Daniel Osburn

Verizon turns up the hype for Friday Droid launch

2010-02-20T01:05:00.001-08:00

Verizon Wireless will open many of its 2,000 retail stores early on Friday for first day sales of the Droid smartphone, adding to the marketing hype already begun for the Android 2.0 device from Motorola Inc. The QWERTY keyboard slider device sells for $200 after a rebate and a new two-year contract. Some stores will open at 7 a.m. and others at 8 a.m. A list of stores is available on Verizon's Web site although the site doesn't say which will open earlier and advises calling the store in advance to be sure.

Also, with Droid sales, Verizon is coordinating an unusual Times Square event in New York City this month to allow nearby voice callers to control two large digital billboards there, with some of their voice search results for nearby restaurants and attractions displayed on Google Maps on those billboards. It's fair, then, to wonder whether first-day-of-sale hoopla and other creative (and expensive) advertising are becoming what's required to do well in the competitive smartphone world. Google Inc., Motorola and the Verizon, the nation's largest wireless carrier, started the Droid campaign with an unusual TV ad that belittled missing features, such as a physical keyboard and multitasking, in its chief rival, the iPhone. Or maybe this kind of campaign is what's required by carriers and manufacturers who dare to attempt to catch up with the iconic Apple iPhone, which has been on the market for more than two years and is in its third version. "No, you don't have to conduct this kind of Droid campaign to sell a new smartphone," said Ramon Llamas, an analyst at market research firm IDC today. "Look at BlackBerry, which has had some success for its devices without all the hype. It's uncertain whether the early TV ads and other hype will generate interest and crowds on Friday, or whether the Android operating system, with its open source allure might have drawn some crowds anyway. But I'd say if you want to plant a stake in the ground, you do this kind of [Droid] campaign." In a sense, Motorola has the most at stake with the Droid launch, since it has pinned so much of its smartphone future on the Android platform and a variety of new devices in coming months. "For Motorola, this is one of the ways they get back in the game," Llamas said.

Llamas said he expects some crowds for sales of the Droid on Friday. "The reaction has been very positive already," he said. "It's interesting to see how much hype they are generating. It might help that Apple has fewer stores than Verizon, but the iPhone is also on sale at AT&T stores, which are also plentiful. When they open the doors, I would bet you'll see lines from buyers and also people who are curious and close to the end of a contract and want a demonstration." While early hours and other gimmicks might steal a little from the slick methods of Apple Inc.'s marketers, Llamas said there's nothing wrong with "taking a page out of the playbook of somebody who's been successful." Apple has attracted hundreds, and even thousands of customers to its stores for launches of its three iPhones, although successive versions have resulted in fewer numbers. Still, even AT&T hasn't attracted the first-day crowds of Apple stores, where customers have said they feel they get more personal attention. One man stood overnight at the Toledo, Ohio, store to get the original Storm, with its touchscreen display. "We're prepared for crowds for Droid," Pica said in a telephone interview. "The buzz with Droid has been bigger than the first Storm." Pica said the "Droid Does Times Square" digital billboard event in Times Square will allow a passerby to call from any phone to a toll-free number, asking through voice commands for a nearby location, such as the nearest pizza shops. Verizon spokeman Tom Pica said he couldn't predict how big Verizon's crowds will be on Friday, but noted that when the BlackBerry Storm went on sale Nov. 21, 2008, there were lines in advance of the opening.

The results of that search will be displayed on Google Maps on the large Nasdaq and Reuters signs in Times Square several times a day for most of November with advertising for the Droid included. It's kind of fun in a recession to have that kind of hype. Llamas said the marketing for smartphones, including Droid, might almost seem "strange" but could be just the kind of fun that consumers respond to in a recessionary time. "Smartphone releases aren't just releases anymore," Llamas said. "They have become full-fledged events and I'd say a pretty good thing to have. It's like getting ready for a new Star Wars movie."

Wipro, other Indian outsourcers expand in the US

2010-02-14T16:00:00.001-08:00

Wipro, India's third largest outsourcer, is expanding its development center in Atlanta from 350 to 1,000 staff, reflecting a growing trend for Indian outsourcers to expand and hire locally in the U.S. market. India's largest outsourcer Tata Consultancy Services (TCS) said earlier this month that it was expanding its business alliance with The Dow Chemical Company, including setting up a services facility near the site of Dow's global headquarters in Midland, Michigan. The company said that 80 percent of its current 350 employees were hired locally, and includes recent graduates from reputable academic institutions in Atlanta, experienced professionals and retired army personnel. TCS also announced that it was expanding a software services delivery center in the Cincinnati suburb of Milford, Ohio.

Indian outsourcing companies are expanding both in India, and in the U.S., their key market, in anticipation of a pick up in business. Infosys BPO, the business process outsourcing subsidiary of outsourcer Infosys Technologies also said this month that it would acquire McCamish Systems, a BPO company in Atlanta focused on the insurance and financial services market. Employing staff in the U.S. is expected to go over well with the local community and politicians because of resentment in the U.S. about companies moving jobs to India and other countries, analysts said. Political considerations are evidently a factor for Indian outsourcers to expand in the U.S., said Siddharth Pai, a partner at outsourcing consultancy firm Technology Partners International (TPI) in Houston. U.S. Senators Bernie Sanders, an Independent from Vermont, and Chuck Grassley, an Iowa Republican, last week introduced legislation, called the Employ America Act that would prohibit firms that lay off 50 or more workers from hiring guest workers.

U.S. companies do not also want to be seen sending jobs abroad, he added. Certain types of work even in BPO, such as development of technology platforms for services delivery, and analytical work, require proximity to customers, he added. But there are also strong business considerations that require Indian companies to set up operations in the U.S., according to Pai. Indian outsourcers have to start looking like global players, Pai said. Japanese car makers, for example, manufacture all over the world, because some customers would like to buy locally produced goods, he added.

Microsoft patches 12 bugs, including IE8-only flaws

2010-02-09T06:04:00.001-08:00

Microsoft today patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company's newest browser, IE8. Of the 12 flaws fixed in Tuesday's six security updates, seven were rated "critical," the highest severity ranking in Microsoft 's four-step scoring system. It trumps the bunch." Richie Lai, the director of vulnerability research at security company Qualys, echoed Storms. "MS09-072 affects IE, which is a big attack surface," said Lai, "and the vulnerabilities are primed to be exploited by classic drive-by attacks." "Definitely take a look at that one," chimed in Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "Browser attacks are the most prevalent of all attacks." One of the five fixes included in the IE update addressed the zero-day vulnerability that Microsoft confirmed last month after sample attack code that exploited a flaw in IE's layout parser went public. Four of the remaining flaws were pegged as "important," one step lower on the scale, while the final vulnerability was labeled "moderate." Security researchers unanimously voted MS09-072 , the five-patch update for IE, as the one that demands immediate attention. "That's certainly the one to watch," said Andrew Storms, the director of security operations at nCircle Network Security. "You can't focus enough attention on the IE update.

Storms applauded Microsoft's speed in quashing the bug. "That was record time for Microsoft, to patch in just two weeks," he said, adding that it usually takes the company a month or more to ready a fix. "The holiday online shopping season had to increase the pressure to patch, but then again, it looks like Microsoft already knew about the bug," said Storms, referring to the credit that Microsoft gave to VeriSign iDefense for reporting the flaw. But the fact that two are IE8-only makes us wonder if Microsoft's Security Development Lifecycle is working." Security Development Lifecycle, or SDL, is the term Microsoft's given to a development process that stresses security testing as a piece of software is being written. "[The flaws] could be in new code or old code, but we don't know where they were brought into the process," Storms said. But the big news today, said Storms, Lai and Miller, was the fact that of the five IE vulnerabilities in MS09-072, three affect the newest edition of the browser, IE8. Two of those three affect IE8 only; Microsoft's other browsers were immune. "You can bet that engineers at Microsoft are as depressed about these bugs as much as we are," Storms said of the IE8 vulnerabilities. "The question is why they're there," Storms continued. "It would be easier to explain if both IE8 and IE7 were vulnerable, as is the case with one of the vulnerabilities. Even so, Storms, Lai and Miller all bet that the fault lay in new code Microsoft crafted for IE8. "I'd say it was in new features," said Lai. "Microsoft made a lot of HTML updates to IE8 to reach standards compliance, so I'm pretty sure the bugs are in the new code base." "New features means more code to be reviewed, and more likelihood of something slipping through," Storms noted. "Old code, you would expect has been reviewed more than once already." "Sometimes code is dropped [from a program] and new code is used instead," said Miller. "They're in the brand-new code and the new technologies in IE8." Attackers will likely come up with working exploits for the IE vulnerabilities patched today, Microsoft said, giving four of the five bugs an exploitability index rating of "1." That means reliable attack code will probably appear in the next 30 days. Lai's colleagues at Qualys didn't agree with Storms. " MS09-070 needs attention," said Amol Sarwate, the manager of Qualys' vulnerability research lab, pointing to the bulletin that patched two vulnerabilities in Microsoft's Active Directory, a critical component within enterprises. The remaining five security updates, which patched an additional seven vulnerabilities - just two of them considered critical - are also-rans in Storms' mind. "All the rest of them have some kind of mitigation," he said, ranging from a requirement to have authenticated access to a wireless-only attack vector.

Wolfgang Kandek, Qualys' chief technology officer, added MS09-073 to the list of apply-now updates. Although an exploit won't exactly be easy, [attackers] won't have trouble finding out how to do it." The bright spot on this Patch Tuesday was the immunity of Microsoft's newest operating system, Windows 7 , to any of today's updates, said the researchers. "Except for the IE8 bugs, there were none for Windows 7," said Miller. "So that's a good sign." But it's too early to call Windows 7 a resounding security success, Miller cautioned. "Remember, Vista was much the same when it came out," he said. The bulletin patches WordPad, the minimalist text editor included with all versions of Windows, and the text converters used by Microsoft's Office suite to parse Word 97 documents. "File format vulnerabilities tend to be downplayed," acknowledged Kandek, "but everyone has WordPad. Microsoft also released a pair of security advisories today that spelled out additional tactics for users and company administrators to further protect Windows against attacks already disclosed, or that have actually been used in the past. This month's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Oracle profits rise but sales fall in Q1

2010-02-03T21:00:00.001-08:00

Oracle's first-quarter net income rose by 4 percent year-over-year to US$1.1 billion, but revenue fell by 5 percent to $5.1 billion, the company said Wednesday. New software license sales fell 17 percent year-over-year to $1 billion, indicating that customers are still reluctant to make new software investments amid the ongoing recession. Earnings per share were $0.22. Excluding one-time charges, Oracle reported earnings per share of $0.30, partly meeting the expectations of analysts polled by Thomson Reuters, who had on average predicted earnings of $0.30 per share and $5.25 billion in revenue.

Oracle managed to increase profits even as revenue fell by "substantially improving" its operating margins, company President Safra Catz said in a statement. Associated expenses were just $226 million, meaning the profit margin for this part of Oracle's business was greater than 90 percent. Oracle's results were also bolstered by growth in revenue for software license updates and support, which jumped 6 percent to $3.1 billion. Oracle blamed the dip in new license sales partly on weak business at other software vendors. "They sold less of their applications, and so they drive less database with them," Catz said in a conference call. Oracle announced plans to acquire Sun earlier this year, but the acquisition is being held up by an antitrust review by European authorities.

The earnings report comes a day after Oracle announced a new Exadata data warehousing and OLTP (online transaction processing) appliance jointly developed with Sun Microsystems. Oracle executives offered no new details about the deal Wednesday, but said integration planning work is proceeding. The company is well-positioned to compete against IBM with its recently updated database and middleware products, he said. During the call, CEO Larry Ellison repeatedly targeted IBM, who Oracle will soon be battling in both software and hardware markets. Oracle shares were down $0.78 in after-hours trading to $21.35.

The scourge of complexity

2010-01-29T06:04:00.001-08:00

While the definition of cloud computing is at best a bit fuzzy, the goal of cloud computing is extremely clear. As will be explained in this newsletter, complexity is the enemy of cloud computing. 11 cloud computing companies to watch In a recent article, Geir Ramleth the CIO of Bechtel stated that he benchmarked his organization against some Internet-based companies. That goal is to make a significant improvement in the cost effective, elastic provisioning of IT services. According to that article, "Bechtel operates 230 applications, and it runs 3.5 versions per application.

When you look at Salesforce.com, not only are they running one application, but they are running one version and they are only running it in one location," Ramleth says. That means it maintains approximately 800 applications at any given time. We don't see how Bechtel or any other IT organization will be able to fundamentally reduce cost and become more agile if it continues to offer a highly complex set of services. If his organization wants to make a change to some component of the IT infrastructure that supports one of the 230 applications they operate, they have to devote additional time to quality assurance to test how the change impacts each version of the application. In the example that Ramleth gave, his organization will incur significant extra cost in part because it has to allocate resources to support on average 3.5 versions of each application. Bechtel is not the only IT organization that supports a complex environment.

We believe that any IT organization that is serious about cloud computing has to get serious about simplifying the services that it provides. Many IT organizations utilize multiple WAN providers, develop a lot of custom applications, perform extensive customization of third-party applications, and have multiple systems for functions such as enterprise resource planning or supply chain management. What do you think? Is any effort being made to simplify that environment? Do you work in a highly complex IT environment? Write to us and let us know.

If you have a few minutes to fill out the survey, it will help us to cut through the hype and understand what IT organizations are actually doing relative to cloud computing. Also, we are performing a survey to help identify the concrete steps that IT organizations are taking to implement cloud computing.

No space bombs, NASA takes ice hunt Earth-bound

2010-01-23T21:00:00.001-08:00

While NASA is crashing into the moon to look for ice, it's also looking for the frozen stuff here on Earth, only in a much more conventional way. The flights are part of what NASA calls Operation Ice Bridge, a six-year project that is the largest airborne survey ever made of ice at Earth's polar regions. The space agency said on Oct. 15 it will start a series of 17 flights to study changes to Antarctica's sea ice, glaciers and ice sheets. Network World Extra:10 NASA space technologies that may never see the cosmosTop 10 cool satellite projects Researchers will work from NASA's DC-8, an airborne laboratory equipped with laser mapping instruments, ice-penetrating radar and gravity instruments.

NASA said data collected from the flights will fill in data gaps between the agency's Ice, Cloud, and Land Elevation Satellite, known as ICESat, which has been in orbit since 2003, and NASA's ICESat-II, scheduled to launch no earlier than 2014. ICESat is nearing the end of its operational lifetime, making the Ice Bridge flights critical for ensuring a continuous record of observations, NASA stated. Data collected from the mission will help scientists better predict how changes to the massive Antarctic ice sheet will contribute to future sea level rise around the world, NASA stated. The payload on the DC-8 includes the Airborne Topographic Mapper, a laser altimeter that can produce elevation maps of the ice surface. The Laser Vegetation Imaging Sensor maps large areas of sea ice and glacier zones. Other instruments flying include the Multichannel Coherent Radar Depth Sounder which measures ice sheet thickness and the varied terrain below the ice. A gravimeter will give scientists their first opportunity to measure the shape of the ocean cavity beneath floating ice shelves in critical spots of Antarctica.

Because airborne observations lack the continent-wide coverage a satellite provides, mission planners have selected key targets to study that are most prone to change. A snow radar will measure the thickness of snow on top of sea ice and glaciers, NASA stated. Sea ice measurements will be collected from the Amundsen Sea, where local warming suggests the ice may be thinning. According to NASA, the Antarctic continent may be remote, but it plays a significant role in Earth's climate system. Ice sheet and glacier studies will be flown over the Antarctic Peninsula and West Antarctica, including Pine Island Glacier, an area scientists believe could undergo rapid changes. The expanse is home to glaciers and ice sheets that hold frozen about 90 percent of Earth's freshwater - a large potential contribution to sea level rise should all the ice melt.

Compared to the Arctic, where sea ice has long been on the decline, sea ice in Antarctica is growing in some coastal areas. How and where are Antarctica's ice sheets, glaciers, and sea ice changing? Snow and ice have been accumulating in some land regions in the east. West Antarctica and the Peninsula, however, have seen more dramatic warming and rapid ice loss, NASA stated.

22 stories underground: Iron Mountain's experimental Room 48

2010-01-18T11:03:00.001-08:00

Down a road that winds through the rolling hills of western Pennsylvania, just across from a cow pasture, the bucolic scenery of Butler County is interrupted by a high chain-link fence topped with razor wire. A short distance beyond the security point, the road disappears into a gaping hole in a cliff face. Cars entering the compound are channeled into gated lanes before being searched by a guard. The hole is sealed off by the thick, steel bars of a tall sliding gate controlled by guards carrying semiautomatic pistols.

Behind steel doors Among dozens of red steel doors inserted in the rock face along corridors that create an elaborate subterranean honeycomb, you'll find Room 48, an experiment in data center energy efficiency. They are protecting a 25-foot-high passage that leads 22 stories down to Iron Mountain's main archive facility, which takes up 145 acres of a 1,000-acre abandoned limestone mine. Open for just six months, the room is used by Iron Mountain to discover the best way to use geothermal conditions and engineering designs to establish the perfect environment for electronic documents. The HVAC system uses the cool water of an underground lake hundreds of acres in size. Room 48 is also being used to devise a geothermal-based environment that can be tapped to create efficient, low-cost data centers. (For information on more companies using geothermal conditions to improve data center efficiency, see "Riding the geothermal wave.") There is no raised floor in Room 48. Instead, networking wires are suspended above rows of server racks and cooled both by the limestone walls and vents attached to ceiling-mounted red spiral ducts 36 inches in diameter. Outside light is beamed into the main aisle of the room through a long ceiling tube to reduce heat.

Facts on molecular chemistry and mineral properties roll off 61-year-old Doughty's tongue. Rows of server racks are encased in rectangular metal containers that trap electrical heat and force it up through perforated ceiling tiles, allowing the 55-degree limestone roof to absorb heat that otherwise would build up in the 4,100-square-foot room. "Limestone can absorb 1.5 BTUs per square foot," Charles Doughty, the vice president of engineering at Iron Mountain, said during a recent tour of the facility by Computerworld. He has worked as a technologist and archivist in the tunnels of the one-time mine for 37 years, studying thermodynamics in an ever-evolving effort to create the perfect environment for storing paper and electronic records. The furniture and carpeted floors contrast sharply with a rough-hewn wall of prehistoric rock. An underground office Doughty's underground office is adorned with dark wood furniture that's upholstered in the type of rich leather befitting his executive status. The office sits just off a larger room filled with cubicles that also butt up against rock walls, which are painted white to better reflect light and suppress any limestone dust.

Like the other 2,700 workers here, Doughty traverses miles of roadways and tunnels in golf carts. The Underground, as the mine is called by employees, has its own cafe and a fire department with three engines. Iron Mountain employs just 155 people in The Underground, the rest work for companies renting space in the facility. He calls it "the best job in the world. An endurance kayaker who owns a working 30-acre farm and is training for an iron-man competition, Doughty is an idea man in a subterranean environment. I only get to create ideas.

And during a 100-million-year period, billions of tiny crustaceans died, their skeletons settling to the ocean floor, fossilizing and creating layer upon layer of limestone. Other people do the work to make it happen. " From mine to storage Four hundred million years ago, a teeming ocean covered this area. In 1902, U.S. Steel began blasting out that limestone for use in the production of metal for skyscrapers, railways and the rest of the nation's booming infrastructure. The company quickly saw a business opportunity in renting out mine space to other companies and to the U.S. government for vital-records archiving. By 1950, U.S. Steel ceased mining operations and began using the man-made caverns to protect its corporate records from the Cold War-era threat of atomic bombs. Thus was born in 1954 the National Storage Company.

There, in 1951, Herman Knaust opened the Iron Mountain Atomic Storage Corp. More than four decades later, in 1998, it was bought by Iron Mountain, which had itself started under similar circumstances in an iron ore mine in upstate New York. While the Iron Mountain facility in Pennsylvania may best be known as the home to the photographic collection of Bill Gates' Corbis Corp. venture, it also houses the records of countless corporations and highly sensitive government agencies in its array of tunnels. One of his latest ideas is to drill a shaft from the hillside down to the mine's lake and allow winter air to turn it into a slushy mix that can be used during summer months to dissipate heat in the mine's data centers. Doughty is focused on creating the most naturally efficient data center. Unlike other limestone mines which are normally covered in layers of porous sandstone, The Underground was blessed with a roof of shale, which acts as natural umbrella.

The subterranean lake is an anomaly created by groundwater that moves by osmosis into caverns at the low point of the mine where, at depths of four to eight feet, it spans hundreds of acres. Water is absorbed into the ground around the mine, instead of through its ceiling. For now, Iron Mountain uses the lake water in a motorized chiller tower from Krack Corp. to cool hot air coming from data center ducts. While there are four other data centers in the mine, the subterranean facility's dehumidified air and cooler temperatures were initially only seen as advantageous to storing paper, photos, film and microfiche, which under the right conditions could last 2,000 years, according to Doughty. But Doughty believes the 50-degree water could eventually be circulated to the data center and back to the lake to naturally expel heat, eliminating the need for any HVAC system. "We'd like to get to the point where we expend no energy for cooling," Doughty explained. The mine's natural environment wasn't used to disperse heat and reduce energy consumption in data centers - until Room 48 opened.

It creates its own wind through the use of alternating hot-air and cold-air server rack aisles. Room 48 Room 48 is starkly quiet compared to typical data centers. There's no need for fans in the room, since the high static air pressure differential between the aisles separating rows of server racks naturally causes cold air to drop and hot air to rise through the perforated ceiling tiles and vents that run parallel along air ducts. That move also freed up about 30% more space, Doughty said. Iron Mountain also removed power distribution units and cooling transformers - common in other data centers - from inside the data center and located them outside to further reduce heat.

By setting the room's return air temperature to 75 degrees, Iron Mountain cut energy consumption for cooling by between 10% and 15% compared with the company's traditional data centers. The natural cooling also allowed Iron Mountain to boost power in the room to 200 watts per square foot, more than 50% above the 125 watts per square foot used in the other data centers located in the mine. They operate between 70 and 72 degrees. Room 48 also cost about 30% less to build than they did because the design favored efficiency and cost reduction over specialty equipment. Iron Mountain also installed low-energy T8 fluorescent lamps enclosed in tubes to reduce convection, although most of the time the room is dark because lights are controlled by motion sensors in each aisle. For example, instead of buying expensive electrical equipment designed specifically for data centers, Iron Mountain went to the same electrical supply stores any electrician would frequent to purchase K-rated transformers or electrical load centers. "Anything you buy for a computer room is expensive," Doughty said.

While the mine's water isn't yet being used to directly cool server racks, Doughty said that will be incorporated into future design changes. And he expects that geographical positioning using locations where natural cooling or energy resources can be exploited for efficiency will be the future of new data center construction. He's convinced that all data centers will shift toward water-cooled racks. Riding the geothermal wave Iron Mountain is just one of several such experimental efforts under way using geothermal conditions to power or improve the cooling efficiency of data centers. The ACT operation has a 4,000-square-foot raised-floor data center cooled by a geothermal "bore field." The bore field consists of holes drilled into the earth and a closed-loop piping system filled with water or coolant that uses the cool underground conditions to exchange heat. In February 2008, American College Testing (ACT) in Iowa City, Iowa was the first data center in the U.S. to be awarded the Platinum certification in the Leadership in Energy and Environmental Design (LEED) program, a voluntary rating system for energy efficient buildings overseen by the U.S. Green Building Council.

ACT isn't alone; other companies approved for Platinum status include Citigroup data center in Germany and Advanced Data Centers in Sacramento. The technology, called Enhanced Geothermal Systems, replicates naturally occurring pockets of subterranean steam and hot water by fracturing hot rock and using the resulting steam to produce electricity. Google is hot on the technology as well and has invested more than $10 million in three companies developing geothermal energy systems. And in July, Microsoft opened a 700,000-square-foot data center in Northlake, Ill., that uses outside air as part of the cooling system. People who can leverage the geographic location or a subterranean location will achieve the greatest benefit." Interest in geothermal technology isn't surprising, said Doughty. "Energy costs are increasing exponentially so that the cost to operate the data center is becoming the greatest cost.

Hackers find a home in Amazon's EC2 cloud

2010-01-13T02:00:00.001-08:00

Security researchers have spotted the Zeus botnet running an unauthorized command and control center on Amazon's EC2 cloud computing infrastructure. They got onto Amazon's infrastructure by first hacking into a Web site that was hosted on Amazon's servers and then secretly installing their command and control infrastructure. This marks the first time Amazon Web Services' cloud infrastructure has been used for this type of illegal activity, according to Don DeBolt, director of threat research with HCL Technologies, a contractor that does security research for CA. The hackers didn't do this with Amazon's permission, however.

DeBolt declined to say whose Web site was hacked to get onto Amazon's cloud, but the Zeus software has now been removed, he said. Variants of this malware have been linked to more than US$100 million in bank fraud in the past year. Zeus is a password-stealing botnet. He thinks the hackers may have just stumbled on a Web site with a security vulnerability - they may have hacked the site's software or simply stolen an administrative password from a desktop computer to get on the site. "I think it's more a target of opportunity than a target of choice," he said. Although this didn't happen in this case, law enforcement officials worry that criminals might start using stolen credit cards to purchase cloud-based computing services from companies such as Amazon. In the past few years, law enforcement takedowns and bad publicity have made it harder for many criminals to host their back-end infrastructure in legitimate or even semi-legitimate data centers, so they have moved to Web based services.

In August, security vendor Arbor Networks spotted a botnet that used Twitter to issue commands to hacked computers. Security experts say that criminals will probably seek out new Web services to use in 2010.

A $30 Billion US census?

2010-01-04T18:06:00.001-08:00

The number seemed staggering, but there it was. That was the conclusion of the Government Accountability Office in a report issued this week on the status of some of the Census Bureaus key systems. The cost of conducting the census has, on average, doubled each decade since 1970. If that rate of cost escalation continues into 2020, the nation could be looking at a $30 billion census. NetworkWorld Extra: Seven advanced car technologies the government wants now "Rigorous planning and perhaps even a fundamental reexamination of the census might be required because the current approach to the national enumeration may no longer be financially sustainable," the repot stated.

Problems with accurately estimating the cost of address canvassing are indicative of long-standing weaknesses in the Bureau's ability to develop credible and accurate cost estimates for the 2010 Census. While the GAO report was generally positive on current plans for next year's census, it was critical of the Bureau's cost estimating ability. Accurate cost estimates are essential to a successful census because they help ensure that the Bureau has adequate funds and that Congress, the administration, and the Bureau itself can have reliable information on which to base decisions, the repot stated. The GAO noted that automation and IT systems will play a critical role in the ability of the Bureau's ongoing work to extract address lists, maps, and provide other geographic support services. The GAO noted that the Bureau's estimate lacked detailed documentation on data sources and significant assumptions, and was not comprehensive.

But the GAO said the database and other software testing critical to such systems was incomplete. Based on the expected mail response rate, the Bureau estimates that over 570,000 workers will need to be hired for that operation. The GAO noted to that one of the Bureau's largest cost will come from the census field operation next summer that looks to gather data from people who didn't respond to the census questionnaire. The FBI currently charges the Census Bureau $17.25 per person for each background check for these employees.

Cyber-Ark unveils tool for managing Windows, Unix systems

2009-12-29T19:00:00.001-08:00

Cyber-Ark Software Inc. this week released an enhanced version of its Privileged Identity Management Suite, with new features designed to give IT officials a single tool for managing privileged accounts across both Windows and Unix environments. Adam Bosnian, vice president of product, strategy and sales at Cyber-Ark, said the new offering can help large companies more easily manage multi-operating system environments that generally require separate tools for each OS. There's a growing demand for tools that can manage manage, control and audit of privileged accounts across the enterprise, said Mark Diodati, an analyst with the Burton Group in Midvale Utah. The upgraded product adds support for managing so-called Unix 'superusers' who typically have a full range of rights and permissions to everything on a system. He cited the growing need meet state and federal compliance and governance requirements and growing concerns about the security risks posed by insiders with access to privileged accounts. "One of the things that is driving demand is that auditors are getting smarter," Diodati said. "They have figured that this thing about privileged access management is crucial." The demand for such tools has attracted the attention of a variety of vendors, including BeyondTrust, which last month unveiled what it termed the first first privileged account management product for heterogeneous IT environments, along with CA, Quest Software and Novell.

For example, in July a former computer support technician at Quantum Technology Partners (QTP) in Miami, was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. The security concerns follow a string of highly public incidents where users holding administrator accounts created IT havoc for a variety of reasons. Lesmany Nunez also changed the passwords of all the IT systems administrators at the company and deleted files that made data restoration from backup tapes more difficult for the company. Perhaps the most sensational example of abuse by a privileged user came when Terry Childs , a former systems administrator at the City of San Francisco, allegedly locked access to a crucial city network for days by changing key network passwords. His actions resulted in more than $30,000 in damages to QTP. And in January, a Fannie Mae engineer was indicted for planting a logic bomb on the corporation's network that could have destroyed and altered all data on the company's servers.

NASA: Astronauts use robotic arm to inspect shuttle heat shield

2009-12-29T17:00:00.001-08:00

After blasting off Monday afternoon, the crew of the space shuttle Atlantis is using a robotic arm to inspect the shuttle for damage while getting ready to dock with the International Space Station tomorrow. On the second day of the mission, the astronauts used the shuttle's 50-foot-long robotic arm , along with its 50-foot-long orbiter boom sensor system, to take pictures of Atlantis's wings and nosecap for any damage that might have occurred during takeoff. Loaded up with 27,250 pounds worth of spare parts for the space station, the shuttle lifted off from Kennedy Space Center in Florida yesterday on schedule at 2:28 p.m. The 11-day mission is focused on getting the station stocked up with equipment like gyroscopes, two nitrogen tank assemblies and parts for the onboard robotic system before the space shuttle fleet is retired and these kinds of shipments are much more difficult to make.

According to NASA, the astronauts running the inspection, which takes about five hours, will use a suite of cameras and lasers designed to give them 3-D views of the shuttle's heat shield. NASA noted that the astronauts also are inspecting their spacesuits today. The images will be sent back to ground control, where engineers will inspect them for any problems with the shuttle's thermal protection system, which will be needed to protect the craft during the blazing temperatures it will encounter during re-entry into the Earth's atmosphere. And in preparation for tomorrow's docking with the space station , they're extending the shuttle's Orbiter Docking System ring and going over their rendezvous tools. The equipment that needs to go up is being delivered in order of highest priority. The equipment being delivered during this mission is considered highly critical to the operation of the space station, according to NASA. At this point, there are only six flights left for the space shuttle fleet before it's scheduled to be retired.

Since this is the first mission to deliver what scientists hope will turn into a trove of spare parts, they're taking up the most important pieces. The astronauts are expected to make three space walks to unload the parts from the shuttle and connect them to the sides of the station's truss .

HP to buy 3Com in networking, data center bid

2009-12-24T06:05:00.001-08:00

Hewlett-Packard has agreed to buy 3Com for about US$2.7 billion, pushing forward the giant IT vendor's strategy for combining computing, storage, services and networking under one roof. HP is offering $7.90 per share for 3Com, about $2 per share above the stock's price of $5.69 at the close of trading on Wednesday. The deal has been approved by both companies' boards of directors and is expected to close in the first half of next year. U.S. and foreign regulatory approvals will be required, the companies said. 3Com will add to HP's Ethernet switching portfolio, which is already a growing competitor to Cisco Systems, and add routing products to its lineup. "Companies are looking for ways to break free from the business limitations imposed by a networking paradigm that has been dominated by a single vendor," said Dave Donatelli, executive vice president and general manager, Enterprise Servers and Networking, at HP, in a prepared statement. "We will enable customers to build a next-generation network infrastructure that supports customer needs from the edge of the network to the heart of the data center." The acquisition will also give HP access to a research and development team and strong sales channels in China, where 3Com operates the H3C subsidiary it originally formed as a joint venture with Huawei Technologies.

As data centers are centralized and virtualized, the largest IT vendors are pursuing data-center strategies that span all parts of what is increasingly a single infrastructure of networks, storage, computing and software. The deal would also bring in 3Com's TippingPoint line of intrusion prevention products. Cisco's introduction of servers earlier this year made it a more direct competitor to HP as well as IBM. HP's own ProCurve networking line has already gained ground on Cisco in enterprises over the past few years. 3Com has trailed the dominating Cisco in the networking arena since the late 1990s and has pursued several different strategies to find its place in the market. Its TippingPoint acquisition gave it a strong position in intrusion prevention, and the company has also focused on networking gear for small and medium-sized businesses.

xGestures updated for Snow Leopard

2009-12-18T21:00:00.001-08:00

Brian Kendall has released an updated version of xGestures for Snow Leopard, which allows you to drive your Mac with "mouse gestures"-a particular combination of mouse movements that triggers a menu item, keystroke, or AppleScript. Users of recent MacBooks with multi-touch trackpads may also want to check out Macworld's recent review of Jitouch, which does similar things with multi-touch gestures. For example, I'm constantly hitting the wrong function key on my MacBook when I try to view all Spaces; with xGestures, I can hold the control key and flick up and down on my trackpad, and xGestures will zip me into the all Spaces view.

xGestures installs as a preference pane and, unlike Jitouch, you have to define all of your gestures from scratch. xGestures requires a mouse button or keyboard press to start listening. Getting started with xGestures was a bit frustrating; you have make sure that "Enable xGestures" is checked under Options and then click the "Start xGestures" button on the same pane. I used the Control-Shift keys along with "hold down key while gesturing" since this combination doesn't conflict with any of my other utilities. You can also set xGestures to change the mouse pointer and draw a line on the screen when it's active, both of which I recommend for testing out the software.

The Command or Option keys, though, could easily trigger a gesture when I don't wish to. Once you're set up, you can define either global gestures or specific gestures for each application. xGestures provides a drop-down menu of actions which a gesture can trigger; the most useful of these are probably "Perform Keystroke" and "Choose Menu Item." (Note: to assign a keystroke, you may need to turn it off first. For my testing, I made my Spaces actions global, but I set up different gestures for Web-browsing which were specific to Safari. Assigning F8 to my Spaces gesture didn't work so long as Spaces was intercepting it.) Be sure to click on "Apply Settings" whenever you set up a new gesture-skipping this led to some frustrating moments during my testing.

I'm on the fence about it, but if I find myself using gestures frequently in two weeks, the price makes this a no-brainer purchase. xGestures requires Mac OS X 10.3 or higher, and costs $5 after a 15-day free demonstration period.

Adobe bends, a little, on eBook DRM

2009-12-13T11:03:00.001-08:00

Responding to criticism that its anti-piracy mechanisms could slow the growth of the eBook industry, Adobe Systems Inc. plans to liberalize its approach toward Digital Rights Management (DRM) with eBooks. Seemingly minor, the move is important both because of Adobe's growing behind-the-scenes importance in the burgeoning eBook industry, but also in how it moves ahead with content protection. The next major version of its Content Server software will give book publishers, authors and libraries the option to protect encrypted eBooks with a password. The current Adobe Content Server 4 software lets publishers choose whether or not to encrypt their eBooks.

That number is meant to give owners flexibility to move purchased eBooks among various devices. It also lets eBook buyers choose up to 12 devices - six desktop and six handhelds, including eBook readers or smartphones - on which they can read eBooks protected by encryption. But what if people want to share their eBooks with a relative, close friend or colleague? Users would then enter in a username and password to open up and read a book on any device or PC. On the flip side, that means a cracked Adobe ID and password could be distributed and used to let pirates read an eBook, just as stolen license keys are used to enable the installation of pirated software. Content Server 5 will allow that by letting owners link eBooks to an Adobe ID account. That possibility is why publishers want Adobe to provide the option for weak or strong encryption, said Nick Bogaty, senior business development manager for digital publishing at Adobe. "I think it's legitimate concern on publishers' part to make it somewhat difficult to mass copy their files, and that's what our DRM does," he said. "Their business is copyrights, and if they don't have that, they don't have a business anymore." Some critics point out that Adobe, by promoting its flavor of encryption on top of the open ePub standard, is promoting a version of vendor lock-in.

Critics also say that DRM measures remain confusing and unnatural for consumers. "Publishers always feel better if things are locked down, but consumers can't stand it," says David Rothman, editor of the eBook-focused blog, TeleRead. Users will be forced to rely on Adobe's eBook-reading software - either Digital Editions for PCs, or Adobe Mobile Reader on smartphones, E-Ink devices and tablets - to read their eBooks. Rothman is an advocate of "social DRM" techniques, such as watermarking eBooks with the owner's name and address, rather than preventing their redistribution. "It's using the forces of peer pressure in a good way. And that could stunt the eBook market, which remains small. But Adobe keeps wanting to think in terms of encryption," he said. Wholesale trade in eBooks in the U.S. for the first three quarters this year totaled $110 million , according to the International Digital Publishing Forum (IDPF). While that is up more than three-fold from last year, it remains a fraction of the paper-based publishing market.

Adobe's Bogaty, the former executive director of IDPF, is skeptical that such a revenue model would work in the book publishing business. "Until I see a book reading fill up Madison Square Garden, or a bunch of kids wearing Tom Wolfe t-shirts, I just don't see a big ancillary market for publishers," he said. Rothman and others point to the music industry, where some artists and record companies and retailers are starting to favor audio watermarks over DRM, employ P2P networks to give away songs for radio-like promotion , or substituting CD sales with concert tours and merchandise sales.

No harm, no foul, says judge in data breach case

2009-12-08T02:00:00.001-08:00

A federal court in Missouri has thrown out a class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed. In a 22-page ruling last week, Buckles said that the plaintiff in the case, John Amburgy, failed to show how the data breach caused him any direct injury or even put him in imminent danger of any injury. "Abstract injury is not enough to demonstrate injury-in fact," Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical." The $22 billion Express Scripts in October 2008 disclosed that extortionists were threatening to publicly release millions of patient records that they had accessed from the company's databases unless the company paid an undisclosed amount of money. In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by other judges in similar cases: Without any actual harm done, there can be no damages sought. St. Louis-based Express Scripts said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.

In his lawsuit, Amburgy accused Express Scripts of negligence in its duty to protect customer records. As of November, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states. He claimed that he and others similarly affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts. Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. But like other judges in similar cases , Buckles brushed aside those contentions and said Amburgy failed to show that he was directly affected by the breach and that his claims relied on too many "ifs." "Plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm." These multiple "ifs" put his claims in the realm of the hypothetical, the judge noted.

In October, for instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law. Though other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros. In September, a federal court in Illinois allowed a couple's whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge had previously thrown out all other claims in the case. The judge in the case noted the couple had shown there was a reasonable basis for arguing that the bank had failed in its duty to protect the couple's money.

Hackers exploit year's fourth PDF zero-day

2009-12-02T16:06:00.001-08:00

For the fourth time this year, Adobe has admitted that hackers were using malicious PDF documents to break into Windows PCs. The bug in the popular Reader PDF viewer and the Acrobat PDF maker is being exploited in "limited targeted attacks," Adobe said yesterday. Adobe promised to patch the vulnerability on Tuesday, Oct. 13, the same day that Microsoft plans to issue its biggest-ever collection of security updates . The bug exists in Reader and Acrobat versions 9.1.3 and earlier on Windows, Mac OS and Linux, said Adobe in a security advisory published Thursday, but as far as the company knows, it is being exploited only to hijack Windows PCs. "There are reports that this issue is being exploited in the wild in limited targeted attacks," said Adobe. "The exploit targets Adobe Reader and Acrobat 9.1.3 on Windows." Adobe will plug the hole next week as part of its quarterly security update for Reader and Acrobat. That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, oftentimes company executives or others whose PCs contain a treasure trove of confidential information.

Last June, Adobe announced it would follow the lead of companies like Microsoft and Oracle, and release regular security updates for Reader and Acrobat. It said more than a month ago that it would instead push the patch date into October. Originally, Adobe was to post patches last month, but a scramble during July to fix several flaws, including some introduced by Microsoft in a code "library" used by its own developers, as well as those in other companies, wreaked havoc on Adobe's schedule. Until a patch is released next week, Windows Vista and Windows 7 users can protect themselves by enabling Data Execution Prevention (DEP), a security feature designed to stop some kinds of exploits - buffer overflow attacks in particular - by blocking code from executing in memory that's supposed to contain only data. Windows XP users should disable JavaScript in Reader and Acrobat, added Adobe.

Instructions on how to enable DEP are available on Microsoft's support site. That wouldn't block all possible attacks, but will stymie the exploit now in the wild. In March, the company quashed a PDF bug that attackers had been using for more than two months . It again patched Reader and Acrobat in May to block another zero-day . In July Adobe fixed a Flash PDF-related flaw that was being used by hackers. Adobe has struggled this year to stay ahead of hackers. Next Tuesday's Reader and Acrobat updates will also patch a unknown number of other vulnerabilities, Adobe said.

SCO fires CEO McBride as it tries to emerge from bankruptcy

2009-11-27T07:00:00.001-08:00

Unix software vendor SCO, struggling through bankruptcy and a Unix copyright trial involving Novell, has fired president and CEO Darl McBride. McBride had been CEO and president of SCO since June 2002. The move and a restructuring come after an operations and cost analysis performed by Edward Cahn, SCO's Chapter 11 Trustee. SCO "has eliminated the Chief Executive Officer and President positions and consequently terminated Darl McBride," the company reported last week in a filing with the Securities and Exchange Commission.

Since the CEO position was eliminated, the SCO management team now consists of COO Jeff Hunsaker, CFO Ken Nielsen and general counsel Ryan Tibbitts. A "modest reduction in SCO's workforce" and other changes will help improve SCO's financial position, the company says. The SEC filing says these three executives "will continue to work closely with the Chapter 11 Trustee and his advisors to implement the restructuring plan, move the intellectual property litigation [against Novell] forward … and emerge from Chapter 11 bankruptcy." SCO says it will finalize details of the restructuring and reach "cash flow breakeven for core operations" within a month. SCO is attempting to raise additional funding and sell "non-core assets." "These actions, while difficult, are essential to SCO becoming a more agile and efficient company, not just for this year, but for years to come," Hunsaker says in the SEC filing. "This restructuring plan reinforces SCO's ability to continue to sell and support its products while servicing the needs of our customers and partners on a worldwide basis through the stabilization of our financial situation." SCO filed for Chapter 11 bankruptcy protection on Sept. 14, 2008. The company is also involved in an ongoing legal battle against competitor Novell over the rights to Unix technology. As a result, Novell and SCO are heading to a trial. In 2007, a U.S. District Court judge ruled that Novell was the owner of Unix and UnixWare copyrights, but that decision was http://www.networkworld.com/news/2009/082409-sco-unix-copyright-decision... ">overturned in August of this year.

In 2003, SCO attempted to sue IBM for $1 billion in another Unix-related matter. Perhaps tellingly, last week's filing with the SEC says that SCO plans to "pursue litigation against, among others, IBM and Novell." Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin The case was closed in 2007 but may be reopened after SCO emerges from bankruptcy.

Opera delivers Unite beta, touts in-browser P2P

2009-11-21T19:05:00.001-08:00

Opera Software today released the beta of Opera Unite, a platform for authoring peer-to-peer (P2P) and Web server-based applications that it's promised will reinvent the Web. Opera 10 launched in final form more than a month ago. In June, Opera touted Unite as a collaborative technology that would "enable every single computer to be a two-way street on the Internet." Four months ago, Opera delivered an alpha version of Unite with a preliminary edition of Opera 10, its next-generation browser.

Today, Opera delivered the Unite beta embedded in the preview of Opera 10.10. It's not given up on the idea that Unite will dramatically change the Internet. "We invite developers all over the world to use their creativity and imagination to push the boundaries of what is possible with Opera Unite," Jon von Tetzchner, Opera's CEO, said in a statement Wednesday. "We are moving closer to our goal of reinventing the Web." Opera's pitching Unite to developers, who it hopes will come up with new applications and Web-based services for sharing, collaboration and social networking. That last turns any Unite-equipped computer into a server, letting users host an already-created Web site via a special URL that Opera assigns. The beta of Unite includes a half-dozen Opera-made services that include file sharing, a media player, photo sharing, a Facebook-style "wall" dubbed "Fridge" where users can leave notes and a Web server. So far, Opera has had little luck in convincing developers to commit time and resources to crafting Unite applications and services. The most popular third-party Unite application is a music-streaming service, which has been downloaded approximately 12,000 times. Of the 21 Unite applications now available , 10 come from Opera itself.

Some security experts, however, have questioned Unite's security and wondered whether it was smart to put a Web server on every desktop. "Bad guys always need Web servers," SecureWorks research Don Jackson told IDG News last June . "Anything that runs a Web server is prone to attack." Although Opera 10 is needed to run Unite and its peer-to-peer (P2P) and server-style services, any browser can access the shared content. According to the most recent data from Web metrics company Net Applications, Opera accounted for just 2.2% of all browsers used last month. Although Opera has led development of some browser features - it was the first major Web browser to institute tabs, for instance - the program's share of the desktop market has remained small. Google's Chrome, which has been available for just over a year and only on Windows, held a 3.2% share in September. That case appeared to near a resolution last week when the EU said it had asked for and obtained changes to Microsoft's proposed "ballot screen," which will let European users of Windows to choose which browser they install on their PCs. Opera Unite is available with Opera 10.10, which can be downloaded for Windows, Mac and Linux from the Opera site. The company has received more attention lately as the instigator of the complaint against Microsoft that led European Union (EU) antitrust regulators to charge the U.S. firm with illegally bundling its Internet Explorer with Windows.

Gmail, Yahoo Mail join Hotmail; passwords exposed

2009-11-16T10:00:00.001-08:00

Google's Gmail and Yahoo's Mail were also targeted by a large-scale phishing attack, perhaps the same one that harvested at least 10,000 passwords from Microsoft's Windows Live Hotmail, according to a report by the BBC. Microsoft , for its part, said late yesterday that it had blocked all hijacked Hotmail accounts, and offered tools to help users who had lost control of their e-mail. The BBC also said it has seen a list of some 20,000 hijacked e-mail accounts; the list included accounts from Gmail, Yahoo Mail, AOL, Comcast and EarthLink. Gmail was the target of what Google called a large-scale phishing campaign, the company told the BBC . "We recently became aware of an industry-wide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google spokesperson told the news network. The latter two are major U.S. Internet service providers. "As soon as we learned of the attack, we forced password resets on the affected accounts," the Google spokesperson also told the BBC. "We will continue to force password resets on additional accounts when we become aware of them." Neither Google's or Yahoo's U.S. representatives responded to e-mails from Computerworld seeking confirmation that their Gmail and Yahoo Mail services were targeted by phishers, or answers to questions about how many accounts had been compromised and what the firms are doing to help users.

Late Monday, Microsoft said it was blocking access to all the accounts whose details had been posted on the Web last week. "We are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts," the company said on its Windows Live blog . Microsoft posted an online form where users who have been locked out of their accounts can verify their identity and reclaim control, and also pointed users to a support page from October 2008 that spells out steps users can take if they think their accounts have been hijacked. Neowin.net, the site that first reported the Hotmail account hijacking early Monday, today added that it had seen the same list of compromised accounts as the BBC. "Neowin can today reveal that more lists are circulating with genuine account information and that over 20,000 accounts have now been compromised," said the Windows enthusiast site . "[The] new list contains e-mail accounts for Gmail, Yahoo, Comcast, EarthLink and other third-party popular Web mail services." Microsoft has acknowledged that log-on credentials for "several thousand" Hotmail accounts had been obtained by criminals, probably through a phishing attack that had duped users into divulging their usernames and passwords. After a slump earlier this year, phishing attacks are on the upswing, according to the Anti-Phishing Working Group (APWG). Its most recent data - for the first half of 2009 ( download PDF ) - noted that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since the industry association started keeping records. Yesterday, Dave Jevans, the chairman of APWG, called the Hotmail phishing attack one of the largest ever, but cautioned that the usernames and passwords may have been harvested over several months, and not by a single, defined attack.

Microsoft, Red Hat seal the deal on interoperability

2009-11-11T00:04:00.001-08:00

Eight months after announcing they would make their virtualization wares interoperable, Microsoft and Red Hat delivered the goods Wednesday on their first major collaboration. Evans emphasized there was no financial arrangement, patent licensing or other deals. "It is straightforward interoperability testing," he said, hinting at other deals Microsoft has cut with Sun and Novell. The two companies announced they have completed testing and validation and that they now fully support virtualization environments that combine Microsoft Windows Server 2008 and Red Hat Enterprise Linux 5.4. "It was a fairly big deal [in February 2009], there had never been an interoperability agreement between Microsoft and Red Hat," said Mike Evans, vice president of corporate development for Red Hat.

But cooperation on the virtualization front has become the order of the day as virtualization has established itself as an integral part of data centers. Red Hat already supports VMware, while Microsoft has a support deal with Novell and its Suse Linux platform. The work by the duo helps expand support on both platforms. In July, Microsoft shocked the industry by contributing virtualization device drivers to the Linux kernel. Microsoft's Mike Neil, general manager of Windows Server and server virtualization, said in a blog post that the cooperation goes beyond the operating system and both companies "have select applications that would receive technical support when running on certified server virtualization software." Neil said the Microsoft applications include BizTalk Server, Exchange Server, SharePoint server and others.

The completed certifications include: Validation of Red Hat Enterprise Linux 5.4 using the Kernel Virtual Machine (KVM) hypervisor with Windows Server 2003, 2008 and Windows Server 2008 R2 guests; and certification of host platforms running Windows Server 2008 Hyper-V, Microsoft Hyper-V Server 2008, Windows Server 2008 R2 Hyper-V and Microsoft Hyper-V with Red Hat Enterprise Linux 5.2, 5.3 and 5.4 guests. On the Red Hat side, users can run JBoss Enterprise Middleware within a virtual machine guest on Hyper-V and receive coordinated technical support. Microsoft customers without agreements can purchase support per incident. Evans said the agreement grants support to any customer with a valid Red Hat Enterprise Linux subscription, while Microsoft customers with support agreements for Windows Server 2008 are eligible for support. Evans said Red Hat is not discussing how it will support Windows Server 2008 guests within its management tools.

Red Hat also will ship a stand-alone hypervisor called Red Hat Enterprise Virtualization Hypervisor that will also support Windows guests. He said there would be more information on that at year-end when Red Hat ships Red Hat Enterprise Virtualization Manager, a set of management tools for desktops and servers. Microsoft supports Red Hat Enterprise Linux version 4.x and 5.x on its System Center Operations Manager 2007 R2, but will need to update its Virtual Machine Manager software to manage Red Hat guest operating systems on Hyper-V. Follow John Fontana on Twitter: twitter.com/johnfontana

SAP, Siemens ink new support pact

2009-11-05T15:00:00.001-08:00

SAP said Wednesday that Siemens has signed a three-year renewal of its software maintenance agreement, an announcement that would seem to quell widespread speculation that the global engineering and electronics company was considering dumping vendor-provided support in favor of lower-cost alternatives. It will use SAP's SRM (supplier relationship management) application in support of procurement efforts around the world. In addition, Siemens has expanded its use of SAP software, according to the announcement.

Siemens' new maintenance agreement includes SAP's high-end MaxAttention service. An SAP spokesman said last month that the rumors about Siemens dropping support created "an inaccurate portrayal about the SAP-Siemens relationship" and that the vendor was "currently working with Siemens to deepen the relationship in a multitude of areas." On Wednesday, an SAP spokesman wouldn't discuss whether the company provided Siemens any sort of discount or other special accommodation in order to sign the new agreement, but said, "this was at usual costs for large SAP customers." If an SAP customer as big as Siemens had chosen to drop vendor maintenance, the high-profile example could have provided a boost to the third-party maintenance market. SAP is also going to provide support for some internally developed applications that are integrated with SAP, the announcement said. But some observers treated the rumors with skepticism. The specter of third-party maintenance has loomed large around SAP since its controversial decision last year to move customers to a fuller-featured but pricier Enterprise Support service.

Right now, there are few third-party SAP support companies, and the best-known one, Rimini Street, probably couldn't handle the job, analyst Josh Greenbaum said in a blog post last month. "I don't see how they can gear up to provide comprehensive maintenance and support ... for what is either the world's largest or the world's second largest SAP installation (Nestle is the other contender)," he wrote. "It would take something more than a Rimini to handle a customer of this size, despite their track record in third party maintenance." In addition, large systems integrators such as IBM would likely be unwilling to take on the project, for fear of alienating SAP, Greenbaum said. After a protracted public debate, SAP and the SAP User Group Executive Network (SUGEN) agreed to work out a set of KPIs (key performance indicators) meant to show the value provided by Enterprise Support. SAP has agreed to hold off on an incremental price increase schedule for Enterprise Support "until the targeted improvements measured by the SUGEN KPI Index are met."

4 Tips for Writing a Great Social Media Security Policy

2009-10-31T06:04:00.001-07:00

Facebook now claims 300 million active users. Naturally, social media growth has also been seen in the workplace, both with regard to employee use as well as functioning as a communication and/or marketing tool for some companies. And Twitter, the micro-blogging site that was almost unheard of at the beginning of 2008, is now one of the internet's 50 most popular sites, according to Alexa Internet Inc.'s web traffic statistics. And according to a survey recently conducted by IANS, a Boston-based research company that focuses on information security, regulatory compliance and IT risk management, the number of enterprises with a social media policy in place has jumped dramatically, too, in just twelve months.

The take away, according to Phillips, is that social media is front and center now in organizations and the discussion is taking place not only among the security team, but within marketing, sales, human resources and even executives. Also see The Seven Deadly Sins of Social Networking Security Jack Phillips, IANS co-founder and CEO, said when IANS conducted the same survey in 2008, the majority of respondents did not have a social media policy. "They really hadn't done the hard thinking," said Phillips. "But then jumping forward to 2009 we saw about a third of the audience now has something in place and another large percentage is considering these kinds of policies." Specifically, just under ten percent of respondent enterprises said their social media policy was fully implemented and communicated in 2008. That jumped to 34 percent in 2009, with another third responding that they had either created or implemented a policy for social media use. Phillips believes this is an opportunity for security folks to raise their profile and take part in an important issue from its inception. Instead, said Phillips, use this as an opportunity to draw attention to existing policies. "Most purists will say: This stuff isn't really new. He shared with CSO four things he thinks organizations should consider when putting together policies and practices for use of Facebook, Twitter, Linked In and other social media within an organization. 1. Don't start from scratch The media landscape is so dynamic that if you create policy for today's hot technology, tomorrow it will be obscure.

It should be part of our HR and acceptable use policies," said Phillips. "The same sort of norms apply to this new world that has applied to the world before today." (See How to Write an Information Security Policy for more on the basics of effective policy.) Phillips noted most of the organizations IANS polled with a social media policy already in place said they had not named specific medias because of changing pace of new media. "It's Twitter today, but it may be something else tomorrow," he said. 2. Use social media policies to raise security awareness "This issue is an opportunity for info sec leaders to refocus attention on information security and risk management, said Phillips. For instance, when compliance regulations came into play, savvy security teams were able to create new policies to comply, while also letting employees know why they were important. IANS is dispelling what Phillips says is age-old advice for enterprises when it comes to adapting to change. Same holds true this time around, said Phillips. "We are finding some innovative awareness tactics that focus on these technologies because they are front and center. The percentages are so low in terms of success of awareness campaigns, this is an opportunity to jump in." 3. Use social media access to raise security's positive profile within the organization While the initial security reaction to new media is often to block, Phillips said most organization now need to consider that not only may allowing access be necessary, but also useful from an info sec perspective. A Twitter campaign, or a Facebook campaign, a Linked In campaign, can all have real impact in terms of receptivity.

Also see Security Awareness Programs: Now Hear This! "The advice we have given is, instead of just knee-jerk blocking everything, we find that this as an opportunity to record usage and activity among the employee base," said Phillips. "When the original data-loss-protection technologies were introduced, they were not in blocking mode, but in monitoring mode." Phillips believes the new technology of social media gives information security what he calls "an interesting opportunity" to see how critical these technologies are to the enterprise. "That kind of information is quite useful to other functions of the enterprise," he said "Sales, marketing, HR are all going to be interested and that raises information security's profile among management." 4. Be prepared for the next phase As social media platforms come and go, some will ultimately become commonplace and integral to an enterprise. As it stands now, he said, he finds his clients are more comfortable with some mediums and with others; not so much. While creating entire new policies around social media doesn't make sense right now, at some point, said Phillips, it will become necessary for policies to be more specific. Most organizations find Linked In to be the most controllable and with the least potential for damage. Particularly, said Phillips, because many employees are not respecting that line between personal and enterprise. "Because these technologies are so different, it is at some point we expect policies are going to have to get granular," he said. "Our sense is high-performing teams will have to create unique Facebook, Twitter, Linked In and Google Docs policies.

But Facebook, with its security vulnerabilities, and the nature of its content, still makes many uncomfortable. And they are going to have to get that granular about what is appropriate and inappropriate with each tool. "We will end up with an open environment, but we will end up with some asterisks that say, it's open, but not 100 percent open. For example, some might say: 'It is not appropriate to use the company's name on your Facebook profile.'

FBI warns of social networking fraud, malware escalation

2009-10-25T21:00:00.001-07:00

Fraudsters are targeting social networking sites with increased frequency and users need to take precautions, the FBI warned. Clearly, the Data Snatchers have found a way to automate the creation of Facebook accounts, which means they've found a way to bypass the Facebook Capcha (the image of letters which are required for a new account, which are supposed to ensure that a human is involved)," said Thompson. Just today Roger Thompson, chief of research at AVG Technologies, blogged about an automated rogue spyware attack using Facebook in which hackers create new Facebook pages. "We're seeing rather a lot of these, all from different profiles, but with the same picture and link. Network World Extra: 12 tips for safe social networking The FBI meanwhile states that fraudsters continue to hijack accounts on social networking sites and spread malicious software by using various techniques.

Other spam entices users to download an application or view a video. One technique involves the use of spam to promote phishing sites, claiming there has been a violation of the terms of agreement or some other type of issue which needs to be resolved. Some spam appears to be sent from users' "friends", giving the perception of being legitimate. Another fraudster favorite involves applications advertised on social networking sites, which appear legitimate; however, some of these applications install malicious code or rogue anti-virus software, the FBI stated. Once the user responds to the phishing site, downloads the application, or clicks on the video link, their computer, telephone or other digital device becomes infected, the FBI stated. Other malicious software gives the fraudsters access to your profile and personal information.

Symantec's Zulfikar Ramzan wrote in a recent CSO article that there's no question that online social networking continues to rise in popularity due to the numerous conveniences and opportunities it provides. These programs will automatically send messages to your "friends" list, instructing them to download the new application too, the FBI stated. There's also no question that social networking provides phishers with a lot more bait than they used to have. Games, links and notifications are the low-hanging fruit for phishers to use as they lead people into dangerous territory. Threats can come from all sorts of avenues within a social networking site.

As society picks up one end of the social networking stick, it finds that it inevitably picks up the security problems on the other end, he stated. Some networking sites have provided useful options to assist in adjusting these settings to help protect your identity.•Be selective of your friends. The FBI recommended the following basic tips to help prevent most nefarious activities: •Adjust Web site privacy settings. Once selected, your "friends" can access any information marked as "viewable by all friends."•You can select those who have "limited" access to your profile. Users should consider how they want to use the social networking site.

This is for those whom you do not wish to give full friend status to or with whom you feel uncomfortable sharing personal information.•Disable options and then open them one by one such as texting and photo sharing capabilities. If it is only to keep in touch with people then perhaps it would be better to turn off the extra options which will not be used.•Be careful what you click on. If you want to report an incident, the FBI says to file a complaint at its Internet Crime Complaint Center (IC3). Just because someone posts a link or video to their "wall" does not mean it is safe.

Senate kills bid to make White House czars accountable

2009-10-19T17:06:00.001-07:00

A proposed amendment that would have given Congress more oversight over the White House cybersecurity czar and at least 17 other czars appointed by President Obama was shut down in the U.S. Senate today. Susan Collins (R-Maine), sought to restrict federal funds for the expenses of White House-appointed czars unless two conditions are met. The amendment, proposed by Sen.

One of them was to require the president to agree that every czar would respond to "reasonable requests" to testify before Congress on matters related to the office. The proposed amendment was in an Interior Department environmental appropriations bill on the Senate floor. The other required White House-appointed czars to issue a report to Congress twice a year. In a statement , Collins said the amendment was needed to ensure greater transparency and accountability. The amendment however was ruled "non-germane" to the pending bill in the Senate this afternoon and will not move forward, a spokesman for Collins said in an e-mail. "The amendment fell," following an objection by Sen. She had claimed that direct White House appointees were largely insulated from congressional oversight and often duplicated or diluted the statutory authority and responsibilities of Cabinet-level appointees who had been vetted by Congress.

Dick Durbin (D-Ill.), he said. At a committee hearing in May on strategies for securing cyberspace, Collins had said that putting the White House in charge would make it harder for Congress to exercise oversight over critical cybersecurity policies and budgets. Collins, who is the ranking minority member of the Senate Homeland Security and Governmental Affairs Committee, had raised similar concerns previously, especially with regard to Obama's plans to appoint a White House cybersecurity czar, or agency coordinator. Collins proposed instead that the government consider adopting the model used in setting up the National Counterterrorism Center (NCTC). The NCTC, which was established in August 2004 on the recommendations of the 9/11 Commission, works in the Office of the Director of National Intelligence (ODNI), a setup that allows for greater congressional oversight, she had said. The president announced the position in May and stressed the need for a national strategy for securing U.S. interests in cyber space. The developments come amid a delay by the White House in naming a new cybersecurity coordinator.

The delay in making the appointment has fueled speculation about the likely candidates and the nature of the job . Earlier this month, the Reuters news service. quoting an unnamed source with "direct knowledge" of the matter, said the front runner for the post was Frank Kramer , an assistant defense secretary under President Bill Clinton.

Scientists refute online rumors on moon bombing

2009-10-14T08:00:00.001-07:00

In the days leading up to NASA's crashing of two halves of a space probe into the moon, doubters turned to the Internet to express fears that the lunar bombing would have negative effects on the Earth. In a quest to find out if there's water on the moon , NASA sent two separated halves of a spacecraft crashing into a permanently dark crater on the south pole of the moon this morning. Scientists and astronomers were quick to step forward to refute any rumors and quell concerns, but rumors are still circulating online. The crashes were meant to send up a huge debris plume that could be measured and analyzed for evidence of water ice hiding in the cold, dark crater.

But detractors were quick to post online warnings about possible negative effects of the experiment. With NASA still hopeful to one day create a viable human outpost on the moon , it would be helpful for anyone there to find water rather than haul it up from Earth. Amy Ephron, an author and screenwriter, wrote an article for the Huffington Post earlier this week, questioning NASA for taking the risks associated with sending two spacecraft crashing into the surface of the moon. "Who did the risk assessment? Ephron was far from alone in her concerns. I mean, what if something goes wrong?" asked Ephron. "I could say something scientifically lame and ask, 'What if it gets thrown off its axis?' or something funny and suggest something (that I actually sort of believe), like, 'What if it somehow throws off the astrology?' Or that we're not risking - as we have the earth with continued experiments of this kind - sending the solar system out of balance. The Chicago Surrealist Movement posted an online petition , which was signed by 560 people, calling for NASA to halt the bombing of the moon.

Faith Vilas, director of the MMT Observatory , said she's been amazed by such negative reactions to the mission. And people against the LCROSS mission started their own Twitter presence with @helpsavethemoon . While some people said they felt NASA's plan was simply too aggressive an attack on the Earth's orbiter, some claimed that the impacts would change the Earth's tides, throw the moon off its axis or even affect women's menstrual cycles. There's simply no danger, she added. "The moon is impacted by nature and meteors all the time," said Vilas. "Nature has done much more damage to the moon than we just did. What we did was nothing. We were not likely to have any effect on the moon at all. We didn't have much of an impact at all." Bruce Betts, director of projects at The Planetary Society , said in an email to Computerworld that this morning's crashes will have no negative impact on the moon or the Earth. "The spacecraft are far too tiny compared to the moon, in fact, to have any significant effect on the moon's orbit or dynamics," he added. "The impact might be likened to a gnat hitting the windshield of a truck."

Microsoft's Ballmer finds wallet a little lighter

2009-10-08T21:05:00.001-07:00

Microsoft CEO Steve Ballmer received a 5.5% decrease in his overall compensation last year as the company suffered through its first-ever drop in overall revenue, according to documents filed with the SEC Tuesday. Elop joined the company in January 2008 moving from Silicon Valley to the Seattle area. CEOs still getting big perks despite pay backlash The documents also reveal that Microsoft paid Stephen Elop, who heads Microsoft's business division, a hefty $4.1 million in relocation expenses.

Ballmer and three of the other executives named in the report – CFO Chris Liddell, COO Kevin Turner and Entertainment and Devices Division head Robbie Bach – also saw their 2009 overall compensation decrease. Overall, compensation for all Microsoft executives was down 29%. Ballmer's base salary actually rose from $640,833 to $655,833, but his cash incentives payments were down $100,000 to $600,000 in 2009. Ballmer since becoming CEO in January of 2000 has not taken any stock compensation. Elop was the only one of the five executive's listed who saw his compensation rise in fiscal year 2009. Elop's comparable figure for fiscal year 2008, however, only reflects six month's salary as he joined the company half way through the fiscal year. He already owns more than 400 million shares, which gives him ownership of 4.5% of the company. Turner's base salary rose $21,000 to $641,667, but his overall compensation dropped 37% from $8.6 million to $5.4 million.

Liddell, saw his salary increase by $20,000 to $561,667, but his overall compensation dropped 26% from $4.7 million to 3.5 million. Bach's base salary also rose $21,000 to $641,667, but his overall compensation dropped 24% from $8.2 million to $6.2 million. Turner was the lone exception as he also suffered a loss in his cash incentive payment of $47,981. The number likely won't brighten in fiscal year 2010, which started July 1 for Microsoft. All the executives suffered their losses based on drops in the fair market value of their stock awards at the time they were granted. The company decided in January 2009 to eliminate merit-based salary increases for fiscal year 2010. The decision also includes freezing base salaries for executive officers at their 2009 levels for fiscal year 2010. The report also lists the evaluation the Board put forth on Ballmer's performance in 2009 and his merit for compensation via the companies incentive plan.

This amount was recommended by the Compensation Committee to the Board based on his performance appraisal by the independent members of the Board and other information deemed relevant, including Mr. Ballmer's performance against his individual commitments, the Company's progress in key product development areas such as Windows and online search, his leadership in expense management which helped to offset the declines in revenue due to the economic downturn, and the financial performance of the Company relative to the 25 largest technology companies (measured by operating income). The independent members of the Board of Directors considered the recommendation of the Compensation Committee and approved Mr. Ballmer's Incentive Plan award." Follow John on Twitter. The evaluation states: "For fiscal year 2009, Mr. Ballmer's Incentive Plan award was $600,000 which was 90% of his base salary.

Broadband will connect 20% of households worldwide this year, Gartner projects

2009-10-02T01:00:00.001-07:00

Research firm Gartner is projecting that 20% of households worldwide will be connected to the Internet through a broadband connection by year-end. Following behind South Korea in broadband penetration rate are the Netherlands (80%), Denmark (75%), Hong Kong (72%), Canada (69%) and Switzerland (69%). Gartner says that the United States lags behind many developed countries with a 60% broadband penetration rate, although this still ranks the United States ahead of countries such as Japan (58%), Germany (55%), Australia (55%) and Sweden (54%). Over the next four years, however, Gartner expects broadband penetration in the United States to rise rapidly, as it is projected to add 27 million new connections and hit a penetration rate 78% by 2013. If the United States is successful in adding these new connections, Gartner projects that it will leapfrog several countries that it now trails in terms of broadband penetration rate, including New Zealand, the United Kingdom and Norway. WiMAX changes lives in rural Thailand In all, Gartner projects that 422 million households worldwide will have a fixed broadband connection by the end of this year, an increase of 10.5% from the 382 million households that had a fixed broadband connection at the end of 2008. Looking further down the road, Gartner projects that 580 million households worldwide will have a fixed broadband connection, an increase of 37% over the number projected to have broadband by the end of 2009. South Korea is currently the leader in household broadband penetration, Gartner reports, as 86% of South Korean households have broadband connections. South Korea is still projected to be the king of broadband penetration, however, as Gartner predicts that 93% of South Korean households will be connected to the Web via broadband in 2013. Gartner also predicts that developing countries will add 135 million new broadband connections over the next four years, with Brazil, Russia, India and China accounting for more than two-thirds of new connections in the developing world and nearly half of all new connections worldwide.

FCC's Net Neutrality Plan Draws Fast Fire

2009-09-26T13:04:00.001-07:00

Federal Communications Commission Chairman Julius Genachowski announced Monday, that the FCC would prevent broadband carriers from limiting your access to high speed Internet for things like Internet-based voice calls, video streaming, and legal file sharing (that carriers might wish to block or at least charge extra for). In a speech to the Brookings Institution in Washington, D.C. on Monday, Genachowski said the FCC will begin to formalize net neutrality rules in the United States. This is particularly important with the emergence of data-intensive smartphone handsets, 3G netbooks, and wireless broadband cards. Genachowski also wants to have a public discussion about how net neutrality regulations would apply to mobile broadband providers. As expected, not everyone is happy with Genachowski's concept of what a free and open Internet should be.

To keep the Internet neutral, Genachowski wants the FCC to formally adopt six principles, four of which have been employed by the FCC on a case-by-case basis since 2005. 1. Consumers are entitled to access the lawful Internet content of their choice. 2. Consumers are entitled to run applications and use services of their choice, subject to the needs of law enforcement. 3. Consumers are entitled to connect their choice of legal devices that do not harm the network. 4. Consumers are entitled to competition among network providers, application and service providers, and content providers. Here's what's going on: The FCC's Four Freedoms Grow to Six On Monday, Genachowski described the Internet as a "blank canvas" that has inspired "innovation and ubiquitous entrepreneurship." He cited online success stories like Netscape, Facebook, and eBay, arguing that businesses like these could not have been successful without a free and open Internet. The two additions: 5. Broadband providers cannot block or degrade lawful traffic over their networks, favor certain content or applications over others and cannot "disfavor an Internet service just because it competes with a similar service offered by that broadband provider." 6.Broadband providers must be transparent about the service they are providing and how they are running their networks. In a blog post entitled "Does the Internet Need More Regulation? Don't force us to be free While the principle of net neutrality has been embraced for years by many Internet advocates including Craig Newmark of Craig's List, Google, and Microsoft; broadband providers and mobile operators aren't so sure about Genachowski's plan.

FCC to Decide," David L. Cohen, executive vice president of broadband for Comcast - one of the largest broadband providers in the United States - points out that net neutrality debates have been going on for years. Wired's Dylan F. Tweney has an interesting take on the FCC's net neutrality moves, arguing that intervention will actually stifle your Internet access. During that time, however, the "Internet has enjoyed immense growth... [and the] Internet in America has been a phenomenal success." With that in mind, says Cohen, it is "fair to ask whether increased regulation of the Internet is a solution in search of a problem." Despite Cohen's questions about government intervention, he says Comcast is committed to working with the FCC on this issue. Tweney's three-point argument suggests that broadband providers may be forced to give up on flat-rate Internet service in favor of bandwidth caps. Tweney believes formal net neutrality will cause problems in broadband that we've already seen with iPhone users' inconsistent service from AT&T. Enforcement may also be difficult for the FCC to carry out, according to Tweney, because it will be hard to prove when a service provider has run afoul of neutrality regulations. Bandwidth, Tweney argues, is not unlimited - especially for mobile providers - and therefore must be managed.

Tweney also says an open and free Internet has already won out over closed networks, and points to the failures of services like AOL and CompuServe as examples. However, the FCC Chairman did say he wanted the regulatory body to "analyze fully the implications of the principles for mobile network architectures and practice." Cell phone companies were not too thrilled to hear about this. "We are concerned the FCC appears ready to extend the entire array of net neutrality requirements to what is perhaps the most competitive consumer market in America , wireless services," AT&T said in a statement. Mobile Provider Backlash In his speech, Genachowski didn't lay out any specifics for how net neutrality would apply to mobile providers. Verizon also spoke up, saying the FCC should not start regulating the Internet and arguing net neutrality would "limit customer choices and affect content providers, application developers, device manufacturers and network builders," according to the BBC. Republicans Move Against Net Neutrality Reacting to the FCC's announcement, Senator Kay Bailey Hutchinson from Texas, who is the ranking Republican on the Senate Commerce Committee, attached an amendment to an appropriations bill that would deny the FCC any funding for "developing or implementing new Internet regulations," according to Eweek. The amendment was co-sponsored by four other Republicans. Republican objections to the FCC proposal include concerns that government intervention would stifle innovation.

What's next for the FCC Genachowski said he wants to initiate a public discussion about net neutrality that is "fair, transparent, fact-based, and data-driven." The FCC Chairman says nothing is predetermined, and will schedule public workshops as well as online discussion. Watch Julius Genachowski's Introduction to OpenInternet.gov: To that end, the FCC has launched a new Website called OpenInternet.gov, where, you can submit comments, view Genachowski's speech, and connect with the FCC through social networks and new media like Twitter, Facebook and YouTube.

Gonzalez pleads guilty to TJX, other data heists

2009-09-21T04:00:00.001-07:00

The man described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers today pleaded guilty to charges in a 19-count indictment that include conspiracy, wire fraud and aggravated identity theft. That case was being prosecuted separately in New York but was merged with the case in Boston under a plea agreement negotiated with prosecutors a few days ago. Albert Gonzalez, 28, of Miami, also pleaded guilty to one count of conspiracy to commit wire fraud related to a data theft at Dave & Buster's restaurant chain. Gonzalez is scheduled to be sentenced Dec. 8 by U.S. District Court Judge Patti Saris in Boston.

Under the plea agreement, Gonzalez will serve between 15 and 25 years for both cases and will be fined as much as $250,000 for each of the charges. He faces a maximum of 25 years in prison for the charges in Boston and 20 years for the case in New York. Gonzalez will also forfeit more than $2.7 million in cash as well as multiple pieces of real estate and personal property, including a condominium in Miami, a BMW and several Rolex watches that he is alleged to have acquired through his ill-gotten gains. Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In August, federal authorities in New Jersey indicted Gonzalez on charges involving breaches at Heartland Payment Systems, Hannaford, 7-Eleven Inc. and two other unnamed retailers. About $1 million of the money being forfeited was recovered from a container buried in Gonzalez' back yard, according to a statement released today by the U.S. Department of Justice. Prosecutors alleged that Gonzalez, along with two unnamed Russian conspirators, stole more than 130 million credit and debit cards from the five retailers.

It is not clear if Gonzalez was the leader of a worldwide criminal gang or merely acting at the behest of powerful crime gangs based in Russia and East Europe. Today's plea brings to an end, for the moment, to the career of a hacker who federal authorities say has been the mastermind of the biggest data thefts in U.S. history. But his actions, which his lawyer has claimed stemmed from a computer addiction , have caused millions of dollars in losses to his victims. In addition, some of the companies that were Gonzalez's victims have had to pay fines to Visa and the other card brands for being noncompliant with the credit card industry's Payment Card Industry Data Security Standard and to spend more money to revamp their security controls. TJX has publicly estimated that costs to the company from the data breach will touch $200 million . Heartland has already spent or set aside more than $12 million and is facing numerous lawsuits from affected institutions.

Report: Deutsche Telekom eyeing purchase of Sprint

2009-09-15T11:06:00.001-07:00

Every year it seems that some foreign telecom company is in the running to purchase Sprint and this year is no exception. Hottest tech M&A deals of 2009 Deutsche Telekom is the parent company of U.S. wireless carrier T-Mobile USA, meaning that any purchase of Sprint would probably mean a merger of the two carriers. According to a report in the U.K.-based Telegraph newspaper, German carrier Deutsche Telekom is interested in purchasing Sprint and could submit an offer that will likely at least match the $10.6 billion that the company is estimated to be worth.

Sprint is the third-largest wireless carrier in the United States with an estimated 48.8 million wireless subscribers, while T-Mobile is the fourth-largest carrier with an estimated 33.5 million wireless subscribers. Deutsche Telekom was rumored to be interested in Sprint last year, when the company's credit rating was downgraded to junk status by Standard and Poor's. South Korean carrier SK Telecom was also rumored to have an interest in purchasing Sprint. A merger between the two companies would help T-Mobile match the subscriber numbers fielded by wireless giants AT&T, which has approximately 78 million subscribers, and Verizon, which has approximately 86 million subscribers. In 2007, Sprint nixed a $5 billion investment offer from SK Telecom and buyout firm Providence Equity Partners that also would have installed former Sprint chairman Tim Donahue as Sprint's CEO. SK Telecom and Providence Equity partners had proposed the investment to Sprint earlier in the month in a letter written to the telco in tandem to Donahue. Sprint's competitors, meanwhile, all seemed to extend their advantages over the beleaguered carrier.

Sprint has taken a major hit to its finances and market share in recent years, as the carrier not only posted an annual loss of $2.8 billion in 2008 but also lost more than 4 million wireless subscribers and wound up laying off 8,000 workers this past January. Buoyed by the release of the iPhone 3G, AT&T added nearly 7 million wireless subscribers in 2008 while posting earnings of $12.9 billion for the year, a 7.7% increase over its 2007 earnings. Verizon, meanwhile, added 6.3 million wireless customers while posting a net income of $6.4 billion, a 16.4% increase from 2007.

TransferJet wireless data gadgets coming next year

2009-09-08T05:04:00.001-07:00

TransferJet, a data transfer technology that allows information to be exchanged between gadgets by simply bringing them close to each other, should begin appearing in products next year.

Both Sony and Toshiba are demonstrating the technology at this week's IFA electronics fair in Berlin and said products should be available in early 2010.

TransferJet works over a distance of a few centimeters and users will see speeds of up to 375Mbps. It's designed for data exchange between a user's gadgets and uses radio spectrum around 4.5GHz, which is available for unlicensed applications in most countries, so worldwide use should be possible.

"The idea of TransferJet is not to compete with technologies like WiFi. It can be viewed as a connector replacement," said Chris Clifton, chief technology officer at Sony UK's Semiconductor and electronic solutions division. "So instead of looking for the USB cable or the hassle of trying to connect from one device to another, just touch and go and transfer data in a few seconds."

The products will follow the completion of version 1.0 of the TransferJet standard, which is due next month, said Clifton.

Sony originally developed the technology but work was handed over to a consortium last year. It counts 40 major consumer electronics companies among its members, including Samsung, Toshiba, Kodak, Canon, Nikon, Panasonic, Sharp, Olympus, Pioneer and Sony Ericsson.

Details of the first products are not available but as many of the major digital still camera, video camera and cellular telephone companies are among the early supporters it's likely that it will appear in these products first.

At IFA Sony was demonstrating data transfer from a Walkman to a cell phone and from a cell phone to a digital picture frame, and also downloading of movies from a retail kiosk. Toshiba was using TransferJet to send photos from a cell phone to a laptop computer.

TransferJet's short range brings several advantages, said Clifton.

It uses a low power to transmit data so doesn't have the same problems with interference that other wireless technologies can suffer, and has a lesser impact on battery life. It also means that set-up can be made easier without all of the pairing and security in systems like Bluetooth. Because it works over a few centimeters it typically would require a user to be in possession of the gadgets being used.

TransferJet was first unveiled by Sony at the Consumer Electronics Show in Las Vegas in January 2008. A prototype system transferred pictures from a digital camera to a television. The technology was again demonstrated at this year's CES when Toshiba showed a prototype PDA with the technology.

After links to cybercrime, Latvian ISP is cut off

2009-08-05T09:06:00.001-07:00

A Latvian ISP linked to online criminal activity has been cut off from the Internet, following complaints from Internet security researchers.

Real Host, based in Riga, Latvia was thought to control command-and-control servers for infected botnet PCs, and had been linked to phishing sites, Web sites that launched attack code at visitors and were also home to malicious "rogue" antivirus products, according to a researcher using the pseudonym Jart Armin, who works on the Hostexploit.com Web site. "This is maybe one of the top European centers of crap," he said in an e-mail interview.

"It was a cesspool of criminal activity," said Paul Ferguson a researcher with Trend Micro.

The ISP was disconnected from the Internet by its upstream provider, Junik, on Monday, after its provider, TeliaSonera told it to stop servicing Real Host or face sanctions Armin said.

Real Host was considered a "bullet proof" hosting provider, that would allow customers to remain online even after they had been linked to malicious activity. It had been linked to the Zeus botnet-making software.

This isn't the first time this type of hosting provider has been knocked offline. In the past year, at least three U.S. ISPs: Atrivo, McColo and 3FN have been unplugged after security researchers built cases against them. Atrivo and McColo were also taken offline by their upstream providers. 3FN was shut down by the U.S. Federal Trade Commission.

But according to Armin, this may be the "first time an international group has achieved this across borders and in Eastern Europe."

In the past, these takedowns have had a serious affect on spam. And while some observers reported a noticeable drop in spam over the weekend, security experts say that this was probably not attributable to the Real Host takedown.

Observers expect to see the criminal activity linked to Real Host resume soon, but they say that the takedown puts some pressure on the bad guys and the networks that provide service to them. "The precedent that's being set right now is that you need to take some responsibility for your network," said Lawrence Baldwin, owner of security research firm Mynetwatchman. "There actually are some consequences now for allowing an obviously heavy concentration of criminal activity on your networks. It's just not going to be accepted anymore."

Analyst: Microsoft's Windows 7 license numbers misleading

2009-07-16T15:00:00.001-07:00

A former Microsoft employee and prominent analyst warned the financial community not to be misled by Microsoft's claims about early corporate adoption of Windows 7.

Microsoft said this week at its annual Worldwide Partner Conference that it has already licensed 51 million desktops for Windows 7, which won't be available to business customers through its volume-licensing program until Sept. 1.

However, Rob Horowitz, the founder and CEO of analyst firm Directions on Microsoft and who worked at the company for eight years, said that many of those corporate licenses are likely tied to its existing enterprise-agreement contracts with customers and don't represent any specific interest in the new OS.

"When Microsoft says it has 51 million seats already for Windows 7, that's probably 51 million PCs covered by enterprise agreements," he said, speaking to financial analysts on a conference call hosted by Citibank.

On the call, Horowitz discussed the mechanics of Microsoft's volume-licensing, enterprise agreement (EA) and Software Assurance (SA) programs, which large corporate customers use to purchase Microsoft software.

The SA program provides software updates and other extras to corporate customers that purchase software in high volumes. Companies that want the enterprise version of the Windows client OS must purchase SA to get it, and SA is a part of EAs, which cover all the licenses needed to deploy Windows and Office across corporate desktops.

Though companies do get automatic software upgrades through SA, the update program is not the main draw for customers to purchase EAs, Horowitz said.

Rather, companies sign EAs to avoid any complexity later if Microsoft decides to audit them to ensure they're paying for every desktop using its software, he said.

"It's a huge pain to show you have enough licenses to cover your use," Horowitz said. With an EA, customers need merely to count their desktops each year, tell Microsoft how many they have and then pay for those desktops, he said.

In fact, many customers don't even update their desktops to the latest software they receive through SA, even if they get it under the terms of their contracts, Horowitz said. This was certainly the case with Windows Vista, which was not popular with many enterprises, which opted to continue using Windows XP instead.

It's hard to tell how Windows 7 will fare with corporate customers beyond those who get the product through an SA contract, which doesn't necessarily mean they will use it.

Early reports have mixed projections for how well Windows 7 will do in its early days. Research firm IDC is predicting 177 million Windows 7 PC shipments by the end of the year, but that represents a mix of corporate and consumer users. Following its September release to volume licensing, the OS will be available to everyone on Oct. 22.

Another report published Monday predicts adoption by businesses could be sluggish. A survey based on feedback from 1,000 IT administrators and conducted by ScriptLogic found that nearly 60 percent of businesses don't currently plan to adopt Windows 7. ScriptLogic provides network administration software for Windows-based networks.

A representative at Microsoft's external public-relations agency said she would look into issues regarding Windows 7 adoption that Horowitz raised. No one was otherwise immediately available to comment.

.Eu Web addresses can be written in Cyrillic, Greek letters

2009-06-27T07:00:00.001-07:00

The .eu TLD (top-level domain name) for Web sites allows non-ASCII characters in its Web addresses, after it opened up the TLD to addresses written in Cyrillic and Greek letters, the European Commission said Friday.

Currently, all TLDs, including .com, .org and the like have to be written in ASCII characters, which include the Roman alphabet and numerals.

However, three European Union countries don't use the Roman alphabet: Greece and Cyprus use modern Greek script while Bulgaria shares the Cyrillic alphabet with the non-E.U. country Russia.

It is "only natural that the domain names chosen by Europeans be permitted to be as diverse as Europe itself," Commissioner for the Information Society Viviane Reding said in a statement, announcing the decision to expand .eu beyond ASCII characters.

Some E.U. languages such as Czech, Polish and Lithuanian have the odd letter in their alphabets that steps beyond the ASCII character list. Even more use accents attached to Roman letters - those include French, Spanish and Danish. Users of these languages will also be able to write TLDs using their full alphabets from now on, the Commission said in a statement.

The Internet Corporation for Assigned Names and Numbers is also looking into stretching other TLDs so they can use non-ASCII characters.

No one was immediately available at ICANN to say when these internationalized domain names will become available but ICANN is understood to be working on expanding the choice of characters to include Chinese, Japanese and Arabic characters.

The number of .eu Web sites has reached just over 3 million, the Commission said. But the rate at which people and firms have been signing up for an .eu Web address has slowed after an initial rush to register Web sites in 2006, the TLD's first year in existence.

The number of new .eu Web sites last year and in 2007 was around 300,000 each year, while in 2006, 2.5 million .eu TLDs were registered.

The .eu TLD is now the ninth most-used top-level domain name in the world, ahead of .biz but still way behind TLDs such as .com, .ge (Germany), .net, .org and .nl (Holland). Germany has registered the biggest number of .eu Web site addresses with just under 1 million. Next comes the Netherlands with 415,000, followed by the U.K. with around 378,000.

The management of .eu is entrusted to EURid , an independent nonprofit organization.