
Harvard academic refutes Google carbon footprint story
A Harvard researcher said on Tuesday that a British newspaper misquoted his research covering the carbon footprint caused by running Web sites.
The Sunday Times wrote that a search query on Google releases seven grams of carbon dioxide (CO2) gas, about half as much as boiling a kettle for a cup of tea. The figure was attributed to a forthcoming research paper authored by Alex Wissner-Gross, who is a fellow at Harvard's Center for the Environment.
Google quickly contested the estimate, writing that its own research put the figure at 0.2 grams of CO2.
Wissner-Gross said his research paper, which The Sunday Times never saw, concerns methodologies for measuring how much carbon is released by Web sites by looking at the carbon released by a network, servers and client PCs. The paper is still being finalized but contains no data on Google and does not specify a seven gram figure, Wissner-Gross said.
Wissner-Gross said he did discuss Google with the newspaper in broad generalizations, in that Google uses energy, and that the generation of that energy would cause CO2 to be released.
However, Wissner-Gross said one of The Sunday Times writers seemed eager to confirm the seven-gram figure and link it to Google. The researcher said he did not do so. Wissner-Gross said he saw a draft of the story before publication and suggested some changes, but those edits were not made.
Efforts to reach the writers at The Sunday Times were unsuccessful.
Wissner-Gross said there is a positive angle to the incident, given the wide publicity of the story. "I think that the [mainstream public] has actually woken up and discovered green IT," he said.
Debunking the Patch Tuesday hype machine
A familiar pattern reared its ugly head in my e-mail inbox Tuesday afternoon. And while I mean no disrespect toward my PR friends, it's starting to annoy me.
The second Tuesday of each month has become something of a holiday for PR firms whose clients include all the big security software vendors -- Patch Tuesday, when Microsoft releases security updates for the latest attack-prone flaws in Windows, Internet Explorer, etc.
The e-mails I get tend to play up the latest flaws as if the apocalypse is at hand. Patch immediately, their clients warn, or doom will almost certainly befall your company computer networks. This past Tuesday was no exception, when Microsoft rolled out a fix for three bugs in its Windows Server Message Block (SMB) file and print service.
To make the tone graver still, Oracle and Research In Motion released critical security updates Tuesday as well.
My PR friends will probably get angry as they read this. My response: I know you're just trying to do a job, and I even believe you when you say the goal isn't to stir up FUD, but to simply raise awareness and ensure companies install security patches quickly. That's an admirable goal, and there's no doubt such a message is necessary on the consumer side, where the not-too-tech-savvy masses are tearing up the Internet on laptops, PCs and mobile devices with no thought about security.
But my observation in the business world is much different, making the need for alarmist Patch Tuesday announcements unnecessary.
I've visited a lot of IT shops in recent years, including those at Children's Hospital, the Papa Gino's pizza chain and the Boston Celtics. The purpose of the Children's Hospital visit was specifically to observe their monthly patching procedures. At the other places, the mention of Patch Tuesday sparks the same response: They have a standard patching procedure that stretches over seven days from the initial patch release. It's all a routine for them. No butterflies in the belly.
The first day is for evaluating the patch load and which ones are most important for the organization to install first. The order of importance is not the same from place to place. Next comes a few days of putting the patches on test machines to see if they break other programs on the network. Patching ASAP is not useful if the patch causes critical business applications to misfire and grind to a halt. Usually about a week in, after those glitches have been tweaked, the patches are rolled out. Thanks to Microsoft's automatic update machinery, the process is as straightforward as clicking on boxes next to the patches you want.
If it's all so routine for these people, why all the grave warnings from security vendors each month?
My IT sources usually don't understand why vendors are yelling at them to patch immediately. For the reason described above, they can't rush the process. Meanwhile, they are not too worried about fresh flaw exploits because they have a multi-layered array of security tools and policies to keep out any malware that may target the latest Microsoft holes while the patches are being tested and tweaked.
Like I said, the alarm-bell approach is probably necessary for the consumer crowd. But much less so on the business side.
So, PR friends, if I don't bite on your Patch Tuesday e-mails, don't take offense. It's just that our core audience wants us to be focusing on other things.
About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com. CSO is an InfoWorld affiliate.
Update: Microsoft updates free tool to remove persistent worm
Microsoft has updated its free security tool to remove a persistent worm that is targeting a now-patched but severe vulnerability that affects several server products.
The latest update to the Malicious Software Removal Tool (MSRT) can now remove infections of Conficker, a worm that infects a server and then tries to download other malicious software, according to a company blog.
Conficker targets a flaw in Windows Server Service. Microsoft thought the flaw was so severe that it issued an out-of-cycle patch on Oct. 23 for Windows 2000, XP, Vista, Server 2003 and Server 2008.
Microsoft has observed a new variation of the worm, called Win32/Conficker.B, that has been infecting servers. Systems become infected when a hacker constructs a malicious Remote Procedure Call (RPC) to an unpatched server, which then allows arbitrary code to run on a machine.
Conficker.B uses other methods to spread, including trying to copy itself to other shared network machines by guessing passwords, wrote Cristian Craioveanu and Ziv Mador, on the Microsoft Malware Protection Center blog. It can also spread via removable media.
Conficker uses several tricks to avoid detection. It uses a technique called polymorphism, a mechanism that can use compression and encryption to make the code appear different to antivirus software and more difficult to detect. It also makes its files hard to detect and changes key access rights, Microsoft said.
The outbreak of Conficker.B is mostly affecting customers who are running large networks. Countries with affected systems include the U.S., Mexico, France, Spain, Canada, Italy, Brazil, South Korea, Germany, Malaysia and the Czech Republic, Microsoft said.
The company's MSRT is a simple security tool that scans a PC and can remove some malicious software. It is far short of a full antivirus suite, but Microsoft has invested in supporting the tool to help remove some of the most flagrant and nagging malicious software affecting Windows PCs and servers.
The company is recommending that administrators make the passwords for shared networks stronger and then run a MSRT scan.
Infected computers, however, may not be able to access Windows Update, the built-in update tool for Windows. Microsoft has given instructions for how to download the MSRT with a clean machine and then distribute MSRT.
Many companies throughout Europe have seen Conficker rapidly spread on their networks over the last few weeks, said Mikko Hypponen, chief research officer for the Finnish security company F-Secure.
F-Secure has analyzed the malware and found it contains an algorithm that generates domain names for command-and-control servers. The malware authors can then turn one of those domain names into a live Web site where the infected PCs report to for updated malware or instructions, he said.
The technique has been used by other botnets, such as Mebroot. It's very difficult to shut down the command-and-control Web sites, since it's hard to know which ones of hundreds could potentially go live, Hypponen said.
"It's a pretty nasty mechanism," Hypponen said.
F-Secure has registered some of those domain names generated by the algorithm to try to get an estimate of how many computers may be infected. On Tuesday, the number stood at more than 2.5 million. On Wednesday, Hypponen said F-Secure has seen more than 3.5 million machines polling the registered domain name for instructions. But F-Secure analysts think the real number of infected machines could be much higher.
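The two activities described above, registering algorithmically generated names ahead of the malware and counting what polls them, are easy to reason about with a small script. The following is an added illustration, not F-Secure's tooling and not Conficker's real algorithm: the resolver log format, the sample client addresses, the sinkholed names and the heuristic thresholds are all constructed assumptions.

```python
"""Sinkhole telemetry and DGA-style name spotting over a constructed DNS log.

Added illustration, not F-Secure's tooling and not Conficker's real algorithm:
the log format, the domain names and the heuristic thresholds are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<date> <time> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2009-01-13 08:00:01 10.1.4.22 qmxzkptbhw.info
2009-01-13 08:00:02 10.1.4.22 www.example.com
2009-01-13 08:00:05 10.1.7.9 qmxzkptbhw.info
2009-01-13 08:01:10 10.2.0.3 fvkzqhtjr.biz
2009-01-13 08:01:11 10.1.4.22 mail.example.com
2009-01-14 08:00:03 10.1.4.22 dqhwltmzpk.net
2009-01-14 08:00:04 10.3.3.3 dqhwltmzpk.net
2009-01-14 08:00:07 10.1.7.9 dqhwltmzpk.net
2009-01-14 09:00:00 10.9.9.9 intranet.example.com
"""

# Names a defender registered ahead of the malware (constructed placeholders).
SINKHOLED = {"qmxzkptbhw.info", "dqhwltmzpk.net"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Yield (date, client_ip, normalised_name) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, _time, ip, name = m.groups()
            yield date, ip, name.lower().rstrip(".")


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=8, max_vowel_ratio=0.25, min_entropy=3.0):
    """Heuristic for algorithmically generated labels: long, few vowels, high entropy.
    Thresholds are assumptions; tune them against your own zone's benign names."""
    label = name.split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (vowels / len(label) <= max_vowel_ratio
            and shannon_entropy(label) >= min_entropy)


def sinkhole_census(log):
    """Distinct client IPs per day that resolved a sinkholed name.
    Counts addresses, not machines: NAT hides hosts behind one address and
    dynamic addressing can count one host twice, so treat the figure as a floor."""
    seen = defaultdict(set)
    for date, ip, name in parse(log):
        if name in SINKHOLED:
            seen[date].add(ip)
    return {date: len(ips) for date, ips in seen.items()}


def suspicious_queries(log):
    """Queried names that trip the DGA heuristic, for analyst review."""
    return sorted({name for _, _, name in parse(log) if looks_generated(name)})


if __name__ == "__main__":
    print(sinkhole_census(SAMPLE_DNS_LOG))
    print(suspicious_queries(SAMPLE_DNS_LOG))
```

The census function is why the article's figures rise from day to day and why F-Secure's analysts say the real number could be higher: one address can hide many infected hosts behind a NAT gateway, and the same host can appear under two addresses. The entropy and vowel-ratio heuristic is a coarse first filter for names that deserve a look, not an identification of any particular family.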
Other than infecting computers, Hypponen said F-Secure hasn't seen other malicious activity from Conficker.B's network of computers. However, those machines form a massive botnet that could be used for other havoc.
An earlier version of Conficker tampered with a PC's DNS (Domain Name System) settings. That can cause a computer to visit a different Web site than the one shown in a browser's address box.
Hypponen said in those instances, Conficker redirected users from Google.com to Russian Web sites stuffed with advertisements. The tampering also caused advertising pop-ups to appear. In both examples, Conficker's controllers could be directing masses of traffic on those advertisements in order to generate fraudulent revenue, he said.
F-Secure also undertook difficult engineering and created its own tool for removing Conficker, which F-Secure has dubbed "Downadup."
Flaw found in Safari for Windows
A flaw in Apple's Safari browser for Windows could be exploited by hackers in a bid to steal personal information from Web surfers, says an open source software developer.
According to Brian Mastenbrook, the flaw can only be exploited when Safari interacts with RSS feeds.
"Safari ... is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention," Mastenbrook said in a blog.
Mastenbrook, who says that Mac OS X 10.5 users are also affected even if they are not using the Safari browser, advises users to switch browsers until Apple issues a fix for the bug.
PC Advisor is an InfoWorld affiliate.
Researchers aim for cheap peer-to-peer zero-day worm defense
Shutting down zero-day computer attacks could be carried out inexpensively by peer-to-peer software that shares information about anomalous behavior, say researchers at the University of California at Davis.
The software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behavior, says Senthil Cheetancheri, the lead researcher on the project, which he undertook as a grad student at UC Davis from 2004 to 2007. He now works for SonicWall.
The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was, he says. If many machines experience the identical traffic, that increases the likelihood that it represents a new attack for which the machines have no signature.
The specific goal would be to detect self-propagating worms that conventional security products have not seen before.
"It depends on the number of events and the number of computers polled, but if there is a sufficient number of such samples, you can say with some degree of certainty that it is a worm," Cheetancheri says. For that decision, the software uses a well-established statistical technique called sequential hypothesis testing, he says.
The detection system is decentralized to avoid a single point of failure that an attacker might target, he says.
The task then becomes what to do about it, he says. In some cases, the cost of a computer being infected with a worm might be lower than the cost of shutting it down, in which case it makes sense to leave it running until a convenient time to clean up the worm, he says.
In other cases, the cost to the business of the worm remaining active might exceed the cost of removing the infected machine from the network, he says.
That cost-benefit analysis would be simple to carry out, he says, but network executives would have to determine the monetary costs and enter them into the software configuration so it can do its calculations.
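The two pieces described above, a sequential hypothesis test over the replies of randomly polled peers and a cost comparison that decides whether to pull an infected host off the network, fit in a few dozen lines. What follows is an added illustration of that scheme using Wald's sequential probability ratio test; it is not the UC Davis prototype, and the per-peer probabilities, the tolerated error rates and the monetary costs are assumptions a network administrator would replace with their own.

```python
"""Sequential hypothesis testing over peer replies, plus a cost-based response.

Added illustration of the scheme the article describes; it is not the UC Davis
prototype. The probabilities, error rates and costs below are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SprtConfig:
    p_worm: float = 0.7    # P(a polled peer saw the same traffic | worm)  (assumed)
    p_benign: float = 0.1  # P(a polled peer saw the same traffic | benign)  (assumed)
    alpha: float = 0.01    # tolerated false-alarm rate
    beta: float = 0.05     # tolerated miss rate


def sprt(observations, cfg=SprtConfig()):
    """Wald's sequential probability ratio test.

    observations: one boolean per randomly chosen peer, True if that peer
    reported the identical anomalous traffic. Returns (verdict, peers_used)
    where verdict is 'worm', 'benign' or 'undecided' (keep polling).
    """
    obs = list(observations)
    upper = math.log((1 - cfg.beta) / cfg.alpha)   # accept 'worm' at or above this
    lower = math.log(cfg.beta / (1 - cfg.alpha))   # accept 'benign' at or below this
    step_yes = math.log(cfg.p_worm / cfg.p_benign)
    step_no = math.log((1 - cfg.p_worm) / (1 - cfg.p_benign))
    llr = 0.0  # running log-likelihood ratio of worm vs benign
    for n, saw_it in enumerate(obs, 1):
        llr += step_yes if saw_it else step_no
        if llr >= upper:
            return "worm", n
        if llr <= lower:
            return "benign", n
    return "undecided", len(obs)


@dataclass(frozen=True)
class CostConfig:
    disconnect: float           # cost of taking the host off the network now
    infected_per_hour: float    # cost per hour of leaving an infected host up
    hours_until_cleanup: float  # time until a convenient cleanup window


def choose_response(verdict, costs):
    """Disconnect only when leaving the worm running costs more than the outage."""
    if verdict != "worm":
        return "keep_running"
    cost_of_waiting = costs.infected_per_hour * costs.hours_until_cleanup
    return "disconnect" if costs.disconnect < cost_of_waiting else "keep_running"


def decide(observations, sprt_cfg=SprtConfig(),
           costs=CostConfig(disconnect=500.0, infected_per_hour=20.0,
                            hours_until_cleanup=8.0)):
    """Full pipeline: poll verdict, then the configured cost trade-off."""
    verdict, n = sprt(observations, sprt_cfg)
    return verdict, n, choose_response(verdict, costs)


if __name__ == "__main__":
    # Constructed peer replies: three peers in a row saw the same traffic.
    print(decide([True, True, True]))
```

With the assumed numbers the test needs only three agreeing peers to declare a worm and three disagreeing peers to clear the traffic, while a mixed run stays undecided and keeps polling; the error rates alpha and beta set those thresholds, which is what makes the number of peers to poll a property of the configuration rather than something a human decides per event.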
End users would not program or modify the core detection engine, he says. "We don't want to have humans in the loop," he says.
He and his fellow researchers have set up an experimental detection engine, but it would have to be modified to run on computers in a live network without interfering with other applications and without being intrusive to end users, Cheetancheri says.
So far no one he knows of is working on commercializing the idea.
The software would be inexpensive because it would require no maintenance other than to enter the cost of each computer being disconnected from the network.
Network World is an InfoWorld affiliate.
Google unwraps Apps partner program
Google on Wednesday detailed a new program under which resellers can now offer Google Apps to businesses -- effectively meaning that companies considering the alternative to Microsoft Office don't have to go it alone. But the search giant has yet to prove its strength in supporting a partner ecosystem that could bring enterprises much needed assurances.
"This is a natural evolution of where Google Apps is," says Stephen Cho, director of Google Apps channels. In the two years since Google launched its productivity applications, Cho continues, Google has made progress with enterprise features and SLAs and gotten more than 1 million businesses aboard.
With the new program, Google intends to offer the resellers training, support, and tools for integrating Google Apps into customers' infrastructures, including APIs for tasks such as directory synchronization, migration, reporting, and single sign-on. Resellers, in turn, can bundle in their own services and support and maintain a direct relationship with customers.
Cho explains that this partner program was built from the ground up, SaaS style, so Google hosts all the tools resellers can use. He also points to Google's acquisition of Postini, which already had a robust channel in place. "We've taken lessons from that to bring this new reseller program into play."
But Philbert Shih, analyst with Tier1 Research, is skeptical. "Google does not have a lot of experience working with partners. I've not seen the groundwork, a foundation, for keeping them up to date," Shih says. "Will the resellers have expertise in Google products? I don't think Google can just hand off support and services."
What's more, "part of the appeal of Google is the no-install proposition and the fact that the apps are pretty intuitive," explains Jim Murphy, research director at AMR Research.
That said, Murphy expects that down the line, companies tapping Google Apps will look to partners for help employing and integrating processes, particularly those that interact with Microsoft Office. "Enterprises need reassurance about things such as privacy and security," qualities that signing on with a reseller can bring.
Of the large-enterprise customers Murphy speaks with on a daily basis, in fact, many are currently discussing a five-year plan for collaboration, a gradual evolution that often begins with Gmail and eventually includes other Google Apps. "For some companies, the SaaS model is a way of isolating that move from the unpredictable costs of being able to support all this stuff. Going with Google, which provides the infrastructure, can relieve those headaches," Murphy explains, adding that "it could also stifle the growth of Microsoft Office."
Microsoft, for its part, is simultaneously working on packaged and hosted editions of Office, the next tentatively dubbed Office 14. Although officials have offered little detail, Microsoft did say that Office 14 will include lightweight Web versions of Excel, PowerPoint, and Word offered via its Office Live Workspace service. Sources this week speculated that Office 14 will not ship alongside Windows 7 and may not become available until 2010.
In the meantime, Web-based applications not only from Google but also from Adobe, IBM, and Zoho, among others, are gaining purchase in small businesses. However, they have failed thus far to gain enterprise adoption, according to a report Forrester Research put out last week: "Companies use Word out of habit, not necessity."
Google's U.S. partners consist of SADA Systems, Excel Micro, Horizon Info Services, Cloud Sherpas, and others, including providers from 25 countries. The company is also working to sign up Capgemini, which is already a partner in another Google program. "There are other recognizable names we're in advanced discussions with," Google's Cho says.
IT learns to do less with less, Gartner survey says
Forget "doing more with less" -- that's the IT mantra of yesteryear. Now IT departments are making better use of their resources, and though they're not necessarily doing more things, they are going about their tasks differently, according to findings from a Gartner survey released today. "They're working smarter, not harder," says analyst Mark McDonald.
Gartner surveyed more than 1,500 CIOs through December 2008 to find out how they're rising to the financial challenges of 2009. The key finding is that IT budgets largely will remain flat, which makes sense; because the average IT budget is 4 percent of sales, a 10 percent cut in IT spending doesn't save very much, McDonald says. But if the IT budget is used to restructure the other 96 percent of revenue, savings can be much higher.
A shakeup in IT priorities
That's why CIOs are now shaking up IT resources, instead of trying to squeeze out a little more than before. The Gartner survey found that in 2008, CIOs had spread resources across all divisions, so they could deliver something to everyone. But now, many CIOs are concentrating each quarter on only a couple of projects that deliver results quickly, such as retiring old systems, consolidating duplicate CRM or reporting systems, and changing the cost structure within IT processes.
If this strategy change means some divisions won't receive benefits for a while, so be it. "If I try to pursue five or six initiatives simultaneously in this environment, chances are conditions will change and render half of them irrelevant," McDonald says.
Projects that take priority are also ones with an internal focus, such as reducing costs and improving business processes. External-facing projects such as attracting and retaining customers and creating new products or services -- formerly top IT priorities -- are less important. "With companies' ability to predict revenues increasingly challenged, the best thing you can do is get strong operational control," McDonald says.
Companies are reprioritizing projects around certain technologies, such as storage, cloud computing, virtualization, security, and niche analytics. The Gartner survey finds that CIOs are looking closely at using technology they already have rather than evaluating new technology to purchase.
However, they are also looking at cheap Web 2.0 tools to fill collaboration gaps and even free up middle management's time. "The collaboration, coordination, and discussions that can happen via Web 2.0 normally would have been done in facilitated group meetings with middle management connecting people together," McDonald says.
CIOs not willing to support their IT staff's skills
Because resources for discretionary projects likely will be reallocated, IT staff members on those projects face some risk. While the Gartner survey didn't ask about staff reductions, IT staff represents about a third of the budget -- "and, in some regards, it's the easiest part to change," admits McDonald.
With so much change going on, an IT staff needs to be like a well-tuned SWAT team: adaptive, fast, and able to handle uncertainty. Yet the Gartner survey shows many CIOs don't see the need to help their teams act this way. Improving the skills of their staff is only the eighth-highest priority among surveyed CIOs, falling from their third-highest priority in 2008. "We think CIOs are making a significant mistake in believing that they can achieve the kind of results they're looking for without investing in their people," says McDonald.
Engine Yard powers SOA for the cloud
Engine Yard, which has specialized in Ruby on Rails application-hosting, is introducing Wednesday a platform to extend SOA to the cloud. The company also is extending its Rails stack to the Amazon Web Services (AWS) cloud platform, for quicker deployment of Engine Yard customer applications.
Technologies being unveiled include Vertebra, an open source SOA platform for developing and managing secure cloud applications, and Solo, a deployment service to run the Engine Yard Rails stack on Amazon's system.
Vertebra is intended to orchestrate communication and coherent operations among autonomous agents in many clouds, the company said. The service "future-proofs" for the clouds of tomorrow, according to Engine Yard. Featured is a framework for building cloud-specific applications.
"Vertebra is a way of breaking down applications into small components that can run across many, many servers, and the work can be dispatched across those servers," said Tom Mornini, CTO at Engine Yard. Applications can be sent to servers responsible for the data related to those applications, he said.
Distributed, real-time applications can be built via Vertebra, Engine Yard said. The platform can embrace differences of many clouds and automate processes and application management. The service is initially built to manage customer applications running on the Engine Yard cloud.
Features include XMPP (Extensible Messaging and Presence Protocol) infrastructure, which supports instant messaging (IM). Also highlighted are a security and discovery agent to manage security policy and a process automation agent to orchestrate operational tasks involving machines and people.
An analyst lauded the IM technology in Vertebra.
"I think [Vertebra is] very innovative and it's an interesting use of IM for machine-to-machine communication," said Jay Lyman, open source analyst at The 451 Group. The open source nature of Vertebra also could help it, he added. Engine Yard said it is using XMPP for distributed communications.
Other features include a system provisioning registry for applications to become self-organizing and a federated design enabling applications to operate seamlessly similar to e-mail. Distributed auditing/logging and job control are offered as well.
Vertebra initially supports Ruby and Erlang, but other languages will be added. An early release of Vertebra is available for download on Wednesday, licensed under the GNU Lesser General Public License. Engine Yard intends to offer commercial management tools for Vertebra.
With Solo, users can access Engine Yard's capabilities for deploying Ruby on Rails applications and Amazon's cloud infrastructure. While Solo deploys applications on a single virtual machine, a planned follow-up tentatively named Flex would expand deployments to additional virtual machines. Solo enables Engine Yard to deploy applications faster; it is priced at $129 per month for a single virtual machine.
Currently, the Engine Yard stack runs on Engine Yard's own hosting infrastructure and has more than 400 customers.
"On Wednesday, we are allowing our customers to choose to use [the] Engine Yard Rails stack and a new fully automated deployment model based on AWS resources," Mornini said.
"[Amazon has] a lot more scale than we do and can provide more resources at a lower cost point than we can internally," he said. But customers still can leverage the Engine Yard stack for Ruby on Rails deployments, Mornini explained.
Engine Yard's Ruby on Rails capabilities include Web site functionality around application deployment as well as support. Featured is an application-centric viewpoint that accommodates dependencies on other applications, such as PHP applications.
While Engine Yard offers customers perhaps 100 virtual machines, Amazon can offer thousands, Mornini said.
Solo will be available on the Amazon Elastic Compute Cloud (EC2) on January 28 for $129 per month as the starting price. Plans call for eventually extending the offering to other cloud platforms as well.
Microsoft issues first Windows 7 beta patch
Microsoft issued its first patch for the just-released Windows 7 beta on Tuesday, but it passed on plugging a hole in an important file-sharing protocol that it fixed in older versions of the operating system.
Earlier Tuesday, Windows Update, Microsoft's primary update service, began delivering the first patch to Windows 7 since the company struggled to launch the public beta last Friday. The update fixes a flaw that shaves several seconds of audio from any MP3 file that's edited, including files modified automatically as users connect to the Internet.
"Without action on your part, all MP3 files that have large headers in your Windows Media Player and Windows Media Center libraries are likely to lose some audio," Microsoft said in the support document it published Saturday, several days after it first posted the fix to its MSDN and TechNet subscription services.
Before Tuesday, users who wanted to apply the fix had to find it, download it manually and install it themselves.
Microsoft also recommended that users back up all MP3 files before doing an upgrade to Windows 7 from Windows Vista, and that they set all of them to "read-only" status by right-clicking each file in Windows Explorer and then clicking the General tab and selecting the "Read-only" box. Failing that, users should disable metadata automatic updates in Windows Media Player, Microsoft said.
At the same time that it quashed the MP3 bug, however, Microsoft ignored a vulnerability in the Server Message Block (SMB) protocol that affects every version of Windows, including Windows 7.
Microsoft explained why the flaw went unfixed. "We provide security updates for beta versions of Windows through Windows Update for Critical issues only," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC), in a post to the group's blog Tuesday. "So the vulnerability will be addressed in the next public release for Windows 7."
Of the three bugs patched by the MS09-001 security update today, just one is pertinent to Windows 7, Budd added. That vulnerability, designated as CVE-2008-4114, is a denial-of-service bug rated "moderate," the second step in Microsoft's four-level scoring system.
The remaining two vulnerabilities -- both labeled "critical" by Microsoft -- affect Windows 2000, XP and Server 2003; one of them also affects Windows Vista and Server 2008.
Windows 7 beta, which was released Saturday, will be available for download through at least Jan. 24.
Computerworld is an InfoWorld affiliate.
Microsoft patches 'super nasty' Windows bugs
Microsoft Corp. on Tuesday patched three vulnerabilities in the company's Server Message Block (SMB) file-sharing protocol, including two that could make "swiss cheese" out of enterprise networks, according to one researcher.
"This is super nasty," said Eric Schultze, the chief technology officer at Shavlik Technologies LLC, who also called today's update "super critical" as he rang the alarm. "Expect to see a worm on this one in the very near future, [because] this is Blaster and Sasser all over again."
Those two worms, 2003's Blaster and 2004's Sasser, wreaked havoc worldwide as they spread to millions of Windows machines.
Of the three bugs outlined in the MS09-001 security bulletin, two were rated "critical," the most serious ranking in Microsoft's four-step scoring system, while the third was pegged "moderate."
The pair pegged as critical are extremely dangerous because attackers can exploit them simply by sending malformed data to unpatched machines, Schultze continued. "These flaws enable an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer [with] no credentials required," he said. "The only pre-requisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS ports, TCP 139 or TCP 445. By default, most computers have these ports turned on."
Much the same situation led to Blaster and Sasser, Schultze noted. "More people have blocked those ports, and more personal firewalls block them by default, but they are typically left open in a corporate network."
Amol Sarwate, manager of Qualys Inc.'s vulnerability lab, agreed. "The ports are always open [in the enterprise] and no user intervention is needed," he said. "This is nasty."
Today's update affects all currently supported versions of Windows, including Windows 2000, XP, Server 2003, Vista, and Server 2008, Microsoft noted, although the newer editions -- Vista and Server 2008 -- are immune from one of the two critical vulnerabilities. The second critical bug, also wormable from Schultze's and Sarwate's perspectives, is rated as moderate for Vista and Server 2008 because those two operating systems have file sharing disabled by default.
That, and other mitigating circumstances, must be why Microsoft gave the three bugs its lowest exploitability index rating, even though two carried critical severity rankings, said Andrew Storms, director of security operations at nCircle Network Security Inc.
"This might be the first time that Microsoft has labeled a critical vulnerability all the way down to '3' on the exploitability index," said Storms, talking about Microsoft's relatively new practice of predicting the likelihood of attackers coming up with successful exploits in the coming month. Microsoft tagged all three of today's bugs with a "3" on its exploitability index. According to the company, a "3" means "functioning exploit code is unlikely."
"I'm guessing that they determined that the default configuration [of the software] and the default configuration of the [Windows] firewall are going to mitigate a huge amount of any potential exploitation," said Storms.
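The two conditions the researchers quoted above keep returning to are an open path to TCP 139 or 445 and the fan-out pattern of a Blaster- or Sasser-style worm hopping from host to host over those ports. Both are visible in ordinary firewall or flow records, so here is an added illustration of checking for them; it is not Shavlik's, Qualys's or nCircle's tooling, and the record format, the corporate address range, the sample addresses and the alert thresholds are constructed assumptions.

```python
"""Spotting SMB exposure and worm-like SMB fan-out in constructed flow records.

Added illustration, not any vendor's tooling. The record format, the corporate
address range, the sample addresses and the alert thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

# Constructed firewall/flow log: "<iso-time> <src> <dst> <dport> <action>"
SAMPLE_FLOWS = """\
2009-01-13T10:00:01 10.1.1.5 10.1.1.20 445 ALLOW
2009-01-13T10:00:02 10.1.1.5 10.1.1.21 445 ALLOW
2009-01-13T10:00:02 10.1.1.5 10.1.1.22 445 ALLOW
2009-01-13T10:00:03 10.1.1.5 10.1.1.23 445 ALLOW
2009-01-13T10:00:03 10.1.1.5 10.1.1.24 445 ALLOW
2009-01-13T10:00:04 10.1.1.5 10.1.1.25 139 ALLOW
2009-01-13T10:00:09 10.1.1.8 10.1.1.40 445 ALLOW
2009-01-13T10:00:10 203.0.113.7 10.1.1.40 445 ALLOW
2009-01-13T10:00:11 203.0.113.7 10.1.1.41 445 DENY
2009-01-13T10:00:12 10.1.1.8 10.1.1.40 80 ALLOW
"""


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def parse_flows(text):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        yield {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
               "dport": int(dport), "action": action.upper()}


def exposed_smb_from_internet(text):
    """Accepted inbound 139/445 from outside the corporate ranges: the one
    prerequisite the researchers above say a remote attack needs."""
    hits = {(f["src"], f["dst"], f["dport"]) for f in parse_flows(text)
            if f["dport"] in SMB_PORTS and f["action"] == "ALLOW"
            and not is_corporate(f["src"]) and is_corporate(f["dst"])}
    return sorted(hits)


def smb_fanout(text, threshold=5, window_seconds=60):
    """Internal sources that reached >= threshold distinct hosts on SMB ports
    within any window_seconds span, the spread pattern of a network worm."""
    events = defaultdict(list)
    for f in parse_flows(text):
        if f["dport"] in SMB_PORTS and is_corporate(f["src"]):
            events[f["src"]].append((f["ts"], f["dst"]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            in_window = {d for t, d in evs[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print("exposed:", exposed_smb_from_internet(SAMPLE_FLOWS))
    print("fan-out:", smb_fanout(SAMPLE_FLOWS))
```

On the sample data the first check surfaces the one accepted connection from a non-corporate address to port 445, which is exactly what the researchers say is "typically left open in a corporate network" and what the default Windows firewall configuration mitigates on a single host; the second flags the internal host that touched six different machines on SMB ports inside a few seconds. A file server legitimately contacted by many clients shows up as a destination, not a source, so the fan-out check keys on the source address.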
This is not the first time in recent memory that Microsoft has patched the SMB protocol. In November, it fixed an SMB flaw that had been first disclosed more than seven years earlier. And in October, it patched a less dangerous buffer overflow bug in SMB.
"That's three in four months," said Storms, "and points to a pattern." He speculated that researchers who reported this month's vulnerabilities used information disclosed in the last two SMB updates to find these newest flaws.
Some researchers paid nearly as much attention to what Microsoft did not patch today as what it fixed.
"I definitely expected a patch for SQL Server by now," said Wolfgang Kandek, Qualys' chief technology officer. "I'm not sure what's happening here, but until last week, we were all geared up for that fix."
Last month, Microsoft acknowledged a critical vulnerability in older versions of its widely used SQL Server database software, and said attack code had been released. It has not fixed the flaw, however.
A day later, Microsoft confirmed that it started work on the SQL vulnerability in April 2008, but declined to say whether it has had a patch ready since September, as an Austrian security researcher alleged.
"I think there's certainly the potential for Microsoft to go 'out-of-band' on this," said Schultze from Shavlik, referring to the rare practice where Microsoft issues a security update outside of its once-a-month schedule. "Microsoft's getting enough heat about it for that to happen."
But his more immediate concern remained the SMB bugs Microsoft patched today. "If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly," Schultze said.
Computerworld UK is an InfoWorld affiliate.
Read More ...
Satyam fraud has ramifications for outsourcers
The financial fraud perpetrated by Satyam Computer Services executives could trigger near-term disruptions across the outsourcing and IT industries. Ramalinga Raju, the company's founder and chairman, resigned last week. He has admitted to inflating Satyam's cash balances and the credit amounts it was owed while understating its liabilities. This scandal has many ramifications for Satyam's customers as well as those of other outsourcing companies.
[ InfoWorld bloggers Ephraim Schwartz and Martin Heller weigh in -- with differing opinions -- on what the Satyam debacle means for the future of outsourcing. | Keep up on the latest tech news headlines at InfoWorld News, or subscribe to the Today's Headlines newsletter. ]
1. The challenges of transitioning Satyam's services to new vendors
As of this writing, the viability of business-continuity efforts under way at Satyam (including a government takeover of the company's board and rumors of a bailout) remains highly uncertain. Following last week's announcement of the fraud, some Satyam customers have started shifting engagements to other outsourcing vendors. However, the inherent challenges of transferring processes between vendors -- a complex undertaking under ordinary circumstances -- will be compounded by the following potential conditions:
-- Transition timelines that are inordinately compressed because of Satyam's questionable longevity
-- Contractual disputes regarding the exercise of termination rights
-- Inaccessibility to a legacy vendor preoccupied with its preservation
Accordingly, customers should prepare for exceptional disruptions to steady-state services during vendor transition, particularly if Satyam had been the single source for such services. These challenges may be compounded further if Indian vendors observe recent requests from the influential trade organization Nasscom to refrain from hiring Satyam employees.
2. The emergence of build-operate-transfer programs in response to challenges with captive entities
Satyam customers that currently operate captive entities in India may wish to have these entities hire the Satyam personnel engaged on their accounts. However, such efforts may run afoul of the customers' contractual nonsolicitation obligations to Satyam, and renegotiations of these provisions, if protracted, would not be feasible.
Furthermore, Satyam customers that do not currently operate captive entities in India are likely to find that there is insufficient time to create such operations. In response to these limitations, the industry may turn to "build-operate-transfer" agreements, under which new outsourcing vendors would hire the Satyam employees (in a manner that does not breach their customers' nonsolicitation obligations) to operate the outsourced services for a defined period, after which the outsourced operations may be transferred to captive entities of the respective customers.
3. Disruptions to customers of other outsourcing vendors
The disruption of outsourced services will not be limited to Satyam's customers: Current customers of other outsourcing vendors can also expect near-term impacts on their outsourced operations. Apart from the inevitable strains to these vendors' infrastructures as they accommodate business from Satyam, customers may see the most experienced and skilled personnel on their engagements reassigned to the transition of former Satyam accounts. In addition to vigilantly monitoring service-level agreements, existing customers may mitigate such disruptions by exercising their contractual protections regarding personnel experience requirements, skill sets and attrition rates.
4. Opportunities for multinational vendors
Apprehensions regarding the financial standards of "India Inc." might benefit multinational outsourcing vendors, which are positioned to proffer outsourced services from India free of negative perceptions regarding that country's financial controls. Following Satyam's announcement, Indian vendors have taken measures to dispel customer concerns, and in the long term, the scandal may benefit India's outsourcing industry by accelerating the maturation of financial controls. However, in the immediate aftermath of the scandal, the likes of IBM, Accenture, Oracle, and SAP appear well positioned to acquire work from Satyam as well as newer customer opportunities.
5. Re-evaluation of Sarbanes-Oxley compliance by outsourcing customers
The Satyam developments may raise concerns for public-company filers regarding their compliance with Sarbanes-Oxley Act provisions pertaining to outsourced operations. Under guidance from the SEC and the Public Company Accounting Oversight Board (PCAOB), customers have generally relied upon SAS 70 reports prepared by the vendors' auditors in order to attest to the financial controls over the outsourced operations. The apparent failure of Satyam's internal controls may raise uncertainty regarding continued reliance on such reports, and with 10-K season approaching, outsourcing customers may seek further guidance from the SEC. It remains to be seen if these developments will, in the longer term, trigger a reassessment of the SAS 70 standard and reliance on same by the PCAOB and/or SEC.
6. The potentially misleading "admission" letter may raise unwarranted concerns regarding the financial viability of offshore outsourcing
Apprehensions have been voiced regarding whether the Satyam scandal is a "one-off" or a precursor to future failures of outsourcing vendors. In his letter of resignation last week, Raju claimed that he inflated Satyam's earnings in order to conceal margins that were dramatically below industry norms. However, as many commentators have observed, there is reason to believe that this "admission" itself is misleading and that Satyam's cash shortfall will be traced not to any deficiencies in the company's revenue model, but rather to self-dealing. Accordingly, for all of the gratuitous disruptions it has caused to the outsourcing industry, it does not appear that the Satyam scandal will discredit the industry's financial viability.
Shaalu Mehra is a partner at law firm Perkins Coie LLP and chairman of the firm's outsourcing and India practices. He can be reached at SMehra@perkinscoie.com.
Computerworld is an InfoWorld affiliate.
Read More ...
Obama set to tap Julius Genachowski for FCC head
According to reports in the Wall Street Journal and other major media outlets, President-Elect Barack Obama is set to name Julius Genachowski, a Harvard classmate and top technology campaign advisor, as chairman of the FCC.
Genachowski was chairman of the Obama committee that created the campaign's Technology and Innovation Plan, which makes a direct call for network neutrality.
[ Related: Net neutrality advocates have been calling on Obama to act quickly to prevent broadband providers from blocking access to Internet content. ]
"Barack Obama strongly supports the principle of network neutrality to preserve the benefits of open competition on the Internet," according to the report.
Unfortunately, even the definition of net neutrality is mired in controversy, with some proponents of the concept saying any form of QoS (Quality of Service) fees from ISPs and carriers is discriminatory, giving only those who can afford to pay higher access fees the right to full broadband access. Opponents say QoS is required to accommodate multimedia technologies that include video and television content, which hogs bandwidth and slows down access for the majority of Web users.
The innovation plan, as designed by Genachowski and his group, appears to address some of these issues:
"Barack Obama supports the basic principle that network providers should not be allowed to charge fees to privilege the content or applications of some web sites and Internet applications over others."
Other components of the plan call for encouragement of diversity in media ownership by "promoting the development of new media outlets for expression of diverse viewpoints."
The plan also calls for giving parents tools to prevent viewing of programming they might find objectionable.
In addition, the plan states that it supports protection of privacy through "restrictions on how information may be used and technology safeguards to verify how the information has actually been used."
Before working for the Obama campaign, Genachowski was a co-founder of VC firms LaunchBox Digital and Rock Creek Ventures. He also served on the boards of The Motley Fool, Website Pros, and Mark Ecko Enterprises.
During the Clinton administration, Genachowski served as a general counsel to the chairman of the FCC.
Read More ...
Microsoft brings fault-tolerant technology to Windows
Microsoft and Marathon Technologies last week unveiled a partnership and a joint development agreement to bring fault-tolerant options to companies running Windows Server 2008 and Hyper-V.
Microsoft is moving to create a more highly available Windows environment by offering a selection of options to protect business-critical applications.
[ Discover the winning hardware and software products in InfoWorld's 2009 Technology of the Year Awards. ]
Marathon offers a fault-tolerant platform that supports Windows called everRun. The vendor will offer support for Windows Server 2008 before the end of June and for a version of Hyper-V that will ship in a future edition of Windows Server. Microsoft officials would not confirm whether it would be the next version after Windows Server 2008 R2, which went into beta last week.
Marathon and Microsoft officials said integration with System Center management tools is also in development.
Marathon's everRun has its own management component.
Windows Server 2008 includes failover clustering, but Marathon adds a level of fault tolerance that includes options for minimal downtime or none at all.
The two companies plan to combine development efforts in building a platform so fault tolerance and high availability can be built on Hyper-V.
"That provides the platform element that other partners could [build on]," says Mike Schutz, director of product management for the Windows server division at Microsoft.
Marathon supports Citrix Xen Hypervisor and the company said once the Hyper-V support ships, everRun will work across both platforms to create a single fault-tolerant environment.
The fault tolerance will come in three levels: the failover clustering shipping in Windows Server 2008; a component-level fault tolerance via everRun that protects storage and system components with little or no down time; and an everRun system level setting that ensures availability, including memory for applications that require zero downtime.
Network World is an InfoWorld affiliate.
Read More ...