More good stuff from The VAR Guy today, this time on the likelihood that virtualization is starting to harm server sales:

Novell could do the same with SUSE.

commentary

Thinking out loud here, but I wonder if Ubuntu, which has been getting into the virtualization game, couldn’t ship as an “Ubuntu Mini Cloud,” which would be an out-of-the-box virtualization server to allow an array of open-source and proprietary services to run on top? Ubuntu could charge more for this virtualization-friendly version. Customers would pay more but would save plenty by running one copy of the slightly more expensive version rather than multiple copies of the cheaper version.

One thing is clear: Virtualization is shaking up the enterprise server market, and it’s unclear how the server vendors will benefit unless they eat their young on this one. For newcomers like Ubuntu and Novell, they have the benefit of also being able to eat the young…of the established vendors.

Each time The VAR Guy speaks with a CIO or solutions provider, he hears about yet another server consolidation project. Through virtualization and more effective storage management, companies can simplify their data centers while raising server utilization rates….The VAR Guy doesn’t think the economy is destroying server sales. Rather, businesses are becoming far more efficient at leveraging the servers they already have.

This would be difficult for Red Hat (or Microsoft) to achieve because both are already on a frenetic Linux server unit pace. Having said that, Red Hat seems to be hoping that by lowering the price of virtualization vis-a-vis VMware it can maintain its own pricing. Could be.

Find more deals, coupon codes, and bargains on CNET’s Shopper.com.

(Credit:
CNET Networks)

The Connect comes with a somewhat paltry 4GB of RAM, but you can expand it using microSD cards. (Here’s a 4GB card, which would double your total storage (duh), for $19.) The player received very high marks from CNET, though I’m troubled by its lack of video support. Still, if you live, work, and play in hotspot-rich environments, this could be just the music box for you.

Why the steep initial price tag? The Sansa Connect leverages built-in Wi-Fi to stream Internet radio, download music from online stores, view Flickr photos, and share tunes with other Sansa users anywhere in the whole wide world! (Microsoft’s
Zune has Wi-Fi, too, but it’s limited to wireless syncing and local sharing.)

Congrats to EnterpriseDB for scoring such a high-profile executive and to Ed on his new role.

EnterpriseDB, known for its products based on the open-source Postgres database, today announced that it has named Ed Boyajian, former Red Hat vice president and general manager of North American sales, as president, and chief executive, and board member.

Flickr currently has more than 30 million registered users, 3 billion page views per month, and 60 million unique users per month, she said.

It doesn’t change another core part of Flickr, though, the pages that house each photograph. That will be changed in a future update, she added.

Yahoo on Wednesday started offering Flickr users a new home page for the photo-sharing site that’s designed to show off more images and make it easier for people to use the site’s social features.

“It’s definitely on our roadmap to improve that page,” she said.

Another big change is a “recent activity” tab that displays new comments on a member’s photos, notices that others have made the member a contact, and other social events.

Flickr's home page now features a 'recent activity' tab that lets people interact more quickly with others on the photo-sharing site.

Update 4:30 p.m. PDT: Yahoo has gradually added various features to Flickr, including video. But this change is about improving basic parts of Flickr that haven’t been changed in a much longer time, Srivastava said.

“What we wanted to be able to do is make the home page more engaging, useful, and efficient for advanced users who have hundreds and sometimes thousands of contacts and who upload and log into Flickr several times a day (and for) our newest members who are trying to figure out how to engage with Flickr,” Srivastava said. The change also is part of the Yahoo Open Strategy, which is geared in part to “light up” Yahoo users’ online social activity.

The change is available now to people who opt for it, but it will become standard for all users in coming weeks, Srivastava said.

The redesigned Flickr shows more photos and, through a 'recent activity' tab, more social interactions. (Click to enlarge.)

The redesigned page displays more photos, both from the Flickr member and from his or her contacts. And it adds photos from Flickr groups to which the member belongs, said Matthew Rothenberg, director of product management.

“This is not about adding new features, it’s about reducing the number of clicks of many of our most important core features,” she said. As long as a user has a fast network, the new pages load faster, though those with a slow dial-up connection might be constrained since more photos show on the home page, she added.

Many people just use Flickr to store and share their own photos, but the site also has social features including groups where like-minded people can share photos, a contacts list to share with particular friends, and comments that can lead to a discussion thread. Much of the redesign aims to spotlight these social features, making them more visible and easier to use, said Kakul Srivastava, Flickr’s new general manager.

(Credit:
Stephen Shankland/CNET News)

Yahoo described the change on its Flickr blog–which, by the way, is now featured on the new home page to spotlight news regarding the site.

MS08-063: Important

Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.

MS08-061: Important

Exploitability index: 1-3.
Microsoft recommends that customers apply this update immediately. Titled “Cumulative Security Update for Internet Explorer (956390),” this bulletin affects Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on all supported editions of Microsoft Windows 2000, and for Internet Explorer 6 running on all supported editions of Windows XP. For Internet Explorer 7 running on all supported editions of Windows XP and
Windows Vista, this security update is rated Important. Otherwise, this security update is rated Moderate or Low. This bulletin addresses the issues detailed in CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, and CVE-2008-3476. Microsoft says that “the vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer.”

MS08-064: Important

MS08-059: Critical

MS08-066: Important

Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.

Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841),” this bulletin affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4036. Microsoft says that “the vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights..”

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803),” this bulletin affects Windows XP and Windows Server 2003. The update addresses the vulnerabilities detailed in CVE-2008-3464. Microsoft says “a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Exploitability index: 2. Microsoft recommends that customers consider applying the security update. Titled “Vulnerability in
Microsoft Office Could Allow Information Disclosure (957699),” this bulletin only affects Microsoft Office XP Service Pack 3; all other supported versions of Microsoft Office are not affected. This bulletin addresses the vulnerability detailed in CVE-2008-4020. Microsoft says an attacker “who successfully exploited this vulnerability could inject a client side script in the user’s browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.”

MS08-060: Critical

Microsoft is also including within each bulletin this month an “exploitability index” to help system administrators prioritize the patches–1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and 3 is for vulnerabilities that are unlikely to produce functioning exploits (of least concern). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled “Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416),” this bulletin affects Microsoft Office Excel 2000 and is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack , Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. This bulletin addresses the vulnerability detailed in CVE-2008-4019, CVE-2008-3471, and CVE-2008-3477. Microsoft says an attacker who exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.”

Exploitability index: 1-3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211),” this bulletin affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2250, CVE-2008-2251, and CVE-2008-2252. Microsoft says a “local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users.”

Exploitability index: 3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerability in Message Queuing Could Allow Remote Code Execution (951071),” this bulletin affects Microsoft Windows 2000. This update addresses the vulnerability detailed in CVE-2008-3479. Microsoft says the “vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.”

MS08-056: Moderate

Exploitability index: 2
Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerability in SMB Could Allow Remote Code Execution (957095),” this bulletin affects all supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4038. Microsoft says the “vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user right.”

Exploitability index: 2.
Microsoft recommends that customers apply the update immediately. Titled “Vulnerability in Active Directory Could Allow Remote Code Execution (957280),” this bulletin affects implementations of Active Directory on Microsoft Windows 2000 Server. This update addresses the vulnerability detailed in CVE-2008-4023. Microsoft says that “this vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.”

MS08-065: Important

MS08-058: Critical

Exploitability index: 1.
Microsoft recommends that customers apply the update at the earliest opportunity. Titled “Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155),” this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1446. Microsoft says an “attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

MS08-057: Critical

Exploitability index: 1.
Microsoft recommends that customers apply the update immediately. Titled “Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695),” this bulletin affects Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006. This bulletin addresses the vulnerability detailed in CVE- 2008-3466. Microsoft says this “vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.”

Could Apple do the same for the iPhone, at some point down the line, when PA Semi is able to get power consumption down to milliwatt levels? We learned during the iPhone SDK event in March that the iPhone’s OS X is almost exactly the same thing under the hood as Mac OS X, which would suggest that it also was developed with Universal binaries in mind that could run natively on ARM and other instruction sets, such as x86 or Power. That’s not at all certain, but it’s an interesting possibility.

Don’t count on much official word from either Apple or PA Semi just yet. Apple spokesman Steve Dowling told Forbes that the company doesn’t comment on its plans for acquired companies, and the PA Semi representative said she couldn’t even discuss whether the company’s engineers would be moving across Silicon Valley from Santa Clara to Cupertino.

There’s an extensive list of applications on Apple’s Web site that were created with the Universal binaries. That means it would be relatively painless for Apple and its partners to switch back to the Power architecture for anything that runs on the Mac, since Universal software would run natively on PA Semi’s chips.

Finally, there’s the possibility that Apple is working on some new type of handheld computer that needs something different than what the ARM community or Intel has in mind two or three years down the road. I can’t imagine that Apple would buy Dobberpuhl’s company without giving that team some kind of project.

Apple's Scott Forstall explains how the iPhone's operating system is just like Mac OS X at Apple's iPhone SDK unveiling.

Apple’s iPhone group almost assuredly doesn’t want PA Semi’s current product. The PWRficient PA6T-1682M is the only product listed on PA Semi’s Web page. It’s a dual-core 64-bit chip designed for high-performance computing and embedded applications–things like server appliances or sophisticated telecommunications gear.

Even Intel’s Atom chip, which is going into so-called mobile Internet devices, consumes less power than the PA6T-1682M (that’s a hell of a name). To date, no other company appears to be developing a smartphone based on this generation of Atom.

PA Semi's chips aren't going to fit into this little package just yet, but they could one day.

A few interesting possibilities perked up as I traveled across the Web this morning. A commenter at The Register, picked up by Slashdot, suggested that Apple could have a game console in mind. That would be a perfect application for this kind of chip, though I’m not sure that if Apple has the desire to get into game consoles, despite filing a patent for that type of device. Maybe Apple TV 3.0 could use a performance boost, which Apple would certainly get, switching to the PA chip and dropping an older version of Intel’s Pentium M processor.

Initially last night, distracted by the epic Game 7 played by the San Jose Sharks, I was floored by the possibility that Apple might switch back to Power after such a public divorce. Veteran Apple software developers must have whiplash at this point, working with Power, ARM, and x86 in just three short years.

If Apple follows through and uses a chip designed by its latest acquisition, PA Semi, in a future product, the company will have made major bets on Power, x86, ARM, and Power again in just this decade. What, no love for SPARC or MIPS?

(Credit:
Corinne Schulze/CNET Networks)

Another interesting possibility could be that Apple wants to get more involved in the server market. PA Semi initially wanted to get its chips inside Apple’s notebooks, and was apparently in discussions with Apple right up until its decision to embrace Intel’s notebook processors in 2005. After that defeat, PA Semi pitched its chip as ideal for clusters of low-power servers.

Is Apple really that much of a chip hopper?

That would mean that Apple has figured out a way to develop its software as to take advantage of whatever the best chip on the market is at a given time, without having to worry about porting concerns. Don’t like Intel’s road map? Switch to PA Semi. Don’t like PA Semi’s next big idea? Switch back to Samsung. That might be a stretch, but if true, it would send a shudder down the spine of many a chip industry executive.

Apple could be planning to release a mobile Internet device of its own based on the chip. Again, power consumption concerns raise a red flag here, as you’d have to design any handheld device to accommodate the worst-case scenario power consumption of PA’s chip: 25 watts. You’d really need something bigger to effectively dissipate that much heat, as it would require a cooling fan.

A PA Semi representative on Wednesday confirmed last night’s news that Apple has paid $278 million for the low-power chip designer. Led by prominent chip designer Don Dobberpuhl, the two-and-a-half-year-old company makes chips for embedded devices based on IBM’s Power instruction set.

The most likely scenario is that Apple wants a future PA Semi product for a handheld, server, notebook, or something in between. Dobberpuhl and his team of veteran chip designers are some of the brightest minds in the industry, with an extensive track record. The chipmaker also brings along a low-power patent portfolio that would be attractive to any company focused on low-power computers.

But I failed to remember (helpfully reminded by TalkBackers this morning) that when Apple made the switch to Intel’s chips, it directed software development down the Universal Binary path. Any piece of software written for the Universal binaries will run natively on either x86 chips or Power chips, which allows PowerPC-based
Mac owners to keep their systems and upgrade to new software, such as Mac OS X Leopard.

So what might Apple want with PA Semi? Forbes reported that Apple plans to put its chips inside the
iPhone, but several possibilities are being considered this morning, as the industry tries to digest this piece of news.

It’s a pretty powerful chip that consumes between 5 watts and 13 watts of power, in most situations. However, while that may be ideal for a server, networking switch, or even a MacBook, it’s way too much for a handheld device like the iPhone or the
iPod Touch. The Samsung chip inside the iPhone is based on a core designed by ARM that consumes about 279 milliwatts running flat-out at 620MHz. Apple uses a slightly slower version.

(Credit:
CNET Networks)

Trend No. 4: SOA and IAM are growing together
It took awhile, but now, finally, not only vendors from both sides, but also application developers, have become aware of it: Collaboration between SOA and Identity Management is an important requirement. A discussion is beginning about which concepts for the execution of services in the context of identities are most suitable to ensure end-to-end security. This discussion will gather in pace and importance in this coming year with the result that the significance of Identity Management, particularly of Identity Federation for an application-wide use of identity data, and of virtual directories for the flexible provision of selected identity data, will continue to grow.

This top 10 list of Identity Management trends explores GRC and some other interesting facts. Personally I am all about trends No. 3 and 4.

I read last week in some print publication (that’s right, people still read magazines) about a growing “superstructure” of GRC (Governance, Risk Management, and Compliance) and how it starts to address some of the shortcomings of SOA (Service-Oriented Architectures), meaning the stuff in between all the loosely coupled data flying around.

Trend No. 3: Open systems and modules instead of monolithic suites
The past year has demonstrated that the core products of Identity Management–the provisioning solutions mostly referred to as “Identity Manager”–need to be opened up. However, the support by external workflows and standards like BPEL (Business Process Execution Language) are only one step in this direction. A flexible collaboration with GRC solutions should be targeted as well as a strategy for the support of ESBs (Enterprise Service Bus) for communication. The applications of the future need to be flexible to be used with other components of IT infrastructure. This also opens up market opportunities for new vendors covering sectors like MDM (Master Data Management) and BPM (Business Process Management), but also for specialists producing solutions to connect to various identity repositories such as LDAP directories.

Jon Callas, PGP’s chief technology officer, told me on Monday that the software is “in active development” and will run on Intel-based Macs. Callas didn’t want to elaborate on a shipping date, unfortunately.

Another problem with FileVault is that it hasn’t always been implemented that securely. Earlier versions of OS X didn’t encrypt the swapfile used for virtual memory, meaning the password could in many cases be easily extracted. And a paper (click for PDF) published last year by Jacob Appelbaum and Ralf-Philipp Weinmann found other potential security weaknesses.

This promises to be a boon for OS X users, especially laptop users who are more likely to lose their machines or run into snoopy border police and airport security guards who want to poke around the contents of their hard drives. Right now there’s no way for OS X users to encrypt their entire boot disks.

PGP Corp. is planning to release a version of its whole-disk encryption software for Apple Macintosh computers running OS X.

OS X already features FileVault, of course, but that focuses on encrypting the user’s home directory. Without whole-disk encryption, Unix-derived systems including OS X store in unencrypted form details about VPN usage, login times, and what applications are installed in the default location. Some applications including Thunderbird save working copies of documents in an unencrypted area outside the home directory.

I should also note here that a free volume encryption utility called TrueCrypt was released for OS X last week (it was previously available for Windows and Linux). TrueCrypt doesn’t do whole-disk encryption, but it does offer a way to conceal the fact that an encrypted volume exists–although that handy feature isn’t yet available on OS X and Linux.

CNET Review (Review on its way, but check out the user section, 8.8 average rating from 12 users.)

There’s something to be said about a product still going strong after 23 years in this evolving industry.

Price: $35 with free shipping on Amazon. Maybe less on eBay.
Sound quality: Best sound I’ve heard out of sub-$200 cans. Instead of telling you how awesome these are, I’ll let these 249 people do the work for me:

(Credit: Koss) Versatile: I’ve used these during all day cycling trips, at the desk, at home, and a during a million other activities and they’ve withstood the worst: liquid and food spills, long drops, heat, snow, and rainstorms. Warranty: Koss offers a lifetime warranty on them. No questions asked. The appeal here is that you can drop $35 once and never buy another set again. (Credit: Koss) Longevity: These phones have become something of a cult favorite among audiophiles. They aren’t sold in stores so they’re kept in production by word of mouth purchases such as these, and I’m more than happy to pass on the good word. Having used the PortaPros for years in a million different applications and environments, I can say without exaggeration that these are my favorite headphones I’ve ever heard or purchased. This isn’t a “best headphone for your buck” talk, the low price is just icing on the cake. If they were $100 I’d definitely still throw down for them.

Design: Love them or hate them, you have to admit that they look insane. Koss hasn’t changed the design since 1984, and personally I love the retro Tron look. People stop me all the time asking about them, and I always give them this exact same speech about how much I love them.
Super comfortable: I’ve worn them for the last two years for at least a couple of hours everyday, if not a full eight hours and never felt any irritation, mostly because of the side padding and the adjustments you can make to width of the band. Other headphones I’ve owned (Grado SR-80, Sennheiser PX-100, Sony MDR-V700DJ, Shure E3c) start to irritate my ears after prolonged usage, but the PortaPros are so comfy that I sometimes forget that I have them on.

(Credit: Koss)

Koss has a bad reputation for manufacturing terrible audio products, but it struck gold back in 1984 with one set of headphones, the PORTAPROS. They’re still being produced with continued success after 23 years and are, in my opinion, the most underrated headphones on the market, and here’s why:

Oh, man, we were so high when we wrote that!