Recent News

  2009/11/24
News for November 24
Last changed: Nov 24, 2009 15:26 by Elena_Levashova
TheRegister: Data centres: what are the new skill sets?

by Team Register

The commoditisation of certain technologies once found only in high-end servers has changed the face of IT. Once upon a time only the most high end systems had the kinds of remote management, live workload transfer, high availability and "sandboxing" that all but the smallest IT shops have started to take for granted.

Not long ago the ability to remote-manage a commodity server outside the OS was a pipe dream. Today the purchase of hardware without such considerations is almost inconceivable. IPKVMs and Lights Out Management (LOM) solutions are increasingly affordable and becoming a standard component in all business class systems. (Think VPro and AMT.)

Virtualization management suites can give you the ability to turn your collection of x86 and x64 servers into something that behaves very much like one big computer. You can fill this "meta computer" with VMs, each of which can serve as a sandbox for a given workload. VMs can be moved from node to node on-the-fly. Neat tricks like mass clone deployment or high-availability are now commonplace.

While all of the above has many consequences, the take-home message here is that the technology available today is enabling any given number of administrators to care for a greater number of servers than ever before. For all intents and purposes the traditional "grunt work" of IT has been largely automated away.

In large organisations this often means IT administration services become concentrated in a central location which no longer has to be physically near a datacenter. Small numbers of "rack monkeys" are left to man the datacenters and swap out the dead bits. As new technologies allow IT departments to become leaner, the altered administrator-to-server ratio merely increases the burden of responsibility placed on each administrator.

For the moment, smaller organisations still cling to "jack of all trades" administrators. Though features like LOM and virtualisation are increasingly common, the management tools to really make them shine are often outside the reach of an SME budget.

A management tool licensing stack costing half again as much as the hardware of your 2-socket server is still finding a hard sell here. Costs of these tools are however dropping, and effective remote management of SME IT services by third-parties is increasingly a viable consideration.

These technologies are inducing a massive change in the demand for skills among administrators. As smaller numbers of specialist administrators are increasingly able to manage larger numbers of more complex systems, the "jack of all trades" administrators have become an endangered species. The commoditisation of server management tools has thus begun a true commoditisation of the various skill sets of administrators.

Adam Salisbury
Systems Administrator

The pace at which technology evolves has always led staff across the whole of the IT industry in a perpetual chase for skills, knowledge and experience, and just as you've mastered the latest industry development the 'next big thing' is already looming large on the horizon. One technology, largely disregarded until recently, is power management technology. The race for the highest performance figures is fast becoming a race for the most efficient performance figures.

While the steady refinement of individual power management puzzle pieces does continue in the form of more efficient hardware and better firmware, there are now entire suites of software being developed to manage the power of entire estates, from out-of-band embedded software reporting on individual server power consumption to advanced IP-aware dynamically adjusted UPS systems able to communicate with one another at branch office level to make better use of the juice. Gone are the days where power management simply meant duplicated mains supplies, generators and batteries.

Even the big server virtualisation players have developed systems which can dynamically shift workloads between hypervisors during periods of low demand and power down the servers not currently in use. For the small players the onus is normally on one or two system administrators to learn, deploy and manage these technologies, whereas for some enterprises such a technology deployed in a large-scale environment will result in entirely new teams of operations staff being formed to manage what is fast becoming another 'dimension' of IT.

In terms of the impact on staff of these fledgling technologies, as with virtualisation for instance, the level of knowledge and skills currently required to make effective use of the technology is fairly low in comparison with other areas. Converting from Active Directory to eDirectory, for instance, would present a far bigger issue in terms of a knowledge or skills gap than picking up a brand new technology. That said, with all that is currently expected of an average support technician in an average support role, it's still a big challenge.

In many cases assessing the impact of new technological requirements upon those who must support them is inherently difficult, not least because knowledge and skills can be somewhat subjective to measure. The majority of a technical workforce is well prepared and equipped to self-learn to an extent, requesting further formal training only when they've achieved all they can on their own.

Currently the vendors of these advanced power management systems do offer training on such products, but more mainstream training is still in the making: no doubt in the future as such technology becomes commonplace and essential rather than merely advantageous as it is now, a world of support and learning will rise up around it.

For now at least, the best way to prevent overwhelming the operations staff is to research, learn and adopt such technology early and thus close, as far as is possible, any gap that may exist within the organisation. Be ready to capitalise on the technology when the tools to wield it do become available.

Tony Lock
Programme Director, Freeform Dynamics

It is correct that many new server and, especially, server virtualisation systems offer the ability to manage systems far more dynamically than ever before. Indeed, it is fair to say that until now the primary mandate adopted by most IT organisations has been "if it is not broken, leave it alone". The capabilities inherent in many systems to move workloads around very quickly or to create and take down virtual servers and their associated workloads in a matter of minutes open the door to new operational modes.

At the heart of the matter is the question of server resource allocation and how to obtain "optimal" benefits from the systems at hand. From a skills perspective there is still the need to be able to monitor and manage the complex systems at all levels of their operations. But the very idea of being able to alter the configurations of systems as a routine part of standard operations will eventually demand that new skills, or at the least new operational procedures, be put in place.

Chief amongst these will be some way of selecting what proportion of available resources is allocated to each application in the dynamic infrastructure. Clearly if the infrastructure has more resources than can be consumed under any likely workload scenario, there will not be too many demand clashes to handle.

But if - as is likely - organisations seek to limit the overall size, and hence cost, of the IT infrastructure, there will be times when someone will need to decide how constrained resources are allocated. This will require good "vision" of the likely business consequences of such choices.

Thus the IT department will need to possess the skills and monitoring tools to make such judgments, or put some form of automated policy prioritisation processes in place. Getting hold of either of these will require no small measure of communication and diplomatic skills as well as a good handle on business reporting systems.

Iain Beckingham
Manager of the Enterprise Technical Specialist team in EMEA, for Intel.

With new servers and technologies such as virtualisation, data centre skillsets are evolving. The new frontier of cloud is pushing IT departments and data centre staff to move their skill set from the traditional single server, single OS, single application to a new level.

The sharing of resources like computing, networking and storage across different OSes and applications has a huge impact. Managing such a dynamic IT infrastructure requires a new, global approach to and awareness of the data centre.

Think back several years: if a user wanted to measure performance on a database, they just needed to look at the number of transactions per second. To find a CPU bottleneck it was enough to have a look at the CPU load.

Nowadays, that same database may be virtualised on a server with virtual networking and virtual storage. Identifying the bottleneck(s) becomes harder.

Although the skillsets are changing, the skillsets of IT staff need to converge as the resources do. People dealing just with servers and OSes in the past now need to know about networking and storage; network administrators will not be able to ignore storage and the virtual computing environments, and storage administrators will also need to open up to networking and computing to fully understand the needs of modern computer infrastructures.

Intel is helping to make things more transparent and less complicated through technology features in the platform, e.g. Intel Virtualisation Technology. However, this also means that the skillsets of IT staff will need to evolve.

InfoWorld: New guide explains ins and outs of server virtualization

by InfoWorld staff

InfoWorld released today the fifth entry in its "Deep Dive" series of special PDF reports, covering the now-crucial area of server virtualization. InfoWorld, a Web-based publication devoted to emerging technology and hands-on business tech expertise, had previously released "Deep Dive" reports on cloud computing, Windows 7, enterprise iPhone, and next-gen mobile devices, as well as a quick-start guide to Windows 7.

You can download the "Server Virtualization Deep Dive" report from InfoWorld.com at no cost.

The new report features independent InfoWorld Test Center reviews of the two leading server virtualization products, EMC VMware's vSphere and Microsoft's Hyper-V, as well as several articles with expert advice on how to deploy server virtualization, from coming up with the right implementation strategy to reusing old servers after you've migrated to virtualization.

More information on InfoWorld's "Deep Dive" reports and other editorial reports is available at InfoWorld.com. InfoWorld also has a set of interactive tools for users, including a tracker of real-world Windows usage and configuration trends, a smartphone selector tool, and an iPhone apps finder for business and IT apps.

CNet: Find great holiday recipes online

by Don Reisinger

Now that the holidays are upon us, many of us are considering what kind of food we'll be making. Sure, we might start out with the turkey on Thanksgiving, but what about desserts or appetizers? Finding help from online resources is certainly welcome.

That's why I've decided to take a look at several recipe sites. If you're getting together with family over the next month to celebrate a holiday and you plan to cook, this roundup is for you.

Get your cooking on

AllRecipes

AllRecipes is one of the best places to check out holiday recipes for your family. You can either click on a specific holiday you're planning to cook for or you can sift through its many recipes for regular days. It's a nice site.

The first thing that struck me about AllRecipes was its design. Finding recipes is quick and easy. Plus, thanks to a handy navigation pane both in the left sidebar and in the header, I was able to drill-down into what I was looking for without much trouble. Since I was searching for holiday recipes, I started there.

I was pleasantly surprised by the selection. And thanks to the option of choosing recipes based on ratings (the top-20 tab was my favorite) or when they were added to the site, I was able to find recipes that matched what I was looking for. I really liked AllRecipes. It's well-designed and its recipes are great.

Chow

Chow might be best known for providing information on good eating around town, but the site also has a nice selection of recipes.

Chow's selection of recipes won't be as big as other services in this roundup. (It's not dedicated only to recipes, after all.) But what it lacks in quantity, it makes up for in an outstanding selection of really good recipes. What's best about Chow is the way in which you choose recipes. You don't have to just search the site to find what you're looking for. You can find options based on ingredients, the type of cuisine you're in the mood for, or based on tags that are placed on all recipes. You can also pick which course you want to make a meal for.

When I used the site, I found that many of the options were right up my alley. Since I eat Italian food often, I was quite happy with the site's selection. Try out Chow. I think you'll like it.

Epicurious

Epicurious has the best holiday grouping of recipes of any site in this roundup. Not only does it provide some favorites that you might have already heard of, the site lists some new recipes that you'll definitely want to try.

Epicurious does the best job of any site in this roundup of organizing content based on what you're looking for. Since I was searching for holiday recipes, I clicked on that. I then chose the holiday I wanted to make something for and I was pleasantly surprised by just how many items the site made available. It included everything from new ways of making stuffing to appetizers I'd never heard of before. Each recipe can be rated by users to help others determine if it's worth using it or not. You can even write a detailed review. Overall, Epicurious is a really decent site.

Food Network

Since the Food Network has a television presence, it might be one of the most-trafficked recipe sites on the Web. But it earns that traffic with outstanding recipes for any occasion.

If you're looking for holiday recipes, Food Network is a great place to start. Aside from a grouping of holiday recipes placed prominently on the site's home page, you can also search for specific kinds of recipes. When I searched for recipes, I found thousands of possibilities. It was great. If you're looking for some of the best recipes from outstanding chefs, Food Network is a fine resource.

Posted at 24 Nov @ 3:20 PM by Elena_Levashova | 0 Comments
  2009/11/23
News for November 23
Last changed: Nov 23, 2009 14:27 by Elena_Levashova
TheRegister: IE bug leaks private details from 50 million PDF files

by Dan Goodin

A bug in Microsoft's Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The documents stored in Adobe's PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.

Google searches such as this one (http://www.google.com/search?hl=en&q=filetype%3Apdf+file+c+%28htm+OR+html+OR+mhtml%29&btnG=Search&aq=f&oq=&aqi=) expose almost 4 million documents residing on users' C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

"If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used," he told The Register. "That actually invades the privacy of a user."

The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn't always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

This PDF (http://wids.matcmadison.edu/10150170.pdf), for example, was stored at C:\Program Files\Wids7\WizardReport.htm at time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential.

The only way to remove the path is to erase the text in an editor and save the document.

All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. "We can confirm that this is not a vulnerability," she wrote in an email. Adobe representatives didn't reply to requests for comment. Inferno's report is here (http://securethoughts.com/2009/11/millions-of-pdf-invisibly-embedded-with-your-internal-disk-paths/). ®
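As an added defender-side example (not from The Register or from Inferno's report), the scanner below flags Windows drive paths embedded in a PDF's plain text and in its Flate-compressed streams, so a document can be checked before it is published; the sample PDF bytes are constructed here, and the severity labels and the `jsmith` profile path are assumptions for illustration.

```python
"""Scan a PDF's bytes for embedded Windows local paths (added example)."""
import re
import zlib
from typing import Dict, List

# A Windows drive path in plain text, optionally prefixed with file://
# (IE writes the printed page's URL into the page footer). The match stops
# at line ends, PDF string delimiters and quotes; spaces are kept because
# paths such as C:\Program Files contain them.
WIN_PATH_RE = re.compile(rb'(?:file:/+)?([A-Za-z]:[\\/][^\r\n\t()<>"\']+)')

# Profile directories whose next component is the Windows login name.
PROFILE_RE = re.compile(
    r'^[A-Za-z]:[\\/](?:Users|Documents and Settings)[\\/]([^\\/]+)',
    re.IGNORECASE)

# Body of each "stream ... endstream" object (lookbehind skips "endstream").
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\nendstream', re.DOTALL)


def inflate_streams(pdf_bytes: bytes) -> bytes:
    """Replace every Flate-compressed stream body with its decompressed
    text so that page content streams can be scanned as well. Streams
    that do not inflate (other filters, images) are left untouched."""
    def repl(m):
        try:
            return b'stream\n' + zlib.decompress(m.group(1)) + b'\nendstream'
        except zlib.error:
            return m.group(0)
    return STREAM_RE.sub(repl, pdf_bytes)


def find_local_paths(pdf_bytes: bytes) -> List[str]:
    """Unique Windows paths found anywhere in the inflated PDF data,
    in order of first appearance."""
    found: List[str] = []
    for m in WIN_PATH_RE.finditer(inflate_streams(pdf_bytes)):
        # Inside PDF literal strings a backslash is written as "\\"; undo that.
        path = m.group(1).decode('latin-1').replace('\\\\', '\\').strip()
        if path not in found:
            found.append(path)
    return found


def classify(path: str) -> Dict[str, str]:
    """Describe what a leaked path gives away. The severity levels are an
    assumption made for triage, not something the article defines."""
    info = {'path': path, 'reveals': 'local directory layout', 'severity': 'low'}
    m = PROFILE_RE.match(path)
    if m:
        info['reveals'] = 'Windows login name "%s"' % m.group(1)
        info['severity'] = 'high'
    elif re.match(r'^[A-Za-z]:[\\/]Program Files', path, re.IGNORECASE):
        info['reveals'] = 'installed software'
        info['severity'] = 'medium'
    return info


def scan_pdf(pdf_bytes: bytes) -> List[Dict[str, str]]:
    """Findings for one PDF; an empty list means nothing to clean up
    as far as this check goes."""
    return [classify(p) for p in find_local_paths(pdf_bytes)]


def build_sample_pdf() -> bytes:
    """Constructed stand-in for an IE-printed PDF: a Flate-compressed page
    stream carrying the printed footer (the path quoted in the article)
    and a plain-text Info dictionary with a made-up profile path. It is
    not a complete PDF for viewers; it is enough for the scanner."""
    footer = b'BT (file://C:\\\\Program Files\\\\Wids7\\\\WizardReport.htm) Tj ET'
    body = zlib.compress(footer)
    header = b'%PDF-1.4\n'
    obj1 = (b'1 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n' % len(body)
            + body + b'\nendstream\nendobj\n')
    obj2 = (b'2 0 obj << /Title (C:\\\\Documents and Settings\\\\jsmith'
            b'\\\\Desktop\\\\invoice.htm) >>\nendobj\n')
    return header + obj1 + obj2 + b'%%EOF\n'


if __name__ == '__main__':
    for finding in scan_pdf(build_sample_pdf()):
        print('%(severity)-6s %(path)s  (%(reveals)s)' % finding)
```

Run against a directory of PDFs before they go on a public web server; anything reported should be cleaned as the article describes (erase the text and re-save) rather than relying on a viewer not showing it.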

InfoWorld: Ruby shining on Java, Windows, and Mac OS

by Paul Krill

Ruby, the popular open source dynamic language, is making headway not only on Java but also on the Windows and Mac platforms.

Appearing at the RubyConf event in Burlingame, Calif., on Friday afternoon, Engine Yard officials offered insights on JRuby, which puts Ruby on the JVM (Java Virtual Machine). JRuby also functions with Windows. Apple personnel at the conference detailed MacRuby, which puts Ruby on Mac OS.

JRuby 1.4.0 was released November 2, featuring a native executable capability for Windows.

"Over the years, we realized that we've been basically ignoring the Windows platform because we don't really like the Windows platform," said Charles Nutter, co-leader of the JRuby project with Thomas Enebo at Engine Yard [3]. Both previously led the project at Sun Microsystems.

But most of the world's developers still run Windows, especially in the Java world, said Nutter. Proponents of JRuby are going to have to make sure it can work on Windows, Nutter said. "We finally realized we can't ignore that side of the world," he said.

"I think JRuby may actually be the easiest way to run Ruby on Windows right now," said Nutter. JRuby previously has worked on Windows, but version 1.4.0 cleans up a lot of bugs pertaining to Windows, Nutter said.

Also featured in the JRuby upgrade are more than 300 bug fixes and an embedding API.

Future plans for JRuby include cleaning up performance issues, offering a new optimizing compiler and JVM integration parity with other languages, such as Groovy. Also planned is support of the Java 7 invokedynamic capability, to improve how Ruby does method calls. Code will run faster via this capability.

"JRuby really is the enterprise Ruby," Nutter said. Plans also are moving forward to enable development of JRuby applications via Engine Yard's cloud platform, he noted. JRuby also works on Google's Android platform.

Separately from JRuby, IronRuby exists as a version of Ruby for Microsoft's .Net framework, relying on the Microsoft Dynamic Language Runtime.

In the Mac space, the open source MacRuby project is intended to provide an optimized and integrated version of Ruby for Mac OS X and be compatible with Ruby programs. MacRuby leverages Apple's Cocoa technology, which provides an Objective-C-based programming environment for Mac OS X.

Concurrent programming, for managing multiple threads, is featured in the MacRuby effort via the GCD (Grand Central Dispatch) technology in Mac OS. "I think (GCD) is really going to make Ruby a great language for doing concurrent programming on the Mac," said Ernest Prabhakar, open source product manager at Apple.

Incremental releases of MacRuby have been occurring since March 2008. MacRuby is compiled by default and uses the LLVM (Low Level Virtual Machine) project for just-in-time and ahead-of-time compilation.

CNet: How smoking can ruin your Mac

by Chris Matyszczyk

I have nothing against smoking, save for the difficult odor that emanates from every part, breath, and piece of clothing belonging to a smoker. I could no more live with a smoker than I could live with a third ear perched off the end of my nose.

However, I am embalmed in a curious sympathy after reading a report from The Consumerist concerning two Mac users whose AppleCare warranties appear to have been voided due to the presence of cigarette smoke in their homes.

One, named Derek, recounts the tale of his overheating black MacBook. He took it into the Apple store in Jordan Creek, West Des Moines.

He told The Consumerist: "Today, April 28, 2008, the Apple store called and informed me that due to the computer having been used in a house where there was smoking, that has voided the warranty and they refuse to work on the machine, due to 'health risks of secondhand smoke.'"

He continued: "Nowhere in your AppleCare terms of service can I find anything mentioning being used in a smoking environment as voiding the warranty."

Derek's resulting appeal to the office of Steve Jobs bore him no joy, so he resorted to blowing some compressed air at the machine, leading it to restart its wondrous functions.

Then along came Ruth, who took her son's iMac to an authorized repair center. After five days, they apparently told her they couldn't work on it because it was contaminated with cigarette smoke and was therefore a bio-hazard.

When Ruth appealed to Jobs' office, she said she was told by someone named Dena that nicotine was on OSHA's list of hazardous substances.

However, as she wisely pointed out to The Consumerist: "OSHA also lists calcium carbonate (found in calcium tablets), isopropyl alcohol (used to clean wounds), chlorine (used in swimming pools), hydrogen peroxide (also used to clean wounds), sucrose (a sugar), talc (as in powder), etc... as hazardous substances."

One final appeal to Ruth's local Apple store failed, as she was allegedly told that tar from cigarette smoke had made it uneconomical to even attempt a repair. Ruth claims that only one person in her household smokes.

So now might I hand this distinctly painful issue over to you, the technically brilliant reader. Perhaps you are even an employee of Apple and have stumbled upon this page in search of a little light relief.

What is the science of all this? And what might be the appropriate commercial response? Should Apple place a clear disclaimer referring to secondhand smoke in the AppleCare terms? Or should Microsoft make a new Laptop Hunter ad in which a very attractive, happy person says, "I'm not cool enough and I smoke, so I would never be able to get a Mac fixed"?

Posted at 23 Nov @ 2:22 PM by Elena_Levashova | 0 Comments
  2009/11/20
News for November 20
Last changed: Nov 20, 2009 10:00 by Elena_Levashova
TheRegister: Intel invests in exafloppy future

by Rik Myslewski

Intel has announced that it is joining forces with a trio of French institutions to create a European research center focused on the development of supercomputers with exaflop-level performance.

An exaflop - for those of you who skipped that day at university - is 1,000 petaflops.

Intel's contribution to the planned Exascale Computing Research Center will be a somewhat loosely defined "multi-million Euro investment" over a three-year period, according to Wednesday's announcement (http://www.intel.com/pressroom/archive/releases/2009/20091118comp.htm?iid=pr1_releasepri_20091118m). The Center will start small, with about a dozen employees. Current plans are to triple that number "eventually."

Support from Chipzilla will be joined by - francophobes may prefer to skip to the next paragraph - the Commissariat à l'Énergie Atomique, Grand Equipement National de Calcul Intensif, and Université de Versailles Saint-Quentin-en-Yvelines, which will pool their resources to equal Intel's investment. For the French-challenged, those are the country's atomic-energy commission, an HPC center, and a prominent university.

Research at the Exascale Center - part of Intel Labs Europe (http://www.intel.com/corporate/techtrends/emea/eng/labs/index.htm) - will, as its name implies, be directed towards developing computing clusters that will operate at 1,000 times the petaflop speeds achievable by today's top supers (http://www.theregister.co.uk/2009/11/16/top500_supers_nov_2009/). As Intel explains, the research will include the development of new performance-optimization schemes and the integration of multiple petaflop-level systems.

The Center's work will result, according to Intel, in performance improvements in just the type of compute-intensive tasks you might expect: seismology, fluid dynamics, genome research, and climate modeling. And, of course, with one of the Center's main sponsors being the Commissariat à l'Énergie Atomique, and with France being home to 59 nuclear reactors (http://www.world-nuclear.org/info/inf40.html), energy analysis will also be high on the list. ®

InfoWorld: Corporate IT turns to open-source virtualization

by Nicole Lewis

Virtualization is unarguably one of the biggest trends of the past few years, and open-source software has been on the IT radar for a while now. So does that make open-source virtualization twice as much of a good thing?

At least some corporate IT departments think so. They're turning to open-source software as part of their virtualization mix. Sure, savings are a big factor, but so is the ability to tweak the software to suit specific requirements.

Just ask Stan Yazhemsky, manager of IT operations at Legal Aid Ontario (LAO), which uses Citrix Systems' XenServer, a management tool running on the open-source Xen hypervisor.

XenServer's open APIs give him and his team of three Linux engineers better access to and control of advanced functions, especially security, Yazhemsky says.

LAO, a non-profit corporation that provides legal advice and services to low-income individuals, has 200 locations across Ontario and hosts three data centers. Those data centers house 239 Windows servers and 68 Linux servers. Some 95 percent of LAO's servers are running XenServer.

LAO has 154 terabytes of sensitive data such as client/lawyer information, financial files and individual case loads that span everything from burglaries to theft and murder. Security is a key concern.

Yazhemsky says that by building monitoring tools and integrating them with the Xen platform he's been

"If an attack manages to break into the system, our embedded script will shut down the compromised virtual machine immediately and bring another virtual machine up, in real time with no effect on users. That's something that you can't get from any closed-source solution," Yazhemsky says.

As a result, the organization is able to invest less in security than it would otherwise have to, he says. His calculation is that LAO spends about 40 percent less in security software and management costs than it would have otherwise, "because we can script events that proactively search for any changes," Yazhemsky says.

Open-source virtualization - tiny but growing
Despite its fans, the overall market for open-source virtualization is very small indeed, though it is expected to grow.

"Open source is less than 5 percent of the overall server-virtualization revenue market share, but could nearly double by 2012," says Alan Dayley, a Gartner Group research director.

Open-source hypervisors including Red Hat Inc.'s KVM and Xen - used by both Citrix and Oracle Corp. - and the management tools running on top of them are gaining strength in both adoption rates and advanced features formerly found only in the likes of VMware, the virtualization market leader, Gartner says.

Gartner's 2008 figures show that for the hypervisor market - in units, not revenue - Citrix had 2 percent and Virtual Iron held 1 percent. For 2012, Gartner's projections are that Citrix will hold 6 percent of unit share, and Red Hat 2 percent.

Nevertheless, open-source virtualization will likely always remain a small piece of the pie. "While companies like Citrix and Red Hat are going to see great growth, they are not going to take significant market share," says Gartner analyst Phillip Dawson. "Most of the share change will be between Microsoft and VMware."

And that's a shame, says IDC analyst Gary Chen, because open-source virtualization software has a lot to offer. "A lot of people don't really know how good Citrix XenServer 5.5 has become," says Chen.

One potential huge market for open-source virtualization: cloud service providers. "If you're a large service provider and you're building a cloud, you may have very custom specific needs, (and) you may need to modify the source code and you can go with open source," Chen says.

As companies like Amazon.com build out their cloud computing strategy and virtualize literally thousands of servers in their data center, they will be looking at vendors offering cheaper virtualization solutions with well-developed management tools that they don't have time to build, predicts Bill Claybrook, a former Aberdeen analyst who now has his own technology research firm, New River Marketing Research, based in Concord, Mass.

Under this scenario, he says, Citrix's attractiveness will increase. "Citrix is one company out of all of those vendors that could make some money in cloud computing by providing a free Xen hypervisor and marketing its management tools at a reasonable price," Claybrook says.

Oracle's recent acquisitions of Virtual Iron and Sun Microsystems, and their respective virtualization technology, could prove interesting long-term. While most observers expect Oracle's open-source virtualization software to be a hit primarily in existing Oracle shops, Sun's large customer base may give Oracle a chance to penetrate a greater number of corporate IT departments, says Claybrook.

"Oracle will probably end up with the largest open source for virtualization installed base of any one of their competitors," Claybrook predicts.

For its part, the University of Massachusetts is running Oracle VM because it is such a huge Oracle shop in general, says Michael Poole, chief technology officer. "It made sense to choose Oracle VM . . . especially with the significant number of Oracle applications we support." He says the university has realized significant performance gains and considerable cost reductions in its operations.

UMass is in the middle of an infrastructure-transformation project that consists of many sub-projects. While planning a new primary data center and a more robust disaster-recovery and testing data center, UMass investigated many options and chose to standardize on open-source Xen Virtualization with Oracle VM and Oracle Unbreakable Linux support. UMass started implementing Oracle VM a little over a year ago.

By next summer - the target date for the infrastructure project's completion - Poole says the university will reduce its physical servers from 500 to fewer than 300. It also expects to save close to $100,000 a year in power and cooling costs alone. And UMass will have totally switched from VMware over to Oracle VM.

The university's IT infrastructure is managed and monitored with Oracle Enterprise Manager, and UMass makes extensive use of Oracle's PeopleSoft ERP, Oracle Enterprise Linux, Oracle DB, Oracle Real Application Clusters (RAC) and Oracle WebLogic servers. UMass is adding Oracle Business Intelligence Suite and the Oracle Identity Management Suite to its lineup.

"We're a big Oracle shop. It was important to us to buy into the logic that says Oracle is developing and testing all of their applications on the Oracle infrastructure components, including Oracle VM, and getting the kinks out of the system, or at least reducing them before they get into general release," Poole says.

Poole explains that one of the university's biggest successes to date has been the virtualization of its Blackboard Vista learning management system. Through this, professors distribute content, exchange emails and engage in live discussions over the Internet with 63,000 students.

Server virtualization stats
The rising tide of server virtualization use will lift all boats, including the use of open-source software. There are approximately 5.8 million virtual machines in use today, but by 2012 that number will grow to 58 million, a tenfold leap, Gartner says.

Percentage of servers that run virtualization now - 19 percent

Percentage of servers that will run virtualization next year - 28 percent

Percentage of servers that will run virtualization in 2012 - 50 percent

Before it was virtualized, the Blackboard Vista application ran on 40 separate Solaris-based application servers. Today the number of physical servers running the application has shrunk to 5 and performance has quadrupled, Poole says.

By using Oracle VM to virtualize Blackboard Vista, Poole says, "We've seen a very significant reduction in hardware while at the same time dramatically improving upon performance and scalability." Poole estimates that the difference in the cost of the hardware alone was nearly $300,000.

But before going with open-source virtualization, it's important to have a staff with the right Linux/Unix background, recommends Richard Cote, systems architect and technical lead at the University of Massachusetts.

"If I were making a decision at a small company that only had Windows-savvy tech administrators I'd probably look at VMware or HyperV if I did not have a Linux or Unix group to support me. If you come from a traditional Unix-savvy staff then you're going to be drawn toward Xen," Cote says.

Small businesses may find much to like
Server virtualization growth is expected to increase in small- to mid-size businesses, and there, too, open source could gain a foothold.

Gartner classifies small business as companies with 20 to 99 employees and less than $50 million in revenue. Mid-size companies have 100 to 999 employees and $50 to $500 million in revenue. "We expect the (SMB) growth rate for virtualization adoption to be higher than the overall market through 2012," Dayley says.

And even companies that are using VMware and/or Microsoft's HyperV may still find a place for open source.

Interactive One, a New York-based division of Radio One, provides Web properties for millions of African Americans and has split its IT infrastructure in two. Its office environment uses VMware to run Microsoft Exchange, Microsoft SharePoint and Windows File Server. On the production side, to power the Web sites, the company has deployed Oracle VM.

"We weren't a good candidate for VMware's advanced functionality because these boxes aren't mission critical, single-point-of-failure systems," says Nicholas Tang, Interactive One's vice president of technical operations. "As a result, we don't do a lot of VM-level clustering and automated failover."

After discussing the possibility of using VMware for the firm's production environment, Tang's assessment was simple: "VMware doesn't do any better job than Xen does for . . . quickly building a virtual environment and efficiently reallocating resources. VMware cost two or three times more than what we paid for Oracle VM, and in the end it wasn't worth it."

Since using Oracle VM, Tang says, he's retired 60 servers, has realized greater utilization of resources and is using open-source tools like Fedora's Cobbler, a network installation tool, and other software like cfengine, a configuration management tool, to build more functionality into the company's virtual server environment.

While analysts continue to speculate, and vendors continue to improve their products, in the end, IT managers will have to make up their minds based on their needs.

"Customers have to do the tests, ask themselves will it work in their IT environment and will it meet their business requirements at the right price and with the right skills," LAO's Yazhemsky says.

CNet: Report: How risky is cloud computing?

by Lance Whitney

Cloud computing is luring more businesses with its promise of minimal maintenance and low costs. But are companies putting their data at risk?

A new, free report released Friday by the European Network and Information Security Agency (ENISA) outlines the benefits and potential pitfalls of cloud computing. Based on an ongoing survey, the 123-page report, "Cloud Computing: Benefits, Risks and Recommendations for Information Security" (PDF), also offers recommendations to businesses on how to minimize the risks of entrusting their data to a cloud provider.

The benefits of cloud computing as described by ENISA are clear. Business content and services are always available. Companies can reduce costs by not overspending on the capacity of their own data centers. They can also scale up or down, depending on the services they use, and pay for those services only as needed. Internal IT is freed up by not having to implement or maintain certain hardware or software.

As more businesses hop onto the cloud, IDC expects worldwide spending on cloud services to hit $17.4 billion, revving up to $44.2 billion by 2013.

But cloud computing poses certain key risks.

"The picture we got back from the survey was clear," Giles Hogben, editor of the ENISA report, said in a statement. "The business case for cloud computing is obvious - it's computing on tap, available instantly, commitment-free and on-demand. But the number one issue holding many people back is security - how can I know if it's safe to trust the cloud provider with my data and in some cases my entire business infrastructure?"

Though cloud-service providers promise 24-by-7 availability, their data centers can go down. Security is out of the hands of the customer, who must place trust in the service provider. Customers become dependent on a single provider and may face challenges if data and services need to be migrated to a different provider. By entrusting data to the cloud, companies could face risks and challenges from regulatory audits. Further, some cloud providers may not fully and properly delete data even if a customer requests it.

In its report, ENISA outlines measures companies can take when dealing with cloud-service providers.

Companies must perform risk assessments, comparing the potential risks of storing data in the cloud with keeping files in an internal data center. Companies must also compare different cloud providers to narrow the list and then obtain service-level assurances from selected providers. Further, customers should clearly specify which services and tasks will be handled by internal IT and which by the cloud provider.

The report includes a checklist and detailed questions that customers can use when shopping for a cloud provider.

With the right provider, data can be safe and secure in the cloud. In fact, security with a cloud provider can be even more robust, flexible, and quicker to implement than when done internally. ENISA Executive Director Udo Helmbrecht noted in a statement: "The scale and flexibility of cloud computing gives the providers a security edge. For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."

Posted at 20 Nov @ 9:51 AM by Elena_Levashova | 0 Comments
  2009/11/19
News for November 19
Last changed: Nov 19, 2009 09:55 by Elena_Levashova
TheRegister: Google and the myth of the open cloud

by Cade Metz

It is a truth universally acknowledged that if Google offers the world a web service, large numbers of people will convince themselves that it's superior to anything else they can get their hands on - and less likely to condemn them to some sort of Redmondian future in which a single corporation has them in a metaphorical vice grip.

So it is with Google App Engine, the 18-month-old service (http://www.theregister.co.uk/2008/04/08/google_unveils_app_engine/) that lets outside developers build and run web apps on the company's very own distributed infrastructure. According to (http://www.theregister.co.uk/2009/10/06/evans_data_developer_cloud_perception_survey/) the market research types at Evans Data (http://www.evansdata.com/research/market_alerts_start.php), developers everywhere are convinced that App Engine will overtake Amazon in the race into the so-called public cloud. They've even decided that the Google cloud is their best bet for avoiding the dreaded "vendor lock-in."

You know the mindset. Google says it's open (http://www.theregister.co.uk/2009/05/13/google_and_openness/), so it must be open. Google says that it has opened up more than one million lines of code, that it's hosting more than 150,000 open source projects, that its web browser is open, and that its mobile OS is open - so its cloud must be open too. Its cloud must be much more accommodating than Amazon's.

Except that it's not.

Google's famously distributed infrastructure is in no way open. Whereas the likes of Facebook and Yahoo! run much of their back-end setup on open source code (http://www.theregister.co.uk/2009/04/09/google_and_hadoop/), Google builds its own proprietary platforms - from the Google File System (GFS) to the number-crunching MapReduce platform to the BigTable distributed database - and these are jealously guarded. Google is reluctant to even talk about them (http://www.theregister.co.uk/2009/10/23/google_spanner/).

What's more, these Googly platforms place extensive restrictions on what you can build atop them. This is true whether you're an internal Google developer or an outsider tapping the App Engine. There's good reason for this. The idea is to fit all applications to predefined templates that can run across the company's worldwide network of data centers, so that performance can scale up (near-)instantly as needed.

"The question is: how do you actually get the applications to use the infrastructure? How do you distribute it? How do you optimize it? That's the hard part. To do that you require an insane amount of force of will," Google senior manager of engineering and architecture Vijay Gill told (http://www.theregister.co.uk/2009/06/27/google_mocks_microsoft_online_infrastructure/) a cloudy conference this summer.

"People are lazy. They say 'I don't want to design my applications into this confined space.' And it is a confined space. So you need a large force of will to get people to do that."
Google, skis, and snowmobiles

For Google App Engine, the result is that Google severely limits the dev tools you can use to build stuff. "With App Engine, you can't use all your favorite open source tools," Sebastian Stadil, founder of the Silicon Valley Cloud Computing Group, tells The Reg. For example, he says, you can't use Drupal, the open source content-management system. "There are libraries you can't use. If the CMS software you want requires such a library, you're stuck."

What's more, it doesn't accommodate many of the most common email libraries. "So if you use an open source component that sends emails, it'll break, and you have to rewrite yourself." Google has a white list (http://code.google.com/appengine/kb/libraries.html) of libraries that its platform likes, and if your libraries aren't on the list, either you can't use App Engine or you have to rewrite.

For this reason, Stadil argues, App Engine isn't something a large number of devs will flock to - at least not anytime soon. "The restrictions it imposes to ensure easy scaling require too much learning, and will take forever to be adopted in the enterprise," he says.

"App Engine is a ski resort that only lets you use skis. No snowboards, no snowmobile. Just skis. Skis are fine, and they can get you downhill, but people might want alternative."

He offers up Ruby on Rails - that web-happy programming language - as another analogy. "Take Ruby on Rails, which is great for writing applications. It is still lagging in the enterprise, because [it] requires [so much] learning...by IT staffs," he says. But, he adds, "the young Stanford undergrads will love App Engine like they loved Ruby on Rails."

The irony is that you can't use Ruby on Rails with App Engine. It only does Python and Java.
ClosedTable

But the bigger issue is that if you build an App Engine app that makes heavy use of the GFS or BigTable, you're also in for some heavy rewrites if you ever want to move the thing off Google's cloud. Since those platforms are not open sourced, you can't install them on your own cloud - or on anyone else's.

When we brought up this, um, inconvenience at Google's developer conference earlier this year, vp of engineering Vic Gundotra brusquely waved the issue aside. Developers don't code to BigTable, they code to Google's API, he said, arguing that switching to another cloud is a piece of cake.

That may or may not be the case for Google's own developers - people intimately familiar with its proprietary platform - but it's certainly a stretch when it comes to everyone else. "You'll need to change your database to a relational model [if you move off the Google cloud]," says Stadil. "The data model and data processing are different."

Despite what those Evans Data developers are telling themselves, this is what you call "vendor lock-in." Yes, there's a similar problem over on Amazon's cloud, with its proprietary SimpleDB database. But Amazon now offers MySQL as well (http://www.theregister.co.uk/2009/10/27/amazon_mysql_cloud/). And unlike Google's App Engine, Amazon's cloud is a place where you can use whatever development tools you like.

"So you invest in good skis, and then travel to the Amazon jungle," says Stadil. "There, you can still move around in skis, but it is suboptimal. It would be better to have a snowmobile."

Now, you might argue that because it has opted for a so-called "platform cloud" - as opposed to Amazon's infrastructure cloud - you can scale your apps much more quickly. "Concerns about lock-in and lack of flexibility loom big and large," says Thorsten von Eicken, a distributed-systems guru who now serves as CTO of a cloud-happy outfit (http://www.theregister.co.uk/2009/11/02/new_rightscale_meta_cloud/) called RightScale. "But they're obviously going for large scale. They've had to constrain the environment pretty drastically in order to be able to do this kind of scaling."

But do we really know that App Engine scales any better than Amazon? "That's a good question," says von Eicken. Google says it does, so it must. Right?

Let's say it does scale unlike anything else on the planet. Google is asking you to stomach the dreaded lock-in to ensure that your app can handle becoming ridiculously popular. But if you become ridiculously popular, do you really want Google lock-in?

"In a way, what Google says is bite the bullet for scale on day one, and I find that a bitter pill to swallow," von Eicken says. "Why would I spend the effort to now if I don't even know if my app is going to succeed?"

Certainly, Google is more open than, say, Microsoft. But its core platforms are preternaturally closed. And even an ostensibly open project like Android isn't as open as it might seem (http://www.theregister.co.uk/2009/11/05/google_on_fragmentation/). Google open sources (most (http://www.theregister.co.uk/2009/09/25/google_android_take_down_demand/)) of the Android platform after the fact, but the code that actually ships on big-name handsets is built behind closed doors.

It's something worth remembering as Google readies (http://www.theregister.co.uk/2009/11/18/google_chrome_os_press_event/) another ostensibly open platform: the Chrome OS. Which brings us to another irony. As Google prepares to unveil the openness of the Chrome OS at its Mountain View headquarters tomorrow, it won't even speak to a certain news organization about the possibility of attending the event. A small thing, really - but indicative of something much larger (http://www.theregister.co.uk/2009/05/13/google_and_openness/). ®
Update

Google has phoned to say that it is not able to provide The Reg with an invite to the Chrome OS announcement. The company tells us there's not enough space.

InfoWorld: Web application security is growing problem for enterprises

by Jaikumar Vijayan

The number of security flaws being found in Web applications continues to grow and will likely dominate the security agenda for years to come, according to a report by application security vendor Cenzic.

Almost 80 percent of more than 3,000 software security flaws publicly reported so far this year have been in Web technologies such as Web servers, applications, plugins, and Web browsers. That number is about 10 percent higher than the number of flaws reported in the same period last year – and nine out of 10 of the flaws were found in commercial code.

Similar numbers have been reported by others. A mid-year trend and risk report released by IBM showed that Web application threats have become the No. 1 source of security pain for enterprises. Attacks targeting these flaws have also risen sharply, in some cases doubling in less than a year.

The numbers suggest that vendors and Web application owners need to address Web application security issues, said Cenzic CTO Lars Ewe. "We are still stuck in the same situation we have been for a long time," Ewe said.

The kind of "significant muscle" the industry put into dealing with network and perimeter-based software vulnerabilities has been missing when it comes to application security, he said. "This is going to be a long-winded process."

Security flaws in the Web application layer can allow attackers to steal data, plant malicious code or break into other internal systems. Some of the most common vulnerabilities include SQL injection and cross-site scripting flaws and authorization and authentication errors. The massive data thefts at Heartland Payment Systems and several retailers recently resulted from SQL injection errors that allowed intruders to insert malicious code into their enterprise networks.
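The SQL injection class mentioned above comes down to one coding defect: user input is pasted into the SQL text instead of being bound as a parameter. The following is an added illustration written for this page, not code from the article, Cenzic or any of the companies named; the in-memory SQLite table, the user names and the lookup functions are all constructed for the example. It runs the same lookup both ways so the difference in behaviour is visible on the same input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table (not data from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defect on purpose: the caller's input becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: a bound parameter is always treated as a literal value,
    # whatever characters it contains, so the statement's shape cannot change.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username: str) -> tuple:
    """Run both lookups on the same input; return (concatenated, parameterized)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal name and a name containing a quote character (constructed inputs).
    for name in ("alice", "x' OR '1'='1"):
        concatenated, parameterized = compare(name)
        print(f"{name!r}: concatenated -> {concatenated}, parameterized -> {parameterized}")
```

For the ordinary user name both functions return the same single e-mail address. For the second input the concatenated query returns every row in the table because the input has rewritten the WHERE clause, while the parameterized query returns nothing, since no user literally has that name. The defensive point is that the fix is structural, not a matter of filtering characters: bind parameters and the input can never be parsed as SQL.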

Though the security risks posed by such vulnerabilities have been well understood for years, a large and growing number of companies continue to be exposed to them.

At least part of the growth in vulnerabilities is tied to the rising number of Web applications and Web sites that spring up each year, said Chenxi Wang, a researcher with Forrester Research in Cambridge, Mass.

But buggy Web software products and sloppy in-house development processes continue to be huge issues, too.

Roughly 90 percent of the vulnerabilities analyzed by Cenzic for its report, which was released yesterday, existed in commercial, off-the-shelf software from both big and small vendors. Much of it appears to be the result of a continued emphasis on time-to-market at the expense of secure coding practices, Ewe said. "Engineering organizations are being measured on how fast they can respond to market pressures as opposed to how secure a system they can build," he said.

The same factors have made security an afterthought with most internally developed Web applications, as well, he said. Cenzic's analysis found numerous vulnerabilities in proprietary products outsourced to programming firms in India, China, Russia, and other countries.

CNet: Dot-com thinking for D.C.: Expert Labs debuts

by Caroline McCarthy

Former Six Apart executive and well-read blogger Anil Dash has a new gig: he announced at the Web 2.0 Expo here on Wednesday that he will be the director of Expert Labs, a new nonprofit that will take the dot-com incubator model and apply it to new digital tools for the federal government.

"Despite what our ego tends to think in the tech industry, the issue is not that we need to have more tweeting from the White House," Dash said onstage. "(We can) help them learn the lessons that we've seen over the past half decade of Web 2.0's ascendancy."

Expert Labs, which is a division of the American Association for the Advancement of Science that's funded by the MacArthur Foundation, will match digital voids and holes in government and policy with the developers who can fill them, with grant money paying for the work. The organization also hopes to host developer competitions, a similar move to some municipal projects like New York's "Big Apps."

It's not a government agency, but the Expert Labs Web site explains that "we've been privileged enough to connect with agencies and departments across the federal government, from the White House on down." Cutting through bureaucracy, needless to say, will still be a challenge. Dash is unfazed.

"If we tap into the expertise of each community, there's enormous potential," he said. "So we're going to ask policymakers for their expertise in defining the questions that we need answered." Then, Expert Labs plans to hook those projects up with technologists who can build the requisite systems, and then to members of the science and academic communities to help solve the issues at hand.

"No matter how smart the policymakers are in our government...there's always going to be more experts outside the Beltway," Dash said. "The tactics thus far have been a closed-door meeting with a half dozen people for an hour."

He asserted, "The Web has changed the way that works."

Posted at 19 Nov @ 9:30 AM by Elena_Levashova | 0 Comments
  2009/11/17
News for November 17
Last changed: Nov 17, 2009 20:21 by Elena_Levashova
TheRegister: Google Docs set for 'get rid of' Office moment

by Cade Metz

By next year, Google says, its web-happy word processor will be so effective, most enterprises will be able to "get rid of (Microsoft) Office."

Speaking with ZDNet Asia, Dave Girouard - president of Google's enterprise division - admitted that Docs isn't up to snuff at the moment, calling it "much less mature" than Google Mail or Calendar. He acknowledged it's "not perfect" at handling third-party document formats, but insisted it "will get there."

He even went so far as to say that until it improves, he wouldn't actually ask anyone to switch from Microsoft. "We know (Docs is less mature)," he said. "We wouldn't ask people to get rid of Microsoft Office and use Google Docs because it is not mature yet."

But he insists this will soon change. The company has "thirty to fifty" - yes, thirty to fifty - updates planned for its online processor in the coming year. Apparently, these include new features as well as performance enhancements.

These enhancements will allow most enterprises to give Microsoft the boot. But he was kind enough to say that some will refrain from doing so. "I don't think Office will entirely disappear," he said.

But he did say that Office will become some sort of specialized offering for people who need stuff above and beyond the norm. It'll be the Photoshop of word processors, he said. According to Girouard, Microsoft Office is "an overkill tool for most people."

Google did not immediately respond to our request for comment on Girouard's comments.

InfoWorld: Sun says upgraded Storage 7000 arrays are the fastest in the world

by Lucas Mearian

Sun Microsystems today announced upgrades to its Sun Storage 7000 family of disk arrays that double the performance and capacity from a maximum of 288TB to 576TB in a 4U (7-in) space. The company is also now offering high-speed InfiniBand connectivity to its array and RDMA (Remote Direct Memory Access).

Sun said it has doubled the performance of the Sun Storage 7410 Unified Storage System by upgrading it with up to four six-core AMD Opteron processors, twice the DRAM cache - up to 512GB - and new 2 TB capacity drives.

Including Sun's recent announcement of its F5100 Flash Array, which allows users to add solid-state drives into the 7410 Unified Storage System, the company said recent benchmarks showed performance increases of up to 107 percent running common MCAE applications, such as MSC-Nastran and Ansys.

Sun also announced two InfiniBand switches. The Datacenter InfiniBand Switch 72 provides a dense switch fabric in a 1U (1.75-in) space for Sun server clusters up to 72 quad data rate (QDR) InfiniBand nodes. The switch can be used with the Sun Blade 6048 Modular System and the Sun Blade 6048 QDR NEM to scale up to 576 servers and storage systems.

The Sun Datacenter InfiniBand Switch 36 is a 1U, 36-node QDR InfiniBand switch for midrange enterprise applications.

CNet: Moving to the virtual layer (and taking advantage of the cloud)

by Dave Rosenberg

With infrastructure services like Amazon EC2, Rackspace, and VMware making it easy to take advantage of the flexibility, portability, and reduced costs of cloud computing, it seems obvious to jump on the cloud bandwagon for new IT projects.

But, developers are generally left on their own to deal with the pain of deploying their apps to the cloud: configuring application servers, libraries, disk partitions, networking, clustering, service connections, and virtual private networks. After they get their app installed they also need to install management agents that run on top of the application layer.

Isaac Roth, co-founder and CEO, webappVM

If you really want to take advantage of the cloud and optimize return on investment, you'll want the on-boarding process to be easy and fast and you won't install that agent. Agent-based solutions are inherently inflexible. Deploying agent-based solutions in a cloud-based environment, which is, by definition, highly flexible, is often like trying to fit a square peg in a round hole. In agent-based solutions, hard-coded agents are installed on every machine to monitor the application. If a change to the application configuration occurs - such as the IT department adds a node or upgrades a component - the agents must be updated as well.

Each agent and management server must be configured separately with management and monitoring solutions generally not portable. When every change to an environment requires installation of multiple agents on each server and configuration of multiple management servers, it becomes a tall order to move an application from a traditional infrastructure to the cloud, or from one cloud infrastructure to another: private to public, public to hybrid, or hybrid to private.

How do you get around this so you can actually capitalize on the benefits of cloud computing? Go virtual. Move application management, including easy on-boarding, from above the application stack into the underlying virtual layer, along with the rest of the cloud infrastructure.

I was recently briefed by webappVM CEO Isaac Roth on how the company is pioneering this new approach. He said the virtual path allows you to actually realize all of the flexibility, portability, and reduced costs that come with the promise of cloud computing.

Using agentless technology eliminates the complexity of deploying an application to the cloud and reduces total cost of ownership. And it works with both public and private clouds.

The application management functionality that was previously provided by agent-based solutions is now built into the virtual layer. There are no agents to deploy, upgrade, or maintain, and no management servers to configure and install. There are also no endless upgrades to the management environment each time the application changes. It requires no integration and does not need to be reconfigured when adding, scaling, or moving applications.

Maybe it's time to ditch that agent and go entirely virtual?

Posted at 17 Nov @ 8:13 PM by Elena_Levashova | 0 Comments
  2009/11/16
News for November 16
Last changed: Nov 16, 2009 18:58 by Elena_Levashova
TheRegister: The biggest flash drive in the world

by Chris Mellor

ViON have produced a 100TB DRAM solid state drive, which they claim to be the largest flash memory-based storage box in the world.

The HyperStor-6200 uses both Hitachi Data Systems and Texas Memory Systems technology - think RamSan 6200 (http://www.theregister.co.uk/2009/08/05/tms_ramsan_6200/) - and provides five million I/Os per second (IOPS) with 60GB/sec bandwidth. It is a monster of an SSD.

TMS says it has sold it to a single customer and has worked with ViON to do so. ViON calls it an enterprise eFlash product and says the 100TB of capacity has error checking and correction (ECC), a roughly 0.072ms average response time, and is RAID-protected. Host servers connect to it by either InfiniBand or Fibre Channel.

ViON and TMS both say this big bucks box is optimised for enterprise, research, and government applications, such as large OLTP systems or data warehouses, real-time video on demand, graphic rendering, geospatial analysis, seismic processing, and high-speed data acquisition.

You can find out more about the ViON view of the box here (http://www.vion.com/content/HyperStor.shtml), and the TMS view here (http://www.ramsan.com/products/ramsan-6200.htm). There is no information about the role of HDS in the sale apart from ViON saying it's involved.

There is no information on price but, generally, six figures of IOPS capability often involves six figures of cash. There is no information about the customer either, but ViON specialises in sales to US government agencies.

So we might surmise the Department of Homeland Security or a similar agency needs lightning low latency responses to tens of thousands of queries a minute into a massive database of... what exactly? Is the USA building a database of the world's entire travelling and communicating population? What else would need such an extreme of SSD design?

InfoWorld: Supercomputers with 100 million cores coming by 2018

by Patrick Thibodeau

There is a race to make supercomputers as powerful as possible to solve some of the world's most important problems, including climate change, the need for ultra-long-life batteries for cars, operating fusion reactors with plasma that reaches 150 million degrees Celsius and creating bio-fuels from weeds and not corn.

Supercomputers allow researchers to create three-dimensional visualizations, not unlike a video game, to run endless "what-if" scenarios with increasingly finer detail. But as big as they are today, supercomputers aren't big enough - and a key topic for some of the estimated 11,000 people now gathering in Portland, Ore. for the 22nd annual supercomputing conference, SC09, will be the next performance goal: an exascale system.

Today, supercomputers are well short of an exascale. The world's fastest system at Oak Ridge National Laboratory, according to the just released Top500 list, is a Cray XT5 system, which has 224,256 processing cores from six-core Opteron chips made by Advanced Micro Devices Inc. (AMD). The Jaguar is capable of a peak performance of 2.3 petaflops.

But Jaguar's record is just a blip, a fleeting benchmark. The U.S. Department of Energy has already begun holding workshops on building a system that's 1,000 times more powerful - an exascale system, said Buddy Bland, project director at the Oak Ridge Leadership Computing Facility that includes Jaguar. The exascale systems will be needed for high-resolution climate models, bio energy products and smart grid development as well as fusion energy design. The latter project is now under way in France: the International Thermonuclear Experimental Reactor, which the U.S. is co-developing.

"There are serious exascale-class problems that just cannot be solved in any reasonable amount of time with the computers that we have today," said Bland.

As amazing as supercomputing systems are, they remain primitive, and current designs soak up too much power, space and money. It wasn't until 1997 that ASCI Red at Sandia National Lab became the first system to break the teraflop barrier, reaching one trillion calculations per second. In 2008 IBM's Roadrunner at the Los Alamos National Laboratory achieved petaflop speed, or one thousand trillion (one quadrillion) sustained floating-point operations per second.

CNet: Nvidia calls Intel's graphics chip tactics 'aggressive'

by Brooke Crothers

Advanced Micro Devices is not the only large Intel competitor to rail against Intel's alleged strong-arm tactics.

Nvidia has also complained loudly for years about Intel business practices in the graphics chip market, where Intel commands about 50 percent of the market.

Nvidia is the world's leading supplier of "discrete," or standalone, graphics chips but takes a distant second place in overall market share to Intel, which supplies "integrated" graphics built into the chipsets that accompany all of its processors. Mercury Research estimates the total market for graphics chips, including integrated graphics, at almost $10 billion in 2009.

In the third quarter, Intel had 53 percent of the graphics chip market, up from the 49 percent share in the same period last year, according to Jon Peddie Research, which tracks the graphics chip market. Nvidia took about 24 percent, down from the 28 percent in the third quarter of last year.

These figures get even more lopsided for Intel when the market is segmented into integrated graphics only. "Put your seatbelt on. They've got 80 percent of the notebook integrated market," said Jon Peddie, president of Jon Peddie Research. Though this is a much smaller and more segmented market than overall PC processor market, which was at the center of last week's $1.25 billion settlement between Intel and AMD, it still shows the level of Intel's dominance, according to Peddie.

Nvidia has taken to lampooning Intel. Here, CEO Paul Otellini is the object of satire on Nvidia's 'Intel's Insides' Web site.
(Credit: Nvidia)

Nvidia claims these latter market share figures reflect Intel's "bundling" tactics, the same carrot-and-stick tactics that AMD has cited for years and that were spelled out in a complaint filed by New York's attorney general earlier this month.

Intel is trying to impede competition on two chipset fronts, according to Nvidia. One front is the burgeoning market for chipsets in Netbooks: tiny, inexpensive laptops that are typically priced around $350. In this market, Nvidia sells its Ion chipset, which competes with Intel's integrated graphics product.

"Intel's tactics with Ion have been the most aggressive we've seen from a competitor. They have offered the Atom [a total of three chips] for $25, but when the one-chip Atom is used with Ion, it sells for $45," Nvidia CEO Jen Hsun Huang said in a statement provided to CNET. "A customer can't even choose to resell the chipset and use Ion instead. What's the point of Nvidia getting an Intel bus license if it's impossible to overcome Intel's pricing bundles?" he asked, referring to the licensing fee that Nvidia pays Intel.

"We'll keep growing as a company, but further action needs to be taken to protect consumers," Huang said.

Intel disputes this. "He's playing a trick of numbers," said Intel spokesman Chuck Mulloy. "He's giving you a $45 list price (that nobody pays) for a part and then a negotiated price (which is more realistic). He's mixing apples and oranges. We have scrubbed and continue to scrub our pricing practices as it relates to chipsets and processors. It's all above cost. And that meets the legal standard worldwide."

In Netbooks, Nvidia has made some headway this year; its Ion chipset has been used in Netbooks from Hewlett-Packard and Lenovo, among others, and Huang concedes this. But Peddie said Nvidia still faces a formidable challenge. "They're nibbling away at it. But it's a pretty big hill to climb," Peddie said.

In the second front of Nvidia's most hotly-contested feuds with Intel, the former has halted development of chipsets for Intel's new "Nehalem" processor technology (marketed as the Core i series of chips), following a complaint filed by Intel in February, which Nvidia then countered in March. Intel alleged in its motion for a declaratory judgment that the 4-year-old chipset license agreement with Nvidia does not extend to Intel's future-generation processors with "integrated memory controllers," which includes Intel's newest Nehalem Core i processors.

"It's meant to get Nvidia to cease and desist from citing that they have a license," Peddie said. "That's an interesting tactic because if the court rules in favor of keeping Nvidia from saying they have a license, it also creates the burden on the OEMs (PC makers) of not wanting to get in a crossfire between Nvidia and Intel," he said.

Intel again disputes this. "It's not seeking to prevent them from doing anything. For well over a year and including mediation, we argued with Nvidia about their rights under that agreement. And we tried multiple times to reach an agreement. And we could not," Mulloy said. "We asked the court to tell the parties what the agreement means. At the end of that process, we'll work with them and try to figure out what to do next."

Posted at 16 Nov @ 6:53 PM by Elena_Levashova | 0 Comments
  2009/11/13
News for November 13
Last changed: Nov 13, 2009 13:48 by Elena_Levashova
TheRegister: iPhone worm hacker gets death threats, job offers

by John Leyden

The creator of the rickrolling iPhone worm has spoken of possible job offers and death threats since the release of the Jesus Phone malware last weekend.

Ashley Towns, 21, from Wollongong, New South Wales, Australia, told local media he received both threats and offers of possible work a day after he was identified as the creator of what's been described as the first strain of iPhone malware. The malicious code created by Towns changed the wallpaper of jailbroken iPhone devices it infected to a picture of cheesy '80s pop star Rick Astley.

Jailbroken phones have been modified so that they are capable of running non-Apple approved applications. Only users on the Optus network in Australia with jailbroken iPhones and SSH installed were hit by the so-called ikee worm created by Towns. Even so, scores or perhaps hundreds were affected.

Towns describes this as an "experiment" that got out of hand: "I didn't really think about legal consequences at the time. I honestly never expected it to go this far."

For the recently graduated network administration student, explaining his actions to his friends and parents has been the least of his problems over the last week. "A lot of random people have been making threats and someone even figured out my mobile number and published it online," Towns told a local NSW newspaper, adding that on the plus side an iPhone application developer has offered him a job interview.

Graham Cluley, the senior security consultant at Sophos, was the first to point towards Towns as the likely creator of the worm, based on comment lines in the viral code and an internet search, and he described the mobile worm written by Towns as riddled with bugs. Even leaving aside the ethical problems of creating and distributing malware, Towns was a poor mobile application developer.

"The worm was a buggy piece of code that leaked data by copying across the wallpaper from other peoples' phones during its infection routine," Cluley explained. "It also tried to scan a far wider range of addresses for other devices to infect than intended, judging by comments in the code."

"Judging by other comments, Towns even shafted his own iPhone during the development process," Cluley added.

Although Cluley condemned Towns' actions, he said that Towns didn't deserve jail for his efforts. "Towns is not in the same league as financially motivated hackers who are responsible for the majority of the malware we see today," he said.

InfoWorld: Web site scripting flaws are common and slow to be fixed

by Jeremy Kirk

A majority of Web sites have at least one major security issue that could be used by hackers for fraud-related purposes, according to a new survey.

Some 64 percent of 1,300 Web sites run by 250 enterprises have at least one serious vulnerability, said WhiteHat Security, which specializes in finding vulnerabilities in Web applications. The statistics come from WhiteHat's customer base, which lets the company regularly review their sites for problems.

The most prevalent problem is cross-site scripting. There's a 66 percent chance a Web site will have such a problem, WhiteHat said. A cross-site scripting flaw can allow data or malicious code to be drawn from another Web site, which can potentially cause a data breach.

Other common problems include information leakage issues, content spoofing, insufficient authorization, and SQL injection.

The danger of Web-site application vulnerabilities is compounded by the slowness with which companies attempt to fix them. In the case of a cross-site scripting problem, the fix is usually just one line of code, Grossman said. The problem in getting it fixed, however, tends to be on the human side.
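To make the "one line of code" concrete, here is an added example (not code from the InfoWorld article or from WhiteHat's report) showing a reflected cross-site scripting bug beside its fix. The page fragment, the `q` parameter and the probe string are constructed for illustration; the fix is the single `html.escape` call.

```python
"""Cross-site scripting: a vulnerable page fragment beside its one-line fix.

Added example, not code from the InfoWorld article or from WhiteHat's
report. The page fragment, the parameter name and the probe string are
constructed for illustration.
"""
import html

# Constructed probe: a value that, if echoed verbatim, closes the attribute
# and opens a new element. No real site or payload is involved.
PROBE = '"><b>injected</b>'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: the untrusted query is concatenated straight into HTML,
    in both an element body and a quoted attribute."""
    return (
        "<h1>Results for " + query + "</h1>"
        '<input name="q" value="' + query + '">'
    )


def render_search_safe(query: str) -> str:
    """Fixed: the one-line change is to HTML-encode the value before use.

    html.escape(..., quote=True) encodes & < > " and ', which is the right
    encoding for both contexts used here (element body, quoted attribute).
    Other contexts (inline JavaScript, URLs, CSS) need their own encoders.
    """
    safe = html.escape(query, quote=True)
    return (
        "<h1>Results for " + safe + "</h1>"
        '<input name="q" value="' + safe + '">'
    )


def echoes_markup(rendered: str, untrusted: str) -> bool:
    """True when the untrusted string reached the output with its HTML
    metacharacters intact, i.e. the page is reflecting markup. Used here
    only to show the difference between the two renderers."""
    return untrusted in rendered


def demo() -> dict:
    """Compare both renderers on the constructed probe."""
    return {
        "unsafe_reflects_markup": echoes_markup(render_search_unsafe(PROBE), PROBE),
        "safe_reflects_markup": echoes_markup(render_search_safe(PROBE), PROBE),
    }


if __name__ == "__main__":
    print(render_search_unsafe(PROBE))
    print(render_search_safe(PROBE))
    print(demo())
```

The caveat a reviewer would add: the fix is one line only when the encoder matches the output context. The same value dropped into a `<script>` block or a URL needs JavaScript or URL encoding, not HTML entity encoding, which is why templating engines that encode by context remove the class of bug more reliably than ad hoc calls.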

WhiteHat will usually inform the security department of a company, which then has to pass on the information to the developers of the Web application. The custom code of the Web application can't be modified by the security department.

Management then has to give the OK for developers to work on fixing the code rather than creating revenue-generating features, which usually get priority, Grossman said. Sometimes, it's hard to quantify the risk of Web-application vulnerabilities, which also muddies the waters for how fixing them is prioritized. "A developer's job is to write code," Grossman said. "Security is not a priority when pushing out code."

Surprisingly, a lot of vulnerabilities take a long time to be fixed, and some never get fixed. WhiteHat looked at vulnerabilities that were found at its customers over a one-year period.

The company found it took an average of 67 days for a cross-site scripting problem to be fixed. That compared with 78 days for an information leakage problem, 87 days for content spoofing trouble and 62 days for a SQL injection vulnerability. "What we can say with confidence is that IT security and development organizations must coordinate when it comes to dealing with Web-site vulnerabilities to close the time-to-fix gap," the report said.

On average, only 30 percent to 60 percent of the vulnerabilities ever get fixed, Grossman said. The awareness of Web-application problems "has never been higher but it needs to be a lot greater," he said.

CNet: Google says Docs to catch up to Office next year

by Victoria Ho

SINGAPORE - In a year, most enterprises will have the choice to "get rid" of Microsoft Office if they so choose, suggests Dave Girouard, president of Google's enterprise division.

Girouard said in an interview here with ZDNet Asia that he expects Google's online suite of applications, Google Docs, to reach a "point of capability" next year that it will serve the "vast majority's needs."

He acknowledged that Docs is currently "much less mature" than Google Mail or Calendar. "We know it. We wouldn't ask people to get rid of Microsoft Office and use Google Docs because it is not mature yet," he said.

But this is expected to change in about a year, after the company introduces another "30 to 50" updates.

Posted at 13 Nov @ 1:41 PM by Elena_Levashova | 0 Comments
  2009/11/12
News for November 12
Last changed: Nov 12, 2009 16:24 by Elena_Levashova
TheRegister: Win 7 remote kernel crasher code released

by John Leyden

Microsoft has reportedly begun investigating a potentially nasty denial of service vulnerability affecting Windows 7.

A security bug in Windows 7 and Windows Server 2008 R2 makes it possible to lock up affected systems. The crash would happen without a Blue Screen of Death or any other visible indication that anything was amiss.

The system freeze can be triggered remotely by sending malformed packets to targeted systems - specifically a NetBIOS (Network Basic Input/Output System) header that specifies an incoming SMB packet is either four bytes smaller or larger than it actually is. Server Message Block (SMB) is a network protocol used to provide shared access to files and printers.
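The malformed header the article describes is detectable with a simple consistency check. The following is an added example, a detection-side parser and not the researcher's proof of concept or code from the article; the frames are constructed, and the header layout assumed is the 4-byte NetBIOS session service header used for SMB over TCP (1 byte message type, 3 bytes big-endian payload length).

```python
"""Consistency check between a NetBIOS session header and the SMB bytes
that follow it.

Added example: a detection-side parser, not the researcher's proof of
concept and not code from the article. The frames below are constructed;
the header layout is the 4-byte NetBIOS session service header used for
SMB over TCP (1 byte message type, 3 bytes big-endian payload length).
"""
from typing import List, NamedTuple

NBSS_HEADER_LEN = 4
SESSION_MESSAGE = 0x00


class HeaderCheck(NamedTuple):
    message_type: int
    declared: int   # payload length claimed by the header
    actual: int     # payload bytes actually present after the header
    delta: int      # declared - actual; 0 means the header is consistent


def check_nbss_frame(frame: bytes) -> HeaderCheck:
    """Parse the session header and compare its length field with reality."""
    if len(frame) < NBSS_HEADER_LEN:
        raise ValueError("frame shorter than a NetBIOS session header")
    message_type = frame[0]
    declared = int.from_bytes(frame[1:NBSS_HEADER_LEN], "big")
    actual = len(frame) - NBSS_HEADER_LEN
    return HeaderCheck(message_type, declared, actual, declared - actual)


def is_suspicious(check: HeaderCheck) -> bool:
    """Any session message whose declared length disagrees with the bytes on
    the wire is malformed; a receiver should discard it rather than hand the
    payload to the SMB parser, and a sensor can alert on it."""
    return check.message_type == SESSION_MESSAGE and check.delta != 0


def scan_frames(frames: List[bytes]) -> List[int]:
    """Return the indices of frames whose header length is inconsistent."""
    return [i for i, f in enumerate(frames) if is_suspicious(check_nbss_frame(f))]


# Constructed samples. The payload is 32 bytes starting with the SMB1
# protocol identifier; the rest is filler, not a real SMB message.
PAYLOAD = b"\xffSMB" + b"\x00" * 28
CONSISTENT = b"\x00\x00\x00\x20" + PAYLOAD   # header says 32, 32 present
OVERSTATED = b"\x00\x00\x00\x24" + PAYLOAD   # header says 36, 32 present
UNDERSTATED = b"\x00\x00\x00\x1c" + PAYLOAD  # header says 28, 32 present

if __name__ == "__main__":
    for name, frame in [("consistent", CONSISTENT), ("overstated", OVERSTATED),
                        ("understated", UNDERSTATED)]:
        print(name, check_nbss_frame(frame), "suspicious" if is_suspicious(check_nbss_frame(frame)) else "ok")
```

One subtlety for anyone applying this to captured traffic rather than isolated frames: on a TCP stream the declared length is what delimits consecutive messages, so an inconsistent header also desynchronises the stream, and a reassembling sensor will see the discrepancy as the next header landing at the wrong offset rather than as a single short or long frame.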

Proof of concept code was posted by white hat security researcher Laurent Gaffié in a blog entry on Wednesday. "Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting nbns tricks, [with] no user interaction," Gaffié writes.

Gaffié previously highlighted flaws in Microsoft's implementation of SMB that created an even greater code execution risk back in September.

While it might be used to knock over targeted systems, there's no evidence that the latest flaw lends itself to code injection, a far more serious type of problem. News of the bug broke a day after Microsoft's regular Patch Tuesday updates came and went.

Microsoft's six patches on Tuesday included a fix (MS09-065) for a critical hole in the Windows kernel of Windows 2000, Windows XP and Windows Server 2003. The same update had an "important" (i.e. lesser risk) patch for Vista and Windows Server 2008. Windows 7 users were not affected by either this or two other Windows-related security updates released earlier this week.

Redmond's security gnomes have reportedly begun investigating the Windows 7 denial of service risk, but Microsoft UK was unable to shed extra light on the issue this morning. We'll update this story as and when new details emerge.

InfoWorld: Beware 'frighteningly bad' Flash flaw, say researchers

by Gregg Keizer

Hackers can exploit a flaw in Adobe's Flash to compromise nearly every Web site that allows users to upload content, including Google's Gmail, then launch silent attacks on visitors to those sites, security researchers said today.

"The magnitude of this is huge," said Mike Murray, the chief information security officer at Orlando, Fla.-based Foreground Security. "Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this."

The problem lies in the Flash ActionScript same-origin policy, which is designed to restrict a Flash object to accessing content from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a Web site - through its user-generated content capabilities, which typically allow people to upload files to the site or service - they can execute malicious scripts in the context of that domain.

"This is a frighteningly bad thing," Bailey said. "How many Web sites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable."

Bailey, who demonstrated how attackers could compromise a Web site and attack users in a post today on Foreground's blog, outlined how a hacker would leverage the Flash flaw. "It's relatively simple," he maintained. "All they need to do is create a malicious Flash object, and upload it to the [Web] server."

He used the example of a company that lets users upload content to a message forum to explain the process. "If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image," Bailey said. "Anyone who then views that avatar would be vulnerable to attack."

Adobe has told Foreground that the flaw is "unpatchable," Murray and Bailey said. Instead, Adobe is trying to educate site administrators to close the hole on their end. But they've not had much success.

"Some of the big Web properties have figured this out," said Bailey. "In a lot of cases, they're hosting user-generated content on another domain, perhaps for performance reasons." Among those sites and services that have locked down their servers, Foreground cited Microsoft's Windows Live Hotmail and Google's YouTube. "But very few system administrators are even aware of this," Bailey added.

Even some of Adobe's Web properties are vulnerable to such an attack. "How can Adobe expect others to protect themselves when they can't do it themselves?" asked Murray.

Google's Gmail is also at risk from malicious Flash attack - Gmail lets users upload and download file attachments - although Bailey said that exploiting Google's Web mail service would be "extremely tricky" with "lots of hoops to jump through."

Although Foreground has not detected any in-the-wild attacks using the technique, Murray said that there's evidence hackers are moving toward such tactics. "We're starting to see Flash used in these ways," he said, and cited a recent worm that leveraged a similar vulnerability in Adobe's software, which is pervasive on the Web and on users' machines. "The worst-case scenario is that someone would figure this out, and launch silent attacks against the entire Internet."
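Bailey's forum-avatar scenario is the kind of upload path a site administrator has to harden on their own end. The following is an added example, not code from the InfoWorld article or from Foreground Security, of the server-side checks involved: the decision rests on the uploaded bytes, a file that starts with an SWF signature is refused whatever it was named, and accepted files are only ever addressed on a separate origin, which is the control the article credits the locked-down sites with. The origins, the `nosniff` header and the sample byte strings are this example's assumptions and constructions; the magic numbers are the standard file signatures.

```python
"""Server-side handling of user-uploaded "avatar" files.

Added example, not code from the InfoWorld article or from Foreground
Security. The sample byte strings are constructed; the magic numbers are
the standard file signatures for PNG, JPEG, GIF and the three SWF
variants (FWS uncompressed, CWS zlib, ZWS LZMA).
"""
from dataclasses import dataclass
from typing import Dict, Optional

IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Assumed deployment choice, following the article's observation that the
# safer sites host user content on a separate domain: the application and
# the uploaded files never share an origin. Both hostnames are constructed.
APP_ORIGIN = "https://forum.example"
USER_CONTENT_ORIGIN = "https://usercontent-cdn.example"


@dataclass
class UploadDecision:
    accepted: bool
    content_type: Optional[str]
    reason: str


def sniff_image(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for signature, content_type in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return content_type
    return None


def is_flash(data: bytes) -> bool:
    """True if the bytes start with an SWF file signature."""
    return data[:3] in SWF_SIGNATURES


def check_avatar_upload(client_content_type: str, data: bytes) -> UploadDecision:
    """Accept only bytes that are recognisably an image.

    Neither the filename nor the client-supplied Content-Type is trusted;
    the decision rests on what was actually uploaded, and a declared type
    that disagrees with the content is treated as a reason to refuse.
    """
    if is_flash(data):
        return UploadDecision(False, None, "SWF signature in upload")
    sniffed = sniff_image(data)
    if sniffed is None:
        return UploadDecision(False, None, "not a recognised image format")
    if sniffed != client_content_type:
        return UploadDecision(False, None,
                              "declared type %s does not match content %s" % (client_content_type, sniffed))
    return UploadDecision(True, sniffed, "ok")


def user_content_url(object_id: str) -> str:
    """Accepted uploads are only ever addressed on the separate origin."""
    return "%s/avatars/%s" % (USER_CONTENT_ORIGIN, object_id)


def serving_headers(content_type: str) -> Dict[str, str]:
    """Headers for serving an accepted upload (assumed good practice, not
    from the article): pin the sniffed type and tell browsers not to
    second-guess it."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples (not real files): a PNG prefix, and an uncompressed
# SWF header that a client has labelled as a PNG.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_SWF_LABELLED_PNG = b"FWS\x0a" + b"\x00" * 16

if __name__ == "__main__":
    print(check_avatar_upload("image/png", SAMPLE_PNG))
    print(check_avatar_upload("image/png", SAMPLE_SWF_LABELLED_PNG))
```

The signature check is a useful layer but, as the article's own examples show, the decisive control is the separate origin: a file the checks miss still cannot run in the application's domain if it is never served from it.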

CNet: What Intel just bought for $1.25 billion: Less risk

by Stephen Shankland

Even for a company as powerful as Intel, with $13 billion in cash on the books, $1.25 billion is a lot of money. So why drop that huge quantity of money in the lap of its biggest rival, Advanced Micro Devices?

The payment is, of course, to settle the antitrust suit AMD brought against Intel five years ago. AMD's stock surged 22 percent Thursday after the chipmakers announced the agreement, but Intel's share price dropped 1 percent, indicating which company the investors thought got the better deal.

AMD does indeed come away with some serious perks: not just the cash, but also a new patent cross-license agreement that removes Intel's objections to AMD spinning off its chip-manufacturing business, enables multiple manufacturers to build AMD's chips, and eliminates the earlier patent agreement's payments to Intel. And it has Intel's agreement not to violate a list of restraints on its business practices.

But Intel gets something out of this, too.

Spend now, save later
Let's start with the money. Sure, shareholders likely frowned when they heard Intel's fourth-quarter expenses are expected to climb from $2.9 billion to about $4.2 billion. But Intel could have been out a lot more money if things had gone south.

In the European Union, Intel is wrestling with an antitrust case that produced a fine of 1.06 billion euros, or $1.6 billion at today's exchange rate. Intel appealed the European Commission fine, but it's a very concrete example of just how severe the Intel punishment could be.

There are other financial factors, too. Intel and AMD were set to begin their jury trial in March, and jury trials are famously unpredictable. Add on top of that risk the fact that antitrust suits can come with triple damages.

"It was a small multiple of the damage that could be awarded in a jury trial," Intel Chief Executive Paul Otellini said of the price tag in a conference call earlier Thursday.

Treble damages of the scale of just the European Commission fine would have been more than $4 billion, Technology Business Research analyst John Spooner observed. Facing that prospect, "Intel chose to control its own destiny and settle up front."

Taking commercial cases to a jury trial is indeed risky, said Richard Brosnick, who's involved in antitrust law at the firm of Butzel Long.

"Any complex commercial case going to the jury phase is challenging, and antitrust, given the economics, is probably more challenging," Brosnick said. "Trial is expensive overall, not in billions, but in terms of the risk you'll be able to explain these issues in a way that will be understood by and persuasive to a jury."

Goodwill in other antitrust cases
AMD's antitrust case isn't the only one Intel faces. It's also got the European Commission fine discussions, a new antitrust lawsuit from New York Attorney General Andrew Cuomo, and an antitrust investigation from the Federal Trade Commission.

The AMD settlement doesn't make those cases evaporate, but Intel hopes it'll help.

"We hope that having this major litigation settled with AMD would be viewed favorably by these regulatory bodies and eventually the cases would be dropped," Intel spokesman Tom Beerman said.

Certainly those regulators won't face as much of AMD's active prodding. Among the terms of the settlement is this, regarding all the regulatory actions AMD is involved in:

AMD agrees to promptly...notify in writing each authority...that except as provided in Section 3.5 AMD has resolved its disagreements with and complaints concerning Intel contained in that Administrative Complaint and believes that this Agreement provides AMD with fair compensation for any and all actual or alleged harm and damages that AMD did or may have suffered in connection with matters discussed in the Administrative Complaint. In addition, AMD agrees that it will not ghost-write or edit any other briefs, pleadings, or "friend of the court" or "friend of the tribunal" materials or briefs in any Administrative Action.

But whether Intel will actually get what it wants isn't certain.

"It's certainly possible that the public agencies will view this as a compromise they can live with, but it's equally possible not," Brosnick said.

One issue is the Intel practices described in the section 3.5 mentioned above, where AMD and Intel still disagree. Brosnick said the governmental agencies still might be concerned about any of those practices, called "retroactive discounts," "accused bid bucket," and "accused end-user discounts" in the settlement.

Intel digging in its heels?
Though the agreement didn't preclude those practices as it did some others, Intel did agree not to defend them as hard as it might in settlement talks with the government organizations.

"Intel agrees that in the event it enters into voluntary settlement discussions with a government authority in the EC litigation, New York litigation, or the FTC investigation, and if such government authority proposes to include in a consent judgment or other governmental order a prohibition against Retroactive Discounts, Accused Bid Buckets or Accused End-User Discounts, Intel will not challenge such a prohibition as a general matter, although it may challenge the scope or specific language of the prohibition," the settlement agreement said.

Just how deeply Intel will dig in its heels in the other cases remains to be seen. Although it settled a big case, Otellini hardly sounded contrite. He reiterated on several occasions his belief that Intel didn't do anything illegal. He said airing the full context of seemingly incriminating e-mail would show Intel in a better light. And he vehemently attacked the New York case.

"We strongly disagree with the New York attorney general case and believe the complaint is entirely without merit," Otellini said. "Discounts and rebates are entirely fair business practices, and it's unfortunate the New York attorney general chose to distort the facts. We would have preferred to engage in a dialog with the New York attorney general."

Then again, Intel spoke in strong terms about the AMD trial. Perhaps Intel's pragmatic side will show in the other cases next.

Posted at 12 Nov @ 4:16 PM by Elena_Levashova | 0 Comments
  2009/11/11
News for November 11
Last changed: Nov 11, 2009 10:49 by Elena_Levashova
TheRegister: Google search primed for 'Caffeine' injection

by Cade Metz

Google has completed testing on "Caffeine," a semi-mysterious overhaul of its back-end search infrastructure, and it will soon roll the new platform behind its live search engine.

In mid-August, Google unveiled an online sandbox where it invited world+dog to test the new infrastructure, but as noticed by Mashable.com, the sandbox has been replaced by a brief message from the Mountain View Chocolate Factory.

"Based on the success we've seen, we believe Caffeine is ready for a larger audience," Google's missive reads. "Soon we will activate Caffeine more widely, beginning with one data center. This sandbox is no longer necessary and has been retired, but we appreciate the testing and positive input that webmasters and publishers have given."

Previously, über-Googler Matt Cutts told The Reg that the new infrastructure was under test in a single data center - though he declined to say which one. A Google spokesman indicates that Caffeine will now be moved to a second data center for live deployment, adding that this will happen "over the next few months."

In typical Google fashion, the company has been coy about the design of Caffeine. But Matt Cutts acknowledged that it's built atop a complete revamp of the company's custom-built Google File System (GFS). Two years in the making, the new file system is known, at least informally, as GFS2.

"There are a lot of technologies that are under the hood within Caffeine, and one of the things that Caffeine relies on is next-generation storage," Cutts said. "Caffeine certainly does make use of the so-called GFS2." Caffeine includes other fresh additions to Google's famously distributed infrastructure, but Cutts declined to describe them.

Speaking with The Reg, Matt Cutts described Caffeine as an overhaul of Google's search indexing system. "Caffeine is a fundamental re-architecting of how our indexing system works," he said. "It's larger than a revamp. It's more along the lines of a rewrite. And it's really great. It gives us a lot more flexibility, a lot more power. The ability to index more documents. Indexing speeds - that is, how quickly you can put a document through our indexing system and make it searchable - is much, much better."

Building a search index is an epic number-crunching exercise. Today, Google handles the task using its proprietary Google File System, which stores the data, in tandem with a distributed technology called MapReduce, which crunches it. But these tools are used across other Google services as well, including everything from search to YouTube.

InfoWorld: Intel to release new low-cost and enterprise-class SSDs

by Lucas Mearian

Intel will release a $120 solid-state disk (SSD) drive positioned as a server "boot drive" with only 40GB of capacity, but the drive could also be used in low-end laptop PCs and netbooks.

Intel is also planning a new line of enterprise-class SSDs with 50GB, 100GB, and 200GB capacities, which would more closely mimic the capacities of high-end hard disk drives used in servers today, an Intel representative said. Intel's current line of enterprise-class drives, the X25-E series, have capacities of 32GB and 64GB.

The 120GB X25-V SSD, known internally as the Glen Brook drive, uses lower-cost multi-level cell (MLC) NAND flash chips. The drive is currently being shipped in sample volumes among computer equipment makers and is expected to be generally available in January, said Jon Peracchi, a marketing manager at Intel.

Peracchi, who was speaking at an SSD seminar sponsored by Bell Microproducts in Westford, Mass., said the new enterprise-class SSDs, which are based on single-level cell NAND, would represent a 40 percent price cut, or about $6.50 per gigabyte, over its current X25-E SSD prices. For example, the new 50GB drive is expected to have an MSRP of $350.

The new enterprise-class drives are expected to ship as samples to equipment manufacturers in April and are expected to be generally available in July 2010.

In other SSD news, STEC plans to begin shipping next week a new enterprise-class ZeusIOPS SSD with serial-attached SCSI interface. The new drive would have a 6Gbps SAS interface compared with the current 3Gbps SAS SSD, according to an STEC representative. The new ZeusIOPS SAS SSD will support sequential read rates of up to 350MBps and write rates of 300MBps.

The company is also planning a new follow-on to its Mach8 SATA SSD, which will double the interface throughput to 3Gbps and include support for native encryption. The Mach16 SSD drives are expected out in the second quarter of 2010, and will support read rates of 250MBps and write rates of 225MBps.

CNet: Smartphone users, keep complaining

by Jessica Dolcourt

Want great software for your mobile phone? Keep up the complaints. That was the message at a Tuesday session of the BlackBerry Developer Conference here in San Francisco aimed at developers. But it's a dictum that applies to all smartphone owners.

In the symbiotic relationship between the application developer and the user, a well-placed critique is key to a good programmer improving their mobile application. The motto of the squeakiest wheel getting the most grease may seem obvious, but the importance of user feedback becomes even clearer when articulated in dollar signs and numbers.

A single-star rating for an application on a review site or storefront can severely limit its chances of getting downloaded, and therefore of making money.

"This is the curse of the one-star," said session speaker Stephen King (not that Stephen King), CEO of app testing company Mob4Hire.

His company's research suggests that the bulk of users feel comfortable downloading new mobile software that gets four stars or above. With 69 percent of people discovering apps based on rankings, reviews, and friend recommendations, and the mobile app industry growing 26 percent year over year, according to Juniper Research, there's real money to be made or lost. Addressing peoples' complaints isn't just a best business practice; it may directly affect the bottom line.

The bare financial truth of customer satisfaction isn't to say that real users' opinions are unimportant. To highlight this, King showed pictures of the barrage of errors he received after initially downloading Google Talk on his BlackBerry. Performance bugs frustrate everyone. Yet, developers should tackle customer critiques the same way they would their business model, by intelligently designing a feedback loop that makes the most impact to the most people.

Focus groups, user forums, and in-app surveys are just some ways to get quality responses, and for disgruntled (or overjoyed) users to be heard. Offering free updates and monetary rewards are other tactics for encouraging engagement. You may already be providing feedback if developers use analytics embedded in their apps, or A/B testing, where a small sample of application users see one of multiple versions of an app so the developer can determine which one had higher levels of engagement.

King dove into details about best practices for holding town hall meetings, covering everything from multicolored Post-It notes and computations to measuring customer satisfaction on a scale of one to ten. King showed a quadrant graph that balances the importance of a feature request or problem with its ease of implementation. His marching orders for application-authors: Start first with solving the easy, important stuff and move on from there, keeping the impact of each proposed change in mind, rather than its cool factor. Ask users for ideas on how to correct the failings.

At the end of the day, while user feedback is important, developers shouldn't rely on paying customers to design their application architecture, especially if mistakes are prone to frustrate the user. King was careful to note that creating a thoughtful application first is the way to go.

"There's so much marketing [for apps] that's just pure hype and crap," King reiterated to a room full of BlackBerry developers. "You can't sell software unless it's good." And sometimes, you can't get better software without making a stink.

Posted at 11 Nov @ 10:45 AM by Elena_Levashova | 0 Comments
  2009/11/10
News for November 10
Last changed: Nov 10, 2009 15:13 by Elena_Levashova
TheRegister: Social net for nerds meets Twitter

by John Oates

LinkedIn is linking up with Twitter. Users will soon be able to choose status updates on the business networking site to appear on Twitter, and vice versa.

LinkedIn claims 50 million users. The updates will come online in the next few days and will allow you to share tweets with your followers on LinkedIn.

When you're on Twitter you can share some, or only specified, messages with your LinkedIn profile too.

Excited?

There's more on LinkedIn's blog here. (http://blog.linkedin.com/2009/11/09/allen-blue-twitter-and-linkedin-go-together-like-peanut-butter-and-chocolate/)

LinkedIn had been struggling with its sub-Facebook, more business-focussed strategy, but has started gaining users again in recent months.

InfoWorld: Microsoft yanks Windows 7 tool over open-source code swipe

by Gregg Keizer

Microsoft has yanked a tool it touted as a way for netbook owners to install Windows 7 without a DVD drive after a prominent blogger accused the company of using open-source code without acknowledging where it originated.

The free utility, WUDT (Windows 7 USB/DVD Download Tool), has been pulled from Microsoft's site, as has the page of instructions on how it was to be used.

Microsoft released the Download Tool last month, and at the time trumpeted the utility as a workaround that would let netbook owners create a bootable flash drive from a downloaded .iso file, or disk image, of Windows 7 purchased from Microsoft's online store.

"We are currently looking into this issue and are taking down WUDT from the Microsoft Store site until our investigations are complete," a Microsoft spokeswoman said in an instant message reply to questions Tuesday. "We apologize to our customers for any inconvenience."

Microsoft's move was prompted by Rafael Rivera's claim last Friday that WUDT included code gleaned from a GPLv2-licensed open-source project. Rivera, who writes the Within Windows blog, said Microsoft had "obviously lifted" code from the ImageMaster project, and had then compounded the problem by not sharing the source code for its modifications, or the tool itself, to the project, as required by the terms of GPL (GNU General Public License).

GPL is a widely-used free software license that was originally drafted by Richard Stallman of the GNU project.

Microsoft has previously released several code modules under GPL, including the Live Services Plug-in for Moodle last July.

Today, Microsoft declined to answer questions about the future of WUDT, including whether it would re-release the tool at some point, and whether the utility had been removed from its site because of the GPL brouhaha that Rivera instigated.

Rivera said he was "99.9999 percent sure" that Microsoft used the open-source code within WUDT, and provided code examples to prove his point.

"I'm not a GPL expert - the thing reads like Latin - but it is my understanding that the tool would have to be open-sourced, as required by GPL," Rivera said today in an interview conducted via instant messaging.

Actually, the algorithm in question originated with the open-source file archiving software, 7zip, which is licensed under the LGPL, or GNU Lesser General Public License, a software license published by the Free Software Foundation, said Rivera. Microsoft's tool grabbed code from the GPL-protected ImageMaster project, however.

As to Microsoft's next step, the company was mum, although Rivera took a stab at its alternatives. "Ultimately, I believe one of two things will happen: The tool will either be rewritten or open-sourced," said Rivera. "I suppose the third option would be (to make it) no longer available."

CNet: Google: Caffeine search is ready to go

by Lance Whitney

Google's Caffeine initiative to perk up search results is leaving the sandbox.

First revealed as a "secret project" in early August, Caffeine is intended to speed up search results and improve their accuracy. Google's Webmaster Central blog at the time described Caffeine as "the first step in a process that will let us push the envelope on size, indexing speed, accuracy, comprehensiveness and other dimensions."

A Caffeine Web page had been set up as a developer preview test site asking people to try out the new feature and offer their feedback. But as spotted by Mashable.com, the developer information has been taken down and replaced with a note from Google, pegging Caffeine a success and briefly describing the next phase.

Based on the success we've seen, we believe Caffeine is ready for a larger audience. Soon we will activate Caffeine more widely, beginning with one data center. This sandbox is no longer necessary and has been retired, but we appreciate the testing and positive input that webmasters and publishers have given.

Caffeine won't change the look or feel of Google's popular search engine but will work under the hood to improve its performance, reportedly delivering faster, better, and more flexible results. Though Google continually tweaks its search engine, Caffeine represents the first major enhancement to its search indexing since 2006.

No word or response yet from Google on when Caffeine might actually go live.

In a late August interview with WebProNews, Google engineer Matt Cutts said that the feedback on Caffeine had been very positive.

And in a forecast of Google's latest move, Cutts also said he wouldn't be surprised if Caffeine were gradually opened up one data center at a time. Then once Google is satisfied with the new search indexing, Caffeine should spill out into more and more data centers.

Posted at 10 Nov @ 3:03 PM by Elena_Levashova | 0 Comments
  2009/11/09
News for November 9
Last changed: Nov 09, 2009 21:33 by Elena_Levashova
TheRegister: VMware virtually crashes Windows 7 desktop party

by Gavin Clarke

VMware has unveiled the latest version of its ESX-based virtualization software to capitalize on Microsoft's rollout of Windows 7.

The company has launched VMware View 4.0, featuring a new communications protocol called PC-over-IP to provide real-time screen rendering, plus the ability to deploy and manage tens of thousands of virtualized desktops without the need for custom engineering.

Planned for the first half of 2010, meanwhile, is a native hypervisor so that PCs can run offline, using the machine's local resources, and then synchronize when re-connected to the network.

View 4.0 will come in two flavors - enterprise and premier, priced $150 and $250 per concurrent user. The former features vSphere, vCenter, and View Manager, while the latter features these plus View Composer for single-image management and storage and application virtualization and ThinApp 4 for working on thin clients.

VMware believes the changes will bring desktop virtualization to a mass market of power users in addition to more traditional types in call centers through the addition of things like PC-over-IP.

PC-over-IP was a hardware protocol VMware licensed from Teradici that was used in high-end graphics and CAD. The companies have implemented PC-over-IP in software to provide real-time rendering of graphics like Flash and text in the virtualized desktop.

It's never a smart idea to introduce a new protocol without support, so VMware has made sure it has the backing of partners for PC-over-IP - Cisco Systems, Hewlett-Packard, Dell, IBM and Wyse.

On management, VMware claims View 4.0 will now scale to tens of thousands of PCs out of the box, beyond the previous 500 to 1,000 PCs. The View 4.0 vSphere ESX-based virtualization component on the desktop and View Manager management server have both been updated to support what VMware called "multiple connections at scale". View Manager will authenticate users against Microsoft's Active Directory.

So what does this have to do with Microsoft and Windows 7?

VMware believes the vSphere 4.0 changes in performance and management will make its desktop virtualization attractive to organizations rolling out Windows 7. Rather than paying Microsoft for client copies, they can run virtualized instances instead, potentially saving on licensing, and the work of rollout and on-going management by working through instances and images.

In particular VMware's making a pitch for those with legacy Windows XP applications. Windows 7 introduces Windows XP Mode to run Windows XP applications on the desktop. With vSphere 4.0, though, VMware will let you run both Windows 7 and Windows XP, while also managing the rollout of Windows 7 using just a single Windows 7 image.

Separately, VMware is today expected to announce partnerships with four hardware companies building reference architectures based on View 4.0. Cisco Systems and EMC, HP and Dell will provide architectures around computing, storage, networking and software, with Cisco and EMC also providing services. NetApp will provide storage reference architecture. ®

InfoWorld: Microprocessor sales reach record levels

by Mikael Ricknäs

Intel's Atom processor, which is used in netbooks, helped PC microprocessor makers sell record numbers of chips during the third quarter, although the overall value of the market fell, according to market researcher IDC.

The PC processor market has made a remarkable recovery since the start of the year, IDC said.

Unit shipments rose by 23 percent quarter-over-quarter, according to IDC. Even more important is that sales grew by 0.3 percent or 220,000 units compared to the third quarter last year, which also was a record breaker, it said.

The low-cost Atom processor may have helped to boost unit growth, but it also meant vendors were on average paid less for their products. The average sales price per processor dropped by 7 percent compared to the second quarter and by 10 percent year-over-year, according to IDC.

Intel's unit market share grew to 81.1 percent, up 2.2 percentage points since the second quarter, while AMD's dropped 1.9 percentage points to 18.7 percent.

VIA Technologies' already small market share dropped even further, to 0.2 percent of units shipped, down from 0.5 percent last quarter, and 0.6 percent a year earlier.

IDC is becoming more optimistic about the future, and now expects over 300 million processors to ship in 2009. That would be a 1.5 percent increase compared to 2008. That projection is dependent on continuing growth in China, which so far this year has been helped by government incentives.

CNet: With AdMob, Google seeks mobile-ad advantage

by Tom Krazit

When the long-expected development of smartphones and handheld devices into primary computers reaches maturity, Google wants to make sure it occupies just as strong a position on the small screen as it does on the big one.

Google set the stage for that future Monday when it announced a $750 million all-stock deal to acquire AdMob, which is considered one of the strongest ad network providers for the mobile-computing world. It's a familiar strategy; just as Google bought DoubleClick in 2007 to blend search ad expertise with display ad expertise, so it plans to add AdMob's network of partners to its own mobile search ad efforts.

For all the work Google does in other areas (Google Apps, Android, Google Voice), advertising has always been, and will likely remain, its most important source of cash. It dominates the most lucrative segment of online advertising (search) and wants to expand its efforts in display advertising as well with a revamped DoubleClick Ad Exchange and increased efforts to court the major advertisers of the world.

But unlike the PC-based Internet, the mobile Internet-advertising business is still very small and very fragmented, with dozens of companies claiming to play a leading role. AdMob founder and CEO Omar Hamoui said he had no idea how much market share his company had in the business of providing mobile ads to Web site publishers, although AdMob is considered by outsiders to be one of the strongest companies in this area due to its work with ad units for iPhone applications.

Few doubt the staying power of mobile computing, however. Even with mobile advertising accounting for just a fraction of overall online advertising in 2009 ($416 million out of a total online spend of $24 billion according to eMarketer figures quoted by Google), AdMob has been cash-flow positive for about a year as advertisers show increasing interest in trying out mobile ads on smartphones like the iPhone and Android-based devices.

Google said it thought getting AdMob's 140-person team inside its company was "a pretty unique opportunity," said Vic Gundotra, vice president of engineering at Google, in an interview following the announcement of the deal. Gundotra and Hamoui both cited the cultural fits between the two companies as helping to streamline a deal; San Mateo, Calif.-based AdMob counts three Google veterans among the 10 executives listed on its management page.

It's not clear yet how Google will integrate AdMob into its existing structure. Google already operates DoubleClick Mobile, an ad delivery service that allows publishers to sell mobile ads directly to advertisers through a variety of ad networks, including AdMob's. What it doesn't have is its own display ad network with the reach and heft of AdMob's 15,000 and growing name-brand advertisers, which allows mobile publishers to essentially outsource their ad sales.

It's also not clear whether AdMob will now become "the" ad network for DoubleClick Mobile customers, but that might exclude a lot of business: Google lists its own AdSense, the MBrand and Decktrade networks from Millennial Media, and AdMob as just some of the ad networks it offers for DoubleClick Mobile customers.

In addition, Hamoui said AdMob would continue to sell ads across many different types of phones, rather than focusing on Google's Android. The whole reason AdMob has grown to the level it has was because it was able to separate its technology from specific phones like the iPhone or Android, which gives advertisers a much broader reach than if the ad network focused on any one phone, he said.

Google is now positioned to offer a one-stop shopping experience for companies interested in online advertising, combining search and display ad possibilities on both regular Web sites and mobile sites and applications. As has been the case for so many Google products and initiatives this year, that will likely raise an eyebrow among federal regulators.

As such, Google said while it doesn't expect to encounter significant regulatory issues with the AdMob purchase, "closer scrutiny has been one consequence of our success. On that basis, we wouldn't be surprised if there were some regulatory review before the deal closes." Google said it hoped to wrap up the deal "in the next several months."

Google took great pains Monday to point out how small a deal this was in the grand scheme of the advertising market. It created a Web site devoted to the deal where it quoted competitors in support of its point that mobile-ad budgets are tiny at the moment compared to the overall amount of money spent on online ads.

But Google's willingness to cough up $750 million in stock - making this its third-largest acquisition once it's finalized - shows just how important it thinks this market will become over the next decade.

When asked how quickly Google might see a return on this deal, Gundotra emphasized the future possibilities over short-term financial concerns.

"Getting that group of talented people into our company is an unbelievable return," he said. "It's likely to lead to products and innovations we haven't even thought of yet."

Posted at 09 Nov @ 9:24 PM by Elena_Levashova | 0 Comments
  2009/11/06
News for November 6
Last changed: Nov 06, 2009 17:46 by Elena_Levashova
TheRegister: Apple under Jobs: from muck to mountaintop

by Rik Myslewski

Steve Jobs has been crowned CEO of the Decade by the preeminent house organ of US corporate shillery, Fortune magazine.

Love him or hate him - or both - Jobs has earned the honor.

Fortune's panting panegyric covers the now-familiar saga of Jobs's rescue of Apple from the jaws of disaster, spiced with details of how he reshaped a rapidly sinking ship worth a mere $5bn in 2000 into today's $170bn juggernaut.

The article recounts Jobs's series of canny moves during the early part of this decade: streamlining Apple's discombobulated product line, pulling the plug on the cash-hemorrhaging Newton, snuffing out the money-losing Mac-clone experiment, shepherding the genre-transforming iMac, redefining music marketing with the iPod and iTunes Store, replacing Apple's creaky operating system with the (eventually stable) Unix-based Mac OS X, creating destination shopping with the 276-strong squadron of Apple retail stores, and more.

And then there was that other genre-redefining offering: the iPhone.

All smart - and successful - moves, to be sure. But what the article doesn't fully consider is what a smoldering train wreck Apple was when Jobs took it in hand. Although the company could have been fairly described in those dark days as having nowhere to go but up, that direction was far from clear in the late 1990s.

The speed with which Jobs was not only able to get Apple back on track but also to transform its image from laughingstock to acclaimed trend-setter has been nothing short of jaw-dropping.

How dysfunctional was Apple before Jobs's reappearance? This reporter's favorite story of those dark days was when he, as an editor for the late, lamented US Mac rag, MacUser, was enduring the now-famously excruciating Macworld Expo 1997 keynote address by Apple's then-CEO Gil Amelio. As thousands of attendees sat in stunned silence, a fellow editor turned to your reporter and mouthed two short words: "We're fucked."

He was right. Apple was adrift, and Amelio - despite his best behind-the-scenes reorganizational efforts - was failing to rally even the most fervent faithful.

In that valley of death through which Apple then slogged, the company's confused product line was stuffed with a gaggle of competing and often poorly engineered offerings, investor confidence was well-nigh nonexistent, its efforts to replace an aging proprietary operating system were writhing in agony, and its belated attempt at OS licensing was siphoning off revenue streams as more-nimble competitors such as Power Computing repeatedly introduced faster Macs more quickly than did Apple, and at lower prices.

That MacUser editor's succinct observation was right on the money - and, for Apple, that money was spurting from its system faster than blood from a slashed aorta.

Fast-forward to today, when Apple's stock hit a high of $195, its cash reserves total $34bn, and in its most recent fiscal quarter, it earned $1.67bn on sales of $9.87bn. All mid-Meltdown.

It would of course be a mistake to credit all of Apple's success to Fortune's CEO of the Decade. Cupertino is chock-a-block with talented engineers, designers, and coders. But Steve Jobs has been the man at the helm during Apple's unarguable resurgence.

Unfortunately - and equally unarguably - there's Good Steve and there's Bad Steve. Some say that Apple's rise has been due to Jobs's penchant for ruling with an iron hand. Others would replace "hand" with "fist".

The Valley abounds with Bad Steve stories - his dismissiveness, his "my way or the highway" imperiousness, and his ability to strike fear in the hearts of his underlings.

One story that nicely sums up Steveophobia was told by a former Apple employee on his blog: "...the level of paranoia was directly related to the closeness to the top floor at One Infinite Loop. I remember coming over to Steve's floor to pick up an executive VP for a briefing. He quickly suggested a route off the floor that didn't go in front of Steve's office. He explained the choice by saying it was safer."

Other such stories can be found in the multitude of books dissecting Jobs and his managerial manner - Leander Kahney's Inside Steve's Brain, Alan Deutschman's The Second Coming of Steve Jobs, and Jeffrey Young and William Simon's iCon Steve Jobs, to name just a few.

The publication of that last book, in fact, led to an incident that well illustrates Steve Jobs's desire to control any and all situations that touch upon him personally. Before iCon's publication, as reported by The New York Times and others, it and all other books by its publisher, John Wiley &amp; Sons, were not-so-mysteriously banned from Apple's retail stores.

Apple under Steve Jobs has become near-fanatical about controlling its messages - and it has no qualms whatsoever about limiting access to only those it vets as being of use to its message machine. Your reporter, for example, enjoyed access to Apple spokespeople for nearly 20 years - until he joined the staff of The Reg.

It can be argued, however, that extreme message-management as practiced by Jobs's Apple works greatly in the company's favor. As the Fortune story notes, one Harvard prof has estimated that Apple's refusal to provide sanctioned information about the iPhone before its 2007 release resulted in a media frenzy worth $400m in free advertising - a media manipulation now being repeated with the oft-rumored Apple tablet.

You may think of Apple's extreme secrecy as being a bit crazy, but we'd argue that "crazy like a fox" is a better analysis.

Savvy, mercurial, visionary, cruel, secretive, involved, insightful, manipulative, hard-charging, private, quixotic - these are all terms that could arguably be used to describe Fortune's CEO of the Decade.

One term, however, is indisputable: successful. ®

InfoWorld: Intel promises SSD firmware fix

by Chris Brandrick

Chip-maker Intel has promised to supply a fix for a recently released firmware update, which once applied, bricked certain users' SSDs (solid-state drives).

The firmware, dubbed the SSD Optimizer update, was made available late last month, but was quickly pulled by Intel. The decision by Intel to stop the firmware's availability was due to various reports, including several disgruntled forum posts, that the software was bricking certain users' drives.

The update promised to make the X25-M series of SSDs more efficient, assuring speed increases of up to 40 percent. Even though some users have had the pleasure of enjoying the advertised performance upgrade, others have not been so lucky, experiencing a software crash and ending up with bricked devices.

The glitch in the firmware has been identified as a problem only for those running the 64-bit edition of Windows 7. Intel's Alan Frost explained that the company had "replicated the issue" internally and was "working on a fix", with the resolution being treated "as a high priority". Unfortunately, he failed to deliver a solid date for the fix's availability.

CNet: Mozilla's e-mail group looks toward the cloud

by Stephen Shankland

For almost all of its existence, Mozilla Messaging has been known for Thunderbird--e-mail software with the traditional view that a person's PC is the center of their computing existence.

Now, though, the Mozilla Foundation subsidiary's scope is expanding beyond the confines of the computer under your desk or on your lap. In the near term, the new Thunderbird 3 is becoming more integrated with the Web. And in the longer term, the Raindrop project has the potential to lift your inbox all the way to the cloud.

"For us it's really important to have Thunderbird. It's also important to not stay in the blinders of that scenario," Mozilla Messaging CEO David Ascher said in an interview at the company's headquarters here. With Raindrop, "We're focusing on best experience for messaging in a Web application."

The change reflects the changing nature of computing. Where Thunderbird's chief competition once was desktop software such as Microsoft's Outlook, it now also has to reckon with Google's Web-based Gmail service and its ilk, Ascher said.

Thunderbird is still a priority. Thunderbird 3 is set to arrive next week in near-final form - though nearly a year later than had been planned - and Mozilla Messaging has high hopes the new version will be faster, easier to use, and more versatile through the addition of third-party extensions.

Universal inbox
Raindrop is something of an ultimate inbox in the company's vision, a Web application that draws not just from e-mail but from other communication conduits such as Twitter, Facebook mail, and instant messaging. Its goal isn't just to consolidate today's overabundance of communications channels, it's to help prioritize what's important and put off what's optional until a more convenient time.

"We're breaking the notion of one list coming in, in chronological order," he said. What just arrived isn't necessarily the most important thing to do, though human minds are prone to thinking it is.

Some aspects of Raindrop's future are more certain than others. It's way too early to say when the company might release its first version of the actual software, but one thing that's settled is that Raindrop won't be a service Mozilla offers. Instead, the software will run on others' servers - at Internet service providers, for example.

"Hosting a messaging system for the world is not something we can afford right now," Ascher said. Still, it's revealing that the company chose to create Raindrop as a server-based technology accessible through a Web browser rather than as PC-based software.

Will Raindrop rule the roost?
In the longer term - say 2015 - might Raindrop replace Thunderbird as people's messaging interface of choice? Perhaps.

"I suspect some people will and some people won't," he said. "I think desktop software still has a bunch of user benefits that will last for quite a while."

Persuading everybody to freely cooperate with Raindrop could be tough. Sites like Facebook like their central positions in people's electronic lives and like to serve ads next to their content. In time, though, Ascher believes they'll come aboard.

"I think in the long term, openness wins," he said.

Even without Raindrop, Thunderbird 3 will integrate with the Web. It's got Firefox's engine built in for displaying Web pages, a fact that means the software can display Web content.

That ability means Thunderbird can, for example, show Yahoo and Google calendars in separate tabs. There's little in the way of integration with those services today, but it can be added, Ascher said. He expects plenty more add-ons will bring it closer to the cloud, too. He didn't mention it, but even Raindrop could be added in its own compartment.

Mozilla Messaging is part of a peculiar organizational structure. In the beginning the non-profit Mozilla Foundation oversaw the open-source software that was the core of Netscape Communicator. Eventually, that software split into two main components: the Firefox browser and the Thunderbird e-mail software.

The foundation set up two subsidiaries to oversee the two projects, first Mozilla Corp. for Firefox in 2005 and second Mozilla Messaging for Thunderbird in 2007. Ascher has since 2007 led the latter, which employs six engineers and nine others.

It also draws on the expertise of many volunteers in the open-source world who translate the software, write add-ons, and help debug it. Because of this help, Mozilla Messaging gets by with only one quality assurance employee and one marketing employee, and Thunderbird 3 will arrive in more than 40 languages.

The subsidiary today gets its funding from its nonprofit Mozilla Foundation parent, which in turn receives the lion's share of its revenue from the search advertising that results from searches Firefox sends Google's way. Ultimately, Ascher wants Mozilla Messaging to be financially self-sustaining. But how?

"I'm not sure yet. I think what we're looking for are rev models like Firefox - revenue models where the user benefits and doesn't have to pay anything, and somehow enough money flows into Mozilla Messaging to fund development long-term," Ascher said.

That may sound like a lot of hand-waving, but Ascher points out he has no investors looking for a big and quick return on the money they invested, so Mozilla Messaging is a relatively cheap operation to run.

Ads? No thanks
One route the company won't take is advertising, the approach that's vital to Gmail, Hotmail, and Yahoo Mail, as well as to Firefox.

"I don't think people benefit from advertising in mail," he said. "One reason it works for search engines is people often are searching to buy. They're happy to see ads. It helps them. I don't think that works in e-mail."

Today, there are probably somewhere between 10 million and 20 million Thunderbird users, said Rafael Ebron, Mozilla Messaging's director of marketing. That's a far cry from Firefox, whose users total more than 300 million, Mozilla says.

But both projects can punch above their weight. Just being a freely available alternative - whether with Thunderbird or with Raindrop - can steer other products and services, Ascher believes.

"Firefox had an influence over people greater than its market share," Ascher said. "I don't think we'd need to manage everybody's e-mail servers for us to have an influence over the e-mail landscape and make sure everybody has a better experience."

Posted at 06 Nov @ 5:37 PM by Elena_Levashova | 0 Comments
  2009/11/05
News from November 5
Last changed: Nov 10, 2009 20:53 by Elena_Levashova
TheRegister: Web authentication busted on Apache, IIS

by Dan Goodin

Researchers say they've uncovered a flaw in the secure sockets layer protocol that allows attackers to inject text into encrypted traffic passing between two endpoints.

The vulnerability in the transport layer security protocol allows man-in-the-middle attackers to surreptitiously introduce text at the beginning of an SSL session, said Marsh Ray, a security researcher who discovered the bug. A typical SSL transaction may be broken into multiple sessions, providing the attacker ample opportunity to sneak password resets and other commands into communications believed to be cryptographically authenticated.

Practical attacks have been demonstrated against both the Apache and Microsoft IIS webservers communicating with a variety of client applications. A consortium of some of the world's biggest technology companies have been meeting since late September to hash out a new industry standard that will fix the flaw. A draft is expected to be submitted on Thursday to the Internet Engineering Task Force.

"A core security guarantee made by TLS is violated as a result of this problem," said Steve Dispensa, CTO of PhoneFactor, a provider of two-factor authentication services, the company where Ray works. "It's going to take a while for the protocol changes necessary to be rolled out, because every browser and every server in the world is going to have to be patched."

Ray and Dispensa were quick to note that the vulnerability would most likely have to be exploited in concert with some other security weakness, say a flaw in a home router or the recent DNS bugs discovered by researcher Dan Kaminsky. And even then, an attacker would be unable to read encrypted data that flowed between a server and a client.

Indeed, Moxie Marlinspike, a security researcher who has repeatedly exposed serious shortcomings in SSL, said the attacks were hard to pull off in the real world, in large part because they appeared to target a rarely used technology known as client certificate authentication.

"It's clever, but to my knowledge the common cases in which the majority of people use SSL (webmail, online banking, etc.) are currently unaffected," he wrote in an email. "I haven't found these attacks to be very useful in practice."

But Ray and Dispensa said there are attacks that don't rely at all on client authenticated certificates. They maintained that the ability of an attacker to inject plaintext of his choice into an authenticated data stream represented a major threat. And they said the attack has special implications for smartcards and other technologies that rely on client authenticated certificates.

"There is consensus among the biggest vendors in the world that it's a big problem," Dispensa said.

Already, developers from OpenSSL and GnuTLS have developed patches and are in the process of testing them. Other providers of hardware and software that implement SSL are in various stages of patching as well. Dispensa and Ray presented their findings under a non-disclosure agreement to a large number of company representatives on September 29 in Mountain View, California, at a company they declined to name.

The parties had planned to continue working on a fix in secret throughout the rest of the year. Coincidentally, a separate researcher recently documented the basics of the protocol defect and made some of the findings public, prompting Ray to disclose his research. The flaw dates back to SSL 3.0, published in the mid 1990s, and was carried unchanged into every version of TLS.

The vulnerability stems from the ability of either party in an SSL transaction to renegotiate the session, usually so one or the other can refresh its cryptographic keys. Nothing ties the renegotiated session to the one that preceded it, and the application layer is not told that a renegotiation took place, so a web server treats the bytes it buffered before the new handshake and the bytes that arrive after it as one continuous request stream. Because HTTP lacks a way to direct the client to resubmit the request within the newly authenticated channel, the server must apply the new authentication retroactively, to data it has already received.
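
The following is an added example, not code from the article or from Ray and Dispensa's research: a toy model of the server-side behaviour described above, showing how an attacker's unterminated HTTP header, sent before a renegotiation, swallows the victim's request line while the victim's own Cookie header still authenticates the attacker's request. The HTTP bytes, the host name "bank.example" and the cookie value are constructed for the demonstration; the "hardened" variant simply refuses to carry a partially read request across a renegotiation, which is the behaviour the patches of the time aimed for.

```python
# Added example (not from the article or from Ray and Dispensa's paper): a toy model of
# why TLS renegotiation lets an attacker prefix plaintext to a victim's HTTPS request.
# All HTTP bytes below are constructed; "bank.example" and the cookie are hypothetical.


class RenegotiationError(Exception):
    """Raised by the hardened server when a renegotiation would splice two senders' data."""


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus headers (last duplicate wins)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.decode(), "path": path.decode(), "headers": headers}


# What a man-in-the-middle sends in its own TLS session, before triggering a renegotiation.
# The final header is deliberately left unterminated (no CRLF) so that whatever the victim
# sends next becomes the rest of that header's value.
ATTACKER_PREFIX = (
    b"GET /account/transfer?to=attacker&amount=1000 HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# The victim's genuine request, delivered inside the renegotiated session that the server
# authenticates (here via a session cookie; a client certificate would be applied the same way).
VICTIM_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-secret\r\n"
    b"\r\n"
)


def vulnerable_server(before_reneg: bytes, after_reneg: bytes):
    """Pre-fix behaviour: application bytes received before and after a renegotiation are
    appended to one request buffer, and the whole request is attributed to the principal
    authenticated by the latest handshake.  Returns the (path, cookie) the server acts on."""
    req = parse_request(before_reneg + after_reneg)
    return req["path"], req["headers"].get(b"cookie")


def hardened_server(before_reneg: bytes, after_reneg: bytes):
    """Refuse to carry a partially read request across a renegotiation.  (Operational
    equivalents at the time: disable renegotiation outright, or accept it only when the
    application buffer is empty.)"""
    if before_reneg:
        raise RenegotiationError("application data pending across renegotiation")
    req = parse_request(after_reneg)
    return req["path"], req["headers"].get(b"cookie")


if __name__ == "__main__":
    path, cookie = vulnerable_server(ATTACKER_PREFIX, VICTIM_REQUEST)
    print("vulnerable server executes", path, "authenticated by", cookie)
    try:
        hardened_server(ATTACKER_PREFIX, VICTIM_REQUEST)
    except RenegotiationError as err:
        print("hardened server refuses:", err)
```

Note what the model does and does not give the attacker: the victim's cookie is never revealed to the man-in-the-middle, exactly as the article says, but the server performs the attacker's transfer under the victim's identity. The protocol-level fix the consortium was drafting (later published as RFC 5746) closes the gap differently, by cryptographically binding each renegotiation to the handshake before it so that the two halves of the spliced stream can no longer belong to different peers.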

InfoWorld: Facebook, MySpace coding errors compromised users' data

by Jeremy Kirk

Social-networking sites MySpace and Facebook have apparently fixed coding errors that could have allowed an attacker access to all of their users' data and photos.

The simple coding errors are alarming considering the extent to which social networks have gone to reassure their users that their data will be safe. The problem involved the way those sites handle requests for data from other domains, governed by the Flash cross-domain policy file (crossdomain.xml), which tells Flash Player which other domains may read a site's responses.

Sites such as MySpace and Facebook typically block other domains from requesting and receiving data for privacy reasons, except for their own vetted subdomains.

Facebook disallowed access from other applications on its main domain, but a developer in the Netherlands, Yvo Schaap, found that Facebook would allow data to be given out from one of its subdomains.

Since that subdomain also served all of Facebook's user data, an attacker could steal it by luring a victim to a URL carrying a Flash application rigged to fetch the data. Flash Player sends the victim's Facebook cookies with the request, so the attack works whenever the victim is logged in, which is most of the time for people who have auto-login enabled, as most do, according to Schaap's blog.

A "more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data," Schaap wrote on his blog.

He also found the problem on MySpace, whose policy allowed a domain called "farm.sproutbuilder.com" to access its data. That site accepts uploaded Flash applications, so an attacker could upload one there, and it would be granted access to a victim's MySpace data when the victim visited a malicious URL.

MySpace disagreed with the severity of the error, saying it would have only exposed information that was already public. The problem was with the sproutbuilder domain, and it has since been fixed, a spokeswoman said. "No public MySpace data was exposed and the vulnerability was never exploited," she said.

A look at Facebook's latest crossdomain.xml file shows that the bug appears to have been fixed. MySpace also appears to have taken "farm.sproutbuilder.com" out of its cross-domain list. In a statement, Facebook said it "worked with the researcher who identified this issue to fix it. We have not received any reports that it was ever exploited."
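
As an added example (not code from the InfoWorld article, from Schaap, or from either site), here is the check a reviewer would run over a crossdomain.xml file before trusting it: flag wildcard entries, entries that point at hosts outside the site's own domain, and entries with secure="false". The two policy files are constructed for the demonstration; "example-social.com" is a hypothetical site, while "farm.sproutbuilder.com" is the third-party host the article names.

```python
# Added example, not code from the article or from either social network: a small auditor
# for Flash cross-domain policy files.  The policies below are constructed; "example-social.com"
# is hypothetical, "farm.sproutbuilder.com" is the host named in the article.
import xml.etree.ElementTree as ET

# Constructed policy resembling the problem described: the site's own subdomains are
# trusted, but so is a host that accepts user-uploaded Flash content, and a wildcard
# entry (with secure="false" on top) trusts everyone.
SAMPLE_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example-social.com"/>
  <allow-access-from domain="farm.sproutbuilder.com"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed policy that only names hosts the site controls and forbids per-directory
# policy files elsewhere on the host from widening access.
HARDENED_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example-social.com"/>
  <allow-access-from domain="static.example-social.com"/>
</cross-domain-policy>
"""


def _in_scope(domain: str, trusted_suffixes) -> bool:
    """True if a policy entry (possibly of the form '*.suffix') names only hosts under a trusted suffix."""
    host = domain[2:] if domain.startswith("*.") else domain
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def audit_crossdomain(policy_xml: bytes, trusted_suffixes) -> list:
    """Return (domain, reason) findings for every entry that lets Flash content from an
    origin outside trusted_suffixes read responses sent with the victim's cookies."""
    root = ET.fromstring(policy_xml)
    findings = []
    for entry in root.iter("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "wildcard: any site on the web may read responses"))
        elif not _in_scope(domain, trusted_suffixes):
            findings.append((domain, "third-party host: anyone who can publish a SWF there inherits access"))
        # secure="false" lets an http:// SWF read https:// responses, so a network attacker
        # who can tamper with plain HTTP pages gets the same access.
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, 'secure="false": http:// content may read https:// data'))
    return findings


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "->", audit_crossdomain(policy, ("example-social.com",)) or "no findings")
```

Run the audit against every host that serves user data, not only the main domain: as the Facebook case shows, a permissive policy on one subdomain is enough when that subdomain can hand out the same data. Treat any entry for a domain whose content other people can upload as equivalent to a wildcard.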

CNet: Google privacy controls: Most people won't care

by Matt Asay

Google's biggest threat is no longer Microsoft. It is itself.

As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...

...and at freaking them out over privacy concerns.

In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.

But in so doing Google also becomes more threatening to the very consumers it is trying to serve.

Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.

As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.

Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.

Why? Because for all our hand-wringing over privacy (and for good reason), the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.

It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.

It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.

People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)

This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs, and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.

I wasn't trying to evade lock-in. I was trying to increase personal happiness.

Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year-old's seventh-grade essay.

Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.

A very smart move by Google, one that all data-driven businesses should emulate.

Posted at 05 Nov @ 4:40 PM by Elena_Levashova | 0 Comments
  2009/11/04
News for November 4
Last changed: Nov 04, 2009 15:36 by Elena_Levashova
TheRegister: Google embraces Wave's permission chaos

by Austin Modine

Google is embracing complete user-access anarchy in its new-age collaboration tool, Google Wave, so that early testers won't be tempted to fall into their old emailing habits.

A puzzling attribute of Google's new open-communication sandbox is the complete lack of permissions. As it stands today, if a person is invited to a Wave session they have full editing privileges on absolutely everything. And with Google intending Wave to become a serious collaboration tool for businesses, there are clearly some potentially disastrous situations ahead if an army of underlings can simultaneously fiddle with something like a quarterly report or grant application without permission.

Speaking at the Enterprise 2.0 Conference today in San Francisco, Google Wave's product manager Gregory D'Alesandre explained that leaving out access controls is part of Google's agenda to wean users and developers away from restricted email environments.

"We really buy into the concept of collaboration - and collaboration in all things," said D'Alesandre. "Eventually we'll get to the point where we have some permissions where you have read-only people. But when we started, we realized if you put all those permissions in place, everyone would immediately lock down everything because that's what we're accustomed to."

So his team instead chose to blow open the barn door completely. Although Google Wave does provide a session recorder so users can discover who edited what and when, there's nothing to prevent items from being modified in the first place. Admitting that even employees inside Google had difficulties at first getting used to editing each other's messages with abandon, D'Alesandre said therein lies the company's vision of replacing traditional email with free-sharing Wave.

"We realized if we put all these sorts of classic permissions into place so people could lock it down and make it feel like email - they would lock it down and make it feel like email," he said.

Novell and SAP have already sipped the commune-ication Kool-Aid in Google Wave.

SAP swung by during the presentation to show off its Gravity application for Wave which allows users to collaborate on creating and modeling business processes.

Next came Novell to show how it's working to plug its new real-time document collaboration platform, Novell Pulse, into Google Wave.

Novell says Pulse combines email, document authoring, and social messaging into a single platform - and if you think that sounds exactly like Wave itself, you aren't alone. In fact, it was hard to tell where Wave stopped and Pulse began in the demonstration.

And while Novell said Pulse will feature robust security and management capabilities, the demo showed several people editing each other's instant messages as easily as they pleased. Evidently, they're jockeying against the order inherent in email too.

InfoWorld: Inside story: The soul of a failed machine

by Jon Brodkin

In a data center at Purdue University, a rare supercomputer is crunching numbers for researchers studying a broad range of scientific problems. The 5,832-processor machine is capable of performing 8 trillion calculations per second, yet it consumes just a fraction of the electricity needed by Purdue's other supercomputers. The machine is one of a kind at Purdue – because the company that built it doesn't exist anymore.

It comes from the recently folded SiCortex, a start-up founded with the idea of building the world's most efficient computers. SiCortex's story illustrates the difficulty of trying to build a new systems company in a maturing industry. Even if the idea is innovative, the product solves real-world problems and the company attracts an experienced management team and venture backing, success is far from guaranteed.

"It's always difficult to build this type of company," says Jud Leonard, SiCortex co-founder and chief architect. "You're up against a very well established, strongly entrenched business and you know, Intel is a fierce competitor. We never imagined it was going to be an easy job."


Purdue CIO Gerry McCartney says SiCortex helped him address one of his nagging challenges: providing compute cycles to researchers without overwhelming his power and cooling systems. McCartney was hoping to buy one or two more SiCortex clusters and put them together to build one giant scientific research machine, but he'll never get the chance.

In a better time, SiCortex might have carved out a profitable niche in the high-performance computing market. Instead, the vendor shut its doors in May when venture capitalists yanked its funding. SiCortex officials believe the recession played a major role in the company's demise, but even in a good economy the company would have been fighting an uphill battle in a market dominated by Intel- and AMD-based supercomputers.

No other vendor has purchased SiCortex's core intellectual property. But its technology will live on for a time in data centers such as Purdue's, where the SiCortex cluster performs millions of CPU hours of research per month for researchers in aeronautics, computer science, nanoelectronic devices, mechanical engineering and other fields.

"We're not going to unplug it just because the company's gone away," McCartney says of his SC5832, the highest-end machine sold by SiCortex. "The promise of this was a very low power consumption device with a very friendly carbon output. The limiting factor on most of our purchases is the power and cooling requirement. SiCortex was really a very good machine in that regard. It's terribly disappointing that they've gone out of business."

CNet: Fiorina's first act as senator: Merge California and Nevada

by John Paczkowski

"I don't think John McCain could run a major corporation. I don't think Barack Obama could run a major corporation. I don't think Joe Biden could, either. But it is not the same as being the president or vice president of the United States. It is a fallacy to suggest that the country is like a company. To run a business, you have to have a lifetime of experience in business, but that's not what Sarah Palin, John McCain, Barack Obama or Joe Biden are doing."
Former Hewlett-Packard CEO Carly Fiorina

Her dreams of heading up the World Bank dashed, former Hewlett-Packard Chief Executive Carly Fiorina, the architect of one of the worst tech mergers in history, has turned her attention to the U.S. Senate.

After months of speculation, Fiorina on Wednesday officially announced her candidacy. She'll run as a Republican against Sen. Barbara Boxer (D-Calif.). Of course, to do that, she must first win the Republican primary. Fiorina broke the news in an op-ed in the Orange County Register.

"Admittedly, I have not always been engaged in the electoral process, and I should have been," she wrote. "For many years I felt disconnected from the decisions made in Washington and, to be honest, really didn't think my vote mattered because I didn't have a direct line of sight from my vote to a result. I realize that thinking was wrong. As I grew throughout my career, beginning as a secretary and eventually becoming a CEO, I saw how government impacted business. I learned more as a member of advisory boards at the State Department, the Pentagon and the CIA. I now understand, in a very real way, that the decisions made by the Senate impact every family and every business, of any size, in America. This is what motivates me to run for the U.S. Senate. And so today I am announcing my candidacy to serve the people of California as your next U.S. senator. ... Together we can turn things around."

Together we can turn things around? Not if Fiorina's performance at HP is any indication. Before she was forced out of the company by its board of directors, she was so at odds with the uniquely Californian "HP Way" that her corner office could have been powered solely by Bill Hewlett spinning in his grave.

Posted at 04 Nov @ 3:17 PM by Elena_Levashova | 0 Comments
  2009/11/03
News for November 3
Last changed: Nov 03, 2009 15:30 by Elena_Levashova
TheRegister: Who does what in the server room?

by Tony Lock, FreeformDynamics

The “architectures” deployed in server rooms are beginning to change dramatically. Organisations are seeking to increase service delivery to their customers while keeping a strong hold on costs, both in terms of acquisition and, increasingly, operation. This trend in turn is shaping the skills required to run the datacentre and branch / remote systems, especially as virtualization solutions are used to support mainstream business processes.

With so much change taking place who does what in today’s server room? What skills are needed and how is resourcing managed? When there is a need to support branch office operations, what kind of balance is struck between central and local technology, resources and process?

Many organisations are deploying server virtualization technologies (http://www.theregister.co.uk/2009/08/28/x86_server_virtualization_study/) to help them better utilise the processing power now available in x86 servers. At the same time those that have extensive remote office / branch office networks that make use of IT systems are investigating how they can best support business applications and services without having the expense of keeping skilled IT staff on site at far flung locations.

In response to these demands many operations are seeking to centralise servers to their main computer rooms at the centre of the business and then make use of network capabilities to supply access to key systems to staff throughout the business. In these solutions the focus inevitably turns to ensuring that the applications running on the central servers are highly available thus placing an onus on service monitoring and management tools.

As we all know, fat network pipes do not solve all service delivery problems and in scenarios where application latency is a factor it may well prove to be the case that servers will need to be physically retained at remote locations to keep service quality levels up to those needed by the business. In these cases the focus often needs to take in remote access and management tools, possibly backed up with alternative / redundant networking solutions.

But in all cases there is a clear requirement for IT staff to add to their portfolios of skills, hopefully with less time needed to be spent keeping the company car / van in shape. So what is happening in your workplace? Are you getting the training you think you need to do the job well? Or are you relying on picking things up as they happen?

Do your tools give you a clear enough vision of just how the servers are performing in these new service architectures? Do you have a clear knowledge of what workloads they are supporting, especially in situations where server virtualisation is used extensively (http://www.freeformdynamics.com/fullarticle.asp?aid=789) or where the servers may be hundreds of miles away? Is the very ability to support huge workloads, to load new virtual servers quickly, causing you to rethink the way you handle change management requests? Are your users expecting you to deliver services that run all the time and never fail, but without recognising how much this changes the job of server administrators?

We are keen to understand more about your server operations and the challenges you face, with or without virtualization. Please do let us have your thoughts and experiences of just how things are changing in your organisation.

InfoWorld: Want to get rich with iPhone apps? Only a very few do

by John Cox

About 30 percent of Apple's App Store downloads are paid applications, and about half of all iPhone and iPod Touch users have downloaded at least once. These downloads have reaped close to $1 billion in overall developer revenue since the online iPhone catalog was launched. So there's a lot of opportunity to make it big by developing your own iPhone apps, right? Wrong.

Although paid applications clearly drive most App Store revenue, the influx of funds is heavily skewed to a relatively few developers, according to Greg Yardley, CEO of Pinch Media, which has analyzed Apple's App Store and provides iPhone developers with software that collects anonymous data from client applications to show how they're being used and how developers could improve them.


According to a blog post on the company's Web site, Pinch's data pool covers about 10 percent of all downloaded applications. By titles, paid applications are about 77 percent of the 100,000 applications in the online catalog. Yardley estimates that the average number of downloads for a paid application is 9,300, compared to about 71,000 for the average free application. That number translates into an average revenue of $12,100, with a net to the application's author of $8,500.

"That's not to say this is a common result!" Yardley writes. "The arithmetic mean can be misleading. App Store sales and distribution are top-heavy, with the most popular applications receiving a very disproportionate amount of sales. A small segment of developers do dramatically better than this average. Most do much worse."

Even that's an understatement.

Pinch Media divided the paid applications into tenths, and then looked at how the downloads distributed among them. The top 10 percent of paid applications average nearly 75,000 downloads. The second 10 percent of applications fell to a mere 9,232, slightly less than the overall average cited above. The third 10 percent fell by more than half that, to 3,849. A full 50 percent of all paid applications have an average download of less than 1,000.

Within a certain range, users are not price-sensitive. Pinch Media found that the average 99 cents application "is not downloaded substantially more often than the average $4.99 application." Yardley speculates that the performance of these more expensive applications is a "reflection of their quality, and a sign that the App Store (users) will support higher prices for an engaging experience." The most costly applications, however, trigger much stronger price sensitivity among users, according to Pinch Media.

Paid applications overall are used slightly more often and for somewhat longer periods than free software, the survey found. The average number of uses for all free applications is about eight or nine; for all paid applications, just over 10. Yardley suggests that difference could reflect application quality or increased user "attachment" to something that actually cost them money.

According to the Pinch figures, 99-cent applications have an average of about eight or nine uses, the lowest number for all paid application categories. The $4.99 programs have an average of nearly 20 uses. But when an application's price doubles to $9.99, the average number of uses nearly halves, to about 11.

These numbers are in line with Pinch Media data released earlier this year, which found that most iPhone apps after being downloaded are rarely used.

CNet: Turning Twitter into an application server

by Dave Rosenberg

As much as Twitter is a powerful communication and social application, it's a relatively simple Web app. As part of a new contest sponsored by Engine Yard, Ruby on Rails developers are going to turn Twitter into their own application server.

The contest asks developers to program the "Worst App Server Technology Ever" (Waste) using Twitter as the message bus. While much of the contest is being done tongue-in-cheek, it's actually an interesting use case to see if a service like Twitter can take the place of a more traditional message bus like IBM MQSeries or AMQP (Advanced Message Queuing Protocol).

Contest participants register up to five Twitter handles and code the function that each would perform in a program. When the contest challenge is issued on November 12, participants will have to use at least 10 of the pre-designated Twitter handles (other than their own) as endpoints to perform functions on data sets located at unique URLs. All messages will work through a series of automated public Twitter replies.

This is somewhere between an application server, a social game, the "telephone game" and service-oriented architecture (SOA), where Twitter plays the role of the enterprise service bus and the Twitter API is the broker between data sources. SOA relies on services exposing descriptions of their functionality that other applications and services can read in order to understand how to use them. In this case, Twitter can be used as an application server in the cloud. (Take that, buzzword bingo players.)

The funny thing is that as absurd and comical as this sounded when the Engine Yard guys told me about it, I've started to think about this as a way to possibly achieve a real technological breakthrough. And while I don't think that Twitter will be the "cloud bus," I do think that there is a lot to be learned from applying this type of constraint to a data flow process.

Engine Yard VP of marketing Michael Mullany told me that the contest shows how developers can leverage a relatively straightforward platform in innovative ways. But it's also another example of an interesting marketing effort to use Twitter as the vehicle for one's own benefit. Also, in true open source fashion, developers wind up building new applications based on code written by their peers.

Let's hope Twitter can handle the attention and developers are not greeted by the ever-lurking fail whale. You can check out the contest and learn more details at Engineyard.com

Posted at 03 Nov @ 3:16 PM by Elena_Levashova | 0 Comments


The individuals who post here are part of the extended Sun Microsystems community and they might not be employed or in any way formally affiliated with Sun Microsystems. The opinions expressed here are their own, are not necessarily reviewed in advance by anyone but the individual authors, and neither Sun nor any other party necessarily agrees with them.

Copyright 1994-2009 Sun Microsystems, Inc.