The high-profile troubles on the city of San Francisco's computer network continue, despite a dramatic jailhouse intervention by the city's mayor this week.
While the city has regained control of the five devices at the heart of its FiberWAN network, which carries data between city government buildings, administrators are still locked out of the city's VoIP system and local LANs within the Sheriff's Department and the Recreation & Park Department. Assistant District Attorney Conrad Del Rosario revealed the ongoing problems Wednesday at a bail hearing for Terry Childs, the former network administrator with the city's Department of Telecommunications and Information Services (DTIS) who is accused of holding the city's networks hostage for the past 10 days.
During that time, the networks have functioned normally, but IT staffers have been unable to make administrative changes to some of the city's critical routers and switches.
Childs' attorney, Erin Crane, had moved for a reduction in the $5 million bail set in the case. San Francisco Superior Court Judge Lucy McCabe denied that motion Wednesday.
Childs' defense has portrayed him as a capable engineer, surrounded by incompetent management, who simply didn't trust anyone with the administrative passwords to the five network devices at the heart of the FiberWAN. On Monday, Childs had a secret meeting with San Francisco Mayor Gavin Newsom where Childs turned over the passwords.
Del Rosario argued against any reduction of bail, noting that Childs handed over the passwords only after a scheduled July 19 power outage at the city's One Market Street datacenter failed to take down the FiberWAN. Because Childs did not store network configuration files on the routers' hard drives, a power outage would wipe this information out of memory, disabling the network until it was reconfigured, he said.
The assistant DA said it was "extremely suspicious" that Childs only communicated with the mayor after the network did not go out of service.
In court filings, prosecutors say they do not know where these critical router configuration files are located.
As the city's principal network engineer, Childs worked on about 1,100 networking devices throughout the city, Del Rosario said. Even with the FiberWAN passwords, there are still questions about the rest of these systems. "We do not know whether we have control of these devices," he said.
Crane said that her client was the victim of jealous co-workers who were upset because his good work made them look bad. "I think the entire thing is specious," she told the judge. "This is a DTIS management problem."
This is not Childs' first time in criminal court. He also served four years in a Kansas prison on aggravated robbery and aggravated burglary charges, prosecutors said. Those charges stem from an incident that occurred when Childs was 16 years old, Crane said.
The court also ordered Childs to stay away from several of his former co-workers, including Jeana Pieralde, the DTIS director of security who was allegedly so afraid of Childs that she locked herself in a room in the data center, and his former supervisor Herb Tong, whom Childs felt was undermining his work at the department.
Prosecutors say that police found bullets when they searched his Pittsburg, California, home on July 13.
In a brief appearance before reporters after the hearing, Crane said that she and Childs were "deeply disappointed that bail had not been reduced."
Childs' next scheduled court date is a Sept. 24 pretrial hearing.
Intel is readying a second release of the Moblin open-source platform for mobile computing, with plans set for an alpha-level version in a few weeks, an Intel official said at the O'Reilly Open Source Convention (OSCON) in Portland, Ore. on Wednesday.
Moblin is a project for mobile Linux that is centered on a range of devices, with Intel eyeing Moblin for its Atom processor for mobile systems. "Our focus as a company right now is on the Atom platform, but I'm sure other people in the community will drive it [in] other directions," said Dirk Hohndel, chief Linux and open-source technologist at Intel.
Intel is putting together the software stack for Moblin 2, featuring a forking off of Fedora and the Gnome mobile stack. "We're going to open this up to the public," Hohndel said. "I want to see the community that really takes this project and runs with it and makes it their project."
Hohndel stressed that Intel was firmly in the open-source camp. "Open source is something that we believe really helps change the game," Hohndel said.
Also at the conference Wednesday, O'Reilly Media CEO Tim O'Reilly brought up two MySQL dignitaries from Sun Microsystems to quiz them on how things were going since Sun acquired the open-source database company earlier this year. The two MySQL officials, Michael Widenius and Brian Aker, waxed positive about the merger.
"It's actually been really rewarding," Aker said.
"Sun has given us more free hands to do what we want to do," said Widenius.
Commenting on Sun's switch from a proprietary to open-source software company, Aker did note that there are inevitable tensions when engineers have to go public with their code.
Aker also called Microsoft "irrelevant." Additionally, he said he wanted a new iPhone but hoped that Google would get its Android systems out fast enough, and working well enough, that he could use one.
An audience member asked why the open-source world cannot do anything as "insanely great" as the iPhone. O'Reilly cited potential developments in that direction, such as Android and Openmoko.
One of the hot topics on the VMware Forums lately has been about the advisability of using virtual firewalls within the VMware Virtual Infrastructure. The main question is whether it's a good idea.
The general answer is yes; they work well enough for most experts to recommend them. However, the more specific answer depends solely on how you have set up your physical and virtual networks and the purpose of the virtual firewall.
Is your purpose to protect all VMs attached to a virtual switch from other VMs on the same virtual switch? You can achieve this with a virtual firewall only if you use portgroups and firewall between different portgroups.
Is your purpose to protect all VMs attached to a virtual switch from other VMs on different virtual switches? You can achieve that by having a virtual firewall between the protected virtual switch and up to three other virtual switches. Why three? There is a limitation on the number of virtual NICs available to a VM.
Is your purpose to firewall a DMZ attached to the outside world from the inside world? This is also achievable with a virtual firewall; however, it requires multiple physical NICs attached to different pSwitches or VLANs within your physical network. It also applies the principle of vSwitch-to-vSwitch protection.
The other big question is which virtual firewall to use. There are several contenders: Smoothwall, m0n0wall, and a host of others. There is also the possibility of running the software from a hardware firewall within a VM, but that depends on the vendor: whether the OS used inside the hardware firewall can be virtualized, whether the vendor supports doing so, and whether some form of instructions for doing so exists.
The Smoothwall folks for example sell a hardware appliance as well as provide an installable image for a Virtual Machine.
The main concern about using a virtual firewall is to ensure isolation of those items to be protected with proper virtual and physical network layout.
The other concern is that, unless you make some low-level modifications, VMs attached to a vSwitch that is not itself attached to a physical NIC cannot participate in VMotion, the ability to move VMs from virtualization server to virtualization server without powering them down.
This last item may dissuade people from using virtual firewalls but it will not stop me. I use them and recommend them as a solution to an often tricky problem that requires them. However, due diligence with your network layout is absolutely required.
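The three layouts above (portgroup to portgroup, vSwitch to vSwitch, and DMZ on separate physical NICs) plus the VMotion caveat can be checked against a simple model of the virtual network. The following is an added example, not code from the column or from VMware; it assumes each portgroup is its own VLAN (so it is a distinct Layer 2 segment) and a ceiling of four vNICs per VM (the protected switch plus "up to three other virtual switches").

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumption: the vNIC limit alluded to above is four per VM
# (the protected vSwitch plus up to three others).
MAX_VNICS_PER_VM = 4


@dataclass(frozen=True)
class VSwitch:
    name: str
    # Physical NICs (each on its own pSwitch or VLAN) feeding this vSwitch.
    # An empty tuple means an internal-only vSwitch with no uplink.
    uplinks: Tuple[str, ...] = ()


@dataclass(frozen=True)
class VNic:
    vswitch: str
    portgroup: str  # assumption: one VLAN per portgroup, so one L2 segment


@dataclass(frozen=True)
class VM:
    name: str
    nics: Tuple[VNic, ...]
    is_firewall: bool = False


class Topology:
    def __init__(self, vswitches: Iterable[VSwitch], vms: Iterable[VM]):
        self.vswitches = {s.name: s for s in vswitches}
        self.vms = {v.name: v for v in vms}
        for vm in self.vms.values():
            for nic in vm.nics:
                if nic.vswitch not in self.vswitches:
                    raise ValueError(f"{vm.name}: unknown vSwitch {nic.vswitch}")

    @staticmethod
    def segments(vm: VM) -> Set[Tuple[str, str]]:
        return {(n.vswitch, n.portgroup) for n in vm.nics}

    def shares_segment(self, a: str, b: str) -> bool:
        """True when both VMs sit on one segment: their traffic never reaches a firewall."""
        return bool(self.segments(self.vms[a]) & self.segments(self.vms[b]))

    def firewall_between(self, a: str, b: str) -> Optional[str]:
        """Name of a firewall VM with a vNIC on a segment of a and on a segment of b,
        or None. A firewall only helps when the two VMs share no segment."""
        if self.shares_segment(a, b):
            return None
        seg_a, seg_b = self.segments(self.vms[a]), self.segments(self.vms[b])
        for fw in self.vms.values():
            if fw.is_firewall:
                seg_fw = self.segments(fw)
                if seg_fw & seg_a and seg_fw & seg_b:
                    return fw.name
        return None

    def vnic_violations(self) -> List[str]:
        """VMs (typically the firewall) that need more vNICs than a VM can have."""
        return [v.name for v in self.vms.values() if len(v.nics) > MAX_VNICS_PER_VM]

    def shared_uplinks(self, sw_a: str, sw_b: str) -> Set[str]:
        """Physical NICs two vSwitches both use. For a DMZ vSwitch and the inside
        vSwitch this must be empty: the DMZ needs its own pNIC, pSwitch or VLAN."""
        return set(self.vswitches[sw_a].uplinks) & set(self.vswitches[sw_b].uplinks)

    def vmotion_blocked(self, vm_name: str) -> List[str]:
        """vSwitches used by this VM that have no physical uplink; a VM on such a
        switch cannot be VMotioned without low-level changes."""
        return sorted({n.vswitch for n in self.vms[vm_name].nics
                       if not self.vswitches[n.vswitch].uplinks})


def build_example() -> Topology:
    # Constructed layout: DMZ and inside vSwitches on separate pNICs, plus an
    # internal-only vSwitch whose two portgroups are firewalled from each other.
    switches = [
        VSwitch("vSwitchDMZ", uplinks=("vmnic0",)),
        VSwitch("vSwitchInside", uplinks=("vmnic1",)),
        VSwitch("vSwitchInternal"),  # no uplink: isolated, but blocks VMotion
    ]
    vms = [
        VM("web", (VNic("vSwitchDMZ", "dmz"),)),
        VM("db", (VNic("vSwitchInside", "inside"),)),
        VM("app-a", (VNic("vSwitchInternal", "pg-a"),)),
        VM("app-b", (VNic("vSwitchInternal", "pg-b"),)),
        VM("app-b2", (VNic("vSwitchInternal", "pg-b"),)),
        VM("fw", (VNic("vSwitchDMZ", "dmz"), VNic("vSwitchInside", "inside"),
                  VNic("vSwitchInternal", "pg-a"), VNic("vSwitchInternal", "pg-b")),
           is_firewall=True),
    ]
    return Topology(switches, vms)


if __name__ == "__main__":
    t = build_example()
    for a, b in (("web", "db"), ("app-a", "app-b"), ("app-b", "app-b2")):
        print(f"{a} <-> {b}: firewall={t.firewall_between(a, b)}")
    print("vNIC violations:", t.vnic_violations())
    print("DMZ/inside shared uplinks:", t.shared_uplinks("vSwitchDMZ", "vSwitchInside"))
    print("VMotion blocked for app-a on:", t.vmotion_blocked("app-a"))
```

Note that app-b and app-b2 share a portgroup, so no firewall VM can sit between them; that is the "same vSwitch, same portgroup" case the column says a virtual firewall cannot cover.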
Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
A year after creating an online open-source software development community to take on SourceForge.net and other rivals, the development team at Ubuntu Linux will be the first to admit that they still have a long way to go to achieve the popularity of their competitors.
Ubuntu's beta community, called Launchpad, debuted last July and has seen a huge increase in the number of open source projects under development, from 1,500 projects at the start to about 7,000 today.
While that's a sizable increase, it still pales compared to the number of open source projects hosted on its more popular and well-known rival, SourceForge.net, where about 150,000 open source projects are available today.
For users, Launchpad offers an open source software hosting and development collaboration Web site similar to SourceForge.net, but there's one big difference according to Ubuntu -- code and other resources posted on the site can be shared back and forth across all the open source projects that are underway there.
That, said project manager Christian Reis, makes Launchpad a more collaborative environment for projects that could eventually refine the way open source software is developed.
Reis, known in the open source community as "kiko," talked about the scheduled debut next week of the new Version 2.0 of Launchpad yesterday at the 10th annual O'Reilly Open Source Convention. The new version will be announced next week by Canonical, the commercial sponsor of Ubuntu Linux.
On other development sites, he said, "there's not a lot of communication between" open source projects. "Launchpad, as part of its core strategy, seeks to encourage sharing. This is where we think it makes a big difference for us."
The biggest open source development project on Launchpad is Ubuntu Linux itself, he said, including management of packages, bug tracking and foreign language translations.
And while the number of projects hosted on Launchpad has grown, Ubuntu has learned a lesson in the project's first year. That lesson, he said, is that "it's very difficult to break new ground" in the project development arena because of the entrenched nature of SourceForge.net's community. Most of Ubuntu's efforts so far have been by word of mouth, but that's a slow process.
Other large-scale open source projects are also coming aboard the Launchpad community. MySQL began using Launchpad about a month ago for its development, he said.
With Launchpad, developers don't need to get prior permission to contribute code or create a new direction in a project, unlike traditional open source software development models. Project leaders still ultimately have final say on what does and doesn't make it into the final code, but individual developers have more leeway in trying new ideas and getting feedback from others.
Here, developers can put up projects or code and "people discover it," he said.
By including Ubuntu in the pool, the development of many other related open source applications can also be found on Launchpad, including projects involving Mozilla Firefox, GNOME, KDE, and others. "You really have to understand how much Ubuntu is a magnet for other open source applications," he said.
"Launchpad is about lowering the barrier for participation so that anybody in the community can come in and add a translation or make a new version of your source code or help you manage your bugs," he said. "We're mating the idea of facilitating collaboration between projects. It's the next generation of project hosting."
Unveiled last July, the Launchpad Personal Package Archive service provides a new way for developers to build and publish packages of their code, documentation, artwork, themes and other contributions to free software.
It's been a busy month for Ubuntu Linux. Several weeks ago, Ubuntu announced that for the first time, a retail boxed version of the operating system will be sold to consumers with support for $19.99 at Best Buy stores.
Computerworld is an InfoWorld affiliate.
Oracle Wednesday unveiled a suite of access management tools including a new server that provides controls to fine-tune user privileges.
The Oracle Access Management Suite is a bundle of software the company has collected from the acquisitions of Oblix, Bharosa, and BEA. The suite provides users with a range of authentication and authorization technologies to support Web application single sign-on (SSO), strong authentication, fraud protection, and cross-enterprise federation and SSO.
In addition, Oracle released what it calls the Entitlements Server, which is a rebranding of the former BEA AquaLogic Enterprise Security software. The server relies on policies and user attributes such as title or location to craft sophisticated access controls around any network resource including documents.
The Entitlements Server supports Extensible Access Control Markup Language (XACML) for policy interoperability.
The other servers in the suite are the Adaptive Access Manager for strong authentication and fraud protection, Access Manager for Web SSO, and Identity Federation for cross domain access controls.
Oracle will continue to sell the pieces separately.
The suite also integrates with middleware including Oracle Fusion, Oracle applications, Office SharePoint Server, IBM WebSphere and BEA Weblogic.
Oracle officials say they have done integration and certification around the products to ensure that they work together, but clearly the company has work ahead of it to mold the four pieces into a cohesive unit.
"It is relatively easy to put together a strategy and vision for all of this, but the engineering work is going to be significant for them," says Gerry Gebel, an analyst with the Burton Group. But Gebel says the move toward entitlement management is a good one for Oracle, which has been buying up companies to gain its foothold in the identity market.
"The entitlement management market is one that is really immature," Gebel says. "But Oracle has one of the better products and they are in a good position."
The Entitlements Server, Access Manager and Identity Federation are all deployed behind the firewall, while the Adaptive Access Manager installs as a proxy protecting the Web infrastructure. The servers can be integrated with corporate directories that support the Lightweight Directory Access Protocol.
"The thing we saw over the last two to three years was that customers were piecing all these elements together as they built a comprehensive strategy," says Amit Jasuja, vice president for identity management at Oracle. "They were dealing with all the integration, certification, patching."
Jasuja says Oracle expects the new suite to compete with offerings from IBM, Sun, and CA.
The Oracle Access Management Suite is priced at $45 per internal user and $12 per external user.
Network World is an InfoWorld affiliate.
The iPhone 3G may have a lock on the Sexiest Gadget Alive title for 2008, but in the frumpy and boring world of things that matter to enterprise IT managers, it's no pinup.
Despite Apple's improvements upon the previous iPhone, primarily through its licensing of Microsoft's ActiveSync technology, the 3G and its iPhone 2.0 software remain less competent and less tested than their BlackBerry and Windows Mobile counterparts.
"From an IT support standpoint, you want a hardened device, something you can fire and forget," said Todd Christy, president and CTO of Pyxis Mobile, a smartphone application maker. "I think the iPhone is cool, but it isn't there from an enterprise standpoint."
"It's a great product but has a ways to go," said a senior IT official at a large U.S. business who, after evaluating the iPhone 3G, chose not to deploy it, citing weaknesses in configuring, securing and supporting the iPhone up to enterprise standards.
"A year after Apple comes out with a consumer device, these kinds of enterprise things are not going to happen magically," said the official, who declined to be identified.
So on exactly what tracks does the iPhone still lag?
1) Manageability and security
When it comes to employees' smartphones, IT managers may seem like the worst kind of control freak. And for good reason -- nothing is as easily lost or stolen as a smartphone, along with its corporate data.
RIM's ability to ease IT managers' worries has been key to the BlackBerry's success. It introduced device management software, BlackBerry Enterprise Server, at the same time it launched the device itself back in 1999. Today BES, as it is affectionately called, lets IT managers enforce more than 200 security and other IT policies, as well as create their own.
Microsoft is attempting to challenge BES' dominance. Earlier this year, it released System Center Mobile Device Manager. SCMDM, as it is often abbreviated, gives IT managers 125 built-in policies for managing Windows Mobile 6.1 phones, as well as the ability to create their own.
SCMDM's biggest strength may be its integration with the popular Active Directory technology, which lets IT managers reuse their carefully tweaked set of employee privileges and access rights with little extra work.
Jonas Gyllensvaan, CEO of mobile management software vendor Conceivium Inc., expects SCMDM to "make big inroads by the end of the year."
For IT managers not on SCMDM, their experience remains firmly in the second tier, with 45 policies available to them via Microsoft Exchange 2007 SP1's ActiveSync. Policies include numerous ways to manage passwords, control whether phones and storage cards must be encrypted, and turn on or off the phone's camera, consumer e-mail account, or text messaging.
"That's still very robust, and a lot more than what the average IT person in the mid-market or enterprise needs," said Scott Gode, vice-president of marketing and product management for Azaleos, a provider of outsourced Exchange server management.
The iPhone 3G uses the same ActiveSync technology in Exchange 2007 SP1, but experts place the iPhone in a third tier. "The Windows Mobile implementation of ActiveSync is, from an IT admin point of view, far superior," said Ahmed Datoo, vice-president of product marketing for mobile software maker Zenprise Inc.
Why? Because many ActiveSync features are missing. Those features include the ability to limit users from downloading some or all third-party software, the ability to turn off expensive international data roaming, and the ability to natively encrypt data on the iPhone or its storage card.
The lack of native encryption is the iPhone's "one failing," said Glenn Edens, an independent mobile consultant, who is otherwise bullish on the iPhone 3G. "Remote wipe helps but is not good enough."
Without encryption, the District of Columbia, which is testing the iPhone 3G now, would only deploy the iPhone 3G by keeping key applications and data off the device, said Vivek Kundra, CTO of the governmental body.
At least one ISV, SplashData, has already come up with a third-party encryption app. But as David Gewirtz, an e-mail security expert, put it, "everybody prefers stuff from the manufacturer."
The dearth of built-in management features is in contrast with the iPhone's many built-in consumer features, such as its 2-megapixel camera, its music and video player and fast Web browser. These all create more potential security and compliance problems and ways for the device to be misused.
For instance, employees goofing off by downloading TV programs from iTunes can "interfere with other users trying to run critical applications across the same wireless LAN network," said David Messina, vice-president of marketing for network management software maker, Xangati Inc. "Think about environments like hospitals, where WLANs are critical to patient care."
For sure, Apple won't stand still. But for now, its enterprise manageability is "enough for it to gain a beachhead, but not enough long-term for Apple to get the market share it wants," Gode said.
2) Network and deployment
The iPhone has one advantage over RIM: All messages and updates are routed directly from server to smartphone and vice-versa.
Syncing with a BlackBerry, meanwhile, requires updates to be sent to RIM's Canadian network operations center, outside of a corporate firewall. That NOC has been prone to failure in the past year, frustrating BlackBerry users.
So score one for the iPhone -- and Windows Mobile, for that matter -- versus RIM. However, application and patch deployment is another matter.
Most consumers will add applications to their iPhone via the iTunes client, which connects to the Web-based AppStore controlled by Apple.
That setup is unacceptable to most companies, who generally prefer a larger degree of control over what, which and how applications are added to employee smartphones.
There are two alternatives, one existing now and one slated for the future. The first is enabling the setup of an 'ad hoc' restricted list of iPhone users who are allowed to download a given app via AppStore. Ad hoc distribution is available today, though there are many reports of problems. Moreover, it doesn't scale past 100 users, making it suitable only for smaller firms or workgroups.
The other is letting companies essentially run their own mini-version of AppStore on their own servers so they can oversee which apps are served up to the copies of iTunes running on employees' PCs. Employees connecting their iPhones via cable to their desktop or laptop computer then automatically receive applications uploaded to their devices.
There are several problems. For productivity reasons, many companies don't want to allow employees to install iTunes on their work PCs. Moreover, relying on employees to sync their iPhone with their PC is slower and less reliable than directly pushing out apps, updates or patches wirelessly, which both BlackBerry and Windows Mobile allow.
Finally, Apple hasn't said when enterprise deployment will be available. Some observers don't think it will arrive until the middle of next year.
Rob Woodbridge, CEO of Rove Mobile, a maker of systems management software for smartphones, thinks Apple at that time needs to bring out a full-fledged solution along the lines of BES or Microsoft's SCMDM, one that enables IT folk to install more policies and apps wirelessly.
"That's what they need to do if they really want to sell into the enterprise," he said.
3) Technical support
Big companies are used to getting the white-glove treatment for the big bucks they spend. Is Apple, which has little enterprise presence, up to providing that? What about AT&T?
Not according to the unnamed IT official, who said multiple, escalating levels of support -- widely available for BlackBerry and Windows Mobile users -- didn't appear to be an option today.
"Would we even have an Apple account management team to support us? Probably not," the official said.
Others, such as Ahmed Datoo, vice-president of product marketing for mobile software maker Zenprise, say reports of 'bricked' iPhone 3Gs and unavailable MobileMe services earlier this month don't build confidence, either.
As a result, says Xangati's Messina, companies wanting to deploy iPhones on a wide scale need to resign themselves to beefing up their own in-house support.
"The iPhone is going to be a mobile enterprise device in the same vein as a laptop. If there are issues with it, the help desk is going to have to be involved," Messina said.
4) Application ecosystem
Having 500 applications available at the iPhone 3G's launch was impressive. And no doubt that number will grow, fast. But the fact remains that there are more than 18,000 applications available for Windows Mobile at public Web storefronts such as Handango.com.
And while the BlackBerry platform remains difficult for developers, there are still nearly 4,000 BlackBerry apps at Handango.com, along with thousands more custom business apps.
Of course, many business apps have already been ported over to the Web. For these, no porting is needed -- iPhone users can simply fire up Safari. But many applications still run better as clients. And some of those ISVs, such as Rove Mobile, say they are in no hurry to port their products over to the iPhone.
5) Cost and carrier choice
The iPhone 3G may only cost $199, but its true cost over the life of a typical two-year contract with AT&T is at least $2,000 (including voice plan, unlimited data plan and $5/month for 200 text messages). Pricey for a consumer toy, but comparable to a BlackBerry or Windows Mobile smartphone.
Rather, the true cost for an enterprise switching to the iPhone comes from the substantial investments in money, time and personnel those firms have already made in BlackBerry devices, multi-year contracts, BES servers, and the like.
And there is the matter of Apple's preference to sign a single carrier in each market for the iPhone, in contrast to the multi-carrier availability of BlackBerries and Windows Mobile phones. The District of Columbia's Kundra says the biggest hurdle to deploying the iPhone widely is AT&T's spotty geographical coverage.
Their surveys said...
Only 1 out of 25 senior wireless executives queried by Immobile.org for a poll earlier this month expect both corporate IT admins and employees to embrace the iPhone. Three out of four expect the iPhone to make few inroads and for Research In Motion, the maker of the BlackBerry, to maintain or strengthen its lead.
Another survey, by investment bank Goldman Sachs, found that 17 percent of 100 Fortune 1000 CIOs polled plan to buy an iPhone, though the Wall Street Journal, which reported the survey, opined that the figure "strikes us as pretty high." The survey also did not ask those CIOs how many iPhones they plan to buy -- a key point.
"I think companies will start to put the iPhone on their approved list, but I don't see many making it their standard-issue device," said Gyllensvaan.
The lust created by the iPhone 3G could even end up helping its competitors. Rove's Woodbridge thinks that IT managers may try to steer employees demanding an iPhone 3G to sexed-up BlackBerries such as the upcoming Bold and Thunder models, or to touchscreen-based Windows Mobile phones such as the HTC Touch Diamond.
Computerworld is an InfoWorld affiliate.
Ubuntu Linux Founder Mark Shuttleworth urged development of a Linux desktop to rival what Apple has done in this space and aired a vision of software changing the world.
Shuttleworth, speaking at the O'Reilly Open Source Convention (OSCON) in Portland, Ore., on Tuesday evening, also urged development of a new revenue model to fund free software and set his sights on a services-based mechanism for this. He also stressed the importance of interoperability with Windows.
Shuttleworth, of Canonical, emphasized development of the Linux desktop as well as mobile development.
"Can we go right past Apple in the user experience we deliver?" Shuttleworth asked the audience. There is a profound challenge in the Linux desktop during the next two years to build this type of desktop.
"Certainly on the desktop experience we need to shoot beyond the Mac, but I think it's equally relevant [in] the mobile space," said Shuttleworth.
"The challenge for us is to figure out how to deliver something which is crisp and clean," without sacrificing the community process, he said.
An audience member mentioned issues that would emerge in developing an Apple-like desktop in the free software world.
"It would be hard to do from a free software point of view, I think, because so many people have so many different opinions," said Brad Cavanagh, data reduction software engineer at the Joint Astronomy Centre in Hilo, Hawaii.
"That's not to say you can't get good things out of open source. Obviously, you can, but it's going to be tough," Cavanagh said.
Shuttleworth cited the need for newer business models, beyond advertising for free software.
"We had the Web for quite a long time before we figured out how [to do] ad-funded Web businesses," said Shuttleworth. But he said he did not see how advertising could fund Web-based applications and free software applications. He instead noted an emerging emphasis on services, calling services the engine for funding investments in free software.
"I think advertising works very well in the search case, but I don't think it's the sort of final solution in terms of business models to drive investment in free software," Shuttleworth said. "A more general view of services is required."
There will be tremendous innovation and experimentation with services, he said.
The free software world is in a quest for a complementary economic model. "When we look back at this era, we'll be looking at economics," as much as factors such as technology, Shuttleworth said.
Technology, he said, provides the opportunities to drive economic change, create wealth, and change society. "The way we run our lives today, software determines more and more of it," Shuttleworth said.
"In a very real sense, everything is becoming software," said Shuttleworth. "There have never been better opportunities to create wealth, better opportunities to change the world."
Recent wealth creators such as Google have been built on free software, Shuttleworth said. Free software, meanwhile, is "the ultimate form of disclosure" and serves as an engine for innovation.
"The question we should be asking the free software world is how can we stimulate that? How can we drive innovation faster," said Shuttleworth.
Shuttleworth also promoted the notion of cadence in free software releases. "The idea of establishing a regular rhythm or regular, predictable release schedule for free software is, I think, gaining prominence," and helps to stimulate the free software development process, he said.
Society, he said, needs a "pipeline of innovation." A free software platform must be made accessible and architected for innovation, Shuttleworth said. The Firefox platform, for instance, has been effectively made a platform for innovation through extensions and plug-ins, he said.
Linux, Shuttleworth said, must link up with Windows. He stressed his belief that "Linux is the platform of the future. But I think it's essential that we learn how to work with Windows."
Extensible software must work across both platforms, said Shuttleworth.
Shuttleworth also asked how free software changes the perception of software methodologies. He suggested extending agile programming. "If I look at the innovation story, the methodology story, the common thread on both of those to me is collaboration and participation," said Shuttleworth.
At Ubuntu, there is a goal of enabling people to make changes and build a community around changes, with nobody having to ask permission to participate.
A global glut of NAND flash memory chips, which store songs, photos, and other data in gadgets from iPods to digital cameras, will continue for at least the next few months because companies have been slow to rein in production, according to DRAMeXchange Technology.
The market researcher, which is based in the heartland of the global memory spot market in Taipei, predicts the NAND flash supply will grow 149 percent this year despite worsening prices for the chips. The problem is that chip makers such as Samsung Electronics, Hynix Semiconductor, and SanDisk's partner, Toshiba, have not moved fast enough to cut production.
The good news for users is that companies will be able to offer more NAND flash storage capacity for a lower price, or offer better deals on existing products such as flash memory cards and MP3 players. Low NAND flash prices could also spur companies to lower prices on hot products such as SSDs (solid state drives) in hopes of growing the market for the drives.
Prices of NAND flash memory dropped 20 percent on average in the month of June, DRAMeXchange said, and an upturn for the market may not be in the offing until as late as September.
The NAND flash market has been so bad that the creator of the chips, SanDisk, on Monday reported a surprise loss of $68 million for the second quarter. The company blamed the supply glut for its problems, pointing out that it sold a record amount of flash, 120 percent more than the same time last year, but that prices are down 55 percent compared to then.
SanDisk also said NAND flash prices may worsen in the third quarter. The company's Nasdaq-listed stock fell $4.31, or 24 percent, to end Tuesday at $13.62 as a result of its earnings news.
To counter the deteriorating market, SanDisk will delay the start of production at a new joint venture chip factory until April 2009 and put plans for another factory on hold until market conditions improve.
Credit Suisse analyst John Pitzer notes that SanDisk's plans to delay building new production lines are a positive for the NAND flash industry and rivals are likely to follow. SanDisk and partner Toshiba account for around a third of the global NAND flash supply, he said in a report.
The latest survey from security vendor McAfee has found that small to medium-size businesses wrongly conclude their revenue is too low to draw the attention of cybercriminals.
SMBs are in fact rich hunting ground for hackers, McAfee said. Although there may be less money or data to steal, the attacks are also less likely to gain the attention of law enforcement organizations such as the U.S. Federal Bureau of Investigation.
"Lots of small attacks add up to large amounts of revenue," according to the survey, which polled 500 companies in the U.S. and Canada. There are an estimated 7.4 million SMBs in North America.
McAfee's study this year focused on North America, whereas last year it surveyed 600 European SMBs. However, the conclusions of the two studies are similar. About 45 percent of North American businesses felt they did not have valuable data to steal. Last year, 58 percent of European businesses gave the same response.
In the U.S., 39 percent of businesses with up to 1,000 employees reported spending an hour or less a week on IT security. The figure is higher for Canadian businesses: 44 percent.
Part of the problem is that attention to security takes time, and SMBs have fewer resources. Many don't have an employee dedicated full-time to IT security. But McAfee argues that SMBs could face critical shutdowns in business as a result of weak security.
Every business retains employee data, which could be valuable, the survey said. Also, every business is hit with spam, which often is laden with malicious data-stealing programs.
McAfee said it expects hackers to increasingly go after VOIP (Voice over Internet Protocol) phone systems, virtual systems, as well as mobile devices. McAfee's advice: patch regularly, filter e-mail, and use antivirus software.
One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.
Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."
The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write.
The flaw, a variation on what's known as a cache poisoning attack, was announced on July 8 by IOActive researcher Dan Kaminsky, who planned to disclose full details of the bug during an Aug. 6 presentation at the Black Hat conference.
That plan was thwarted Monday, when someone at Matasano accidentally posted details of the flaw ahead of schedule. Matasano quickly removed the post and apologized for its mistake, but it was too late. Details of the flaw soon spread around the Internet.
And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium. Vixie, like others who were briefed on Kaminsky's bug, did not confirm that it had been disclosed by Matasano. But if it had, "it's a big deal," he said in an e-mail message.
The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an Internet service provider's (ISP's) servers into accepting bad information, attackers could redirect that company's customers to malicious Web sites without their knowledge.
Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network.
"Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."
Just how big of a problem is a matter of some debate.
Neal Krawetz, owner of computer security consultancy Hacker Factor Solutions, took a look at DNS servers run by major ISPs earlier this week and found that more than half of them were still vulnerable to the attack.
"I find it dumbfounding that the largest ISPs ... are still identified as vulnerable," he wrote in a blog posting. "When the [hackers] learn of the exploit, they will go playing. They are certain to start with the lowest hanging fruit -- large companies that are vulnerable and support a huge number of users."
He expects that users will see attacks within weeks, starting first with test attacks, and possibly even a widespread domain hijacking. "Finally will be the phishers, malware writers and organized attackers," he wrote in a Tuesday e-mail interview. "I really expect these to be very focused attacks."
Most ISPs will have probably applied the patch by the time any attacks start to surface, and that will protect the vast majority of home users, said Russ Cooper, a senior information security analyst with Verizon Business. And business users who use secure DNS-proxying software will also be "pretty much protected" from the attack at their firewall, Cooper said.
"If anyone actually tries to exploit this, the actual number of victims will end up being extremely small," he predicted.
HD Moore said he didn't exactly see things that way. Because the flaw affects nearly all of the DNS software being used on the Internet, he said that there could be lots of problems ahead.
"This is a bug we'll be worrying about a year from now," he said.
Brocade Communications Systems' planned $3 billion acquisition of Foundry Networks is a major strategic move in a brewing war over the future of datacenter connectivity, industry analysts said Tuesday.
The deal, expected to close in the fourth quarter, would combine a maker of Fibre Channel SAN (storage area network) switches for datacenters and a specialist in enterprise Ethernet LANs, two technologies that are headed toward a merger themselves.
The future of datacenters lies with Ethernet, because it's relatively inexpensive, keeps scaling up to higher speeds, and is ubiquitous throughout the rest of enterprise networks, analysts say. Virtualization and datacenter consolidation are helping to drive the need for Ethernet's growing speeds. The idea is to create a "unified fabric" that spans both the datacenter at the enterprise's core and the LAN where client systems are located. But there are two main ways to bring Ethernet to datacenters with the features needed there.
Both Brocade and Cisco are pushing FCoE (Fibre Channel over Ethernet), an IEEE standard expected later this year that would combine characteristics of both systems. By mapping Fibre Channel traffic over Ethernet networks, it will let enterprises take advantage of Ethernet speeds of 10Gbps and up while keeping the latency, security, and traffic management benefits of Fibre Channel. FCoE will also smooth the migration to Ethernet by letting the two technologies coexist in a single switch, so existing SANs (storage area networks) can stay.
The alternative is iSCSI (Internet Small Computer System Interface), which some smaller enterprises have adopted because it can be used with conventional Ethernet switches and without in-house Fibre Channel expertise, said Bob Laliberte of Enterprise Strategy Group. Its main proponents have been storage vendors, he said.
Although it will take years for current Fibre Channel SANs to be replaced, one of the two is likely to win out, analysts said.
"There's a major religious war between FCoE and iSCSI," said Burton Group analyst Dave Passmore. They represent completely different technical approaches to combining Ethernet and storage transport protocols. "Reasonable people will disagree," he said.
Like Fibre Channel, FCoE does not use TCP/IP (Transmission Control Protocol/Internet Protocol), the basic communication protocol of the Internet and Ethernet networks, instead making up for it with other tools. Of the two approaches, only FCoE requires expensive, specialized switches, Passmore said, but it's more attractive to many organizations because it allows for a smoother transition from existing architectures, he said.
Enterprises could eventually lose out by choosing the technology that loses, but FCoE and iSCSI will probably coexist for years, Passmore said.
A unified fabric could save users money as well as complexity, Passmore said. For example, instead of having one network connection to the LAN and another to the SAN that it taps into for data, a blade server could have just one set of connections.
"That would greatly simplify the user's network infrastructure and require fewer switches," Passmore said.
Security is the main potential concern about having a common type of network across data centers and LANs, he said. Having two completely different networks as is traditionally done has built-in security benefits. But costs and benefits always have to be balanced in adopting new technologies, he said.
Brocade's purchase of Foundry will create a second powerful vendor of FCoE, said Yankee Group analyst Zeus Kerravala. So far, Cisco has been the only company with both the vision and the technology to create a unified fabric, he said. Brocade had the vision and now is gaining the Ethernet goods, Kerravala said.
"If the concept of unified fabric really does come true, there are really only two vendors," Kerravala said.
San Francisco Mayor Gavin Newsom met with jailed IT administrator Terry Childs Monday, convincing him to hand over the administrative passwords to the city's multimillion dollar wide area network.
Childs made headlines last week when he was arrested and charged with four counts of computer tampering, after he refused to give over passwords to the Cisco Systems switches and routers used on the city's FiberWAN network, which carries about 60 percent of the municipal government's network traffic. Childs, who managed the network before his arrest, has been locked up in the county jail since July 13.
On Monday afternoon, he handed the passwords over to Mayor Newsom, who was "the only person he felt he could trust," according to a declaration filed in court by his attorney, Erin Crane. Newsom is ultimately responsible for the Department of Telecommunications and Information Services (DTIS), where Childs worked for the past five years.
Mayor Newsom secured the passwords without first telling DTIS about his meeting with Childs, according to DTIS chief administrative officer Ron Vinson, who added, "We're very happy the mayor embarked on his clandestine mission."
The department now has full administrative control of the network, he said in an interview Tuesday night.
It's likely that Childs had a lot to tell the mayor when the two met.
Childs' attorney has asked the judge to reduce Childs' $5 million bail bond, describing her client as a man who felt himself surrounded by incompetents and supervised by a manager who he felt was undermining his work.
"None of the persons who requested the password information from Mr. Childs ... were qualified to have it," she said in a court filing.
Childs intends to disprove the charges against him but also "expose the utter mismanagement, negligence, and corruption at DTIS, which if left unchecked, will in fact place the City of San Francisco in danger," his motion reads.
Vinson dismissed the allegations. "In Terry Childs' mind, obviously he thinks the network is his, but it's not. It's the taxpayers'," he said. "The reason he's been sitting in jail is because he denied the department and others access to the system."
The court filings help explain just how this happened.
According to an affidavit from James Ramsey, an inspector with the San Francisco Police Department, he and other investigators discovered dial-up and DSL (digital subscriber line) modems that would allow an unauthorized connection to the FiberWAN. He also found that Childs had configured several of the Cisco devices with a command that would erase critical configuration data in the event that anyone tried to restore administrative access to the devices, something Ramsey saw as dangerous because no backup configuration files could be found.
This command, called No Service Password Recovery, is often used by engineers to add an extra level of security to networks, said Mike Chase, regional director of engineering with FusionStorm, an IT services provider that supports Cisco products.
But without access to either Childs' passwords or the backup configuration files, administrators would have to essentially re-configure their entire network, an error-prone and time-consuming possibility, Chase said. "It's basically like playing 3D chess," he said. "In that situation, you're stuck interviewing everybody at every site getting anecdotal stories of who's connected to what. And then you're guaranteed to miss something."
Without the passwords, the network would still continue to run, but it would be impossible to reconfigure the equipment. The only way to restore these devices to a manageable state would be to knock them offline and then reconfigure them, something that would take weeks or months to complete, disrupt service, and cost the city "hundreds of thousands, if not millions of dollars," Ramsey claims.
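The risk the affidavit describes is a combination: password recovery disabled on the device, no saved or off-box copy of its configuration, and undocumented dial-in paths. The audit below is an added example, not code from the article or from any vendor; it parses a constructed Cisco IOS-style configuration, and the function names, the sample config and the backup store are all assumptions made for illustration.

```python
"""Audit an IOS-style configuration for the recovery risks discussed above:
'no service password-recovery' without a current backup, a running config
that was never saved, and modem-enabled lines (possible dial-in paths).

Added example; the config text, hostnames and backup store are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample running-config (not any real device's configuration).
SAMPLE_RUNNING_CONFIG = """\
!
hostname core-sw-1
no service password-recovery
enable secret 5 $1$CONSTRUCTED$PLACEHOLDER
!
interface GigabitEthernet0/1
 description uplink to datacenter
 no shutdown
!
line aux 0
 modem InOut
 transport input all
!
end
"""


@dataclass
class AuditResult:
    hostname: str
    password_recovery_disabled: bool
    startup_matches_running: bool
    backup_status: str              # "missing", "stale" or "current"
    modem_lines: List[str]
    findings: List[str] = field(default_factory=list)


def normalize(config_text: str) -> List[str]:
    """Drop '!' separator lines and trailing whitespace so cosmetic
    differences do not make a good backup look stale."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def config_fingerprint(config_text: str) -> str:
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def hostname_of(config_text: str) -> str:
    m = re.search(r"^hostname\s+(\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else "<unknown>"


def modem_enabled_lines(config_text: str) -> List[str]:
    """Return the 'line ...' sections that contain a 'modem' command."""
    found, current = [], None
    for ln in config_text.splitlines():
        if ln.startswith("line "):
            current = ln.strip()
        elif current and ln.startswith(" ") and ln.strip().startswith("modem "):
            if current not in found:
                found.append(current)
        elif ln and not ln.startswith(" "):
            current = None          # left the indented line block
    return found


def audit_device(running_config: str, startup_config: Optional[str],
                 backup_store: Dict[str, str]) -> AuditResult:
    """backup_store maps hostname -> last off-box copy of the config."""
    host = hostname_of(running_config)
    recovery_disabled = bool(re.search(r"^no service password-recovery\s*$",
                                       running_config, re.MULTILINE))
    running_fp = config_fingerprint(running_config)
    startup_ok = (startup_config is not None
                  and config_fingerprint(startup_config) == running_fp)
    backup = backup_store.get(host)
    if backup is None:
        backup_status = "missing"
    elif config_fingerprint(backup) == running_fp:
        backup_status = "current"
    else:
        backup_status = "stale"
    modems = modem_enabled_lines(running_config)
    result = AuditResult(host, recovery_disabled, startup_ok, backup_status, modems)

    if not startup_ok:
        result.findings.append("running-config differs from startup-config: a reload discards it")
    if recovery_disabled and backup_status != "current":
        result.findings.append(f"password recovery disabled and off-box backup is {backup_status}: "
                               "losing the credentials means rebuilding the device from scratch")
    elif recovery_disabled:
        result.findings.append("password recovery disabled (acceptable only while a current backup exists)")
    for line in modems:
        result.findings.append(f"modem enabled on '{line}': confirm this dial-in path is authorized")
    return result


if __name__ == "__main__":
    report = audit_device(SAMPLE_RUNNING_CONFIG, None, {})   # no backup on file
    for finding in report.findings:
        print(f"[{report.hostname}] {finding}")
```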
Crane argues that these monitoring devices were installed with management's permission and were critical to the smooth functioning of the network. They would page Childs when the system went down and allow him to remotely access the network from his personal computer in case of an emergency.
In interviews, current and former DTIS staffers describe Childs as a well respected co-worker who may have gone too far under the pressure of working in a department that had been demoralized and drastically cut as the city moved forward with plans to decentralize IT operations.
About 200 of the department's 350 IT positions had been cut since 2000, mostly to be relocated to other divisions within city government, said Richard Isen, IT chapter president with Childs' union, the International Federation of Professional and Technical Engineers, Local 21.
Despite his conflict with some in the department, Childs has a lot of support there, Isen said. "There is a lot of sympathy, only because there is a basic feeling that management misunderstands what we actually do and doesn't appreciate the complexity of the work."
(Paul Venezia is Senior Contributing Editor with InfoWorld)
VMware Tuesday said it will offer the small-footprint version of its ESX virtualization software free, responding to pressure from Microsoft and other companies that are threatening VMware's lead in the virtualization market.
The next version of ESXi, which will come in about two weeks, will be available at no cost, said VMware CEO Paul Maritz on a conference call Tuesday to discuss the company's second-quarter earnings. ESXi is a basic hypervisor, which is technology that separates the OS from server hardware so multiple OSes can run virtually on one physical server.
Maritz said the move to make the already low-cost product free is part of VMware's plan to make its virtualization and network infrastructure products "as freely available to everyone in the industry" as possible as it diversifies its products beyond merely enabling virtualization. A former Microsoft executive, Maritz replaced VMware cofounder and former CEO Diane Greene, who was ousted in a sudden move two weeks ago.
Bogomil Balkansky, VMware senior director of product marketing, said ESXi has all the capabilities of VMware's older ESX product, including support for advanced VMware Infrastructure features like Vmotion, which allows a workload to be moved to another physical server while it is still being used.
"Functionally the two products are equivalent; ESXi does anything and everything ESX does," Balkansky said.
The reason VMware is making ESXi free and not ESX is because ESXi has the more modern architecture and is the product VMware wants customers to use moving forward, he said. ESXi uses an agentless model for management, which is why its footprint is so much smaller (at 32MB) than that of ESX, he said.
Tom Bittman, vice president and distinguished analyst with Gartner, said the move is indeed significant. It will allow VMware to compete more effectively with Microsoft, which is bundling its Hyper-V virtualization software with high-end editions of Windows Server. "This takes the price argument away," Bittman said.
Most companies now are buying other VMware products along with the hypervisor, which is why the company can afford to give it away, he said. VMware should have made ESXi free from the start, he said. "That was a mistake, and they are correcting it now," he said. ESXi is currently priced at $495.
"It makes sense for us to seed the market with a free product and expose a broader set of customers to VMware, being confident that they will take the next step and upgrade to our Virtual Infrastructure product," Balkansky said.
VMware is facing some of its toughest competition yet as Microsoft and other companies seek to commoditize the core virtualization technology on which VMware's business was built by offering it as part of the OS.
Speaking about his "alma mater" Tuesday, Maritz called Microsoft a "formidable" competitor, but "not an invincible" one.
"I know that Microsoft can afford to play a long waiting game," he said. However, in markets where another company already has a sizable lead -- such as VMware does in virtualization -- it can be "really hard to catch [up] even for Microsoft," Maritz said.
VMware reported $456 million in revenue for its 2008 second quarter, which ended June 30. It was an increase of 54 percent from the same period last year. However, consensus estimates from Thomson Financial analysts expected the company to fare slightly better, predicting $458.6 million in revenue for the quarter.
Non-GAAP (generally accepted accounting principles) net income for the quarter was $92 million, or $0.23 per diluted share, which was in line with analyst estimates.
VMware fell more than 14 percent from a close of $37.97 to $32.50 in after-hours trading Tuesday.
Sun is announcing on Wednesday availability of Sun Web Stack, which puts the company's own twist on the popular open-source LAMP (Linux Apache MySQL Perl/Python or PHP) stack.
The company is unveiling the stack at the O'Reilly Open Source Convention (OSCON) in Portland, Ore. Also at the conference Wednesday, Sun will ship Sun OpenSSO Express, which is a version of Sun's OpenSSO (single sign-on) software featuring enterprise support and indemnification. Sun and Joyent at OSCON will announce a social application program featuring free Web-hosting.
Sun Web Stack provides software needed for deploying Web applications and Web sites, said Ken Drachnik, Sun open source community development and marketing manager. With Sun Web Stack, users have the option of deploying the "AMP" portion of the LAMP stack with either Sun's Solaris OS or Linux, Windows or other operating systems.
"Up till now, [the stack] has been a developer offering from Sun, not a fully supported enterprise offering," Drachnik said.
Web Stack consists of Web and proxy servers, database and scripting languages, and the Apache HTTP Web server version 2.2.8. Featured components include the Apache Modules Memcached 1.2.5 distributed memory object system, the MySQL 5.1 database, the lighttpd Web server v 1.4.18 and the Tomcat Servlet engine 6.0.16. Versions of the Ruby, Perl, PHP, Ruby on Rails, and RubyGems development platforms are featured as well.
Also included are the Mongrel 1.0.1 HTTP library and server for Ruby, the fcgi package providing FastCGI capabilities, RedCloth text parsing, and the Squid proxy server 2.16.x.
Sun will provide product control for the supported stack across multiple operating environments, enabling applications to be redeployed to another operating system with minimal changes.
Support for Solaris is planned for this quarter while Linux backing is due next quarter. Other OSes will be supported afterward, including Windows later in the year.
Sun also said it is open-sourcing core components of Sun Java System Web Server 7.0 and Sun Java System Web Proxy technologies under a Berkeley Software Distribution license. These technologies are part of the Web Stack sub-project in the open-source OpenSolaris community, Sun said. The open-source moves enable developers to achieve faster time to market with their applications, the company said.
"With the open sourcing of our Web server and our proxy server, we've now pretty much open sourced most of the entire middleware stack from Sun," Drachnik said.
With OpenSSO, Sun is providing support for open-source identity management and Web single sign-on software. Also featured with OpenSSO are access management, federation, and secure Web services capabilities.
"It's a way of federating securely identities across multiple different Web sites," Drachnik said.
Sun plans to offer OpenSSO Express releases about every three months to coincide with major releases of OpenSSO, which started as a Sun-sponsored project.
Joyent and Sun are announcing a collaboration intended to accelerate development and deployment of social applications for the Facebook and Google OpenSocial environments. Users will get as many as 12 months of free Web hosting on the Joyent Cloud, which is an infrastructure powered by OpenSolaris, the open-source version of Solaris.
"With this new program, Sun can provide social application developers access to Sun's technology and expertise in building large-scale applications with Joyent helping them to deploy," on a scalable platform, said Juan Carlos Soto, Sun vice president of global market development and engineering.
Sun and Joyent plan to tour cities like San Francisco, Los Angeles, New York, and Chicago in coming months to offer training on building social applications for the Web.
In other developments pertaining to Sun at OSCON:
* Sun plans to add Sparc CPU support to OpenSolaris in November, a Sun official said. Currently, OpenSolaris is limited to Intel and AMD chips. Also planned for the 2008.11 version of the platform is an automated install capability, said Glynn Foster, Sun OpenSolaris product manager.
* Josh Berkus, who had been Sun's specialist on PostgreSQL database matters, has left the company, Berkus said in an interview at OSCON. He cited how things had changed regarding Sun's position on PostgreSQL following the company's acquisition of MySQL. "My job at Sun became very different from what it was when I was hired," Berkus said. The job became more focused on support with less emphasis on developing interesting open-source projects, he said.
Sun has become very focused on revenues pertaining to PostgreSQL and databases, he said. "They're interested in having a successful support offering," said Berkus, who added he was not laid off. The company recently let go of about 1,000 employees.
Sun, meanwhile, is bringing in someone to take over for Berkus, a company representative said.
Apple's iPhone 3G has a powerful browser and faster wireless connections to all kinds of data and multimedia, but those features may be too much of a good thing for international business travelers paying data roaming rates.
One U.S.-based manufacturing company with global operations would like to deploy hundreds of iPhone 3Gs but has found that international data roaming costs are too high, said an IT worker at the company who asked not to be named, citing company policies.
The manufacturer's finance department has put a ban on company purchases of the iPhone 3G because the international data roaming plan for the phone's exclusive carrier in the U.S., AT&T, is too expensive, he said. The company is in talks with AT&T to get a better price for the service.
"Until we have an international data rate plan that isn't extortion, we're holding off deployment of iPhone 3G," said the IT manager. "IPhone sucks down data like no tomorrow."
With the first-generation iPhone, the IT manager said, several executives traveled abroad and encountered "psycho-expensive" data rate costs. One executive spent three days in Canada and incurred an $800 data roaming cost, while another spent two weeks in Italy and racked up $5,000 in costs.
The IT manager said he is asking AT&T to cut its international data roaming fee to one-tenth of its current rate, from about 2 cents per kilobyte to 0.2 cents per kilobyte.
"I realize that's an order-of-magnitude reduction, but that's what's necessary to make this device succeed for any kind of international uptick," he said. So far, however, AT&T has told the manufacturer to "lump it or leave it," the IT manager said.
An AT&T spokesman said he could not discuss an individual company's plan, although he said AT&T enters into contracts with large customers based on negotiated rates. However, AT&T has implemented some special international data plans for iPhone customers, recognizing "that the iPhone consumes data and that it is worse outside the U.S.," said the spokesman, Mark Siegel.
Siegel said he could not say whether many customers have complained about international data roaming costs with the iPhone 3G. However, he warned customers traveling abroad with iPhone 3G devices to be prepared for the high data usage and the cost of using a network in a foreign country under a roaming agreement.
"If customers have not thought about data use abroad, we have a whole array of tips on how to avoid added costs," he said, referring to the AT&T Web page on international calling.
Analysts said the manufacturer seeking lower roaming rates could be somewhat unusual because its sales personnel travel extensively to many countries. In many companies, however, sales personnel will stay in a single country, which would lower their data roaming costs, analysts noted.
Siegel said that, in general, it would be less expensive to work in a single country than to travel and pay roaming fees.
Analysts noted that international roaming costs are onerous no matter what kind of wireless device a user carries. But because the iPhone 3G is designed to rely on using data over 3G networks, it might be an even greater concern than with some other devices, especially cell phones that rely primarily on voice connections.
Data roaming can be turned off by the iPhone user, but that doesn't give IT managers much comfort. One blogger noted the problem, and said that with Windows Mobile 6 settings, an IT manager could automatically shut off the data roaming feature to prevent a traveler near a country's border from accidentally roaming into another country, incurring added costs.