News from December, 2008

by Jeff Williams

Web applications have huge attack surfaces. Most sites have hundreds of URLs, and each function has plenty of parameters, form fields, cookies, and headers for attackers to play with.

One simple way to make your web application more secure is to minimize your attack surface. Let's look at five simple ways to do this.

Tighten up your URL space

The first step is to lock down your webserver, application server, application configuration, and code tree to be sure that you're not supporting any URLs that you didn't expect.

Ditch those hidden fields

Hidden fields are form values that aren't displayed to the user. When the user submits a form, the hidden fields are submitted just like any other form field. Attackers can easily change hidden field values to anything they want with browser tools like TamperData or WebDeveloper. Hidden fields are frequently quite vulnerable to attack because they're often overlooked when implementing validation.

Don't expose your privates

Most applications use parameters or form fields that reference data on the server by its name or ID. Attackers love to try to access unauthorized data by tampering with these "direct" references. For example, imagine a URL that references a file on the server.

Only accept good input

There are hundreds of thousands of Unicode code points and dozens of different encodings. This creates a huge attack surface for your application.

Deny by default

Don't slip into thinking that as long as your web application does what it's supposed to, anything else it does is okay. Instead, think of your application as an API that you're exposing to attackers. What shows up in your user's browsers is irrelevant, since attackers can invoke any method with any parameters.

by Rick Hodgin

There is a significant resistance toward embracing the concept of virtualized computers on the average user's desktop. I can tell you from personal experience that the benefits gained from virtualization are staggering on modern equipment.

While you will see a performance loss on some things, on others you will see the machine moving faster because there is no real hardware to update (just emulated drivers in software).

So, what is virtualization? Virtualization is the process of using your hardware to run a program which allows multiple operating systems to run inside of a single machine. Most people use a small-footprint install of Linux for the host along with VMware's ESX Server for the hypervisor (the thing that lets multiple operating systems run at the same time). However, Windows can also be used as the host - though it consumes more resources leaving less for the "guest machines."

The host can be thought of as a tool which allows multiple guest operating systems to be installed. For example, when Windows and VMware is used as the host, new virtual machines are created and operate within that framework. VMware allows as many operating systems as will fit in memory to run simultaneously, though most users will only run one or two simultaneously.

While running a single virtualized OS inside of a real OS might seem silly, there are significant benefits. For one, the virtualized machine can access all of the machine's resources, including other hard drives, the sound card, etc. And whereas this could as easily be done within the single OS, the guest OS is a disk file. It can be copied, backed up, ZIP'd up and emailed, saved as a restore point, etc., and all without the difficulties of using tools outside of the host OS. In short, Windows features can be used to backup the machine as easily as copying a file.

by Sarah Varney

Kermit the Frog was right - it's not easy being green. But it's easier than it used to be. Enterprise-sized companies, including IBM and The Coca-Cola Co., have taken the lead in making sure their IT operations are as "green" as possible. But what about the green data center of the future? What strategies are in play now to move the data center beyond green?

Analysts agree that there will be no decrease in power demands from data centers. The good news is the 15% to 30% of the yearly increase in operating costs that companies have been experiencing seems to be leveling off. Increasingly, companies will seek "more efficiency using the resources you have" said Greg Clark, global portfolio director, data center services at Computer Sciences Corp. "We won't see a decrease in power usage by data centers in the future. It will be more about balancing power, space, and cooling." The granular details of data center infrastructures will become increasingly important to manage that balance, Clark noted.

There's no question that CIOs at large companies are already taking steps to make the data center more energy efficient. For example, companies have instituted water-cooling capabilities where possible, deployed "cold aisle" heating and cooling methodologies, and consolidated servers using virtualization. As with smaller companies, virtualization has provided a dual benefit: lower hardware costs and lower power bills.

by Dan Goodin

A travel industry group has called on the US government to halt its use of new machinery that remotely reads government issued identification cards at border crossings until the safety of the new system can be better understood.

Monday's call by the Association of Corporate Travel Executives (ACTE) follows similar requests by a chorus of civil liberties and computer researchers. They warn that use of the new long-range radio frequency identification (RFID) scanners could jeopardize the privacy and security of people who pass through US borders.

"ACTE is concerned that unauthorized individuals could either resort to electronic eavesdropping at the border or use similar devices that could extract data from RFID chips at other locations," the group's executive director said in a statement. She asked for the system to be halted pending a comprehensive security review.

In July, researchers with RSA Laboratories and the University of Washington published a paper exposing several risks posed by RFID system used in US passport cards and drivers licenses issued by several states that emit RFID signals. They found the documents were susceptible to cloning, a vulnerability that could allow attackers to assume the identity (at least partially) of others.

The researchers also said it was possible for unauthorized parties to remotely read the RFID information embedded in the documents. Interestingly, drivers licenses issued by Washington state were vulnerable to remote scanning even when placed in protective sleeves, the report found.

by Chris Parkerson

Companies today realize the threats and consequences of data loss and by now most have some sort of data protection in place. But, many companies that were rushed into data protection by the fear of losing precious data may have been too quick to throw together a patchwork quilt of security software, which is now proving costly.

In the rush to get data protection in place, many companies frantically stitched together technology from various vendors and overlooked issues such as software integration and policy. The fear of leaving themselves vulnerable to data loss resulted in a lack of planning and processes for technology implementations, and has left them dealing with the consequences.

Now that technologies are in place, companies are faced with ongoing auditing and the need to prove to auditors that 1) they did enough to protect themselves and 2) they chose the right paths of protection. In fact, despite implementing a slew of security solutions, companies are finding that they may have not done much to actually lower their risk because they didn't actually understand what data needed to be protected in the first place. Furthermore, the mishmash of security solutions is impossible to manage and have greatly increased costs.

To make matters worse, those who haven't yet implemented data protection technology are seeing the spike in costs other organizations face from data protection and are beginning to evaluate a dangerous risk equation. They are willing to run the risk of not protecting their data and face the consequences and costs of a potential data breech as opposed to dealing with implementing what they feel are costly and complicated data protection solutions. Once companies decide that data loss is a more desirable option, there is a big problem.

by Brooke Crothers

Intel will target solid-state drives for server computers in a tie up with Hitachi that was announced Monday night.

Intel and Hitachi Global Storage Technologies (Hitachi GST) said they will "jointly develop and deliver" Serial Attached SCSI (SAS) and Fibre Channel (FC) solid-state drives (SSDs) for servers, workstations, and storage systems.

While Hitachi is a large supplier of hard disk drives, Intel manufactures and sells consumer and enterprise-class solid-state drives. The enterprise-class X25-E Extreme SSDs that Intel offers now are based on Serial ATA (SATA) technology. As are its consumer-class drives.

Solid-state drives are generally faster than hard-disk drives, particularly at reading data.

"The combination of a leading Enterprise drive supplier with a NAND technology and manufacturing leader will produce world-class solutions in terms of reliability, performance and system compatibility," the companies said in a statement.

The agreement is exclusive to the two companies with the first Serial Attached SCSI and Fibre Channel products expected to be available in early 2010. Both Serial Attached SCSI and Fibre Channel are interfaces typically used in servers.

by Peter Sayer

A group of open source software advocates set out a road map for the software industry through 2020 at the Open World Forum conference in Paris on Tuesday.

The authors of the report, "2020 FLOSS Roadmap" (PDF), made a number of predictions about the role of FLOSS (free, libre, and open source software) in 2020, and 80 recommendations for the industry. Their use of the French word "libre" ("free," as in "unfettered") clears up the ambiguity inherent in the English word "free," which can also mean without cost.

They painted a rosy vision of 2020 in which FLOSS will have entered the mainstream of the software industry and contributed to reducing the digital divide between rich and poor. Social networks will rely on ubiquitous, open cloud-computing services and will allow people to interact not just with friends, but also with governments and businesses, they said. CIOs wary of vendor lock-in will champion the use of FLOSS, and such software will be at the heart of green datacenters and other business models with low ecological impacts, they said.

Reaching this computing nirvana, however, will require action – and not just by bearded geeks. Investors, legislators, educators, electors, and even consumers also have a role to play, according to the report's authors.

by Team Register

Another week, another rummage through Reg Whitepapers. This time we delve into enterprise storage for your delectation. Let's kick-off with an ideological onslaught against tape backup for multi-branch operations.

This paper from Double Take Software examines the "high cost, complexity and potentially dangerous shortcomings of a recovery strategy based on traditional tape backup. That's fighting talk, in some parts.

So what's the alternative? According to Double Take, what you need is "continuous data replication to a remote recovery sites over existing WAN connections".So where does that get you?

"Exponentially better remote disaster protection" at no extra cost or complexity and access to new data acceleration technologies that speed up remote recovery performance over the WAN, says Double Take.

You can guess what this company does for a living. The paper contains an overt pitch for Double Take technology and a case study. But there is also a solid exposition of what's wrong with tape backup - And the case for continuous data replication is interesting enough.

by Chris Preimesberger

The installed base of VMs will grow more than tenfold between 2007 and 2011, says Gartner. By 2012, the majority of x86 server workloads will be running in virtual machines. Unix and mainframes also will be using virtualization, but Intel-based open systems will run the bulk of the workloads, Gartner predicts.

LAS VEGAS—Because the virtualization of IT infrastructure now is so pervasive and integral to the daily operation of data centers, it would behoove IT managers to take a look at the next five years and get a projection of where trends in this technology might be heading.

So, Thomas Bittman, a Gartner data center research vice president, on Dec. 2 dared to look into the future and report—based on IT trends of the past—what he believes will happen.

by Jon Brodkin

A new computing fabric to replace today's blade servers and a "pod" approach to building datacenters are two of the most disruptive technologies that will affect the enterprise datacenter in the next few years, Gartner said at its annual datacenter conference on Wednesday.

Datacenters increasingly will be built in separate zones or pods, rather than as one monolithic structure, Gartner analyst Carl Claunch said in a presentation about the Top 10 disruptive technologies affecting the datacenter.

Those zones or pods will be built in a fashion similar to the modular datacenters sold in large shipping containers equipped with their own cooling systems. But datacenter pods don't have to be built within actual containers. The distinguishing features are that zones are built with different densities, reducing initial costs, and each pod or zone is self-contained with its own power feeds and cooling, Claunch says.

Cooling costs are minimized because chillers are closer to heat sources; and there is additional flexibility because a pod can be upgraded or repaired without necessitating downtime in other zones, Claunch said. (Read more about how to reduce cooling costs in the datacenter.)

"Modularization is a good thing. It gives you the ability to refresh continuously and have higher uptime," Claunch said.

by Dan Goodin
Updated Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe.

Reg reader Richard D. reported receiving a bogus secure sockets layer certificate when attempting to log in to his Mycheckfree.com account early Tuesday morning. On further examination, he discovered the site was mapping to 91.203.92.63. To confirm the redirection was an internet-wide problem, he checked the site using a server in another part of the US and got the same result.

"I managed to get through to a commercial customer support tech, and reported the problem," Richard wrote in an email sent early Tuesday morning. "He was not aware of any problem."

The account is consistent with results of passive DNS search queries such as this one from bfk.de. Spamhaus shows precisely the same thing here.

Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Spamhaus offers this laundry list of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them.

by Michael Calore

On Monday, Facebook announced it will soon roll out its Facebook Connect login system to several high-profile websites, including Digg, Hulu and Discovery.com. The sites, along with a few others, will begin supporting Facebook Connect within a few weeks. The New York Times has the scoop.

The news is sure to be welcomed by Facebook's 120 million users and its potential partners, but it presents a new challenge to proponents of the so-called "open stack" for ID management — OpenID, OAuth and the related technologies that allow users to share data across multiple websites.

Facebook Connect is the company's technology which lets Facebook users participate on other websites using their Facebook IDs. Along with an easy login, the user gets the option of re-broadcasting whatever they do on the third-party site to all of their friends within Facebook.

For example, users who wants to vote on or leave a comment on a Digg story will be able to log in to Digg.com using their Facebook ID and password. They can participate on Digg just like a registered Digg user, voting, commenting and adding friends. As they click around on Digg, the fact that they dugg such-and-such story, or wrote a comment, will show up in their Facebook news feed in the same way it would if they had written on the Wall of one of their Facebook friends. Of course, the company promises there will be privacy controls, so only information approved by users gets re-broadcasted to their Facebook account.

by Rutrell Yasin

As federal and state information technology managers develop strategies and deploy technologies to reduce power consumption in their facilities, they recognize virtualization does not only reduce server sprawl, it can also save energy.

The spotlight was on the benefits of virtualization and its impact on data center and server consolidation this week at The Green Computing Summit. The Summit was held by 1105 Government Information Group, parent company of Government Computer News.

Virtualization can make a single physical resource, such as a server, operating system or storage device, appear to function as multiple resources. Or it can make multiple physical resources appear as a single resource.

Server consolidation is what got Fulton County, Ga., into virtualization, but now the county is reaping benefits in training, testing, high availability/disaster recovery and eventually in virtual desktop infrastructure, said Jay Terrell, chief technology officer and deputy director of IT for the county.

The county has more than 200 Wintel servers, dozens of Unix/Linux systems, midrange and mainframes systems and 6,000 PCs. IT supports about 5,500 end users and 42 departments, he said during a session on virtualization and moving beyond consolidation.

by John Leyden

Virus writers have latched onto the popularity of Firefox with a new variant on the established practice of stealing online banking passwords.

A password pinching Trojan that poses as a Firefox Plugin is doing the rounds, Romanian security firm BitDefender warns. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other strains of malware.

Once installed, the Trojan sits in Firefox's Plugin folder, activating every time the popular browser is started. The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US.

Harvested login credentials are captured and subsequently posted to a server located in Russia.

More details on the bank sites targeted, along with the general behaviour of the Trojan, can be found in a write-up by BitDefender here.

BitDefender reports that incidents of the malware are "very low", so the attack is more notable for its novelty than its potency. Malware that capitalises on the popularity of Firefox is rare, but not unprecedented.

by Stephen Shankland

As a result of slowing plans for data center expansion, Google has turned down a $4.7 million economic development grant from North Carolina that would have funded computer facility plans in the state, according to report Thursday.

Google was awarded the grant in 2007 for creating 210 jobs and spending $600 million over four years as a result of the data center in Lenoir, N.C., according to a story in the Triangle Business Journal. But the Internet giant withdrew its application Thursday after establishing one data center with 50 employees and putting construction of a second building on hold after completing only its outer shell.

Google didn't like all the terms of the grant, and "recent volatile economic conditions make business planning even more difficult," the company told the state in a letter, according to another report in the News & Observer. A state committee approved Google's withdrawal, that report said.

by Chris Mellor

EMC and NetApp are growing disk storage revenues faster than any other supplier, with IBM the biggest loser, according to IDC's third quarter disk storage tracker report. Dark horse Sun could be catching the leading pack up.

In the IDC Worldwide Disk Storage Systems Quarterly Tracker report, external disk storage systems factory revenues showed an 8.8 per cent year-over-year growth totalling $4.9bn in the third quarter of 2008. In the meantime the total disk storage systems market only grew 1.1 per cent, to $6.6bn in revenues, because of weakening server systems sales, IDC supposes.

Within the external disk storage market any suppliers whose revenues grew less than 8.8 per cent is under-performing the market. Here are the winners and losers:

1. EMC - 23 per cent share ... 16.2 per cent growth

2. IBM - 12.7 per cent share ... -0.3 per cent decline

2. HP - 12.5 per cent share ... 3.3 per cent growth

4. Dell - 9.1 per cent share .. 8.6 per cent growth

5. NetApp - 8.2 per cent share ... 13.8 per cent growth

5. Hitachi - 8 per cent share ... 2.4 per cent growth.

Within the total disk storage systems market, where 1.1 per cent is the market growth bench mark, the revenue share numbers look like this:

1. HP - 19.8 per cent share ... -0.5 per cent decline

2. EMC - 16.9 per cent share ... 16.2 per cent growth

3. IBM - 15.2 per cent share ... -18.1 per cent decline

4. Dell - 10.4 per cent share ... -8.7 per cent decline

5. Hitachi - 6.0 per cent share ... 2.3 per cent growth

5. NetApp - 6.0 per cent share ... 13.8 per cent growth

Although Sun is listed by IDC in the 'Others' category, it grew disk storage system sales 25 per cent in its second consecutive quarter of revenue growth, with 16.1 per cent growth in external disk systems. The company sold more disk storage for Unix servers than any other supplier has done, it claimed, for the past 20 consecutive quarters. If the new Open Storage products take off then it could start approaching Hitachi and NetApp. That would be a noteworthy feat.

by Chris Kanaracus

Commercial open-source CRM (customer relationship management) vendor SugarCRM said Monday it will give customers the ability to plug in feeds from third-party data sources like the business social-networking site LinkedIn.

The new "Cloud Connectors" feature is part of the vendor's new SugarCRM 5.2 release, which will be available worldwide this month.

While users could obviously tap such third-party services separately, SugarCRM created the new integration capability because it keeps users in a CRM context, as well as makes the process more convenient and efficient, said Martin Schneider, director of product marketing.

If you're logging into third-party sites "while you're on the phone with someone, you're going to be hemming and hawing and you're not going to have it at your fingertips," he said. "The idea is to drive adoption and keep people in one space, but also give them unfettered access to bringing content into the CRM system."

Windows, which SugarCRM is calling "Cloud Views," will pop up with relevant information, such as which of a user's LinkedIn connections work at a certain company. Users can also import this information into SugarCRM.

Are you ready for event-driven business? - watch this webcast.
The Cloud Connectors are made possible by a new data services framework that Schneider characterized as "a toolkit for developers or really astute users to bring in any type of data source."

by Jon Oltsik

While no one can predict what will happen to the economy over the next 12 to 18 months, you can bet your bottom dollar that threats to confidential data will increase substantially in that time frame. Why? Malicious code threats are growing exponentially while the cyberunderground becomes ever more sophisticated.

Fortunately, industry players are starting to team up to lower the cost, complexity, and integration effort needed for data-centric security. Last week, EMC's RSA and Microsoft got together to announce that the software giant will integrate RSA's Data Loss Prevention (DLP) into the Windows infrastructure in order to discover and classify data (Word documents, Excel spreadsheets, and so on). Microsoft will also tightly integrate DLP with its Enterprise Rights Management (ERM) Server. Not to be outdone, security bigwig McAfee on Monday announced that it will integrate its DLP data discovery and policy management solutions with a leading ERM solution from Liquid Machines.

Why the activity?

1. DLP solutions need to become more mainstream
While every company that conducts business over the Web needs DLP capabilities, software solutions require customization, sophisticated skills, and lots of dough. Microsoft's data classification integration into Windows should help alleviate this by providing baked-in DLP basics.

2. DLP and ERM are complementary
DLP technology assumes you don't know where sensitive data is so you want to find it, classify it, and keep it confidential. ERM, on the other hand, assumes you know exactly where the data lives and you want granular protection at the user and file level. These announcements demonstrate that the debate between DLP and ERM was misguided--large organizations need both solutions to safeguard known and unknown sensitive data across the network.

3. Entitlement management is the next challenge
While we figured out how to centralize user authentication pretty well, we still leave entitlement management (i.e., user privileges) to each individual application. This method doesn't scale, is full of security vulnerabilities, and is nearly impossible to audit. Liquid Machines, McAfee, Microsoft, and RSA get this as do others like Cisco Systems (through its Securent acquisition) and Rohati. Clearly, these vendors are positioning themselves for this next moneymaking opportunity.

So what's next? While other DLP vendors will form their own cozy relationships, my hope is that the industry comes together in a group hug and defines some meta data standards for classification, policy definition, and enforcement. I know this isn't likely but it would sure go a long way to help us all protect our sensitive data.

by Timothy Prickett Morgan

While it isn't always the case, Sun Microsystems usually likes to wait until it can actually ship products before it sends out a press release. So while Advanced Micro Devices announced the "Shanghai" quad-core Opterons for servers nearly a month ago, Sun is only making its "Galaxy" x64 launch today because it has enough of the chips to start pumping out boxes.

The existing second-generation of Galaxy rack and blade servers, which were created to use the "Santa Rosa" dual-core Rev F Opterons in August 2006 and which also can support the earlier quad-core "Barcelona" processors that were delivered last summer with a bug but only really went volume this spring, support the new Shanghai Opterons by default.

Arvie Martin, group marketing manager for Sun's x64 products, says that Sun has kept its Galaxy server prices the same and any price differential between Barcelona and Shanghai boxes is due to the differences in processor prices from AMD and, in some cases, from a richer base memory configuration on the Shanghai version of the box. The Shanghai chips can plunk down into the X2200 M2, X4600 M2, X4140, X4240, and X4440 rack servers and the Sun Blade X6240 and X6440 blade servers.

The extra memory and pricing adds up. An X2200 M2, for instance, with a 2.3 GHz Barcelona chip and 4 GB of main memory costs $1,995, while a top-end Shanghai machine with a 2.7 GHz processor and 8 GB of memory costs $3,995. A big portion of that extra two grand, if Sun can get customers to go for it, could end up dropping to the bottom line. Sun's blades are also pricey (as are blades made by others) and could have plenty of profits (it is hard to say unless you know Sun's parts and manufacturing costs). A two-socket Sun Blade X6240 using two of the 2.7 GHz Shanghai chips with 16 GB of memory costs $5,160, while a four-socket blade using 2.7 GHz Shanghais with 32 GB of memory, a 16 GB Compact Flash, and a passthrough fabric expansion module costs $17,525.

Martin says that Sun's internal benchmarks show the top-speed Shanghai chips providing about a 30 to 35 per cent performance boost over the fastest Barcelona parts inside the same servers.

by Nathan Eddy

On-demand CRM vendor Salesforce.com announced a partnership with Google to allow its Force.com platform as a service (PaaS) to the Google App Engine application, Google's own cloud-based application development platform. The partnership gives Salesforce developers native access to Google's distributed storage system, Bigtable and allows Google App Engine developers access to the Salesforce platform.

The partnership allows Salesforce.com developers to talk to applications built using the programming language Python. Google and Salesforce teamed up in June of this year, when the companies announced the release of the Force.com Tool for Google APIs, which allowed developers using the Force.com platform to access the data in Google Apps.

"We think that in economic times like these, the advantages of the cloud computing option make more sense," says Salesforce senior director of platform product marketing, Ariel Kelman. "You get fast results, no capital expenditure, and low risk. Kelman says these advantages particularly benefit small and medium-size businesses (SMBs).

"When we talk to our customers in the SMB space, these companies are really looking to leverage the technology investment in these scalable platforms," he says. "The ability for them to take their ideas and run them on a world-wide, secure infrastructure is a huge win," Kelman says.

by Dave Rosenberg

I've been experimenting with Amazon's new CloudFront CDN service since the launch and thus far it's proven to be a good option provided you don't need to update content in anywhere near real-time (you are pretty much looking at 24 hours before content updates hit the full network.)

And while the functionality doesn't match something like Akamai, my best math effort suggests that the service will cost you 10% (or less) than Akamai does for static image serving, which makes the service very compelling.

Paul Stamatiou wrote up a great how-to guide for CloudFront and it shows how setting up the new service is still not for the faint of heart. You still need to be a developer/admin type in order to get everything up and running.

The net result:

I'm pretty happy with Amazon's first CDN offering, CloudFront. It's extremely easy to setup and affordable to boot. I was able to get it running from scratch in under 5 minutes, including CNAME DNS propagation. While it might not be mature enough yet with advanced usage reporting for companies to use in place of Akamai, Limelight or CacheFly, it certainly has potential.

Where CloudFront will start to get really interesting is when it can do real-time video at this low cost. Until then it's a nice option to speed delivery but still not a full-blown commercial CDN.

by Timothy Prickett Morgan

Well, it may be December, but it is time for the OpenSolaris 2008.11 update, the second tweak of the open source variant of the Solaris Unix platform. With the new release today, it's getting some interesting storage enhancements as well as the usual update additions.

The OpenSolaris project launched its first pseudo-commercial release, code-named Project Indiana, in May, with the goal of getting the open source variant of Solaris humming along in binary form and being used by the development community and other cheapskates who like to play with operating systems but who don't want to pay for them.

Linux is popular, in part, because it is not only free, but distributed in a usable form and for the most recent hardware available on the market. So to compete with Linux, and to get an edge on other commercial Unixes (which are not open source or freely distributed), Sun Microsystems is emulating the distribution methods employed by the Fedora and openSUSE development communities, which create the code that eventually becomes the commercially supported releases from Red Hat and Novell, respectively.

The difference is this: Sun will actually support OpenSolaris in a commercial environment through paid support contracts, while neither Red Hat nor Novell do so with their development releases. (Ubuntu has a much more sensible approach, supporting all of its releases and offering long-term support for users who want to install the software and not mess with it much for a couple of years.)

by James Niccolai

Having coined the phrase "the network is the computer" more than a decade ago Sun Microsystems could expect to be leading the march towards cloud computing, but in some ways it is still at the start line.

Nucleus Report: Who's ready for SMB? - read this white paper.

Sun recently pulled the plug on its Grid Compute Utility service, which was launched two years ago and allowed companies to buy computing power from Sun's datacenters at a fixed rate per hour, like a public utility.

The service, which predated Amazon.com's EC2 service , is now "in transition" as Sun prepares to launch some new services, according to its Web site . Sun is still supporting customers who signed up for the Grid service but stopped accepting new customers several weeks ago.

"That was kind of an early attempt at cloud computing. We got some features right and some not right," said Dave Douglas, senior vice president in charge of Sun's Cloud Computing division. "We still think that model totally makes sense," he added.

On Tuesday Sun gathered some press and analysts together to discuss how it will tackle the cloud market moving forward. It talked about its plans only in general terms and said specifics will follow after the New Year.

Thanks partly to its early embrace of the Web, Sun has a formidable list of technologies that it can bring to the cloud market. Besides its servers and storage gear it has its Solaris OS, MySQL database, xVM virtualization software and ZFS file system, to name a few. Most of the software is open source.

The question now is how it will package that technology and persuade service providers and enterprises to let Sun be their vendor of choice for the cloud.

"A lot of the enabling technology is there. It's how they are going to pull it together and take it to market that matters," said Jean Bozman, an analyst at market research company IDC.

CEO Jonathan Schwartz formed Sun's Cloud Computing division a few months ago and it now has several hundred engineers, Douglas said. Sun also hired Lew Tucker, who helped build Salesforce.com's online AppExchange, to be the division's CTO.

Sun sees three levels of cloud computing, Douglas said. At the highest level are software as a service applications such as Salesforce.com's CRM; in the middle are cloud development platforms such as the Google App Engine; and at the bottom are infrastructure services such as Amazon's EC2 (Elastic Compute Cloud).

by Stacey Higginbotham

As cloud computing moves beyond startups and attracts enterprise users, major software vendors are being forced to reckon with a new challenge to their current pricing models. Much like the emergence of software as a service has caused many large software vendors to evaluate existing licensing models that charge a set price for each software package copy running on a machine, the emergence of cloud computing is pressuring top server software vendors Microsoft, Oracle and IBM to adopt a subscription-style type of pricing.

The issue is similar to the battle that raged years ago when corporate customers started buying servers with multiple processors. Prior to that, vendors sold software on a per-core basis, so a customer who paid $20,000 for a copy of Microsoft's software for a single-core machine was hit with a $40,000 licensing cost when he upgraded to dual-core servers. With virtualized servers, where several virtual machines can exist on one server, such math becomes more complex, and can lead to even higher prices.

As Microsoft, Oracle and IBM adapt to the cloud business model, they're likely to see their software licensing revenue drop. How they will manage this is part of a new report out from research firm TechAlpha that looks at how virtualization will affect industries ranging from software to storage. George Gilbert, co-founder and principal at TechAlpha, says Microsoft has been fairly advanced about its licensing efforts in the cloud, while Oracle seems to be lagging.

"The new principles of pricing with the ultimate destination of software in the cloud requires two things: capacity on demand, and something that's divorced from the physical infrastructure," says Gilbert. "The idea that you install software on a box and it lives there for the useful life of the server is increasingly less relevant."

This won't just apply to public cloud providers such as Amazon. Enterprises will undoubtedly build their own clouds of virtualized computing power, in turn making the shift more painful for vendors such as Oracle, which currently has a limited offering on public clouds. Gilbert estimates that about half of Oracle's licensing revenue could be affected by this shift to subscription-based licensing.

by Chris Mellor

EMC has set up a data warehousing/business intelligence competency centre to tie its virtualised servers and desktops, Clariion and Symmetrix storage, to DW/BI application vendors' software.

Recently HP announced a tie-up with Oracle to build the specialised HP Oracle Database Machine for DW and BI apps. Sun has also been working with GreenPlum and other SW vendors in that space to turn its X4500 server/storage product into a scale-out DW/BI storage system.

Several software vendors, such as Netezza, are offering DW/BI appliances saying their dedicated technology performs better than Terradata-type big SW environments on standard servers and storage.

DW/BI is reckoned to account for up to a fifth of enterprise storage by Chuck Hollis, EMC's global marketing chief technology officer, and he wants EMC to sell more kit in that market and not let HP, Sun and the appliance vendors profit at EMC's expense.

by Cade Metz

Sometime in the late sixties, as Douglas Engelbart was preparing what would one day be called The Mother of All Demos, his boss flew to Washington to meet with the money man.

The demo that birthed the modern computer mouse - and so much more - was funded by Bob Taylor, a NASA program manager who would one day take his own place among the titans of modern computing. Engelbart's boss had a single question on his mind as he walked into Taylor's office after a cross-country flight from Northern California's Stanford Research Institute.

"He came from the west coast to see me, which was very unusual," remembers Taylor, also known for cooking up the ARPAnet and Xerox PARC's Computer Science Laboratory. "He came into my office and he said 'I want to talk to you about Doug - Why are you funding this guy?'"

Needless to say, Douglas Engelbart's boss wasn't the only one who questioned the import of the mouse inventor's 1968 interactive-computing demo, which received a 40th anniversary celebration at Stanford University's Memorial Hall yesterday afternoon. Bill Paxton - one of the SRI researchers who participated in the demo - says that 90 per cent of the computer science community thought Engelbart was "a crackpot."

"It's hard to believe now," he explains, "but at the time, even we (Engelbart's fellow researchers) had trouble understanding what he was doing. Think of everyone else out there."

by Lucas Mearian

Solid-state disk (SSD) drive architecture can play a big role in how fast a computer boots up and performs. But how big a role the SSDs play – and how much faster an operating system is – depends as much on the operating system as on the drive. Although none of the mainstream operating systems now in use have been optimized to work better with SSDs, some do natively work more efficiently than others, according to storage experts.

That aging operating system, said Saeed Arash Far, engineering manager at SSD manufacturer Patriot Memory, is markedly faster than Windows XP, Vista , Mac OS X, or Linux when using NAND flash memory. Far said his company's tests showed that Windows 2000 is 5 percent to 8 percent faster over its newer rivals because "Windows 2000 doesn't run any applications in the background.

"We're getting ridiculous numbers with Windows 2000," he said. "When it comes to Vista, it is faster than XP, but with XP, you have the luxury of turning off background applications. ... With Vista, you can't."

According to Far, Mac OS X runs "a little faster than Vista" with an SSD drive, but Linux is "always faster" than Vista or Mac OS X – to the tune of 1 percent to 2 percent – because like Windows 2000, "it never runs anything in the background."

by Chris Mellor

Suddenly the data warehousing sector seems to be hotting up. There's EMC's new competency centre and now Kognitio's in-memory data warehouse which threatens to brush server vendors aside if the idea gets adopted big time. How does that one work?

The story goes like this: Cluster lots of servers together in a shared-nothing architecture and use parallelising data-warehouse SW - WX2 in this case - to treat them as a single but very parallel resource. The servers all execute different threads of queries against the data that is stored in the servers' DRAM as an in-memory database. All other data, such as query results or a fraction of the data warehouse that is not in memory, is stored on disk - the servers' directly-attached disk and not in a networked disk resource such as a SAN or a NAS box.

Generally, with a disk-based data warehouse, only a fraction of the data is stored in memory, and query results executed against this are only looking at a data sample and not the full warehouse. Results from a full-warehouse query are statistically much more likely to be correct.

Roger Gaskell, the chief technology officer of Kognitio, says the firm is currently bidding for a 40TB data warehouse and its bid is less expensive than the installed DW system based on storage arrays and many servers. But how can 40TB memory-based system be cheaper?

by Brooke Crothers

The newest solid-state drives are just starting to hit retail. But would you buy one?
Intel X25-M solid-state drive has received glowing reviews for its performance

Solid-state drives are attractive because they're generally faster than hard-disk drives, particularly at reading data-generally something PC users spend most of their time doing.

But price is still an obstacle, especially to the frugal consumer.

Sunnyvale, Calif.-based OCZ Technology is now offering some of the most competitively priced solid-state drives based the high-speed Serial ATA (SATA) II interface.

OCZ Vertex SSD drives start at $129 for a 30GB SSD. Other capacities include a 120GB drive for $469 and a 250GB SSD for $869. Though $869 may seem pricey compared to a 7200RPM 250GB hard-disk drive that can retail for well under $100, it's relatively cheap for a large-capacity SSD. In the past, SanDisk had sold a 256GB drive through resellers that was priced, almost incredibly, at more than $15,000. Axiom had been selling 256GB solid-state drives priced above $6,000.

OCZ says the Vertex Series of SSDs have a 1.5 million-hour mean time before failure (MTBF), "ensuring peace of mind over the long term." Solid-state drives, since their inception, have been plagued by doubts about write durability. SSD manufacturers such as Intel, Micron Technology, and Samsung say long-term durability is no longer an issue.

by Jim Duffy

Cisco has a number of significant product introductions on tap for 2009 as the company continues to morph from a pure networking player into an overall IT supplier.

Expected next year are internally developed datacenter blade servers, energy efficiency improvements across Cisco's switching portfolio, and a new release of the company's unified communications software for intercompany collaboration.

The product launches are intended to buttress Cisco's strategy to become not just the leading network vendor to corporations and services providers, but to become the leading supplier of overall IT architectures to these constituents.

"The network will enable all forms of communication and IT," said Cisco CEO John Chambers during his keynote address at the company's annual C-Scape analyst conference here last week. "IT is not enabling our strategy, it is our strategy."

Perhaps the most important example of that will be a new Cisco blade server system expected next year. This will take the company into the datacenter compute space, right up against longtime stalwarts – and up to now, Cisco partners – IBM and HP.

Cisco officials interviewed at last week's C-Scape conference would neither confirm nor deny that this system is in development – its code name is "California Server," according to sources – but its impact will be substantial in the market and on its current relationships with compute partners.

"I've seen the product," says Vikram Mehta, CEO of Blade Network Technologies, a supplier of blade server switches to IBM, HP, Dell, and others. "I think I know what Cisco's trying to do. Servers are a $60 billion market. And if you're the size of Cisco – $40 billion – you're looking for the next multibillion dollar market to jump into. There aren't a lot of adjacent markets, so they decided to step on their partnerships and take these guys head-on to get a slice of the server action."

by Chris Mellor

Hitachi Data Systems' customers can now buy flash-based solid state drives (SSDs) for the high-end USP V and VM storage arrays. HDS will also support the coming Hitachi GST SSDs, built by Hitachi GST and Intel.

This leaves IBM's DS8000 as the last enterprise drive array with no flash drive option, as both HP and Sun resell the Hitachi USP product as their high-end drive array. An IBM source hinted that Big Blue could do this earlier in the year. Neither HP not Sun has actually said that they will take USP arrays with the flash option.

HDS is following in the footsteps of EMC which made Enterprise Flash Drives (EFD) available for Symmetrix many months ago. Clariion support was added fairly recently. However, HDS is not adding flash SSD support to its mid-range modular AMS arrays.

The flash drives will be used to satisfy I/O requests from I/O-intensive applications which need low-latency responses from the storage array, responses far faster than 15K rpm Fibre Channel drives can satisfy.

HDS' Storage Command management SW supports flash in this "tier zero" role and HDS says storage administrators can work with a flash-enabled USP as per normal, but with this extra very fast tier of storage to play with.

It is thought that HDS is using STEC's SSD product, STEC being EMC's supplier, although HDS has not confirmed this. The HGST/Intel drives could replace the STEC products when they become available. No prices were revealed.

by Dan Tynan

Odds are, you've committed some venal sins at work – if not mortal ones. Whether it's falling prey to gadget lust, hoarding information, avoiding necessary but onerous chores, coveting thy neighbor's budget, venting anger all over your staff, or letting ego get in the way of the job, we're all guilty of something.

Not surprisingly, most of our transgressions find their foundation in the classics: lust, gluttony, avarice, sloth, envy, wrath, and pride. With apologies to Dante Alighieri, here are the seven deadliest sins IT managers can commit.

(The identities of the sinners have been obscured to protect the guilty. Read and learn from their wicked ways.)

Read. Repent. Repeat. Then go forth and rectify.

IT sin No. 1: Lust for new technology
There are many kinds of lust in the IT universe – lust for power, for position, even (gulp) the physical kind. But believe it or not, the most damaging unbridled desire in the IT workplace might just be gadget lust.

The most common expression of lust in IT is the endless pursuit of new technology for the sole purpose of having new technology, notes James J. DeLuccia, author of IT Compliance and Controls.

by Scott Lowe

If you haven't implemented some kind of virtualization in your data center by this point, you're in the minority. Data center virtualization has become a common way to achieve higher levels of hardware utilization and consolidate servers onto less hardware. Organizations have jumped all over this technology as a way to reduce costs and increase efficiency.

In the data center, hypervisor-based virtualization technology is used to achieve these aims. In these cases, the hypervisor exists to enable disparate operating systems to run on the same hardware. Although some commonality between servers is a good thing, in the data center, the goal is to run workloads necessary to enable the business. This could mean that a mail server running Linux runs on the same hardware as a database server running Windows.

Virtualization in the data center is definitely a good thing for the reasons that I just mentioned. However, from a technical and efficiency perspective, a client hypervisor would be a huge boon, but for different reasons. One of the major challenges in the realm of desktop management lies in image management. For every new batch of computers, a new image is necessary, along with the hope that everything will work just right. Of course, there are other tools out there that can help handle this dilemma, but a client-based hypervisor would be the ultimate solution. A client-based hypervisor would allow an organization to support a single desktop image, regardless of how many desktops or desktop models exist in the organization. As is the case with the server hypervisor, a client hypervisor would abstract the system hardware from the equation, making driver issues a thing of the past as it relates to image management.

by Timothy Prickett Morgan

In a mature IT market, it becomes hard to make any significant changes in hardware architecture or software design without upsetting the installed base of legacy users.

This, of course, makes the evolution of a product somewhat troublesome. Change must fit within the strict confines of compatibility, ensuring both hardware and software vendors do something useful without upsetting the entire apple cart in the data center - or on our desks and in our laps.

To be sure, this is a lot less exciting than having a totally new thing come along, as proprietary minis did in the late 1970s, commercialized Unix did in the mid-1980s, and a decent Windows operating system for desktops and Linux for supercomputers and then regular servers did in the mid-1990s.

These kinds of tectonic shifts are very difficult to imagine in operating systems these days, thanks to the internet where no one particular machine or its operating system is the center of gravity for users and developers.

by Jon Brodkin

A new managed hosting offering targeted at mid-sized businesses lets customers quickly provision and reconfigure servers, storage, and network capacity through a secure Web portal.

Weather.com handles whatever nature serves up - read this white paper.

RagingWire, which spent the last eight years offering co-location to enterprise-class customers from a 200,000-square foot data center in Sacramento, Calif., has announced a new business unit called StrataScale for smaller customers that prefer to offload the burden of managing their own IT resources.

"Customers told us they wanted more services. They wanted us to take over these layers of infrastructure," says Douglas Adams, vice president of sales and marketing.

RagingWire says its high-end enterprise customers are still looking for pure co-location services, in which the customer rents space and brings in its own equipment. By contrast, the new StrataScale service, known as IronScale , offers dedicated, bare-metal servers along with storage, security and network resources. StrataScale has so far resisted using the ubiquitous "cloud computing" buzz-phrase to describe its services, although its offer of flexible computing resources outside the customer data center would seem to fit that industry segment.

"Analysts are pushing us to use (the word 'cloud'), says Yatish Mishra, CTO and founder of RagingWire. "We're a platform that enables cloud. I'm not sure we're a direct cloud player."

With IronScale, customers rent by the month or year, and can design their own server environments through an easy-to-use interface, company officials say. (Compare server products .)

"The concept is it's completely automated," Mishra says. "You log in through a secure portal and you define what you want. You say I want a Linux box, I want 200GB of storage. I want a firewall, and you say 'go.' In three minutes the whole environment is built. We break down all the components in the physical world. We break down the server, the storage, the network, the firewall, security, VPN, and you can assemble them any way you want."

by James Urquhart

As a former employee of Sun Microsystems, I've been fascinated for some time about what the cloud can do for its troubled fortunes. The company has amazing cloud DNA, in terms of technology and talent.

Sun is a company of engineers founded by engineers to engineer for engineers. They've got the technology chops to do something great here, as can be evidenced by some of the interesting things to come out of Sun Labs in the last year or two.

In the last few weeks, Sun finally took direct action for the cloud, and it reorganized its software division to take the cloud challenge head-on. So it was with great anticipation that I listened on Tuesday to a discussion between Dave Douglas and Lew Tucker about Sun's interpretation of the cloud market, and Sun's potential place in it. (The slides are also available.)

This was more of a "placeholder" presentation-certainly not a major announcement-but Douglas and Tucker laid out a foundation of concepts, and then outlined how Sun can work to address the opportunities this market creates.

This, of course, is a little disappointing, though completely understandable. Disappointing because we are seeing the dawn of cloud-computing giants, some created from the elegant artistry of the entrepreneurial engine, some crafted by the brute force from the clay of existing IT giants.

Microsoft reinvented itself in a single event. So did Salesforce.com. There are dozens of start-ups in the space-maybe more, depending on how you define it. So for Sun to simply say, "hold on, we're working on it"-in a simple Web event, for that matter-risks being a bit boring.

It is an understandable position to take at this time, however, considering that the pressure must be on to say something without having all of the details worked out. How do customers approach Sun? As a cloud provider (ala the recently suspended Network.com)? As a systems provider? As a cloud infrastructure provider? This presentation seemed targeted at answering that minimal question for customers, the press, and the general market.

Sun Microsystems announced a new version of Sun xVM VirtualBox, its free and open source desktop virtualization software for developers and enterprise users.

xVM VirtualBox software lets users create "virtual machines" into which they can install their operating system (OS) of choice. As a result, users can access their favorite software using any OS and developers can build, test and run cross-platform, multi-tier applications on a single laptop or desktop computer. xVM VirtualBox software supports popular host OSs, including Windows, Mac OS X, Linux, Solaris and OpenSolaris.

A key component of Sun's desktop-to-datacenter virtualization portfolio, xVM VirtualBox 2.1 software, a 30 megabyte download, features a number of new enhancements, including: accelerated 3D graphics, improved network performance, and storage support. In addition, xVM VirtualBox 2.1 software offers improved support for:

Mac OS X on Intel Virtualization Technology (VT-x), VMware's and Microsoft's Virtualization Formats, Intel Core i7 processor, and 64-bit guest OS on 32-bit host platforms.

by Rik Myslewski

IEDM You call it flash memory. The engineers at this week's International Electron Device Meeting (IEDM) in San Francisco call it non-volatile memory.

According to Stefan Lai of BeingAMC, there's plenty of money to be made in non-volatile memory, whether it's based on the common flash technology or on emerging replacements. A cool $20bn was spent on non-volatile memory in 2008, with $25bn expected next year, financial Armageddon or no financial Armageddon.

There's one big problem, though: Current non-volatile technology is running up against a "natural limit," Lai said during an IEDM talk entitled "Non-Volatile Memory Technologies: the Quest for Ever Lower Cost". And, no, it's not that it is getting harder and harder to make smaller and smaller non-volatile memory chips. Lai says that the lithographic technologies needed to shrink the chip elements are good down to at least 22nm, maybe even further.

No, the problem is much simpler - and more intractable - than that. Memory-cell sizes are getting so small that they soon won't have room for enough electrons to keep the non-volatile memory, well, non-volatile.

"When I started," the veteran memory designer said, "I had a hundred thousand electrons [in a cell], so if I lost one per day, I had no problem." Today, there's a problem. As Lai puts it, in upcoming memory cells, "you're counting tens of electrons."

It doesn't take a statistical genius to see that losing one electron out of tens will be a far bigger deal than losing one electron out of 100,000. The problem will be - do the math - 10,000 times bigger.

Something needs to be done - and it needs to be done cheaply and reliably. Chip elements are now around 1000 times smaller than they were when non-volatile memory started to make its move in the mid-1980s. Prices have shrunk as well - they're now about one two-thousandth of what they were in 1986, said Lai.

According to Lai, the $1-per-gigabyte price threshold is the "tipping point" for flash acceptance - and he made a point of saying "and as those of you in business understand, price and cost are not the same thing." We're at that $1/GBybte point today - and there's no going back.

So how will the non-volatile industry keep things cheap while continuing to expand capacity? Before you read on, be forewarned: The acronyms will come thick and fast.

by Tom Kaneshige

Server virtualization is supposed to save buckets of cash, largely from server reduction. After all, consolidating some 20 physical servers to three host servers means less hardware, power and cooling, and management overhead.

But wait! The math is much trickier than that – and unless you're a large business, there's a good chance it'll cost you more than you save, at least from the outset. "Probably 50 percent of the small- and medium- business virtualization implementations I see are not cheaper than simply replacing the physical servers already there," says Matt Prigge, a virtualization consultant and InfoWorld Test Center contributor.
Let's do the math. If you buy 20 spanking-new servers at $5,000 to grow your datacenter or replace your current boxes the traditional way, that's a $100,000 outlay. Server virtualization's cost equivalent: three powerful host servers with hardware memory chips from the likes of AMD or Intel at $16,000 each; a SAN at $40,000; and assorted costs in staff training, management software, virtualization licenses, and consultants. That'll all run about $100,000 as well. (Operating systems and apps aren't included, but their costs are the same for either approach.)

Shared storage investments and new Intel or AMD servers, along with redundant network connectivity upgrades, constitute the lion's share of the cost of virtualization. Software licenses from vendors such as EMC VMware, Microsoft, and Citrix – though several thousand dollars per host server – pale in comparison with these infrastructure costs, though you do have to factor in ongoing maintenance costs.

by Timothy Prickett Morgan

Over the years, the server virtualization strategy at Sun Microsystems has been spotty, but recently it has been evolving to include a variety of new techniques. Dynamic domains, Solaris containers, logical domains, and on x64 iron, support for Xen and ESX Server hypervisors are all part of the fare now.

Sun bought its way into the desktop virtualization arena this past February, and it is determined to be a player here, too, even if its own desktop - well, workstation - business has pretty much dwindled to nothing.

The 8 million downloads of VirtualBox - half of them since Sun took over German software company Innotek - make Sun a player of sorts in desktop virtualization, which is even greener (in terms of youth, not energy efficiency) than server virtualization. Innotek launched a virtual machine hypervisor for Windows, Linux, and Mac OS X desktops and laptops just a little under two years ago, and oddly enough got its start creating virtualization products for IBM's and Microsoft's jointly developed OS/2 operating system.

The product was rebranded xVM VirtualBox in May when the 1.6 release came out. At that time, Sun gave VirtualBox native Solaris support, which means that Solaris 10 (the commercial version of Sun's Unix) or OpenSolaris (the development version) can act as either a host operating system for the VirtualBox hypervisor or run as guest environments atop the hypervisor, which itself runs on the host OS. (VirtualBox is not what is called a bare metal hypervisor, like VMware's ESX Server, that allows multiple operating systems to run side-by-side while still thinking they own all of the hardware in the box, which they do not.)

VMware Server, the freebie hypervisor, and VMware Workstation, the desktop variant from that company, run atop a host operating system, just like VirtualBox does. The practical difference between the bare metal and host-guest hypervisors is that the guest operating system is a single point of failure for all of the partitions on the machine, while the less-complex hypervisor is (presumably) using less resources and is more rugged, stable, and secure. That's the theory, anyway.

To my way of thinking, a hypervisor has all the same issues as a host operating system and only benefits from its simplicity and obscurity. Like ESX Server, VirtualBox doesn't require the hardware-assisted virtualization electronics in the latest x64 chips (Intel VT on Core and Xeons and AMD-V on Opterons) to work, but it can make use of these features to support ancient operating systems, such as OS/2.

With VirtualBox 2.1, Sun is tapping the Intel VT-x (the variant of VT for x64 chips) to boost the performance of the Mac OS X operating system when it's being used as a host for OS X and other operating systems running the VirtualBox hypervisor. The 2.1 release also providers support for the desktop variants of the "Nehalem" processors, known as Core i7, and their related QuickPath Interconnect.

Sun is also adding experimental support for the OpenGL 3D graphics acceleration for Windows guests running VirtualBox, and this 3D support gets passed through from host operating systems (Windows, Mac OS, Linux, or Solaris) to the Windows guest operating system. Only 32-bit Windows Vista and Windows XP guests can access this OpenGL support, and the Direct3D alternative from Microsoft is slated for a future release.

The OpenGL support will make Google Earth work properly, which is a very important feature (that was sarcasm), and the future Direct3D support will make Microsoft virtual Earth work, too.

The tweaked VirtualBox will also allow a 32-bit host operating system running on 64-bit hardware to support a 64-bit guest operating system; you'll notice this support is experimental, if you read the release notes carefully. Sun also says that it has "improved" support for VMware's VMDK and Microsoft's VHD virtual machine disk formats along with the program's own VDI native VM disk file format.

VirtualBox can also import VMDK and VHD virtual machines (provided the guest OS levels are supported) and do snapshots of the VM files in these three formats. Sun says VirtualBox 2.1 also has tweaks to improve virtual network performance, and sports an iSCSI initiator driver that allows VirtualBox to access VM images stored on iSCSI disk arrays.

You can get VirtualBox 2.1 here, and if you want, you can grab the open source code and play around with it. Sun also offers 24/7 premium support contracts for VirtualBox, which run $30 per user per year.

Interestingly, Sun says that VirtualBox downloads have more than doubled compared with last quarter and that user registration is up 24 per cent. (There are 8 million cumulative downloads of all VirtualBox releases to date, but only 2.5 million registered users. People don't like to fill out forms.)

Sun has given no indication as to how much - or how little - money VirtualBox generates. And the company has yet to explain where VirtualBox will fit into its server virtualization strategy, if at all, in the long term. ®

by Gordon Haff

About this time last year, I took a look back at some of the macro trends that hit their stride during 2007. I thought it would be interesting to see which of those trends are still noteworthy, which new ones are on the radar, and generally how the landscape has changed.

Server virtualization remains perhaps the hottest trend in IT. It may no longer be pegging the hype meter quite as hard, but that's only because server virtualization has moved into the mainstream. It's ever more clearly one of those fundamental developments that touches and transforms all manner of associated technologies, products, and processes.

To be sure, lots of virtualization customers are still using it for relatively straightforward server consolidation, but more and more are also implementing high availability and other services on top of a virtualization foundation. One notable event during the year was the ouster of Diane Greene from VMware's helm, but so far, neither this nor Microsoft's increasingly aggressive virtualization efforts have had a substantial impact on VMware's position as market leader.

This trend continues to gather pace, albeit in a relatively measured way, with security and compliance often the primary driving force. Most major virtualization players have steadily broadened their portfolios to encompass both client-side and server-side virtualization, taking advantage of one with the other.

Power and cooling, or more broadly, "green," remains at the same relatively nascent level as last year, when I wrote that "power and cooling is increasingly something that IT staffs think about-even if, in most cases, they're not the absolute top-of-mind worry that is sometimes suggested."

Intel's resurgence continued in 2008, as it ramped its 45-nanometer processors. For its part, Advanced Micro Devices did take steps to repair the damage caused by its delayed "Barcelona" processors. Its 45nm "Shanghai" processor shipped ahead of schedule, lending credence to company claims that its development and manufacturing processes were back on track.

Open source and open-source licenses certainly didn't go away in 2008. But I don't really view them as a trend at this point any more than programming languages or databases. They're just part of the software landscape--a way to develop and market software.

And that's really the trend that emerged in force this year: "cloud computing," a term that I use to refer broadly to using software services or infrastructure over the network.

To be sure, there's more vendor hype (and consumer use in the guise of Web 2.0) than there is enterprise adoption. And I strongly suspect that will remain the case for quite some time. Part of the reason is that deployments will tend to happen with new applications rather than legacy ones.

However, more broadly, enterprises will want to understand and have the tools to manage attributes such as security, compliance, and portability (including the ability to run applications on-premises, off-premises, or a combination of the two).

Is cloud computing a legitimate trend? Yes. And it will be a long-term trend, so just count this as a start.

by Sam Dean

Slowly but surely, major laptop vendors are taking to the idea of shipping systems with pre-loaded open source operating systems. The latest case in point is Toshiba-one of the longest-standing players in the market for portable computers-and its new plan to pre-install Sun Microsystems' OpenSolaris on its laptops. The machines are supposed to ship in early 2009, and will join several new Linux-based systems that Dell is shipping, and many Linux-based netbooks arriving from various hardware manufacturers. Will this trend continue?

As I see it, a huge part of the trend toward open source operating systems on portable computers is extreme price-consciousness among buyers. For only a little more than you pay for a Linux netbook, you can get a laptop with more hardware resources running Windows. But the fact is, the machines running open source software are cheaper-and cheaper is cheaper in this economic environment.

I'm not so sure how popular laptops running OpenSolaris are going to be. Sun has struggled to gain adoption for the operating system. But one of the reasons Linux-based netbooks are selling so well is that they come pre-installed with lots of useful open source software applications. That's the key one-two punch in the eyes of the buyer: "I save money on the hardware running the open source operating system, and I pay no money for useful applications."

Lenovo and other hardware manufacturers aren't buying into this trend as quickly as others, but as long as people stay so careful with their pennies, market share for portable computers running open source software is going to increase. eWeek has some interesting corroboration of the trend, coming from IBM. The next shoe that is likely to drop will be the availability of more offers like the Acer Aspire One netbooks now available at Radioshack for $99. These require you to sign a monthly broadband contract with AT&T for $60 a month, but the buy-in price for the hardware is low. The Acers run Windows XP, but I won't be surprised to see Linux-based systems offered at rock-bottom prices with these types of contracts as well.

by Chris Mellor

Sun and flash memory vendor Micron have collaborated to extend the life of enterprise flash memory to one million write/erase cycles, higher than any other NAND technology available.

Enterprise flash is a term used to denote flash memory used in servers as a cache or solid state drives (SSD), and storage arrays as SSD replacement hard drives or as controller cache.

Micron says a new single level cell (SLC) NAND technology is involved in this Enterprise NAND, and that production devices are capable of achieving the million cycle mark. Specific write and read speeds of flash using this new technology aren't revealed but SLC flash is inherently faster than multi-level cell (MLC) flash and Micron has announced fast NAND chips recently.

The company spokesperson said: "Read speed is similar to existing SLC NAND. While there is a write-performance penalty for extended-cycling NAND the penalty varies by product and process technology, so I can't provide an actual number. But keep in mind that the applications that will take advantage of this technology will be less sensitive to write performance, because they either write in the background, which doesn't impact system performance, or they have very large arrays that essentially spreads the write delay out among multiple NAND channels (parallelism)."

Brian Shirley, Micron's memory group VP, said: "We expect this technology to revolutionize the enterprise storage hierarchy and be adopted by a wide range of transaction-intensive including solid state drives and storage disk as well as networking and industrial."

Sun has previously worked with Samsung on a similar flash write/erase cycle extension initiative. The write/erase cycle life was extended tenfold in that one which we thought meant about 50,000 cycles.

by Declan McCullagh

When the U.S. Department of Homeland Security was created, it was supposed to find a way to respond to serious "cybercrises." "The department will gather and focus all our efforts to face the challenge of cyberterrorism," President Bush said when signing the legislation in November 2002.

More than six years later, and after spending more than $400 million on cybersecurity, DHS still has not accomplished that stated goal. "We need to have a plan tailored for a cybercrisis," DHS Secretary Michael Chertoff said on Thursday.

Chertoff told a conference in Washington, D.C., that creating such a plan first requires "a clear awareness of exactly what the dimension of the threat was," meaning the ability to detect intrusions in real time, and probably means taking some of the existing plans for physical attacks and "adapt them and some of the basic principles" to electronic threats.

"I do think that we have work to do in figuring out how to tailor something specific for cybersecurity in the same way that we've done it for natural disasters or terrorist attacks or things of that sort," he added.

Because only a few weeks are left in the Bush administration, any further work will be left to the administration of President-elect Barack Obama.

by Ellen Messmer

IT pros are upbeat about virtualization and the benefit of server consolidation, whereas security experts harbor doubts about the security role the hypervisor can play
Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute - which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies - shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey's 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90 percent in both the IT and security camps saying they were "familiar" or "very familiar" with virtualization.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft, and Citrix Xen, is bringing them the benefit of server consolidation.

"We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers," says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn't raised red flags as far as security requirements. The main concern, he says, is "from a performance standpoint - the CPU and memory and disk I/O - in sharing a large box," with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There's a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

"The security for the virtualization itself is way, way behind," says Nelson Martinez, systems support manager for the City of Miami Beach, who is responsible for IT security in systems used by the city's 2,000 employees. Martinez says the city does make use of VMware for some Web servers, but "I would never host any kind of database or my e-mail server in that environment." There are performance and maintenance issues in running traditional security applications for each VM host application on each physical machine, while the industry still seems to be sorting out the security role the hypervisor can play, Martinez notes.

by Stephen Lawson

The storage story of 2008 was growth: An accelerating explosion of information, much of it in the form of video, led IT administrators to try to make better use of their capacity and staff.

Overall demand for storage capacity is growing by about 60 percent per year, according to IDC. Another research company, Enterprise Strategy Group, pegs the annual growth rate of data between 30 percent and 60 per

"Organizations are having a hard time getting their arms around all that data," said ESG analyst Lauren Whitehouse. Economic woes are making it even harder, with frozen or scaled-back budgets, while the downturn isn't expected to significantly slow data growth next year.

Stuck in that bind, organizations don't want to have to roll out a gigabyte of capacity in their own data centers for every new gigabyte that's created, analysts said.

"What we'll see more of in companies is a focus on efficiency," IDC analyst Rick Villars said. They're seeking to increase the utilization of their storage capacity as well as other IT resources.

A big part of that effort is virtualization of storage, which often goes hand in hand with server virtualization and became a mainstream technology in 2008, according to analyst John Webster of Illuminata. Storage vendors are offering more virtualization products and seeing more demand for them, he said. A virtualization capability such as thin provisioning, which lets administrators assign storage capacity to a new application without having to figure out how much it ultimately will need, helps make better use of resources, Webster said.

But in addition to the trend toward disconnecting logical from physical resources, there were a handful of acquisitions this year that signaled other trends in storage world.

by John Leyden

Crooks are increasingly becoming aware of the possibility that digital evidence might condemn them, raising the likelihood that devices containing potentially sensitive information will wind up being destroyed. For example, data recovery firm Disklabs successfully recovered images from a CCTV camera trashed by an arsonist attempting to cover his tracks following a fight in a nightclub.

"If a suspect has a hard drive/CD/DVD etc that cannot be accessed for any reason, (fire, water, electronic fault etc), then the police/prosecution cannot investigate the evidence," explained Simon Steggles, a director at Disklabs. "Sometimes, it's the digital evidence that is condemning for the suspect. We get the said device and get it working, following all ACPO's guidelines, ensuring evidential continuity and write blocking is used to ensure that the device is not subsequently written too."

Other times, Disklabs has to carry out data recovery after accidents or after a device is abused by a family pet. A YouTube video featuring Disklabs successful work recovering data from a RAID system following a fire at a factory can be found below. This incident was the result of an accident and unconnected to the nightclub fire, which created a separate job for Disklabs. ®

by Brooke Crothers

Intel is now shipping 160GB solid-state drives as it vies with Samsung and Toshiba to deliver high-capacity SSDs that rival hard-disk drives in capacity. Price, however, remains a big obstacle for many consumers.

Intel said Monday that it will add 160GB versions of its X25-M and X18-M Serial ATA (SATA) solid-state drive. To date, Intel has limited shipments to its 80GB versions. Laptop-size 2.5-inch versions of the 160GB drive are shipping now; 1.8-inch models for ultraportable laptops will ship next month, Intel said.

Larger-capacity drives from other SSD suppliers are also on the way. In November, Samsung said it had begun mass production of 256GB SSDs. And Toshiba recently said it would show a 512GB drive at the Consumer Electronics Show in January that would ship in the second quarter of 2009.

Solid-state drives are generally faster at getting data than hard-disk drives (and in some cases, much faster) but pricing is a big hurdle for consumers. Toshiba indicated last week that sample quantities of its new solid-state will range in price from $220 for the 64GB drive to $1,652 for the 512GB drive.

That kind of pricing-even if it's for pricey sample drives-is hard to swallow when a laptop-class 500GB hard-disk drive sells for well under $200.

Pricing for the Intel 160GB solid-state drives wasn't immediately available. Currently, adding an Intel 80GB solid-state drive option to an HP EliteBook 2530p ultraportable laptop adds $659 over the cost of a 5400RPM 1.8-inch 120GB hard disk drive.

Adding a 128GB solid-state drive to an Apple MacBook Air ups the price by about $500.

by Chris Kanaracus

A Sun Microsystems executive has provided a glimpse into the company's future plans for open sourcing JavaFX, its recently released technology for building RIAs (rich Internet applications) for the desktop, mobile devices and other platforms.

Sun's corporate image is grounded in its embrace of open-source software and some components of JavaFX, including the JavaFX compiler and elements of graphic libraries, are now available under the GPLv2 open-source license, according to the official JavaFX FAQ.

But other key components are still proprietary. Sun is now working to change this, according to a recent blog post by Jeet Kaul, vice president of the Client Software Group.

"There are some dependencies on licensed code that cannot be open sourced. We are working towards decoupling the dependencies so that the non-proprietary portions can be open sourced," Kaul wrote. "We will put the core runtime out in the open over time."

Kaul did not spell out the nature of the dependencies. A spokesman for Sun did not immediately respond to a request for more information Tuesday.

Sun will also publish specifications for new file formats associated with JavaFX, "shortly," Kaul said.

Kaul's blog post came in response to those questions and others posted by Java developer Osvaldo Pinali Doederlein.

The Sun executive also provided an updated road map for JavaFX, writing that the mobile platform - now in beta - will be released "by March" and a visual designer tool will be available in the middle of next year.

While JavaFX will compete with a range of other RIA toolsets, such as Adobe's AIR (Adobe Integrated Runtime) and Microsoft's Silverlight, Sun is banking that Java's pervasive market penetration will give it an edge.

by Jon Oltsik

In spite of the global economic recession, information security will continue to be a dominant IT priority in 2009. Why? There are simply too many threats and vulnerabilities creating a perpetual increase in IT risk.

With that, here is my top-10 list (in no particular order) of technologies and trends to watch for in the new year:

1. The evolving definition of endpoint security: Some analysts have declared that, antivirus software is dead. I disagree and submit that endpoint security is simply evolving as a function of the changing threat landscape.

2. More emphasis on cybersecurity: This year began with the establishment of the Comprehensive National Cybersecurity Initiative (CNCI), an effort to strengthen government networks. While well-intended, CNCI has received minimal funding and support.

3. Increasingly stringent privacy legislation: Privacy advocates like the American Civil Liberties Union and the Center for Democracy and Technology are hopeful that the change in administration will finally lead to more comprehensive national privacy legislation in 2009 and beyond.

4. Security in the cloud: While "cloud" has turned into a vague industry security blanket term, I do believe that 2009 will be a strong year for managed security services.

5. Virtualization security: As server and desktop virtualization continues to proliferate, we will need better security tools for things like role-based access control, virtual server identity management, virtual network security, and reporting/auditing. Citrix, Microsoft, and VMware will lead this effort with partnering support from others like IBM (Project Phantom), McAfee, and Q1 Labs.

6. Secure software development: In 2008, the majority of malicious code attacks targeted applications, not operating systems.

7. Information-centric security: The recent Microsoft/RSA announcement is a sign of things to come. Organizations large and small need to be able to discover and classify sensitive information, apply security policies, and then enforce these policies throughout the network.

8. Ubiquitous encryption: Encryption technologies are more often becoming "baked in" rather than "bolted on." Tape drives now contain cryptographic processors as do hard drives from Fujitsu, Hitachi, and Seagate. And Intel will ship a version of its vPro chip set in 2009 that also supports on-board encryption. In 2009, we will start to see multiple layers of encryption technologies running on top of each other. Good for data confidentiality and integrity but this will also highlight the need for enterprise-class encryption key management--another technology on the 2009 "watch list."

9. Entitlement management: Authentication gets you in the network door, while entitlement management governs what you can and can't do. Entitlement management is currently done on an application-by-application basis but this doesn't scale, is ripe for human error, and is nearly impossible to audit for compliance.

10. Business process security: Securing all IT assets across the enterprise is a daunting task--too big for risk-averse business managers. Rather than rely on IT reports and security point tools alone, line-of-business executives will want more visibility and oversight into their exclusive domains with detailed and succinct portals, reports, and auditing systems.

I'm generally an optimist, but I do have one additional, more gloomy prediction. Given the alarming state of disarray, look for some type of security breach in 2009 that exceeds the TJX incident.

On that cheerful note, happy holidays.

by Gavin Clarke

Optimism drives the IT industry and - in particular - Silicon Valley, a place where people look to the future and try to forget the painful past.

Here, then, is The Register's list of the worst, most cringe-worthy and draw-dropping moments from the last 12 months that people would probably prefer to forget about. Nine wags of the finger plus - because it wasn't all bad this year - one tip of the hat, for balance.

Social network attacks own customers

Customer service has yet to hit Web 2.0, where you have to answer your own technical questions, wading through forums or sending emails to people in "support" who never reply. "Maverick" social networking site Faceparty went a step further, though, by rounding on users who dared to expect it deliver on its promises - in this case, free tools. Faceparty threatened to terminate accounts of "every single twat who moaned about their friggin' free cool tools". "Listen this is our HOBBY, not our business," Faceparty said, helpfully reminding everyone it's a "free fucking site" and not to expect anything.

The Web 2.0 cheerleader who turned on the mob

Last year, Facebook chief executive Mark Zuckerberg earned contempt. This year, it was contempt-by-association for author and former BusinessWeek hack Sarah Lacy during a Q&A with Zuckerberg at the South by Southwest (SWSX) festival that saw Lacy bomb, overstate her own importance, and turn on the audience. Lacy set a new low in the staged Q&A format with a series of soft-ball questions to promote Brand Lacy, and that had Zuckerberg blushing and the SWSX audience shouting their own questions. First Lacy got defensive, shooting back on Twitter: "Seriously screw all you guys. I did my best to ask a range of things". Then she turned to self-pity: "Try doing what I do for a living... It's not that easy" followed by regained confidence that it wasn't really her, it was everyone else who was wrong. "I get this constantly: guess what I'm still employed.. my Amazon rank is higher than ever.. it's the price of being high profile.

Microsoft blames Apple for Windows Vista "lies"

After a year and a half of negative publicity Microsoft decided it was time to mount the great Windows Vista fight back. Brad Brooks, corporate vice president of windows consumer products, bullishly evangelized partners at Microsoft's Worldwide Partner Conference saying there's nothing wrong with Windows Vista and everything bad you've heard is a lie propagated by Apple. Evoking the tear-jerking story of his daughter to just tell the truth, Brooks told partners evil little Apple had pulled a Jedi mind trick on the whole industry and customers by convincing them to buy and support Macs when, overwhelmingly, they were actually sticking with Windows XP. Four months later, the truth came out and Microsoft admitted that - yes - there'd been real issues with Windows Vista, problems it is fixing in the successor Windows 7. It was the classic Microsoft tactic of throwing the older version under the bus to evangelize the new.

Yahoo!'s Yang regrets his Microsoft rejection

The problem with opportunity is you need to recognize the knocking sound it makes on your door. Yahoo!'s chief executive Jerry Yang didn't, and turned down Microsoft's generous offer for his company of $33 a share in June. Pity Jerry, then, that the market tanked three months later pulling down Yahoo!'s share price to less than half what Microsoft chief executive Steve Ballmer had offered. Yang isn't the only man that history will record should have zigged when he zagged when making a tough decision, and he won't be the last. Rather than stand by his decision, though, Yang in November made an unconvincing attempt to lure Microsoft back to the table, saying it would be in that company's interests. With the markets crashing, M&A funds drying up, and Ballmer thanking his lucky stars for not going down as the CEO who bought a grossly overpriced dot-com asset, that ship's sailed.

Ellison's package and an "eye-opening" license hike

Oracle's chief executive Larry Ellison notched up a $72m package in 2008, 12 times higher than the median pay of his technology peers. Ellison proposed, and was granted by Oracle, a 38 per cent raise, making him the second best-paid chief executive officer of any U.S. public company. The package came to light as users of BEA Systems brought into the Oracle family through this year's $8.5bn acquisition, were welcomed with a 47 per cent hike in their licensing fees. Eric Savitz, an individual used to the machinations of corporate America reporting for TechTrader Daily, blushingly called this an "eye-opening development".

"Visionary" Michael Dell turns Dell-Boy Trotter

In an industry like IT, if you are billed as a "visionary" before you get up to talk you'd better have something good to offer. Step up Michael Dell, introduced as a "visionary" by Marc Benioff, CEO of Salesforce.com - a Dell customer - at Dreamforce in San Francisco. Dell was introduced in the same breath as Benioff recalled the appearance of Colin Powell at a previous Dreamforce event, and who Benioff also called a visionary. You might remember Powell: a four-star general who served as secretary of state under George W Bush. After opening with the intriguing premise of investing in, rather than cutting spending on, IT during a down economy Dell coupled his thesis to the need to buy. Buy what? You guessed it: Dell equipment. Dell proceeded to invoke the spirit of another great Dell - Dell-Boy Trotter - by wheeling out all manner of goodies to close the sale. The pitch came as Dell pressured workers into taking unpaid leave, to cut costs. No wonder people streamed out of the visionary's keynote.