Monday, September 17, 2012

Tablets driving DRAM growth, but PCs still reign supreme


Sep 17, 2012 06:52 pm | PC World
by Caitlin McGarry

A Friday report on how mobile devices are now consuming the majority of the DRAM market sparked bloggy commentary declaring the decline of the PC. The report included provocative numbers, but the statistics deserve a reality check: IHS analyst Clifford Leimbach said DRAM shipments for PCs are in fact still growing--just at a slower pace than in years past.
IHS iSuppli's DRAM market report indicated that PCs' share of DRAM shipments had dropped from 50.2 percent in the first quarter of this year to 49 percent in the second quarter. The decrease is noteworthy, representing the first time PCs have dropped below 50 percent of DRAM market share since the 1980s.
The overall market, however, is expanding, led by the growing popularity of tablets and smartphones. More DRAM units are also shipping for PCs, just not at the clip they once did.
"The PC is no longer the central hub. You have a lot more options now," Leimbach told PCWorld. "You still have a lot of need for PCs, and you're going to [in the future]. Even though looking at it through the DRAM lens, it's not as dominating as it once was, PCs are still very pivotal in DRAM."
Leimbach said the world is entering a "post-PC era," but that doesn't mean the PC is no longer a leader in computing. It just has to share the spotlight.
Mobile devices still demand just a small fraction of the DRAM market. For example, Leimbach said 3.4 billion DRAM units for PCs were shipped in the last quarter, compared to 264 million units for tablets. As for market share, tablets grew from 1.6 percent to 2.7 percent in terms of total DRAM market consumption in the second quarter, according to the IHS report. Cell phones captured 13.2 percent of the market, a share that IHS expects to reach nearly 20 percent by the fourth quarter of 2013.

The Week in iPhone Cases: Take 5, part 3


Sep 17, 2012 06:35 pm | Macworld.com
by Marco Tabini

Were you lucky enough to get your order in for your iPhone 5 in time for delivery on September 21? Or are you planning on waiting in line at the Apple Store, so you can revel in the glory of the iPhone 5 with other owners? Regardless of how you plan to acquire your new iPhone 5, you won't have a difficult time finding a case for it. Last week, we had not one, but two installments of The Week in iPhone Cases, both devoted to the iPhone 5. And this week, the iPhone 5 cases keep a-comin'.
CM4: The Q Card (iPhone 5; $40) combines a protective snap-on shell made of comfortable soft-touch rubber with the convenience of an inner premium fabric compartment capable of holding up to three plastic cards, plus some extra cash. Its front bezel is designed to keep the screen of your iPhone elevated from the ground to help protect it from scratches and bumps. The Q Card comes in black, blue, red, or brown.
Dicota: The company's iPhone 5 lineup includes the Hard Cover (iPhone 4, 4S, and 5; ¬9), a patterned hard plastic shell available in 4 different styles (as well as a Pro edition (iPhone 5; price unavailable) that features a faux-leather exterior).
If you're looking for a more discreet case, you may want to check out the Slim Cover (iPhone 5; price unavailable), which is designed for thinness and is available in several different patterns and colors.
Fabrix: The company's lineup of fitted sleeves (iPhone 5; $15 to $30) includes literally dozens of different designs, all made from high quality materials like wool felt and corduroy, and available in a wide variety of designs and colors, some in collaboration with well-known bespoke tailors from around the world.
Orbino: The Pantera (iPhone 4, 4S, and 5; $189 to $399) is handmade from fine leather crafted to fit your iPhone perfectly, with an all-metal home button, and a front flap that provides all-around protection. A cleverly-designed belt clip at the back of the case can also be rotated to double as a kickstand. The Pantera comes in eleven different styles, ranging from traditional Tuscan leather to more exotic crocodile, stingray, snake, and ostrich varieties.
Sena: The company's iPhone 5 lineup includes eleven different cases, all made from Sena's trademark high-quality leather.
The UltraSlim (iPhone 5; $30) is an ultra-thin pouch that features soft velvet lining with stitching along the opening and comes in black, tan, red, white, or brown. For a slightly more substantial feel, you may also want to check out the Elega (iPhone 5; $50), which comes with a shock-absorbing layer and is available in black, tan, orange, or black.
Sena's wallets include the Magia Wallet (iPhone 5; $55), whose seamless design includes a special adhesive tape to hold your handset in place; the Hampton Wallet (iPhone 5; $60), which features three card pockets and is made of full-grain croc leather, available in black or red; the WalletBook (iPhone 5; $55), available in black, tan, red, or brown with its secure snap closure, a money compartment, a removable ratcheting metal clip system; and the Wallet Skin (iPhone 5; $55), whose simpler construction brings together minimal bulk and excellent style, which is available in black, tan, red, or brown.
If flip cases are your thing, look no further than the Magnet Flipper (iPhone 5; $55), which includes a magnetically attached front flap and provides wraparound protection for your handset. Likewise, the Hampton Flip (iPhone 5; $60) includes two credit card pockets and a full-grain leather protective cover with a snap-on clasp.
Targus: Although the company's website has not yet been updated, Targus has announced three iPhone 5-compatible models: The Wallet Case (iPhone 5; $40) features a special hidden compartment in which you can safely store credit and identification cards and paper money, and is available in black, french blue, or Merlot faux leather.
The Slider Case (iPhone 5; $35) is designed to provide maximum protection to all sides of your handset while minimizing bulk. Its raised front face helps prevent damage to the screen, while a special interior bumper keeps the electronics safe from shocks. The Slider is available in black, french blue, or poppy red.
Finally, the Slim Fit Case (iPhone 5; $25) is a snap-on back case made of TPU and polycarbonate and designed for a snug fit that doesn't add to the iPhone's heft. It comes in black, french blue, poppy red, pearl grey, olive branch, or Merlot.
USBFever: The Tuneprism (iPhone 5; $20) is a snap-on shell that features a unique prism pattern on its back, offering a unique stylish way to protect your handset from the vagaries of everyday use. It weighs just 16 grams, and its rubberized exterior provides a secure grip. The Tuneprism comes in smoke black, pink, turquoise, or black.

AMD CFO Seifert resigns


Sep 17, 2012 05:49 pm | IDG News Service
The chip maker is now hunting for a replacement

by Agam Shah

Advanced Micro Devices announced Monday that its chief financial officer, Thomas Seifert, has resigned from his post and that a hunt is on for his replacement.
AMD has appointed Devinder Kumar, senior vice president and corporate controller, as interim CFO until a replacement is found. Seifert will stay on at the chip maker until the end of September to help with the transition, AMD said.
Seifert joined AMD in 2008 and has been one of the few remaining executives from the management team that included former CEO Dirk Meyer and former product chief Rick Bergman.
Seifert was made CEO on an interim basis after Meyer's resignation and played a key role in the search for AMD's new CEO, a job other executives including Apple's Tim Cook, Oracle's Mark Hurd and VMware's Pat Gelsinger were said to have shied away from.
AMD ultimately appointed former Lenovo President and Chief Operating Officer Rory Read in August last year.
AMD has since overhauled the management team, appointing Mark Papermaster as chief technology officer and Lisa Su as senior vice president and general manager of the global business units.
Seifert left of his own accord, an AMD spokesman said.
"Seifert's departure is not based on any disagreement over the company's accounting principles or practices, or financial statement disclosures," AMD said in a statement.
AMD has been struggling financially and in July reported that its quarterly profit declined by 40 percent year over year to US$37 million, with revenue dropping 10 percent to $1.41 billion. The company blamed a weak consumer PC market for the lower profits.
Kumar joined AMD in 1984 as a financial analyst. He became corporate controller in 2001.
Agam Shah covers PCs, tablets, servers, chips and semiconductors for IDG News Service. Follow Agam on Twitter at @agamsh. Agam's e-mail address is agam_shah@idg.com

Oracle buys SelectMinds to boost capabilities gained from Taleo acquisition


Sep 17, 2012 05:36 pm | IDG News Service
Oracle is battling SAP and now IBM in the HCM (human capital management) software market

by Chris Kanaracus

Oracle on Monday said it has agreed to acquire SelectMinds, a maker of "social talent sourcing software," in a bid to flesh out the capabilities it gained through this year's US$1.9 billion acquisition of Taleo.
Terms of the deal, which is expected to close this year, were not disclosed.
SelectMinds' software aims to help organizations find high-quality job candidates through social media channels. Beyond posting job ads on sites such as Facebook and LinkedIn, companies can create "talent communities" and help their current employees share information about openings, according to SelectMinds' website.
"Recruiting candidates through employee referrals is widely acknowledged as the most effective method to find talent through trusted contacts," said Thomas Kurian, executive vice president of product development at Oracle, in a statement.
SelectMinds' products already work with Oracle's cloud-based recruiting, performance management and HCM (human capital management) software, according to the statement.
Oracle's Taleo acquisition was seen as a competitive response to SAP's purchase of Taleo competitor SuccessFactors. While Taleo's products are centered on talent management, Oracle is aligning them as a suite along with its Fusion HCM product, which covers areas such as payroll.
Software vendors are eager to get a strong foothold in the HCM market because the applications can potentially be licensed for many or all employees within a company, compared to more specialized software, which may only be used by a single department.
That desire was highlighted by IBM's recently announced $1.3 billion acquisition of HCM vendor Kenexa. IBM has long maintained that it has no interest in being a business applications provider and competing with the likes of Oracle and SAP, but the Kenexa deal marked a shift in that position.
Chris Kanaracus covers enterprise software and general technology breaking news for The IDG News Service. Chris' email address is Chris_Kanaracus@idg.com

Microsoft's Office 365 Home Premium to cost $99.99 annually per subscription


Sep 17, 2012 05:33 pm | IDG News Service
Office 365 Small Business Premium will cost $149.99 per employee, per year

by Juan Carlos Perez

Microsoft has announced the consumer and small-business prices for the new Office suite, which will be sold both via traditional single-device, perpetual licenses and via a new annual, multi-device cloud subscription.
The subscription version for consumers, called Office 365 Home Premium, will cost US$99.99 per household, while the small-business version, called Office 365 Small Business Premium, will cost $149.99 per employee per year, Microsoft announced Monday.
The licensed versions, called Office Home & Student 2013, Office Home & Business 2013 and Office Professional 2013, will cost $139.99, $219.99 and $399.99, respectively.
Microsoft will offer details later about versions of the new Office suite for large companies. It hasn't said when the new Office versions will be available commercially.
Since announcing the new Office, Microsoft has been clear in saying that it would prefer that buyers choose the new subscription model, but that it recognizes that there will be people who prefer the conventional license.
Now that the pricing information is available, customers will have the last word about which purchase model ends up being the preferred one -- paying once for the suite and using it for years on one device, or paying an annual fee that lets them access the suite in multiple devices.
One Office 365 Home Premium license gives the buyer the right to install the suite on up to five Windows 7, Windows 8 or Mac OS computers. In the buyer's household, multiple people can use the suite, each with his or her own account. The software is downloaded from a Microsoft data center and will be updated with new or updated features several times a year, according to Microsoft.
The Office 365 Home Premium license includes 20G bytes of storage in the SkyDrive online storage service, and 60 minutes of Skype IP telephony per month. Settings, preferences and documents can be synchronized via the cloud among the different devices included in the subscription.
A feature called Office on Demand lets users stream the suite to a device not included in the subscription for one-time editing purposes, such as when users are traveling and using a hotel PC. Office 365 Home Premium includes Word, Excel, PowerPoint, OneNote, Outlook, Access and Publisher.
Office 365 Small Business Premium works in the same way, except that licenses are per employee at a cost of $12.50 per month. Businesses can have licenses for up to 25 employees. Each employee can install the software on up to five Windows 7, Windows 8 or Mac OS computers.
In addition to the applications in Office 365 Home Premium, Office 365 Small Business Premium includes Lync Online and InfoPath, as well as Exchange Online -- shared calendars, 25G-byte mailboxes with virus and spam protection -- and SharePoint Online, which includes 10G bytes of cloud storage overall plus 500M bytes per user and tools to create websites.
Meanwhile, the conventional license suite Home & Student 2013 comes with Word, Excel, PowerPoint and OneNote, while Home & Business 2013 adds Outlook. Professional 2013 comes with the previous applications plus Publisher and Access.
All versions, whether subscription or conventional, have a new interface consistent with the "Modern" -- formerly called "Metro" -- interface of Windows 8, which is optimized for touchscreens, such as those in tablets.
Microsoft also announced that starting Oct. 19, buyers of Office 2010 or Office for Mac 2011 will be able to sign up free for a one-year subscription of Office 365 Home Premium or the equivalent Office 2013 offering. Small-business owners will get a three-month trial of Office 365 Small Business Premium.
The company recently said that the Office version that will ship with Windows RT devices will be available between November and January. Windows RT is the Windows 8 version for ARM-based tablets and devices.
Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

FBI warns financial institutions are being highly targeted by fraudsters


Sep 17, 2012 05:31 pm | Network World
by Michael Cooney

The FBI today said cybercriminals have recently stepped up efforts to steal money and gain access to banks and other financial institutions using spam, phishing emails, keystroke loggers and Remote Access Trojans (RAT).
Specifically, the fraudsters are looking to compromise financial institution networks and obtain employee login credentials. The stolen credentials are used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the criminals raised the wire transfer limit on the customer's account to allow for a larger transfer. In most of the identified wire transfer failures, the perpetrators were only unsuccessful because they entered the intended account information incorrectly, the FBI stated.
In the bank fraud, the FBI said cybercriminals "used spam and phishing e-mails to target their victims. Once compromised, keyloggers and RATs installed on the financial institution employee's computer provided the attackers with complete access to internal networks and logins to third party systems. Variants of Zeus malware were used to steal the employee's credentials in a few reported incidents. In some instances, the [attackers] stole multiple employee credentials or administrative credentials to third party services and were able to circumvent authentication methods used by the financial institution(s) to deter fraudulent activity. This allowed the intruders to handle all aspects of a wire transaction, including the approval. The unauthorized transactions were preceded by unauthorized logins that occurred outside of normal business hours using the stolen financial institution employees' credentials. In at least one instance, attackers browsed through multiple accounts, apparently selecting the accounts with the largest balance."
The FBI made a number of recommendations for financial institutions to help prevent security problems:
- Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited emails.
- Do not allow employees to access personal or work emails on the same computers used to initiate payments.
- Do not allow employees to access the Internet freely on the same computers used to initiate payments.
- Do not allow employees to access administrative accounts from home computers or laptops connected to home networks.
- Ensure employees do not leave USB tokens in computers used to connect to payment systems.
- Review anti-malware defenses and ensure the use of reputation-based content and website access filters.
- Ensure that workstations utilize host-based IPS technology and/or application whitelisting to prevent the execution of unauthorized programs.
- Monitor employee logins that occur outside of normal business hours.
- Consider implementing time-of-day login restrictions for the employee accounts with access to payment systems.
- Restrict access to wire transfer limit settings.
- Reduce employee wire limits in automated wire systems to require a second employee to approve larger wire transfers.
- If wire transfer anomaly detection systems are used, consider changing "rules" to detect this type of attack and, if possible, create alerts to notify bank administrators if wire transfer limits are modified.
- Secure and/or store manuals offline or restrict access to the training system manuals with further security, such as enhanced access controls and/or segregation from the payment systems themselves.
- Monitor for spikes in website traffic that may indicate the beginning of a DDoS and implement a plan to ensure that when potential DDoS activity is detected, the appropriate authorities handling wire transfers are notified so wire transfer requests will be more closely scrutinized.
- Strongly consider implementing an out-of-band authorization prior to allowing wire transfers to execute.
- Limit systems from which credentials used for wire authorization can be utilized.
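As an added example (not from the article or the FBI advisory), the Python below shows how three of these recommendations translate into detection logic run over a constructed payment-system audit log: off-hours employee logins, modifications of wire transfer limits, and large wires that lack a second approver, with any wire that follows the first two from the same account flagged by correlation. The log format, field names, business-hours window and thresholds are all assumptions.

```python
"""Detection logic for three of the FBI recommendations above: flag employee
logins outside normal business hours, alert when a wire transfer limit is
modified, and enforce dual control (a second employee must approve large
wires).  Wires that follow an off-hours login or a limit change from the
same account are correlated and flagged too.

Added example, not part of the original article.  The log format, field
names, thresholds and sample events are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

# Constructed audit-log excerpt.  Assumed format per line:
#   <ISO timestamp> <event type> <employee account> key=value ...
# 2012-09-13 is a Thursday and 2012-09-14 a Friday, so only the 02:17 login
# falls outside the business-hours window defined below.
SAMPLE_LOG = """\
2012-09-13T09:12:03 LOGIN jdoe src=10.1.4.22
2012-09-13T09:40:10 WIRE jdoe amount=12500 dest=ACME-SUPPLIES approver=msmith
2012-09-14T02:17:44 LOGIN rlee src=10.1.9.87
2012-09-14T02:25:09 LIMIT_CHANGE rlee account=CUST-4471 old=250000 new=1000000
2012-09-14T02:31:52 WIRE rlee amount=900000 dest=CUST-4471 approver=rlee
2012-09-14T10:05:00 LOGIN rlee src=10.1.9.87
2012-09-14T10:30:00 WIRE rlee amount=4000 dest=PAYROLL approver=rlee
"""

BUSINESS_START = time(8, 0)              # assumed business-hours window
BUSINESS_END = time(18, 0)
CORRELATION_WINDOW = timedelta(hours=4)  # look-back from a wire to suspicious activity
SINGLE_APPROVAL_LIMIT = 50000            # above this, a second employee must approve


@dataclass
class Event:
    ts: datetime
    kind: str
    account: str
    detail: Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, kind, account, *rest = line.split()
        detail = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts_str), kind, account, detail))
    return sorted(events, key=lambda e: e.ts)


def is_off_hours(ts: datetime) -> bool:
    """True for weekend logins or logins outside BUSINESS_START..BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect(events: List[Event]) -> List[str]:
    """Run the three checks over an ordered event stream and return alert lines."""
    alerts: List[str] = []
    # account -> time of its most recent off-hours login or limit change
    suspicious_since: Dict[str, datetime] = {}
    for ev in events:
        if ev.kind == "LOGIN" and is_off_hours(ev.ts):
            alerts.append(f"OFF_HOURS_LOGIN {ev.account} {ev.ts.isoformat()} "
                          f"src={ev.detail.get('src', '?')}")
            suspicious_since[ev.account] = ev.ts
        elif ev.kind == "LIMIT_CHANGE":
            alerts.append(f"WIRE_LIMIT_MODIFIED {ev.account} {ev.detail['account']} "
                          f"{ev.detail['old']}->{ev.detail['new']}")
            suspicious_since[ev.account] = ev.ts
        elif ev.kind == "WIRE":
            amount = int(ev.detail["amount"])
            approver = ev.detail.get("approver")
            # Dual control: a large wire approved by nobody, or by its own initiator,
            # is the "handle all aspects of a wire transaction" pattern the FBI describes.
            if amount > SINGLE_APPROVAL_LIMIT and approver in (None, ev.account):
                alerts.append(f"DUAL_CONTROL_VIOLATION {ev.account} amount={amount} "
                              f"dest={ev.detail['dest']}")
            last = suspicious_since.get(ev.account)
            if last is not None and ev.ts - last <= CORRELATION_WINDOW:
                alerts.append(f"WIRE_AFTER_SUSPICIOUS_ACTIVITY {ev.account} "
                              f"amount={amount} dest={ev.detail['dest']}")
    return alerts


def run_sample() -> List[str]:
    """Convenience wrapper so the sample can be asserted on and run stand-alone."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log the checks raise four alerts, all for the rlee account: the 02:17 login, the limit change on CUST-4471, and two for the 900,000 wire (self-approved, and within four hours of the suspicious activity); the later 4,000 payroll wire raises none.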
Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.
Nasuni latest to roll out mobile access to cloud-based network storage


Sep 17, 2012 05:31 pm | Network World
by Brandon Butler

Within a few years, mobile access to cloud-based storage will be a "checkmark" feature that will be fairly ubiquitous among the major vendors, predicts 451 Research Group analyst Simon Anderson. We're not quite there yet, but more and more vendors are rolling out the feature.
The latest is Nasuni, which delivers a cloud-based network-attached storage option for enterprises. The release of the fourth version of the company's software this week extends the capability of Nasuni to access data from mobile devices.
Nasuni's offering leverages a hybrid cloud approach, which combines on-premise storage controllers that collect and encrypt data behind the enterprise's firewall, then send the encrypted data up into its public cloud, which is hosted in Amazon Web Services and Microsoft Azure. The behind-the-firewall encryption means only the customer has access to the keys to unencrypt the data, not Nasuni or its network of cloud providers.
The newest mobile access capability, which was made generally available this week, allows users to access and upload images, videos and files via iOS and Android devices. Users are authenticated through Active Directory, giving IT departments the ability to control data flow to the individual device level, and segment which data sets are available to which groups of employees. Data can be deleted from devices remotely as well.
Terri McClure, an analyst with Enterprise Strategy Group, says Nasuni's offering hits at an emerging pain point in the enterprise. Users want access to their work files outside of their office, so many turn to consumer-oriented applications, such as Dropbox, Google Drive and SugarSync. The problem, she says, is that when workers do that, IT loses control of which data is where, allowing for the possibility of sensitive data being brought outside the firewall unprotected.
"Everyone is out there using two or three devices and we want to access our files from our iPhone, iPad and our PC," she says. "When users subscribe to these services personally, IT has no visibility into what corporate data is out there." A recent ESG survey found that 77% of IT leaders have policies against or strongly discouraging employee use of personal cloud storage options for corporate data, yet 70% know or strongly suspect they're being used anyway.
Nasuni is not the first to offer mobile access to files. Egnyte, Box, SugarSync and Dropbox each have the feature.
"Adding mobile access support also will bring Nasuni into conflict with the other file-sharing services out there, the number of which seems to increase on a weekly basis," says Anderson of the 451 Group. "Nasuni believes it has a better security and control model versus cloud players like Dropbox and Box -- which it says move the control point outside of the corporate firewall -- while noting that on-premises or private offerings from the likes of VMware Octopus, Oxygen and Citrix ShareFile still require internal IT to 'babysit' the storage infrastructure, so still incur OPEX overhead."
McClure says because Nasuni is meant to be a company's primary NAS, the mobile application is therefore just an extension of the storage, differentiating it from competitors.
Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW.

CIOs Look Ahead: Millennials, Consumer Tech and the Future


Sep 17, 2012 05:10 pm | CIO.com
by Tom Kaneshige

It's 1 a.m. and Josh Robin is busy working.
"I'm kind of stir crazy, don't need a lot of sleep, so it's probably prime time for getting things done," says the fast-talking 25-year-old director of innovation at MBTA, the Massachusetts Bay Transportation Authority.
At any moment on any given day, Robin might be Skype-ing with interns, Tweeting work updates, or tapping on his personal iPhone to manage a cutting-edge mobile ticketing project. It drives him crazy that his workplace doesn't have Wi-Fi, which basically means he can't use his personal computer there.
Robin pays the monthly iPhone bill out of his own pocket, while a corporate-issued BlackBerry collects dust. "BlackBerries have become the metaphor for old-line IT," he says. "It would be a pain in the butt," if he was forced to use it.
If you think Robin is an oddity, think again. He is part of the next generation workforce known as the Millennials. They've been called many names: Always-On Generation, Gen Y and Digital Natives. They grew up right along with Facebook, Twitter, Skype and Apple's iPocalypse. They have different ways of working, different ideas about their jobs.
They're also the ones who will be running your company in the future.
Millennials and Consumer Tech
The Millennials, born between the years 1981 and 2000, are 85.4 million strong, outnumbering even the Baby Boomers, according to 2010 statistics from the U.S. Census Bureau. Attracting the brightest among them requires understanding and, yes, even catering to their desires.
A big part of that is giving them technology freedom.
Like Robin, Millennials don't want to unplug from work on the weekends and after-hours like their older counterparts, and so they want technology that keeps up with this lifestyle. They're driving today's big tech trends, such as consumer tech and bring-your-own-device, or BYOD, which naturally blends work life and social life.
Truth is, they want to be in charge of the technology they use at work and don't want to be told otherwise. And chances are they do have a better grasp of the power of technology than older generations that grew up with, say, desktop computer towers, numeric pagers and clunky Microsoft Office.
"Millennials have little patience for bad IT solutions," says a 20-something mobile manager at a Silicon Valley company, speaking on condition of anonymity because he wasn't authorized to speak to the press. "When I interview Millennial job candidates, I ask, 'Do you have any questions for me?' They almost always respond, 'Will I have admin rights on my computer?'"
What's at Stake?
Appealing to Millennials with new-fangled technology just might be a CIO's highest priority. Fact is, Millennials will either drive your IT policy or your attrition rate.
Just ask Electronic Arts CIO Mark Tonneson. EA has been moving away from Windows-based Dell laptops and Hewlett-Packard desktops in favor of MacBooks, iPads, iPhones and Android phones. Some 10,000 smartphones fall under a sweeping BYOD policy. EA is even replacing cubicles and offices with open work spaces.
"This is a big push, and it's all in relation to the Millennials," Tonneson says. "As we look to bring on young talent, we're competing with Facebook, Zynga, Google, Apple."
EA's staff retention rate has never been better, Tonneson says, and consumer tech has played a crucial role in recruiting and keeping Millennials. It's certainly not the allure of stock options, since EA's stock has been sliding over the past year.
"They're staying because it's a great place," Tonneson says. "A lot of it is how we deliver solutions and services to them... and not encumbering them with old-line technologies."
Email and the Generation Gap
The effort to keep Millennials happy, though, has a dark side.
At last year's Consumerization of IT Expo, or CITE, in San Francisco, tech leaders spoke of the growing animosity between older workers and the Millennials. (For more CITE coverage, see BYOD: Making Sense of the Work-Personal Device Blur.)
When one company told its employees that they had to use a new enterprise social network to communicate with each other rather than email, older workers saw this as a sign that the company was prioritizing Millennials. Older workers felt their jobs were threatened.
The biggest difference among the generations is how people communicate, says Adam Noble, CIO at GAF Materials. Baby Boomers rely on the telephone, Gen X is all about email, and Millennials prefer social networking, instant messaging and even video chat. Tensions rise when, say, an old-line worker gets a video call across his PC from a Millennial worker.
"I often joke that if I email my teenage daughters, I'll never get a response," Noble says. "But if I put something on their Facebook page, I may get a response in seconds."
The challenge is to incorporate different styles of communication. Both GAF Materials and EA are working to integrate email and social communication to make the transition easier. Eventually, old-line employees will have to get on board with newer forms of communication.
"You can absolutely devolve into an argument of you-are-young-and-you-don't-get-it versus you-are-old-and-you-don't-get-it," says the Silicon Valley mobile manager. "But people who are the most creative and open-minded are going to adopt the coolest technology, regardless of how old they are."
Millennials Take Work Personally
If you don't embrace consumer tech, will Millennials bolt to a competitor?
Probably not right away, but down the road is another matter. The reason, say CIOs, stems from a common Millennial trait: Their identity is wrapped up in the job more so than older generations.
"Millennials tie a lot of their self-worth to the job," the mobile manager says.
Such a tight bond can lead to job-hopping. If they don't have the tools they think they need to perform at a high level, they may take it personally and become discouraged. As job performance suffers, they will look elsewhere.
Don't expect an older generation's sense of company loyalty to keep Millennials from jumping ship. Millennials have watched their parents get laid off, have their salaries cut, and their 401k's plummet. "Millennials have very little loyalty for sticking around a company," the mobile manager says.
Throwing cash at Millennials won't help, either. Last year, Cisco surveyed more than 2,800 Millennials and found that 40 percent of college students and 45 percent of young professionals would accept a lower-paying job if it had more flexibility on device choice, social media access and mobility.
The most effective way to foster loyalty among Millennials is by supporting trendy consumer tech in the enterprise, from iPhones to social communication to BYOD. They believe strongly that these tools play to their skills and give them the best opportunity for success, both personally and professionally.
Put more simply, MBTA's Robin says, "Technology tools today can facilitate the different ways people work, so why should technology get in the way?"
Tom Kaneshige covers Apple and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Tom at tkaneshige@cio.com

Jenkins integration server suffers security vulnerabilities


Sep 17, 2012 04:48 pm | InfoWorld
Four vulnerabilities, including two affecting the Jenkins core and one deemed critical, have been identified

by Paul Krill

Jenkins, the open source continuous integration server that forked out of Oracle's Hudson project, is facing several security vulnerabilities Monday, with the Jenkins project leader recommending upgrades to the Jenkins core and some plug-ins to fix the problems.
A security advisory posted by project leader Kohsuke Kawaguchi cites four vulnerabilities, including two affecting the Jenkins core. The first vulnerability has been deemed critical. "The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins," the security advisory said.
The second vulnerability in the core involves a cross-site scripting vulnerability, allowing an attacker to craft a URL that points to Jenkins, with an attacker able to hijack a legitimate user's session. Two other vulnerabilities, also involving cross-site scripting, affect the Violations and Continuous Integration Game plug-ins. The Violations plug-in scans for violation XML files in the build workspace; the Game plug-in offers tips on improving builds.
To fix the core vulnerabilities, main line users should upgrade to Jenkins 1.482, and LTS (Long-Term Support) users should upgrade to version 1.466.2. To fix the Violations plug-in, users are to upgrade to version 0.7.11 or later, while the CI game plug-in can be remedied by upgrading to 1.19 or later.
Kawaguchi said the fixes plug all known holes. "However, the nature of this game is such that someone will find a new vulnerability --- it's just a matter of when. So we encourage users, especially those who run Jenkins in a higher-risk environment (on the public Internet, in a security sensitive environment, etc.), to monitor security advisories by subscribing to the mailing list or an RSS feed."
He assuaged fears about the vulnerabilities, noting limitations. "Those who are running Jenkins inside a corporate firewall, which I think are the majority, [have] a mitigating factor, because one of the vulnerabilities requires an attacker to have an HTTP access to the Jenkins master and the other vulnerability requires the attacker to know the URL of your Jenkins. So it pretty much requires an attacker to be an insider." But he added, "Nonetheless, we recommend everyone to update to a version that contains the fix in a timely fashion."
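The advisory's fix is a version floor on the core and two plug-ins, which is easy to get wrong by hand because the mainline (1.482) and LTS (1.466.2) lines are numbered differently. The following checker is an added example, not code from the article or from the Jenkins project; it encodes only the fixed versions the article reports and assumes the administrator supplies the installed version strings (for instance from the Jenkins UI footer or the X-Jenkins response header). Treating any three-component version as an LTS release is an assumption for this example. The sample inventory at the bottom is constructed.

```python
"""Check Jenkins core and plug-in versions against the advisory's fixed versions.

Added example; not code from the InfoWorld article or the Jenkins project.
Fixed versions are the ones the article reports: mainline 1.482,
LTS 1.466.2, Violations plug-in 0.7.11, CI game plug-in 1.19.
Version strings are assumed to be supplied by the administrator.
"""
import re

# Fixed versions from the advisory as reported in the article.
FIXED_MAINLINE = (1, 482)
FIXED_LTS = (1, 466, 2)
FIXED_PLUGINS = {
    "violations": (0, 7, 11),
    "ci-game": (1, 19),
}


def parse_version(text):
    """Turn '1.466.2' or '1.482-SNAPSHOT' into a tuple of ints.

    Any suffix after the numeric dotted part (build qualifiers) is ignored,
    so a pre-release build of a fixed version is treated as that version.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_lts(version):
    """Assumption: LTS releases of this era carry a third component (1.466.x),
    mainline releases carry two (1.482)."""
    return len(version) >= 3


def core_is_fixed(text):
    """True if the given core version is at or above the fixed version
    for its release line (LTS or mainline)."""
    version = parse_version(text)
    if is_lts(version):
        return version >= FIXED_LTS
    return version >= FIXED_MAINLINE


def audit(core_version, plugin_versions):
    """Return a dict of component -> True (fixed) / False (needs upgrade).

    plugin_versions maps a plug-in short name to its installed version
    string; plug-ins not named in the advisory are ignored.
    """
    report = {"core": core_is_fixed(core_version)}
    for name, fixed in FIXED_PLUGINS.items():
        if name in plugin_versions:
            report[name] = parse_version(plugin_versions[name]) >= fixed
    return report


if __name__ == "__main__":
    # Constructed sample inventory: host -> (core version, installed plug-ins).
    inventory = {
        "build-lts": ("1.466.1", {"violations": "0.7.10", "ci-game": "1.19"}),
        "build-main": ("1.482", {"violations": "0.7.11"}),
    }
    for host, (core, plugins) in inventory.items():
        for component, ok in audit(core, plugins).items():
            print("%-10s %-10s %s" % (host, component, "ok" if ok else "UPGRADE"))
```

Tuple comparison does the ordering, so 0.7.9 correctly sorts below 0.7.11 (a plain string comparison would not), and a two-component 1.466 is compared against the mainline floor rather than mistaken for the patched LTS line.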
Jenkins forked out of Project Hudson in the wake of Oracle's 2010 acquisition of Sun Microsystems. Oracle has since handed Hudson over to the Eclipse Foundation.
This article, "Jenkins integration server suffers security vulnerabilities," was originally published at InfoWorld.com.


How to Manage Data Center Complexity


Sep 17, 2012 04:45 pm | CIO
by Thor Olavsrud

Complexity in the data center has a number of unwelcome effects on the enterprise, from increased costs to reduced agility and even downtime. For the past five years, organizations have been virtualizing their data centers in an effort to reduce complexity and increase efficiency. But while virtualization offers significant benefits, many such projects have shifted rather than eliminated complexity in the data center. To truly mitigate data center complexity, organizations need training, standardization and information governance.
"So many people think that virtualization is the penicillin of the data center, but in reality, what we've seen is that while people are investing heavily in virtualization, they didn't necessarily have the foresight to see the ramifications of virtualizing so quickly," says Danny Milrad, director of product marketing at Symantec, which just released the results of its 2012 State of the Data Center Survey. "One of the benefits of virtualization is spinning up an application so quickly, but they don't think about how big the footprint of that application can become."
Business-Critical Apps Drive Data Center Complexity
The increasing number of business-critical apps is the primary driver of complexity in the data center: 65 percent of respondents in Symantec's study listed it as a driver of the complexity of their data centers. Symantec contacted 2,453 IT professionals from 32 countries. They included senior IT staff focused on operations and tactical functions, as well as staff members focused on planning and IT management.
"Show me an app that isn't a business critical application outside of file and print these days," Milrad says. "Now you've got to replicate it, and your storage footprint goes up. With all these new applications coming online, they're being virtualized, and you've got a ton more data than you ever expected."
When that happens, organizations hit a wall. "As they virtualize more and more, the cost of storage and the cost of virtualization licenses and everything that falls out of that grows faster than expected," he says. "Storage is cheap, but it's still very expensive when you have to buy 10 times more than you expected."
Other key drivers of data center complexity include the growth of strategic IT trends such as mobile computing (cited by 44 percent of respondents), server virtualization (43 percent) and public cloud (41 percent). The most commonly cited result of data center complexity is increased costs (47 percent). But other effects include reduced agility (39 percent), longer lead times for storage migration (39 percent) and provisioning storage (38 percent), security breaches (35 percent) and downtime (35 percent).
Complexity a Key Contributor to Data Center Outages
The survey found that the typical organization experienced an average of 16 data center outages in the past 12 months, at a total cost of $5.1 million. On average, one of those outages was caused by a natural disaster (costing $1.5 million), four were caused by human error (costing $1.7 million) and 11 were caused by system failure resulting from complexity (costing $1.9 million).
That's not to say virtualization is a bad thing, Milrad is careful to note, but it does mean IT needs to pay attention and prepare for the potential side effects.
"It's much like what happened with the introduction of SharePoint," Milrad says. "SharePoint created a power and cooling nightmare. It wasn't expensive for marketing or sales to spin them up, but power, cooling and storage costs went up as a result. It's the same thing with virtualization. IT needs to get [its] arms around it and manage it as part of the infrastructure. It's just a matter of slowing down and looking at what you're doing."
The survey found that 90 percent of organizations are implementing or actively discussing information governance in an effort to get their data center complexity under control. They cite enhanced security, ease of finding the right information in a timely manner, reduced costs of information management and storage, reduced legal and compliance risks and moving to the cloud among the benefits they seek to achieve.
Best Practices for Mitigating Data Center Complexity
Trevor Daughney, also a director of product marketing at Symantec, recommends adopting the following best practices to help reduce data center complexity:
Get visibility beyond platforms. Understand the business services that IT is providing, and all of their dependencies, to reduce downtime and miscommunication.
Understand what IT assets you have, how they are being consumed, and by whom. This will help cut costs and risk. The organization won't buy servers and storage it doesn't need, teams can be held accountable for what they use and the company can be sure it isn't running out of capacity.
Reduce the number of backup applications to meet recovery SLAs and reduce capital expenses, operating expenses and training costs. The typical organization has seven backup applications, generally point products for particular databases.
Deploy deduplication everywhere to help address the information explosion and reduce the rising costs associated with backing up data. The goal is not simply to deduplicate the backup. Consider placing an archive that has deduplication capabilities next to applications such as Exchange or SharePoint that tend to be the biggest data offenders.
Use appliances to simplify backup and recovery operations.
Establish C-level ownership of information governance. Building an information-responsible culture and creating an umbrella of information governance can help organizations capture synergies across focused projects.
