Sunday, February 1, 2009

IT News HeadLines (InfoWorld) 01/02/2009



UAC fix in Windows 7 creates security hole, blogger says

A change that Microsoft made in Windows 7 to improve its controversial UAC (User Account Control) security feature has left the new OS less secure, according to a blogger who follows Microsoft closely.


Microsoft made the change to UAC, a feature that was introduced with Windows Vista, to make it more user-friendly in Windows 7. But the change has allowed for "a simple but ingenious override" that disables UAC without any action on the part of the user, according to the I Started Something blog written by longtime Microsoft watcher Long Zheng.


Microsoft added UAC to Vista in an effort to improve its security and give people who are the primary users of a PC more control over its applications and settings. UAC prevents users without administrative privileges from making unauthorized changes to a system. But because of how it was set up in Vista, UAC sometimes prevents even authorized users from being able to access applications and features they should normally have access to.

It does this through a series of screen prompts that ask the user to verify privileges, and it may require them to type in a password to perform a task. This can interrupt people's workflow, even during some mundane tasks, unless they are set as Local Administrator. The UAC prompts became so problematic that Apple even spoofed them in a television commercial, and Microsoft vowed to improve the feature in Windows 7.

Windows 7 is still in beta and not expected to ship until late this year or early next. Microsoft released the beta earlier this month and outlined the changes to UAC on the Engineering Windows 7 blog.

The changes revise the UAC's default setting, and that is where the security risk lies, according to Zheng.

As he explained in his post, UAC's default setting in Windows 7 is to "Notify me only when programs try to make changes to my computer" and "Don't notify me when I make changes to Windows settings."

UAC distinguishes between a third-party program and a Windows setting with a security certificate, and control-panel items are signed with this certificate so they don't issue prompts if a user changes system settings, he wrote.

However, in Windows 7, changing UAC is considered a "change to Windows settings," according to Zheng. This, coupled with the new default UAC security level, means a user will not be prompted if changes are made to UAC, including if it was disabled.

With a few keyboard shortcuts and some code, Zheng said he can disable UAC remotely without the end-user knowing.

"With the help of my developer side-kick Rafael Rivera, we came up with a fully functional proof-of-concept in VBScript (would be just as easy in C++ EXE) to do that -- emulate a few keyboard inputs -- without prompting UAC," he wrote. "You can download and try it out for yourself here, but bear in mind it actually does disable UAC."

Zheng also posted what he said is a workaround for the problem on his blog.

Microsoft said on Friday through its public relations firm that it was looking into the problem and did not have an immediate comment.





Citrix slashing head count

Citrix plans to cut 10 percent of its staff, or about 460 employees, the company said after posting disappointing earnings this week.

The move continues a rash of layoffs affecting the IT industry, with such companies as Sprint, Intel, Microsoft, EMC and IBM axing thousands of jobs.


Citrix is a prominent player in the application delivery market and its Xen-based hypervisor is one of the chief competitors to virtualization market leader VMware. Citrix reported year-end financial results on Wednesday: Revenue rose 14 percent for the year to $1.58 billion and 4 percent in the fourth quarter to $416 million vs. the year-ago quarter, while earnings for the year fell about 17 percent to $178 million and dipped year-over-year for the fourth quarter from $63 million to $60 million.

Citrix CEO Mark Templeton claimed to be pleased with the results, "especially in the face of an extraordinary worldwide environment." But the company said it would consolidate facilities and reduce its global workforce head count, which had been at 4,620 employees as of September.

Citrix said the restructuring is designed to reduce annual employee-related expenses by $50 million, although the employee reduction will result in a charge of $19 million to $23 million, primarily in the first quarter.

With global IT spending expected to decline, the company predicted its revenue would drop 5 percent in the first quarter, which ends March 31. An earnings press release issued by Citrix did not say how long the restructuring will take or how the company's head count will be reduced.

Network World is an InfoWorld affiliate.





Top 10: Singing the financial blues, again

We could just about cut and paste from last week (and the week before), change a few names and figures here and there, and call it a day. Thankfully, quarterly financial reporting is just about wrapped up for a while, and for (American) football fans the annual rite of the Super Bowl is Sunday (scoring it a Top 10 entry because there are, of course, some IT angles).

1. NEC to lay off 20,000 as economy bites and Wall Street Beat: No let up in IT earnings mayhem: NEC is slashing 20,000 employees from its payroll and getting out of some of its business areas as the economy continues to batter IT companies, along with everyone else. This was a big week for quarterly financial reports to roll out, so NEC was far from alone -- Wall Street Beat gives the synopsis for those with the fortitude to check out the link.


2. Google delivers offline access for Gmail: Google is rolling out offline access for Gmail, a long-awaited feature of the popular webmail application. PC World checked out offline Gmail and offered up an assessment that was largely positive.

3. Fannie Mae engineer indicted for planting server bomb: Former Unix engineer Rajendrasinh Babubhai Makwana, 35, was indicted by a U.S. federal court on a charge of computer intrusion related to allegedly planting malicious code on the corporate network at the Federal National Mortgage Association, also known as Fannie Mae. The code allegedly devised and planted by Makwana, who was a contract employee, was meant to "destroy and alter" all data on Fannie Mae servers this Saturday, according to an affidavit filed in the case against him.

4. Click fraud shoots up in Q4, driven by botnets and Google dismisses click-fraud report: Click fraud rose in the fourth quarter of last year to a record high as scammers increasingly -- and in more sophisticated ways -- use botnets, according to Click Forensics. What caught our attention about the first story is that it made note that Click Forensics has had a rancorous relationship with Google. Google has accused Click Forensics in the past of faulty methodology and misleading results that make click fraud seem like a bigger issue than it really is, while Click Forensics has shot back that Google trivializes the problem. But the two companies have seemed to get along better recently. Lo and behold, the day after that story Google publicly took Click Forensics to task for its latest figures.

5. Internet hits major milestone, surpassing 1 billion monthly users: The number of worldwide Internet users topped 1 billion for the first time last month, according to comScore. "Surpassing one billion global users is a significant landmark in the history of the Internet," said comScore President and CEO Magid Abraham. "It is a monument to the increasingly unified global community in which we live and reminds us that the world truly is becoming more flat. The second billion will be online before we know it, and the third billion will arrive even faster than that, until we have a truly global network of interconnected people and ideas that transcend borders and cultural boundaries."

6. Senate votes to delay DTV transition and Chairman: FCC has no coherent plan for DTV: The U.S. Senate voted to delay the transition from analog to digital TV broadcasting across the nation, pushing back the date from Feb. 17 to June 12. The House has yet to vote, but is expected to approve a measure to extend the transition, and the new administration also supports the delay. Millions of TV viewers could be affected by the transition, with some possibly losing broadcast TV signals as a result. A program to provide coupons to help people pay for converter boxes for their TVs ran out of money. Otherwise, the transition has been on the wrong track for a long while, according to acting Federal Communications Commission Chairman Michael Copps, who is running the FCC now that Barack Obama is president. The FCC has no "coherent and coordinated plan" for the transition, Copps charged.

7. With economic slump, concerns rise over data theft: IT decision makers are fretting about the possibility of a surge in data thieves because laid-off employees pose the greatest security challenge. With so many being laid off during the recession, the security threat is expected to rise. (Warning: The next two stories are also related to the woeful economy, though we'll keep the synopses short; for better news skip ahead to 10.)

8. IT pay takes a hit: Salaries for certified and noncertified IT workers dipped at the end of last year and are expected to decline this year as well because of economic doldrums.

9. Silverlight adoption hampered by economic crisis: Tight budgets are cutting into Silverlight adoption, with those in charge of IT budgets less likely to adopt new technologies at times such as these.

10. Tampa preps for Super Bowl with BI tools and Super Bowl XLIII: Tech vendors pass on $3M ad spots: Football fans in colder climes can tune in to the Super Bowl on Sunday in Tampa and enviously watch those lucky enough to have tickets soaking up the warmth of an early February day in Florida. The thousands of people -- many of them sans tickets -- who will jam the city will be tracked by law-enforcement and emergency officials, prepared for worst-case scenarios, using business intelligence tools and specialized software. That's not the only tech angle to the game between the Pittsburgh Steelers and the Arizona Cardinals -- a big part of the Super Bowl fun for TV viewers is checking out the advertisements, but coming up with pithy ads for things such as BI software, for instance, presents a challenge.





AMD set to release DDR3-capable processors

AMD will soon introduce processors that are capable of supporting DDR3 memory, earlier than the company had anticipated.

The company in the next few weeks will launch new processors targeted at desktops that will include DDR3-capable memory controllers, said John Taylor, an AMD spokesman.


Taylor declined comment on specific processors being launched, though a leaked road map suggests the launch of new Phenom II and triple-core processors.

The support for DDR3 memory comes earlier than anticipated. Late last year the company said it aimed to add DDR3-capable Phenom II processors by the middle of 2009, but could push that up depending on factors including pricing of the memory.

Compared to current DDR2-capable processors, the new DDR3-capable chips will allow information from the memory to be communicated to a CPU faster, which translates to better PC performance. To run DDR3-capable processors, the company will introduce the AM3 socket for motherboards.

"The people who want the latest and greatest will want to use DDR3 memory," Taylor said.

AMD's decision to switch to DDR3 memory is to make CPUs faster so it can effectively compete with Intel in the high-end PC and server markets, said Dean McCarron, president of Mercury Research, a market analysis firm.

"When we make changes in PC architecture, it is because it's either faster or cheaper," said McCarron. For AMD, the decision was technical rather than financial, but the enhanced competitiveness could yield a financial benefit to AMD in the long run, McCarron said.

Intel's Core i7 processor for gaming systems, launched in November, already supports DDR3 memory. Intel is also adding DDR3 support to chips for portable products like laptops.

However, given AMD's inherent price advantage compared to Intel's products, price-sensitive buyers may initially oppose the high prices of DDR3 memory modules, McCarron said. As of early January, a 1GB DDR3 memory module running at 1333MHz was priced at $35, versus $12 to $14 per unit for a 1GB DDR2 unit.

"This is completely normal for technology. As the volume ramps, [DDR3 memory prices] will come down," McCarron said.

Motherboard companies like Asus have already announced AM3-compatible motherboards, setting the stage for AMD to launch its new DDR3-capable processors, which could include new Phenom II processors. The new CPUs will include a DDR2- and DDR3-capable memory controller, allowing it to work with older motherboards with DDR2 memory.

AMD earlier this year launched new quad-core Phenom II processors, which the company called its "highest-performing" CPUs to date. Aimed at high-end desktop PCs, the chips ran at speeds of up to 3GHz and included 8MB of cache.

However, the Phenom II chips are capable of even faster clock speeds under certain circumstances. For example, the processors have been overclocked to run at speeds of up to 6.5GHz on liquid-cooled systems and up to 4GHz on air-cooled systems.

AMD remains on track to transition to DDR3 memory support for servers with the Maranello platform in 2010, Taylor said. The Maranello platform includes the six-core Sao Paulo and 12-core Magny-Cours chips.





Microsoft: Next step for Windows 7 is a release candidate

The head of Microsoft's Windows development confirmed Friday that Windows 7 will take the unusual path of moving straight from a single beta, which was launched earlier this month, to a release candidate.

However, Steven Sinofsky, the senior vice president in charge of the Windows engineering group, declined to spell out a timetable for the rest of Windows 7's development. "This is in no way an announcement of a ship date, change in plans, or change in our previously described process," said Sinofsky in a long entry to a company blog early Friday.


Although Microsoft said last year at several hardware conferences that it would jump from a public beta to an RC (release candidate), on Friday Sinofsky fleshed out the plan and hinted that, just as there would be no Beta 2, the company would also not provide an RC2 build.

"At this milestone, we will be very selective about what changes we make between the Release Candidate and the final product, and very clear in communicating them. We will act on the most critical issues," he said. "The point of the Release Candidate is to make sure everyone is ready for the release and that there is time between the Release Candidate and our release to PC makers and manufacturing."

Microsoft usually runs its operating systems through multiple betas and multiple release candidates. It delivered two betas and two release candidates for Windows Vista, for example, during that OS's trouble-plagued development.

But Microsoft has been adamant about speeding up the development process. CEO Steve Ballmer, for instance, famously promised in early 2007 that the company would never again take five years -- the time between Windows XP and Vista -- to roll out a new OS. Company execs have also repeatedly said that Microsoft would deliver Windows 7 within three years of the general availability of Vista, which most analysts have interpreted as no later than early 2010.

The release candidate will, like the beta, be offered to the public, Sinofsky hinted. "We expect, based on our experience with the Beta, a broad set of folks to be pretty interested in trying it out," he said.

While Microsoft last week extended the download deadline of Windows 7's beta by two weeks, interest in the preview was significant enough to overload the company's servers on the originally-scheduled debut date of Jan. 9.

Sinofsky sidestepped any discussion of a delivery date for Windows 7's release candidate, although he sounded optimistic about it. "We're on a good path and we're making progress," he said. "We are taking a quality-based approach to completing the product and won't be driven by imposed deadlines."

As is its practice, Microsoft will not offer the final version -- dubbed RTM, for "release to manufacturing" -- immediately upon announcing that it's wrapped up Windows 7. The delay, Sinofsky explained, is to give computer makers an opportunity to install the OS on new PCs, then get those machines into stores. "We know many folks would like us to make the RTM software available right away for download, but this release will follow our more established pattern," he said.

It took nearly three months for Microsoft's hardware partners to get Vista systems stocked in stores. Although the company announced Vista's RTM in early November 2006 -- and delivered it to volume license customers later that month -- Vista PCs and retail copies of the new OS didn't hit shelves until Jan. 30, 2007.

Computerworld is an InfoWorld affiliate.





Rails 2.3 preview eyed for Sunday

A release candidate for version 2.3 of the popular Ruby on Rails Web application development framework is being targeted for release this Sunday, the founder of the project, David Heinemeier Hansson, said on Friday.

General release of the platform probably will follow a few weeks later, he said.

Rails 2.3 features Rack integration, enabling Rails to work together more easily with other Ruby frameworks; refreshed support for Rails Engines, which are Rails applications that can be embedded within other applications; and nested transactions for Active Record and unified rendering, for easier rendering. More efficient routing also is featured as is Rails Metal, for authoring parts of an application directly in Ruby to boost performance.

A release candidate for the ambitious Rails 3 release, which merges Rails with the Merb Web framework, has been expected this May.






Microsoft charges ex-employee with spying

Microsoft has filed a lawsuit against a former employee, charging him with taking a job at the software giant in order to steal information that would be helpful in his patent infringement case against the company.

When Miki Mullor applied for a job at Microsoft in 2005, he said that he had been an employee of a company called Ancora that had gone out of business when in fact the company was still running and Mullor was its CEO, Microsoft alleges in the suit.


Once employed by the software giant, he downloaded confidential documents unrelated to his job about technology that Microsoft offers to computer makers, according to the suit, filed in the King County Superior Court in Washington. The technology lets end-users forgo the Windows operating system activation process on PCs that come preloaded with the Windows software.

Then in June of last year, while Mullor was still employed at Microsoft, his company, Ancora, filed a suit accusing Microsoft of infringing on a patent related to the technology.

Ancora's lawsuit, filed in the U.S. District Court for the Central District of California, is against Dell, Hewlett-Packard, and Toshiba, but because the technology in question was provided by Microsoft, the PC makers have asked the software maker to defend them against the claims.

Microsoft also alleges that Mullor ran programs on his laptop in an effort to wipe any evidence that would show he had downloaded the files. The software giant was able to detect which programs he ran and was able to recover some of the documents that he downloaded, according to the suit.

Also, Microsoft says it has e-mail evidence that in 2004, before Mullor applied for a job at the software company, he was already planning to file the patent infringement suit.

Microsoft contends that Mullor committed breach of contract for failing to disclose his continued involvement in Ancora, stole confidential documents, and failed to disclose his intentions regarding the patent infringement suit. The company also believes that it is entitled to a royalty-free license for Ancora's patent in part because Mullor didn't tell Microsoft that he knew of the patent even while he knew that Microsoft was still developing its own similar technology.

The company also accused him of fraud, misappropriation of trade secrets, and unjust enrichment.

Mullor is listed as chairman and founder of Ancora on its Web site, which as of midday on the West Coast appeared to be offline. His biography included his time working for Microsoft and said that he once served in the Israeli Military Intelligence and has a law degree from an Israeli university.

Mullor did not respond to a voicemail request for comment about Microsoft's suit.





SonicWall introduces management appliance

SonicWall is putting its Global Management System software onto an appliance to make the platform easier to deploy.

Called EM 5000, the appliance contains GMS 5.1 software, which has all the features of the latest GMS version plus software necessary to deploy it on the appliance, the company says.


The company says it plans eventually to sell additional software for the device to expand its functionality, such as two-factor authentication or NAC.

GMS has traditionally been deployed on Windows servers, but the appliance takes away the need for customers to have to provide the hardware and load the software, SonicWall says. GMS is designed for businesses to manage multiple SonicWall security appliances that range from firewall/VPN gear to unified threat management boxes to backup and recovery appliances.

The EM 5000 hardware is based on SonicWall's CDP 5040 backup and recovery appliance with more memory and four hard drives that provide 2.25TB of storage in a RAID 5 array. This gives it enough horsepower for future software functionality, the company says.

EM 5000 is available at the end of February and pricing starts at $6,995 for the device and licenses to manage 10 SonicWall appliances.

Network World is an InfoWorld affiliate.





Microsoft warns that Vista, XP upgrade blockers will expire

Microsoft is warning customers that tools for blocking automatic upgrades to the newest service packs of Windows Vista and Windows XP will expire in the coming months.

In a note on a company blog aimed at enterprise IT professionals, Microsoft said the Vista Service Pack 1 (SP1) blocking tool expires on April 28, while the one for XP SP3 expires May 19.


The tools, which were released in December 2007, prevent service packs from reaching PCs via Windows Update, Microsoft's default update service, and are primarily used by corporations that have not yet tested or approved the newest upgrades.

Microsoft's policy is to let users block service packs for up to 12 months after general availability. That, however, doesn't necessarily mean users can block upgrades for a full year after the company has flipped the switch on automatic downloads.

The April 28 expiration date for the Vista SP1 blocking tool, for example, is almost exactly a year after April 23, 2008, when Microsoft triggered automatic upgrades. But it will give Windows XP users just over 10 months of blocking when it kills that operating system's tool in May; Microsoft began automatically upgrading Windows XP to SP3 in early July 2008.

The blocking tools, which are still available on Microsoft's site for downloading, are composed of an executable, a script and a group policy template.

Microsoft regularly issues such tools when it rolls out major updates to its operating system software and to its Internet Explorer (IE) browser. Earlier this month, for instance, it posted a tool to bar IE8, which just launched in release candidate form, from PCs.

The Vista/XP toolkit that is available now will continue to block Vista SP2 installations for approximately a year after that service pack is released. According to recent reports, Vista SP2 is expected in final form sometime before mid-May.

Computerworld is an InfoWorld affiliate.





Dell to make Google and Microsoft phones – really?

Just when you thought there are enough not-so-good looking and overrated phones out there, Dell is said to announce two iPhone and Blackberry competitors sometime next month. Code named MePhone (hopefully not the final name), the phones will run on Google Android and Microsoft Windows Mobile.

Following rumors going back as far as July 2007, the Wall Street Journal announced this morning that Dell will introduce in February at the Mobile World Conference in Barcelona two new mobile phones, set to go head to head with market leaders Apple and Research In Motion.


One of the phones will be touchscreen-only while the other will feature a slide-out keyboard, similar to the T-Mobile G1. It is not known which of the models will feature Windows Mobile and which will run on Android, and other technical specifications are not available as of yet either. Also, no partnership with any U.S. wireless carriers has been announced.

Now, if we are to take this rumor seriously, Dell's MePhone is supposed to go on sale on September 9 this year. WSJ's report also mentions that the Dell phones' focus will be on "customization", but it doesn't say whether it's software or hardware customization - so nothing clear on this front either.

What we need to keep in mind is that apparently no final decision has been made regarding the launch of these MePhones. Dell's mobile devices can be called off at any time before launch, just as it happened last November with the company's effort to launch a new iPod competitor.

Still, would you buy a Dell smartphone? What kind of features should MePhone have in order to convince you to choose it over an iPhone, Blackberry or T-Mobile G1? Please let me know in the comments.

PC World is an InfoWorld affiliate.





Cloud computing and compliance: Be careful up there

Using the cloud for data processing and storage may have its advantages in terms of simplicity and cost, but ensuring regulatory compliance will not be nearly so simple.

What it all comes down to, ultimately, is that the user organization is responsible for figuring out who is doing what to its data and requiring assurances about the data staying in compliance.


"In certain cases, compliance will be impossible," predicted Jim Haskin, senior vice president at Websense, a security services vendor in San Diego. "It is difficult to take full responsibility for who can access data, who sees it and how it is stored, since the premise of the cloud is that customers don't necessarily need to know or care where their data is," he added.

"As enterprises start to run their entire networks on the cloud, existing certifications [such as Gramm-Leach-Bliley, etc.] start to break down," added Jonathan Bryce, co-founder of Mosso, the cloud division of Rackspace, a hosting firm in San Antonio. "The certifications assume that the enterprise controls everything, and it's all located within their office building."

But some observers make the point that the cloud doesn't necessarily complicate compliance issues. "The concept of auditing is to track everything that goes on, whether it's across the cloud or across multiple data centers of the same firm -- tracking is no different no matter where the various components are," said Mike Karp, senior analyst at Enterprise Management Associates, an enterprise IT consultancy based in Boulder, Colo.

In fact, various sources agreed that regulatory compliance is often possible with cloud computing, although it takes special effort. As noted by Chris Day, senior vice president at Terremark Worldwide, a cloud service in Miami that offers what it claims is a fully compliant cloud, "There is no magic solution." The basis of Terremark's compliance is that Terremark claims to know where the client's data is and what parts of the network it passes through, even if that complexity is invisible to the client.

That said, each separate compliance environment requires specific attention, Day added.

Compliance environments that experts cite as important for cloud computing include the auditing-related standard SAS 70, Payment Card Industry Data Security Standards (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

SAS 70

SAS 70 refers to "Statement on Auditing Standards 70: Service Organizations," issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA). According to Judith Sherinsky, manager of audit and test standards at the AICPA in New York, "SAS 70 applies when an audited entity sends data to a service organization, which does something to that data and sends it back to the user, who uses that data in its financial statements." An example is if corporate inventory data is sent to a cloud-based data center where a total valuation will be assigned to it -- a valuation that will later show up in the corporation's annual report.

Compliance with SAS 70 is fairly involved. It requires the following components, Sherinsky explains. Whichever vendor or entity is managing the cloud has to be able to describe what is happening, where the information comes in, what the vendor does when it gets the information, how it gets back to the users, the controls over the processing of the data and, most importantly, what is happening to the data when it gets to the cloud.

So, the basis of SAS 70 cloud compliance, Sherinsky explains, is that if there are material numbers coming from data that has been stored or in any way acted upon by a cloud vendor, there needs to be a full understanding of what's going on and who's doing what. "Ultimately, we say that the management of the user entity is responsible for their data, and they need to know what is going on with their data, or hire somebody who does."

With SAS 70, "you are building a control framework that your auditor feels is appropriate," added Day at Terremark. "For instance, SAS 70 does not talk about encryption, but I can make encryption part of my audit framework, and SAS 70 will show that I am doing it."

Bryce at Mosso noted that compliance with Sarbanes-Oxley (concerning corporate financial controls) and Gramm-Leach-Bliley (concerning, among other things, banking privacy) can be incorporated into SAS 70 compliance.

Additionally, "one of the benefits of having SAS 70 is that it is seen as an operational certification to help satisfy HIPAA requirements," Day said. "As a HIPAA-regulated organization, you have to ensure that all your business partners are also HIPAA compliant. They like to see SAS 70, since it checks a lot of things on the list."

PCI DSS
Compliance with PCI DSS is complicated by the fact that part of the processing of credit card transactions must take place within the merchant's point-of-sale system, even if the rest takes place in the cloud.

"There are two components, ours and the customers'," Day said. "We go through annual audits to make sure that we meet all service provider criteria for PCI compliance, but that does not mean that the customer is PCI compliant. The customer is starting ahead by using us, but they still have to add their own controls and technology."

PCI responsibilities of the cloud provider include firewalls, intrusion detection, disaster recovery, physical controls and appropriate segmentation of staff duties, Day noted. Servers handling PCI data should be in a separate room with solid walls and a monitored door, rather than being placed in the main floor of the datacenter with the other servers, he indicated.

However, the customer-side application has its own requirements, including storing identifying card information no longer than is necessary to process the transaction. "But if you do those things and you are on [Terremark's] baseline, you're going to get to compliance in a relatively straightforward manner," Day said.

"We can certify that the memory is cleared out," said Bryce at Mosso. "But the specification also says that the place where the data is stored can only be accessed by you, and servers that you control are locked down." But in the cloud environment, servers may be shared by multiple clients, and even if they are not, there remains the question of whether the client or the cloud vendor controls them, he noted. "It's a gray area," Bryce said.

HIPAA
"HIPAA is a big monster, with a lot of facets," noted Day at Terremark. "I have to be able to warrant to customers that they are in a HIPAA-compliant environment, that the environment is suitably secure both physically and logically, that the data is protected, and that we have controls in place to keep people from walking in and picking up a hard drive containing patient data.

"But customers still have an obligation to encrypt the data and ensure that the data is handled properly," Day added.

Day noted that encryption is not absolutely required under HIPAA, but if there is no encryption, then there must be other mitigating controls such as physical security to prevent unauthorized access. Personal data sent over public networks must be encrypted, however. It is also necessary to log access and validate who has access, and do periodic reviews to make sure that those people who do have access have a good reason to be viewing the data, Day noted.

"The biggest violations result from people getting sloppy as to who can access patient records," he noted.

Paul Horvath, chief technology officer at TC3 Health LLC in Costa Mesa, Calif., said he was able to put together a HIPAA-compliant cloud application that looks for fraud and billing errors in backlogs of health care insurance payment claims. He said he chose to use Amazon's cloud service to avoid investing in the amount of hardware it would take to analyze 20 million claims at a time. But to ensure HIPAA compliance, he strips out all "protected health care information" before uploading the data, so that only transaction data reaches the cloud.

"But we also encrypt the data, and we would have been compliant just from doing that," he said. Horvath said that he saved $500,000 over the cost of acquiring the necessary hardware, licenses, power and cooling, by using the cloud.

A huge piece of work
Whatever regulatory environment is targeted, cloud-based compliance is nearly always a nontrivial task.

For instance, "first we document everything," said Martin Dubois, chief counsel at Taleo Corp., a vendor in Dublin, Calif., that offers cloud-like human resources services. "Whatever we do -- be it encryption, access controls or separation of duties so that no one individual can control the process from beginning to end -- it is documented. When we code an application, we make sure that the one who wrote the code is not the one who reviews the code. Every week, we have several compliance audits by customers. With SAS 70 reports, they can see the compliance for themselves."

But some forms of compliance may remain elusive in the cloud. "It does not work where you have artificial restraints imposed by legislation," said Alistair Croll, analyst at Bitcurrent, a research firm in Montreal. "France, for instance, insists that certain types of records stay within France, so you cannot use Amazon in that situation, since you cannot guarantee where your data will be stored."

As more companies turn to the cloud to save money and gain flexibility, there's no doubt these and other compliance issues will continue to be raised.

Lamont Wood is a freelance writer in San Antonio. Computerworld is an InfoWorld affiliate.





8 apps that help you chat across IM services

The world of instant messaging is crowded and becoming even more so. It began with ICQ (does anybody use it today?), which was closely followed by AIM, MSN Messenger, and Yahoo Messenger. More recently, this trio is being challenged by other IM chat protocols, like Google Talk, and even by social networks like MySpace and Facebook, which have their own instant messaging features.

What this all adds up to is ... a huge mess. To use any of these IM services in their native formats, you have to download and install a different chat program.


That's where instant messaging applications like Digsby, Pidgin, or Trillian come in. These chat apps -- which can be described as cross-platform or multiprotocol IM apps -- support more than one instant messaging network. Instead of having the AIM and Yahoo Messenger chat programs running on your computer at the same time, you can use just one application to access your accounts from these two IM networks.

All of these multiprotocol IMs have been developed independently, most without the official support of any of the companies that own the IM networks. Perhaps as a result, the eight multiprotocol IM services covered here are very different from one another in terms of functionality and user interface experience.

In addition, these are all free apps -- at least, for individuals. A couple have "pro" or enterprise-level versions, in which case the free version is a good way to test it out first.

Note that almost none of these multiprotocol IMs (with the exception of Trillian) support the webcam/video chat functionality of the major IM networks (which include AOL, Yahoo, and Microsoft). The companies behind these IM networks keep their video chat technologies proprietary, so it's a challenge for the developers of unofficial, third-party IM clients to reverse-engineer this feature.

What follows is a quick (and opinionated) rundown of eight of these instant messaging applications. In the end, which one you will want to use depends on how you feel about using an instant messaging system, and what you use it for.

Adium
The quick rundown: Until recently (when VoxOx appeared), this was the sole multiprotocol instant messaging choice for Mac users. Like Pidgin and Miranda, Adium is open source. But, just as Miranda is only for Windows, Adium is exclusive to OS X. Along with the most popular IM protocols, Adium supports messaging through Apple's MobileMe service and Bonjour network technology.

Quality of user interface: Of course, being a Mac-only application, Adium was designed by its developers from the start to mesh with OS X. The buddy list and chat windows of Adium fit right in with the standard OS X scheme, yet its layout will be familiar to anyone who uses an IM app on another operating system platform.

What sets it apart: Like the other two open-source instant messaging systems, users can customize Adium. The appearances of the buddy list and chat windows can be separately changed. Users have created a slew of AppleScripts that can be installed onto Adium. Most do trivial things such as randomly generating sayings by author Douglas Adams or cartoon character Homer Simpson, but some of these AppleScripts actually provide useful functionality, like language translation or controlling iTunes from Adium.

There are a couple of plug-ins that you can install as well, but nothing really stands out. (One plug-in imports your Skype contact list, so you can type-chat with them through Adium instead of having to use Skype.)

Final verdict: Although it supports several messaging protocols (including the corporate environment networks Novell GroupWise and Lotus Sametime), Adium lacks webcam conferencing. (Video chatting is a feature that the developers of Adium and Pidgin are both working to add, since their applications share the same underlying software for messaging.)

Still, if you're planning to switch to a Mac, Adium should definitely be on your list of applications to download and install. It's also recommended for offices that use Macs, because of its support of GroupWise and Sametime.

Digsby
The quick rundown: Released toward the end of 2007, Digsby, from dotSyntax LLC, gained a following throughout 2008 among devotees of multiprotocol instant messaging systems. It's apparent why: Digsby not only brings together your accounts with the major IM services, but also those you have on the popular social networks (Facebook, MySpace, LinkedIn, Twitter), Webmail services (Gmail, Yahoo Mail, Hotmail, AOL Mail) and your POP or IMAP e-mail.

Quality of user interface: Surprisingly, despite combining your accounts from a multitude of IM, social and e-mail services, Digsby's interface is clean and very intuitive to navigate. Skin choices include changing color and the layout of messaging windows, but the default skin is good enough the way it is.

What sets it apart: Digsby sets icons on your Windows notification tray to represent your social network and e-mail accounts. It allows you to manage your social network accounts without needing to visit the corresponding Web sites, by alerting you when things happen. So you can keep up with the status of your friends on, for example, Facebook by clicking the Facebook notification tray icon to pop open a news feed. When you receive a message on your account, the notification tray icon tells you by listing how many unread messages there are. Clicking the icon will switch you to your Web browser and log you into your Facebook account message in-box.

Similarly, you can manage your e-mail in-box through Digsby without directly going to your e-mail (or Webmail) account. When new e-mails arrive, a small pop-up window appears over the notification tray and includes a snippet from each message. By clicking the e-mail notification icon, you can then mark each of your unread messages as read, delete it or report it as spam.

Like the Web-based Meebo, Digsby lets you embed a widget on your Web site so visitors can chat with you through your site.

Final verdict: Digsby is simply the best choice right now among the multiprotocol messengers. It's a well-designed, stable balance between features and user experience. However, it's only available for Windows. (The developers say they are working on OS X and Linux versions.)

Instan-t
The quick rundown: Instan-t, from Interactive Networks Inc., has been around for a couple of years, but still remains somewhat unknown. That's surprising considering this multiprotocol IM features a nifty virtual conference room with video and audio chatting. Instan-t is available only for Windows. There are several server-based and hosted enterprise-level editions.

Quality of user interface: Most major settings can be accessed and adjusted directly from the buddy list window. For example, you can quickly sort your buddies -- grouping them together by the network service they are on, or show the names of those who are offline -- by easily clicking appropriate icon buttons.

However, there are a number of quirks that, while each may be minor on its own, add up. For example, Instan-t lacks conveniences to help you manage your buddy lists and make your overall IM experience better. You can add friends, but there doesn't appear to be a way to delete them. The size of text in both the buddy list and chat windows looks small, particularly if you're using Instan-t on a high-resolution screen, yet the font size cannot be adjusted. The layout format of the chat windows cannot be changed either.

Instan-t is also available in Web site form as Instan-t Express. While similar to Meebo, its interface isn't as versatile. For example, you can't pop out the buddy list and chat boxes into their own Web browser windows. And, bafflingly, there's no "sign/log off" button to be found. If you're looking for a Web site-only IM solution, stick with Meebo.

What sets it apart: Instan-t has a Flash-based multiperson chat room feature. You can invite any person on your buddy list to take part in it, regardless of which IM network they are using, so long as they have a Web browser with Flash installed on it. This virtual conference room also includes video and audio chat. It all works remarkably well -- the audio quality is on par with, if not better than, Skype's -- and manages to do a capable job of showing the webcams of many people at once.

Final verdict: Its user interface is limited, but the virtual conferencing helps Instan-t stand out among the many multiprotocol IMs you can use for free. If you need to hold virtual business meetings that require video or voice, with people who are on incompatible IM network services, Instan-t can conveniently bring everybody together.

Meebo
The quick rundown: Meebo is a multiprotocol IM that runs entirely through a Web site. It launched in September 2005.

Quality of user interface: You sign up for a free account at meebo.com, log in, and add the usernames and passwords of your instant messaging accounts. Then, thanks to the wizardry of Meebo's proprietary JavaScript technology, an instant messaging app listing your buddies appears within your Web browser. You can make the app pop out of the browser and into its own window on your desktop.

While the look of the interface is basic, the overall experience feels very much like what you would expect from a "real," stand-alone IM program. Meebo's engineers even managed to implement video conferencing through its service (between Meebo users).

What sets it apart: Obviously, since Meebo runs on the Web, you don't need to download or install any software. All you need is your Web browser with JavaScript enabled.

Besides this novel concept, Meebo distinguishes itself further by letting you embed an instant messaging widget on your Web site. Thus, you can chat with anyone who visits your site. (Digsby also has a similar widget feature.)

And Meebo makes special adjustments for smart phone owners. It offers an interface customized for the iPhone, while owners of the T-Mobile G1 can install a "Meebo for Android" app.

You can start or join group chat rooms, but users on different IM protocols cannot enter the same room. When you start a chat room under, say, the AIM network protocol, you can only invite your buddies who are also on AIM -- a Yahoo Messenger buddy cannot cross over.

Final verdict: Meebo is best suited for when you're stuck using a computer other than your own. Instant messaging through Meebo feels flawless, with nary a hiccup, but its overall performance depends on, of course, how much of a load you're subjecting your Web browser to. And it can become easy to forget that you have Meebo running (especially if you've got a bunch of open Web browser tabs), and accidentally close your IM session.

To partly address this, the developers of Meebo provide a Firefox add-on that places the Meebo app as a sidebar to the browser (and includes some enhanced functionality). Yet this seems to kind of defeat the whole purpose of Meebo being Web-only: If you feel the need to install this add-on, why not just use a self-standing IM application instead?

Miranda
The quick rundown: The developers of this open-source instant messaging system put a heavy emphasis on minimalism in form and function. But it still supports the basic messaging features of five popular IM protocols, and throws in old-school chatting via IRC and the obscure (at least, in English-speaking countries) Gadu-Gadu. Miranda is available for Windows only.

Quality of user interface: What you get with Miranda is the absolute bare-bones minimum. Graphics are sparse. In the default version, there aren't even user icons to represent your online friends on the buddy list.

If you prefer your instant messaging system to look more bulked up, hundreds of skins, themes and other customizations created by users can be downloaded and installed. The Miranda mod scene community appears to be more active than that of other multiprotocol instant messaging programs that allow for user-created content.

What sets it apart: Let's reiterate -- Miranda is all about simplicity. Its sparse interface will either be its major selling point or a "thanks, but I'll pass on this one" for you.

It's an open-source project, but runs only on Windows, which makes it a bit different (in that most open-source applications are compatible with Linux). So it distances itself from the other open-source multiprotocol IM, Pidgin, which has versions for Windows and Linux distributions.

Like Pidgin, Miranda allows for plug-ins. Unfortunately, most of the plug-ins created by the Miranda user community are technically esoteric (one generates a crash report ... thrilling). The most exciting and useful ones provide weather information or tell your buddies what music you're listening to.

Final verdict: Frankly, Miranda seems to have been created for people who disdain the very idea of instant messaging -- but who have to use it for one reason or another (i.e., work, too many friends bugging them to use one, maintaining an online relationship, etc.). So if this describes you, then Miranda might make your IM-ing bearable. The buddy list window is so small -- tiny, actually, on most screen sizes -- that you'll easily forget it's running. Plus, Miranda takes up fewer system and memory resources compared to the other multiprotocol IMs.

Pidgin
The quick rundown: Originally called GAIM before AOL raised a stink because of the trademark of its own AIM instant messaging service, Pidgin has been in constant development for 10 years (beginning in 1999). Its developers helped pioneer and fine-tune the idea of bringing multiple IM user accounts together under one app. It runs on Windows and several Linux distributions.

Quality of user interface: Pidgin's interface is generally unobtrusive, sporting a basic, no-frill look. It works well, but even the default set of emoticons is limited. Pidgin's staid skin selection may be because this IM relies on the GTK+ tool kit to run its graphical UI. (GTK+ is mostly used for Linux applications and is known for its no-nonsense and direct approach to presenting user interfaces.)

Mark Doliner, one of the developers of Pidgin, jokes that his messenger's simple interface "should blend in well with other office software, so it might not be immediately obvious that you're talking to friends when you're supposed to be doing work."

What sets it apart: Pidgin is an open-source project, and, like Firefox, it has a community of users who have written lots of plug-ins, which add features to the app or enhance its interface. Notable plug-ins include instant messaging through your Facebook account, Twitter update notification, encrypted messaging and telling your online friends what music you are currently listening to.

Pidgin also supports a whole lot of languages. Basically, if there's a spoken language anywhere on the planet, this multiprotocol IM probably supports it.

Final verdict: Despite its age, Pidgin has evolved into a highly regarded and popular IM app. A few stability issues seem to crop up (at least with the Windows version, perhaps because of GTK+), but such occurrences are usually rare. If security and privacy are priorities for you (like on an office or public network), or you just want to know what's running under the hood, Pidgin is the one to check out.

Trillian
The quick rundown: Named after the character from The Hitchhiker's Guide to the Galaxy, Trillian, from Cerulean Studios, was released back in 2000, making it one of the grand-daddies of multiprotocol IMs. Throughout the early years of its development, Trillian sparked the ire of AOL, which tried many times to block Trillian users from connecting to AOL's AIM network. But the developers of Trillian were renowned for quickly updating their IM to circumvent AOL's blocking. Trillian is only available for Windows.

Quality of user interface: The default skin is colorful, though nothing special, with just enough flash to be interesting without coming across as confusing. Trillian gives you a bunch of emoticons, too, which even includes cartoony animal faces and an icon of a VW bug. While these are fun to use, most of them are incompatible with the emoticon sets of the other instant messaging services. So if you IM a grinning monkey face emoticon to a friend who is not using Trillian, he may see gibberish instead.

For those of you who like to keep a neatly laid-out desktop, the Trillian app can be docked to either the right or left side of the screen.

What sets it apart: Unlike the other multiprotocol IMs, Trillian supports the video chat capabilities of the major IM services (AIM, MSN, Yahoo). However, you'll have to pay to activate webcam functionality if you want to literally see your IM buddies. (The Pro version of Trillian will set you back $25.)

Final verdict: Trillian is a solid IM product, but in recent years has been showing its age. The free Basic version only supports four IM protocols (AIM, ICQ, MSN and Yahoo); for other protocols you need to upgrade to Pro. If you want to use the webcam feature of the major instant messaging systems, then it might be worth paying for the upgrade. But besides this, the pay version of Trillian doesn't add much more that you can't get from other apps.

And it may be best to wait: The developers are moving away from the current version of their product and onto a next-generation Trillian, named Astra, which as of this writing is in private beta testing. Astra will support more IM protocols, incorporate your e-mail and social network accounts, and come in the form of a self-standing application and a Web site front-end client, with versions for OS X and the iPhone.

VoxOx
The quick rundown: Released in November 2008, this is the newest entry in the multiprotocol instant messaging field. Like Digsby, VoxOx, from TelCentris Inc., brings together your IM, e-mail and social network accounts, but it takes things another step further by throwing in office-level phone capabilities and other professional communications features. The current beta is free to download and is available for Windows and OS X, with a Linux version forthcoming.

Quality of user interface: Where Miranda is an example of extreme (and frankly bland) minimal UI design, VoxOx packs in a lot of layers of usability under its default skin -- which looks like the illegitimate child of the iPhone/iPod Touch user interface and the Xbox 360 color scheme.

What sets it apart: VoxOx has a stronger emphasis on the business user. It's being developed by an enterprise VoIP company, TelCentris, with the goal to sell an expanded professional product later this year that's geared for the office environment. For now, the beta is free and still includes helpful business features like voice mail, conference calling, fax and video conferencing.

A particular function that was designed for office use is VoxOx's ability to route your calls when you are away from your desk. It also offers an automated personal assistant voice that can reply to missed phone calls.

Final verdict: You know those infomercials hawking a kitchen gadget that claim it can do everything and conveniently? VoxOx is kind of like that.

VoxOx's interface might not feel comfortable if you're accustomed to the standard layout of a typical IM. Ultimately, VoxOx feels less like an instant messaging system and more like Skype with multiprotocol IM features added. (TelCentris plans to also make money from VoxOx by selling VoIP talk time through it.)

Another consideration is most of the extra communication features (the office-oriented ones) only work when you're communicating with other VoxOx users. So whether or not these are useful depends on how popular VoxOx becomes.

Nonetheless, if 2008 was the year when Digsby established a name for itself, VoxOx could be the next multiprotocol instant messaging system to keep an eye on throughout 2009.

Conclusions
In the end, which multiprotocol IM app you choose can be boiled down by asking yourself a few questions. If you don't like having to use an instant messaging system, or you use one infrequently, the minimally designed Miranda may be best for you. Meebo is the best option when you're stuck using somebody else's, or a publicly accessible, computer. Instan-t's conferencing features make it a possibility for businesses that need to hold virtual meetings with video and/or audio.

For the most part, Mac users only have Adium, but it's still an excellent instant messaging system, since it was built for OS X. The other multiprotocol OS X-capable IM client, VoxOx, is the newest entry on the list. But it's such a bleeding-edge product that its UI may feel unfamiliar if you're more accustomed to the layout of a standard IM program.

Digsby wins out as the easiest to use, especially because it incorporates your social network and e-mail accounts into its interface. It's for users who use IM on a regular basis to keep in touch with people. The way it allows you to check and maintain your e-mail, without needing to go directly to your account's in-box, makes this multiprotocol instant messaging system a truly multipurpose one, too. I eagerly await the release of the Linux and OS X versions of Digsby.

Howard Wen reports for several technology publications. He can be found at his Web site www.howardwen.com. Computerworld is an InfoWorld affiliate.





Mozilla delays Firefox 3.1 again

Mozilla has delayed the third beta of Firefox 3.1 for the second time this month, a company executive said Thursday, citing troublesome bugs in the browser's new JavaScript engine as the reason.

It's not yet clear if the latest delay will affect the delivery of Firefox 3.1's final version, which Mozilla has said several times would appear this quarter. "I can't tell you that we're 100 percent confident that we will hit Q1," Mike Beltzner, director of Firefox, said Thursday morning.

After a Firefox 3.1 status meeting Wednesday, Mozilla noted that there are 18 bugs that still need fixing before it can move ahead with Beta 3. "At this time, we don't have a good estimate for when we'll be done," meeting notes read. "Many of the bugs are proving to be tricky and complicated to fully resolve."

Beltzner expanded on that theme. "The TraceMonkey team has 15 things that are priority 1 blockers," he said, referring to the JavaScript engine that Mozilla introduced last year in Firefox 3.1. A Priority 1 blocker is a bug that, if unfixed, would prevent the release of Beta 3.

Saying that TraceMonkey developers needed to "get a good handle on the problem," Beltzner said a revised schedule might be posted within a few days. "We'll check back with [the TraceMonkey team] in a couple of days, and see where they're at," he said.

There has been no talk of yanking TraceMonkey from Firefox 3.1, Beltzner said. "We really believe in the TraceMonkey engine," he confirmed. "It's twice as fast [at rendering JavaScript] as Firefox 3.0, and more than nine times faster than Firefox 2.0. People who are using the nightlies and Beta 2 just can't go back to the slower browsers," he said.

Mozilla has made much of TraceMonkey, and the performance boost it gives Firefox, since it introduced the new JavaScript engine last summer.

Firefox 3.1 has been pushed back several times. Two weeks ago, Mozilla announced that Beta 3 would ship on Feb. 2, a week later than previously scheduled. Last November, Mozilla inserted the third beta into its timetable to give more testing time to several features, including TraceMonkey.

Firefox 3.1 Beta 2, still the newest public release of the browser, debuted in early December 2008.

"The TraceMonkey bugs seem quite containable," said Beltzner. "They're the sort of instability bugs that don't affect a lot of people a lot of the time -- we're talking crashes that are affecting a small percentage of the Web [sites] -- but we don't want to crash on any."

Mozilla faces renewed pressure from Microsoft, which is working on the next version of its Internet Explorer browser. On Monday, Microsoft issued IE8 Release Candidate 1 (RC1). According to Computerworld's tests, IE8 RC1, while still considerably slower than the current production version of Firefox, has closed much of the JavaScript performance gap that existed as recently as last month.

Computerworld is an InfoWorld affiliate.





Microsoft delivers Vista SP2 RC to testers, reports say

Microsoft has delivered a preliminary release candidate for Windows Vista Service Pack 2 (SP2) to testers and is again on track to offer another public preview next month, according to several reports on the Web.

Just last week, a Malaysian Web site, TechARP, claimed that Vista SP2 had been pushed back a month. Wednesday, however, TechARP, which has accurately predicted Windows delivery dates in the past, revised its estimate, saying that Microsoft had "brought forward their release schedule" and would be issuing an "escrow" build no later than Friday.


Wednesday, reports surfaced that testers had been told by Microsoft that the escrow build of Vista SP2's release candidate was available for downloading. ZDNet blogger Mary-Jo Foley, for example, cited a section of the e-mail notification, which told testers that the company was not interested in feature feedback, but only reports on "SP2 regressions and confirmation of fixes we've made."

An "escrow" build is a version on which development has stopped but that is handed to developers and testers, who are asked to shake out the code one final time to make sure there are no show-stopping bugs.

TechARP's revised timetable claims that Microsoft will deliver a full-fledged release candidate to the public during the week of Feb. 16-20, not in March as the site said last week. That will be followed by a release-to-manufacturing (RTM) build sometime in the first half of the second calendar quarter -- in other words, before mid-May.

Previously, TechARP had said Vista SP2 would reach RTM -- a milestone at which the service pack is officially finished, and sent to computer makers and duplicators for retail copies -- as late as June.

Vista SP2 will be released for download from the Web at an undetermined date after Microsoft slaps the RTM label on the service pack. In the past, Microsoft has waited to post service packs anywhere from just two weeks after RTM to more than six weeks after.

But with the recent appearance of the first public beta of Windows 7, the follow-up to Vista, already in users' hands, some have dismissed Vista SP2 as irrelevant.

"Who cares now with Windows 7?" asked a user identified as Luis Mazza on a message thread discussing Vista SP2 at the Windows enthusiast Web site, Neowin.net.

"I could care less as I just got rid of Vista and I'm now only running 7 beta," added "smooth3006" on the same thread.

One analyst, however, disagreed.

"Service packs always matter," said Michael Cherry, an analyst at Directions on Microsoft, a research firm. "Because service packs make it more efficient to update PCs, they increase the chances that people do deploy fixes and patches."

Microsoft has previously declined to comment on TechARP's Vista SP2 schedule, and has instead reiterated its general timetable for delivering Windows Vista SP2 sometime in the second quarter of 2009.

Computerworld is an InfoWorld affiliate.





IBM expands SaaS ecosystem

IBM on Friday detailed a new ISV partnership, a move which, on the heels of cloud-related agreements penned last week with several universities, advances Big Blue's cloud and SaaS realm.

"The grand vision is about helping these partners to enable solutions to be delivered in an SaaS model," explained Dave Mitchell, IBM's director of strategy and emerging business for ISVs and developer relations. "We're looking to build out our ecosystem by providing partners more ways to work with us."


To that end, Big Blue on Friday announced an agreement with iEnterprises that enables the latter to offer its CRM software SaaS-style to customers in the construction, pharmaceutical, legal, and other vertical industries, the companies say.

Mitchell said it is the latest in a growing number of partners that IBM has recruited. "We added more partners to our SaaS program last year than we had in the previous three years."

Last week, IBM outlined partnerships with six universities around the world to enhance projects and research initiatives by tapping into cloud infrastructure provided by IBM.

Dr. Willy Chiu, vice president of IBM's Cloud Labs, explained that these are paying customers. One such customer, Carnegie Mellon University in Qatar, will open its cloud infrastructure to local businesses.

Although the announcements are vertical niche- and university-centric, Chiu said that commercial companies large and small face similar challenges -- namely the need to do more with fewer resources such as virtualization, SaaS, and cloud services.

"Academic institutions do tend to be hard up for money and resources so they have that in common, for sure," said Gary Barnett, an analyst with the Bathwick Group. "Generally, the more people playing around with cloud and SaaS, the more quickly it will develop and mature."

Indeed, Evans Data last week issued the results of two distinct surveys concluding that nearly half of developers intend to create SaaS applications in 2009 and that almost half of developers working on open source applications plan to provide them via the cloud model.



