SolarWinds Tuesday announced an updated product that the company says will enable IT departments to use Cisco IP SLA to better manage WAN connections, router performance statistics and VoIP metrics. It could potentially have a pretty negative impact," says Josh Stephens, head geek for SolarWinds. "That has changed a lot over the past few years and now you can configure devices in such a way that IP SLA and NetFlow don't impact the operation of the device, but still add value when it comes to network performance monitoring." The software, targeted at network engineers ideally, can understand from every point on the network how voice applications, for instance, are performing, Stephens says. SolarWinds' Orion IP SLA Manager replaces the vendor's Orion VoIP Monitor and combines capabilities to track voice metrics such as jitter, latency and packet loss with visibility into Cisco's IOS IP SLA. According to Cisco, IOS IP SLAs "use active monitoring to generate traffic in a continuous, reliable and predictable manner, thus enabling the measurement of network performance and health." SolarWinds says it decided to monitor the Cisco technology with a commercial product (the vendor already made a free IP SLA monitoring tool available) because enterprise IT managers are overcoming the traditional barriers to such Cisco tools as IP SLA and NetFlow, for instance. "Traditionally there were key barriers to the deployment of IP SLA in customer environments. The product can help network managers get from one tool metrics on how each site is operating from a WAN perspective as well.

It tracks edge-to-edge router performance statistics that can be exported into a dashboard for quick reference as well, SolarWinds says. "Performance can vary greatly across sites," Stephens explains. "This product helps to make the process of collecting this data simple and helps network engineers better understand the performance of the networks, applications and services." Competitive products include CA's eHealth, which CA obtained via its Concord Communications buy, and tools developed by InfoVista. Because IP SLA is already built into Cisco routers, network managers can quickly generate network and services performance data to identify site-specific or WAN-related performance issues. SolarWinds Orion IP SLA Manager pricing starts at $1,495, including first year maintenance. A free 30-day trial of the product is available for download. Orion IP SLA requires an installation of Orion Network Performance Monitor (NPM). Pricing starts at $2,475 for Orion NPM, including first year maintenance.

Follow Denise Dubie on Twitter here.  

Blacktree Software has released Secrets 1.0.6, a Snow Leopard-compatible version of their preference pane which exposes hidden features on your Mac. Secrets provides handy checkboxes to turn these features on and off, and doubles as a menu of secret settings. If you've ever read a Mac tip that starts, "Open a Terminal window and type 'defaults write...'", it's highly likely that you can save yourself that effort with this preference pane.

A "Top Secrets" entry shows a list of popular options, but many more options for various applications can be selected from the application sidebar. A few caveats before you go too nuts with the Secrets features: many of the features in Mac OS X that aren't official remain "secret" because they're not entirely debugged. Clicking on any of the listed features will show you a short description of what it does in the bottom of the window; click on the More Info button for a detailed description. You can expect to see some odd behaviors if you turn some of these on, so don't tick every checkbox at once; try out a change to see if you like it (and can live with any side effects) before you go on to something else. If this is happening with several of your third-party preference panes, you can set System Preferences to stay in 32-bit mode by selecting the System Preferences.app in the Finder, choosing Get Info, and ticking the "Open in 32-bit mode" checkbox.

The Secrets preference pane requires System Preferences to run in 32-bit mode, and will prompt you to relaunch if, as per Snow Leopard default, it's in 64-bit mode when you launch it. All of your Apple 64-bit preference panes will work just fine. Secrets requires Mac OS X 10.5 or later and is a free download. [via TUAW]

The growing demand for online applications could push the number of mobile devices accessing the Internet past 1 billion by 2013, IDC said in a survey issued on Wednesday. Some of the popular online activities through mobile devices today include accessing news and search engine Web sites, downloading multimedia files and exchanging e-mail and instant messages. The explosion in the number of Internet-capable mobile devices will grow with the number of mobile users seeking access to online services, which could top 900 million by 2013, IDC said. Consumers will make a larger number of online purchases using mobile devices, which could lead to growth in e-commerce activity.

But at some point, the lines could blur as mobile devices get utilized for corporate and personal activities, said John Gantz, chief research officer at IDC. Close to 450 million users sought access to the Internet through mobile devices this year, IDC said. Businesses will also look to increase mobility of employees by providing access to business applications and corporate e-mail systems. That number could grow as Internet-capable mobile phones, smartphones and other wireless devices become affordable. A total of 1.6 billion people accessed the Internet this year, and the number could reach over 2.2 billion users in 2013. More than 1.6 billion devices, including mobile devices, PCs and gaming consoles, were used to access the Internet this year, and that number could top 2.7 billion by 2013. The U.S. had the largest number of fixed and mobile devices connected to the Internet, but China led in the number of Internet-connected mobile devices at around 85 million. The number of mobile Internet users will grow as the number of worldwide Internet users increases. China also had the largest total number of Internet users, with 359 million this year, and the number is expected to grow to 566 million by 2013. The U.S. had 261 million Internet users in 2009, which could reach 280 million in 2013. The number of Internet users in India could double between 2009 and 2013, according to IDC.

Threats of cyberwar and a story of real violence rubbed shoulders at a news conference to mark the opening of the ITU Telecom World exhibition and forum in Geneva on Monday. "The next world war could begin in cyberspace," warned Hamadoun Touré, secretary general of the International Telecommunication Union, the United Nations agency that organized the event. That's why the ITU is pushing an ambitious worldwide program for cybersecurity and peace. "By the end of next year, we will broker a global agreement with every country to protect its citizens online, not to harbor cyberterrorists, and not to start an online attack," he said. The beginnings of such an unconventional war could be out of the control of conventional diplomacy, he said, because in cyberspace "there is no such thing as a superpower: Every citizen is a superpower." With an army of "bots," or compromised computers, at their command, almost anyone could wield great power in a virtual battle, as a number of recent denial-of-service attacks against targets around the world have shown. "We know from conventional wars that the best way to win is not to start," Touré said. U.N. Secretary General Ban Ki-moon began by expressing his sorrow at news of an all-too-real attack, the suicide bombing earlier in the day of the Islamabad, Afghanistan, office of the U.N. Food and Agriculture Organization, which left several people dead.

Encouraging the participation of "our youth, drivers of innovation and change," is vital if those divisions are to be eradicated, he said. Returning to the theme of the conference, he highlighted "a world divided," those with access to information on one side, and those without on the other. Investment in infrastructure and services must be encouraged too in order to eliminate the technology divide - but the motive should be profit, not charity, Touré said. "In our strategy of connecting the world, we have no need for charity: It's pure business. The telecommunications industry will always have investment, because it's a profitable industry, he said. If you have the right business plan, you will have investment," he said.

That's turning out to be the case in Rwanda, said President Paul Kagame, where state infrastructure projects have attracted investment from Chinese network equipment manufacturers. "The availability of capital for everything is getting more and more scarce, but in our country there is a strong partnership between public and private sectors," he said. In the company's home market, revenue from international calls is down 20 percent because of a reduction in tourism and manufacturing exports, he said. China continues to invest internationally, despite the impact of the global economic crisis and the attraction of the untapped potential of its home market, said Wang Jianzhou, chairman and chief executive officer of China Mobile, also present at the news conference. "We have still got challenges from the international financial crisis," he said.

Microsoft late Monday held out a glimmer of hope to Sidekick users, saying that it may be able to recover some data previously believed lost in a massive server failure. "Recent efforts indicate the prospects of recovering some lost content may now be possible," a Microsoft spokesman said in a statement that was duplicated on T-Mobile's support site. "We will continue to keep you updated on this front; we know how important this is to you." The news came two days after Microsoft and T-Mobile confirmed that a server failure "almost certainly" meant that users' data had been lost. On Monday, hints surfaced that Microsoft might have made progress in restoring the lost data, as some users said that personal data had reappeared on their phones. In a joint message at the time, the companies said that although engineers were working on the problem, "the likelihood of a successful outcome is extremely low." The outage sparked users to post thousands of messages on T-Mobile's support forums, where most customers raged at the loss, calling it "inexcusable" and beating the drum for a class-action lawsuit.

Sidekicks use the servers run by Microsoft subsidiary Danger Inc. to synchronize the smartphone's content, including contacts, appointments and photos, with a cloud-based storage service. Some reports had linked the server failure to an upgrade of Danger's storage area network (SAN). Microsoft, however, declined to confirm those reports. When the servers went down and data on them was lost, that same data was then deleted from Sidekicks whose users had removed the battery in an attempt to reset the device, or had let the phone's battery completely drain. T-Mobile promised customers $100 for their troubles, but with significant caveats. "In the event certain customers have experienced a significant and permanent loss of personal content, T-Mobile will be sending these customers a $100 customer appreciation card," the mobile carrier said. "This will be in addition to the free month of data service that already went to Sidekick data customers. The failure, the spokesman added, "impacted both the main and backup databases." But Microsoft also made a point to distance its own cloud-based plans from the disaster. "The Sidekick runs on Danger's proprietary service that Microsoft inherited when it acquired Danger in 2008," said Microsoft's spokesman. "The Danger service is built on a mix of Danger-created technologies and third-party technologies. This card can be used towards T-Mobile products and services, or a customer's T-Mobile bill." Affected customers will be automatically notified within the next two weeks, T-Mobile added. "We however remain hopeful that for the majority of our customers, personal content can be recovered." Also on Monday, Microsoft provided some additional information about what happened at Danger, the Sidekick software and services developer it acquired in 2008. "A server failure at Microsoft/Danger caused an outage that affected the applications and services available on the Sidekick devices," a Microsoft spokesman said Monday afternoon.

Microsoft's other cloud computing projects are totally separate from the Danger Service and do not rely on the Danger Service technology." T-Mobile, meanwhile, yanked the Sidekick from its online store Monday. As of 2 a.m. Eastern today, the Sidekick was still listed as "temporarily out of stock."

The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. Wang and another colleague then investigated how a major outage in one subnetwork would affect adjacent subnetworks, according to an article in New Scientist. The aim of the research was to study potential weak spots on the West Coast grid, where an outage on one subnetwork would result in a cascading failure across the entire network. Jian-Wei Wang, a network analyst at China's Dalian University of Technology, used publicly available information to model how the West Coast power grid and its component subnetworks are connected. A cascading failure occurs when an outage on one network results in an adjacent network becoming overloaded, triggering a similar set of failures across the entire network.

Wang's research was expected to show that an outage in a heavily loaded network would result in smaller surrounding networks becoming overwhelmed and causing cascading blackouts. The massive blackouts in the Northeast in August 2003, which affected close to 10 million, were the result of such a cascading failure. Instead, what the research showed was that under certain conditions, an attacker targeting a lightly loaded subnetwork would be able to cause far more of the grid to trip and fail, New Scientist reported quoting Wang. Wang did not reply to an e-mailed request for comment seeking details on the report. The article does not describe Wang's research (paid subscription required) or any further details of the attack. Wang's report, which appears to have been largely overlooked until the publication of the New Scientist article last week, was completed last November and has been available online since March.

The so-called "inherently fault current limiting" (IFCL) superconductor technology is part of the DHS' Resilient Electric Grid project. John Verrico, a spokesman for the DHS' science and technology directorate, said the DHS has not reviewed the research but is "very interested in the findings." In an e-mailed comment, Verrico said the DHS is working on a "self-limiting, high-temperature superconductor" technology that is designed to prevent power surges in one network from affecting surrounding networks. According to a DHS description, the technology is capable of carrying 10 times as much power as current copper wires of the same size, while also being able to automatically adapt to massive power surges and outages. The effort, which is funded by the DHS' science and technology directorate, involves teams from American Superconductor Corp., Southwire Co. and Consolidated Edison Co. The technology was successfully tested at the Oak Ridge National Laboratory in Tennessee earlier this year. A single such IFCL cable will be capable of replacing 12 copper cable bundles. Pilot tests of the IFCL cable in New York are expected to start in 2010, Verrico said.

In April, The Wall Street Journal, citing anonymous national security officials, reported that cyberspies from China, Russia and elsewhere had gained access to the U.S. electrical grid and had installed malware tools that could be used to shut down service. News about Wang's research comes at a time when there are considerable concerns about the security of the U.S. power grid. Though the access hasn't been used to disrupt service, the concern is that the malicious hackers could do so with relatively short notice during a time of crisis or war. The letter lamented the apparent lack of awareness within the power sector of the cyber and noted how the horizontal nature of networked technology could allow attackers to take down multiple power sector assets at once, and from a distance. In a letter sent to industry stakeholders in April, Michael Assante, chief security officer at the North American Electric Reliability Corp., drew attention to the need for operators, suppliers and distributors in the power sector to properly identify and protect critical assets and associated critical cyber assets.

Building an internal cloud is as easy as installing VMware, right? Last year, Forrester Research asked enterprises in a survey how many of them had built an internal cloud, and about 5% said they had, according to analyst James Staten. That's what a lot of customers think, but in reality the virtualization of servers is just one of many required steps for enterprises that want to build a cloud network. But when asked to define the internal cloud, IT executives typically replied "my VMware environment," Staten says.

Most enterprises are not." Additionally, customers need extensive experience with virtualization and automation technologies, and must be comfortable with letting users provision their own services through a self-service portal. Cloud networks deployed by an enterprise for its own users are often called "private clouds," but that phrase has been co-opted by a few vendors to describe certain forms of external hosting services. In reality, adoption of internal clouds as defined by Forrester is less than 2% of enterprises, and vendors are just beginning to provide the proper tools necessary to build them, he says. "The big challenge we see is most enterprise organizations are not organizationally ready to deploy an internal cloud," Staten says. "You have to be ready to share resources among business units. Therefore, Forrester and other analysts have decided to use the phrase "internal cloud" to describe cloud networks that exist entirely within a customer's own IT infrastructure. Both are composed of a collection of x86 servers topped with either a grid engine or a virtual infrastructure based on hypervisors." But internal clouds have several key elements that go beyond virtualized infrastructure. In a report titled "Deliver Cloud Benefits Inside your Walls," Forrester's Staten writes: "Architecturally, an internal cloud isn't that different from a virtualized scale-out infrastructure in today's enterprise.

For example, an internal cloud lets developers deploy applications to the cloud via a self-service portal, without any involvement from a server administrator, Forrester says. Moreover, internal clouds are multi-tenant, sharing resources across business units and divisions within a company that may not share computing equipment today, Staten says. "To account for the use of the virtual pool, internal cloud infrastructures usually provide a method of metering and tracking resource use that feeds chargeback or direct billing for the resources consumed," he writes. Additionally, internal clouds have an automated workload distribution engine (such as those found in grid networks) to determine the best placement of new workloads and optimize the pool of virtualized computing resources to make room for more applications. In her research, Yankee Group analyst Agatha Poon defines three key elements of an internal cloud: the network, process and corporate culture. In addition to strict access controls, the network must be robust enough to survive a performance hit that could be caused by virtualization. "Running virtual machines on a single server and accessing them via Gigabit Ethernet could overwhelm the network, leading to degraded performance," Poon writes in a report titled "Rebuilding Corporate Data Centers as Private Clouds." "The situation is exacerbated as enterprise users expect to access business applications anywhere, anytime, resulting in applications being dynamically rerouted on the fly to meet specific requests." In terms of process, automation is key for dynamically scaling IT resources and enabling quick provisioning and deprovisioning of computing instances and applications. "Automation is a key feature used in the cloud computing environment to orchestrate the interplay between the physical and virtual components required to build an internal cloud," Poon writes. 
"As the number of virtual machines per physical server continues to swell, it becomes very cumbersome for enterprise IT to manually manage processes such as installing and configuring the OS and doing patching and upgrades for ongoing support." Adequate monitoring tools and policies are also needed to guarantee service availability and performance, and meet regulatory demands. On the network front, reliability and security become more important than ever in a cloud environment because of the reliance on a consolidated pool of processing and storage, Poon says.

Key vendors in this area include IBM, VMware, Neustar and AccelOps, according to Poon. Users often resist changes to the status quo, but that does not mean IT should avoid innovation. "When a company decides to build an internal cloud to share a pool of computing resources for the deployment of user-specific applications, it should provide users with a familiar interface for accessing resources so that little or no training is required to simplify the transition," the Yankee Group report states. Enterprises also need to tackle the corporate culture in order to effectively deploy an internal cloud. While numerous vendors have tackled one or more aspects of the cloud-building process, several say their platforms alone are robust enough to build a private cloud. VMware's vSphere isn't a complete cloud platform yet, lacking self-service deployment, automated provisioning and billing, but VMware can be expected to bolster these aspects in the future, Staten says. VMware has dubbed the latest release of its virtualization software a "cloud operating system," while cloud building software packages are also available from Platform Computing, 3tera, Eucalyptus Systems and other vendors.

Platform Computing's ISF software aggregates servers, storage, networking tools and hypervisors to create a shared pool of physical and virtual resources. SAS, a business intelligence software vendor, is piloting Platform ISF internally to create a self-service portal for developers allowing them to "quickly and reliably provision and deploy compute and application resources," says Cheryl Doninger, research and development director for the enterprise computing infrastructure at SAS. Pooling together server, storage and networking resources will eliminate inefficiencies in SAS's previous method of deploying custom computing setups to individual R&D groups. It is perhaps the most comprehensive cloud building software, according to Staten, noting that it includes a workload distribution engine; an infrastructure aggregation layer; a self-service portal for IT administrators; metering and monitoring; and robust APIs for integration with third-party tools. SAS went with Platform ISF because the company needs to support multiple hypervisors and wanted its cloud to include both physical and virtual servers, possibilities not supported by VMware's vSphere. "Even though virtualization technology is getting better, there is still a performance consideration when you move an application from a physical deployment to a virtual deployment," Doninger says. Virtualization alone does not give users control over their own resources, Wolski explains, so products like Eucalyptus enable the self-service interface and sharing of resources. "Users can configure their particular piece of the cloud in exactly the way they want, just like they do with Amazon," Wolski says. "The cloud enables the user to have a great deal more control over the piece of infrastructure they are entitled to use.

Eucalyptus Systems, an open source company, provides a Linux-based platform that installs on existing hardware and is designed to let an internal data center operate like the Amazon Elastic Compute Cloud, says Eucalyptus CTO and co-founder Rich Wolski. Without a cloud, the administrator has to control everything." Private cloud adoption may be low today, but the market is expected to heat up significantly over the next few years. The analyst firm Gartner predicts that IT organizations will invest more in private cloud services than in external cloud providers through 2012. "Private cloud services will be a stepping-stone to future public cloud services," Gartner says. "For many large organizations, private cloud services will continue to be required for many years, as public cloud offerings mature." In addition to software-only products such as Platform ISF and Eucalyptus, companies such as IBM and HP are selling hardware/software bundles that work in similar ways, albeit without the benefit of reusing existing hardware.

Built during the Great Depression, Hoover Dam is one of America's great historical landmarks. Security officials from Reclamation gave CSOonline a tour of the facilities in mid-September, showing us highlights of the various security programs. Securing the dam and providing a safe experience for the many visitors requires a robust security program.

The Art Deco concrete structure, located about an hour outside Las Vegas in the Black Canyon of the Colorado River, straddling the Nevada-Arizona border, was the largest hydroelectric generating station, and the world's largest concrete structure when completed in 1936. Over 75 years later, Hoover Dam continues its multiple roles in flood control, power generation, and as a major supplier of water in the Southwestern U.S. The site is practically a city in itself, with its own police department and other security services. Guiding us was Peter Gregson, regional security officer for Reclamation's Lower Colorado Region. Some security procedures and systems, designed to deter, detect, and defend the facility were visible; however, much of the security activity is hidden. The tour began at the Hoover Dam Police Department in the Security Command Center, where the security staff monitors the various security, access control, and communications systems on a 24/7 basis. Gregson said many of the security controls, including such things as the checkpoints and command center, were instituted in direct response to the 9-11 terrorist attacks. In addition to the Hoover Dam police force, the dam employs additional contract security personnel to man vehicle checkpoints on the Nevada and Arizona entrance points.

Commercial vehicle traffic across the dam is restricted. Security training and exercises for the police and security officers are conducted frequently, often with other federal and local law enforcement agencies, to familiarize them with the facility. At the checkpoints, U-Haul-type vehicles are allowed after a search is conducted, while semi-trailer trucks, buses carrying luggage, and enclosed-box trucks are prohibited from crossing the road atop the dam (that traffic is diverted south to a Colorado River bridge at Laughlin, Nevada). "Cars are searched on a random basis or if there is a reasonable suspicion," he said. The Hoover Dam Police Department partners with many of the neighboring law enforcement agencies. "They conduct joint training with us," Gregson said. It will divert U.S. 93 traffic downstream from the dam.

Meanwhile, a new Hoover Dam Bypass and bridge is under construction, scheduled for completion next year. Once the bypass is completed, the road atop the dam will no longer be a direct route between Nevada and Arizona. The following slideshow shows various areas, from the road over the dam to the surrounding buildings and tunnels within the dam itself, as well as the energy-producing machinery and surrounding work spaces, a small representation of the diverse spaces that the Hoover Dam Police Department and security staff protect. Those managing dam security are bound by a host of government regulations and security standards including Homeland Security Presidential Directives and regulations and standards enforced by the North American Electrical Reliability Council (NERC). Under Presidential Directive 12, employee and contractor identities and suitability must be confirmed through background checks. "Everyone undergoes some form of identity verification and must display their identification badge when they are on the facility," Gregson said.

China's state-run news agency Friday started collecting questions from local Internet users for U.S. President Barack Obama, who is slated to speak to Chinese youth next week during his first visit to the country. Obama is scheduled to hold the session in Shanghai next Monday as part of a three-day visit to a country of rising economic and political influence worldwide. China and the U.S. have appeared to wrangle over the details of the dialogue session, such as whether it will be broadcast live.

China's Xinhua News Agency opened an online forum for users to submit questions and said the Web site would broadcast the event. Chinese officials often portray the Dalai Lama, Tibet's exiled spiritual leader, as a dangerous separatist, while he is usually seen as a peaceful religious activist in the West. "Do you really understand our China?" another question read. Questions that appeared in the forum ranged in tone from innocently curious to accusatory and nationalistic. "China's total elimination of serfdom [in Tibet] in 1959 was identical in nature to Lincoln's abolition of slavery in the U.S.," one post in the forum read, repeating a comparison made by a Chinese foreign ministry spokesman at a press briefing the previous day. "Mr. Obama, do you plan to meet with the Dalai Lama after leaving China?" Demands for greater religious and political autonomy in Tibet are among the most hot-button issues in China. Other questions were more personal. "What kind of Chinese name would you pick for yourself?" one post read. A representative at the U.S. Embassy in Beijing said a final decision on the format of the event still had not been reached.

Xinhua did not say if the event would also be broadcast on other Web portals or on TV. When asked earlier this week if the event would be broadcast, Ben Rhodes, a U.S. deputy national security advisor, told reporters that Obama hoped to reach as wide an audience as possible at the session but that details remained to be worked out, according to a transcript of his comments. Chinese leaders including President Hu Jintao have held rare online chats with Chinese Internet users in an apparent attempt to boost the government's image. Local Internet companies are expected to erase sensitive comments that appear on blogs or other parts of their Web sites and can face punishment for failing to do so. Chinese authorities heavily police the Internet for sensitive political content, pornography and other material deemed harmful.

Unisys is introducing a new service on Wednesday that will allow its customers to better manage, secure and support mobile devices carried around by employees, company executives said on Tuesday. CIOs are concerned about corporate data "roaming the streets," he added. Staff now expect to use their choice of devices anytime and anywhere, and this causes problems for CIOs around cost, the cost of support, and the security of applications and data, said Tony Doye, president of Unisys' Global Outsourcing and Infrastructure Services group, in a telephone interview.

The service framework for the new end-user productivity services will support Windows Mobile phones and BlackBerry devices, with support for the iPhone and other devices available in later releases. Some early-adopter customers, mainly in Central Europe, are already using the mobile-device management framework, he said. Currently organizations generally manage devices with specific technologies that only work with a specific platform, rather than with a consistent framework across a variety of devices, said Sam Gross, Unisys' vice president for global IT outsourcing solutions. The framework is managed by Unisys for customers, and the management and support of the devices is also done from the company's services delivery centers around the world, he added. Unisys is also offering access to standard office suites by subscription through a service called Virtual Office as a service from the Unisys Secure Cloud.

The new service will enable CIOs to reduce end-user costs by providing support for different devices, desktop PCs, applications and mobile data access through a mix of traditional, virtualized and secure cloud-based service delivery models, Unisys said. The Unisys Secure Cloud has technology that protects both data in mobile devices and in storage, using a combination of encryption and dispersion of data. "The model that we are delivering is server-side virtualization services, and in this situation the data never ends up on the end-point," Gross said. Unisys' Unified Communications as a Service, also delivered through Unisys Secure Cloud, offers Microsoft Exchange, Microsoft Office SharePoint Server and Microsoft Office Communicator applications in a multi-tenant environment. Unisys is also offering generic services such as the ability to destroy the image on a device if it is reported lost, he added. Besides offering these productivity applications, customers can also provide their employees with access to other applications running at the company, through the Unisys cloud, Gross said.

Google confirmed today that passwords for its free Gmail online e-mail service had been harvested by hackers, but downplayed the phishing attack as involving just a "small number" of accounts. We will continue to force password resets on additional accounts if we become aware of them." Like Microsoft on Monday, Google today denied that Gmail had been hacked, and Gmail usernames and passwords stolen because of a lapse on its end. "This was not a Gmail security issue, but rather a phishing scheme," said the Google spokesman. Earlier Tuesday, the BBC reported that both Gmail and Yahoo Mail had been targeted by a large-scale identity theft scam, perhaps the same one that collected between 10,000 and 20,000 passwords from those services as well as from Microsoft's Windows Live Hotmail, Comcast, Earthlink and others. "We recently became aware of a phishing scheme through which hackers gained user credentials for Web-based mail accounts including a small number of Gmail accounts," a Google spokesman confirmed today in a reply to questions from Computerworld. "As soon as we learned of the attack, we forced password resets on the affected accounts. Google told Gmail users to change their passwords if they suspected that their accounts had been compromised. "If you can no longer sign into your account, you can regain access by answering security questions," the company added, referring to Gmail's single-question automated password reset function. Last year, a Tennessee college student was accused of breaking into former Alaska governor Sarah Palin's Yahoo Mail account by abusing Yahoo's similar reset tool.

Neither Google nor Microsoft, however, has directly alerted users to the possible danger by sending messages to Gmail or Hotmail accounts, respectively, or by posting a warning on those services. Shortly after Palin's account was hijacked, Computerworld confirmed that the reset mechanisms used by Hotmail, Yahoo Mail and Google's Gmail could be exploited by anyone who knew an account's username and could answer a single security question. Microsoft, which acknowledged late Monday that passwords for "several thousand" Hotmail accounts had been hijacked by criminals, has blocked access to those accounts, and has made tools available to users who have lost control of their Hotmail inboxes. Phishing attacks are on the rise, according to the Anti-Phishing Working Group (APWG), an industry association dedicated to stamping out online identity theft. The APWG's most recent data reported that the number of unique phishing-oriented Web sites had surged to nearly 50,000 in June, the largest number since April 2007 and the second-highest total since it started keeping records.

The use of virtualization by cloud service providers to host virtual machines belonging to multiple customers on a shared physical infrastructure is opening up fresh data leak risks, a research report warns. The report by four researchers at MIT and the University of California at San Diego shows how vulnerabilities in cloud infrastructures could allow attackers to locate and eavesdrop on targeted virtual machines (VMs) anywhere in the cloud.

The attack described in the report was conducted against Amazon's Elastic Compute Cloud (EC2) service. The report is scheduled to be presented at the Association for Computing Machinery (ACM) Conference on Computer and Communications Security next month. But the vulnerabilities that enable it are generic and would likely affect other cloud providers, said Eran Tromer, a post-doctoral researcher at MIT's Computer Science and Artificial Intelligence Laboratory and one of the authors of the report. The research raises questions about a fundamental assumption about cloud computing which says that data hosted in a cloud is relatively safe from targeted attacks because it's hard to know where in the cloud the data is located. According to Tromer, the research shows that it is possible for attackers to identify the physical server on which a targeted virtual machine is hosted in the cloud. The research also comes at a time when concerns are high about security and privacy issues related to cloud computing.

The attackers can then establish a rogue virtual machine on the same machine to go after the victim. A VM acts as a self-contained computer within a larger server, with virtual boundaries separating each VM from the other. A virtual machine is an operating environment created within another larger environment. Multiple VMs can run within one physical server. In the case of Amazon's EC2 infrastructure, for instance, analyzing the IP address of a VM can reveal details such as geographic region, as well as the availability zones or specific infrastructure segment it is on, he said. The multi-stage attack starts with mapping the internal cloud infrastructure to locate the physical server hosting a target VM. Much of the information needed to glean the location of a target VM hosted in a cloud is contained in the IP address and domain name for that particular machine, Tromer said.

The IP address also specifies an instance type, indicating the amount of computational power, memory and persistent storage that is available to the virtual machine. The data gives attackers an idea of the parameters needed to establish a rogue VM on the same physical server as the target VM. They can then proceed to do this by instantiating new VMs until one is placed "co-resident with the target server," Tromer said. In addition, VMs located on the same physical server also tend to have IP addresses that are close to each other and are assigned at the same time. Attackers can significantly boost their chances of achieving "co-residency" by launching a denial-of-service attack against the target server and forcing it to expand capacity by adding new VMs. If the hackers simultaneously request new VMs of their own, their chances of getting one on the same physical machine as the target are significantly increased. These "side-channel attacks" have proved highly successful in non-cloud contexts so there's no reason why they shouldn't work in a cloud environment, he said. "The basic vulnerabilities, such as architectural side-channels, are inherent to virtualization technology used by all infrastructure-as-a-service cloud providers," Tromer said. According to Tromer, once an attacker gains access to the same physical server as the target VM, the attacker can monitor shared resources on the server to make highly educated inferences about the target VM. For instance, by monitoring CPU and memory cache utilization on the shared server, an attacker could determine periods of high activity on the target servers, estimate high-traffic rates and even launch keystroke timing attacks to gather passwords and other data from the target server, Tromer said.

What the research shows is that until cloud providers can guarantee impermeable partitions between virtual machines on a single server, customers should try as much as possible to avoid sharing physical servers with others in the cloud, he added. But in comments made to the MIT Technology Review, a spokesman said that Amazon has already rolled out safeguards to protect against the mapping techniques described in the research paper. Amazon did not respond to requests for comment. The company also refuted the notion that side-channel methods could be used to steal information from a VM on a shared physical server. In comments to the MIT Review, the Amazon spokesman said the researchers had tested such attacks in a "carefully controlled lab configuration that do not match the Amazon EC2 environment."

Symantec has updated its Data-Loss Prevention Suite so that if the software finds a data issue that needs fixing, it can apply third-party encryption and digital-rights management controls to the problem. Announced today, Symantec DLP Suite v. 10 adds what's called the "Flex-Response" capability to find sensitive data that has been left unprotected in the enterprise and apply security controls through encryption and DRM products from vendors such as PGP, Oracle, GigaTrust, Liquid Machines and Microsoft.

Symantec is also publishing a set of open APIs and a software development kit (SDK) to facilitate support for security controls through additional products, says Rob Greer, senior director of product management at Symantec. "Suppose I scan a file server, finding information not secured, not encrypted. The data can also be brought under the control of various DRM products so there can be controls placed on viewing, printing or adding to content.  Symantec DLP v.10, expected to ship in December, will have a workflow process that can alert managers to data that's out of compliance with corporate DLP policies; let them choose to apply encryption and DRM; and confirm that security policies have been enforced. For remediation I could apply PGP encryption," Greer says. Other changes in DLP Suite v. 10 are expected to tighten ties with other Symantec products. There will also be integration with Symantec's Control Compliance Suite for risk assessment of operating systems and applications. "You will get a full risk position view," Greer says. For instance, the updated version will be integrated with Symantec Security Information Manager for centralized collection and correlation of event and log data to determine security status.

Symantec has already begun adding ways to trigger policy-based DLP actions on its Symantec Endpoint Protection security software, such as "making [a desktop] a brick" if it's determined sensitive data is at high risk, Greer says. Symantec DLP v.10 starts at $25,000. Other automated actions are also being added to DLP v. 10 to allow interaction between Symantec's DLP and its flagship security software.

Television ads for the iPhone promise that "There's an app for that." And, if you're talking about to-do lists, tip calculators, and myriad other categories, that's likely true. And, assuming you have the programming chops to actually build such an app, how can you expect to garner any attention in an App Store that's jammed with 80,000 or so other programs also hoping to catch the eyes of users? But what if there's not an app to pull off the particular task you're hoping to perform on your iPhone? Appswell thinks it has the answer to both problems-an iPhone app that lets you propose ideas for mobile applications and vote on which ones should ever see the light of day. "We really believe the next big iPhone app idea is bouncing around the head of users," said Daniel Sullivan, Appswell's president and founder.

Other users, who've registered with Appswell, can offer their feedback on the idea, voting for the ones they like. The app-also called Appswell-allows users to submit ideas for iPhone and iPod touch applications. Every four weeks or so, Appswell picks a winner based on user votes. Appswell, along with its partner Bit Group will turn the app proposal into a finished product. The prize?

The user who came up with the idea gets $1,000 plus 10 percent of the profits from subsequent App Store sales. The idea has to be something that Appswell and Bit Group are able to build and it has to adhere to Apple's standards for iPhone apps-no porn, bandwidth hogging, privacy-compromising, malicious, or illegal apps, in other words. And then the contest kicks off again. (There are some general requirements for app ideas, Sullivan says. Which, sadly, eliminates, most of my app ideas right off the bat.) While Appswell is billing its crowd-sourced approach to app development as "The American Idol of iPhone apps, contest winners will be entirely chosen by other Appswell users, with no panel of judges weighing in with its opinions. By involving users early in the development process, Appswell believes, it can find out what consumers want before apps are even built.

So don't look for the App Store equivalent of a Simon Cowell making lemon faces while you describe your idea for the perfect iPhone app. "Right now, we really want to take this as the voice of the [Appswell] community," Sullivan said. "We don't want to put a filter on it." In addition to giving users the chance to propose ideas for would-be iPhone apps, Sullivan thinks Appswell's approach solves one of the major dilemmas facing developers-namely that it's hard to stand out in the App Store with so many apps arriving on any given day. And Appswell-developed apps will have a built-in fanbase of users who voted on the app from the get-go; that potentially gives the app an edge when it eventually arrives in the App Store. Mac users might remember My Dream App, a contest that generated several "winning" app ideas, but none of the apps ever saw the light of day. It remains to be seen, though, how successful the crowd-sourcing of app ideas can be.

Microsoft's acid-tongued covert blogger Mini-Microsoft offered up a report card on Thursday's all-company meeting at Seattle's Safeco Field, giving CEO Steve Ballmer two zeros and accusing business division president Stephen Elop of "sucking the life out of the stadium." While Microsoft employees provided tepid tweets from the company meeting that pulled 20,000 of them into the baseball stadium and jammed AT&T's cellular network, Mini-Microsoft looked for signs that the company was tuned into the job at hand, understood the impact of thousands of layoffs over the past year, and how Microsoft might stem inefficiencies at the company. He must acknowledge it starkly. CEO Ballmer was the first to disappoint, according to Mini-Microsoft, who hoped that the company leader would "come out front first, before any other Microsoft leadership, to speak the truth about the last year and where we are now. We had layoffs.

Ballmer got zeros on both counts. We had inefficiencies." Ballmer, however, didn't appear until the end, slapping hands with employees sitting close to the stage and tearing an iPhone out of an employee's hands and pretending to stomp on it. Elop fared even worse, drawing Mini-Microsoft's wrath for crushing the blogger's hope for short, sweet and powerful demos. "Elop. Baby. Steven. Dynamics.

What did I do to you to have that forced down my eyeballs? ... Geez. XRM. Really? Did anyone give you advice that this was a bad idea? If not, you're seriously lacking good reports willing to give you honest feedback." Mini-Microsoft had blogged before the confab on six hopes for the company meeting. If so, keep listening to them. In the grading system each hope represented a point and when all was said and done the score was 1.75. "Hey, almost one-third realized," wrote Mini-Microsoft.

The other hopes included "practical vision," which Mini-Microsoft graded out at .5, giving Craig Mundie, chief researcher and strategy officer, and Ray Ozzie, chief software architect, props for focusing on "practical aspects of product groups, research, and inbetween the technology transferring power of the labs groups." Mini-Microsoft's hope for short, sweet and powerful demos earned a .5. "Robbie Bach [president of the entertainment and devices division] did okay, but I can't say the demos blew me away," wrote Mini-Microsoft. Ballmer's zeros came from not coming out first to "set the context for the meeting in light of a pretty awful FY09 Q3 and Q4," and one for not giving a serious wrap up. The grade for Mini-Microsoft's hope on getting a good peek at new stuff came up .75. He called looks at Bing, Zune HD and new Laptop Hunter commercials "conservative." And the hope to see a new review system got a zero. And Mini-Microsoft had kind words for Dr. Qi Lu, formerly of Yahoo and now running Microsoft's online services group. "[He] might be my favorite techie right now. On the up side, Mini-Microsoft said he was surprised to hear COO Kevin Turner, who opened the meeting, admit that the company had over hired.

I was impressed with what he's brought together for Bing and what's coming and how he has focused the team and adopted some of the new technology that Satya [Nadella, senior vice president of research and development] was showing. Ever?" Who the hell thought we'd be feeling so good about our search decision engine?

Security vendor PandaLabs has discovered an online service offering to help those so inclined to hack into any Facebook account they choose for a price: $100. However, those who sign up for the service could find themselves becoming the victims instead, PandaLabs warned today. Users of the service are required to first register with the site and then provide an ID of the Facebook account they want hacked, said Luis Corrons, technical director of PandaLabs. The Facebook hacking service, which is delivered via a professional looking Web site, was discovered by PandaLabs earlier this week. Users who enter the ID and click on a "Hack it" button are then presented with the username of the owner of the Facebook account.

But to actually get the password, the user is then required to send $100 via Western Union to an individual in Kirovohrad, Ukraine. They then have the option to "Start Facebook hacking." Those who follow the instructions are eventually told that the hack was successful and a password for the account was retrieved. It's not clear whether sending the money will yield any login and passwords, Corrons said. The site contains an FAQ section, which claims the site has been in business for more than four years. But the way the site has been designed and the ease with which a potential client can interact with it lends it a certain degree of credibility, he said.

The site even provides a link to a Webmoney account that in fact does appear to be four years old, Corrons said. At least as of the last time PandaLabs inspected the site, it was not downloading or distributing any malware and seems to have been set up purely to scam those seeking to gain illegal access to Facebook accounts, Corrons said. However the domain itself appears to have been registered by someone in Moscow only a couple of days ago, he said. "We've been looking at it and we are 99.9% sure it is a ruse," to get people to pay up money in exchange for what they think will be legitimate Facebook credentials, he said. Those who do fall for the scam are unlikely to go to law enforcement to report it, he noted.

Even though demand for H-1B visas fell sharply this year, the debate over the program that lets employers temporarily hire foreign technology and other specialty workers has continued to intensify, especially in Congress. Thus the fiscal 2009 visa winners were selected via a lottery. The federal government's fiscal year began today with some 66,700 H-1B visas set to be issued, and nearly 20,000 still available under the cap of 85,000. A year ago, the available issues were reserved long before the start of fiscal 2009 after the government received 163,000 visa petitions within days of April 1, 2008, the first day applications were accepted.

Despite the waning interest in applying for visas as the economy declined, Congress is gearing up for what may be the final showdown over H-1B, arguably the most heated technology issue today. A list of fiscal 2009's 10 top H-1B stories, as compiled by Computerworld, follows: Number One: Senators Richard Durbin (D-Ill.) and Charles Grassley (R-Iowa) filed the H-1B and L-1 Visa Reform Act of 2009. The bill, which has not yet faced a Congressional hearing, has already become the rallying point for H-1B opponents and a top concern for the technology industry as a whole. The status of the visa could be resolved for the long term during the debate expected during fiscal 2010 over comprehensive immigration reform. The sweeping measure would require companies to post all help wanted ads on the Internet, and first complete "good-faith" efforts to fill the posted jobs with U.S. workers. Indian offshore firms appear most concerned about the bill because it would limit the number of visa holders they could employ to 50% of their U.S. workforce.

The bill also includes new wage requirements which would raise the salaries of the lowest paid visa holders. Durbin and Grassley are both members of the Senate subcommittee on Immigration, Refugees and Border Security and positioned to influence any comprehensive immigration reform legislation. Leading the debate is Sen. Number Two: The continuing debate over a comprehensive immigration reform prior to the filing of a bill in Congress. Charles Schumer (D-NY), who heads the subcommittee on Immigration, Refugees and Border Security and is an ardent supporter of the H-1B visa program. Greenspan called for an end to visa restrictions and said the H-1B cap protects tech workers from global competition.

Schumer offered a tip about what he wants in a reform bill by inviting former Federal Reserve Chairman Alan Greenspan to a committee hearing on immigration reform earlier this year. In fact, Greenspan called the U.S. tech workers a "privileged elite." Number Three: The indication that Congress would be willing to set restrictions on the H-1B visa program when it approved the $700 billion Troubled Asset Relief Program (TARP) in February. Grassley and Bernie Sanders (I-Vt.) imposed H-1B restrictions on banks that receive bailout funds. An amendment to the bailout bill by Sens. The restriction requires that the banks make a good faith effort to hire U.S. workers, though it didn't limit their use of offshore outsourcing firms. Number Four: The decision by the U.S. Citizenship and Immigration Service (USCIS) to step up enforcement of the H-1B visa petition process, demanding more evidence from companies to support the need for foreign workers.

The measure was driven by public anger over the bailout and fears of job losses. The paper chase was launched following a USCIS report last fall that found nearly 20% of H-1B visa applications had problems, which included fraud. Randall Sidlosca, an immigration attorney at Ogletree, Deakins, Nash, Smoak & Stewart, PC in Miami, said the main reason for the decline is the economic downturn, though the TARP restrictions also played a role. Number Five: A study by researchers at the New York University's Stern School of Business and Wharton School of the University of Pennsylvania found evidence that H-1B use is reducing tech wages by as much as 6%. Number Six: Demand for H-1B visas declined, at least temporarily, in recent months. The lack of H-1B jobs has prompted many foreign national students in U.S. universities to seek additional degrees, according to Sarah Hawk, who heads the immigration practice at Fisher & Phillips LLP in Atlanta.

Some say it was the largest H-1B enforcement action ever taken by the federal government on the H-1B program. Number Seven: The U.S. Department of Justice filed H-1B fraud charges against a dozen people and companies, alleging that they were "displacing qualified American workers," by avoiding prevailing wage laws, undercutting tech worker salaries and treating H-1B workers as itinerant laborers. Number Eight: President Barack Obama appointed strong supporters of H-1B visas to positions in his administration. For example, Diana Farrell, deputy director of the National Economic Council, is a former executive at McKinsey & Co., a consulting firm that has produced research that concludes offshore outsourcing is a means to improving the U.S. economy. The Obama administration has yet to outline its approach to the H-1B visa issue, but the views of his appointees, or at least the companies they have worked for, are well known. Janet Napolitano, the former governor of Arizona and now secretary of the U.S. Department of Homeland Security, which oversees the USCIS, is another H-1B advocate.

CEO Eric Schmidt, who has also argued against cap restrictions, was appointed to the President's Council of Advisors on Science and Technology (PCAST), along with Microsoft's Chief Research and Strategy Officer Craig Mundie. Google Inc. Microsoft Chairman Bill Gates has been a leading proponent of ending the visa restrictions. But the case forced tech workers into a Catch-22 situation after the government argued that the guild and its co-filers didn't have standing to bring a case, which raised the question of who should file the suit. Number Nine: The Programmers Guild's legal challenge to a decision by President George W. Bush's administration to increase the term of student visas from one year to 29 months.

Number Ten: The shrinking IT job market brings the H-1B debate into clearer focus. Unless the tech employment picture improves before the immigration reform debate reaches its apex, the H-1B issue will draw ever sharper focus. For the technology industry and tech workers, the H-1B visa is at the heart of the globalization issue. It is a fight between those who believe H-1B visas are needed to foster economic growth, and those who see the visa as a means for displacing U.S. workers.

Top Chinese e-commerce site Alibaba.com aims to announce an Indian joint venture this year as the company expands its global footprint, it said Friday. A deal in India, where Alibaba.com recently surpassed 1 million registered members, would be the latest in the site's efforts to grow abroad. "I've got a lot of confidence in India," said Jack Ma, CEO of Alibaba Group, the parent company of Alibaba.com. Alibaba.com is in talks with an Indian reseller about forming a joint venture, CEO David Wei told reporters at a briefing.

Alibaba.com is a platform for small and medium businesses to trade everything from lumber and clothes to iPods and PC components. Alibaba.com already works with Indian publishing company Infomedia 18, its likely joint venture partner, to promote its platform in the country. Its main member base is in China, but the site also has 9.5 million registered users in other countries and facilitates many cross-border trades. The site also has a joint venture in Japan and recently launched a major U.S. advertising campaign to attract more users there. Ma said Alibaba knows it needs to "do something" in Latin America as well.

Ma and other top Alibaba executives visited the U.S. early this year for meetings with potential partners including Amazon.com, eBay and Google. When asked if the company would also seek to expand in Eastern Europe, Ma said, "I will be there." Alibaba will not hold a majority stake in joint ventures it forms, instead taking a share similar to the 35 percent it has in its Japan operation. "Our global strategy means partner with local people," Ma said. "We want partners and we want partners to control their business." Users place total orders of more than US$200 million each day on the Alibaba.com international platform, Wei said. About 50 percent of those orders go to Chinese exporters, he said.

U.S. Federal Communications Commission Chairman Julius Genachowski's decision to seek to formalize net neutrality rules would either bring "unconstitutional" new regulations to the Internet or a welcome "paradigm shift" in U.S. communications policy, depending on whom you talk to. Genachowski also pushed to apply the net neutrality regulations to mobile broadband providers, and he called for an expansion in existing broadband policy principles to prohibit broadband providers from discriminating against Web content and services while allowing them to engage in reasonable network management. Genachowski announced Monday that he will ask his fellow commissioners to support a rulemaking proceeding to create formal net neutrality rules that would prohibit Internet providers from selectively blocking or slowing Web content and applications. The FCC has been enforcing net neutrality principles on a case-by-case basis since August 2005, but formal rules would ensure that application and content developers on the "edge" of broadband networks can innovate without interference from network operators, Genachowski said in a speech at the Brookings Institution. "This is the power of the Internet: distributed innovation and ubiquitous entrepreneurship, the potential for jobs and opportunity everywhere there is broadband," he said. "Saying nothing - and doing nothing - would impose its own form of unacceptable cost.

It would deny the benefits of predictable rules of the road to all players in the Internet ecosystem." But some broadband providers and conservative think tanks suggested Genachowski's plan could lead to burdensome new regulations. It would deprive innovators and investors of confidence that the free and open Internet we depend on today will still be here tomorrow. The FCC is currently developing a national broadband plan and Genachowski's proposal might "change the rules of the road" before that's completed, said Ken Ferree, president of the Progress and Freedom Foundation, a conservative think tank. "I'm troubled to learn that the FCC is embarking on an exercise that would probably result in rules that are unconstitutional and almost certainly beyond the FCC's statutory jurisdiction," he said in an e-mail. "Aside from the legal issues it raises though, I find myself at a loss to understand why the administration wants to start meddling with a sector of the economy that, despite a challenging macro-economic environment, is performing pretty well by any rational standard. The FCC used its broadband policy principles to prohibit Comcast from blocking or slowing peer-to-peer traffic in a commission vote in August 2008. Comcast was glad to see that Genachowski appeared to suggest that the Internet is now free and open, Comcast Executive Vice President David Cohen said in a blog post. "Before we rush into a new regulatory environment for the Internet, let's remember there can be no doubt that the Internet has enjoyed immense growth even as these debates have gone on," he wrote. "The Internet in America has been a phenomenal success that has spawned technological and business innovation unmatched anywhere in the world. It's almost as if they are trying to turn a story of success into one of failure." Broadband provider Comcast said it welcomes a dialogue about net neutrality, but officials there questioned if more regulations are needed. 
So it's still fair to ask whether increased regulation of the Internet is a solution in search of a problem." CTIA, a trade group representing mobile carriers, said it was concerned that the FCC could make rules that prohibit mobile carriers from differentiating their products and services.

"The Internet is a work in progress, and we really don't know what it's going to look like five years from now," he said. "We believe that new capabilities will be created by innovation in the network, and those new capabilities and innovation should not be precluded by regulation." Young said he was glad to hear Genachowski say the end result of the rulemaking has not been determined in advance. "We need to determine what are the problems that need to be fixed," he said. "What are the examples that require a dramatic change in the regulatory policy of dealing with the Internet." Until now, U.S. lawmakers and regulators have had a hands-off approach to the Internet, Young added. Genachowski pointed to limited competition among service providers as part of the need for new net neutrality rules, but competition is strong among mobile carriers, said Chris Guttman-McCabe, vice president of regulatory affairs at CTIA. "We are concerned about the unintended consequences Internet regulation would have on consumers considering that competition within the industry has spurred innovation, investment, and growth for the U.S. economy," Guttman-McCabe said in a statement. "Unlike the other platforms that would be subject to the rules, the wireless industry is extremely competitive, extremely innovative, and extremely personal." Verizon Communications supports a free and open Internet, but new FCC rules could make it difficult for broadband providers to offer security features or other innovative products, said David Young, the company's vice president for federal regulatory affairs. But Genachowski and Gigi Sohn, president of digital rights group Public Knowledge, said net neutrality rules wouldn't really be new. Over the past four years, there's been a heated debate in Washington, D.C., about the need for net neutrality rules, he said. "It is the elixir of consumer choice and competition that we have long been waiting to see firmly applied in the Internet space," Scott said.
"We're going to settle this question once and for all, and we're going to deliver an open Internet for the U.S." Other companies and groups supporting Genachowski's announcement included Google, Skype, the Consumer Electronics Association, and the Computer and Communications Industry Association, a tech trade group. Until 2005, when the FCC changed the rules, broadband providers had to operate open networks to share with competitors, Sohn said. "American Internet users should be celebrating today," Sohn said. "After four years of regulatory uncertainty, the FCC chairman announced that the agency will start a proceeding to adopt rules that will ensure an open Internet on every single broadband platform." Ben Scott, policy director at media reform group Free Press, called Genachowski's announcement a "paradigm shift" in FCC policy that will ensure the health of the Internet.

Senator Byron Dorgan, a North Dakota Democrat, also welcomed Genachowski's plan. This principle of open access has been the cornerstone of the Internet's growth so far, and is vital to its continued success in the future." Dorgan has pushed for net neutrality legislation in the U.S. Congress. "An open and democratic Internet is necessary in order to allow innovation, economic opportunities, and consumer benefits to flourish, and it is critical that we maintain this access," Dorgan said in a statement. "By ensuring that consumers and online businesses can use the Internet without interference from broadband service providers, net neutrality will prevent the advent of haves and have-nots.

Avaya has emerged as the winning bidder for Nortel's enterprise business, reportedly beating out Siemens Enterprise Communications over the weekend. Avaya will also contribute an additional pool of $15 million for an employee retention program. The firm will pay $900 million for the unit, Nortel's Government Solutions group and DiamondWare Ltd., a Nortel-owned maker of softphones. That price is nearly twice what Avaya was initially said to be buying the enterprise business for back in July before auction bidding kicked in.

Telecom carrier Verizon, however, is expected to contest the sale on the grounds that Avaya does not plan to retain customer support contracts between Nortel and Verizon. Avaya has sought Nortel's enterprise business in hopes of boosting its share of the enterprise telephony and unified communications markets, and getting more customers to migrate to its IP line of communications products. The sale, expected to close later this year, is subject to court approvals in the U.S., Canada, France and Israel as well as regulatory approvals, other customary closing conditions and certain post-closing purchase price adjustments. Nortel is confident the sale will go through without any snags. "We do not expect the Verizon interaction to impact court approval or the close of this deal," said Joel Hackney, president of Nortel Enterprise Solutions. "We will continue to go forward in supporting customers." Hackney would not say whether Nortel is engaged in the negotiations between Avaya and Verizon on the future of certain customer support contracts, mentioning only that Nortel supports Verizon as a customer as well as the carrier's customers. Nortel customers hope the deal works out in their interest. "Nortel earned the trust of our user group members by delivering innovative, reliable communications solutions and ensuring high-levels of service and support," said Victor Bohnert, Executive Director of the International Nortel Networks Users Association, in a prepared statement. "With the announcement of today's purchase by Avaya, we look forward to extending that relationship forward to serve the business communications needs of our constituency base across the globe." Nortel will seek Canadian and U.S. court approvals of the proposed sale agreement at a joint hearing on September 15, 2009. The sale close is expected late in the fourth quarter.
Hackney also said there were two bidders for the enterprise unit but would not identify the second suitor. In some EMEA jurisdictions this transaction is subject to information and consultation with employee representatives.

As previously announced, Nortel does not expect that its common shareholders or the preferred shareholders of Nortel Networks Limited will receive any value from the creditor protection proceedings and expects that the proceedings will result in the cancellation of these equity interests.

Microsoft Corp. called the claim by Canadian developer i4i Inc. that it plotted to drive the company out of business "distorted," and "a breathless tale" that was not supported by the evidence, according to court documents. But Microsoft also pressed the appeals court for a complete reversal, saying that decisions made by the Texas lower court led "to erroneous verdicts of infringement and validity, and grossly unsupportable damages." Microsoft's response brief saved its most blistering words for i4i, the Toronto-based company that in 2007 said Microsoft illegally used its patented technology to add XML editing, and "custom" XML features, to Word 2003, and later, to Word 2007. "Having little to rebut Microsoft's arguments on the merits, i4i devotes the majority of its brief to a distorted presentation of irrelevant 'evidence'," read Microsoft's brief. "i4i labors mightily to paint Microsoft pejoratively, portraying it as a once-close 'business partner' that supposedly stabbed i4i in the back and 'usurped' i4i's patented invention." Last week, i4i claimed Microsoft marketed the former's XML software to potential customers at the same time it planned to make that software obsolete by building similar features into Microsoft Word using its technology. At the least, Microsoft told the U.S. Court of Appeals for the Federal District, it deserves a new trial. "At minimum, a new trial is warranted," the company said in a reply brief filed Monday. Within days of a 2001 meeting between representatives of the two companies, according to an internal e-mail, someone at Microsoft said, "[I]f we do the work properly, there won't be a need for their [i4i's] product," i4i said as it linked the two events.

Microsoft's reply was the latest round in a patent infringement case that started two years ago when i4i accused the software maker of using its technology in Microsoft's popular Word software. That's nothing but a tall tale, Microsoft said. "Unfortunately for i4i, the truth is both comparatively mundane and innocent: After a handful of unfruitful meetings, i4i and Microsoft went their separate ways and Microsoft later released the custom XML functionality for Word that it had told i4i it was developing," the company's lawyers said in the brief. Last May, a Texas jury said Microsoft was guilty of patent infringement, and awarded i4i $200 million in damages. The injunction, said Microsoft, meant it might have to pull Word, and the Office 2003 and Office 2007 suites, off the market for months. In August, U.S. District Court Judge Leonard Davis added more than $90 million in additional damages and interest to Microsoft's bill, then issued an injunction that would have prevented it from selling Word 2003 and Word 2007 as of Oct. 10. Microsoft quickly won a fast-track appeal after warning the three appellate judges that the injunction would create sales chaos for the company and its partners, including Hewlett-Packard Co. and Dell Inc., the world's two largest computer makers.

Two weeks ago, the court of appeals suspended the injunction while it hears and decides Microsoft's appeal. But the company's lawyers also disputed claims made by i4i in the brief it submitted Sept. 8, particularly the conclusion that Microsoft had schemed to tout i4i's software on the one hand, and use its technology in Word on the other. "Most of the evidence demonstrates only that i4i attended certain meetings with Microsoft," the company said. "There is absolutely no evidence in this record from which a juror reasonably could infer that Microsoft had knowledge of the contents of the [i4i] patent." Nor should the injunction against selling current versions of Word stand, said Microsoft. "Even assuming that i4i had shown both competition and harm tied to that competition, an injunction is inappropriate because i4i has not shown that whatever harm it has suffered is irreparable and cannot be remedied by money damages," Microsoft stated. "Today's reply brief is an opportunity to reinforce our key assertions in this case," said Microsoft spokesman Kevin Kutz on Monday. "We believe the district court erred in its interpretation and application of the law in this case [and] we look forward to the September 23 hearing before the U.S. Court of Appeals." Kutz's reference was to the oral hearing scheduled for next week, when both parties will present their arguments before the panel of three judges. i4i was unavailable for comment on Microsoft's brief. Most of Microsoft's brief was a recitation of points made last month in its request for an appeal, when it lambasted Davis for his handling of the case and called the verdict a "miscarriage of justice." Microsoft again hit on some of the same points, criticizing Davis' rulings during the trial and arguing that i4i's patent was obvious, and thus not protected.

Microsoft late Tuesday confirmed that a bug in Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2, could be used to hijack PCs.

The vulnerability in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, was first disclosed late Monday, when a researcher posted exploit code he claimed crashed Windows Vista and Windows 7 systems, causing the dreaded "Blue Screen of Death."

Later in the day, several researchers, including Tyler Reguly, a senior security engineer of nCircle Network Security, vouched that tests showed the attack code crashed machines running Vista, Server 2008 and the Windows 7 and Server 2008 R2 release candidates, but not the final, or RTM, versions of the latter two. Also on Tuesday, another researcher, Ruben Santamarta, said on the Bugtraq mailing list that the vulnerability was not only a denial-of-service flaw, but also allowed remote code execution, security-speak for a bug that could be used to hijack a machine.

In a security advisory issued around 9 p.m. ET Tuesday, Microsoft corroborated both Reguly's and Santamarta's findings.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft's advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Microsoft also noted that while the release candidates of Windows 7 and Windows Server 2008 R2 are vulnerable, the RTM, or release to manufacturing, editions are not.

The RTM versions of Windows 7 and Windows Server 2008 R2 are the ones that were handed over to computer makers in late July, and issued to volume license customers, and some developers and IT professionals in early August.

The release candidates, on the other hand, have been widely distributed, with millions of users downloading Windows 7 RC during the three and a half months it was available to the public.

"This vulnerability was reported after the release of Windows 7 Release Candidate," Microsoft's advisory noted. "Customers running this platform are encouraged to review this advisory and follow the steps listed here."

Earlier versions of Windows, including Windows 2000, XP and Server 2003 are also safe, since they do not use SMB 2.

Microsoft said it is working on a patch for the SMB 2 vulnerability, but did not spell out a timeline. Its regularly-scheduled September updates were issued Tuesday about 1 p.m. ET; the next expected batch of patches isn't due until Oct. 13.

Until a patch is available, Microsoft recommended that users disable SMB 2 by editing the Windows Registry - a task too daunting for most consumers - or block TCP ports 139 and 445 at the firewall. Doing the latter will cripple several important services or applications, including the browser, Microsoft acknowledged.

Even though the flaw exists and exploit code is in circulation, some researchers were upbeat. "At the moment I think the default configurations are going to provide enough mitigation for most users, those being the default firewall configurations since Windows XP SP2," said Andrew Storms, nCircle's director of security operations, in an instant message late Tuesday.

Hackers who manage to get within the perimeter of a network, however, may find easy pickings. "The key to a good attack would be to get in on the inside, where enterprises have host-based firewalls disabled," he said.

The SMB 2 vulnerability isn't the only Microsoft bug that's gone public, but has not been patched. Last week, Microsoft announced it was working on a fix for a flaw in the FTP (file transfer protocol) server included in the company's popular Internet Information Services (IIS) Web server.

Microsoft has confirmed that hackers are already using exploits of the FTP bug to attack Web servers.

Security experts are making progress in their efforts to identify the hackers responsible for the distributed denial-of-service (DDoS) attacks that crippled Twitter for several hours yesterday.

They have also come up with strong evidence that confirms claims that the DDoS rampage that brought down Twitter and hit Facebook, Google's YouTube and LiveJournal was caused by attacks targeting a pro-Georgian activist and blogger.

But they have yet to nail down exactly who was behind the attacks, how they were conducted, and from where.

Twitter, meanwhile, admitted that the attacks were "geopolitical in motivation."

"This was a very targeted attack, and what the research shows is that it was aimed at one particular person, and that person's accounts on Twitter, Facebook, YouTube and LiveJournal," said Dave Marcus, director of security research at antivirus vendor McAfee.

McAfee has identified six separate DDoS attacks against various accounts registered to a user pegged as "Cyxymu," as well as a simultaneous spam e-mail campaign aimed at Cyxymu's Gmail account.

"We back-traced and correlated the data from the attacks targeting Facebook, Twitter and others, and found commonalities in the IP [address] information," Marcus said.

Although McAfee was as of yet unable to identify the botnet responsible for the DDoS attacks, its trace-backs revealed that 29% of the machines composing the army of hijacked computers were located in Brazil. Turkish PCs accounted for another 9%, and Indian systems made up another 8%.

Marcus declined to guess the botnet's size. "That's kind of a point of contention," he said. "In the case of Twitter, they've gone down before anyway, so it could have been small. Facebook, however, tends to be a lot more resilient, with a lot more load balancing and defensive measures." That might indicate the botnet, which hampered Facebook but didn't knock it offline, is larger.

"We're still looking at which botnet it was that did this," Marcus said.

So is Don Jackson, director of threat intelligence for SecureWorks and a noted DDoS expert, who last year at this time investigated Russian "cybermilitia" attacks against Georgia, the former Soviet republic that was then battling Russian military forces over a territorial dispute. "We don't have indication that it's part of a known botnet," Jackson said today. "For such a high-volume, high-profile DDoS [attack], there's a conspicuous lack of evidence."

Jackson and other researchers at SecureWorks haven't seen the usual chatter in known hacker and "hacktivist" forums, been able to locate any botnet command-and-control servers showing evidence of having ordered the DDoS attack, or found any clues that the usual commercial DDoS suspects, who make a living renting out bots for such attacks, were involved.

"Either we had a serious breakdown in our security intelligence on this, or the commercial DDoS guys have researched, and found, different ways to mask their attacks," said Jackson.

However, what data SecureWorks does have points to multiple DDoS attacks launched against the pro-Georgian blogger, Jackson said, backing what Marcus has said.

Even so, Jackson was mystified at the lack of hard information. "We have all kinds of feelers out there to find out if this is a Georgia versus Russia thing," he said. "We have all kinds of triggers that would tell us if that was the case. But so far, there's been nothing."

Last August, Russian hackers mobilized an ad hoc DDoS against numerous state-sponsored sites in Georgia, including its foreign ministry's, defense department's and president's sites. At the time, researchers said that the attacks had left Russian hacker fingerprints.

Today, Jackson said there might well be a connection between last year's attacks and those against Twitter, Facebook and others yesterday. He cited the circumstantial evidence of the dates - Georgia attacked the break-away province of South Ossetia on August 7, and Russia responded the next day.

"There's certainly a lot constant hackers involved over there, but there's no chat about it at all in the usual places," Jackson said. "But I think it would be unusual for them to self-mobilize for an attack of this size, against one person."

That would add weight to the idea that a commercial DDoS operator might have been involved. If it was a Russian group that specializes in DDoS attacks, "the cost would be free," said Jackson, adding that it was conceivable that the botnet had been donated to the cause of hitting Cyxymu.

"Hacktivism is very much back," said McAfee's Marcus. "But it's really hard to say that this is the beginning of a trend, this targeting of individuals that leads to collateral damage [like the Twitter outage]."

On the plus side, Marcus said, when Twitter went dark for several hours the outage locked out not only the innocent but also the criminals who rely on Twitter as a launch platform for spam and malware distribution.

"I guarantee that they were irritated," Marcus said.

For its part, today Twitter co-founder Biz Stone acknowledged that the micro-blogging site had not restored full service, and was in fact still fending off attacks. He also hinted at a confirmation of what McAfee, SecureWorks and other security firms said today, that the attacks had some kind of political agenda.

"The ongoing, massively coordinated attacks on Twitter this week appear to have been geopolitical in motivation," Stone said in a company blog posted just before 2 p.m. Eastern.

"However, we don't feel it's appropriate to engage in speculative discussion about these motivations," Stone said.

More predictions about the future of mobile devices are coming out of the MobileBeat Conference in San Francisco. Ilja Laurs, the head of GetJar - a mobile device app store that boasts 14 million downloads monthly - recently said that mobile phone applications "will be as big if not bigger than the Internet," according to the BBC. That statement is in direct contrast to last week's declaration by Google's vice president of engineering, Vic Gundotra, who said it's not the apps, but the browser that will be the future application platform for the mobile device.

Laurs believes the popularity of applications will peak by 2020 with around 10 million apps available worldwide. After 2020, the popularity of mobile apps will drop off considerably. But Gundotra says the multitude of available cell phone platforms will become too costly for companies to develop a separate app for each operating system. The alternative, Gundotra says, is building applications for the still nascent mobile browser.

Sounds to me like a fight is brewing over how you'll use your mobile device in the future. In the one corner you have Apple, GetJar, and almost every other company championing the downloadable app; and in the other, the mighty Google declaring the Web as the future of just about everything.

The Downloadable App

Apple turned the mobile industry on its head with the iPhone, and the company took its success even further with the release of iPhone OS 2.0 and the App Store in iTunes. Today, the iPhone is becoming a platform for just about everything including games, social networking, turn-by-turn directions, e-reading, and news updates. Recently, Apple announced that iPhone customers have downloaded more than 1.5 billion applications from a library of more than 65,000 titles in the app store. Based on Apple's success, practically every major handset manufacturer has jumped on the app store bandwagon, with online retail outlets open for BlackBerry, Nokia, Palm, Windows Mobile and even Google's Android handsets.

But the downloadable model has inherent problems. Apple has been accused many times of having bizarre and incomprehensible policies about its approval process for third-party developers. Budding programmers designing for the iPhone and other devices are also finding it difficult to make a profit from their applications. Many times, a particular application will gain traction with the public, but then die off as other more interesting applications take their place. Speaking with the BBC, Laurs said this is the inherent problem with all application stores and that approximately 90 percent of all developers are doomed to failure. However, Laurs also said those app developers that remain standing will have a highly profitable business.

The Mobile Web App

While Apple has the download market cornered, Google is working hard to capitalize on the growing importance of the Internet. The company recently announced its cloud operating system, Chrome OS, as a follow up to Google Chrome, its questionable attempt to revolutionize the traditional Web browser. The Internet monolith that started with a simple search box is now the go-to service for millions around the world with online offerings that include e-mail, office document software, an RSS catcher, social networking, video streaming, news aggregation, blogging, and on and on. With such an overwhelming presence online, it's clear why Google would want the Web to be the future of the mobile device.

However, the problem with accessing apps through the browser is that they are rendered useless once you lose your Internet connection. The future may point to a day when every square inch of the United States is covered by some sort of wireless connection, but as InfoWorld's Bill Snyder recently pointed out, it's hard enough to find a good signal in San Francisco or New York, never mind trying to access your Gmail while you're traveling across the plains of Wyoming or the Nevada desert. Mobile Internet service just isn't ready for Google's revolution.

In theory, browser-based apps are a nice idea, and Google's dream may be inevitable, but for now I'm betting most of us don't want our phones to lock us out of our music, games, or other content every time we drop our Internet connection.

So, what about you? Are you happy with your downloaded content, or are you willing to give up your mobile applications for Google's cloud?

Router maker Juniper Networks has barred one of the company's security researchers from discussing security flaws in Automated Teller Machines after an ATM maker threatened legal action.

Staff Security Researcher Barnaby Jack had been set to deliver a July 30 talk entitled "Jackpotting Automated Teller Machines" at the Black Hat security conference in Las Vegas. But Jack abruptly asked conference organizers to pull the talk on Monday, according to Black Hat Director Jeff Moss. The talk has also been pulled from Black Hat's sister conference, Defcon, he added.

News of the cancellation was first reported by security news site Risky.Biz.

In a statement, Juniper said Tuesday that it made Jack withdraw the talk after an ATM vendor expressed concern that Jack's research could be misused. "Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research," Juniper said.

Neither Juniper nor Moss would name the ATM maker that Jack had been studying, but Juniper says it is reaching out to other vendors as well to share information.

According to Jack's description of the talk on the Defcon site, he had found a vulnerability in the underlying software used to run "a line of popular new model ATMs."

"I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine," the Juniper researcher wrote. "I think I've got that kid beat."

The presentation was supposed to "explore both local and remote attack vectors, and finish with a live demonstration of an attack on an unmodified, stock ATM."

According to a source familiar with the situation, Jack had been working with the vendor for the past nine months, but the ATM maker grew concerned that Jack's talk would lead to some bad publicity.

Black Hat talks have been pulled in the past because of legal threats. In 2005 researcher Michael Lynn was told by his employer, Internet Security Systems, to pull a Black Hat talk on router vulnerabilities after Cisco Systems threatened to sue him. Lynn quit and gave the talk anyway.

Within months, he was hired by Juniper.