scott. “When faced with a security incident, businesses should carefully determine who has been impacted, review their breach notification laws in the relevant states, and devise a breach notification strategy that satisfies the legal obligations and properly notifies affected consumers,” he says.

Many organizations are integrating the efforts of IT, Legal and other departments to come up with strategies to comply with state regulations and ultimately weather worst-case scenarios.
Others are stepping up encryption efforts, since many states don’t force companies to disclose security incidents if the compromised data was encrypted.

Companies as varied as Microsoft Corp., Bank of America Corp. and Verizon Communications Inc. have all taken steps to address the issue with specific teams and processes to handle disclosure in the event of a breach. In large companies, disclosure activity often involves multiple jurisdictions, such as the offices of the chief auditor, the chief compliance officer, the chief privacy officer and the chief technology officer or the CIO, says Joseph Rosembaum, a partner at New York law firm Reed Smith LLP.

The lack of a central authority can create problems.

“Where responsibilities are partitioned across a diverse set of functions, each office may have the ability to provide greater focus on individual issues, but the challenge of coordination across multiple disciplines is more difficult,” Rosembaum notes.

Moreover, it takes corporate vigilance to keep pace with so many differences in state disclosure laws — variations that start with notification triggers. Some states require notification only if a breach is likely to harm individuals. Others force companies to cast a wider net.

“For some states, any breach that compromises the security or confidentiality of covered personal information triggers the obligation to notify the affected individuals,” notes Thomas Smedinghoff, a partner at Chicago law firm Wildman, Harrold.

The timing on triggers also varies. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami.

Notification triggers aren’t the only differences among state laws. For example, although one state might allow exemptions for compromises of encrypted data, “another state without such an exception would require a notice, even though the data was unreadable,” says Geoff Gray, a privacy and data security consultant at the Cyber Security Industry Alliance in Arlington, Va.

And as Bananas.com learned, the high cost of notification compliance doesn’t stop with the resources it takes to coordinate a response and alert customers. “Enterprises may face potential litigation and fines,” says Scott.

Damage Control

The team at ChoicePoint Inc. knows all too well the complexities of navigating state disclosure laws.After a data breach two years ago, the Alpharetta, Ga.-based company dashed out notices to about 163,000 people. “We expanded upon legislation that only existed at the time in California and opted to make nationwide notification of potentially affected consumers, without any state or federal law requiring us to do so,” says Christopher Cwalina, ChoicePoint’s assistant general counsel and vice president for compliance.

The company’s woes made headlines, but the incident also prompted it to codify breach management plans and assemble a response team. Its policy now “lists all enacted state data breach notification laws, as well as the unique requirements of each law,” Cwalina says.

In addition, ChoicePoint leans heavily on its government affairs team and legal department to track the laws and monitor compliance in the event of a breach.

Large or small, companies should plan ahead to lessen the burden of notification in the event of a data breach. “Encryption is the single most effective way to avoid the negative business impact of data breaches,” says Scott. “Under most privacy statutes, if you have encryption, you get a free pass from notification.”

But with or without encryption, it’s wise to devise a strategy for disclosure in the event of a breach. Companies should have a team in place that can assess the scope of damage and meet the demands of state regulators and credit card companies.

The goal, says Cwalina, is to “act quickly, investigate thoroughly and notify promptly.”

Google launches IMAP support for Gmail

2007-10-27T18:53:00.000+03:00

Users can sync Gmail with their e-mail clients

Google Inc. has launched a new IMAP (Internet Message Access Protocol) service for Gmail that will allow users to sync Gmail with their e-mail clients.

"It keeps the same information synced across all devices so that whatever you do in one place shows up everywhere else you might access your e-mail," said David Murray, associate product manager, in a blog post. "For example, I can read an e-mail in Gmail, then move it to the 'Starred' folder on my iPhone, then archive it by moving it to 'All Mail' in Thunderbird, then see all of those changes on my BlackBerry or any of [these] devices for that matter."

Previously, Google offered only POP (Post Office Protocol) access, for Gmail, which meant if users made changes on other devices, those changes weren't seen in Gmail when they logged back in. Users then had to re-read and re-sort all their e-mails. The IMAP feature means all user e-mails will be stored on the server, so users can sync their data across a wide variety of devices.

Murray said users can use Gmail at work, in the car or anywhere on any device. He added that the actions users take will automatically sync with Gmail on the Web and anything users do on the Web will be seen on their phones or their e-mail clients.

To use the new service, users should click on the "Forwarding and POP/IMAP" tab in their Gmail Settings and turn it on.

Rain doesn't stop Leopard from roaring in NYC

2007-10-27T18:52:00.000+03:00

Even pouring rain and gusty winds didn't stop the Mac faithful from turning out for the release of Apple's Mac OS X "Leopard" at the Apple Store in New York's SoHo neighborhood Friday night.

The sidewalk in front of the store and around the corner was a sea of colored umbrellas as about 200 people lined up to be among the first to purchase Leopard in North America. Those who hadn't prepared for the weather hunched under pieces of cardboard or just got wet, as people bustled past on busy Prince Street and wondered aloud what all the fuss was about.

The New York launch was part of a worldwide rollout of Leopard, which went on sale at 6 p.m. local time around the world Friday, beginning in Australia and New Zealand. Rain also plagued the Leopard launch in Tokyo, which marked the first place the OS went on sale at an official Apple Store, but didn't deter users from lining up ahead of the time there, either.

A New York Mac enthusiast named Adam was first in line outside the SoHo store, saying he arrived at 2 p.m. and was joined about a half hour later by other Mac enthusiasts. Strangely enough, Adam, who owns three Mac computers and frequents Apple Stores when the company launches new products, was not there to buy Leopard. He merely wanted the free T-shirt Apple was giving out to people waiting in line to purchase the OS.

"They're difficult to get unless you live in Cupertino and can go to the Apple store," he said, adding that he would purchase Leopard in about six months after Apple had "worked out the kinks."

Unlike Adam, others shivering in line said they were there to be among the first to get their hands on Leopard. Still, it wasn't just the OS that inspired people to wait in the rain. Douglas Packer, also of New York, said that although he was looking forward to using Leopard -- particularly its new Time Machine and Spaces features -- he was also was there "for the experience."

"Everyone's more excited about it, and being here with other people waiting makes it more fun than just a piece of software," said Packer, who works in video production.

Time Machine is a new feature in Leopard that allows for automatic back-up of files, while Spaces enables the user to create and manage virtual desktops.

Another user waiting to purchase Leopard who gave props to Time Machine was Evan Herman, also of New York. But he also said he was "probably the only person in line" excited about the Back to My Mac feature of Leopard, which makes it easy for users to set up the ability to remotely log in to a Leopard machine from anywhere.

Herman said this feature will make it easy for him to help troubleshoot problems on his parents' Mac, which he finds himself doing often enough on the phone anyway.

Herman switched from Microsoft Windows to a Mac three years ago when he left a position providing desktop support to PCs. He said he regularly joins the queue for major Apple releases and has stood in line for both the Tiger release of OS X and the iPhone.

Leopard is the first major upgrade Apple has made to its OS in two and a half years. The software will now be installed on all new Apple computers, or costs $129 for an upgrade for those running its predecessor OSes. Apple has said the vast majority of Macs sold over the past four years will be able to run Leopard, as well as some older machines, depending on their configuration.

Mozilla rushes to fix regression bugs in Firefox

2007-10-24T16:05:00.001+03:00

Mozilla Corp. will rush another version of Firefox to users as early as next week, the company's user interface designer said Tuesday, to fix five bugs it introduced in last Wednesday's security update.

Firefox 2.0.0.8 patched ten vulnerabilities, including three critical flaws, but also shipped with five regression bugs -- problems unintentionally introduced when code was changed to plug other holes.

"Most users won’t see any difference or experience any problems," said Mike Beltzner of Mozilla in a posting to the company's development center blog. "We’re working fast to understand and fix these problems, and will shortly be issuing a 2.0.0.9 update to address them."

According to notes from a weekly Mozilla meeting on Firefox, the regression reports began accumulating over the weekend. Firefox 2.0.0.8 was posted for download late Wednesday, Oct. 17. Three of the five problems were limited to Windows, but two page rendering issues affected all versions of the browser, including those for Mac OS X and Linux.

The Windows-specific bugs included one that disables Firefox extensions after updating. The problem doesn't affect every copy of 2.0.0.8 on Windows -- one user said it had hit just one of his four PCs -- and can be remedied by deleting a trio of files from the hard drive. Programmers are still working on a fix.

Another under the microscope, however, has no workaround. Firefox 2.0.0.8 crashes on startup on some Windows XP and Vista systems, a listing in Mozilla's bug reporting database said, and although developers quickly came up with a test to reproduce the crash, they seemed unsure whether they were on the right track. "This seems to have been fixed on trunk (regarding the test case) between 2007-08-21 and 2007-08-22," said Martijn Wargers.

"Hmm. I wonder whether we're hitting EM restart weirdness here or something," replied another developer, Boris Zbarsky.

Beltzner said Mozilla hoped to put a new Firefox, version 2.0.0.9, into the pipeline next week.

This isn't the first time that the open-source developer has scrambled to set things right. In March, it release Firefox 2.0.0.3 and 1.5.0.11 to fix several regressions that slipped into the prior versions, which hit the street the month before.

AT&T sues Vonage for patent infringement

2007-10-21T14:10:00.000+03:00

AT&T claims that Vonage is willfully using patented technology allowing VoIP calls to be made with standard telephone equipment
AT&T filed a lawsuit against VoIP provider Vonage on Friday seeking damages for alleged patent infringement.

The lawsuit comes just days after Vonage settled a patent-infringement lawsuit with telecom provider Sprint Nextel.

In a filing with the U.S. District Court for the Western District of Wisconsin, AT&T alleged that Vonage wilfully infringed an AT&T patent related to telephone systems that allow people to make VoIP calls using standard telephone devices.

In the legal filing, AT&T said it tried to reach an agreement with Vonage to license the patent, but failed, which forced the lawsuit.

Vonage announced on Oct. 8 that it settled its suit with Sprint Nextel for $80 million. As part of that agreement, Vonage agreed to license VoIP patents from Sprint, including more than 100 patents covering technology for connecting calls from a traditional phone network to an IP network.

Vonage is also in the process of resolving a patent infringement dispute with Verizon. Earlier this year, a court found Vonage infringed on Verizon patents and ordered an injunction that could have prevented Vonage from signing up new customers. Vonage won an injunction staying the order and is appealing the original infringement ruling. Vonage in August said it was close to rolling out workarounds for two of the three patents Verizon claimed.

Vonage is one of the largest independent VoIP providers in the U.S. with nearly 2.5 million customers.

Microsoft: Google gets undue credit for ad conversions

2007-10-19T14:25:00.000+03:00

Microsoft is developing 'conversion attribution' technology that it says will track users' viewing trail and give advertisers a more balanced view of the value of their online ads

Google undeservedly has gotten all the credit for many clicks on the online ads it delivers via its search engine, but Microsoft wants to put a stop to that.

So said Brian McAndrews, senior vice president of Microsoft's Advertiser Publisher Solutions Group during a panel discussion at the Web 2.0 Summit in San Francisco Thursday.

Currently, systems for tracking ad conversions and analyzing online marketing campaigns focus on the last ad a user viewed or clicked on, he said. This gives all credit to that last publisher and not to others the user may have been at before and influenced the user to seek more information about the advertiser, McAndrews said.

In particular, this situation has unfairly benefitted Google because many times someone will see a display ad on a site and go to Google, search for the vendor's name, and then click on the vendor's text ad served by Google, he said.

But Microsoft is developing a technology called "conversion attribution" that will track the trail of ads seen by a user, so that advertisers get a more complete understanding of how effective their marketing campaigns are, he said.

Along the way, advertisers will get a more balanced view of the value of their ads across a wider trail of Web sites and via a variety of ad formats, not just the last ad displayed by the last publisher, which is often Google, he said.

"We'll introduce conversion attribution to give [more publishers] credit and it will devalue search [advertising]," McAndrews said.

Search advertising is the largest online ad format, accounting for about 40 percent of total ad spend. Google has built its empire on these pay-per-click ads, which the company matches to the content of queries on its search engine and to the content of third-party Web sites on its ad network.

While search has been the main driver of the blistering growth of online advertising in the past five years, that won't be the case in the coming five years, McAndrews said.

In addition to the "conversion attribution" technology, the shift away from search ads will be fueled by the increased spending in online ads from large companies which prefer display and rich media advertising designed to boost their brands, and for which pay-per-click text ads are less effective, he said.

Google didn't have any representatives participating in the panel. The company didn't immediately respond to a request for comment.

Microsoft didn't immediately respond to a request for clarification on the availability of the "conversion attribution" technology.

McAndrews, who came to Microsoft recently via its $6 billion purchase of aQuantive, of which he was the CEO, shared the stage with other ad executives in a panel titled "Edge: The Advertising Model" moderated by conference chair John Battelle.

MySpace will use Skype for VOIP in social network

2007-10-17T19:21:00.000+03:00

Deal with Skype will enable MySpace members to engage in free voice chats via the new MySpace instant messaging service

MySpace will give its millions of members the ability to engage in free voice chats via the MySpace instant messaging service, thanks to a partnership with VOIP provider Skype.

News Corp.'s MySpace and eBay subsidiary Skype will announce the beta version of the service, called MySpace IM with Skype Wednesday at the Web 2.0 Summit in San Francisco.

MySpace, the world's largest social network, has about 110 million monthly active users, while Skype has about 220 million registered users, the companies said.

MySpaceIM with Skype will mesh MySpace's IM service, which has an installed base of 25 million users, with Skype's Internet voice communications services, the companies said.

MySpaceIM with Skype will be released generally in November, along with the ability to let people also link their MySpace profiles with their Skype accounts.

The voice chat service will let MySpace users call others in the social network as well as Skype users. MySpaceIM with Skype will not require users to download any additional Skype software.

MySpace will launch the voice chat service in 20 countries where it has "localized" communities. Meanwhile, Skype will allow its users to link their accounts to their MySpace profile worldwide except in Japan, China, and Taiwan.

Beyond the free voice chat service, MySpace users will also get the option of buying other premium Skype products, such as SkypeOut for generating calls from Skype to outside lines, as well as SkypeIn for receiving calls from outside lines.

Smart security testing on the cheap

2007-10-16T20:57:00.000+03:00

A pragmatic open source testing methodology, and an abundance of excellent free tools, help you plug security holes without busting the budget

You don't need to be paranoid to be a chief information security officer, but it helps. Whether certifiably paranoid or, as the Woody Allen joke goes, just keenly observant, the chief security officer must tune into threats that others can't see, quantify risks that others can't fathom, and uncover weaknesses -- in the company's networks, systems, and business processes -- that want to remain hidden.It's a big job that requires a comprehensive plan, strong skills, and a good set of tools.

The time and skills necessary for effective security assessment will never be free, but a terrific plan and excellent tools are readily available at no cost, courtesy of the open source community. I'm a big believer in tapping open source solutions whenever possible, but there is a catch. Open source is free in cost, but not free in time. Be prepared to spend time learning how to use open source tools and techniques properly.

An open source method
The open source testing framework I recommend is called the Open Source Security Testing Methodology Manual (OSSTMM). The brainchild of Pete Herzog and his legion of dedicated security testing professionals, this project is well supported by the open source community, and it continues to impress me with its documentation and approach. Providing specific testing objectives and procedures, the OSSTMM is the cookbook for using your tools, in what order and at what time.

The OSSTMM is not simply a penetration testing approach but a methodological framework. The methodology helps guide the planning of the security audit project and properly quantifying the results, and provides the rules of engagement for those performing the audit. It relies on best practices and a threats database as well as knowledge of the target organization to provide a broad view of the risks posed to the infrastructure of the enterprise. Most testing frameworks, such as ISO 27001 (formerly 17799), OCTAVE, COBIT, and ISM3, take an organizational approach to assessment and evaluation. The OSSTMM takes an operational view of enterprise risk.

The OSSTMM contains six testing modules, covering information security, process security, internetworking, communications systems, wireless networks, and physical security. Together, they offer testing methodology and guides to measuring risk to intellectual property, private information, and paper documents, to social engineering attacks, to routers, switches, and firewalls, to PBX's, voicemail, and faxes, to WLAN sniffing and surveillance, and to environmental dangers to buildings and the locks on the doors.

The OSSTMM manual provides a wide range of template documents for the conduct of tests involved in each of the six modules. This set of templates negates the need for supporting software in completing other testing frameworks such as ISO 27001 or COBIT. However, you may need training from ISECOM (OSSTMM's parent organization) in the best use of the templates and modules.

In this authors estimation the true worth of this approach lies in the new "risk assessment values" (RAV) spreadsheet provided by the community. The spreadsheet is divided into the six operational areas and breaks down risk in each of these areas into a numerical value. All of these risk values are aggregated to provide an overall risk profile for the organization. Thus the OSSTMM provides an easy to use, consistent process that leads you toward meaningful results that can be compared over time. I am always comfortable approaching management with the numbers produced from my OSSTMM tests and the RAV spreadsheet. Though based in Spain the ISECOM organization provides global training courses and certifications. Just as the ISO 27001 and COBIT processes allow for test report validation, your OSSTMM reports may also receive certification.

A complete security testing toolbox
We've discussed the framework for conducting your penetration testing, now we move onto the basic toolbox for your testing. The tools below cover the information security, network and wireless modules of the OSSTMM. You'll need tools for testing servers and workstations, switches and routers, network protocols, wireless access points, applications, Web servers, and passwords, to name but a few. Because simple scanning does not meet the OSSTMM's requirement for thoroughness, you'll need exploit tools to verify potential vulnerabilities as well. My list of preferred tools is loosely based on the list of Top 100 Network Security Tools provided by Insecure.org. Compiled through a global poll of professional security testers, this list is reviewed and updated every two years, and I've come to rely on it as the basis for my personal toolbox.

Although each tool in this set is important, it is ranked according to the Sectools.org list. The Sectools.org list shows whether the tool is either *nix, Windows based and whether it is open source or commercial software. When possible I like to use Windows tools. Don't get me wrong, I love Linux and use it all the time. I'm just lazy. If I don't have to switch between operating systems to conduct my testing, I'm happier. My management has an easier time understanding my reports if I can speak using an operating system they are familiar with.

Google and Google Hacking Database
Google is a great tool for finding all kinds of information on the Web -- including information that shouldn't be there. In the context of the information security portion of the OSSTMM process, Google is used for both the competitive intelligence and privacy scans of your assets. Johnny Long made this method famous with his Google Hacking Database (GHD).

Using Google to find vulnerable machines attached to our network is always an eye-opening experience. Imagine finding a printer attached directly through your firewall to the Internet. Well, this happens far more often than you might believe. Johnny Long's Web site is the easiest place to learn how this process is done. Simply redirect the queries in the GHD to your IP address range. Then massage the queries to match your particular routers, switches, printers, and Web servers. Granted, this is tedious work in the beginning but will save you many hours of penetration testing time in the long-term.

The same techniques are used to find privacy data of your employees that may have leaked to the Internet from your network. This process is well refined for any network infrastructure and systems that face the Internet. Where it becomes really interesting is in finding your corporate intellectual property on the Internet... but that is a story for another day. This is the first tool my team uses as it offers high risk results first. A vulnerability that faces the Internet and is known by Google is one that requires immediate attention.

Nessus security scanner
The open source Nessus Project was begun in 1998 by Renaud Deraison to compete with the available commercial vulnerability scanners. Nessus is no longer open source, but remains available in a free version that rivals the best commercial alternatives. As a result, Nessus is found in the toolbox of both the well funded and cash strapped security organizations. The difference between the free product and the licensed commercial version of Nessus is how often vulnerability signatures are updated. If you want up-to-the-minute vulnerability updates then opt for the commercial license. If you don't mind waiting seven days for those same updates, then the free product will serve you well.

Nessus has both a *nix version and a new Windows version (see screen image). The Nessus system consists of a Nessus server, a client, Nessus plug-ins and the knowledge base. The Windows version provides all these items in a single package though using it in this fashion is not required.

Nessus tests all aspects of a target including the operating system, ports, services, applications to name but a few. Thus the reports may be lengthy but are comprehensive. You'll need to validate the findings as

Nessus, like other network scanners, is prone to false positives.

Wireshark packet analyzer
Formerly known as Ethereal, Wireshark is an exceptionally powerful protocol analyzer. It runs a wide range of operating systems and allows for live capture of network traffic and analysis of traffic captured from external sources. It offers a wide range of default protocol decoders and can parse out traffic threads with ease. The screen is broken into four main sections: the menu bar, the packet list (color coded area, see screen image), packet details (protocols and protocol fields), and lastly the packet bytes showing the raw data stream in both hexadecimal and ASCII formats.

Wireshark's graphical analysis tools provide a clear picture when troubleshooting problems or looking for weaknesses during a penetration test. This example shows the handshake (communication initiation) process between various hosts on the network.

TCPDump network debugger
TCPDump and its Windows-based brother WinDump are the original packet capture utilities. They are identical in capability and are both actively supported. Both tools allow for the creation, injection, and capture of packets during a security test. Both are command line driven. The information provided is similar to that of Wireshark, and in fact the two may be used interchangeably (TCPDump data in Wireshark or the other way around).

TCPDump comes as a default installation with most *nix operating systems. WinDump requires the use of the Winpcap software for Windows to allow for packet capture. The Pcap software now allows for use with wireless capture as well. This is an old warhorse tool that continues to grow and change with the needs of the testing community.

Netcat network explorer
Netcat is known as the network Swiss army knife of testing tools. Netcat is a command line tool that's provides for reading and writing data across TCP and UDP connections. It creates nearly any connection needed including the acceptance of incoming connections. This makes it invaluable for exploring a network, server... during penetration testing. It is a perfect tool for setting up back doors and may be called from other programs. Thus your use of the tool may be automated or scripted. A wide range of Netcat derivatives now exist for specialized applications such as SSL or portable thumb drive based use.

Kismet wireless sniffer
Kismet is a powerful 802.11 (layer 2) wireless detection program. Unlike other wireless sniffers Kismet uses any wireless card that uses rfmon (raw monitoring) mode. This offers flexibility over other solutions. Kismet is capable of capturing both beaconing and nonbeaconing networks. The interface is neat and clean and allows for easy drill down for advanced information on a particular network. Its most interesting feature may be the ability to use Kismet with a GPS system to create maps of wireless networks.

Aircrack WLAN cracker
Aircrack is a password cracking program for use with both WEP and WPA networks. It needs a large enough database of packets from the target network for password cracking to begin. The four modules of this suite include airodump, a wireless packet capture utility; aireply, which performs packet injection for security testing; aircrack, which does password cracking using brute force and cryptographic methods; and airdecap, which decrypts WEP and WPA packet streams once the passwords are cracked.

Two new tools have been added to suite recently that allow for encrypted packet creation and virtual tunnels. Aircrack may also be installed in a virtual machine.

Aircrack supports a wide range of wireless cards though a new driver or patch may be required for your card. The interface is a combination of both Windows GUI and command line interfaces though they are easy to navigate This is another tool that requires some time to master but given the reliance of wireless networks in today's enterprise may prove invaluable to your team.

Cain and Abel password cracker
Cain and Abel is the top ranked Windows specific password cracking tool for security testers. This tool is well documented and supported by the community. It has a clean interface and provides for the cracking of a wide range of password types including Cisco, VNC, remote desktops, and many many more. It can do its cracking on the local machine or sniff passwords off the network via specific capture filters. Cain and Abel supports standard dictionary and brute force attacks as well as cryptanalysis attacks. It continues to evolve with the addition of VOIP and wireless password crackers. This tool has proved invaluable to my team for everything from a forgotten workstation password to forensic analysis.

Wikto Web server scanner
Wikto is similar to the better-known Nikto Web server assessment tool. Both are well supported by the open source community with Wikto adding some extra functionality. For example, Wikto always starts with a Web scanning wizard (see screen image).

Wikto also makes full use of the Google Hacking Database. The Wikto spider crawls the target Web site and maps its directory structure, while the vulnerability scanner reviews possible security weaknesses. For vulnerability assessment, Wikto uses the Nikto vulnerability database. The one minor weakness is the use of the CSV format for exporting reports. CSV was never known as an easy way to view report data, though it gets the job done.

Metasploit exploit framework
Released in 2004, Metasploit is another must-have in your toolbox. Essentially a framework for building security tools and the exploits to launch with those tools, Metasploit is the easiest way to verify that a vulnerability identified by Nessus or Wikto is truly a security hole. Metasploit contains a module launcher to customize both the exploit and payload intended for a particular target. If the penetration is successful the tester is provided a shell to interact with the payload on the target system. There are around 350 different modules to choose from covering a wide range of hosts and operating systems. If the Metasploit repository doesn't already have a canned exploit for the vulnerability in question, you can create one.

The true power of the framework is the ease of creation of new modules. Modules may be exploits, payloads, encoders, and no-ops. You can define an entirely new module or create variations of preexisting modules. Documentation and forum support is broad, detailed, and comprehensive. Be prepared to spend some time learning the framework, but it will be time well spent.

A plan of action
Penetration testing is an invaluable process in assessing business risk via IT infrastructure. To make the process cohesive and efficient, however, you must put it in an organized system. I highly recommend using the OSSTMM framework to organize your testing and help you interpret the results. The OSSTMM covers several operational areas and provides templates and valuation of risk for each one.

Once the testing framework is in place you will need a wide range of tools for your toolbox. Vulnerability scanners, protocol analyzers, and wireless tools are but a few of the areas to consider. I have learned to trust the list at Sectools.org to provide most of the tools in my toolbox. Lastly, don't forget about researching the target before the test. Using search engines, you can develop important insight into a target with fairly little effort. The information gained here may save you countless hours testing operating systems and applications that don't exist in the target area.

10 IT security companies to watch

2007-10-15T21:04:00.000+03:00

New companies have to be brash to enter the network security market, given that the industry has witnessed an explosion in creativity over the past five years and considering that big players such as Microsoft and IBM increasingly are throwing their weight around in security. Nonetheless, anyone who takes the time to listen to what IT managers say they would like to see from the security industry can't walk away without the impression that there is plenty of room for the new.

For example, Ryan Bagnulo, vice president and head of software architecture and innovation at Wachovia, says he'd like to see more industry action on automating security-policy administration based on the Organization for the Advancement of Structured Information Standards' eXtensible Access Control Markup Language.

Sometimes entire groups of users stand up and declare they need something new. The Jericho Forum wants to see a new generation of products and services designed for the world of e-commerce, where traditional firewall-edge boundaries are vanishing.

User demand will have the final say about whether security startups pan out as the successes their founders envision -- or end up as brief footnotes in the epic of networking. Here are our selections for 10 security newcomers worth watching:

Whatever happened to last year's 10 security companies to watch?

2Factor
Founded: 2006
Headquarters: Maumee, Ohio
Funding: $1.6 million in first-round financing
CEO: David Burns

What the company offers: Real Privacy Management (RPM) software that offers continuous, two-factor user authentication and data encryption based on a patented, real-time algorithm that limits the opportunity for intrasession hack attacks and threats.

Why it's worth watching: Authenticating users has become a security best practice, but once is not enough. Methods such as public-key infrastructure (PKI) authenticate the user at first logon but leave the session open to hacker attacks thereafter. By performing continuous mutual authentication and encryption during every transmission between client and server, 2Factor reduces the potential for data theft and fraud by closing the window of opportunity for hackers.

How the company got its start: After working in cryptography for many years, founder and chief scientist Paul McGough saw the need for a simpler, more nimble and more effective alternative to PKI and other security technologies. The company claims RPM is based on provable mathematics, is as much as 100 times faster than PKI, and can be deployed quickly and easily in any type of software, chip or device.

Where the company got its name: A reference to two-factor security, where the first factor is "what you know" (typically a user name and password) and the second factor is "what you have" (typically some type of card or token).

Customers: The company says it's in discussions with several major financial institutions, plus mobile phone operators, digital media companies, government agencies and large healthcare institutions -- but won't name names.

NetWitness
Founded: 2006
Headquarters: Herndon, Va.
Funding: $7.5 million from undisclosed angel investors
CEO: Amit Yoran

What the company offers: NextGen, a security product that monitors and analyzes inbound and outbound traffic and stores and analyzes it based on users, applications and content.

Why it's worth watching: Business and government agencies are under pressure to boost network security and comply with numerous regulatory requirements to show they're meeting security policies. Thus, there's growing demand for tools to do this.

How the company got its start: Amit Yoran, former National Cyber Security Director at the U.S. Department of Homeland Security and also founder of security-services firm Riptech, was familiar with the version of NetWitness developed by CTX for national-intelligence agencies. Yoran last year led the buyout of ManTech's product assets, acquired when that company bought CTX.

Where the company got its name: It "witnesses" network traffic.

Customers: Washington, D.C.-area law-enforcement and intelligence agencies for which NextGen was developed originally. The latest commercial version, developed for broader use, was released in September.

Palo AltoNetworks
Founded: 2005
Headquarters: Alviso, Calif.
Funding: $28 million from Globespan Capital Partners, Greylock Partners and Sequoia Capital
CEO: Dave Stevens

What the company offers: The PA-4000 Series network devices, introduced in June, which use a so-called App-ID application-classification technology to inspect about 450 applications traversing the PA-4000 hardware and apply security rules to these applications.

Why it's worth watching: Enterprises are frustrated with their traditional perimeter firewalls, because firewall ports increasingly are opened up to allow business traffic, particularly over Port 80. The PA-4000 line is offered as a transitional technology that works behind traditional, port-based firewalls to monitor applications and apply security rules to them.

How the company got its start: CTO Nir Zuk worked on some of the earliest firewalls at Check Point Software and later founded OneSecure, which was acquired by NetScreen Technologies, later acquired by Juniper Networks. Over time, Zuk observed that the relationship between ports and applications was diminishing, and he devised a method to look at the content itself through a new type of firewall he had invented.

Where the company got its name: Zuk, who selected it, reportedly lives in Palo Alto, Calif.

Customers: Constellation Energy and Mercy Hospital in Baltimore, and the city of Seattle.

Provilla
Founded: February 2005
Headquarters: Mountain View, Calif.
Funding: $10 million in private funding; investors include Hitachi Systems
CEO: Antonio Espinosa

What the company offers: The LeakProof data-leak prevention product, released in January 2007.

Why it's worth watching: LeakProof isn't the first product to prevent the unauthorized transmission of sensitive content. However, Provilla's founders, who hail from Chinese universities but are developing the product in the United States, think they've come up with a better mousetrap: their DataDNA fingerprinting technology that scans file servers to create a signature for each document. Cosmopolitan in its outlook, Provilla's software supports the Japanese, Chinese and French languages in addition to English, as the founders look to building an international customer base.

How the company got its start: Co-founder Fei Huang was principal engineer at Sygate (later acquired by Symantec), which designed one of the earliest host-based network-access-control products. Huang teamed with Liwei Ren, a mathematician specializing in algorithms and pattern-matching, to come up with a desktop agent to detect unauthorized use of sensitive data.

Where the company got its name: "Pro" stands for protecting, and "villa" is Latin for village, so the name indicates that the company's technology protects a community of people.

Customers: Orchard Supply Hardware, Richard Fleishman & Associates, Sony-Ericsson Chinese joint venture. Distribution agreement with BigFix and Reconnex.

Robot Genius
Founded: 2005
Headquarters: Oakland, Calif.
Funding: $2 million from Kingdon Capital and Venio Capital Partners
CEO: Stephen Hsu

What the company offers: Syberus behavior-based malware-detection client software, an antimalware browser plug-in and the RGcrawler Web-crawling technology that looks for malware executables on the Internet.

Why it's worth watching: Although signature-based antivirus technology has a venerable history defending against known threats, the security industry is looking at other methods, such as behavior-based defenses that identify and block threats based on behavior. Robot Genius has come up with its own approach to malware detection to determine unsafe executables, and it could get picked up by the larger industry under a licensing plan.

How the company got its start: Hsu and CTO James Hormuzdiar teamed on start-up SafeWeb, sold it to Symantec for $26 million in 2003, and decided to continue working together to found another company to develop a new way to protect against malware.

Where the company got its name: Implies the technology's ability to replicate automatically the downloading and testing of executables off the Internet.

Customers: Not disclosed.

SailPoint
Founded: 2005
Headquarters: Austin
Funding: $14 million from venture capital firms including Austin Ventures, Lightspeed Venture Partners, Origin Partners and Silverton Partners
CEO: Mark McClain

What the company offers: Compliance IQ, identity risk-management software to help enterprises reduce business risk and become compliant by better understanding identity data. The software provides business context to the information generated by IT systems that report on which users have access to what data, offering sophisticated reporting and analytics for decision support.

Why it's worth watching: The company's product attempts to make sense of the reams of identity data generated by IT systems and applications; it's one thing to know what users are doing, it's another to combine that information with data about what they are allowed to do. Companies that combine the two stand a better chance of identifying fraud, theft and misuse. IDC estimated in 2006 the market for identity and access-management compliance will grow by 25 percent per year until it reaches $2 billion in 2010.

How the company got its start: McClain and SailPoint co-founder Kevin Cunningham stayed on at WaveSet when Sun acquired it in late 2003, but not for long. In 2005 with $5 million in funding behind them, the pair left Sun and began developing the technology behind Compliance IQ, which launched at Network World's DEMO 07 conference last January.

Where the company got its name: "Sailpoint" or "point of sail" is a term used to describe a sailboat's course in relation to the wind. To reach a destination, sailpoints must be adjusted continuously to harness the wind as efficiently as possible and to maintain safe control of the boat -- the company believes the same is true of enterprise IT governance.

Customers: Financial services and manufacturing firms, which the company declined to identify.

Sentrigo
Founded: 2006
Headquarters: Kfar Saba, Israel; U.S. office in Woburn, Mass.
Funding: $3.5 million from Benchmark Capital
CEO: Nathan Shuchami

What the company offers: Database security monitoring tool, Hedgehog, released in June for the Oracle database.

Why it's worth watching: The Hedgehog software can be used in monitoring or blocking mode to warn security administrators about attempted SQL injection or buffer-overflow attacks. Because Hedgehog also looks at larger database actions, it also watches what insiders are doing, based on set policies.

How the company got its start: CTO Slavik Markovich, an expert in database architecture, sensed an opportunity on the security front and headed up basic product design and development. Sentrigo just added Guy Rinat as vice president of R&D, an activity formerly managed by Markovich, who will devote more time to new-product development and customer interaction.

Where the company got its name: They focused on the word "sentry" and came up with Sentrigo.

Customers: N.E.W. Customer Service Companies

Venafi
Founded: 2004
Headquarters: Salt Lake City
Funding: $20 million in venture capital from Foundation Capital, Origin Partners, and UV Partners.
CEO: Trell Rohovit

What the company offers: Systems management for encryption at the client and server levels. Client Encryption Manager and Server Encryption Manager automate many of the manual tasks associated with administering encryption technology -- including keys and certificates --such as making sure that installed software with optional encryption settings has them turned on. The company plans to add encryption-management products for storage, backup systems, network devices and infrastructure in the near future.

Why it's worth watching: Venafi focuses on making encryption more accessible for enterprises by lessening its associated administrative headaches. The company says this promotes compliance, data security and risk mitigation.

How the company got its start: Spun out of IMCentric, a custom-engineering company that was automating encryption for a Fortune 500 company. The custom product that was developed turned into Venafi's offering.

Where the company got its name: Comes from the Latin root "vena," meaning vein or root, and "fides," Latin for trust or faith. Venafi says it manages the root of trust.

Customers: The company claims 10 of the world's top financial-services companies are customers, as well as three telecommunications giants.

Veracode
Founded: 2007
Headquarters: Burlington, Mass.
Funding: $19.5 million from venture capital firms 406 Ventures, Atlas Venture and Polaris Venture Partners
CEO: Former Symantec executive Matt Moynahan

What the company offers: SecurityReview is an automated service that does security testing and remediation of in-house and commercial applications. Enterprises submit the applications they would like reviewed to Veracode, which uses patented binary and Web-scanning technology to find flaws and suggest fixes.

Why it's worth watching: According to Gartner, 70 percent of all enterprise vulnerabilities reside in the software that organizations buy and run. Veracode's team of application-security experts are trained to spot such weaknesses, and can do so because the company's service examines binary code instead of source code to avoid trade-secret concerns. By reviewing an application's binary code the service can analyze not just the program but also third-party libraries it may call, as well as its interactions with other software.

How the company got its start: Its founders' ambition was to reduce the number of software vulnerabilities in the world. They call their approach the "democratization of security" because usually only companies with very deep pockets have the time and money to spend on checking and remediating software security flaws. The technology behind Veracode's service was first developed by @stake (since acquired by Symantec) in 2002.

Where the company got its name: "Ver," from the Latin "truth," was added to "code" to describe how the company looks for the "truth" in software.

Customers: Cisco, Digivera, Telus.

WebLOQ
Founded: January 2004 (in stealth mode until the service launched in September)
Headquarters: Monterey, Calif.
Funding: More than $3 million from high-net-worth individuals, no venture capital
CEO: Neal Smith

What the company offers: Virtual Private Community (VPC), a private communications service that forms virtual business communities whose members can send and receive encrypted e-mail, documents and other exchanges safely. The service sets up a private domain name for each user and gives them a related e-mail address reserved for private communications with other WebLOQ users. VPC is available as a hosted service, with a version that companies can run internally slated for release early next year.

Why it's worth watching: Instead of trying to protect communications at the edges of corporate networks, WebLOQ secures the transit channel itself. By having encrypted communications only with other members of a community, users are freed from spam, viruses, phishing, and other e-mail Internet threats. However, such secure communications requires that both parties use the service. The company hopes to bring the concept of online community to the business world while ridding e-mail of the many threats plaguing it today.

How the company got its start: Chairman, CTO, and former ISP head George Sidman became intrigued with the idea of securing Internet communications. He formed a team at his ISP to begin working on the problem in 2003 and launched the service in 2007.

Where the company got its name: Sidman was amazed that no one had trademarked "LOQ" (pronounced "lock") as a brand. The company now has trademarked the terms WebLOQ and LOQ, intending to launch a brand around the latter.

Customers: Database vendor Objectivity. Company says some major banks, law firms and police agencies are testing the service.

Student who disclosed security breach to campus paper barely escapes expulsion

2007-10-12T17:31:00.000+03:00

A student at Western Oregon University who accidentally discovered a file containing personal data on a publicly accessible university server and then handed that data over to the student newspaper has narrowly escaped being expelled for his actions.

But a contracted adviser to the newspaper has been dismissed for allegedly mishandling the data and for failing to properly advise the students on the university's policies relating to handling of personally identifiable data.

Brian Loving, a student at WOU, stumbled upon a file containing the names, Social Security numbers and grade point averages of between 50 to 100 students on a publicly accessible university server in June. Loving downloaded a copy of what he discovered and handed it over to the Western Oregon Journal, the campus newspaper.

After making a copy of the file, the newspaper's editor and Loving then informed the university about the security breach. Though the paper's final publication date for the academic year had already passed, it decided to publish a four-page special report with an article describing Loving's discovery. No names of any of the students were published in the article.

The episode triggered an internal investigation at WOU. It also prompted campus officials to send IT staffers into the paper's closed newsroom and search newsroom computers for copies of the file that may have been stored in those systems.

Two months into the investigation, Loving -- who is now a staffer with the newspaper -- was found to have broken a university computer use policy that prohibits unauthorized people from accessing confidential files that may have been inadvertently placed in a publicly accessible location. On Sept. 28 he faced a disciplinary hearing over the incident.

Mark Weiss, the university executive vice president of finance and administration, on Wednesday cited student confidentiality and refused to describe the outcome of the hearing. But he denied that Loving had ever been expelled as a consequence for his action, as some local media outlets suggested.

Adviser adieu

Weiss also confirmed that Susan Wickstrom, who had been an adviser to students working at the newspaper, is no longer in that position since the university chose not to renew her contract. He did not say if the reason for the non-renewal had anything to do with Loving's security breach incident report.

A source at the university who wished to remain anonymous said that Wickstrom's contract was not renewed because of her failure to advise students against making copies of the exposed file and for her failure to advise them about the school relevant computer use policies.

"This was not a freedom of the press issue at all," Weiss said. The school newspaper should be able to write on any topic it wants to, he said. Similarly, "the issue is not that the student discovered a file that contained confidential information. For that we are grateful," said Weiss who also expressed gratitude to Loving for discovering a vulnerability the university had not been aware of up to that time.

Rather, the problem had to do with the manner in which the information was handled after it had been discovered, Weiss said.

"Once confidential information is discovered, we don't expect people to be downloading copies of that information and giving it to other people," he said. "He mishandled copies of the file," Weiss said of Loving. "People who know this shouldn't be done should be advising students on what the right thing to do is," he said in an apparent reference to Wickstrom.

Weiss also defended the university's decision to send IT staffers to search for copies of the file on newsroom computers at a time when the newsroom was locked. "The last issue of the student newspaper had already been printed. We asked [newspaper staffers] for the files that were copied to be returned," Weiss said. When the newspaper did not respond, IT staffers went in to retrieve any files that might have been copied and stored on newsroom computers, he said. At the time when the IT staff went in the newspaper offices had been shut down for the summer, he explained.

He also maintained that the university had a right to look for the files on newsroom computers because the systems were owned by the university. "We considered whether or not it was appropriate to enter, look for and take those files that were taken from our systems and we concluded that it was appropriate," Weiss said.

Weird times for whistleblowers

The incident is similar to others in which individuals who discover or publicly disclose data braches at their places of work end up being in trouble themselves. Just last month, a former IT employee again working in Oregon but with Providence Health System, filed a wrongful termination lawsuit against the organization claiming he was fired in Feb 2006 simply because he reported a data theft to local law enforcement.

Even more recently, a St. Louis-based IT worker for The Boeing Co. claimed he was fired by the company for speaking with a Seattle newspaper about ongoing information security challenges at the company. A report in the Seattle Post-Intelligencer quoted a Boeing spokesman as saying that company had clear guidelines regarding the release of information outside the company and every employee was expected to follow those guidelines.

In yet another similar incident, a New Mexico jury awarded $4.3 million in damages to Shawn Carpenter a former network security analyst at Sandia National Laboratories. Carpenter had filed a wrongful termination lawsuit against Sandia after he was fired from the lab for disclosing details of an internal security breach with the FBI and others.

Oracle makes $6.7B offer for BEA Systems

2007-10-12T17:28:00.000+03:00

Oracle Corp. announced today that it has offered to buy middleware vendor BEA Systems Inc. for $6.66 billion, or $17 per share, in cash.

Oracle said it had written to BEA's board of directors on Tuesday to make the offer, which represents a premium of 25% over BEA's closing share price yesterday. The Wall Street Journal valued the offer at $6.66 billion.

BEA was a pioneer in the market for Java application server software used to deploy business applications, competing with products like IBM's WebSphere. It has been rumored to be an acquisition target on numerous occasions but has managed to retain its independence.

"This proposal is the culmination of repeated conversations with BEA's management over the last several years," Oracle President Charles Phillips said in a statement. "We look forward to completing a friendly transaction as soon as possible."

However, BEA executives were not quoted in the statement, and there was no indication early today as to whether the company is open to being acquired.

Oracle said the acquisition would help it to beef up its own middleware suite, an important area for the company that links several families of business applications it has acquired.

The company said it would protect the investments of BEA customers if the deal were to go ahead.

"Our continuing support commitment has been amply demonstrated with all of our previous acquisitions, including PeopleSoft and Siebel. BEA will be no different," Phillips said.

Opinion: Why Apple's 'new Newton' will rule

2007-09-29T16:09:00.000+03:00

They can send a man to the moon (or at least they could 40 years ago). Why can't they make a tiny computer people want to buy?

Cell phone, laptop and desktop PC markets are all well established, with dominant players in each category raking in billions in sales. But in the world of mobile computers, the field for laptops that are bigger than cell phones but smaller than regular laptops is still wide open. A shockingly large number of companies have invested millions of dollars developing products in this category. They've shipped dozens of gadgets hyped as the Next Big Thing. But the buying public has responded with indifference.

Many observers blame this indifference on problems with the category itself. What's the appeal of a mobile computer too big for your pocket and too small for a full screen and keyboard?

But I disagree. There are many scenarios -- airplanes, restaurants, meetings, around the house -- where tiny mobile computers are ideal. The problem is price, performance and user experience. To date, products have been way too expensive, slow, clunky and awkward to use.

Eventually, somebody is going to get it right. And when they do, the tiny computer market will get huge.

Since Microsoft announced the "Origami" project way back in March of last year, the category has been going nowhere. But, suddenly, everything has changed.

Events in the past 30 days lead me to conclude something unthinkable just one month ago: Apple -- yeah, I said it -- Apple! will ship the first ever successful small computer. Call it the Newton on Crack (or, more accurately, on Mac).

Here's what happened in September.

Palm Foleo

Everyone seems to think that Palm's Foleo project has been canceled. But this isn't true.

The original Foleo concept was a Linux-based, low-power clamshell device that worked exclusively with Palm's Treo line of smart phones.

What is true is that Palm CEO Ed Colligan announced earlier this month that the company plans to discontinue the use of Linux as an operating system. This companywide strategic change will delay the Foleo, which will come out eventually on a new OS platform the company is now working on. The new operating system will be finished next year.

So just to be clear: The Palm Foleo project has not been canceled. It has been given a new operating system and delayed.

The Foleo is still a dark horse candidate. If the company's new platform is great, if the company can survive long enough without real innovation on the phone side, if they can get the price down far enough -- a lot of "ifs" here -- then Palm has a shot at selling a few of these to existing Treo owners.

The Foleo has zero chance of dominating the coming boom in tiny mobile computers.

Nokia

The Federal Communications Commission recently approved a new minitablet, nonphone device from Nokia that supports Bluetooth, WLAN and GPS. The approval was branded as "confidential," so only the sketchiest of details are available on the product, which will almost certainly ship this year.

I'm not sure Nokia has the "right stuff" to compete in the nonphone market. For starters, the company has trouble focusing on individual products and tends to scatter its energy and resources across its massive line of devices. The future king of tiny mobile computers is going to need vision and focus.

Go ahead and take Nokia off the list of contenders.

The UMPCs

The ultramobile PC (or UMPC) platform, originally developed by Microsoft, Intel and Samsung, is designed for small, low-voltage computers with pen-based touch screens and, optionally, QWERTY keyboards. UMPCs can run Windows XP Tablet PC Edition 2005, Windows Vista Home Premium Edition or Linux.

Intel announced last week that it would slash the power on its UMPC chip sets in an upcoming chip set code-named Moorestown and add hot features like WiMax, 3G and others.

The Intel announcement is the best news to ever hit the UMPC space. The future of UMPCs has potential, but so far nobody in the space has achieved the right combination of price, performance and overall user experience. The manufacturers are trying, however, and just this month have announced wide-ranging updates.

Asus announced yesterday major updates to its R2E UMPC. The new version uses Intel's 800-MHz A110 processor instead of a Celeron, which should improve battery life. The device sports a few impressive specs, including 1GB of RAM, 802.11g wireless and integrated GPS and a webcam. The R2E, however, is simply too expensive to succeed at over $1,500, and it doesn't have a keyboard.
Fujitsu recently announced its appealing LifeBook U1010 in Asia, which is sold as the U810 in the U.S. The device is for business professionals who also want to watch movies and play games. It even has a fingerprint scanner for security. Of all the UMPCs that are shipping, the Fujitsu has the most promise. It's both a tablet and a clamshell. It has a nice big keyboard. And it has a relatively low price: $1,000. Unfortunately, the UMPC runs Windows Vista, and some users report serious performance issues. If Fujitsu could make the U810 a lot faster and a little cheaper (say, under $700), they'd have a category buster. But they can't, so they don't.
Sony recently updated the hardware on its VAIO UX-Series UMPC. The computer has a screen that slides up to uncover an unusable keyboard. The company will need to completely overhaul the design for better usability if it wants leadership in the coming minicomputer space. I would think Sony could do better than this.
OQO's recently updated 02 UMPC is optimized for media, and has a small, awkward keyboard. The device is both too small -- very close in size to a large smart phone -- and too expensive -- at $1,300, it costs as much as a laptop.
HTC recently announced that it plans to jump on the Vista bandwagon with the company's Shift UMPC -- and also use Windows Mobile. The device uses Microsoft's cell phone operating system to collect e-mail while the computer is in sleep mode. The Shift has a nice, big keyboard and screen, but it's too expensive ($1,500), suffers from poor battery life (three hours!) and is a little on the fat side.

These are just the UMPCs updated during September. There are more than a dozen other devices out there on the Origami platform. Every single UMPC device that has been shipped or announced suffers from lousy usability, high prices, poor performance, ill-conceived user interfaces, or any combination of the above. And far too many of these companies are jumping on the Vista bandwagon. If Vista can't deliver good performance on a brand-new desktop PC, how can it function well enough on a low-powered handheld device with a touch screen?

Can anyone create the right combination of usability, performance and price? Yes: Someone can.

Apple

Two things happened in the Applesphere in September that changed everything. First, of course, is that Apple CEO Steve Jobs announced Sept. 5 the iPod Touch.

The second is that AppleInsider said this week that Apple is working on an updated Newton MessagePad -- basically a big iPod Touch with additional PDA functionality. The Mac OS X Leopard-based mobile minitablet PC will be 1.5 times the size of an iPhone, but with an approximate 720 by 480 high-resolution display. The site estimates that the new device will ship in the first half of 2008.

If true (and some believe it isn't), this rumor is very good news. If Apple ships an iPod Touch, but with good PIM (personal information manager) functionality, an optional wireless keyboard and good battery life for under $1,000, they win.

But even if this particular rumor is false, I still believe Apple will dominate this category with another project. As I've said before in this space, Apple's iPhone user interface is a glimpse of the future, not only of future Apple mobile computers, but desktops and the future of all PCs as well. It's inevitable that Apple will ship a tablet Mac that works like the iPhone. And, just as in the iPod space, the company will likely round out the category with a "mini" version.

Of course, everything could change again in October. But right now, the only company with a prayer of succeeding in the small computer space is also the only company that hasn't even shown a prototype -- Apple.

iPhone's Bluetooth bug under the hacker microscope

2007-09-29T15:56:00.000+03:00

Almost lost in the hubbub over Thursday's iPhone firmware update and whether it would "brick" unlocked phones was the fact that Apple Inc. patched 10 vulnerabilities -- twice the number of fixes issued since the phone's June debut.

The iPhone 1.1.1 update, which like previous upgrades is delivered through Apple's iTunes software, fixes seven flaws in the built-in Safari browser, two in the smart phone's Mail application and one in its use of Bluetooth, the short-range wireless technology.

The seven Safari vulnerabilities include several cross-site scripting (XSS) flaws, one that can disclose the URL of other viewed pages -- an online banking site, say -- and another that lets attackers execute malicious JavaScript in pages delivered by the SSL-encrypted HTTPS protocol. One of the Safari flaws, and an associated vulnerability in Mail, involve "tel:" links, which can be exploited by hackers to dial a number without the user confirming the call.

But it was the Bluetooth bug that got the attention of security researchers. Symantec's DeepSight threat network team pointed out the vulnerability in an advisory to customers today. "Reportedly, the Bluetooth flaw occurs when malicious Service Discovery Protocol (SDP) packets are handled; any attacker that is within Bluetooth range can exploit it remotely," wrote DeepSight analyst Anthony Roe in the alert. "Successful exploits are reported to allow the attacker to execute arbitrary code."

According to Apple's security advisory, the Bluetooth bug was discovered and reported by Kevin Mahaffey and John Hering of Flexillis Inc., a Los Angeles-based company that specializes in mobile security development and consulting. Flexillis may be best known for its reverse engineering of the exploit used to hack into several celebrities' T-Mobile cell phone accounts in 2005, include Paris Hilton and Vin Diesel.

The Bluetooth bug may prove to be dangerous to iPhones, Roe speculated, since the potential range of the technology is much greater than most people think. While Bluetooth's potential range -- and thus the maximum distance between attacker and victim -- is about 400 feet, "Several proof-of-concept Bluetooth antennas have intercepted Bluetooth signals at almost a mile," he said.

Roe also pointed out that HD Moore, the driving force behind the Metasploit penetration framework, had recently demonstrated that shellcode could be run on an iPhone. Moore, said Roe, proved that "exploiting security vulnerabilities affecting the iPhone is by no means out of reach." n a post to his blog -- and to the Metasploit site -- on Wednesday, Moore said that because every process on the iPhone runs as root, and so has full privileges to the operating system, any exploit of an iPhone application vulnerability, such as Safari or Mail or Bluetooth, would result in a complete hijack of the device. Moore also announced that he would add iPhone support to Metasploit, which would make it much easier for hackers to access a vulnerable phone.

Moore acknowledged that he's looking at the Bluetooth vulnerability. "The Bluetooth SDP vulnerability is the only issue I am focusing on," he said in an e-mail Friday.

He also hinted that locating vulnerable iPhones wouldn't be a problem. "The Bluetooth MAC [media address control] address is always one less than the Wi-Fi interface's MAC address," he said. "Since the iPhone is always probing for or connected to its list of known access points, the presence of the iPhone and its Bluetooth MAC address can be determining by using a standard Wi-Fi sniffer.

"Once the Bluetooth MAC address is obtained, the SDP issue can be exploited by anyone within range of the Bluetooth chip, or within range of the attacker's antenna, which can be up to a mile away in some cases," he said.

If Moore manages to craft an exploit and add it to Metasploit, it's probable that criminal hackers will quickly follow. "Once we see something in Metasploit, we know it's likely we'll see it used in attacks," Alfred Huger, vice president of engineering with Symantec's security response group, said in a July interview.

Jarno Neimela, a senior researcher with F-Secure Corp., a Helsinki-based security vendor, also hit the alarm button, but for a different reason. In a posting to his company's blog today, Neimela pointed out that there's no security software available for the iPhone, thanks to Apple's decision to keep the device's inner workings a secret.

"The amount of technical information [available about the iPhone] makes it likely that sooner or later someone will create a worm or some other malware," Neimela said. "This will create an interesting problem for the security field as the iPhone is currently a closed system and it's not feasible to provide anti-virus or other third-party security solutions for it.

"So if someone were able to create a rapidly spreading worm on the iPhone, protecting users against it would be problematic."

Although iPhone owners will be automatically notified in the next week that the new patches are ready to download and install, a large number of those who have modified or unlocked their phones will probably forgo the fixes, since the 1.1.1 update apparently also disables unlocked phones and wipes unauthorized third-party applications that have been added with various hacks.

Poltergeist

2007-09-26T15:50:00.000+03:00

The problem may not rival the movies Poltergeist or The Amityville Horror for sheer terror, but CIOs and data center managers are still well advised to deal decisively with so-called ghost servers. Like celluloid zombies, these forgotten pieces of equipment are dead when it comes to improving the bottom line, but they are very much alive when it comes to eating up IT budgets.The unproductive -- and usually undocumented -- servers take up valuable real estate, consume increasingly expensive electricity and, in some cases, absorb ongoing maintenance and lease payments. "You can find ghost servers in a lot of enterprises," says John Phelps, an analyst at Gartner Inc. "And the larger and more diverse the company, the harder it can be to have a single group or technology platform that provides control over all corporate assets." Sun Microsystems Inc., through case studies of two large corporate data center operations and anecdotal analysis of efforts with many customers, believes that 8% to 10% of all servers in large corporations have no identifiable function. In the two data center studies, 150 ghost servers were found in an installation of 1,800 servers, and 354 ghost servers were found in an installation of 3,500 servers. One of the companies studied was Sun itself. Sun used system performance tools to monitor CPU utilization and I/O and network traffic, collecting the data over the course of a month, and sorted out machines with zero utilization. Sun removed the questionable servers from operation for 90 days to determine any impact. At the end of the period, it found that 60% of the servers could be permanently decommissioned, says Mark Monroe, director of sustainable computing at Sun. The company now conducts quarterly reviews of utilization rates. "It's hard to get people to admit they have unused infrastructure," Monroe says. "It's expensive, wasteful, and having a CIO admit he's got millions of dollars of idle assets lying around could get a guy fired. I think we can remove some of the stigma by talking about the facts, and having people realize it's worse just to leave them lying around." Corporations need to admit "they are like everyone else" and try to reduce the number of idle machines to 3% or less, "which is three times better than the industry average," he says. The cost of running a server for three years exceeds its original acquisition cost, so keeping the ghost servers around has an easily measured effect in energy savings. Identifying and eliminating wasted resources are key components of green or "eco-computing," Monroe says. The good news: Advances in asset management and configuration software can help businesses find and shut down these useless machines. And more companies are being proactive when it comes to adopting policies in this area. A survey of more than 300 businesses in the U.S. and Europe conducted by Gartner in 2006 found that 74% of respondents said they have a formal software and hardware asset management program. More advanced autodiscovery capabilities and more efficient, effective and accurate search engines mean "there has recently been more focus on discovering the lost and unidentified equipment, especially in industries where security concerns are growing," says Richard Ptak, analyst at Ptak, Noel & Associates. "Every major company I've ever dealt with has had the problem to some level."
When BlueCross BlueShield of Florida (BCBSF), which provides insurance services for nearly 9 million people, decided to build a new data center in 2005, the company also felt it was time to get a comprehensive look at its asset inventory, says Paul Stallings, senior manager for provisioning services. In addition to the new and existing data centers, BCBSF also has about 10 smaller server rooms in various locations around the state. The server room equipment was being managed by different departments within the insurance provider, and each had a different way of tracking and documenting assets, Stallings says. Using Aperture Technologies Inc.'s VISTA tool beginning in late 2005, BCBSF began documenting its IT resources under a single umbrella. "There were definitely undocumented assets," Stallings says. "When you have seven or eight teams managing the hardware, each using a different process, there was really no way to get a systemwide understanding of what we had in our various data centers." By getting a complete view of its asset inventory, BCBSF has been able to create a formal decommissioning process. When a system needs to be retired, a workflow ticket is automatically generated. The IT department can then start to reclaim floor space, remove cabling and place old servers in pool of equipment that can be either redeployed or completely removed from the environment. As one of largest IT services providers in the world, Fujitsu Services operates seven Fujitsu-owned data centers in the U.K. with more than 200,000 sq. ft. of floor space, and manages 11 customer-owned facilities. As a result of its outsourcing business, the company has acquired data center facilities and IT equipment from a variety of sources, and much of the equipment came with no asset or configuration management process in place, says Mark Scott, global data center delivery manager at Fujitsu Services. The company had previously used a configuration cataloging system that recorded only the location of equipment on the floor, but it did not provide any insight into specific use of the equipment. In attempt to get a comprehensive inventory and create an asset management strategy that would allow it to maximize existing data center space and continue to grow, Fujitsu Services began working with Aperture to deploy its VISTA data center resource management system in 2005, and the company began to see a variety of issues that were wasting resources. "We found we had IT equipment on the floor that people within the company had thought we had gotten rid of years ago," he says. "We looked deeper and found out we were also still paying lease and maintenance on the equipment. We even found that we were paying lease and maintenance on equipment that been removed from our data centers." By extending the asset management systems across its entire U.K.-based data center operation, Fujitsu Services has reduced its operational costs and then passed the savings on to customers, Scott says. Since customers are generally charged for the floor space they use within the data centers, the removal of unproductive equipment has allowed Fujitsu Services to reduce specific hosting charges for those customers. So, for example, if Fujitsu can reduce the footprint by 10%, Scott says that 10% savings can be passed along to the customer. The company is also developing the ability to invoice for the actual power required by individual customer installations, versus the current practice of invoicing for power based on the floor space used by the servers. "We also found lots of badly installed equipment," Scott says. The poor installation processes had led to what he characterized as vulnerabilities that meant his company had difficulties meeting customer uptime requirements. "The result was really that we had actually built vulnerabilities into the operation. It was a real wake-up call. We now have a complete vulnerability check and can control installations from the beginning to end." Alticor Inc., the parent company for such businesses as Amway Corp., Quixtar Inc. and Access Business Group LLC, handles IT demands for affiliates all over the world, says Randy Gast, supervisor of server technology at Alticor. The company uses a combination of management tools to keep track of its software and hardware assets, including BMC Software Inc.'s Remedy service management and Hewlett-Packard Co.'s Systems Insight Manager. Using the software, Alticor early last year found that more than 200 servers, or about a third of its 650 x86 processor-based servers, were running at utilization rates of 10% or less, Gast says. Even scarier, these underused servers had accumulated without IT knowledge, over the previous three years as new equipment was bought to handle individual applications or affiliate requirements. Working with virtualization specialist VMware Inc., Alticor has embarked on an effort to consolidate the unproductive system and increase overall utilization rates to between 60% and 70%, Gast says. To date, Alticor has consolidated 150 of the unproductive servers onto seven servers using virtualization software. Alticor has donated the majority of the servers it has taken out of operation during the consolidation effort to charitable organizations. Servers that were too old to be used by groups such as local schools and churches have been sold for scrap. "Using Remedy, we can track the lease agreements for our hardware, when they start and expire, and use it to have automatic triggers that let us know we need to consider replacing certain equipment," Gast says. That said, there is generally a great deal of inefficiency regarding how customers get rid of old gear. "A lot of businesses don't have a disposition strategy, primarily because it's easier to buy" new servers than dispose of the old ones, says Daniel Ransdell, general manager of IBM's Global Asset Recovery Solutions business unit. "Even if you've unplugged the equipment and stuck it in some closet or corner, the business is losing the opportunity to recoup value. Servers aren't like fine wine. They don't get better with age." Energy cost is the major issue that is changing attitudes inside corporations. In August, the Environmental Protection Agency published a report that documented data center power usage. According to the report, data centers in the U.S. consumed about 60 billion kilowatt-hours in 2006, or about 1.5% of total electricity consumption in the country. The EPA points out that data center energy use has doubled in the past five years, and is expected to double again in the next five years to an annual cost of about $7.4 billion. The EPA says existing technologies and strategies could reduce typical sever energy use by 25%, and even greater savings are possible using more advanced technologies. Rockwell Bonecutter, head of data center technology and operations at Accenture Ltd., believes that a large percentage of the ghost server problem was alleviated when most businesses engaged in extensive Y2k efforts within their infrastructure. In the intervening years, however, there has been a significant growth of systems that operate at 5% utilization or less, often because of poor communication and asset management within the company. "When it comes to servers that nobody knows about that are sitting for years and nobody has touched, there are probably examples in every IT environment, but it's obviously impossible to measure what you don't know exists," Bonecutter says. "What we have found is that it is not unusual to find that 40% of all servers on a floor could be consolidated and virtualized out of the environment." Consolidation through virtualization has also led to the new phenomena of virtual ghost servers. The ease and quickness with which virtual servers can be created can often leave servers cluttered with numerous poorly documented virtual machines created for short-term or abandoned projects. With tools allowing businesses to get a more holistic view of their assets and policies in place to guide a formal decommissioning process, businesses can now reduce the risk and associated costs of ghost servers, without the need to call on the aid of another great Hollywood institution, Ghostbusters.

Happy Birthday, Sputnik! (Thanks for the Internet)

2007-09-24T15:29:00.000+03:00

Fifty years ago, a small Soviet satellite was launched, stunning the U.S. and sparking a massive technology research effort. Could we be in for another "October surprise"?

Quick, what's the most influential piece of hardware from the early days of computing? The IBM 360 mainframe? The DEC PDP-1 minicomputer? Maybe earlier computers such as Binac, ENIAC or Univac? Or, going way back to the 1800s, is it the Babbage Difference Engine?
More likely, it was a 183-pound aluminum sphere called Sputnik, Russian for "traveling companion." Fifty years ago, on Oct. 4, 1957, radio-transmitted beeps from the first man-made object to orbit the Earth stunned and frightened the U.S., and the country's reaction to the "October surprise" changed computing forever.
Although Sputnik fell from orbit just three months after launch, it marked the beginning of the Space Age, and in the U.S., it produced angst bordering on hysteria. Soon, there was talk of a U.S.-Soviet "missile gap." Then on Dec. 6, 1957, a Vanguard rocket that was to have carried aloft the first U.S. satellite exploded on the launch pad. The press dubbed the Vanguard "Kaputnik," and the public demanded that something be done.
The most immediate "something" was the creation of the Advanced Research Projects Agency (ARPA), a freewheeling Pentagon office created by President Eisenhower on Feb. 7, 1958. Its mission was to "prevent technological surprises," and in those first days, it was heavily weighted toward space programs.
Speaking of surprises, it might surprise some to learn that on the list of people who have most influenced the course of IT -- people with names like von Neumann, Watson, Hopper, Amdahl, Cerf, Gates and Berners-Lee -- appears the name J.C.R. Licklider, the first director of IT research at ARPA.
Armed with a big budget, carte blanche from his bosses and an unerring ability to attract bright people, Licklider catalyzed the invention of an astonishing array of IT, from time sharing to computer graphics to microprocessors to the Internet.
But now, the special culture that enabled Licklider and his successors to work their magic has largely disappeared from government, many say, setting up the U.S. once again for a technological drubbing. Could there be another Sputnik? "Oh, yes," says Leonard Kleinrock, the Internet pioneer who developed the principles behind packet-switching, the basis for the Internet, while Licklider was at ARPA. "But it's not going to be a surprise this time. We all see it coming."
The ARPA WayLicklider had studied psychology as an undergraduate, and in 1962, he brought to ARPA a passionate belief that computers could be far more user-friendly than the unconnected, batch-processing behemoths of the day. Two years earlier, he had published an influential paper, "Man-Computer Symbiosis," in which he laid out his vision for computers that could interact with users in real time. It was a radical idea, one utterly rejected by most academic and industrial researchers at the time. (See sidebar, Advanced Computing Visions from 1960.)
Driven by the idea that computers might not only converse with their users, but also with one another, Licklider set out on behalf of ARPA to find the best available research talent. He found it at companies like the RAND Corp., but mostly he found it at universities, starting first at MIT and then adding to his list Carnegie Mellon University; Stanford University; University of California, Berkeley; the University of Utah; and others.

Advanced Computing Visions from 1960 Nearly a half-century ago, a former MIT professor of psychology and electrical engineering wrote a paper -- largely forgotten today -- that anticipated by decades the emergence of computer time sharing, networks and some features that even today are at the leading edge of IT.
Licklider wrote "Man-Computer Symbiosis" in 1960, at a time when computing was done by a handful of big, stand-alone batch-processing machines. In addition to predicting "networks of thinking centers," he said man-computer symbiosis would require the following advances:
Indexed databases. "Implicit in the idea of man-computer symbiosis are the requirements that information be retrievable both by name and by pattern and that it be accessible through procedures much faster than serial search."
Machine learning in the form of "self-organizing" programs. "Computers will in due course be able to devise and simplify their own procedures for achieving stated goals."
Dynamic linking of programs and applications, or "real-time concatenation of preprogrammed segments and closed subroutines which the human operator can designate and call into action simply by name."
More and better methods for input and output. "In generally available computers, there is almost no provision for any more effective, immediate man-machine communication than can be achieved with an electric typewriter."
Tablet input and handwriting recognition. "It will be necessary for the man and the computer to draw graphs and pictures and to write notes and equations to each other on the same display surface."
Speech recognition. "The interest stems from realization that one can hardly take a ... corporation president away from his work to teach him to type."
Licklider sought out researchers like himself: bright, farsighted and impatient with bureaucratic impediments. He established a culture and modus operandi -- and passed it on to his successors Ivan Sutherland, Robert Taylor, Larry Roberts and Bob Kahn -- that would make the agency, over the next 30 years, the most powerful engine for IT innovation in the world.
Recalls Kleinrock, "Licklider set the tone for ARPA's funding model: long-term, high-risk, high-payoff and visionary, and with program managers, that let principal investigators run with research as they saw fit." (Although Kleinrock never worked at ARPA, he played a key role in the development of the ARPAnet, and in 1969, he directed the installation of the first ARPAnet node at UCLA.)
From the early 1960s, ARPA built close relationships with universities and a few companies, each doing what it did best while drawing on the accomplishments of the others. What began as a simple attempt to link the computers used by a handful of U.S. Department of Defense researchers ultimately led to the global Internet of today.
Along the way, ARPA spawned an incredible array of supporting technologies, including time sharing, workstations, computer graphics, graphical user interfaces, very large-scale integration (VLSI) design, RISC processors and parallel computing (see DARPA's Role in IT Innovations). There were four ingredients in this recipe for success: generous funding, brilliant people, freedom from red tape and the occasional ascent to the bully pulpit by ARPA managers.
These individual technologies had a way of cross-fertilizing and combining over time in ways probably not foreseen even by ARPA managers. What would become the Sun Microsystems Inc. workstation, for example, owes its origins rather directly to a half-dozen major technologies developed at multiple universities and companies, all funded by ARPA. (See Timeline: Three Decades of DARPA Hegemony.)
Ed Lazowska, a computer science professor at the University of Washington in Seattle, offers this story from the 1970s and early 1980s, when Kahn was a DARPA program manager, then director of its Information Processing Techniques Office:
What Kahn did was absolutely remarkable. He supported the DARPA VLSI program, which funded the [Carver] Mead-[Lynn] Conway integrated circuit design methodology. Then he funded the SUN workstation at Stanford because Forest Baskett needed a high-resolution, bitmapped workstation for doing VLSI design, and his grad student, Andy Bechtolsheim, had an idea for a new frame buffer.
Meanwhile, [Kahn] funded Berkeley to do Berkeley Unix. He wanted to turn Unix into a common platform for all his researchers so they could share results more easily, and he also saw it as a Trojan horse to drive the adoption of TCP/IP. That was at a time when every company had its own networking protocol -- IBM with SNA, DEC with DECnet, the Europeans with X.25 -- all brain-dead protocols.
Surprise?The launch of the Soviet satellite Sputnik shocked the world and became known as the "October surprise." But was it really?
Paul Green was working at MIT's Lincoln Laboratory in 1957 as a communications researcher. He had learned Russian and was invited to give talks to the Popov Society, a group of Soviet technology professionals. "So I knew Russian scientists," Green recalls. "In particular, I knew this big-shot academician named [Vladimir] Kotelnikov."
In the summer of 1957, Green told Computerworld, a coterie of Soviet scientists, including Kotelnikov, attended a meeting of the International Scientific Radio Union in Boulder, Colo. Says Green, "At the meeting, Kotelnikov -- who, it turned out later, was involved with Sputnik -- just mentioned casually, 'Yeah, we are about to launch a satellite.'"
"It didn't register much because the Russians were given to braggadocio. And we didn't realize what that might mean -- that if you could launch a satellite in those days, you must have a giant missile and all kinds of capabilities that were scary. It sort of went in one ear and out the other."
And did he tell anyone in Washington? "None of us even mentioned it in our trip reports," he says.
DARPA TodayBut around 2000, Kleinrock and other top-shelf technology researchers say, the agency, now called the Defense Advanced Research Projects Agency (DARPA), began to focus more on pragmatic, military objectives. A new administration was in power in Washington, and then 9/11 changed priorities everywhere. Observers say DARPA shifted much of its funding from long-range to shorter-term research, from universities to military contractors, and from unclassified work to secret programs.
Of government funding for IT, Kleinrock says, "our researchers are now being channeled into small science, small and incremental goals, short-term focus and small funding levels." The result, critics say, is that DARPA is much less likely today to spawn the kinds of revolutionary advances in IT that came from Licklider and his successors.
DARPA officials declined to be interviewed for this story. But Jan Walker, a spokesperson for DARPA Director Anthony Tether, said, "Dr. Tether ... does not agree. DARPA has not pulled back from long-term, high-risk, high-payoff research in IT or turned more to short-term projects." (See sidebar, DARPA's Response.)
A Shot in the RearDavid Farber, now a professor of computer science and public policy at Carnegie Mellon, was a young researcher at AT&T Bell Laboratories when Sputnik went up.
"We people in technology had a firm belief that we were leaders in science, and suddenly we got trumped," he recalls. "That was deeply disturbing. The Russians were considerably better than we thought they were, so what other fields were they good in?"
Farber says U.S. university science programs back then were weak and out of date, but higher education soon got a "shot in the rear end" via Eisenhower's ARPA. "It provided a jolt of funding," he says. "There's nothing to move academics like funding."
Farber says U.S. universities are no longer weak in science, but they are again suffering from lack of funds for long-range research.
"In the early years, ARPA was willing to fund things like artificial intelligence -- take five years and see what happens," he says. "Nobody cared whether you delivered something in six months. It was, 'Go and put forth your best effort and see if you can budge the field.' Now that's changed. It's more driven by, 'What did you do for us this year?'"
DARPA's budget calls for it to spend $414 million this year on information, communications and computing technologies, plus $483 million more on electronics, including things such as semiconductors. From 2001 to 2004, the percentage going to universities has shrunk from 39% to 21%, according the Senate Armed Services Committee. The beneficiaries have been defense contractors.
Meanwhile, funding from the National Science Foundation (NSF) for computer science and engineering -- most of it for universities -- has increased from $478 million in 2001 to $709 million this year, up 48%. But the NSF tends to fund smaller, more-focused efforts. And because contract awards are based on peer review, bidders on NSF jobs are inhibited from taking the kinds of chances that Licklider would have favored.
"At NSF, people look at your proposal and assign a grade, and if you are an outlier, chances are you won't get funded," says Victor Zue, who directs MIT's 900-person Computer Science and Artificial Intelligence Laboratory, the direct descendent of MIT's Project MAC, which was started with a $2 million ARPA grant in 1963.
"At DARPA, at least in the old days, they tended to fund people, and the program managers had tremendous latitude to say, 'I'm just going to bet on this.' At NSF, you don't bet on something."
Farber sits on a computer science advisory board at the NSF, and he says he has been urging the agency to "take a much more aggressive role in high-risk research." He explains, "Right now, the mechanisms guarantee that low-risk research gets funded. It's always, 'How do you know you can do that when you haven't done it?' A program manager is going to tell you, 'Look, a year from now, I have to write a report that says what this contributed to the country. I can't take a chance that it's not going to contribute to the country.' "
A report by the President's Council of Advisors on Science and Technology, released Sept. 10, indicates that at least some in the White House agree. In "Leadership Under Challenge: Information Technology R&D in a Competitive World," John H. Marburger, science advisor to the president, said, "The report highlights in particular the need to ... rebalance the federal networking and IT research and development portfolio to emphasize more large-scale, long-term, multidisciplinary activities and visionary, high-payoff goals."
No Help From IndustryThe U.S. has become the world's leader in IT because of the country's unique combination of government funding, university research, and industrial research and development, says the University of Washington's Lazowska. But just as the government has turned away from long-range research, so has industry, he says.
According to the Committee on Science, Engineering and Public Policy at the National Academy of Sciences, U.S. industry spent more on tort litigation than on research and development in 2001, the last year for which figures are available. And more than 95% of that R&D is engineering or development, not long-range research, Lazowska says. It's not looking out more than one product cycle; it's building the next release of the product," he says. "The question is, where do the ideas come from that allow you to do that five years from now? A lot of it has come from federally funded university research."
A great deal of fundamental research in IT used to take place at IBM, AT&T Inc. and Xerox Corp., but that has been cut way back, Lazowska says. "And of the new companies -- those created over the past 30 years -- only Microsoft is making significant investments that look out more than one product cycle."
Lazowska isn't expecting another event like Sputnik. "But I do think we are likely to wake up one day and find that China and India are producing far more highly qualified engineers than we are. Their educational systems are improving unbelievably quickly."
Farber also worries about those countries. His "Sputnik" vision is to "wake up and find that all our critical resources are now supplied by people who may not always be friendly." He recalls the book, The Japan That Can Say No (Simon & Schuster), which sent a Sputnik-like chill through the U.S. when it was published in 1991 by suggesting that Japan would one day outstrip the U.S. in technological prowess and thus exert economic hegemony over it.
"Japan could never pull that off because their internal markets aren't big enough, but a China that could say no or an India that could say no could be real," Farber says.
The U.S. has already fallen behind in communications, Farber says. "In computer science, we are right at the tender edge, although I do think we still have leadership there."
Some of the cutbacks in DARPA funding at universities are welcome, says MIT's Zue. "Our reliance on government funding is nowhere near what it was in 1963. In a way, that's healthy, because when a discipline matures, the people who benefit from it ought to begin paying the freight."
"But," Zue adds, "it's sad to see DARPA changing its priorities so that we can no longer rely on it to do the big things."

Can IBM save OpenOffice.org from itself?

2007-09-20T14:52:00.000+03:00

OpenOffice.org's biggest foe may be Microsoft Office, but critics say the open-source organization has, from its inception, also been one of its application suite's own worst enemies -- a victim of a development culture that differs radically from the open-source norm. Observers now wonder if IBM's entry into OpenOffice.org can make the necessary changes.
Though spun out by Sun Microsystems Inc. in 2000, OpenOffice.org remains almost totally under the control of Sun employees working full-time on the project.
There is also a free, native Aqua version of OpenOffice called NeoOffice that was created by open-source developers unaffiliated with OpenOffice.org. NeoOffice has received positive reviews and the latest version, 2.2.1, includes support for Mac OS X Spellchecker and Address Book, as well as experimental support for opening Open XML files created by Excel 2007 and PowerPoint 2007. It was released late last month and is available for download.
That includes virtually all of OpenOffice.org's lead programmers and software testers, most of whom are based in Sun's Hamburg, Germany office, as well as OpenOffice.org's overall boss, Louis Suarez-Potts, who is the community's equivalent to Linux's Linus Torvalds.
"I think Sun developers have worked hard to open up the process at OpenOffice.org, and to my mind it has shown positive results," said Bruce D'Arcus, a lead developer at OpenOffice.org who has blogged about his dissatisfaction. "But there's a fundamental contradiction between having a vibrant open community and having the process controlled by a single party."
That tight control, combined with a bureaucratic culture, has hurt OpenOffice.org's ability to roll out new features quickly and otherwise keep pace technically with Microsoft Office, say insiders. For instance, OpenOffice's current (non-Aqua) Mac version lacks rich graphics, there is no e-mail module, and the software cannot yet open or read files in the Office Open XML document format used by Office 2007.
As a result, OpenOffice and its commercial cousin, StarOffice, still own just a small slice of the office software market, though the former has been downloaded more than 96 million times. The most recent version, OpenOffice 2.3, was released Monday as the organization prepared for its worldwide developer conference in Barcelona this week.
Is Sun missing the cultural point?
There are "enough developers frustrated by both the technical and the organizational infrastructure at OpenOffice.org" that it is "a real problem that is weighing on the project," said D'Arcus, a university geography professor who participates in the project.
Or as another OpenOffice developer, Michael Meeks of Novell Inc., blogged last week: "Question for Sun mgmt: at what fraction of the community will Sun reconsider its demand for ownership of the entirety of OpenOffice.org?"
That has long hurt OpenOffice.org's attempts to recruit and, moreover, keep contributors that are not paid by Sun or other leading backers such as Novell or Google Inc. to work on OpenOffice.org.
"OpenOffice.org has a very central business process of controlling what comes into the source base and by that very system misses the point of Open Source development," said Ken Foskey, an Australian open-source developer who volunteered for OpenOffice.org for three years. He left in 2005 after becoming "increasingly frustrated" with the organization's bureaucracy.

Scott Carr, a community member of OpenOffice.org, acknowledges he has lost two key members of his already-small documentation team.
"I understand where some of [the criticism] is coming from," he said.
Enter IBM, accompanied by Symphony
So does IBM Corp., which is joining OpenOffice.org and creating its own free version called Lotus Symphony, aimed at its enterprise and government customers.
"We think that there's a broad-based consensus that some governance and structural changes are in order that would make the OpenOffice project more attractive to others," Doug Heintzman, director of strategy for IBM's Lotus Software, said in an interview last week. "It's no secret that this has been an issue for us for some time, and we haven't viewed OpenOffice.org as being as healthy as it might be in this respect."
Besides committing 35 China developers to OpenOffice.org, IBM plans to make its voice heard -- immediately and loudly. IBM will "work within the leadership structure that exists," said Sean Poulley, vice president of business and strategy in IBM's Lotus Software division. "But we will take our rightful leadership position in the community along with Sun and others."
In e-mailed comments, Heintzman said his criticisms about the situation have been made openly.
"We think that Open Office has quite a bit of potential and would love to see it move to the independent foundation that was promised in the press release back when Sun originally announced OpenOffice," he said. "We think that there are plenty of existing models of communities, [such as] Apache and Eclipse, that we can look to as models of open governance, copyright aggregation and licensing regimes that would make the code much more relevant to a much larger set of potential contributors and implementers of the technology....
"Obviously, by joining we do believe that the organization is important and has potential," he wrote. "I think that new voices at the table, including IBM's, will help the organization become more efficient and relevant to a greater audience.... Our primary reason for joining was to contribute to the community and leverage the work that the community produces.... I think it is true there are many areas worthy of improvement and I sincerely hope we can work on those.... I hope the story coming out of Barcelona isn't a dysfunctional community story, but rather a [story about a] potentially significant and meaningful community with considerable potential that has lots of room for improvement...."
Suarez-Potts did not return repeated requests for comment. But Erwin Tenhumberg, community development and marketing manager for OpenOffice.org and a Sun employee in its Hamburg, Germany office where OpenOffice / StarOffice development is centered, acknowledged the criticism.
"There's a long tradition at Sun of not paying attention to outside contributors because there weren't many for a long time," said Tenhumberg, who estimated that 90 percent of the programming in OpenOffice 2.0, the last major release from two years ago, was done by Sun employees.
Alexandro Colorado, who helps run a project to create a Spanish-language version of OpenOffice, said while many of the criticisms leveled OpenOffice.org's management are valid, "there are other sides of the story than [just] pure bashing."
He blamed "exponential" growth in OpenOffice's code base, a situation that has been partly corrected after the group began to limit development in the core OpenOffice code and ask developers to build new features in the form of "extensions," a model successfully used by the Firefox web browser.
"So far we have exciting extensions like Google Docs integration with OpenOffice.org," Colorado wrote in an e-mail. "This would have taken ages to integrate into the code base and now it's available in a matter of weeks."

Another OpenOffice.org community developer, Charles H. Schulz, says that much of the criticism is simply misplaced.
"Unfortunately, some Novell engineers' behavior and vision of what the OpenOffice.org project should be and should [not be] leave me and others appalled by their misunderstanding of what a community really is," he said. "I think the real issue with Novell now has more to do with individual egos and agendas than anything else."
Convincing the mouse to roar again
Another problem with Sun is that it has taken an increasingly passive position in the past several years against OpenOffice.org's chief rival, Microsoft. Out is ex-CEO Scott McNealy, who was famous for his scripted put-downs of Microsoft, and in is Jonathan Schwartz, whose tenure has been marked by an increasing cooperation with what once was Sun's symbolic bogeyman.
For instance, Sun abstained from voting for or against ratifying the Office Open XML document format as a standard in the ISO vote earlier this month. And the one time it did weigh in, it was to express its conditional support for Open XML.
One observer close to OpenOffice.org links the change in tone to the terms of a $1.6 billion settlement paid by Microsoft to Sun in 2004 that has also resulted in technical and marketing cooperation.
IBM led the opposition against Open XML's approval. The observer expects IBM, which plans to inject 35 China-based developers into the OpenOffice.org process, to take over the role of being OpenOffice.org's public champion.
And he thinks that will be a good thing. "They'll be able to say some of the things that Sun can't," he said.
Moreover, says IBM's Poulley, "we bring our credibility and prowess in enterprise software, which has less been the forte of Sun."
But will Sun be willing to relinquish some or most of its control over OpenOffice.org? Poulley thinks the transition has already begun. Simply "by virtue of our joining, OpenOffice.org becomes a lot less Sun-dominated," he said.
And that process can't happen fast enough, if the software hopes to make any dent into Office's dominance, says another expert.
"As much as people like open formats, they won't buy an inferior product," said Andy Updegrove, a Boston lawyer who represents open-source organizations and blogs about the same topics. With IBM "betting big on OpenOffice, in two and a half years we could be looking at another Mozilla situation, where Firefox has 15 percent of the market. That could lead to Microsoft modifying Office or changing its licensing or prices, which benefits the entire market."

Get a life: 10 tips for achieving a better work/life balance

2007-09-19T14:24:00.000+03:00

As president of Encompass, a 16,000-member user group for business customers of Hewlett-Packard, Buik comes in contact with a wide variety of technology professionals who all seem to log a lot more than the traditional 40-hour workweek. "I rarely talk to anyone putting less than 60 hours a week into their jobs," says Buik, who is also senior vice president of MindIQ Corp., a Norcross, Ga., designer of technology-based training materials.

Buik herself has managed to forge a different path. She has let her staff know that once she's done for the day, that's it. They shouldn't contact her for routine issues and should text-message her only for true emergencies.

"If our Web site goes down, I need to be contacted, because our entire organization functions from our Web site," Buik explains. "If there's a simple power failure, we have backup for that, so I don't need to know immediately."

As companies increasingly look to technology to help them do more while spending less, technologists like Buik, and the IT workers she manages, are clearly feeling the squeeze.

It's pressure that hits at all levels. Some IT positions, such as help desk jobs, still tend to follow a traditional eight-hour shift, but such employees are often scheduled for evening and weekend work as well as the usual 9 to 5. Meanwhile, higher-level managers are racking up the hours at work as they try to meet tight deadlines and respond to those they serve.

Now, at all levels, IT professionals are beginning to give voice to their desire to have some time for personal pursuits. In other words, they want at least some semblance of what's known as work/life balance.

Pie in the sky?

Given the nature of IT work and the economic realities of the marketplace, achieving that kind of balance can be a tall order.

"IT workers do seem to work longer hours. Fifty hours is an average," says Lily Mok, who analyzes work/life balance in IT for Gartner Inc.

"IT work often requires [employees] to work different shifts and to be on call 24/7. And especially in recent years, as IT organizations became leaner after downsizing and outsourcing, people are required to do more work and take on more responsibilities."

According to the U.S. Department of Labor's Bureau of Labor Statistics, the average full-time worker in the U.S. puts in 9.3 hours a day. IT staffers work considerably more than that, other statistics show.

One study (download PDF), for instance, found that the average workweek for software programmers, engineers and technicians ranges from 43 to 62 hours.

While those numbers might seem dire, recent developments at the corporate level have improved IT professionals' lives as companies add work/life benefits in order to attract top talent. Flexible schedules, job sharing, condensed workweeks and telecommuting are some of the options now available to technologists, says Mok.

IT people have a better work/life balance today than they did when Leo Collins started in the field about 20 years ago. Collins, CIO at Lions Gate Entertainment Corp., points out, for instance, that employees don't always have to physically be in the office to do their work nowadays.

In fact, in a study released in July by Robert Half Technology, a Menlo Park, Calif.-based IT staffing company, 44% of CIOs surveyed said their company's IT workforce is telecommuting at a rate that's the same as or higher than it was five years ago. They cited improved retention, better morale and increased productivity as the greatest benefits of telecommuting.

While that's a step in the right direction, the industry still has a long way to go. Reluctant managers and a domineering corporate culture can influence how effectively work/life benefits are implemented in an organization and how willing employees are to seek them out, Mok points out.

And Collins acknowledges that for all the progress, IT workers at his company still tend to log some serious overtime. "The norm is a lot closer to 50 to 60 hours," he admits, "but you don't always physically need to be there." Either way, "we try not to have a crisis attitude," he says. "So if you need to take care of [personal] things, we can adjust priorities and move tasks around."

How can you find ways to better balance your professional and personal time -- even if you're at a company that's less progressive on the issue? Work/life coaches, IT executives and experienced tech professionals share their strategies for finding the right balance, with these 10 tips:

1. Establish and enforce your own priorities.

Many people who want to make a change in their lives fail to first reflect on exactly what it is they want to do differently, says Kathie Lingle, director of the Alliance for Work-Life Progress in Scottsdale, Ariz.

Step 1 should always be to set your priorities, she says. "Get those straight in your mind, and [then] act on them," Lingle suggests.

Whether your goal is to be active in your community or nurture personal relationships, it's likely you'll need to make time for those priorities by limiting your hours at work -- even if that means saying no to overtime or extra projects, or to a promotion.

Brian Schultz, information assurance practice lead at the Battelle Memorial Institute in Columbus, Ohio, undertook this exercise when working as a manager with the computer risk management practice at the former Arthur Anderson LLP. He didn't want to follow the same track as the executives he knew who sacrificed fulfilling personal lives to work 60-hour weeks.

"Early on, I established a priority list: God, family, country, community and company," Schultz explains. "The company is last. If you take that strictly, of course, you'd be living on the street, so there's a definite balance between those commitments. But to be fulfilled, you need that balance."

It wasn't an empty exercise. Schultz left Arthur Anderson in 2000 because he wasn't willing to put in the 14-hour days and weekend time needed to reach the next level. Instead, he found a position with another company that offered challenging work yet still respected the work/life balance he sought.

Now at Battelle, where he works an average of 45 hours a week, Schultz says he doesn't have to sacrifice career aspirations for personal time. Unless there's a looming deadline or an after-hours client meeting, Schultz doesn't work on Sundays, and weekdays he's usually home for dinner with his family.

2. Communicate.

You've set your priorities. Now let your co-workers know about them.

"Boundaries are often invisible. No one knows they're there but you. If you don't articulate [your boundaries], then how will other people know they're crossing them?" asks Lisa Martin, founder and president of coaching and training company Briefcase Moms in Vancouver, British Columbia.

It's crucial to be clear about what you want, what you can do and what you can't do, she says. It's equally crucial, of course, to take a business approach to this step, Martin emphasizes. Find opportune times to discuss such matters, and use a neutral voice to address missteps.

If, for instance, you've negotiated the ability to leave nightly by a certain time but your boss still keeps you late, state the problem neutrally ("This is the seventh time in two months I've worked late on a Friday") and remind her of your initial boundary ("We'd agreed to a firm leaving time.")

For some employees, this step might not come naturally, especially when speaking to a supervisor, but "you've got to take your 'boundaries vitamins,' " Martin maintains. "You have to keep fortifying [your position]. "It gets easier with practice," she promises.

Lingle suggests sharing not only your established priorities but also select details of your personal life with your co-workers.

It's an approach that Bob Keefe, senior vice president and CIO of Mueller Co.'s Mueller Water Products division and president-elect of the Society for Information Management, has seen put to good use firsthand.

While working at another company, his team encountered a serious error during an electronic data interchange. The team had to contact a colleague for information, although they knew he was out because his wife was heading into surgery.

"He was the kind of person who, if we made that phone call, he'd be back in the office, so we told him the program just 'ab ended,' " knowing that an abnormal end to a program wasn't serious enough to make him feel he needed to return to work, Keefe explains. Because they knew about his personal situation beforehand, the team took the trouble to glean the necessary information from their colleague without calling him back into the office.

3. Build a business case for your better life.

Savvy professionals are increasingly willing to asking for flexible schedules as part of their compensation packages when offered new jobs, Mok says.

"People with hot skills have more leverage in getting this kind of special treatment," she says, but that doesn't preclude others from negotiating additional vacation time, limited overtime hours or flexible start and end times before signing on with a new company. You can use the same strategy to negotiate benefits from your existing employer, too, Mok suggests.

Just approach the situation as you would any other business proposal: by building a business case for what you need. "You need to demonstrate, based on your previous performance, that you will be able to deliver the same results," Mok explains.

If you want to telecommute, for example, you should explain how you already successfully work without direct supervision -- making sure to include specific examples -- and how you can accomplish more without frequent office interruptions. Moreover, you should point out that a home setup is in line with your company's disaster recovery plans because it allows you to work even if the main office is empty due to, say, bad weather.

4. Take advantage of corporate policies and programs.

A survey conducted last year by OfficeTeam, a Menlo Park, Calif., staffing service, found that 53% of workers and 45% of executives said their employers were "very supportive" of efforts to achieve work/life balance. Another 37% of workers and 50% of executives said their employers were "somewhat supportive."

But work/life benefits, whether they're on-site child care, flextime or job sharing, can't help you if you don't take advantage of them. Learn what programs your company offers and consider when and how they can benefit you, Mok says.

Look at Schultz's case. His round-trip commute takes at least two hours, so he takes advantage of Battelle company policy and telecommutes when he has a daytime appointment close to home. "It's a huge relief of pressure, and it saves a great deal of time," he says.

5. Seek out a mentor.

"Look to people who you feel who have a good work/life balance and ask them, 'How did you accomplish this?' " advises Katherine Spencer Lee, executive director of Robert Half Technology.

Brian Abeyta, vice president of IT at insurance provider Aflac Inc. in Columbus, Ga., remembers admiring a supervisor who was gifted at managing both her executive-level job and her life as a mom.

"It forced me to appreciate very disciplined time management," he says, noting that his superior was very good about dedicating her time and focus to the task at hand. "She set a schedule and committed to that. Wherever she was, she was at that place and wasn't thinking about where she had to be next," he observes.

That kind of focus and discipline, both from the Aflac executive and from professionals Abeyta had known at previous companies, helped him and his co-workers learn how to honor their own personal priorities while still fulfilling their job requirements. "It showed that we could respect for each other's time, and that we need to respect each other's lives," Abeyta says.

6. Work more efficiently.

Seasoned tech workers know when they need to rush back to the office and when they can dial in and troubleshoot remotely, says Natalie Gahrmann, a work/life expert at N-R-G Coaching Associates in Hillsborough, N.J.

She points to her husband, an IT director, and his own work habits as an example: He recently drove to his company's New Jersey backup site rather than to his Manhattan office to handle an off-hours problem, saving precious personal time in the process.

Another way to work more efficiently: Tap the expertise of a professional group, Buik suggests. "You become more efficient with your time at work when you can share issues with others," she says. "That's less time dealing with certain problems, which means all of a sudden you have more time at home."

One of Buik's colleagues, for example, recently researched details on HP C-Class blade servers through the Encompass user group and was able to make a purchasing decision based on that interaction, which saved him from conducting hours of research on his own.

7. Share your knowledge.

It's often fulfilling to be an expert on a specialized program, but Keefe warns against being the only one in the know.

"In the cases when you're a de facto expert, you want to pull teammates in and train them," even if you have to take the initiative to make that training happen, he explains. "You want to share that knowledge, because if you have an on-call structure, then you won't have to always be the only one on call."

8. Use your gadgets.

There's no doubt that Keefe is a fan of gadgets because he, like many others, can use mobile devices to get work done whenever, wherever.

Moreover, he says, mobile devices can be tied into the office network, allowing employees to not only receive automated messages about potential problems but also to troubleshoot from wherever they are.

"IT professionals have invented everything that lets people work from wherever, [so] no one in IT should be enslaved to a particular place," Lingle adds.

9. Use your gadgets wisely.

Consider this statement: "Devices like BlackBerry chain you to work more than they liberate you." In the Digital Life America survey released in February 2007 by Solutions Research Group, one-third of respondents agreed with that statement -- and they were themselves all users of BlackBerries, Palm Treos and other smart phones.

It doesn't have to be that way -- if you're willing to put your foot down about how much of your attention such devices can demand.

When Steve Davidek, a systems administrator for the city of Sparks, Nev., got a BlackBerry about a year ago, he quickly found himself dealing with e-mails at all sorts of times and places. He reassessed his situation and decided to stop checking e-mails during off-hours. Instead, colleagues know to reach him via phone to relay news of problems that truly needed his immediate attention. "I need a cell phone; I don't need a leash," he explains.

10. Maintain perspective.

It's easy to feel your life is out of whack when a looming deadline or major systems failure has everyone in overdrive. Before you panic or throw in the towel and quit, take a deep breath, the experts advise.

"You're going to have blips; that's just life," Briefcase Moms' Martin says.

Martin suggests that instead of focusing on how tough you have it at any particular moment -- or, worse yet, making decisions based on short-term problems -- you should take a long-term perspective and consider how you're working to achieve your work and life goals.

She remembers coaching one working mother who had worked hard to develop highly specialized skills that were in high demand and yet "felt like she was chasing her tail all the time and felt her only solution was to find a different job."

When Martin asked her client to consider what she liked about her career and what she wanted from her job and personal life, the woman realized she liked her work; she just didn't like the hours. In the end, rather than walking away from a job she liked, the woman negotiated a four-day workweek that allowed her the extra time at home that she wanted.

"Sometimes this is difficult," Martin says, "but work/life balance is about being clear about what your boundaries are and then communicating them."

Google calls for global online privacy standard

2007-09-15T14:32:00.000+03:00

Search giant Google Inc. will propose on Friday that governments and technology companies create a transnational privacy policy to address growing concerns over how personal data is handled across the Internet.

Google's global privacy counsel, Peter Fleischer, will make the proposal at a United Nations Educational, Scientific and Cultural Organization meeting in Strasbourg, France, dealing with the intersection of technology with human rights and ethics.

Fleischer's 30-minute presentation will advocate that regulators, international organizations and private companies increase dialog on privacy issues with a goal to create a unified standard.

Google envisions the policy to be a product of self-regulation by companies, improved laws and possible new ones, according to a Google spokesman based in London.

"We don’t want to be prescriptive about who does that and what those standards are because it should be a collaborative effort," the spokesman said.

Other organizations have already made progress on privacy standards, he said. For example, Asia-Pacific Economic Cooperation (APEC) created a nine-point Privacy Framework designed to aid countries without existing policies.

However, the framework has been criticized for vagueness and only been partially implemented by APEC members, said David Bradshaw, principal analyst at Ovum PLC.

E.U. privacy regulations are already more stringent than the APEC's recommendations, which highlights the difficulty in creating a global standard that meets existing regulatory requirements in various geographic areas, he said.

"From Google's viewpoint, they can't expect the E.U. and those nations that have higher privacy standards to level down to the APEC standards," Bradshaw said.

Google's increasing power in search, Internet commerce and software services has place its privacy policies under scrutiny.

In June, Google Inc. said it would delete the data it stores about end users anonymous in its server logs after 18 months, part of an effort to deflate concerns about privacy raised by a European Union (E.U.) working group composed of data protection officials from 27 countries.

Google took a further battering after it acquired DoubleClick Inc., an online advertising company that uses technology to track user trends in order to serve them targeted ads. The technology, also used by many other Internet advertising companies, has raised privacy concerns.

A European consumer group, Bureau Européen des Unions de Consommateurs asked the European Commission in July as well as other authorities to investigate how the DoubleClick deal would impact consumers.

The focus on privacy by governments and individual Internet users has resulted in localized legislation, causing a fragmentation in privacy regulations, Google's spokesman said.

That can make it difficult for e-commerce businesses, as an increasing amount of data is routinely crossing international borders through credit card transactions, he said.

"We really hope that this sparks a sustained, thoughtful creative debate, he said.

Update: SCO files for Chapter 11 bankruptcy protection

2007-09-15T14:29:00.000+03:00

The SCO Group Inc. today filed for Chapter 11 bankruptcy protection, just a month after losing several key court rulings in its legal fight against Novell Inc., IBM and others over what it asserts is the company's Unix intellectual property.

In an announcement today, Lindon, Utah-based SCO said it filed a voluntary petition for reorganization, as well as for its subsidiary, SCO Operations Inc.

"The board of directors of The SCO Group have unanimously determined that Chapter 11 reorganization is in the best long-term interest of SCO and its subsidiaries, as well as its customers, shareholders and employees," the company said in a terse press release late today.

The company said its normal business operations will continue throughout the bankruptcy proceedings.

"We want to assure our customers and partners that they can continue to rely on SCO products, support and services for their business critical operations," Darl McBride, the company's CEO and president, said in a statement. "Chapter 11 reorganization provides the company with an opportunity to protect its assets during this time while focusing on building our future plans."

On Monday, SCO is expected to be in court in a trial that will determine how much money SCO might have to pay to Novell for Unix licensing revenues collected by SCO over the last several years.

Dan Kusnetzky, an analyst at the Kusnetzky Group in Osprey, Fla., said the bankruptcy filing by the company was not unexpected.

"It seemed to be a very odd strategy to go -- and before they even had established a court precedent -- to attack IBM with litigation and go after Novell and go after customers," he said. "I don't believe that at any point that they made it clear what they thought the [Unix code] infringement was."

Kusnetzky called the bankruptcy filing "an interesting move when they are facing a court battle where almost every single one of their [legal] pillars has been pulled out."

Kusnetzky said SCO "believed that IBM would pay them a lot of money to shut up" after SCO sued IBM in March 2003 in what became a $5 billion lawsuit alleging that IBM had illegally contributed some of SCO's Unix code to the Linux open-source project. "Instead, they got an IBM that wanted to fight them.

"I didn't think they could win and I think this is evidence that that's true," he said.

Al Gillen, an analyst at IDC in Framingham, Mass., said the move today was not a shock because of the steady decline in SCO's financial performance since it began its legal battles four years ago.

"SCO had a tough problem on their hands -- even if you date back six years ago -- about what they were going to do with Linux," which was invading parts of its Unix customer base, Gillen said. By filing lawsuits against IBM and Novell, SCO "risked alienating customers and partners. I'm not sure if that's why they're in Chapter 11 now, but it couldn't have helped."

Rival Sun Microsystems Inc. has faced similar market challenges in recent years, but took a different way to adjust, Gillen said, including moving key products like Sun Solaris to open source. "What's clear is that going after this from a litigation approach [as SCO did] wasn't going to work for Sun."

SCO will now have to see how the bankruptcy filing affects its recent mobile software initiatives, Gillen said. "From a bigger picture, some of their mobile applications are looking interesting, if they can stay alive to market it."

SCO and Novell have been fighting over who legally owns the rights to Unix and UnixWare since 2003. That's when SCO sued IBM in what became a $5 billion lawsuit, alleging that IBM illegally contributed some of SCO's Unix code to the then-fledgling Linux open-source project. SCO sued Novell directly in 2004; Novell filed counterclaims that disputed SCO's case.

Last month, U.S. District Court Judge Dale A. Kimball in Salt Lake City undercut much of SCO's case in a ruling that declared Novell the owner of the Unix and UnixWare copyrights. As a result, a bench trial that begins Monday will determine how much money SCO might now have to pay Novell for Unix licensing revenue it received from Sun Microsystems and Microsoft Corp.

Earlier this month, in an interview with Computerworld, SCO CEO Darl McBride said his company will continue to fight its legal case, despite recent setbacks.

The battle between SCO and IBM is not expected to start until next year and is expected to be affected by the results of the SCO-Novell fight.

Microsoft downplays stealth update concerns

2007-09-14T15:56:00.000+03:00

Microsoft Corp. today essentially called the concerns over undercover updates to Windows XP and Windows Vista a tempest in a teapot, saying that silent modifications to the Windows Update (WU) software have been a longtime practice and are needed to keep users patched.

"Windows Update is a service that primarily delivers updates to Windows," said Nate Clinton, program manager in the WU group on the team's blog today. "To ensure ongoing service reliability and operation, we must also update and enhance the Windows Update service itself, including its client-side software."

Microsoft was moved to respond after the popular "Windows Secrets" newsletter looked into complaints that WU had modified numerous files in both XP and Vista, even though users had set the operating system to not install updates without their permission. In many cases, users who dug into Windows' event logs found that the updates had been done in the middle of the night.

Windows gives users some flexibility in how their PCs retrieve and install updates and patches from the company's servers. In Vista, for example, users can turn off Automatic Updates entirely; allow the operating system to check for, but neither download or install, any fixes; or allow it to download files but not install them.

Clinton tackled the stealth install issue in some detail. "One question we have been asked is why do we update the client code for Windows Update automatically if the customer did not opt into automatically installing updates without further notice? The answer is simple: Any user who chooses to use Windows Update either expected updates to be installed or to at least be notified that updates were available."

Failing to do so, he argued, would have ultimately run counter to what a user wants and needs. "Had we failed to update the service automatically, users would not have been able to successfully check for updates and, in turn, users would not have had updates installed automatically or received expected notifications." The result, he said, would be to leave users at risk to attack via vulnerabilities Microsoft has patched. "That would lead users to believe that they were secure, even though there was no installation and/or notification of upgrades."

In fact, the practice has been going on for some time, Clinton claimed. "The Windows Update client is configured to automatically check for updates anytime a system uses the WU service, independent of the selected settings for handling updates. This has been the case since we introduced the Automatic Update feature in Windows XP. In fact, WU has autoupdated itself many times in the past," he said.

That would be news to the majority of people who filled several threads on Microsoft's own support newsgroups starting in late August. "I found this information by myself, checking the Windows directories," griped someone identified as Frank. "But the point is that I didn't allow the update (Automatic Update properties on 'notify') and there is no information about this update on Microsoft [Web pages]. Why [didn't] Microsoft publish any information about this update?"

Clinton also disputed user accounts of stealth updates to WU even when they had completely disabled the automatic update feature in the operating system. "WU does not automatically update itself when Automatic Updates is turned off, this only happens when the customer is using WU to automatically install upgrades or to be notified of updates," said Clinton.

He did issue a mea culpa -- of sorts. Although he stopped short of apologizing for the lack of information, he said Microsoft is considering changes. "[This] is not to suggest that we were as transparent as we could have been," he admitted. "To the contrary, people have told us that we should have been clearer on how Windows Update behaves when it updates itself. We are now looking at the best way to clarify WU's behavior to customers so that they can more clearly understand how WU works."

That's crucial for both end users and companies, said Andrew Storms, director of security operations at nCircle Network Security Inc., a security and compliance vendor. "The question is, why haven't users been more clearly educated that this is the way [WU] updates work?" Storms asked. "I'm glad to see software updated, but the better tack would have been to fully explain this.

"Frankly, this surprises me a bit. Microsoft's making an effort to provide us with more information, especially in the last year."

Microsoft didn't completely address one question Storms had, however: In corporations, where system integrity is not only demanded, but often crucial, how is Microsoft handling these kinds of updates to the WU client files on machines patched through Windows Server Update Services (WSUS), the server-side update manager?

Microsoft's Clinton mentioned WSUS in passing. "[For] enterprise customers who use WSUS or Systems Management Server, [the now-obsolete predecessor to WSUS], all updating, including the WU client, is controlled by the network administrator, who has authority over the download and install experience."

Microsoft's own technical documentation is unclear as to exactly what control administrators have over Automatic Updates. In a page headlined "Automatic Updates client self-update feature," WSUS administrators are told much the same as consumers, in some of the same language Clinton used in his blog. "Each time Automatic Updates checks the public Web site or internal server for updates, it also checks for updates to itself. This means that most versions of Automatic Updates can be pointed to the public Windows Update site, and they will automatically self-update," the document reads.

That's exactly how the process works for users not connecting to a WSUS-equipped server.

Even the alternative -- "You can also use the WSUS server to self-update the client software," the document said -- doesn't spell out what oversight administrators have over the modifications. In fact, this approach relies on the Internet Information Services (IIS) component of Windows Server to ping the same public servers Microsoft uses to push WU updates to anyone not using WSUS.

IIS, according to another support document, feeds the updates to a virtual directory named "Selfupdate" under the Web site running on port 80 of the WSUS server. Dubbed the SelfUpdate Tree, this folder contains the WSUS-compatible Automatic Updates software, said Microsoft.

The company did not provide more information on how, or whether, silent updates are processed by WSUS.

"This could be a very big deal to enterprises," said Storms, depending on exactly what happens in a WSUS environment. "You just don't want unknown files installed or changed."

And it's the not-knowing that bothers him. "What's really interesting here is that we don't know, do we?" said Storms. "We're looking for a more holistic view of what WU does. And Microsoft hasn't given it to us."

Help wanted: IT workers with server virtualization skills

2007-09-14T15:50:00.000+03:00

SAN FRANCISCO – As more organizations adopt server virtualization software, they're also looking to hire people who have worked with the technology in live applications. But that experience is hard to find, as Joel Sweatte, director of IT at East Carolina University's College of Technology and Computer Science, recently discovered when he advertised for an IT systems engineer.

Sweatte received about 40 applications for the job at the Greenville, N.C.-based college, but few of the applicants had any virtualization experience, and he ended up hiring someone with none. "I'm fishing in an empty ocean," Sweatte said.

To give the new employee a crash course in virtualization, Sweatte brought him to market leader VMware Inc.'s annual user conference here this week. "That's a major expenditure for a university," Sweatte said of the conference and travel costs. "[But] I wanted him to take a drink from the fire hose."

Sweatte isn't the only one who has had trouble finding IT workers with virtualization skills. VMware said VMworld 2007, which ends today, drew more than 10,000 attendees -- up from about 7,000 at last year's event. But in interviews at the conference, it was common to find attendees who were new to virtualization and largely self-taught on the technology.

For instance, Jeff Perry, IT manager at HealthBridge, a not-for-profit organization in Cincinnati that electronically connects area hospitals and other medical facilities so doctors can exchange patient data, began deploying virtualization software six months ago. He came to VMworld to pick up some more technical skills and said he plans to spend a lot of time teaching himself about virtual systems.

The conference was a good starting point for learning about the technology, Perry said, "but there is so much research that you have to do after this."

And there's no question in Perry's mind that virtualization has become a critical IT component. "Hardware right now is so underutilized," he said. "To carve out spaces for virtual machines is the wave of the future."

IT professionals can certainly train themselves to work with virtualization software, VMworld attendees said. But, they added, it helps to have a broad base of data center skills beforehand.

"In the old days, you really just needed to understand the server –- now you have to understand not just the server, but the command lines of the Linux operating system, networking, how switches work, storage and fiber connections," said Kirk Marty, a senior systems engineer at Minneapolis-based Jostens Inc., which makes class rings, yearbooks and other products.

Michael Youngers, a lead systems administrator for the storage and storage-area networking groups at Carter & Burgess Inc. in Fort Worth, Texas, said that when the engineering and consulting firm decided to adopt virtualization about six months ago to improve its disaster recovery capabilities, he taught himself how to use the software. "I stumbled into it," he said.

But after seeing how virtualization has led to server consolidation, the removal of old hardware and lower power and cooling costs at Carter & Burgess, Youngers is convinced that it's a need-to-know technology for IT workers. "You are going to have to get on board," he said.

Peter Marx, chief IT architect at Knorr-Bremse Gmbh, a Munich-based manufacturer of truck and railroad components, has been involved in x86 server virtualization for several years, making his company a relatively longtime user. When Knorr-Bremse started out with the technology, Marx couldn't hire anyone with virtualization skills. Such people "simply weren't available then," he said.

Workers at the company attended some training programs, Marx said. But mostly, "they simply did it," he added. "It's more of a German-type approach."

Macs on the network: Time to panic?

2007-09-14T15:46:00.000+03:00

They're coming. Gleaming all-in-ones, metallic slimline notebooks and hand-size "mini" machines.

For network admins, the Macintosh has always been the purview of advertising agencies, entertainment companies, educators and home computer users. Mac OS X is merely a minor support issue in a Microsoft-dominated organization.

Yet as the consumer market begins to meld with the corporate world even more, and employees expect to use their preferred gadget (and operating system) for work and home life, the Mac could make inroads at large corporations.

The facts reveal a coming resurgence. Apple sold 36% more Macs in the second quarter than the same quarter last year. The company has sold more than 1 million iPhones and 110 million iPods to date. There also just seems to be "something in the air" -- or at least the blogosphere -- suggesting a Mac resurgence. Blogs such as Engadget.com post about Apple constantly, and even IT analyst firms that have usually downplayed the Mac as "niche" are talking about the platform in the corporate world again.

"We expect that much of today's IT infrastructure is going to be turned upside down by the invasion of consumer technologies," said Andrew Jaquith, an analyst at Yankee Group Research Inc. in Boston. "Consumerization is going to make IT's job harder, and platforms like the Mac are going to become increasingly common, in many cases in spite of the wishes of management."

Minimal changes or maximum stress?

For the most part, connecting a Mac to a corporate LAN doesn't have a world-shattering effect on performance or support. According to William Green, director of networking at the University of Texas in Austin, the Mac has had a minimal impact on the school's infrastructure.
"All OSs behave differently; if you have a multivendor environment, you have to deal with the differences," said Green. "There have not been any special problems related to Macs."

Green did mention a few bugaboos, however, among his generally positive comments about the Mac. He said his group has seen more support issues related to the Cisco VPN for Mac than the version for Windows XP, although they have fewer support calls for the native VPN client for OS X.

"There have been problems with OS patches affecting wireless connectivity for a small portion of Mac laptops in the past -- specifically related to 802.1X," he said. "Those appear to have been corrected. We have found the Mac OS X client much easier for users to configure for wireless and 802.1X. It has been a benefit not having to deal with all the third-party drivers that come from the PC/XP world since this has caused a lot of problems for XP users during our 802.1X wireless rollout."

Yankee's Jaquith mentioned another pitfall. Admins have found they can turn on the outbound firewall in Windows XP SP2 for each network adapter independently through the GUI. With OS X, however, admins have to use a command-line parameter in the OS X IPFW tool to enable the feature, turn on logging and enable stealth mode so the Mac doesn't reply to network pings.

Computer consultant Bryan Bowers at Bowers Technologies Inc. in Rancho Santa Margarita, Calif., said his clients have had problems with strong network security working with the Mac, likely related to signed server message block connections. Jaquith downplayed this glitch, noting that most corporations probably don't have server security protocols set so high that the Mac operating system would have trouble accessing shares.

Bowers also mentioned his clients have trouble connecting to network printers from a Mac, and that e-mail server configuration can sometimes prove problematic, because the servers must be reconfigured to support Internet Message Access Protocol and Post Office Protocol 3 for inbound mail and Simple Mail Transport Protocol for outbound traffic.

The fact that Microsoft hasn't updated its Entourage client for the Mac in several years suggests that its OS X support is waning, although a new Office 2008 version for the Mac with a new e-mail client is due in January.

Jaquith mentioned that network backup support for the Mac platform could pose a problem for admins, because corporate backup tools often don't support the platform. "Some admins use a Unix command called 'rsync' to back up Mac hard drives on a scheduled basis," he said. "There are also some Mac-specific tools, like EMC's Retrospect, that I've heard work well."

For remote management, the Mac provides the Remote Management tool that works in the OS X GUI and allows admins to run AppleScripts remotely to change client settings.

Will the Macs invade?

Even with OS X-specific support tools, good compatibility with the network layers in a company and a wide range of desktop applications, the one "gorilla in the room" for widespread Mac adoption in bigger companies is the fact that many customized corporate applications won't work on the Mac.

Some companies get around this conundrum by using virtualization software from SWsoft Parallels or VMware Fusion, or by loading Apple Boot Camp on Mac computers so that end users can boot into OS X or Windows.

Jaquith also noted that companies are hesitant to introduce the Mac because they want to focus on as few operating systems as possible and, he said, "favor a monoculture in which all machines are the same." Most corporations are continually looking for ways to manage their infrastructure more consistently and measure network performance, and the Mac (and, for that matter, Linux) just introduces another variable. Many companies also prefer the "old familiar technology" that Windows XP provides.

Another common argument against the Mac is that Apple is the only hardware vendor, although many companies choose one primary hardware vendor, such as HP or Dell, to gain consistency in the environment.

Apple itself seems uncomfortable with the corporate world and doesn't actively advertise to the corporate market, suggesting the company is happy continuing life as a consumer darling and has no plans to compete with Microsoft.

If Jaquith and others are right, it's the consumer who will bring the platform into the corporate world and, it seems, force network managers to support the operating system.

8 'hidden gems' in data protection software

2007-09-13T15:17:00.000+03:00

Every storage administrator has an application or utility that stands out from the crowd as being unusually useful, easy to use or just plain effective in helping them do his job. These tools may or may not be cutting-edge, and they may or may not be backed by big advertising budgets or established vendors. What distinguishes them is that real users are finding them useful in their everyday lives.

Here, based on a totally unscientific survey of storage administrators, industry analysts and users at small and midsize businesses, are some "hidden gems" in storage and storage-related software.

Web-based backup and recovery: One of the better-known services is Carbonite Inc., which charges $49.95 for a 12-month subscription for one system. David Hill, a principal at Mesabi Group, a Minneapolis-based IT consultancy, says enterprises might also "find this a good way to protect multiple devices." He says that installation was simple, "and I don't have to do a thing, as it works in the background." Carbonite is available for both Windows and Macintosh clients.

Berkeley Data Systems Inc. offers similar capabilities through its MozyHome and MozyPro services. MozyHome costs $4.95 per month for unlimited backup, while MozyPro costs $3.95 per system per month, plus 50 cents per gigabyte of storage per month, and includes features such as 128-bit Secure Sockets Layer encryption and near-continuous data protection. MozyHome supports Windows 2000, XP and Vista, and Mac OS X 10.4. MozyPro supports Windows 2000, 2003, XP and Vista.

Local backup and recovery: When Jeff Pieper, the president of Pieper and Associates Inc., a Torrance, Calif.-based marketing design firm, began looking for a backup and recovery application, he wanted a program that he could set and forget. "I also wanted something that made it easy to get the info if and when I needed it," he says, adding that SmartSync Pro fit the bill perfectly. "All I had to do was set it up once -- five or six clicks -- and I was off to the races," Pieper says. "It was cheap, easy and seems to work consistently."

Hill recommends $39.99 DriveClone from FarStone Technology Inc. as another good option for backing up laptops and desktops locally (such as to an external hard drive) rather than over the Internet.

Protection against data corruption and deletion: Anyone who has ever upgraded a piece of hardware or installed a software patch knows how easy it is to corrupt a database or turn a perfectly functioning system unusable.

There are hundreds, if not thousands, of system-rollback utilities on the market, including some within popular operating systems such as Windows XP and Vista. But Hill recommends $69 RollBack RX from Horizon DataSys Inc. It runs on any Windows client up to Windows Vista. The company claims that the application can "restore a completely crashed system to any snapshot in seconds" and supports multiboot systems and VMware.

On a more personal note, Hill says he recently used Rollback RX "to restore from Outlook's blowing away my PST file."

Disaster Recovery: Have you ever tested your data recovery setup to see if it really can recover all your data? Neither had I, and I paid for it big-time recently when a hard-drive upgrade went south. Hill calls RecoverGuard from Continuity Software Corp. "a very important product" that storage and system administrators should consider.

RecoverGuard costs $2,000 per protected server. It continuously scans a customer's storage, server, database and replication infrastructure and compares what it finds to a knowledge base of hundreds of potential risks and vulnerabilities, such as unprotected databases or replication configurations that aren't compliant with the target protection goal. Once a risk is detected, a ticket is opened in the system, and the operator is alerted to take immediate action and remediate the risk. RecoverGuard supports a variety of server operating systems, including Windows Server 2000 and 2003, Sun Solaris 9 and 10, and Red Hat Linux Versions 3 and 4. Supported storage environments include EMC Corp.'s Symmetrix and DMX Series, EMC's Clariion and Network Appliance Inc.'s OnTap 7 operating system.

Continuous Data Protection (CDP) for Exchange: Today's users can't stand to be without functioning e-mail for more than a few minutes. Neither can the corporate counsel or (even worse) an outside regulator looking for e-mail evidence of possible wrongdoing by your CEO. If you need CDP for your Microsoft Exchange Messaging servers, Hill recommends DigiVault from Lucid8, which the company says continuously backs up changes to e-mail, scheduling, contacts and other Exchange-related data as they occur.

Among other features, the company says, are compression, which reduces the volume of data which must be transferred and stored by as much as 80%, and the ability to protect data both in motion and at rest with 256-bit encryption. DigiVault starts at $695 for a one-time license to protect 25 mail boxes, with a mandatory support license of $139 per year .

CDP for BlackBerry e-mail: Mobile users also want e-mail access wherever and whenever they need it. For organizations that send e-mail to remote users through Research In Motion Ltd.'s BlackBerry Enterprise Server (BES), Charles King, a principal analyst at Pund-IT Inc., recommends Neverfail for RIM BlackBerry. IT costs about $20,000 for a 500-user environment, and King says that it's the only product he knows of "that offers both robust backup and quick recovery for Blackberry networks/devices." Neverfail for BES, he says, "is designed to support the end-to-end BlackBerry delivery platform including BES, e-mail, related files and applications, and Internet connectivity."

The product requires Microsoft Windows client and server operating systems, Microsoft SQL Server 2000 Standard or Enterprise and BlackBerry Enterprise Server Version 3.6.

File synchronization in Unix environments: IDC analyst Laura Dubois recommends rsync, a free Unix program that synchronizes files and directories from one location to another while minimizing data transfer using delta encoding (that is, copying only changes) when appropriate. Besides being easy to set up, she says, it "offers compression on the fly, further saving you file-transfer time and reducing the load on the network." Wayne Davison, who maintains the utility, points out, "This program comes installed on most modern Linux/BSD/MacOS/etc. systems, so chances are you may already have it."

Backup tracking and analysis: When you're running a very large, very complex backup environment, how do you track the health and performance of each component and make sure every critical backup gets done? For Emilio Griman, vice president of operations at managed storage service provider Arsenal Digital Solutions Worldwide Inc., the answer was to purchase WysDM for Backup from WysDM Software Inc. Griman praises WysDM for Backup's ease of use, the detail it provides in its reports and the fact it works with most popular backup applications, including HP DataProtector, IBM Tivoli Storage Manager, EMC/Legato's NetWorker, NetApp's SnapVault and Veritas BackupExec. WysDM for Backup also supports Sun Solaris, Microsoft Windows and Red Hat Enterprise Linux operating systems.

"We run close to 100,000 backup jobs per month," Griman says, and WysDM alerts him whenever a scheduled job fails to run. Its analytic engine also helps him find and eliminate performance bottlenecks and address capacity planning. Pricing begins at $15,000 for a 50-client environment.

2007-09-11T18:49:00.000+03:00

As managing director of shipment data capture at FedEx, Martha Carr had plenty of challenges and ample professional fulfillment. But she wanted new perspectives, more exposure and bigger opportunities. “I felt like I needed an external U.S. experience,” Carr says.

Although international positions don’t come up often, Carr’s bosses gave her the experience she was looking for: They let her temporarily swap jobs with Roger Van Beeck, FedEx Express Corp.’s Brussels-based director of application and architecture for Europe and Africa. “It was the best learning experience I had,” Carr says.

She was able to get it because Memphis-based parent company FedEx Corp. has a formal program for rotating IT managers. The goal is to give workers the experience and visibility they need to advance their careers, says Sherry Aaholm, executive vice president of FedEx Services, which houses most of FedEx’s IT organization. “We want people to know that having broader exposure is what makes you valuable,” she says.
But the rotation program benefits the company as well as the individual participants Aaholm says. Rotations have helped to knock down silos in IT, spread best practices throughout the organization and create opportunities for subordinates to step up.

Employee rotations came out of IT’s “6x6” transformation initiative, which is aimed at making the department more agile, fluid and responsive to business needs. (The name comes from FedEx’s IT governance program, which established six initiatives to be completed by 2006.) Aaholm says that because she and CIO Rob Carter came from outside of FedEx and had moved through different areas of IT, they understood the importance of being exposed to different technologies, disciplines and divisions. They wanted FedEx employees to have the same opportunities to grow professionally.

So FedEx set up a program that allows IT managers at some point in their careers to take a six-month rotation, essentially swapping jobs with someone else. Some swap positions through an international program; others swap domestic positions, and some high-potential workers participate in the yearlong leadership-building Purple Pipeline Program, which includes a six-month job swap.
And now managers are looking at extending the program down the chain so that lower-tiered workers among the 7,000 IT staffers can also take part, Aaholm says.

FedEx doesn’t know exactly what it costs to rotate its employees, but it calculates the total annual cost of its Purple Pipeline Program, in which 16 workers participate each year, at less than $15,000.

As for an exact return on investment, Aaholm says, “there are a lot of intangibles that we’re not out there measuring.”

But she says that the payback is clear. “It’s extremely difficult if you stay in one siloed area to get the perspective [you need] for FedEx,” she explains. “That is by far the greatest value of rotating employees: having them get that broad business knowledge.”

New Perspectives
Mary Gonzales’ experience is a case in point. She has no doubt that her rotation has produced unmeasurable returns.

As manager of tech services for customer field support in Los Angeles, Gonzales oversees an eight-member team that works with business customers, helping them integrate FedEx applications. She switched jobs with Philip Rencher, who oversees a team of 10 as the Memphis-based manager of corporate headquarters systems. Gonzales says stepping into her new role in January “was a 180 from my whole experience out in the field.”

In California, she says, “I work with customers and I have customer issues coming at me. [In Memphis], I had to step back and take a systematic approach to my day. There was a process, and I had to learn to work within that.”

Gonzales says her role forced her to learn more about systems development. She also had to learn how to navigate a new political landscape — understanding which managers and teams had what knowledge and responsibilities. Her rotation, which ended in June, has changed how she manages. “Now, instead of rushing forward, I take a step back and evaluate the situation. I get a clearer picture of the entire process,” she says.

As for working in the corporate headquarters hierarchy, Gonzales says she has learned from that, too. “It really taught me to have a strong network, to know where to go,” she says. “In the field, you’re kind of in a silo, but having a broad network allows you to break down those silos and go to the right person to resolve any issue that comes up.”

Rencher, who had worked in a back office for his entire career, likewise had to stretch his skills. “One thing that was different: In Memphis, my team sits right outside my door.
I walk to their desks, I ask questions, I have meetings in the pod. In L.A., I was thrown into the field. The team works from home, and I had to learn to manage in a new environment,” he says.

For example, managing by e-mail and phone was new to Rencher. “It gave me a different experience and prepared me for the future, where I might have remote staff,” he says.

International Lessons
Carr and Van Beeck also pushed their skills into new territories when they swapped jobs last year. Carr, who had a staff of 45, was responsible for capturing shipment documents worldwide. About 70 people in six countries reported to Van Beeck, who oversaw about 70 more in India. His work focused on application management for clearance operations, sales and marketing, human resources, finance/billing, supply chain services and transportation management.

Through the rotation, Carr says she gained a greater understanding of working in a regional office, where evening conference calls to accommodate U.S. work hours were the norm. She says she also saw “how difficult Roger’s job is in clearance; almost every country over there has a different [customs] clearance, and he has to pull that together in one system.”

Carr also had to improve her communication skills and adapt to cultural differences, even though English is the primary language in the Brussels office. “I’m used to the U.S. culture, where people give you pretty frank feedback. But in Europe, most people didn’t give you frank feedback,” she says, explaining that she learned to ask specific questions to get the information she needed.

Such lessons helped Carr. She is now vice president of Latin America, Caribbean and FedEx Express IT solutions.

Selling the Benefits
Aaholm says no projects have gone down the tubes because of FedEx’s rotation program, but that’s not to suggest that these swaps are effortless.

She says that IT has had to work hard to win over some business partners who were concerned about having to build new relationships with rotated IT workers after they had established trust with their existing IT contacts.

And despite the successes to date, Aaholm says some managers are still concerned that their projects will slip if they rotate a key employee, so she has to “challenge” them to enable the rotations.
Aaholm says that when she pushed for employee rotations, she saw the program not only as a way to strengthen the skills of the participants, but also as a way to bring best practices, insights and fresh perspectives from one division to another.

And despite the challenges, workers are realizing that vision.

When Beth Galetti, an IT director based in Colorado Springs, was planning for her rotation two years ago, she was overseeing a team implementing a new system to handle some of FedEx’s clearance business processes. The system worked technically, but it wasn’t meeting all of the business unit’s needs. Enter Terry Pavey, director of IT at FedEx Express in Canada. When he and Galetti traded jobs, he could see what Galetti couldn’t — that her team was struggling with the project because it didn’t have clearly defined requirements and strong buy-in from the business unit.

Galetti says that when she heard Pavey’s assessment, “it was really one of those ‘aha’ moments.” As a result, in consultation with Galetti, Pavey decided to get the IT team and the business partners together, air their differences and develop a plan to solve the problems bedeviling the project.

Pavey says Galetti’s perspective had an effect on both him and his team. “One of my managers here in Canada who has been a manager for some time is a talented person, but [Galetti] found that this person was excelling in ways I didn’t see,” Pavey says. As a result, Pavey later decided to groom that individual as his successor.

Others agree that teams working for rotating managers can find new opportunities as a result of the program.

Walt Abercrombie, vice president of IT at FedEx Express Operations, was Carr’s boss at the time of her rotation. He discussed the six-month swap with Carr’s direct reports, explaining that her absence would give them a chance to demonstrate their leadership abilities.

“They got to walk a little more in the shoes of their boss. They attended meetings and interacted with senior management, increasing their visibility and giving them critical skills to make the next career move,” Abercrombie says. “From my standpoint, it really helped strengthen the bench.”