Apple marginally improves App Store approval process

The App Store approval process appears to be improving in fits and starts. Wired was among the first to note that the Apple Dev Center site now features a table that displays whether a submitted application is "Waiting for Review," "In Review," or "Ready for Sale," along with a timestamp for each entry. Developers who submit their programs into Apple's black box can now get limited status updates on the state of the process.

We've confirmed the update, which has also been mentioned by some iPhone developers on Twitter. Previously, the site gave only extremely impersonal statistical information about the overall approval rate, along the lines of Apple's claims last March that it approved 98 percent of applications within a week of submission. Of course, that's about the bare minimum information that the company should provide, and the system appears to be new enough that we don't yet know how it will handle the bizarre rejections that have plagued the approval process like crows stalking Tippi Hedren. This move is a step in the right direction, but it's also a little ridiculous given that the App Store has been open for well over a year: this is the kind of basic feedback that should have been in place from day one. The real problem here is that Apple doesn't seem to treat developers (outside of the inner circle it parades around at events) with the same basic courtesy that it accords its customers. Meanwhile, prestigious developers continue to walk away from the platform, the latest being Facebook iPhone app developer Joe Hewitt, who has not shied away from expressing his disappointment with the App Store review process.

This, despite the fact that not only are pretty much all iPhone developers also Apple customers, but they pay to develop apps for the platform (and many have told me in the past that they'd gladly pay more if it were accompanied by a higher level of service). Imagine you, as a customer, bought a computer from Apple's online store. Should your order suddenly be canceled, wouldn't you want an explanation? Wouldn't you expect to be able to check the status of your order? And should you not be satisfied with that explanation, wouldn't you want some form of recourse, even if it were simply talking to a manager? These are all things we take for granted as part of the consumer experience, but they're elements woefully lacking from most developers' interactions with Apple. And consider that not only are developers paying money directly to Apple, but they're investing in Apple, in the success of its platform: they're tying their own livelihood to Apple's product.

Sure, for every developer that decides to stop working on the iPhone there are a thousand that stay. But they have a stake in Apple's prosperity, so, despite being labelled as whiners and complainers, they want Apple to succeed. You'd think that would entitle them to a little respect. You can bet Apple looks at data to figure out why people decide not to buy its products; I only hope it's being as vigilant about the developer side of the equation.

VMware ties disaster recovery to vSphere, lifting obstacle to adoption

VMware's Site Recovery Manager (SRM) now supports vSphere, eliminating one of the obstacles that had kept customers from upgrading to the latest version of VMware's virtualization platform. VMware on Monday released SRM version 4, with support for vSphere and other upgrades including a "many-to-one failover [that] protects multiple production sites with automated failover into a single, shared recovery site." vSphere 4, the successor to ESX Server 3.5, was unveiled in April but until now did not work with Site Recovery Manager, VMware's software for recovering virtual machines in case of disaster. Because Site Recovery Manager did not immediately support vSphere, numerous customers have delayed upgrades from 3.5, acknowledges Jon Bock, product marketing manager for VMware's server business unit.

Now that SRM supports vSphere, adoption should accelerate, he said. "A customer who has important production applications on ESX 3.5 is probably not going to upgrade to vSphere 4 the day after it's released," Bock said. "vSphere was a significant change that we had to update the add-on products for. In a perfect world, we'd love to have all the new releases of products released on the same day as the platform." But the months-long delay is similar to delays often seen between the release of a new operating system and add-on products, he said. vSphere is still not supported by VMware View, the vendor's desktop virtualization software. Lifecycle Manager just gained compatibility with vSphere in a new release a few weeks ago. VMware View will be compatible with vSphere in its next release, expected in 2010, according to a VMware spokeswoman.

In addition to support for vSphere, Site Recovery Manager now supports NFS storage, along with Fibre Channel and iSCSI, which were already supported. "We have a lot of interest in NFS from customers looking at using that in important applications," Bock says. SRM works by integrating tightly with storage array-based replication; VMware provides an integration module to partners, and most of the major storage companies have made their products compatible with Site Recovery Manager. Shared recovery sites, the other new feature, could be useful for companies with multiple branch offices, Bock said. The new version of SRM is available now and costs $1,750 per processor.

Overall, the new release is "focused on expanding the use cases for Site Recovery Manager," he said. Virtualization offers inherent advantages when it comes to disaster recovery, since it eliminates the need to recover the actual physical server an application was running on, Bock notes. SRM was first released in June 2008 and has been purchased by more than 2,000 customers, Bock says. That's still a small portion of VMware's 150,000 customers overall. Some customers have been using SRM not for disaster recovery but to move applications from one site to another when they are switching data centers, he said. Still, disaster recovery is the main purpose for the software.

SRM support for vSphere was a highly anticipated feature, says ITIC analyst Laura DiDio. "Disaster recovery and backup are in every customer's top five checklist of things you must have," she says.

ITU Telecom World expo shifts in response to economic crisis

The ITU Telecom World exhibition has returned to Geneva after a visit to Hong Kong in 2006 - and has brought many Asian exhibitors back with it. The booths of China Mobile, ZTE and Datang Telecom Group loom over the entrance to the main hall, alongside those of NTT DoCoMo and Fujitsu, while upstairs the Huawei Technologies and Samsung Electronics booths dwarf that of Cisco Systems, which has more meeting rooms than products on display. "Ten months ago, people were urging us to cancel the event," said Hamadoun Touré, secretary-general of the International Telecommunication Union, which organizes the exhibition and the policy forum that runs alongside it. The pessimists feared that the show would attract neither exhibitors nor visitors, as companies slashed marketing budgets and cut back on business travel in the midst of the economic downturn. There are also signs that the way some companies are using the show is shifting.

The ITU still expects 40,000 visitors at this year's show; 82,000 turned up at the last Geneva event, in 2003. While the show is noticeably smaller than previous editions - it only occupies Halls 2, 4 and 5 of the sprawling seven-hall Palexpo exhibition center, with some yawning gaps between stands - Touré is satisfied. "It's a good show, despite the crisis," he said. This year, around half the show is occupied by national pavilions: Saudi Arabia has the biggest, followed by those of Spain and Russia. Other European nations, including Belgium, France and the U.K., also have pavilions, but by far the most numerous are those of the African nations: Burundi, Egypt, Ghana, Kenya, Malawi, Nigeria, Rwanda, Tanzania and Uganda. The biggest company stands are those of the Asian network operators and equipment manufacturers, with the U.S. and Western European countries keeping a low profile. Microsoft and IBM have booths, but you'd barely notice. This domination of the show floor is not down to size alone: it's also about tactics.

Russia deployed what looked like an army of violinists dressed mostly in sequins on its stand on Monday. There were actually only three of them, but their effect was magnified by loud music and the multiple video walls on the booth. China Mobile has taken a similar route, with the logo of its 3G mobile brand, Wo, swirling and pulsing hypnotically across the walls and even the ceiling of its booth. Similar exhibits fill the stands at NTT DoCoMo and Samsung. ZTE has taken a more traditional route, with glass cases full of mobile phones, modems and cellular base stations. On the Cisco booth, there are almost no products to be seen - unless you count the looming bulk of one of its TelePresence systems, linking the booth in high resolution to similar systems around the world.

Other elements of the Cisco product range are present virtually thanks to another screen, supplied by Massachusetts-based Kaon Interactive. This shows images of the products that can be rotated on screen to examine them from different angles - and even measured or dismantled so that prospective buyers can figure out whether they would fit in their data center. Like Secretary-General Touré, Cisco faced a crucial decision last year about whether to maintain a show presence in Geneva. "One year ago, it wasn't clear how many customers were going to make this trip," said Suraj Shetty, the company's vice president of worldwide service provider marketing. However, the company realized that "this could be used as an opportunity to shift how we get contact with customers," he said. That's why the rest of the stand is given over to meeting rooms. "Our focus is on customer intimacy," Shetty said. Carrier Ethernet specialist Ciena has taken a similar approach.

Like Cisco, it prefers to show products virtually, rather than physically. Its stand, close to Cisco's and even more discreet, consists entirely of meeting rooms. "Computer graphics and touch screens are more effective in these cases. That's the trend," said Ciena CTO Stephen Alexander. If you're buying bulky network or data center infrastructure, then don't expect to kick the tires at a trade show next year - although you might be able to click on them, on the booth's screen or your own.

Intel/AMD deal could help solve virtualization compatibility problems

The $1.25 billion Intel/AMD settlement announced Thursday could improve competition in the server hardware market and solve some lingering problems related to server virtualization, analysts say. Today, a virtualization technology known as live migration lets customers move workloads from one physical server to another, but only if both servers contain processors from the same chip maker, according to Forrester analyst James Staten. "If you look at the virtualization instruction sets that have been implemented by AMD and Intel, they are incompatible with each other," Staten says. "If you build a virtualization pool and do live migration from one system to another, it has to be all Intel, or it has to be all AMD." The Intel/AMD settlement, which ends various antitrust and patent cross-license disputes, doesn't explicitly talk about virtualization, Staten notes. But a new five-year cross-license agreement between the companies raises the possibility that Intel and AMD will share information on their instruction sets and enable live migration across servers with different processors, he says.

Gartner analyst Martin Reynolds agrees the Intel/AMD settlement could be good news for virtualization customers. "If they were to integrate virtualization more deeply into the processors as a single standard that companies use, it's possible virtualization could become less expensive," Reynolds says. In the wake of the settlement, there are several other potential areas for new levels of compatibility between Intel and AMD processors, Staten says, including memory and power management, and security. The virtualization incompatibility has mainly harmed AMD, because the issue forces customers to standardize on one type of server and Intel has a dominant market share, according to Staten. Broad collaborations between the rivals should not be expected, though. "These are two fighters who just took a lot of bruises over the last two years," Staten says. "They're not about to run to the center of the ring and shake hands." In lawsuits filed against Intel, AMD claimed that Intel illegally forces customers into exclusive deals with cash payments, discriminatory pricing, marketing subsidies and other practices. AMD benefits from the settlement more than Intel does, because it eliminates many concerns customers have about purchasing AMD-based servers, according to Staten.

The settlement prohibits Intel from "offering inducements to customers in exchange for their agreement to buy all of their microprocessor needs from Intel," and other anticompetitive practices such as inducing customers to limit or delay sales of AMD products. "Intel agreed to a set of rules of the road for how they will conduct business going forward," says AMD spokesman Drew Prairie. "It should help create a fair and open competitive environment where products compete on their merits, and where innovation is rewarded by the marketplace. I think that's beneficial for all." Moreover, if AMD's allegations were correct, that means Intel's business practices were preventing OEM vendors from embracing AMD processors to the extent they would have liked. Even if customers like AMD technology, they might have chosen Intel-based servers instead because of concerns about AMD's viability. The time and money allocated to fighting Intel in court may also have distracted AMD from product development. "Having those hindrances gone will definitely help AMD because their CPUs are quite competitive at this point," Staten says. The settlement also makes AMD more attractive to outside investors, Reynolds says.

AMD is taking a different approach than Intel to the server market. While both companies are embracing multi-core processors, Intel is taking a homogeneous approach in which every core is the same, and AMD is using different types of cores in the same CPU for different workloads, according to Staten. AMD is also trying to go down the multi-core path faster than Intel, with attempts to get 16- and 24-core processors on the market before its rival. Generally, AMD is about a year behind Intel's technology, but turns a profit by making products that are cheaper and cost less to build, Reynolds said. Reynolds said he doesn't expect the settlement to cause any major shifts in how OEM vendors approach Intel and AMD, however. "Generally the server vendors use the product that most meets their needs," he says. "They know their customers are smart and will buy the product that delivers the best value."

Expert provides more proof hackers hijacked Hotmail accounts

It's almost certain that hackers obtained the Hotmail passwords that leaked to the Internet through a botnet-based attack, a researcher said today as she provided more proof that Microsoft's explanation was probably off-base. Microsoft acknowledged that "several thousand" Windows Live Hotmail usernames and passwords had been acquired by criminals, and said it believed the list was the result of a massive phishing attack. Google later said the same thing after another list surfaced with Gmail account details. Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, based her opinion on further analysis of the list that was posted to the Web two weeks ago. "When I look at the infamous list of 10,000 Hotmail accounts, it just does not appear to be cataloged in the way you would normally expect from a phishing attack," Landesman said. "There are just too many inconsistencies in the list," she added, ticking off several characteristics of the Hotmail list that didn't fit with phishing results researchers have uncovered in the past, ranging from relatively strong passwords to typos. "There were many misspellings of 'hotmail,' and other typos that you wouldn't expect people to make when they were logging in live to their accounts," Landesman said, noting that those kinds of errors are inconsistent with phishing attack lists.

Landesman first refuted Microsoft's contention that the Hotmail passwords had been obtained by phishers last week. She added more to her list of proof points last Wednesday in a follow-up entry to the ScanSafe threat alert team's blog. She also disputed the notion that a large number of the accounts used very weak passwords, another clue that the users were unsophisticated and thus more likely to fall for a phishing scam. Some researchers who analyzed the leaked list said that it was dominated by weak passwords, with the simple "123456" and "123456789" as the most popular. While true, that doesn't tell the whole story, Landesman countered. "123456 was the most frequently used password, but it appeared only 63 times out of the +10,000 records," she said. That would represent just over 6/10ths of 1%. "I'd call most of the passwords certainly strong, respectable passwords, and not the type of passwords from someone naive," Landesman said. "That doesn't fit the profile of people who you might think would be susceptible to phishing scams." In fact, the treasure trove of Windows Live ID usernames and passwords that Landesman uncovered in August, which she believes is related to the leaked Hotmail list, contained a large number of accounts owned by corporate and government users, who typically relied on what she called "very strong" passwords. "A [malware-based] keylogger attack turns all the advice about strong passwords on its side," Landesman said, speculating that users with stronger passwords were less likely to succumb to the deceit of a phishing attack. "In cases where you see very strong passwords, it's almost certain that data theft was involved," she added.

Native iPhone support ready for Lotus Domino

IBM/Lotus said next week it will ship the long-anticipated real-time access support for the iPhone on its Domino messaging platform. Lotus Domino support for the iPhone uses the Apple device's mail, calendar and contact applications and synchronizes data between the two platforms in real time using Microsoft's ActiveSync protocol. In January, IBM announced that it would add support for ActiveSync to Lotus Notes Traveler, a server add-on that provides real-time replication between mobile devices and Notes. It is the updated Traveler software in Domino 8.5.1, which was released Tuesday, that provides the iPhone support.

Updates to Traveler in Domino 8.5.1 add remote wipe, device lock, password management, and external calendar integration to the Symbian platform. Traveler already works with devices based on Windows Mobile and Symbian. Motorola, Nokia, Palm, Sony Ericsson and Symbian also support ActiveSync on their mobile devices. Lotus is playing a bit of catch-up with Microsoft and other vendors, such as Kerio, that already offer push e-mail for the iPhone. The only thing iPhone users have to add to their device is a configuration file that tells the iPhone how to find the user's mailbox on the Domino server.

For initial set-up, the iPhone's Safari browser is used to access the Domino server and download the configuration file. When the user signs onto Domino to get the configuration file, the user's sign-on credentials are captured by the iPhone. Those credentials are stored on the device so the iPhone and Domino can trade data without further user intervention. The Domino iPhone support also features limited management capabilities, including the ability to remotely wipe data if the device is lost or stolen. Until now, Lotus Notes users have had to suffer with e-mail access via the iPhone's Safari browser and the Notes Web Access client.

With that configuration, users have to manually connect to the Domino server and go through each individual e-mail via the browser. "It has rich email, attachment support and calendaring capability and is the same user experience a user would get using the iPhone against Exchange or Google," said Ed Brill, director of product management for Lotus Software. "Clearly the iPhone is increasingly a component of an enterprise strategy. We want to support all the devices out there and this is the next one we have added."

Google Apps scores in LA, with assist from Microsoft

Los Angeles City Council approved a US$7.25 million five-year deal Tuesday in which the city will adopt Gmail and other Google Apps. Google is touting the deal as a major endorsement of its cloud-based approach to computing, but it turns out that some of the funding is indirectly coming from an unlikely source: Microsoft. According to Los Angeles City Council minutes, just over $1.5 million for the project will come from the payout of a 2006 class action lawsuit between the City and Microsoft. Microsoft paid $70 million three years ago to settle the suit, brought on behalf of six California counties and cities who alleged that Microsoft used its monopoly position to overcharge for software. Microsoft has paid out more than $1 billion in other class-action settlements based on similar claims.

Los Angeles City Council approved the deal unanimously on Tuesday, according to Google spokesman Andrew Kovacs. The migration from the city's Novell GroupWise e-mail servers will be handled by contractor Computer Sciences Corp. Other applications such as calendaring, document sharing and chat will be handled by Google Apps too. The five-year contract will cost Los Angeles about $1.5 million more than simply sticking with Novell. But because the city will get extra storage capacity from Google, while at the same time being able to run other software on the Novell servers, it's worth the cost, according to an Oct. 7 city finance committee memo written by City Administrative Officer Miguel Santana.

Google has pushed Google Apps as an option for government agencies, promising to ship a product called Government Cloud, which will be certified under the Federal Information Security Management Act (FISMA), sometime next year. The Los Angeles deal may hint at how this product will work. According to a Sept. 15 memo from the Los Angeles Information Technology Agency, Google will "provide a new separate data environment called 'GovCloud.' The GovCloud will store both applications and data in a completely segregated environment that will only be used by public agencies." This GovCloud would be encrypted and "physically and logically segregated" from Google's standard applications. Because data would be encrypted and then stored on many different servers, Google's administrators wouldn't typically be able to access the information, although there would be so-called "Super Administrators" who would be able to recompile the data and read it. The data would be stored only in the U.S. and be accessible only to U.S. citizens who have undergone security clearance.

The city would own the data and would be notified of "any request of data or security breach," the memo states. Critics are still worried about security and privacy, though. They convinced Los Angeles council members to tack on a "liquidated damages" clause to the contract that would award the city a payout in the event of a data breach. Kovacs of Google downplayed privacy and security concerns over the project. "One thing that was very clear in council today," he said. "They believe that Google Apps will make the city more secure than their current solution."

Microsoft shows off Bing tool for measuring ad effectiveness

Microsoft on Monday demonstrated a new tool for its Bing search engine that will allow advertisers to measure the effectiveness of their ads with online users. Speaking at the IAB MIXX Conference and Expo 2009 in New York on Monday, Yusuf Mehdi, senior vice president of Microsoft's Online Audience Business group, showed off what he called a "user-level targeting" tool that allows Microsoft to see which search-based ads that appear in the Bing search engine are getting the most traffic and from where. "What we're doing with Bing for vigorous measurement is we're matching the exact ad online with the exact user," he said. Mehdi pointed out that statistics show that 39 percent of Web users do 65 percent of the online searches, so it would be beneficial for advertisers to see which of those "heavy users" are targeting certain ads, versus which ads are favored by "light users." The tool Microsoft created shows where the interest in a marketing or advertising campaign is specifically coming from, he said.

This measuring ability for Bing was demonstrated as part of Mehdi's presentation, in which he discussed how Microsoft is applying lessons it's learned from studying advertising campaigns and creating technology to reflect that learning. One of those lessons was what he characterized as "relentless measurement and optimization" to find out what ads are most effective so they can be better targeted to their proper audience. "One of the big things is trying to build a loyal fan base for the product," he said. "You can't just go out and put your message everywhere. You have to pick and focus." Microsoft revamped and rebranded its Live Search engine "Bing" in June, and making it more effective for search advertising is something the company continues to work on, Mehdi said. It was unclear from Mehdi's presentation whether this technology is available for advertisers using Bing today or whether it's just something Microsoft is using internally. This kind of ability to measure what kinds of online advertising are working with users is becoming essential as more and more business is being done on the Web.

In fact, Microsoft competitor Adobe Systems - an executive from which spoke before Mehdi on Monday - last week said it was purchasing Web analytics company Omniture to build measuring technology directly into Adobe's tools for creating online media. A representative from Microsoft's public relations firm, Waggener Edstrom, declined to answer follow-up questions about the technology or Mehdi's presentation.

Is the Cisco MARS mission going into abort on non-Cisco security devices?

Is Cisco freezing support for any new non-Cisco security devices in the Cisco Security Monitoring, Analysis and Response System (MARS) appliance? Cisco isn't confirming it or denying it, but Cisco rivals claim they're hearing from Cisco customers that Cisco won't add support for additional non-Cisco security devices to MARS, a security information and event monitoring (SIEM) appliance used by about 4,000 Cisco customers. Since the SIEM market consists of equipment aimed at consolidating and correlating event information from multiple vendors' equipment, several of Cisco's rivals, including NitroSecurity and Q1 Labs, contend Cisco MARS will lose its relevance if Cisco freezes support for non-Cisco appliances. "As of a certain timeframe, they'll support what they support, and that's it," claims Jerry Skrula, vice president of marketing at SIEM vendor NitroSecurity.

The SIEM vendor claims to be hearing this from Cisco customers and others in the industry. NitroSecurity states "industry sources have confirmed that Cisco has begun informing its customers of a freeze on MARS support for most non-Cisco event sources and is encouraging customers to find an alternative for log collection and event analysis for non-Cisco event sources," though NitroSecurity declined to reveal these sources specifically, merely noting they were Cisco customers and others in the industry. Skrula admits he doesn't know the specific timeframe, but NitroSecurity yesterday kicked off a so-called "MARS Migration Program" targeting Cisco SIEM customers. As part of its push to win MARS users, NitroSecurity is offering its own NitroView product, promising Cisco MARS customers "custom-tailored financial incentives" to switch. At Q1 Labs, another Cisco SIEM rival, Brendan Hannigan, president and COO, and John Burnham, vice president of corporate marketing there, also say they believe Cisco won't be supporting new non-Cisco devices in MARS. And evidence this week of glee at that prospect is abounding, with rival ArcSight sponsoring a Google link that turns up "Worried about Cisco MARS?" when a search is done for "Cisco MARS" and another competitor, CorreLog, sponsoring "Cisco MARS Alternatives." But is it all just fear-mongering?

As for Cisco itself, spokesman David Oro said, "We are not going to address competitive rumors, but what I can tell you is that any decisions about MARS are future roadmap discussions that are internal and subject to change depending on market conditions and customer needs." He notes that Cisco continues to release "new versions of MARS that include support for new device features (like Botnet Traffic Filter and Global Correlation reporting in 6.04), new MARS application features (numerous improvements for operational features in the past couple of releases), and signature updates for Cisco and non-Cisco devices. There is no internal or external end-of-service plan at this time, and MARS is available from Cisco and our partners." MARS 6.0.4 currently supports several non-Cisco security products, including McAfee IntruShield and Entercept, the NetScreen IDP, Symantec NIDS, Enterasys Dragon, and the Qualys Guard and eEye Retina products for scanning and vulnerability assessment.

Microsoft confirms phishers stole 'several thousand' Hotmail passwords

Microsoft today confirmed that thousands of Windows Live Hotmail account usernames and passwords had leaked to the Internet, but said the credentials were "likely" stolen in a phishing attack. Earlier today, Neowin.net reported that more than 10,000 accounts had been compromised and speculated that Hotmail had either suffered a breach or an aggressive phishing campaign had collected the usernames and passwords by duping people into divulging the information. "We determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts," a Microsoft spokeswoman said in an e-mail to questions posed earlier today by Computerworld . Microsoft did acknowledge that Hotmail accounts had been compromised. "Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers' credentials were exposed on a third-party site due to a likely phishing scheme," the same spokeswoman added. "That's a big result for a phishing campaign," said Dave Jevans, the chairman of the Anti-Phishing Working Group (APWG), an industry association dedicated to fighting online identity theft. "But it's not outside the realm of possibility. The company denied that its Web-based e-mail service had been hacked and the account log-in information stolen because of some lapse on its part. We've seen 50,000 to 75,000 [compromised] accounts when phishers target an ISP with millions of users." Hotmail has about 400 million registered users, according to Microsoft, although the company declined to spell out how many are active users of the service. "A .05% rate, which is what 100,000 users would represent, isn't unreasonable for 10 to 20 million users," Jevans said. "They wouldn't have to spam every [Hotmail] user to get that." According to Neowin.net, which first reported the Hotmail incident, more than 10,000 accounts had been compromised.

However, Neowin said it had seen only a partial list, accounts with usernames starting with "A" or "B", and suspected that the total could be much larger. If the 10,000 accounts for A-B are extrapolated to the full alphabet, it's possible that over 100,000 accounts were compromised. "If that's the case, this would definitely be one of the biggest single phishing events," said Jevans. "But it could be the result of a long period of time, months and months of harvesting." Although the number of phishing attacks declined earlier this year, they have recently stormed back, said Jevans. "They're close to, or at, an all-time peak," he said. Both Microsoft and Jevans recommended that all Hotmail users change their passwords, just in case. "Change it, ASAP," urged Jevans.

Computer programmers set for smash-mouth brain battle

A smart people smack-down is set to start next week where thousands of university computer researchers will pit their brains and machines in a grueling battle of logic, strategy, and mental endurance. The 34th annual IBM-sponsored Association for Computing Machinery (ACM) International Collegiate Programming Contest (ICPC) pits teams of three university students against eight or more complex, real-world problems, with a nerve-wracking five-hour deadline. During the competition, ten to twelve problems are attempted in a five-hour period. The problems are of varying difficulty and flavor.

The goal is that every team solve two problems, that every problem is solved, and that no team solve them all, according to ACM. Contests in the past have included problems that searched for a missing boat at sea, triangulated the location of a faulty transmitter, computed golf handicaps, stacked pipe of varying diameters in a fixed-width bin, coded or decoded messages, printed braille, sought an exit to a maze, processed satellite images and solved a math problem. ACM says it wants two problems that could be solved in an hour by a first- or second-year student, two that could be solved in an hour by a third-year student, and two that will likely determine the winners. Problems are presented with no more than a page of text, a helpful illustration, a sample input set and an accepted output set, ACM states. Teammates collaborate to rank the difficulty of the problems, deduce the requirements, design test beds, and build smart software systems that solve the problems under the intense scrutiny of expert judges. And judging is relentlessly strict, IBM says. The students are given a problem statement, not a requirements document.

They are given an example of test data, but they do not have access to the judges' test data and acceptance criteria. Each incorrect solution submitted is assessed a time penalty. The team that solves the most problems in the fewest attempts in the least cumulative time is declared the winner. Some problems require a knowledge and understanding of advanced algorithms. For a well-versed computer science student, some of the problems require precision only.

Still others are simply too hard to solve, except for the world's brightest problem-solvers, according to IBM. The Battle of the Brains is the largest and most prestigious computing competition in the world, with tens of thousands of students from universities in approximately 90 countries on six continents participating. The 2009 ACM-ICPC World Finals took place in Stockholm, Sweden, where a team from St. Petersburg University of Information Technology, Mechanics and Optics in Russia emerged as the world champion for the second year in a row. Since IBM began sponsoring the contest in 1997, participation has grown from 1,100 to more than 7,100 teams. Regional bouts will begin in the United States on October 18 and continue through December, sweeping from continent to continent. Only 100 three-person teams will advance to the World Finals on February 5, 2010 hosted by Harbin Engineering University in Harbin, China. "The ACM-ICPC affords students the opportunity to showcase their talents and gain exposure among top recruiters," said Dr. Bill Poucher, ICPC Executive Director and Baylor University Professor. "The contest is also a forum for advancing technology in an effort to better accommodate the growing needs of the future."

HDTVs, Blu-Ray Players Push Web Connections

Connected TVs, set-top boxes, and Blu-ray Disc players aren't new, but they continue to make new connections with Web sites and services, from YouTube and Netflix to Amazon and Internet radio sites. Some offer a lot more than others, but all are building up their portfolios of Web video and interactive services. The definition of "connected" varies widely between consumer electronics vendors. Some of the newest entries were on display last week at the CEDIA (Custom Electronic Design and Installation Association) event in Atlanta.

Sony, which already offers movies, TV shows, and music from some two dozen partners, including Amazon movies on demand, Slacker radio, and YouTube, announced that it will add Netflix to its Bravia Internet Video lineup later this fall. Available on networkable Bravia sets, the video service will also appear on a new networkable Sony Blu-ray Disc player, the BDP-N460, which will ship later this fall priced under $250. (Sony Bravia TVs also offer Web content such as stocks, weather, and Twitter, via their Bravia Widgets.) LG Electronics, meanwhile, announced the addition (via a firmware upgrade later this month) of the Vudu on-demand service to the Netcast Entertainment Access service on its $399 BD390 Blu-ray Disc player. The service already offers access to CinemaNow, Netflix, and YouTube content. And Samsung's networkable Blu-ray Disc players, including the BD-P1600, BD-P3600, and BD-P4600, will add YouTube access to the existing Pandora and Netflix services. Samsung's Internet@TV service, which already had a dozen Yahoo widgets, now offers on-screen access to Rallycast fantasy sports applications, including Facebook messaging and access to team stats. Pioneer, meanwhile, demo'd a new platform for connected electronics.

Code-named Project ET, it is designed to allow device designers and/or consumers to choose the content and services they want by clicking on menu buttons in the service's Web portal. Pioneer officials said the platform could exist on a set-top box of its own or on a Blu-ray Disc player or other networkable device (one demo setup featured a Blu-ray player with 1 terabyte of built-in storage). The prototypes at CEDIA featured everything from video-on-demand services to backup. The company hopes to show a product based on the platform within the next few months.

Beyond iTunes: streaming music services

Mention "streaming music services" around the typical gaggle of Mac users and it's like you've suggested that the Mona Lisa would benefit from the application of devil's horns, an eye patch, and the words "Windoze Rulez!" scrawled across her beguiling mug with permanent marker. Yet, the true multimedia Mac can greatly benefit from such services. After all, if some music is good, more is better, right? And more is exactly what these services provide. (Note that unlike music purchased from iTunes or Amazon, streaming tracks aren't saved on your computer and can't be synced to an iPod or iPhone, similar to listening to streaming radio stations in iTunes.)

These services shake out this way. Some streaming services such as Pandora and Last.fm are available for free. Their operation is supported by advertising and they don't allow you to choose the specific tracks and albums you want to listen to. Other, commercial-free services such as Rhapsody and Napster require that you pay a monthly subscription fee. But for that fee you can listen to exactly the tracks and albums you choose.

Pandora

Billed as a "new kind of radio," Pandora is a streaming service that plays music based on artists and tracks you choose as well as the positive and negative feedback you provide about the music it plays. For example, if you chose Joni Mitchell as an artist starting point, Pandora would first stream a track from Ms. Mitchell, then, perhaps, a Dar Williams track, and then other tracks it believes reflect the character of her work based on an analysis of the music.

If you particularly enjoy a track that comes along, click a Thumbs Up icon to tweak the settings so you get more music like this track. Thumbs Down lets Pandora know that it's missed the mark, and that information is considered for future tracks. You can bookmark tracks and artists and move to these bookmarks to learn more about the artist as well as utilize links to purchase their work. Additionally, Pandora's pages feature advertising and you'll hear the occasional audio ad between tracks. The free version of Pandora limits you to 40 hours of listening per month. All Pandora listeners are limited to six song skips per hour. Those with free accounts can skip 12 songs total per day.

You can upgrade to Pandora One for $36 a year. Do this and the audio ads disappear as does the daily skip limit (though you're still limited to six skips per hour), and you receive a higher quality, 192kbps stream. Pandora is not available outside of the U.S.

Last.fm

Last.fm is another free music community streaming service. It bases the music it streams on the music you play on your computer or iPod as well as the Last.fm stations you create and listen to. (Any information it collects is volunteered by its users.) In addition to its analysis tools, Last.fm compares the music libraries of its users, making recommendations based on intersecting tastes (similar to iTunes' Genius feature). When you sign on, you create a profile page, which lists the tracks you've listened to, lists similar artists you might be interested in, and features comments from other Last.fm users who've chosen to remark on the track. This reflects Last.fm's emphasis on community and social networking. From within the service you find links to purchase tracks from the iTunes Store, Amazon MP3, and 7digital. While Last.fm doesn't offer on-demand listening, you can listen to a 30-second preview of any tracks it has in its library.

Last.fm also has its commercial side. Last.fm is free in the United Kingdom, U.S., and Germany. A €3 monthly fee is required for listening outside these countries. For $3 a month you can listen to Last.fm without interruptions and do so without advertising.

Napster

Take a word association test a few years ago, utter the term "Napster," and the response would surely be "piracy." The notorious file sharing service that was Napster is no more. Instead, today's Napster is a music subscription service as well as a music store where you can purchase DRM-free 256kbps MP3 files. Priced at $5 a month, a Napster subscription entitles you to access to Napster's multi-million track streaming library. Napster's music can be streamed through your computer or a compatible device such as the Sonos Multi-Room Music System and Logitech's Squeezebox systems. Additionally, you receive credit for five MP3 downloads each month.

Similar to the iTunes Store, you can visit genre pages to find particular kinds of music. These pages feature new releases; top albums, tracks, and artists; playlists; and staff picks. In addition to tracks and albums, Napster offers radio stations that stream particular genres of music. These stations include such genres as rock, blues, comedy, electronica, heavy metal, hip-hop, jazz, reggae, and classical.

Rhapsody

Real Networks' Rhapsody is another subscription music service. Priced at $13 a month, Rhapsody, like Napster, gives you access to millions of streaming audio tracks and you can play all of them on demand. Also as with Napster, you can stream Rhapsody's music not only to your computer but to a Squeezebox and Sonos system. TiVo subscribers can also access Rhapsody's service (Rhapsody account required). Although no downloads are included with a subscription, you're welcome to purchase unencrypted 256kbps MP3 tracks and albums from Rhapsody.

The Rhapsody experience is similar to Napster in other ways. On its Web site you'll find new releases, staff picks, top albums and tracks, and genre pages and channels. You can also listen to tracks from Billboard's charts as well as watch music videos. You can also create playlists of music that you can later stream. Rhapsody recently released an iPhone app that allows Rhapsody-to-Go subscribers ($15 a month) to stream Rhapsody's content to their iPhones or iPod touch. The current Rhapsody app has met with little enthusiasm due to the generally poor quality of the stream, but the company has indicated that it's working on providing better sound from its app.

Western Digital launches WD TV Live

Western Digital announced Tuesday the launch of its new WD TV Live HD Media Player. Available now for $149.99, the WD TV Live hopes to transform your television into a home media hub. The WD TV Live is an upgrade over the previous WD TV model, now adding Ethernet connectivity and digital theater sound to its extensive features.

The concept remains the same: you plug the WD TV into a television set and any external hard drive. The WD TV is designed to take your media files from your external hard drive and play them on your TV. The device supports many different types of audio and video files, such as H.264, MKV, VIDEO_TS folders, and FLAC audio, and can play back HD video in full 1080p resolution. While providing high definition capabilities, it's designed to be easily navigable for the average user. Western Digital says it designs products with users in mind and has paid particular attention to how user friendly the UI is.

Since the introduction of the original WD TV, the Western Digital team has sought consumer input, said Seema Lindskog, a director of marketing for WD. In addition to offering an improved UI with a movie preview screen feature, the WD TV Live has two major advantages over its predecessor. First, it adds Digital Theater Sound (DTS) support (it previously supported Dolby Digital) for surround sound capabilities. Second, with the addition of an Ethernet port, the WD TV Live can access popular Web services such as YouTube, Pandora, and Flickr with the click of a button. It can also stream content from an external hard drive, a Mac, or a Windows PC. The Ethernet capabilities of the WD TV Live make it easy to centralize your media, though the WD TV Live itself does not have any storage capacity. While some people may see this as an oversight, Western Digital seems to be targeting this product at users with large media libraries who would quickly fill up a built-in hard drive. Also, not including storage in the unit allows the company to keep the price down.

Beware BlackBerry Browser Bug Until Carriers Offer Updates

BlackBerry smartphone users who frequently surf the Web via handheld will want to keep checking with their wireless carriers for BlackBerry Handheld Software updates in the coming weeks. That's because a new bug found in most current versions of Research In Motion's (RIM) device software, which makes it easier for malicious parties to execute "phishing" attacks on unsuspecting smartphone users, has been addressed via handheld software updates from RIM. The flaw relates to the BlackBerry software's certificate-handling functionality. From RIM's online security advisory: "This advisory relates to a BlackBerry Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name."

A hacker could potentially recreate, or "spoof," a site commonly visited by BlackBerry users, such as RIM's BlackBerry.com, by purposely adding "null characters" to the site certificate's Common Name (CN) field. The recently discovered flaw keeps the BlackBerry Browser from correctly identifying mismatched site certificates due to an inability to render said null characters. (See screenshot below for an example of how the BlackBerry Browser box should look when it encounters site certificate issues due to the presence of null characters in site CN fields.) The flaw was rated 6.8 (Medium Risk) on a Common Vulnerability Scoring System (CVSS) scale of one to ten, with one representing little or no risk and ten representing very serious risk. CVSS is a vendor-agnostic, open standard for the security industry meant to depict the seriousness of vulnerabilities, according to RIM.

The BlackBerry-maker recommends that all BlackBerry users running handheld OS 4.5 or higher check in with their wireless carriers to see if device software updates are available. Here's a list that specifies which software should be updated and to which new versions:

Current Software Version: update to
* BlackBerry Device Software v4.5.0.x: v4.5.0.173 or later
* BlackBerry Device Software v4.6.0.x: v4.6.0.303 or later
* BlackBerry Device Software v4.6.1.x: v4.6.1.309 or later
* BlackBerry Device Software v4.7.0.x: v4.7.0.179 or later
* BlackBerry Device Software v4.7.1.x: v4.7.1.57 or later

The problem: I just did a quick search of both AT&T and Verizon's BlackBerry download pages, but in a number of cases I could only locate earlier software versions than those recommended by RIM. If you encounter a BlackBerry Browser dialogue box like the ones shown in this post, you should choose to close the connection rather than subject yourself to potential phishing-related risk, according to RIM. Until you're able to sit down and update your device, or while you wait for your carrier to issue an update, RIM says to use caution when clicking unknown links in SMS text or e-mail messages, even if they're from what appears to be a trusted source. More information on BlackBerry security can be located on the company's website.
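The check that RIM's advisory describes going wrong, shown as an added example rather than anything from RIM or the BlackBerry Browser: a certificate name that carries an embedded null (NUL) byte must be rejected outright and reported to the user, not compared as if the name simply ended at the NUL. The sample values below (`www.example.com` and a CN with an embedded NUL) are constructed for illustration; `naive_cn_match` mimics a C-string style comparison that stops at the first NUL, and `strict_cn_match` is the hardened form, with a single-label wildcard rule on top of what the article discusses.

```python
"""Certificate Common Name vs. hostname matching, with NUL-byte handling.

Added example; constructed values, not RIM's code or the BlackBerry Browser.
"""
import re

# One DNS label: letters, digits and hyphens only, so no control character
# (and no NUL) can ever be part of a valid name.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _has_control_chars(name: str) -> bool:
    """True if the string carries NUL or any other ASCII control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


def naive_cn_match(cn: str, hostname: str) -> bool:
    """Flawed comparison: behaves like a C string and stops at the first NUL.

    Everything after the NUL is silently dropped, so the visible prefix of a
    crafted CN compares equal to the hostname the user actually typed.
    """
    visible = cn.split("\x00", 1)[0]
    return visible.lower() == hostname.lower()


def strict_cn_match(cn: str, hostname: str) -> bool:
    """Hardened comparison: reject hidden characters, then match label by label.

    A single leading '*' may stand in for exactly one label (and only when the
    name has at least three labels); everything else must match exactly.
    """
    if _has_control_chars(cn) or _has_control_chars(hostname):
        return False
    cn_labels = cn.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels) or len(host_labels) < 2:
        return False
    for i, (c, h) in enumerate(zip(cn_labels, host_labels)):
        if not _LABEL.match(h):
            return False
        if i == 0 and c == "*":
            if len(host_labels) < 3:
                return False
            continue
        if not _LABEL.match(c) or c != h:
            return False
    return True


def describe_mismatch(cn: str, hostname: str) -> str:
    """Wording for a warning dialog: make the hidden characters visible."""
    if "\x00" in cn:
        return f"certificate name contains a NUL byte: {cn!r}"
    if _has_control_chars(cn):
        return f"certificate name contains control characters: {cn!r}"
    return f"certificate name {cn!r} does not match {hostname!r}"


# Constructed sample values (not from the advisory).
HOST = "www.example.com"
HONEST_CN = "www.example.com"
NUL_CN = "www.example.com\x00.evil.example"  # the NUL hides the real suffix

if __name__ == "__main__":
    for cn in (HONEST_CN, NUL_CN, "*.example.com", "www.other.example"):
        ok = strict_cn_match(cn, HOST)
        print(f"{cn!r}: naive={naive_cn_match(cn, HOST)} strict={ok}")
        if not ok:
            print("   ->", describe_mismatch(cn, HOST))
```

Running the block shows the two comparisons disagreeing only on the NUL-bearing name: the naive version accepts it because the visible prefix matches, the strict version rejects it and `describe_mismatch` spells out why, which is exactly the detail the advisory says the BlackBerry dialog failed to illustrate.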

Microsoft aims to spark new business for Web developers

Microsoft has launched a program that gives Web development professionals the chance to get free software and technical support to help them get new businesses off the ground. The program is similar to Microsoft's BizSpark program launched last year, which provides software and other resources to startups, and the DreamSpark program, which does the same for students. Web development companies with less than 10 employees can apply for the new WebsiteSpark program, which was unveiled at the PICNIC conference in Amsterdam Thursday.

Eddie Amos, general manager for Microsoft's developer platform and tools group, said the company added WebsiteSpark because it realized there was a "hole" in the enablement programs where Web professionals are concerned. In the Web development and Web design space many companies already use products from Adobe and other Microsoft competitors. The programs also provide a way for Microsoft to get young companies and developers using its software in their businesses. Through WebsiteSpark, which companies can apply for online, Microsoft will provide three licenses for Visual Studio 2008 Professional Edition, two licenses for Expression Web 3 and one license for Expression Studio 3. Qualifying companies also receive four processor licenses for production use of both Windows Web Server 2008 and Microsoft SQL Server 2008 Web Edition. The program also includes two technical-support incidents per company, access to community support through connections with other Microsoft partners and unlimited access to technical managed newsgroups on the Microsoft Developer Network. Cyrus Massoumi, whose company ZocDoc has been a part of Microsoft's BizSpark program, said getting free software and support has been a great benefit.

ZocDoc provides a Web site through which people can book doctors' appointments. "The program enables us to work with Microsoft's latest technologies without worrying about cost, and the savings for our data center are significant," said Massoumi, ZocDoc's CEO and founder. In addition to unveiling WebsiteSpark, Microsoft Thursday also updated its Web Platform Installer software, which simplifies the installation of Microsoft Web development software to make it easier to build Web applications. The 2.0 version is available online for download.

NEC upgrades to HYDRAstor grid storage system

NEC Corp. today unveiled several upgrades to its flagship HYDRAstor grid-storage system, adding write-once, read-many (WORM) capabilities and the ability to encrypt data in transit. NEC officials said that the upgraded software will increase performance by 67%, while boosting security by improving HYDRAstor's ability to archive mission-critical data. The upgraded system also provides deduplication capabilities for more third-party backup applications. "Over 70% of even high I/O data from source applications such as databases have not been touched after 6 months. A lot can be offloaded onto more efficient platforms," said Gideon Senderov, director of product management for NEC's IT Products Group.

The new HYDRAlock WORM capability allows administrators to lock out any changes to documents or other records, maintaining a chain of custody for regulatory purposes, Senderov said. The new RepliGrid in-flight data encryption capability protects data as it's being transmitted between HYDRAstor grids and data centers, he added. NEC also announced that it will allow users to license additional physical capacity that can be activated without adding additional components. For example, customers can now license as little as 12TB of capacity in a 24TB configuration and then pay a fee to activate additional capacity as needed. A new quota management system allows administrators to set limits to the maximum effective capacity allocated for each file system and its associated application.

The quota management system also offers threshold notifications as well as the ability to set aside a capacity reserve for other applications, such as critical archive data. Previously, HYDRAstor's grid architecture had a default capacity of 256 petabytes for all applications. The upgraded system can deliver up to 1.8TB per hour per accelerator node and up to 90TB per hour for the largest supported configuration of 55 accelerator nodes and 110 storage nodes, according to the company. Accelerator nodes are the controller blades with the CPU processing power and storage nodes are the system blades with disk storage capacity. NEC said that the performance boost comes from software enhancements and more efficient inter-node data transfer and communication protocols. NEC today also introduced lower-capacity, or "entry-level," models of HYDRAstor offering raw storage capacities of 12TB (or over 150TB effective capacity); 24TB (or over 300TB effective capacity) and 36TB (or over 450TB effective capacity). "We are really looking forward to taking advantage of the new in-flight encryption and quota management functions," said Scott Ashton, a LAN/WAN specialist at TLC Engineering for Architecture Inc., an Orlando, Fla.-based engineering firm. "We've really seen the return on our initial investment as we've been able to take advantage of each new upgrade with HYDRAstor since our early adopter installation in 2007." "A highly resilient storage solution primed for archiving, that self-evolves with the ability to intermix several generations of technology, offers global deduplication, great scalability, and automates provisioning, migration, workload balancing and system management will be the key features of a storage solution that the market will demand," said Dave Russell, a vice president at researcher Gartner Inc.

The new application-aware deduplication feature allows newly supported third-party backup applications such as IBM's Tivoli Storage Manager and EMC's NetWorker, as well as the previously supported Simpana from CommVault and NetBackup from Symantec, to take advantage of the data-reducing feature. With the exception of the WORM capability, customers can install the latest HYDRAstor upgrades for free. The WORM upgrade costs $14,000 per accelerator node.

CA to buy NetQoS for $200 million

CA Monday announced plans to acquire NetQoS for $200 million, adding application-aware network and systems management products to the software maker's broad enterprise IT management portfolio. The added technology will also boost CA's efforts to manage advanced infrastructures that feature virtual systems and cloud computing environments, the vendor says. "NetQoS technology complements CA's Wily products and will help network and systems engineers better design their infrastructure to ensure application issues don't occur from the start," says Roger Pilc, senior vice president and general manager of CA's infrastructure and automation business unit. "The technologies will help network and systems management be more application aware." The deal, anticipated to close in CA's fiscal third quarter, would augment an already full software lineup grown via previous acquisitions of Wily Technology, Concord Communications and Aprisma. CA executives say the pending acquisition offers little overlap by way of products and will help CA products diagnose the root cause of application errors within the network and systems infrastructure.

CA executives say NetQoS products, designed for network managers responsible in part for application delivery, will add to the company's Wily products that detect performance problems in the application environment. NetQoS tools are able to detect application performance problems using network-centric measures such as traffic flow. "The acquisition is good because NetQoS has a focus on application delivery, so when combined with Wily, it offers a good one-two punch. Customers can visualize the links and relationships between the delivery technologies and the business applications and services with Wily, and understand the real-time application and service activity across those links and relationships with NetQoS traffic flows," says Jasmine Noel, co-founder and principal analyst at Ptak, Noel & Associates. With some areas of overlap in the former Concord eHealth and Aprisma Spectrum tools, CA's Pilc says the company will work to address issues after the deal closes. CA also expects the NetQoS technology to play a bigger role in its virtual and cloud management offerings. With its ability to track flows across virtual and physical elements, NetQoS tools could be coupled with Cassatt assets CA acquired earlier this year, the company says.

Noel says customers should not expect NetQoS tools to get lost in the shuffle as CA could have targeted plans for each product suite. "In terms of portfolio, CA now has two network performance management solutions, eHealth and NetQoS. But I think CA has specific targets for both solutions," she says. "CA's eHealth technology will target network engineers who spend most of their time managing performance of specialized network infrastructure. NetQoS technology will target network engineers who focus on application delivery where the management of traffic flows is the primary task, rather than the management of thousands of network devices."

NetQoS co-founder and CEO Joel Trammel says CA represented the best fit with his company's technology, and customers shouldn't expect any change in products or support as the deal unfolds. With no previous partnerships, the two vendors share some 200 customers and CA's Pilc foresees "very little modification in the NetQoS product set and its approach to customers going forward." NetQoS has more than 1,000 customers worldwide and reported revenue of $56 million in 2008. That is why NetQoS executives found the deal to be synergistic. "We sought out CA because we saw a clear fit with us and the company's success in acquiring Wily, Concord and Aprisma. We were excited and see the clear fit between tying these acquisitions together," Trammel says.

Industry watchers expect the deal could benefit both parties going forward if CA sales teams focus on the NetQoS suite. "For a small vendor, being acquired could be good because a larger sales force means a bigger pipeline. Or it could be bad if it gets lost in the portfolio. In the Swainson era, CA has handled its acquisitions fairly well, and with Wily as a tag-team partner I don't see NetQoS getting lost," Noel says.

Follow Denise Dubie on Twitter here.

Skype Founders Sue eBay: What's Going On?

The founders of Skype are suing eBay for copyright infringement, a move that could block eBay's deal to sell a majority stake in Skype to a group of private investors for $1.9 billion. eBay purchased Skype back in 2005 for $2.6 billion, but failed to acquire Joltid, the company supplying the core technology behind Skype, also owned by the founders of the VoIP software. The sale was seen as a big failure because the company was not able to further monetize the potential of the VoIP service in the years to come.

So eBay sold a 65 percent stake in Skype two weeks ago to an investment group for $1.9 billion, managing to get back some of the money it invested initially. But it's not all good for Skype, as Skype's original founders are now suing eBay, seeking damages for copyright infringement. At the core of the suit is a peer-to-peer technology called "global index", which is used by Skype's software to route calls over the Internet instead of traditional phone lines. This technology is owned by Joltid, which is still owned by the founders of Skype. Now moving to the U.S. courts, Joltid is seeking an injunction against Skype, which could affect Skype's operation.

As if it wasn't complicated enough, eBay licensed "global index" from Joltid for continued use in Skype, but Joltid terminated the license in March and the two have been battling in U.K. courts ever since. The trial could jeopardise the closing of the Skype sale to the private investors, who are also named as defendants by Joltid. While eBay is working on its own technology to replace Joltid's, Skype could be forced to close down its operation if Joltid wins the trial. What's even more ironic is that the money Joltid is using to sue eBay is probably the money they got from eBay when they sold Skype.

China's Alibaba expects India joint venture this year

Top Chinese e-commerce site Alibaba.com aims to announce an Indian joint venture this year as the company expands its global footprint, it said Friday. Alibaba.com is in talks with an Indian reseller about forming a joint venture, CEO David Wei told reporters at a briefing. A deal in India, where Alibaba.com recently surpassed 1 million registered members, would be the latest in the site's efforts to grow abroad. "I've got a lot of confidence in India," said Jack Ma, CEO of Alibaba Group, the parent company of Alibaba.com.

Alibaba.com already works with Indian publishing company Infomedia 18, its likely joint venture partner, to promote its platform in the country. Alibaba.com is a platform for small and medium businesses to trade everything from lumber and clothes to iPods and PC components. Its main member base is in China, but the site also has 9.5 million registered users in other countries and facilitates many cross-border trades. The site also has a joint venture in Japan and recently launched a major U.S. advertising campaign to attract more users there. Ma and other top Alibaba executives visited the U.S. early this year for meetings with potential partners including Amazon.com, eBay and Google. Ma said Alibaba knows it needs to "do something" in Latin America as well.

When asked if the company would also seek to expand in Eastern Europe, Ma said, "I will be there." Alibaba will not hold a majority stake in joint ventures it forms, instead taking a share similar to the 35 percent it has in its Japan operation. "Our global strategy means partner with local people," Ma said. "We want partners and we want partners to control their business." Users place total orders of more than US$200 million each day on the Alibaba.com international platform, Wei said. About 50 percent of those orders go to Chinese exporters, he said.

Half of new servers are virtualized, survey finds

More than half of new servers installed in 2009 will be virtualized, and that number will hit 80% by 2012, signaling huge growth in the hypervisor market, according to a report released at VMworld by TheInfoPro, a research company.

The benefits of virtualization and the growing maturity of hypervisors are certainly contributing to increasing use. But the economic downturn is also forcing IT to cut back on hardware spending, and many are turning to virtualization to wring more power out of previous server investments.

In 2008, about 30% of new servers were virtualized, says Bob Gill, managing director of search research at TheInfoPro. The data includes all types of servers, although the trend toward virtualization is largely being driven by the x86 market.

"It seems to many people that the party is over, that everyone is virtualizing," Gill says. "But the simple fact is it's just starting to kick in."

The data is based on interviews with IT pros at 195 enterprises in North America and Europe, mainly Fortune 1000-size companies. About 10% of respondents report having more than 1,000 virtual machine instances, and about half have deployed at least 100 virtual machines.

VMware is still dominating the x86 virtualization market, according to IDC. In the first quarter of 2009, 50% of new virtualization licenses deployed on x86 servers were from VMware, and 24% were from Microsoft, according to IDC's Worldwide Server Virtualization Tracker.

The opportunity for Microsoft and others to take significant market share away from VMware may not come until next year, Gill says. That's because VMware's strategy has been to sell large blocks of virtualization licenses to customers, and many customers will have to work their way through excess VMware licenses before they consider switching, he says.

62% of respondents have tested a hypervisor other than VMware's and 30% said they plan to put a non-VMware hypervisor to use.

But that's not to say IT shops are dissatisfied with VMware. Only about one in ten respondents said they are considering switching away from VMware, and nearly every VMware customer expects that the company will still be on its technology roadmap in three years, the survey found. The reality is, many IT shops are choosing to use multiple hypervisors. Nearly one-third of respondents said they will support a mixed set of technologies for x86 virtualization.

"We're going to see a very messy, heterogeneous hypervisor world," Gill says.

Questions about performance and manageability are the greatest impediments to virtualization, but these concerns are not likely to stop the upward momentum.

Customers may choose to avoid virtualizing some transactional-heavy applications like databases, but "nobody ever said 100% of all servers will be virtualized," Gill said.

Korean 'journalists' booted from Defcon

Four South Korean journalists were booted from the Defcon hacking conference this week after conference organizers decided their story didn't quite add up.

Conference representatives released few details of the incident. They said Sunday that they'd ejected the journalists two days earlier after deciding that they simply weren't acting like press. They believe that one member of the group was a legitimate journalist, but that the other three were on some sort of intelligence-gathering expedition.

Hackers who the group interviewed at the show said that their questions seemed inappropriate, organizers said. The journalists attended one day of Defcon's Black Hat sister conference before being ejected on Friday.

Defcon did not release the names of the journalists or say who they claimed to work for.

This kind of incident happens nearly every year, said one of the show's senior organizers who goes by the name "Priest."

In the past, they say they've caught members of Mossad, the French Foreign Legion, and other organizations posing as press. By registering as journalists, they can get more time to query researchers and raise no suspicions by asking probing questions.

"When you think about it, being a member of the press is a pretty good cover because you can ask difficult questions, people love to see their names in print and in lights, so they're much more likely to talk to you, so you can get away with a lot more," Priest said.

The French Legionnaires were easy to spot, he said. "There's a certain body type you find with people who are in that type of work," he said. "Broad shoulders, narrow waist, not very tall. I'm looking at these guys, going, 'You're in far, far too good shape to be press.'"

The Legionnaires eventually admitted that they were not press and were allowed to stay at the show as regular attendees. They even went on stage for Defcon's annual "spot the fed" contest where people are invited to pick out government employees from a group of attendees.

Government employees posing as press often move very quickly to technical questions, rarely showing any interest in the motivation behind the research. They get "very technical very quickly," Priest said. "They're much more interested in what the latest is and what the greatest is and how they can use it."

Often they also ask about U.S. government systems or seem to be gathering intelligence on the presenters, he added.

And often attendees are happy to provide the information, thinking that it may be used in an article, particularly young, inexperienced hackers, Priest said. "You've got usually a very introverted individual, who usually doesn't have a lot of friends, and if you have someone paying attention to you... you're flattered; your ego's being stroked; you're much more likely to try to impress that person."

Microsoft patches 9 bugs, leaves one open for hackers

Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.

Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.

"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.

In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) - and admitted it had known about, but not fixed, the flaw for the past 18 months.

Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.

The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, Microsoft simply disabled the control, effectively shutting off any possible attack by modifying the Windows registry using the update. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.
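As an added example, not code from the article or from Microsoft, here is a PowerShell check a defender can run to confirm that a control's kill bit (the 0x400 flag in its "Compatibility Flags" registry value) is actually set after such an update. The CLSID is a placeholder, since the article does not name the control's class identifier.

```powershell
# Added example: audit whether an ActiveX control's kill bit is set.
# A kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# The CLSID below is a PLACEHOLDER; substitute the one named in the bulletin.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'  # placeholder, not a real control
$KillBit = 0x400

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Check both the native and the 32-bit (WOW64) registry views so a
    # 64-bit host is audited fully; on 32-bit Windows the second key is absent.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) {
            [pscustomobject]@{ Path = $p; KillBitSet = $false; Flags = $null; Note = 'key missing' }
            continue
        }
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path       = $p
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            Note       = if ($null -eq $flags) { 'value missing' } else { '' }
        }
    }
}

# A missing key or a Flags value without bit 0x400 means the control is still loadable in IE.
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```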

Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."

Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.

Like the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."

Other researchers speculated that Microsoft might depart from its usual once-per-month patch schedule to get such a fix out before Aug. 11, the next regularly-scheduled update. "Obviously, that would be much better," agreed Wolfgang Kandek, chief technology officer at security company Qualys.

The third critical update, MS09-029, also caught the eyes of Schultze and Kandek. Two vulnerabilities in Embedded OpenType (EOT) Engine leave all versions of Windows, including Vista and Server 2008, open to attack.

"It looks pretty easy to exploit," said Kandek. "If you view some text on a Web site in that font, you're compromised. And if the attack comes in an e-mail, there's no need to open an attachment, you can be compromised just by viewing the e-mail."

Schultze agreed. Calling the font vulnerabilities "nasty," he said that they could quickly be used up by hackers. "If there's exploit code available, which there isn't yet, these would be pretty easy to exploit," Schultze said.

Microsoft also delivered patches today for bugs in Publisher 2007, ISA 2006 and the client and server editions of its virtualization software. The ISA bug, described in MS09-031, intrigued both Kandek and Schultze, but not for the same reasons.

"You can gain full control of the server if you know the administrator password," said Kandek. "And in some situations, that password may be 'administrator' or 'admin' or even 'root'."

Shops with weak usernames may be at risk of information theft, added Amol Sarwate, the manager of Qualys' vulnerability research lab. "[Attackers] could install small malware and maybe sniff the Web traffic [through the server], access other systems on the same network or even redirect users to another Web site," Sarwate speculated.

Schultze dismissed those worries. "It looks like all the planets have to [be] aligned just right," he said, referring to the narrow scenario Microsoft spelled out. "I'd call that a real edge case."

The remaining two updates patched Publisher 2007 (MS09-030) and Virtual PC and Virtual Server (MS09-033). Neither drew much attention from Schultze, Kandek or Sarwate.

Storms, however, put a finger on the Publisher patch. "MS09-029 and MS09-030 are bucking the trend," said Storms, talking about the Publisher and OpenType bulletins. "Typically, Microsoft's newer software is more secure, but that's not the case here.

"The fact that we got them both in the same month is probably just a coincidence," Storms continued. "But it doesn't surprise me that researchers are looking at the newer software, because it's the newer software that's being deployed."

Schultze and Kandek noted that the OpenType vulnerabilities' appearance in all versions of Windows, up to and including the unfinished Windows 7, likely means Microsoft had overlooked the flaw for years. "It tells me that that particular component has received less attention," Kandek said, "and that Microsoft didn't change anything in the code from when it was first used in [Windows] 2000."

And the virtualization software bugs? Nothing much to worry about, said Schultze, since there's no chance that an attacker could escape the "guest" operating system to wreak havoc on the "host."

"But I think it's a sign of things to come," argued Kandek. "Virtualization adds to the attack surface rather than subtract."

July's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Antivirus testing outfit: Windows Security Essentials makes the grade

Microsoft's free security software passed a preliminary antivirus exam with flying colors, an independent testing company said today.

AV-Test GmbH tested Windows Security Essentials, the free software Microsoft launched yesterday in beta, on Windows XP, Vista and Windows 7, putting it up against nearly 3,200 common viruses, bot Trojans and worms, said Andreas Marx, one of the firm's two managers. The malware was culled from the most recent WildList, a list of threats actively attacking computers.

"All files were properly detected and treated by the product," said Marx in an e-mail. "That's good, as several other [antivirus] scanners are still not able to detect and kill all of these critters yet."

AV-Test also measured Security Essentials against a set of in-house false positives to see whether the software mistakenly fingers legitimate files, a nightmare for users, who can be left with a crippled computer, and a disaster to the reputation of a security company.

"None of the clean files were flagged as being malicious," noted Marx. "Very good."

AV-Test also examined the program's anti-rootkit skills and its ability to scrub a system of malware it finds with a limited number of samples and "found no reasons to complain," Marx said. "[Security Essentials] is able to remove found malware very well, but further tests against larger sets of samples are required before we can come to a final conclusion."

Marx put to rest the once-rampant rumor that Security Essentials would operate "in-the-cloud" by scanning PCs from Microsoft's servers. "The scanner works with the locally-installed anti-virus and anti-spyware databases - it doesn't appear to use 'in-the-cloud scanning' methods," he said.

AV-Test's results will disappoint some rivals in the security market, who yesterday knocked Microsoft's effort. "It just doesn't give you the protection that you need," argued J.R. Smith, the CEO of AVG Technologies, a company best-known for its free antivirus software. "People aren't worried about antivirus anymore. Most of it is just noise. [Security Essentials] will help, especially in emerging markets. But it's centered around viruses, which the bad guys aren't really pushing anymore."

Instead, cyber criminals increasingly rely on compromised Web sites to hit incoming PCs with exploits against unpatched vulnerabilities, said Smith. AVG packages LinkScanner, software that scans a URL for signs of infection, with its paid products. A free version of LinkScanner can also be downloaded from the AVG site.

Another noted antivirus testing lab, AV-Comparatives.org, said it would formally test Security Essentials in August, and release its results the next month.

Microsoft posted the beta of Windows Security Essentials to its site yesterday, saying it would cap the downloads at 75,000, which it has reached. As of early Wednesday, the site stated: "We are not accepting additional participants at this time. Please check back at a later date for possible additional availability."

The new software, formerly known as "Morro," replaces Windows Live OneCare, the for-a-fee security package that Microsoft is tossing June 30.

Microsoft has not revealed a ship date for the software, but the program's end-user licensing agreement (EULA) notes that it expires Sept. 30 or when the program is released, whichever comes first.

It's likely that Microsoft will deliver Security Essentials before it ships Windows 7, which is slated to debut Oct. 22.

Palm Pre fans line up in early hours to be first with the new smartphone

The nationwide launch of the Palm Pre today was more like a soft launch compared to the crowds that lined up to buy new iPhones, but Palm enthusiasts nonetheless gathered outside Sprint Nextel Inc. stores and other retailers in the hopes of being among the first with the highly anticipated smartphones.

For many buyers, the purchase of a Pre with its new WebOS, was a good investment in an exciting new smartphone, but also a way to support ailing Palm Inc. and even wireless carrier Sprint.

"As an original Palm Pilot user, I want to support Palm and see them make it, but this Pre is also just a bloody cool device," said Skip Tannen of Upton, Mass. He said he liked the way it felt in his hands, and was especially impressed with the QWERTY keyboard, instead of the touchscreen on the iPhone, which he also uses.

Tannen, an IT operations engineer at Babson College in Wellesley, Mass., waved his arms in victory holding his newly purchased Pre high as he left a Sprint store in Framingham, Mass, about 20 miles west of Boston. He was the first in line at 8 a.m. when the store opened, having left his home three hours earlier.

A Sprint spokesman characterized the launch in East Coast cities as "a nice flow of customers," with some stores attracting crowds of 40 to 50 people waiting to get in at 8 a.m. when many stores opened.

"Our service reps have been able to spend time with customers to set up the new Palm Pre and make sure they know how to ... use the features," said spokesman Mark Elliott.

Sprint sells the device for $200 after a $100 mail-in rebate, plus a two-year service agreement. Elliott, who was stationed at a store in lower Manhattan, said that by 11 a.m., there had been a steady line of customers at several East Coast stores he'd heard from.

In downtown Boston, there was still a line of about 15 people outside the Sprint store two hours after it had opened. According to Boston.com, the store sold out of its 55 Pres by 11 a.m. At a Framingham Best Buy, where the $100 rebate is automatic, a store manager was waiting outside before the official opening to give Pre buyers a ticket to come back for activation at 10 a.m. He said most Best Buys only had three or four of the devices, and characterized the first day of sales as a "soft launch." At 9 a.m., he still had tickets available for two Pres.

Sprint would not say how many devices were available nationwide, although the Framingham Sprint store had sold at least 20 Pres in the first 90 minutes, based on the number of customers seen leaving with one device. Sprint will replenish its stock, depending on when Palm makes them available, the spokesman said.

Seven successful Pre buyers who were interviewed at the Framingham store said they wanted a new smartphone with a bright screen and a hardware keyboard. Of those, four said they were willing to switch from Verizon Wireless and AT&T to do so. All of them said they had tried the iPhone, or owned one, and wanted a hardware keyboard instead of a touchscreen, finding the touchscreen hard to use.

Some had more specific interests, including learning about the Pre to consider writing applications for it that Palm would sell in its application storefront, called the App Catalog.

Adam Cooperman of Boston, who works for a health insurance company, said he wanted to get access to Palm's Software Developer Kit (SDK) to try to market a simple personal productivity application. "If it sells, great, but if not, then I have it for myself," he said.

Cooperman was one of the first to buy a Pre, and had to switch his wireless carrier to Sprint from T-Mobile USA. Minutes after he purchased the smartphone, the screen went blank. He quickly returned it for another, and said it was "probably something minor." Sprint officials said they knew of no similar widespread problems with the new Palm Pre hardware.

Jennifer Stoner, a private tutor from Newton, Mass., said she was hoping the Pre would not pose battery problems for her, since she had read early reviews saying it would work for five hours on a charge. "I need eight hours, as I'm driving around," she said. She uses a solar-powered charger that she stores in her car to keep her cell phone powered up.

Stoner was undecided about buying the Touchstone, a hockey puck-shaped charging dock offered by Palm that requires no cables and sells for $70. "I'm undecided on the Touchstone, even though it's adorable," she said, laughing.

Stoner, like several others at the Framingham store, is a longtime Palm user. Her current Treo smartphone is four years old and needs to be replaced. "I hope the Pre helps Palm, since Palm has always had the greatest apps," she said. A Pre will also impress her students, she said, giving her the ability to quickly browse for facts and information.

"A lot of my students are Korean, [and] they all have the latest phones and know devices," she said.

Richard Rosmarin, another longtime Palm user, said he was eager to have a multitasking smartphone like the Pre so that he could read his e-mail while also listening to music from it in the background. "Of course my wife asked me if having this Pre is critical to my life, but I'm getting it anyway," he said.

Rosmarin, a restructuring consultant at Cornerstone Management LLC in Wellesley, Mass., has followed the fates of Palm and Sprint for a long time. "Sprint needs something like the Pre, since they've lost customers recently," he said. "They need a cool device with pizzazz like this."

Anne-Marie Kenney, an assistant dean of student life at Lesley University in Cambridge, Mass., said having the Pre would help her sort through e-mail from Google, Yahoo and others more quickly in a common interface.

She smiled as she also bragged to people waiting in line that she could sync the Pre to iTunes to get access to about 1,000 songs she has there. Even if Apple Inc. decides to turn off that sync capability soon, she said, she will sync them as soon as she can to have all the songs available on her Pre.

Apple has not commented on plans to disrupt the Pre's sync capability with iTunes, although analysts predict Apple will either sue Palm or write the iTunes software to stop the Pre syncing. Palm has defended the sync capability as making it easy for Pre users to access their purchased songs, however.

The Pre customers who switched service from Verizon Wireless and AT&T Inc. said they found the Pre compelling enough to buy it now, rather than wait at least half a year before either competitor sells the Pre.

Verizon announced plans to sell the Pre and AT&T has said it is interested, although the expiration date of the Sprint deal as the exclusive Pre carrier is still up in the air. CEO Dan Hesse suggested Friday that the exclusive deal might last beyond the end of the year, although David Owens, director of Sprint consumer marketing, said later it was through the end of the year.

Elliott, the Sprint spokesman, attempted to rationalize both of those predictions today by saying, "What we've been saying is that the exclusive with Palm Pre lasts through at least the end of the year."

Nick Barber of the IDG News Service in Boston contributed to this report.