Thursday, August 23, 2007

Bill Gates seeks patent for ad-rebate program

I don’t write a lot about Microsoft patent applications, as they’re often so vague that guessing their true intent is an effort in futility. But when it’s Microsoft Chairman Bill Gates’ name on the application, things get a little more interesting.

Gates and a Microsoft researcher applied for a patent in March 2006 for an advertising system that would use customer points to confirm transactions. (Thanks to Todd Bishop with the Seattle Post-Intelligencer for the patent link.)

The patent abstract:
“The claimed subject matter can provide a mechanism that facilitates a new advertising and/or referral architecture in the Internet advertising space, e.g., for advertising on search engine web pages and/or on content web pages. A mechanism is provided to confirm transactions even without monitoring them e.g., by issuing perishable, non-redeemable points to a merchant based upon an advertising budget. The points can then be issued as redeemable points to a customer, e.g., based upon the customer makes a purchase from the merchant. Points transferred to the customer can verify that a transaction occurred, and can be redeemed for products/services, including a convenient ‘micro-payment’ mechanism.”
This patent application is interesting for several reasons. First, it shows just how much time and energy Gates is putting into understanding the dynamics of the online advertising market. (And you thought all Gates cared about were perpetually up-and-coming technologies like Tablet PCs, voice-recognition software and IPTV….)

Gates has been mulling the role of points and micropayments in the e-commerce space for years. Anyone else remember Microsoft Wallet? Of late, like a number of other Microsoft brass, Gates also has been looking for ways to target advertising at specific consumers by using methods and technologies other than search engines and click-through rates (CTRs).
Could a point system, similar to a frequent-flyer rewards program, be a better and potentially more secure way to match advertisers and consumers? Playing the “anti-competitive” and “information monopoly” trump cards, the patent applicants argue:
“Conventional search engines providers usually sell the ad space to the highest bidder based upon a pay-per-click (PPC) scheme and/or set the fee for the ad space according to a click-through-rate (CTR). However, these schemes have proven to be counterproductive for both consumers and advertisers, and ultimately inefficient to the search engine industry as well. These schemes or business models are anti-competitive as evidenced by the extremely high profit margins of the top two search engine providers. However, the market share for these search engine providers continues to increase, establishing an ‘information monopoly.’ Moreover, these models do not account for the true value of the ad to consumers or compensate for click fraud, wherein a user clicks on an ad, perhaps numerous times, for the incentives provided rather than due to an interest in the advertiser.”

Another reason I found this patent application interesting was Gates’ co-applicant, Kamal Jain. Jain is a seven-year Microsoft Research (MSR) veteran. His current title is “Principal Researcher, Theory Group.” According to Jain’s bio, he started out as a member of MSR’s cryptography group. Now he’s part of MSR’s ACE (algorithms, computation and e-commerce) group.

Jain is listed as a co-inventor on a number of patents, “including some on contemporary areas related to ad display and ranking, dynamic ads in live games, ecommerce, wi-fi music sharing, peer-to-peer networking, water-marking, global and universal Turing tape, and ink-signature etc.” Besides Gates, Jain’s other co-inventors include Chief Software Architect Ray Ozzie and Distinguished Engineer Gary Flake.

According to the “SEO by the Sea” blog (a link also provided by the Seattle PI’s Bishop), Jain’s been a busy patent applicant and seems to be submitting patents on a variety of ad-referral- and ad-targeting-related inventions.
Any other observations about this patent application by Gates and Jain?

The Hidden Wealth in Domain Names

When will the ad industry and its clients wake up to the value of domains? When asked that question at 1:30 a.m. on the Domain Roundtable Conference's first night, conference chair Jay Westerdal responded: "They're going to wake up when it's too late." Most of those interviewed at the conference confirmed his views.

How to draw the advertising industry into the secondary market for domain names is preoccupying the domain name industry this year. Domain industry convocations have been grappling with the issue, seeing it as providing an opportunity for the secondary market to scale up and achieve sustained profitability and liquidity.

The most recent major conference was the Domain Roundtable Conference, hosted in Seattle by Name Intelligence Aug. 13-15. The Seattle conference highlighted the importance of the issue, and presented contrasting perspectives on why traditional advertising firms have largely stayed away from secondary markets for domain names.


Investing in Domain Names
Conference participants expressed agreement on the legal impediments that are seen as discouraging investment in domain names. Frank Schilling, a domain investor and panelist at the Seattle conference, advocates changes in intellectual property laws in the United States to provide increased security of title for registrants of domain names.

Schilling is alarmed at the prospect of trademark owners automatically assuming that they have the rights to every domain name that comes close to a variation or permutation of a registered trademark, regardless of whether a trademark and domain name are being used for related purposes.

"What is needed is reform of U.S. trademark laws that is fair to both sides," said domainer Gene Heu, speaking outside the auction session on the last day of the event. "Advertising agencies and their clients will be afraid to invest in domain names if they fear that another party will come after them."

Fairness for both sides was a theme echoed by Michael Zaugg of RevenueDirect, which provides parking services for domainers seeking to monetize their traffic with advertisements targeted specifically to individual domain names.

"In defense of trademark holders, they should not have to register thousands of typos and variations of their brands in order to have some protection, but yet the globalization of commerce has made it hard to find new domains that are not similar to those in use elsewhere," Zaugg said.

"The Internet has done what madmen and conquerors have tried to do throughout time: unify the world," said Heu. The unification of global commerce on the Web has forced all businesses and brand owners to compete on the same global platform for brand identity through domain names, Heu explained. Competition is fiercest for dot-com domains, which carry the most authority and prestige for branding purposes.

Domainers in Seattle suggested that new trademark rules could be accompanied by a domain name amnesty, whereby domain owners would be able to offer domain names to trademark holders in exchange for reimbursement of accumulated registration costs. Opportunities for trademark owners and domain owners to enter into non-adversarial discussions are seen as lacking from current dispute resolution systems.

Another suggestion was for the Internet Corporation for Assigned Names and Numbers (ICANN) to attach trademark rights information to domain names at the time of registration. Domain names being considered for registration could be flagged for potential trademark violations, thereby discouraging registrations that violate existing trademark rights. If a registrant decided to proceed, they would be provided with due notice of existing trademark restrictions governing the use of a domain name.

Do Advertising Firms Understand Domains?
The question of whether the advertising industry understands domain names did not elicit uniform responses at the conference. Speaking at the back of the auction hall on Aug. 15 after Rebate.com and Rebates.com had been sold together for US$1 million, Sahar Sarid outlined the "yes" position. Sarid is an Israeli-born domain investor and cofounder of the Recall Media Group.

Will old-media advertising firms become involved in the secondary market for domain names in the near future? No, Sarid answered.

"It's a conflict of interest," Sarid said. Why? "Because it works," he replied, explaining that the Internet is not good for old-media advertising agencies because it can make them look bad and cause their clients to fire them.

Sarid sees little or no accountability in ad spending on traditional media. As he described it, clients are encouraged to spend large amounts of money on television and print ads, without being able to accurately gauge the results -- either in terms of calculating the number of new clients or the amount of revenue generated by individual advertisements.

The purchase of domain names to attract customers through direct search and the purchase of advertising on domain-name landing pages allows advertisers to track incoming clients and revenue, Sarid pointed out, leading him to refer to those online methods as ROI, or return-on-investment, advertising.

ROI advertising is not restricted to direct search or domain-specific advertising, he said, but can extend to online advertising in general. Ad industry people are brighter than domain investors, Sarid said. Few domain investors know how to run a business, he said, only how to manage domain names.

Advertising Agencies Seen as Too Cautious
When will the ad industry and their clients wake up to the value of domains? When asked that question at 1:30 a.m. on the conference's first night, conference chair Jay Westerdal responded: "They're going to wake up when it's too late."

He added: "They are not going to know the value of those names until they are all locked up." Most of those interviewed at the conference confirmed his views.

Describing the position of technology firms, advertising agencies and investors who have already staked out a position in the domain industry, Yossi Goldlust of the online ad agency LookSmart said: "We have Internet jujitsu, we have first mover advantage."

On the question of when traditional advertising agencies would enter the domain name industry on a major scale, Goldlust said that they are not going to do it right away. He said that traditional ad agencies will need two to three years of experience in the domain industry first, experience that he says those agencies currently lack.

"The ad industry feels it is being pushed into a marriage [with the domain name industry], when it only wants to date a little," Goldlust said, speaking shortly after 2 a.m. on the first night of the conference. "Advertisers need to be educated on the value of domains and direct search traffic," he added.

"The domain industry has not found a way to translate its value proposition into terms that traditional advertisers can understand," said Goldlust. "We are in a 'Who's on first, What's on second, I Don't Know's on third' conversation now."

The gap between the domain industry and traditional advertisers is aggravated by two factors, according to Goldlust:


Lack of experience of domainers in traditional advertising.
The maturity of the traditional advertising industry and the fact that it is losing market share for total advertising dollars. This encourages risk-averse behavior.

"Contrary to how they like to position themselves, they are not open minded to new concepts and business opportunities," Goldlust said. "It's almost like a Greek tragedy."

He predicts that in 18 to 24 months the mainstream advertising industry will begin to establish a significant presence in the secondary market for domain names.

What is needed to bring the industries closer together? "Talk," Goldlust said. "Each side needs to learn each other's language. Each side needs to talk to each other."

Market Action Shifting Towards Registrars
Will the domain name industry and domain valuations stand still over the next two years? No, Sarid said, pointing to the new Domain Distribution Network (DDN) service being launched globally by the Australian company Fabulous.

The DDN allows domain name registrars to list domains available in the secondary market alongside query results for new domain name registration requests. The DDN enables registrars to quickly verify, sell and transfer ownership of domains in the secondary market, rather than merely referring buyers to legacy marketplaces such as Afternic and Sedo.

Sarid and Schilling suggest that the DDN could consolidate the primary and secondary domain markets into the hands of registrars, increase the number and speed of transactions in the secondary market and raise the asset value of domains that have preexisting commercial viability -- although not necessarily any traffic.

Auctions for premium domains will continue to serve as the centerpiece of upcoming domain industry conferences. Westerdal's plans for the next Domain Roundtable include lowering the starting bids for domains being auctioned and better tools for the auctioneer to instantly coordinate bids received from the conference floor with those received online.

The next Domain Roundtable is scheduled to be held April 18-20, 2008, in San Francisco. Westerdal's formula for the conference is: Domains + Ads + Web 2.0 = San Francisco 2008.

Incurable Viruses: How Real Is the Threat?

The only type of virus that is truly incurable is one that physically destroys hardware. If the virus is a Trojan, worm or other file infector, it can be cleaned up. An incurable virus would have to damage the machine itself, not just the software on it. The question is: If there is no damage to the hardware and you can reload the OS, is the virus truly incurable?

Pimply-faced pranksters and lone profiteers who poison computer systems have been replaced by organized criminals of a different breed.

"These guys are professional organizations. They are fully funded and they're writing specifically for profit," David Frazer, director of technology services at F-Secure, told TechNewsWorld. "Notoriety virus writers are all but gone now."

This new wave of organized crime is churning out professional-grade, so-called "incurable viruses" that are leaving hundreds of thousands of victims in their wake.


Mouse Chases Cat
Malware writers are cunning, determined and largely undeterred by the security programs currently in play. Indeed, they find such programs helpful to their cause. "Malware writers have an advantage in creating viruses to get on the system without detection in that the virus writers use anti-virus products to test if their new virus is detected," Javier Santoyo, senior manager of development at Symantec (Nasdaq: SYMC), told TechNewsWorld.

"The virus writers use packers to compress and obfuscate their threats until they find a combination anti-virus vendors don't support," he added. "This is a continuous cat-and-mouse chase between security vendors and malware writers."

The groups behind today's threats are highly organized.

"These organizations employ people who perform a typical 9-to-5 job. They have full quality assurance and testing before they try to infect," Frazer said. "Typically, they are targeting specific organizations or companies, and the infection is usually followed with a ransom demand."

"In the consumer segments they are using users' PCs as botnets in proliferating spam out to the Internet or using loggers to steal passwords, credit card and bank details from unprotected online banking and credit-card users," Frazer detailed.

The Incurable Lie
Malware writers do share one trait with their pimpled predecessors: arrogance.

"One interesting case was the Bagle / Netsky viruses. Each was authored by a separate virus writer, and they launched an ongoing war against each other in which they sought to remove the other's worms," confides Frazer. "In one day, F-Secure sent out 14 signature updates to keep up."

The viruses malware writers produce are far from the iron-clad monsters the creators purport them to be.

"Right now, there's no such thing as an incurable virus," said Frazer.


"A truly incurable virus would have to cause hardware damage," says Santoyo. "Very few viruses have existed that caused hardware damage with no chance of remediation."

However, that is not to say that the damage is not real or tangible.

"Ultimately, any malicious program can be wiped by re-imaging the hard drive; however, re-imaging may result in data loss unless you regularly back up data," Peter Firstbrook, research director at Gartner (NYSE: IT), told TechNewsWorld.

There is also the problem of invisibility that allows malware to strike repeatedly without notice.

"Malware may be very well hidden so that users don't realize they have a virus," added Firstbrook.

Morph Morbidity
Viruses share a common mode of attack, according to Santoyo. First, if they can penetrate a system without being detected, they try to stop any security software from updating. That is one way a virus can stay on a system; the other is to use a watchdog process that re-launches or re-creates the virus if it gets deleted for any reason. Lastly, viruses embed themselves in the operating system so that they are launched again after a reboot.

Viruses that stop there are more easily caught and sterilized by anti-virus software. It is the more sophisticated and insidious generation that creates the most havoc.

"In general, metamorphic and polymorphic viruses are the most difficult to deal with," confided Santoyo. Both types, as their names suggest, change, mutate and move in order to avoid detection.

Zmist, which appeared in 2001, is a well-known example of the threat posed by this class of viruses. Zmist produced a different copy of itself each time it infected a new host. Zmist -- a.k.a. Zombie.mistfall -- is termed a metamorphic virus, one that rewrites its own code every time it replicates, so no two copies share a fixed byte sequence. Without such a sequence to match on, they are much harder to detect by signature.

"Zombie.mistfall was significant because it introduced code integration, a new vector of infection," explains Frazer. "This is where a virus would insert itself into a file and actually move code in a program out of the way and rebuild the executable that made it difficult to find within that file."

Tough to Track
Polymorphic malware has been around for a while, but it is becoming more common.

"Packers and encryption software are useful for changing the characteristics of the malware each time it is distributed to avoid signature based detection mechanisms," said Firstbrook.

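The packing and polymorphism that Santoyo and Firstbrook describe above, shown as an added example (my code, not code from the article or from either vendor): a constructed, inert "body" is wrapped in a fresh XOR key and fresh junk padding on every copy, so an exact signature taken from the body never fires again. Two scanner strategies still catch every variant: a broad signature on the invariant decryptor stub (the "genetic heuristic" idea, matching the family's structure rather than its bytes) and generic decryption, which lets the stub "run" and scans what it unpacks. The stub format, the body bytes and the signature are all invented for this example.

```python
import random
import re
import string
from typing import Dict, Optional

# Constructed stand-in for a virus body. In a real polymorphic virus this would be
# the payload code; here it is an inert byte string so the example runs harmlessly.
BODY = b"MALWARE_BODY: delete_backups(); disable_av_updates(); spread();"

# The kind of exact byte signature a scanner would extract from the plaintext body.
BODY_SIGNATURE = b"disable_av_updates()"

# Broad "genetic" signature: it ignores the body entirely and keys on the shape of the
# decryptor stub, which every variant must carry in order to unpack itself.
# Hypothetical stub layout: b"DEC:" + 1 key byte + 2 length bytes + 1..8 junk letters + b":"
STUB_HEURISTIC = re.compile(rb"DEC:.{3}[A-Za-z]{1,8}:", re.DOTALL)


def make_variant(body: bytes = BODY, key: Optional[int] = None, junk: Optional[bytes] = None) -> bytes:
    """Emit one 'infection': a decryptor stub followed by the XOR-encrypted body.

    A fresh key and fresh junk padding per call make every copy byte-different,
    which is exactly what defeats a signature taken from the plaintext body.
    """
    if key is None:
        key = random.randint(1, 255)  # key 0 would leave the body in the clear
    if junk is None:
        junk = "".join(random.choices(string.ascii_letters, k=random.randint(1, 8))).encode()
    stub = b"DEC:" + bytes([key]) + len(body).to_bytes(2, "big") + junk + b":"
    return stub + bytes(b ^ key for b in body)


def naive_signature_hit(sample: bytes) -> bool:
    """What a plain byte-signature scanner sees: the plaintext body's bytes never appear."""
    return BODY_SIGNATURE in sample


def stub_heuristic_hit(sample: bytes) -> bool:
    """Detect the invariant decryptor structure instead of the mutating body."""
    return STUB_HEURISTIC.search(sample) is not None


def emulate_and_scan(sample: bytes) -> bool:
    """Generic decryption: let the stub 'run' (here: parse it), then scan the decrypted body.

    Real engines emulate the decryptor in a sandbox; this toy stub is simple enough
    to interpret directly.
    """
    m = STUB_HEURISTIC.search(sample)
    if m is None:
        return False
    key = sample[m.start() + 4]
    length = int.from_bytes(sample[m.start() + 5 : m.start() + 7], "big")
    encrypted = sample[m.end() : m.end() + length]
    return BODY_SIGNATURE in bytes(b ^ key for b in encrypted)


def scan(sample: bytes) -> Dict[str, bool]:
    """Run all three detection strategies over one sample."""
    return {
        "naive_signature": naive_signature_hit(sample),
        "stub_heuristic": stub_heuristic_hit(sample),
        "emulation": emulate_and_scan(sample),
    }


if __name__ == "__main__":
    for variant in (make_variant() for _ in range(5)):
        print(variant[:12].hex(), scan(variant))
    # Constructed benign input that merely contains "DEC:" -- the heuristic must stay quiet.
    print("benign:", scan(b"DEC: 2007 log entry, nothing to see"))
```

Real decryptor stubs are machine code rather than a parsable header, which is why engines run them in an emulator, but the lesson carries over: a packer changes every byte of the body, so detection has to target what cannot change (the unpacking logic) or look at the code after it has unpacked itself.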
Frazer also pointed to a string of fast-spreading outbreaks, including Code Red, Sasser, Nimda, the Melissa virus and MS Blaster. "These were very destructive and propagated very quickly," says Frazer. Strictly speaking, those were mass-mailing and network worms rather than metamorphic or polymorphic viruses; they caused havoc through propagation speed, not through mutation.

Rootkits can hide malicious programs from antivirus software so that they are difficult to detect.

"Some malicious programs have multiple components that have a heartbeat message every few seconds so that if one component is deleted in an attempt to remove the malware, the remaining component will create a new version of the deleted file, making it difficult to remove unless you delete both files simultaneously," says Firstbrook.

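The watchdog process Santoyo describes and the heartbeat components Firstbrook describes above are the same persistence trick, modelled here as an added example (my simulation, not code from the article or from any vendor; the two file names are hypothetical). Three cleanup orders are run against the model: deleting the halves one at a time, suspending and deleting only the half the responder happened to find, and suspending every half before deleting any of them.

```python
from typing import Iterable, Set

# Hypothetical file names for the two halves of the infection (constructed for this example).
COMPONENTS = ("svchost_a.exe", "svchost_b.exe")


class WatchdogPair:
    """Toy model of malware that keeps itself alive with a mutual heartbeat.

    `alive` holds the components that are on disk and running; `suspended` holds those
    whose process has been frozen, so their heartbeat no longer fires.
    """

    def __init__(self) -> None:
        self.alive: Set[str] = set(COMPONENTS)
        self.suspended: Set[str] = set()
        self.respawns = 0  # how many times a half re-created its missing partner

    def heartbeat(self) -> None:
        """One heartbeat interval: each running, unfrozen half checks that its partner exists."""
        for me in list(self.alive):
            if me in self.suspended:
                continue
            for partner in COMPONENTS:
                if partner != me and partner not in self.alive:
                    self.alive.add(partner)  # drop a fresh copy of the missing half
                    self.respawns += 1

    def suspend(self, name: str) -> None:
        """Freeze a process (NtSuspendProcess on Windows, SIGSTOP on Unix) without killing it."""
        if name in self.alive:
            self.suspended.add(name)

    def delete(self, name: str) -> None:
        """Kill the process and remove its file; one heartbeat interval then passes."""
        self.alive.discard(name)
        self.suspended.discard(name)
        self.heartbeat()


def remove_one_at_a_time(pair: WatchdogPair) -> Set[str]:
    """Naive cleanup: delete each file in turn. The survivor notices and restores its partner."""
    for name in COMPONENTS:
        pair.delete(name)
    return set(pair.alive)


def suspend_then_delete(pair: WatchdogPair, known: Iterable[str]) -> Set[str]:
    """Freeze every component you know about first, then delete; nothing left awake can respawn."""
    known = list(known)
    for name in known:
        pair.suspend(name)
    for name in known:
        pair.delete(name)
    return set(pair.alive)


if __name__ == "__main__":
    runs = (
        ("delete one at a time", lambda: remove_one_at_a_time(WatchdogPair())),
        ("suspend only the half we found", lambda: suspend_then_delete(WatchdogPair(), COMPONENTS[:1])),
        ("suspend both, then delete", lambda: suspend_then_delete(WatchdogPair(), COMPONENTS)),
    )
    for label, run in runs:
        print(f"{label}: still alive = {sorted(run())}")
```

On a live Windows host the equivalent is to suspend every identified process (Process Explorer can do it, as can psutil's `Process.suspend()`) before terminating and deleting anything, so no heartbeat fires during the cleanup window. If you cannot be sure you have enumerated every component, the second run above is what happens, and re-imaging, as Firstbrook suggests, is the reliable option.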
Then there is the garden variety of stealth viruses with a hefty new dose of aggressiveness finely aimed at specific victims.

"Targeted malware (vs. mass propagation) is also difficult to detect because it takes a while for the malware sample to get to the antivirus vendors for analysis and signatures," explained Firstbrook.

Horrors on the Horizon
As if viruses that jump to a different sector on a disk or move to a region of memory that has already been scanned were not difficult enough to deal with, there are other malware tricks on the horizon.

"In the spam community, the big trend has been sending malware in the forms of .pdf," says Frazer. "It's an accepted and universal standard and as such isn't filtered by most anti-spam software programs."

Mobile technology is also opening the door to new virus frights. Bluetooth enables mobile worms to spread by virtue of mere proximity, like an influenza virus. A Bluetooth-equipped phone can identify and exchange files with other Bluetooth devices from a distance of 10 meters or more.

As victims travel, their phones can leave a trail of infected bystanders in their wake -- although with current viruses, the recipients have to actively acknowledge the virus transmission before they can get infected.

That may soon change, however.

"Any event that gathers a large crowd presents a perfect breeding ground for Bluetooth viruses," warned Frazer.

With the advent of the iPhone, which delivers the Internet in its original glory, and the phones that will inevitably follow suit, malware writers will find new ways to exploit Bluetooth spreadability with their newly fortified arsenal of standard Internet deliverability.

It's enough to give security vendors more than just a few sleepless nights.

"The challenge is to stay ahead," said Santoyo. "Understanding the threat landscape is very important."

Researchers are busting it to bust the bad guys, however. So hope, too, is on the horizon.

Host-based intrusion prevention techniques are increasingly used in antivirus programs to detect new threats, Firstbrook said.

Some successful HIPS techniques include:

Memory access protection (buffer overflow), since 60 percent of malicious code depends on memory manipulation techniques to inject its payload;
Vulnerability shielding is a HIPS capability that protects known vulnerabilities from attack, regardless of the form the particular attack takes;
Genetic heuristics -- broad signatures of exploit families designed to detect variants by using higher-level characteristics of a malicious code rather than more-detailed signatures;
Application whitelisting/blacklisting and "standard user" reduced privileges, which limit what any new application can do;
Sandboxing and virtualization techniques to run the unknown "gray" code in a restricted environment show promise, but Firstbrook says they are rare in current HIPS solutions.

However, the problem of stopping these crooks in their tracks is not solely of the technical realm.

"As far as regionally, we're seeing a lot of spamming, ID theft and even targeted attacks coming out of Asia, Russia and South America. The laws and challenges in working with different governmental bodies contribute to this," said Frazer. "By no means are these the only regions, but socioeconomic and legal challenges play a role here."

Indeed, the horizon shows the potential for a true "cyber-war."

User Armor
The best cure remains the same despite the many virus mutations: prevention. Firstbrook says there are seven steps to thwarting viruses before they can strike:

Use up-to-date antivirus and personal firewalls (not the Windows Personal Firewall),
Maintain all software (use auto update in Windows) at current versions,
Do not use shareware or advertising sponsored software unless it comes from a very reputable source,
Do not add software to view Web content of questionable sources,
Do not use P2P networks,
Do not open e-mail or attachments from people you don't know (even from people you know but were not expecting),
Periodically scan your PC with an online scanner (i.e., one from a vendor other than your installed AV product).

He suggests using one of the following:

Webroot
Trend Micro
Symantec
McAfee

Monday, August 20, 2007

Microsoft Plans Canada Software Center

Microsoft has been a vocal proponent of increasing the number of visas granted to skilled workers from outside the U.S. At the same time, the software maker has repeatedly said the U.S. is not producing enough engineers to fill its chairs, and argued that the U.S. education system fails to place enough emphasis on math and sciences.

Microsoft Corp. plans to open a software development center in Canada this fall to attract talent and avoid U.S. immigration issues.

The Vancouver, British Columbia location will be one of only a handful of development centers outside the company's headquarters in Redmond, Wash., the software company said Thursday. It previously announced plans to build sites in Boston and Bellevue, Wash.

Microsoft says the Vancouver location will "allow the company to continue to recruit and retain highly skilled people affected by the immigration issues in the U.S."


"Microsoft is a global company, and our greatest asset is smart, talented, highly skilled people," said S. Somasegar, corporate vice president of the Developer Division at Microsoft, in a statement Thursday.

Microsoft Canada Co. was established in Mississauga, Ontario in 1985. The software, computer services and Internet technology development company has offices in Toronto, along with eight regional offices across Canada.

The company did not release any financial details on the new site, which is about 150 miles from Redmond.

Other centers are located in North Carolina, Ireland, Denmark, and Israel, while full research-and-development sites have been built in the U.K., India, China, and California's Silicon Valley.

Little Annoyances Still Big Vista Issue

Industry analysts say Windows Vista adoption is plodding along as expected, with most consumers and businesses switching over as they replace old hardware with new. IDC analyst Al Gillen said he expects Vista will be installed on the vast majority of computers in about five years, the time it took for XP to reach 84 percent of PCs.

Chris Pirillo leaned away from his webcam and pointed to his printer/scanner/fax machine, which stopped scanning and faxing after he installed Microsoft Corp.'s new Windows Vista operating system.

"I can't live in Vista if the software that I use in my life for productivity does not work," said Pirillo, in the third minute of a 52-minute video he posted on YouTube.

Nearly six months after it launched, gripes over what doesn't work with Vista continue, eclipsing positive buzz over the program's improved desktop search, graphics and security.

With Vista now shipping on most new computers, it's all but guaranteed to become the world's dominant PC operating system -- eventually. For now, some users are either learning to live with workarounds or sticking with Vista's predecessor, Windows XP.

Pirillo is geekier than the average user. He runs a network of technology blogs called Lockergnome, and was one of several "Windows enthusiasts" Microsoft asked for Vista feedback early on.

Still, Vista tested even Pirillo's savvy. He fixed the hobbled printer and other problems by installing VMware, a program that lets him run XP within Vista. But when his trial copy expired, he decided the solution was too clunky -- and too expensive.

He "upgraded," as he called it, back to XP.

Users' early complaints aren't likely to threaten Microsoft's dominance in operating systems. The various flavors of Windows today run 93 percent of PCs worldwide, according to the research group IDC. Last fiscal year, Windows accounted for about a third of Microsoft's total revenue of $44.3 billion.


It's too early for industry watchers to know exactly how many people are using Vista. At the same time, it's hard to gauge Vista's success by comparing it to XP, because the PC market has grown tremendously in the last six years.

In early May, Microsoft said it had distributed 40 million copies of Vista, which costs $199 to $399 depending on the version. But it did not specify the number actually sold through to consumers, versus those shipped to computer makers like Hewlett-Packard Co. and Dell Inc.

Analysts noted that as many as 15 million of those copies could represent upgrade coupons given to XP buyers during the holidays, before Vista went on sale. Microsoft would not say how many of those customers installed the program, but Forrester Research analyst J.P. Gownder estimated just over 12 million U.S. consumers would have Vista by the end of the year, out of about 235 million PCs in the country.

As for the compatibility problems, 2 million devices -- such as cameras and printers -- now work with Vista, said Dave Wascha, a director in the Windows Client group.

"We are way ahead with Windows Vista right now than where we were when we shipped Windows XP," he said.

Still, it's an uphill battle: Vista interacts differently with programs and peripherals than previous versions of Windows, and some companies have chosen not to spend time and money updating older products. Printer makers, Wascha noted, draw profits from ink cartridges and services, and have little motivation to invest in updating drivers for old hardware.

As a result, many early adopters have made a sport of grumbling about the one device or program they still can't get to work.

And they've ranted about other things, from how hard it is to open Vista's snap-together plastic retail box, to what they see as arbitrary decisions on Microsoft's part to hide some settings and features.

One of the most common annoyances: Microsoft's User Account Control (UAC) feature, designed to protect unwitting Web surfers from spyware and viruses that would otherwise install themselves on the computer.

Dan Cohen, chief executive officer of Silicon Valley startup Pageflakes, bought a Vista laptop a couple of months ago. After one too many pop-up windows warning of possible threats from the Internet, Cohen switched the control feature off.

Now he gets pop-ups warning him that turning off UAC is dangerous.

"I feel more secure -- and more irritated," he said. When Cohen went to buy his wife a new computer in April, he stuck with XP on a laptop from Lenovo Group Ltd.

Some analysts say Microsoft hasn't put enough energy into marketing Vista's benefits to consumers. But it may also be the case that Vista's biggest benefits are ones that cause average PC users' eyes to glaze over, like improved security.

"Everybody wants there to be a repeat of Windows 98 -- the excitement, the sales volume, the rate of growth and everything else," said Michael Cherry, an analyst for the independent research group Directions on Microsoft.

At the time of Windows 98's launch, broadband access to the Internet was catching fire and consumers were pumped up about getting a faster computer.

There's no such compelling reason to buy Vista, said Gownder, the Forrester analyst.

Businesses, like consumers, are in no hurry to upgrade. Before the business version of Vista landed late last year, a Forrester survey of about 1,600 companies found that 31 percent planned to upgrade within a year, and 22 percent more planned to be running it within two years.

Most businesses think those plans now seem too aggressive, said Forrester analyst Benjamin Gray.

While corporate technology departments are looking forward to some of Vista's security features and easier administration tools, there's little reason to switch if the more secure PCs end up choking on a critical piece of software.

"They're waiting for Microsoft to bless it with a service pack," said Gray, referring to a major software update that fixes bugs.

The University of Pittsburgh Medical Center, a member of Microsoft's Vista Technical Adoption Program, started evaluating Vista in January 2006. Today, only 300 of the hospital's 30,000 desktop computers run the software.

Karen Malik, associate director of technical services, said the rollout is behind schedule because several key programs still aren't compatible, including patient scheduling software. Malik knows the software vendors will catch up to Vista -- someday. In the meantime, she's not rushing.

"We know eventually we're going to need to move to this operating system," Malik said. "It's not really an option."

Hacker Unlocks Microsoft's DRM Platform

Underlying the attack on Microsoft's Digital Rights Management (DRM) technology is the belief among members of the multimedia underground that they should have the ability to back up copyrighted media files that they have purchased in the event of a primary system malfunction. Microsoft, however, may see this as an open door to pirates and unlimited P2P sharing.

A member of the Doom9 Forum known only as "Divine Tao" claims to have defeated Microsoft's Digital Rights Management (DRM) platform for securing the distribution of digital media files over the Internet. According to other Forum members who have already downloaded it, the new utility program for PCs running Windows XP and Vista not only works wonderfully but can even run on Microsoft's Zune player.

Divine Tao's exploitation of a chink in Microsoft's armor merely represents the latest clash between the software giant and members of the multimedia underground who believe they have the right to store archival copies of the copyrighted multimedia files they purchase in the event that their hard disks ever crash.

However, the same technology can also be used to illegally copy and distribute copyrighted programs for free. That potential for piracy is of grave concern to multimedia content vendors who depend on Microsoft's DRM platform to ensure that only those who pay for the privilege can download the multimedia files they offer.

Undermining Confidence

Though it is always dismaying when an attack occurs, the cracking of Microsoft's DRM platform is hardly the end of the world, according to one long-time Microsoft observer.

"Security overall is an ongoing battle and no one can ever declare total victory or relax their vigilance," Yankee Group research fellow Laura DiDio explained. In terms of their numbers and the time they can devote, there are more hackers than a security team even as large as Microsoft's can deal with, she continued.

"It's just a fact of 21st century computer life, because nothing is hack-proof," said DiDio. "Microsoft just has to address the issue as fast as they can."

Growing Importance

"It's been a real cat and mouse game of late" between the hackers and Microsoft "and it's enough to give companies cause for pause," noted Jim Murphy, research director for content management at AMR Research.

"Enterprises are deciding right now which DRM approach they will take" for securing their documents and intellectual property, Murphy explained. But given that so many of them have already made an investment in Windows -- "and Office remains their lingua franca" -- coming to terms with Microsoft's DRM platform "is all but unavoidable in one way or another," Murphy said.

"There is no DRM system that is completely invulnerable to attack," Murphy added. "The question is: How will Microsoft stay on top of it and rectify the issues that come up?"

One possible solution suggested by Murphy would be to deal with DRM hacks in much the same ongoing way that antivirus software vendors now handle the onslaught of new viruses. This would involve "the ability to update the DRM platform on the fly by keeping a database of hacks and then patching as quickly as possible," Murphy explained.

Though it won't be easy to implement in comparison to how most antivirus offerings currently function, Murphy said he sees the need for DRM platforms that can not only update an enterprise's server software, but also protect sensitive enterprise documents after they have been disconnected from a company's IT network.

An Ongoing Battle

Divine Tao's new upload to the Doom9 Forum is actually an update to a utility first posted by Forum member 'Viodentia' way back in April of 2006, after which Microsoft was forced to release two patches as a quick fix. However, Viodentia quickly broke the software giant's fixes.

Microsoft subsequently went to court, but was later forced to drop its lawsuit given that the software giant had been unable to identify or locate the utility's author.

"Lacking the source code to the extant programs, I can only offer this output of my own efforts," wrote Divine Tao in the hacker's initial posting at the Doom9 Forum. This is an apparent reference to Microsoft's prior claims that the source code for its DRM platform had been illegally accessed by a company insider.

No Green Light Yet for Vista Service Pack

Now that Microsoft has moved to a monthly update system -- commonly known as Patch Tuesday -- the pressure for getting Vista Service Pack 1 (SP1) quickly out the door has been reduced. All the same, analysts say many companies are waiting on Vista SP1 as an important milestone before they will adopt Microsoft's newest operating system.

Earlier this week, Microsoft Windows watcher Winbeta.org posted an e-mail from the software giant's Windows Driver Kit team that ended up launching a media feeding frenzy on news sites around the world. According to Microsoft's e-mail to the site, the release of a beta version of the first service pack for Vista was available for download.

The resulting avalanche of press reports from around the globe forced Microsoft to clarify the report by saying that the earlier e-mail was actually designed to announce the availability of the beta of Windows Server 2008 instead of Vista Service Pack 1 (SP1), and that the confusion was due to a typo.

Michael Silver, research vice president in Gartner's Client Computing group, said that although Vista SP1 is not yet ready to roll, the sooner Microsoft releases it, the sooner businesses that look at SP1 as an important milestone will start adopting Vista.

If Microsoft gets SP1 out this year, it could buy the company an extra quarter of adoption in businesses, Silver explained. "That may not fuel a lot of extra revenue, but it helps improve the perception of Vista," he noted.

No Impact on Mainstream Users

In its latest update on the software giant's compliance with antitrust issues, the U.S. Department of Justice noted that Microsoft had agreed to release the beta of Vista SP1 this year. Microsoft has confirmed its commitment to a beta release in 2007, but did not commit to a specific date.

It has been standard practice for Microsoft to issue service packs for fixing security holes and other bugs that the company identifies after each operating system's official release. But now that the software giant has moved to a monthly update system -- commonly known as Patch Tuesday -- the pressure for getting Vista SP1 quickly out the door has been reduced.

On whatever date that Microsoft does release the beta version of Vista SP1, it will have no impact on mainstream PC users. The goal of the software giant's beta release will be limited to getting a selected audience of software developers and engineers to review the service pack before it goes mainstream.

Heading Google Off at the Pass

Microsoft is currently in the midst of making changes to Vista that are the outgrowth of a recent settlement with the Justice Department and the attorneys general of 17 states that tries, in part, to rectify a complaint filed by Google against the software giant.

The Instant Search functionality embedded in Windows Vista relies on an index that is updated whenever files on the computer change. Google complained that this was a new "middleware product" that violated the antitrust judgments that the Justice Department had already imposed on Microsoft.

Microsoft recently agreed to allow greater flexibility among users and equipment manufacturers to install competing search products, such as Google Desktop. However, the changes will not go into effect until the release of Vista SP1.

Microsoft Inks Deal with Linux Provider Linspire

Microsoft's agreement with Linux provider Linspire, much like the other similar deals, details a wide variety of technical projects to "enhance interoperability and expand the functionality of Linspire" for working with Microsoft products. One notable part of the deal is that Windows Live Search will now be the default search for Linspire 5.0.

Another day, another Microsoft cross-licensing Linux deal. On Thursday, the software giant and Linux desktop provider Linspire announced an "interoperability, technical collaboration" agreement.

As with Microsoft's recent parade of similar deals with other companies, this one includes protection for Linspire's customers from Microsoft's claims of Linux patent infringements.

"Linspire will be providing its customers," said a joint press release, "with the option of acquiring a patent covenant from Microsoft for customers operating the Linspire desktop."

The patent covenants, which customers can choose whether or not to obtain, "provide customers with confidence that the Linspire technologies they use come with rights to relevant Microsoft patents."

'Enhance Interoperability'

Microsoft has said that Linux and related open-source software infringe on some 235 of its patents, a declaration that is adamantly opposed by members of the open-source community. In recent months, its legal department has been busy making cross-licensing deals with such companies as Novell, Samsung, LG Electronics, Xandros, and others, each of which has included protection for the partnering company's customers from Microsoft claims of Linux patent infringement.

The Linspire agreement, much like the others, details a wide variety of technical projects to "enhance interoperability and expand the functionality of Linspire" for working with Microsoft products.

These projects cover document format compatibility, including open-source translators for OpenOffice and Microsoft Office. In instant messaging, Linspire will use a Microsoft codec for voice-enabled interoperability between Linspire's Pidgin instant messaging client and Microsoft's Office Communicator and Windows Live Messenger clients.

New releases of Linspire will support Windows Media 10 audio and video codecs, for better sharing of media files between the two customer bases, and Linspire will license several Microsoft TrueType fonts.

Another notable part of the deal is that Windows Live Search will now be the default search engine of Linspire 5.0. Microsoft, Google, and Yahoo have been vigorously battling for search engine placements with their partners.

Microsoft's Stages

The Microsoft-Linspire deal and the others are part of the end stage of how the Redmond, Washington-based company has been dealing with Linux, said Yankee Group analyst Laura DiDio. "First," she said, "there's deny, deny, deny. Then it's hostility: '[Linux is] a cancer.' Then you get marketing and counter-marketing, to convince you that my products are better."

Finally, she said, it's "pragmatic good sense, or 'co-opetition,'" which is where Microsoft is now, as illustrated by this deal with Linspire and others.

Chris Voce, an analyst at Forrester, offered a similar take. He said that this deal is more about bridge-building for Microsoft and the Linux camp than about walling off patent partners. It is also, he pointed out, about getting Windows Live Search and other Microsoft products or translators "into as many hands as possible."

He added that, as far as he can see, the I.T. directors at major enterprises are not worried about being sued by Microsoft if they use Linux.

Searching for the Open-Source Desktop

I've not been able to find anything that meets all of the necessary desktop criteria, but things are beginning to change. The newest releases of open-source operating systems and apps are almost good enough. I believe that 2008 will be the year when the open-source desktop reaches the point where a nonengineer can install and use it effectively.

Is 2008 the year of the open-source desktop? Red Hat Linux is now widely deployed on the servers in my data center. Users have no idea what operating system underlies our Web applications and databases, nor do they care, as long as those tools are highly available.

But the desktop is uncharted territory. Over the past year, I've been on a quest to find an operating system that balances ease of use, stability, low cost, and high functionality. My experiences were the subject of an article in CIO magazine that described how I tried to use my enterprise applications with Windows XP, Mac OS X, Red Hat, and Fedora. Recently, I've spent months running Novell's SUSE Linux and Canonical's Ubuntu, and I'll report on those efforts soon.

Based on these experiences, I think I can say when the open-source desktop will become a more widely deployed end user operating system: when it becomes a product and not a project. That will require the following:

* The open-source desktop should recognize my video chip set, my wired/wireless networking hardware and all my storage devices without being custom-configured, which would require me to search the Web to learn how others have done the same thing with the same hardware. Searching the Web works, but even for a high-level engineer, a typical laptop requires a lot of trial and error.

* Wireless support should include the common security protocols: WPA, PEAP, LEAP and EAP-FAST. The wireless client should roam as I change locations, associate with the optimal access point, and work perfectly upon waking from hibernation.

* USB thumb drives should work seamlessly without having to manually mount a volume.

* The open-source desktop should include a browser, a robust e-mail client, an office productivity suite, a photo editing tool, and a GUI tool for setting my configuration preferences.

* It must be stable and reliable.

* Finally, the average user should be able to use it (which rules out all command-line operations).

I've not been able to find anything that meets all of those criteria, but things are beginning to change. The newest releases of open-source operating systems and applications are almost good enough. For the first time, I can consider using them as my primary desktop tools. I've run into a few issues with my e-mail client, my SSL VPN client, and wireless networking that require consultation with a high-level engineer, but day to day, my experience is positive. I believe that 2008 will be the year when the open-source desktop reaches the point where a nonengineer can install and use it effectively.

This is not about being anti-Microsoft. I oversee thousands of machines that use Microsoft software, and many users need applications that are available only for the Microsoft environment.

It's not about being anti-Apple. I respect the user experience of Mac OS X, and I wish Steve Jobs would license the operating system to other hardware manufacturers, who could then offer choices that meet other needs, such as a 2 lb. subnotebook for road warriors.

What this is about is recognizing that the open-source desktop is nearly ready for select desktop users. Dell has begun to offer open-source options for its desktops and laptops. Lenovo is certifying and supporting SUSE Linux Enterprise Desktop on the ThinkPad.

Let's hope 2008 will be the year that the projects end and we can assess all the products based on their suitability for each user.

Microsoft Claims Vista Is More Secure Than Linux

In addition to comparing Vista to XP, Jeff Jones, director of Microsoft's Trustworthy Computing Group, compared Vista to Red Hat Enterprise Linux 4, which saw some 129 bugs during its first six months of availability. On the basis of these numbers, Jones concluded that Vista is more secure than its open-source counterpart.

According to Microsoft's Trustworthy Computing Group, the software giant's latest operating system is far more secure than competing platforms -- or even previous Windows iterations.

"The Windows Vista Six-Month Day Vulnerability Report" offers insights into the total fixed and unfixed Vista vulnerabilities, plus a comparative view of Linux, OpenOffice, and other applications. The report is available as a PDF download on the blog of Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group.

"The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSs (which also did not benefit from an SDL-like process)," Jones wrote.

The "SDL" Jones refers to is Microsoft's "secure development lifecycle," a software-development process Microsoft adopted for creating software that can withstand malicious attack.

Six Months and Counting

During Windows Vista's first six months on the market, Microsoft released four security updates to address 12 total vulnerabilities. In the National Vulnerability Database, the National Institute of Standards (NIST) rated 10 of these issues as "high" severity, one as "medium," and one as "low."

There were also vulnerability disclosures during Windows Vista's first six months that have not yet been addressed by a fix. The NIST rated only one of them "high" severity, while four have been rated "medium" and 10 have been rated "low."

How does that compare with the first six months of Windows XP? When Windows XP shipped, there were already three Internet Explorer vulnerabilities, which had been disclosed and fixed three weeks prior to market distribution. Consequently, new users had to apply an IE patch immediately to address them.

In addition, Microsoft fixed a total of 36 vulnerabilities in the first six months Windows XP was available. The NIST rated 23 of those vulnerabilities "high" severity. At the end of the six-month period, a total of three publicly disclosed vulnerabilities did not yet have a patch available from Microsoft, two of which (CVE-2002-0189 and CVE-2002-0694) were rated "high" severity and one of which was rated "low."

"With respect to its predecessor product, Windows Vista seems to have a better initial six months, with one-third as many vulnerabilities fixed and with Windows Vista having only one high-severity issue outstanding at the end of the six-month period," Jones noted.

Open-Source Comparison

In addition to comparing Vista to XP, Jones compared Vista to open-source operating systems. Red Hat Enterprise Linux 4, the most downloaded GNU/Linux distribution, saw 129 publicly disclosed bugs during its first six months of availability. Forty of them were ranked "high" severity. Red Hat fixed a total of 281 vulnerabilities in Red Hat Enterprise Linux 4 Workstation in the first six months, 86 of which were rated "high" severity. On the basis of these numbers, Jones concluded that Vista was more secure than its open-source counterpart.

The value of the Microsoft SDL has been demonstrated in the past with applications such as Microsoft's widely used Internet Information Services (IIS), which has suffered fewer critical vulnerabilities due to increased security controls, according to Michael Sutton, a security evangelist with SPI Dynamics and former director of the Verisign iDefense labs.

Still, Sutton said he is not ready to declare a winner in this long-standing security debate. "It is encouraging to see that thus far Vista has faced fewer critical vulnerabilities," he said. "However, six months is not a sufficient time frame to pass judgment on the overall security of the operating system."

Sutton also pointed out that Vista has introduced many fundamental changes and said it will take some time before researchers have spent adequate time testing the new operating system.

What's the Value of Open Source?

A public MySQL could be a good buy as it fills the underserved market for an affordable database aimed at companies exploiting new, more interactive aspects of the Web. But can MySQL keep up the growth without adding hefty sales and marketing costs -- and getting squeezed by competitors?

For all the success of open-source software -- developers the world over flock to the code available freely over the Internet -- its purveyors able to thrive as public companies are few. Linux operating system seller Red Hat has generated billions in value for investors, but its shares have slipped 3% in the past year amid new competition. Novell, which supports a version of Linux, has been criticized for striking a cooperation deal with Microsoft seen by many as a threat to the spread of Linux.

That small community of open-source stocks may soon be widening. MySQL, a fast-growing maker of database software used by some of the Internet's most recognized brands, is preparing to file for an initial public offering, perhaps as soon as late 2007.

The offering could value the company at between $600 million and $1 billion, according to sources, and inject some pep into a tech IPO market that's seen only a handful of successful offerings in the past year. Credit Suisse is a top contender to lead the underwriting of the transaction, BusinessWeek has learned.

Tough Mindset

An S-1 filing by the Swedish software company, which grew more than 50% in 2006, to about $50 million in sales, and broke even for the first time, also could give investors a new yardstick to measure the value of open-source software, which lets users modify its code to suit their needs. "Red Hat really is a bit of a lone wolf out there in terms of public open-source companies," says Jim Zemlin, executive director of the Linux Foundation, a trade group. "Fund managers are clamoring for other benchmarks to measure open-source software companies."

Outside investment and tech circles, though, most people haven't heard of MySQL, which closed an $18.5 million round of funding in 2006 to raise its total venture backing to $39 million from investors, including Benchmark Capital. Yet MySQL's fast, inexpensive software is used by such Internet heavyweights as Google and Yahoo!, and it's making inroads into more traditional companies.

Going public could give MySQL more credibility with brick-and-mortar shops, and furnish it with currency for acquisitions. "The open-source model, as Red Hat has proven, can be extremely profitable," says Kevin Harvey, a general partner at Benchmark Capital, and MySQL's chairman. "It's not a story of profits at first; it's a story of profits you'll generate as you grow."

And MySQL would like to see considerably more growth, even before selling stock to the public. It would do that in part by upping the percentage of paying customers. Of the roughly 11 million copies of MySQL in use, the company only gets paid for about 1 in 1,000, underlining the risks of the business model governing much of open-source software: Give it away for free over the Internet and then charge large commercial users for technical support. "There are many users who will just never, never pay," says MySQL Chief Executive Marten Mickos. "It's not like we can just go in there wholesale and change that mindset." Making matters tougher, Microsoft's affordably priced SQL Server database competes with MySQL. And database software vendor Oracle has made inroads into the small and midsize business market, helping it gain share.

Many Adherents

MySQL, which a few years ago rejected a takeover offer from Oracle, is undeterred by the challenges. "We're working toward an IPO," says Mickos, a sturdy, sandy-haired Swedish Finn who migrated to Silicon Valley in 2003, two years after he became CEO following a series of executive posts in Europe. Mickos, who conducts business fluently in English, German, Swedish, and Finnish, has known MySQL's founders, including Monty Widenius, since 1981, when they studied graduate physics together in Helsinki.

MySQL has already started courting investors. It held a 2007 pre-IPO road show in New York and Boston to talk about the company's brand recognition, sales, and the appetite in the public market for an open-source software company, Mickos says. "We've gotten good feedback from some of the biggest public investors," he says.

There's reason for the warm reception. Growth at MySQL has taken off the last few years as some of the Web's hottest companies have adopted its technology. Google's ad-serving software runs on MySQL's database, as does its YouTube video site. "MySQL is a terrific database," says Chris DiBona, Google's open-source programs manager. Yahoo's Flickr photo-sharing site runs on MySQL, and the company uses the software for its finance and games sites.

Other Web companies including Wikipedia, Facebook, Craigslist, and Linden Lab's Second Life are adherents as well. "The technology was crucial to us being able to deliver so much so quickly," says Scott Dietzen, president and chief technology officer at Zimbra, whose open-source e-mail software ships with MySQL inside.

Gaining Traction

Compared with database software from Oracle, Microsoft, and IBM, MySQL's product dispenses with many features aimed at running financial software and other business applications in favor of a stripped-down approach that serves up Web pages at blazing speeds. "We grew up with the Web companies," says Mickos. "People say, 'MySQL, will you ever grow up to be an IBM?' And we say, 'No, that's the old world.'"

The company has carved a niche among Web companies that use its technology in conjunction with Linux and other open-source software to run their sites on the cheap. "That's the aspiration of these companies -- they want to grow big, but they don't want to spend a lot of money to do it," says Zack Urlocker, MySQL's executive vice-president of products. MySQL aims to sell its software for 90% less than its competitors, he says.

A public MySQL could be a good buy as it fills the underserved market for an affordable database aimed at companies exploiting new, more interactive aspects of the Web. And it's gaining traction at other companies, too. MySQL helps power Nokia's cellular network and Gap's checkout systems. NBC and The New York Times Co. are also customers. Cisco Systems, Symantec, and other tech vendors distribute MySQL with their products.

Valuation: Unknown

But can MySQL keep up the growth without adding hefty sales and marketing costs -- and getting squeezed by competitors? The company employs just 30 field sales staff out of a head count of 360 and strives to close deals more quickly than rivals. Most employees work from home. "Managing the cost of sales and marketing in an open-source company is the key to profitability," says Mickos, sitting in a small, spartan office adjacent to a sea of cubes in the company's Silicon Valley digs. "We're not just innovating in software, we're innovating in sales."

Rivals aren't taking the threat lying down. In 2005, Oracle bought a Finnish software company called Innobase, whose technology is used by MySQL. MySQL is building its own version of the software in a project code-named "Falcon," but for now must pay licensing fees to its bigger rival. And IBM and Sun Microsystems are backing an open-source database called Derby, which competes with MySQL.

How investors will value MySQL is another open question. Some reckon Red Hat, whose $4.55 billion market value is about 11 times its fiscal 2007 revenue, is a good starting point. Like MySQL, Red Hat also has millions of users and a low-cost sales model, says MySQL Chairman Harvey.

Jereme Le Blanc, vice-president at investment banker Boston Corporate Finance, says MySQL's 50%-plus growth for its size could catapult its market value well above $500 million -- if the company can convince users to keep paying for subscriptions. "That's pretty robust growth for a company that's already at $50 million," he says. MySQL's ability to keep selling service contracts for software that's also available free will affect its valuation, though. "A lot of people think the open-source market for database software is very lucrative," Le Blanc says. "It's too early at this point to gauge whether the model works."

Patch Tuesday Highlights Web-Based Malware

The number of updates Microsoft issued on August's Patch Tuesday dwarfs the number of patches released over the past several months and highlights the new frontier of Web-based attacks and next-generation media vulnerabilities, according to Amol Sarwate, manager of the vulnerability research lab at Qualys.

Get ready to roll up your sleeves. If you are in the I.T. department, you are going to be busy for a while. On Patch Tuesday yesterday, Microsoft issued its second-largest set of updates this year with nine security bulletins altogether.

The updates fix 14 vulnerabilities. Eight bugs are rated critical, four are rated important, and two are considered moderate. The patches fix holes in Windows, Windows Gadgets, Windows Media Player, Office, Excel, Internet Explorer, Visual Basic, Virtual Server, and Virtual PC.

"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," said Dave Marcus, security research and communications manager at McAfee Avert Labs. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."

Patch These First

With six critical flaws, I.T. admins are charged with targeting the most potentially dangerous of the bunch first. According to Sheldon Malm, a vulnerability researcher for nCircle, one of the most critical vulnerabilities is covered in security bulletin MS07-042, which describes the update for an XML services vulnerability. "XML is so pervasive -- it ships with so many different products and sits in so many different places on an enterprise network," he said.

Malm said he was most concerned about bulletin MS07-048, which describes three vulnerabilities in Vista gadgets. The RSS feed gadget vulnerability could allow a hacker that has gained control of a blog to create a malicious post and distribute it to everyone who subscribes to the RSS feed.

"RSS feeds have the potential to become the next big vector for worms or bots because it exploits an existing trust relationship. People place implicit trust in the security of the information source when they use RSS feeds," Malm said.

The New Frontier

This month's Patch Tuesday dwarfs the number of updates released over the past several months and highlights the new frontier of Web-based attacks and next-generation media vulnerabilities, according to Amol Sarwate, manager of the vulnerability research lab at Qualys. In total, August's updates address 14 vulnerabilities in Microsoft applications that touch all Windows users, from the home to the office.

Sarwate offered a different take on which patches are most critical to deploy first. "The most critical patch is MS07-046, fixing the Microsoft Graphics Rendering Engine in the core Windows operating system, or GDI," he argued. "Left unpatched, users that view malformed image files will open up their system to remote code execution."

In Sarwate's view, several bulletins, including MS07-044, MS07-045, and MS07-050, compete for second place as far as patching priority. Two of those patches relate to Internet Explorer and one to Microsoft Excel. All three are deemed critical because they affect extremely popular Microsoft applications.

"A typical exploit scenario would be for MS Office and Explorer users to receive and open a malformed Excel spreadsheet as an e-mail attachment or visit a Web site that hosts malformed Excel spreadsheets, at which point the machine can be compromised and overtaken by attackers," Sarwate said.

This month's release, he concluded, shatters the six-month pattern of smaller updates and is a reminder that Microsoft's Security Development Lifecycle, which grew out of Vista's development, is not infallible.

Citrix Challenges VMware with XenSource Buy

The Citrix acquisition of XenSource positions the companies squarely against VMware. XenSource's existing business allows Citrix to compete against VMware's Infrastructure 3 product today, and, looking forward, will serve as a cost-effective competitor to VMware's Virtual Desktop Infrastructure, analysts from The 451 Group said.

Hard on the heels of virtualization leader VMware's stunning IPO on Tuesday, Citrix Systems announced it is acquiring open-source virtualization company XenSource for $500 million.

Citrix expects the combined server and desktop virtualization market to grow to $5 billion within four years. The purchase means XenSource will be able to compete aggressively in that market, XenSource CEO Peter Levine said. The deal is "about steering into the 90 percent white space that is wide open, both at the server and in new emerging opportunities at the desktop," he said in a statement.

XenSource's virtualization engine is licensed under the GPL and is developed by an open-source community, including engineers at RedHat, IBM, Intel, AMD, and HP.

"Game on now: it's CitiXen-Viridian versus VMware," William Fellows, Rachel Chalmers, and John Abbot, analysts for The 451 Group, wrote in a briefing on the deal, referring to Microsoft's forthcoming virtualization software called Viridian.

The VMware Factor

At $500 million, the size of the deal -- the largest in Citrix's history -- was "undoubtedly inflated" by VMware's IPO, which valued the company at $19 billion, the analysts said. Currently, XenSource has just over 600 customers and $1 million in sales.

Even so, there are several reasons the deal was compelling for Citrix. First and foremost, the analysts said, the deal puts Citrix squarely in the virtualization game and saves Citrix "a couple of years' development."

Crucial to the deal, the analysts added, is XenSource's June 2006 pact with Microsoft, giving XenSource exclusive access to the source code for Microsoft's forthcoming virtualization offering, Viridian. "XenSource is betting the farm that exclusive access to the Viridian code will enable it to create a substantial business selling management tools."

The VMware IPO isn't the only piece of good timing behind the deal. XenSource had just released a new version of XenEnterprise that boasts substantially improved management, availability, and ease-of-use features.

The latest version marks "a major shift in strategy," the analysts said. XenSource will now focus on creating management tools for Microsoft's Viridian.

Next Up: Microsoft-Citrix?

While Microsoft won't enter the market for at least a year, the XenSource/Citrix combination positions the companies squarely against VMware. XenSource's existing business allows Citrix to compete against VMware's Infrastructure 3 product today, and, looking forward, "Xen will likely be used to underpin Desktop Server as a viable and cost-effective competitor to VMware's Virtual Desktop Infrastructure," the analysts said.

In addition, XenSource has solid connections with Symantec and Veritas, giving it a crucial link to the storage world, which might offset VMware's relationship with parent EMC.

Could this deal be a prelude to Microsoft buying Citrix? Apparently, Citrix considered buying VMware back in 2003 but was too worried about antagonizing Microsoft to complete the deal. And Microsoft's deal with XenSource "might have" turned into a full-blown acquisition. The reason it didn't happen was likely intellectual property issues over XenSource's use of the GPL. "Open source remains a sticking point for the powers-that-be in Redmond," the analysts said.

But now that Citrix has brought in XenSource, Microsoft could acquire the larger company with fewer concerns about "the awkward GPL aspects of what XenSource does," jump-start its own slow-moving virtualization development, and "not least, get its hands on the lucrative $1 billion enterprise Windows revenues now generated by (Citrix's) Presentation Server," the analysts said. Other potential Citrix suitors include HP and Cisco.

Whether this scenario unfolds, for at least the next year VMware will be the most visible visitor to CIO offices around the country. "Citrix, XenSource, and Microsoft will likely be consumed with building out, integrating and plotting for at least a year once the deal closes, giving VMware time to concentrate on sales," The 451 Group said.

Can Linux Overtake Windows in OS War?

Microsoft execs have little reason to stay up at night worrying about Linux taking over, said Pund-IT analyst Charles King. Microsoft still has a commanding lead in the market, he said, but Linux growth is real and should continue to find adoption as a generation emerges that is more technically inclined and less attached to the Microsoft brand.

While Novell's CEO is calling for Linux to expand its market, the Linux Foundation's executive director is declaring that the open-source OS is moving into its second stage of growth.

At the LinuxWorld conference in San Francisco, Linux Foundation exec Jim Zemlin told attendees what they probably already knew: The battle for computing platform supremacy is ultimately between Linux and a certain software giant in Redmond, Washington.

"Windows is not going to go away," Zemlin asserted in his Wednesday speech. Moreover, he added, Microsoft deserves respect. The way Zemlin sees it, Microsoft has done a good job executing public relations campaigns and creating doubt about open-source software and the legal issues related to its use.

The Second Stage

The Linux Foundation is combating that doubt by adding heavy-hitting legal experts to its arsenal. Karen Copenhaver and standards and consortium expert Andy Updegrove have joined the Foundation's legal team to provide leadership on legal issues affecting Linux.

"Promoting accurate and timely discussion of the legal infrastructure supporting the adoption and deployment of open-source software is key to achieving our core mission," Zemlin said. This is one way the Linux Foundation is protecting the platform as the organization continues to promote and standardize the operating system during the second stage of growth.

The fact that Linux continues to gain market share on desktops, servers, and handsets is undeniable. There are two major reasons for that, according to Charles King, principal analyst at Pund-IT. Both the operating system and the applications that run on top of it are far more user-friendly than in times past.

Dell Lends a Hand

"On the consumer side, the work Dell is doing with Ubuntu is promising. Ubuntu is gaining a lot of mind and market share as being a user-friendly consumer, nontechnically-oriented Linux OS. It's got some solid basic productivity applications attached to it," King explained.

On the enterprise side, meanwhile, Red Hat is making moves with its JBoss acquisition and Novell and IBM are teaming up to deliver Big Blue applications that play well with SUSE Linux. All this translates to more choices for companies willing to explore the alternatives.

"With Vista, there have been a number of businesses exploring the options in the face of significant investments in hardware to meet the operating system's requirements," King said. "Between Linux and the increasing sales of the Macintosh desktops and even Web-based applications like Google Apps, businesses have more choices today than they've ever had in the past."

Microsoft executives, employees, and shareholders have little reason to stay up at night worrying about Linux taking over, King added. Microsoft still has a commanding lead in the market, he said, but Linux growth is real and should continue to find adoption as a generation emerges that is more technically inclined and less attached to the Microsoft brand.

Acer Disappointed by Slow Vista Uptake

While Microsoft launched an early holiday push this week to encourage consumers to purchase Vista-enabled products from Dell, HP, Sony, and Toshiba, PCs from Acer are notably absent from the software giant's product promotions, likely due to Acer's president, Gianfranco Lanci, saying that the industry is disappointed with Vista.

The president of Acer told the Financial Times Deutschland this week that he thinks Microsoft's newest operating system, Windows Vista, gives PC users little reason to upgrade.

"The whole industry is disappointed with Windows Vista," Gianfranco Lanci told the newspaper, while indicating that the new system's stability continues to be a worrisome problem. The president of the world's No. 4 PC-maker also suggested that Vista's current low adoption rates invite a discussion concerning possible alternatives.

"I do not really think that someone will buy a new PC right now because of Vista," Lanci said. "And that will not change in the second half of the year."

Style over Substance?

Microsoft launched an early holiday push this week to encourage consumers to purchase Vista-enabled products from Dell, HP, Sony, and Toshiba. By contrast, PCs from Acer are notably absent from the software giant's product promotions for this year's holiday season.

In particular, Microsoft applauded the aesthetics of PC products such as Dell's new Inspiron 1720 notebook PC, which features "personalized hues from midnight blue to crimson red, and pearl white to flamingo pink or spring green."

But in stressing style, is Microsoft drawing attention to Vista's apparent lack of a compelling killer app? "For home users, I'm not sure they know why they would want to upgrade," said Gartner Client Computing research vice president Michael Silver. "Either the benefits are not there or Microsoft has not clearly communicated what they are."

Silver said that, for enterprises, he does not see Microsoft's Vista push to be significantly different from the one the company went through to get to Windows 2000. "For both enterprises and consumers, the benefits now are a bit more questionable, simply because Windows XP is a very good OS, as compared to the predecessors to Windows 2000, which had many issues," Silver explained.

Slow Adoption Not Surprising

During the company's earnings conference call with financial analysts last week, Microsoft said its OEM licensing grew by 11 percent in the year's second quarter, driven by demand for Vista. Moreover, CFO Chris Liddell said he sees PC growth ranging from 9 percent to 11 percent in the fiscal year ahead, with the company's client division -- to which Vista sales are posted -- poised to match anticipated market growth, step for step.

Following the conference call, two Wall Street financial analysts released client notes stating that Vista's adoption had been lower than they had expected, given that PC shipments had grown by roughly 12 percent during the second quarter, according to both Gartner and IDC.

Still, Silver said he does not find it surprising that Vista adoption has been slow thus far because it takes companies a good 12 to 18 months of testing and planning before they can bring in a new OS. "Also, the nature of the Internet has changed since 2001 and Windows XP, and there are many more venues for negative opinions to be circulated," Silver noted. "Windows Vista is likely suffering from this phenomenon."

Windows 7 in the Wings

Despite Vista's recent introduction, Microsoft is already talking about having its next-generation OS, known simply as Windows 7, ready to go in three years. "In terms of Windows 7, there's always something new around the corner," Silver noted.

Enterprises should not try to skip Windows Vista, advised Silver. "It increases the risk because Windows XP will be pretty old by 2011." Even if Microsoft is on time with a new release, he said, companies can't adopt that OS for 12 to 18 months after it ships.

Given all the work involved in upgrading from one OS to the next, is it likely that many PC users will simply stick with XP until the next OS rolls around? Microsoft has a pretty clear support timeline, Silver said. "They could come out with new features for Vista that they don't make available for XP, but it's pretty hard for them to reduce the XP support time."

HP Snaps Up Two Software Companies

HP's move to buy Opsware for $1.6 billion follows a strategic relationship the companies forged in 2003 in which Opsware provided its automation center to HP's Utility Data Center, a virtualization solution. In addition, the purchase of Opsware complements HP's acquisition last year of Mercury Interactive for approximately $4.5 billion.

Hewlett-Packard announced on Monday that it will acquire two companies expected to improve the Silicon Valley giant's business technology offerings. Opsware, a data center automation software company founded by Netscape creator Marc Andreessen and acquired for roughly $1.6 billion, will boost HP's data center portfolio, while Neoware, acquired for $334 million, will help HP with thin-client technology.

HP plans to have Opsware CEO Ben Horowitz lead its business technology optimization group. Neoware will join HP's business desktop unit.

"This is an incremental opportunity for HP to help companies manage data centers more appropriately," said Brian Babineau, senior analyst for Enterprise Strategy Group. The purchase enhances HP's position by adding data center infrastructure management to their existing expertise in process management, he said. Opsware gives HP "the ability to deploy servers, automate configuration, do patch management ... to automatically identify issues and take action," Babineau explained.

Complements Mercury Buy

The move to buy Opsware follows a strategic relationship the companies forged in 2003 in which Opsware provided its automation center to HP's Utility Data Center, a data center virtualization solution. In addition, the purchase of Opsware complements HP's acquisition last year of Mercury Interactive for approximately $4.5 billion. While Mercury's strength is in addressing performance bottlenecks and service-oriented architecture governance, Opsware's offerings will help HP get into "automated management of servers, storage, and network," Babineau said.

Marc Andreessen founded Opsware as Loudcloud in 1999; it went public in 2001. The company was hit hard when the bottom dropped out of the tech market, and in 2002 sold off its managed network services business to EDS and reinvented itself as Opsware. It boasts 350 customers, including major financial and technology companies as well as the Defense Department.

Opsware's technology provides the ability to automate deployment and management of servers and storage. In combination with Mercury's offerings, if customers "want to deploy, they will be able to tune and optimize and deploy in an automated fashion," Babineau said. "Opsware can help deploy new servers and servers with configurations that comply with best operating procedures and internal or external rules."

Higher Scale Automation

In a statement announcing the Opsware acquisition, Thomas E. Hogan, senior vice president for HP Software, said the deal will enable HP to help customers resolve "one of their critical pain points: controlling the increasing complexity and cost of managing the data center."

Existing Opsware customers might see the acquisition as protecting their investment in the company's technology, Babineau said. "They'll have a much bigger company that owns the technology," he noted. For HP customers, the deal represents one more arrow in HP's quiver. "Customers will be able to do the majority of their data center purchasing through HP."

Announcing the news on his blog, Andreessen wrote that the deal means the company's vision will now get delivered at much higher scale. "Being part of HP's software business," he wrote, "will ensure that our software will be used by a much larger number of organizations and have an even more dramatic impact on the industry than we would possibly have been able to reach by ourselves over the next several years."

A Premium Valuation

While the Neoware deal is much smaller, Babineau said, it is also an important acquisition. "When you're trying to control and manage desktops as a customer, you might have outsourced that to a company like EDS," Babineau said. Customers now will be able to buy those services directly from HP.

HP paid $14.25 a share in stock for Opsware, a 39 percent premium on the pre-announcement stock price. "That's good for Opsware," Babineau said. "It's expensive in my opinion. Opsware had been treading water. They had a reasonably stable business but it hasn't been a rock star." It's especially good for founder Marc Andreessen. The Netscape creator will pick up a cool $138 million in the deal, on the basis of his ownership of 9.7 million shares.

Counting Clicks: Monitoring PC Usage at Work

If your business has started to find too many employees endlessly surfing the Web, constantly instant messaging their friends, or spending too many hours viewing the latest YouTube videos at work, it may be time to check out some of the software tools now available for tracking who's doing what with your company computers, on company time.

"Every key you strike, every site you surf, every note you send, every chat you start, we'll be watching you ..." The Police's timeless anthem to lovelorn paranoia and obsession could easily be turned into a catchy soundtrack celebrating employer eavesdropping on employee computer and Internet habits.

Employers who are tired of paying employees who fritter their working hours away surfing eBay for deals or managing their fantasy football squads are increasingly turning to monitoring software to track what employees do with their computers. Such software brings technological sophistication to the table that bosses love and workers fear.

The Web Giveth and the Web Taketh Away

There is no doubt the Internet has been revolutionary for corporate America, placing an incomprehensibly vast storehouse of information just a few mouse clicks and keystrokes away and contributing immensely to employee productivity. The problem is, the Internet is also a vast source of entertainment: from porn sites to online chat rooms to gambling sites, there is a Web site catering to just about every vice and time-wasting habit.

Naturally, employers are increasingly keeping tabs on what employees are doing online. The 2005 Electronic Monitoring and Surveillance Survey conducted by the American Management Association and the ePolicy Institute found 76 percent of employers monitor employee Web surfing, and 65 percent use software to block inappropriate Web surfing. And, statistics show the tried and true "I didn't know" excuse doesn't work anymore: over 80 percent of companies notify their employees they monitor content, keystrokes, and time on the keyboard, store and review employee files, and retain and review e-mail messages.

It might sound hypocritical, but most employers probably don't mind perpetuating workers' e-addictions, just as long as the information they're processing is work-related. The problems start when employees use their PCs, laptops, or mobile devices for "extracurricular" computing activities. This is why so many employers find monitoring software so appealing.

The Tale of the Tape

So, how do monitoring programs work? In general, monitoring software allows employers to capture and maintain an ongoing log of employee online and PC activities. Usually, these programs store information in a database, which employers can then use to create reports summarizing employee activity.

For example, SpectorSoft's Spector 360, the company's "flagship" enterprise product, records Web site visits, inbound and outbound e-mail traffic, chats and IM, keystrokes, file transfers, and even documents printed and applications launched. One of the software's niftier features is the ability to screen capture employee activities.

Granted, nifty is in the eye of the beholder -- or the watcher -- but it's hard to deny the effectiveness of photographic evidence: after all, it's awful hard for a gaming addict to argue their case when the boss is armed with full color screen captures. (Memo to those who insist on a daily dose of gaming: do it at home or risk getting an unexpected permanent vacation.)

Spector 360 stores all this information in a database. Employers who want to see the results can access the information using more than 50 built-in reports, some with charts, summarizing the information. These reports can be used to zero in on a single employee's surfing habits or to provide an overall view of online usage patterns for an entire department or business.

Is online shopping universally popular across departments, or just a distraction in accounting? Is online poker only a problem in the manufacturing department, or is everyone from the boardroom to the mailroom preparing to go on the pro poker circuit? Inquiring employers now have the tools to know.

Filtering with Policies

Other types of employee monitoring programs work a bit more proactively by enforcing Internet usage policies and blocking employee access to sites blacklisted by administrators.

Websense Enterprise does this by enabling administrators to implement custom Internet usage policies from a centralized management console. The program also enables admins to filter Internet access using the Websense Master Database, with filtering actions such as Allow, Block, Continue, Quota, Block by Bandwidth, and Block by File Type.

Like other monitoring programs, Websense is armed with a wide variety of reporting options to give managers and administrators the summary information they need to monitor their policies and tweak them as necessary.

Spytech Software's SpyAgent is another example of a monitoring program that actively tracks employee activity. This software logs keystrokes, Web sites, applications launched, Internet connections, files opened and printed, chat conversations, e-mail sent and received, etc. The list goes on and on. As with other popular programs, SpyAgent records virtually everything and allows administrators to create extensive reports documenting employee online activities.

For those who need to create a usage timeline, SpyAgent's Events Timeline feature lets administrators view logged events in chronological order. Think of it as a faithful chronicle of wasted time spent web surfing, e-mailing, and chatting. And yes, the company even promotes the use of its software for spousal monitoring. Now bosses can keep tabs on their spouses. What a deal!

There are many other examples of software designed to track, monitor, or filter employee PC and online habits, including PC Acme Professional, Realtime Spy, Spy Agent, and NetVizor.

Bottom line: when it comes to spying on employees, employers have a huge arsenal of tools at their disposal.

Is It Right?

Peggy Eisenhauer, founder of Privacy and Information Management Services, a law firm specializing in assisting industry with privacy and security compliance solutions, says CEOs need to be sure their organizations are managing risks properly and detecting security threats and breaches.

"Appropriate employee monitoring," adds Eisenhauer, "is an essential part of this process."

But, employers should strive to strike the right balance between privacy and monitoring by considering all the factors, she adds. For example, employees in the financial services, healthcare, education, and other sensitive industries should expect monitoring commensurate with business risk, says Eisenhauer. In addition, employees with access to sensitive data, such as I.T. and H.R. personnel, should also be subject to monitoring with regard to the sensitivity of the information they handle, she adds.

Also, says Eisenhauer, employees should be informed about the level of monitoring with transparency, so they know what to expect. Multinational companies should understand that employee monitoring programs outside the U.S. are subject to many other legal requirements, she warns.

For employees, the calculation is straightforward. As Eisenhauer points out, employees should expect all activities at work or some other public place to be subject to some level of scrutiny.

"Employees should govern themselves accordingly; if you want to send a private message or enjoy adult Web sites, you should use your personal PDA or home computer," says Eisenhauer.

It's actually pretty simple: in a world where technology is plentiful and the legal climate is favorable (at least in the U.S.), employees should come to work with no presumption of privacy when it comes to online and computing activities. Workers who don't want to run afoul of the boss' Internet usage policy should police themselves and save their personal online activities for after-hours.