The proposition that one day we would be so overwhelmed with the information out there in the ether, and would somehow be inclined to use it, and capable of exploiting it to our advantage, was not really taken seriously until recently. Once the greatest information gathering device in the world, the Internet, came about, data became the elephant in the room. Now we see software applications doodling around with notions from the advertising world, which is where most ideas are generated these days. Structured data and unstructured data are being mixed and matched to sort out how we spend our time, if we are a danger or an asset to the powers who be.
Mobile technology, the newest playing field leveler, especially for undeveloped countries, is expected to grow by 100% through the next few years. Data mavens salivate from this because the data reconnoitered from mobile devices can be tagged to individuals thus making it even more valuable than an ordinary IP address.

“Sources such as online or mobile financial transactions, social media traffic, and GPS coordinates now generate over 2.5 quintillion bytes of so-called big data every day.”

Services in health, education, financial services, and agriculture promise to vault the developing world into the 21st Century, and we have certainly seen evidence of that already.

The dynamics of the data ecosystem demand an unbiased referendum on how governments, business and the general public are protected and how profits can be gained. We’ve already witnessed how companies peddling CRM attributes have mined their customer base to help them help their customers.

The concept of the “Superuser” as a free source of expertise is not new, God knows, the evolution of the beta test used by companies like Microsoft, to cure their turgid code, has been part of the general good, though never intended as such.

We’ve seen, regardless of your politics, how the Arab Spring and natural disasters have been assisted by social networking and how information shared somewhat altruistically can be an important tool for the betterment of humankind and the natural world.

The private sector maintains vast troves of transactional data, much of which is data exhaust, or data created as a by-product of other transactions; the public sector in most countries also maintains enormous datasets in the form of census data, health indicators, and tax and expenditure information. Medical establishments and their cohorts are finally getting on board in the race for using big data to reduce the 17% of GDP we now spend on healthcare.

Big data is no secret and nothing new. Obstacles abound from every segment of the economy and threats prevail that can bring down entire societies. The notion that people can trust their information to a Facebook or a Google or their government is simply a myth as all these giants are doing anything they can to mine the data and repackage regardless of what their privacy statements say.

Education is a must and leadership is desperately gone from the landscape. Take my advice and don’t share your personal identifying information and if you decide to discuss personal locations and other attributing features, accept the fact that it will not be kept private. Lastly, encourage those you vote for to learn how countries and some governments are doing things the right way.

We’ve heard it from the recording folks, the movie folks and the producers of ephemeral, tactile, devices that cling to the idea that, if something is embedded on a physical entity, it is somehow worth more, or safer, than if it is simply out there, floating in the ether. Now that everything will be out there floating, how do we adjust our past perceptions to maintain the magic of the Internet, without risking losing our hold on our business and freedom?

At Cloud Connect 2012, last week, we interviewed the head of the Business Software Alliance (BSA), Robert Holleyman, a fine, sincere and intelligent man whose mission is to make countries play fair with copyright laws and treat digital borders the same way we are supposed to treat physical ones. As physical boundaries have shifted, however, so have ethics.

BSA aims to pressure governments to set standards and quit using cyber space as the new substrate for the Cold War, my metaphor, not his. He has an enormous challenge ahead as the gloves are coming off all around us, and no one seems willing to play fair or show their hands.

Not everyone has the same perspective on what we should be willing to do to allow the Internet to be more carefully monitored, with little thought to personal freedoms. From Security Week’s Adam Rice:

“The Hands-off Approach to Monitoring and Managing Threats that Transit an ISP’s Network is Putting Businesses and Government at Risk.

“Nortel was in the news this week, joining a long list of companies who have a problem with the Chinese owning their networks. Nortel had known about the APT problem on their networks for years and did done very little to stop it besides changing the password of the CEO and a few other executives. Shocked? Amazed? Not me. I get it.

“What shocks me is the following: it seems APTs have spread their tentacles all over the globe, everyone knows about them, the U.S. government spends millions of dollars investigating it, and on the surface no one calls the Chinese to the table to spread out the evidence and hold them responsible for the shear volume of cyber theft. Nortel and other companies’ continue to be ram shackled by the Chinese daily. It is an open secret. Millions of bytes of data have been sent back to China in the form of intelligence, trade secrets, and military contractor data.”

Nearly every day we log on to the world, we read stories about abandoning our Constitution and accepting defeat in the eyes of our enemies who seem to be re-doubling daily. We accuse nations, like China, on the one hand, that are investing in our lands, our businesses and our future, of stealing our intellectual property and our junk entertainment, and attacking our networks. Yet we allow them to buy our property at ten cents on a dollar. We watch as the government ignores the rights and liberties of our citizens, daily, and rationalizes it all with the cliché that, if you have nothing to hide, why should you care?

Today, we read in the NYTimes where the FTC uses their top-down influence to shrug off the the Electronic Privacy Information Center, known as EPIC, that sued the Federal Trade Commission in Federal District Court in Washington, calling for it to investigate Google’s privacy policy changes. Google, without sway, continues to provide just about anything they are asked with no consequence for losing credibility:
“Google has said it will combine the user data it collects from all of its different products, in effect compiling what an individual searches on Google with what is posted on YouTube, Google Plus and other Google properties. Google has aggressively been flagging the changes to its customers. The company insists that does not violate its agreement with the government.”

The Constitution Project, with its ironic acronym, TCP, has been concerned by legislation, and legislators, who have continuously sought to undermine our liberty by amending our Constitution. From its web page:
“Amendments often are introduced because they are seen as powerful political organizing tools and are made before ordinary statutory changes have been sought. Some amendments reach the full House or Senate for a vote without a single hearing being held. Mark-ups and debates are limited or non-existent. Some proposals have been given expedited floor consideration and several passed at least one house in the 104th Congress.”

Recently hacks into the “Federal Trade Commission and the Bureau of Consumer Protection were attacked by AntiSec in response to their support and participation in ACTA, the Anti-Counterfeiting Trade Agreement, and issues with Google’s recent privacy policy changes.” (http://www.securityweek.com/antisec-takes-down-ftc-and-consumer-protection-websites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29&utm_content=My+Yahoo )

Their reasoning: “Even more bothersome than your complete lack of competence in maintaining your own f*****g websites and serving the citizens you are supposed to be protecting, is the US federal government’s support of ACTA,” AntiSec supporters said.

“If ACTA is signed by all participating negotiating countries, you can rest assured that AntiSec will bring a fucking mega-uber-awesome war that rain torrential hellfire down on all enemies of free speech, privacy, and internet freedom. We will systematically knock all evil corporations and governments off of our internet.”

On the surface, reading the mission of the BSA and the TCP, one might think these two entities are diametrically opposed. Yet, their bottom lines are quite the same. Education is the key message from both organizations and is needed to show users, consumers and companies that you must get up to speed on the use of where you put your personal information and why you put it there.

In another story on Anonymous, which has international reach,“In the last couple of days, the infamous Anonymous hacker group has released a threat against Israeli websites. Based on ERT experience with blocking Anonymous attacks in Israel and all over the world, we are releasing here a short list of security-policy recommendations. Attacks are expected against Israeli government, public institutions, and other high profile websites starting of today, Tuesday February 14.”

According to McAfee, 4 out of 10 people use their personal mobil phone for business and 51% don’t use passwords. Mal advertising and malicious apps, not all apps are good, pose some of the greatest risks today and few individuals check to see if they need them and how to use them effectively. Submersive Multi Vector (SMV’S) threats, which includes people, processes and technologies target ignorance of users, rather than vulnerabilities. Spyware, mobil and static devices are more vulnerable than ever, GPS and Bluetooth applications need more awareness and should be disabled when not in use and Cloud computing new challenges demand a much higher awareness from people on how remote data is stored and updated.

As we get ready to cover RSA here in San Francisco, we will be highlighting these issues and video taping interviews for your perusal to see exactly what the experts have to say and give you an opportunity to dialog on what you see as important. Stay tuned and visit www.nethawk.tv to have your say and let us know what you want covered next.

In any event, after getting an iPhone, I now have firsthand experience with mobile computing and mobile clouds. Now I know why this is such a big deal. Those who were already using a smartphone would tell me that this is yesterday’s news. Anyway, I have a lot of catching up to do. But not everything about mobile computing is great and dandy. Here are some of my complaints:

1. Short battery life: It barely lasts one full day and I need to keep recharging it.
2. Soft keyboard: The soft keyboard is not the easiest thing in the world to use. The voice-activated agent, Siri, is good but does not always work well.
3. Slow connection: Without help from a local Wi-Fi connection, my 3G connection is a little too slow to browse websites. Verizon has an optional data plan to use the iPhone as a hotspot. Initially, I thought it was a good idea, but the slowness of the 3G connection’s speed in getting me onto the Internet may test my patience.
4. Energy waste: The iPhone ecosystem (equally true of the Android’s) is designed to encourage the user to enjoy services, which is translated into energy and cash use. People may use them mainly because they are fun, and without regard for energy consumption. Some of the services may not be necessary, leading to the abuse of energy.

Still, those problems, except the last, will eventually be solved, and I see mobile computing changing the world and ICT as we know them. However, I do not have a solution for the last problem. People do not seem to get it when I talk about the potential for energy abuse by mobile computing. You’d think I just stepped out of an alien spaceship.

In any event, I will discuss what I heard about mobile and cloud computing at the recent Cloud Connect 2012 in the next few blogs. There were many interesting subjects covered in the conference, like those below.

• Private clouds
• Legacy applications in the era of cloud computing
• Mobile
• Big Data
• Cloud management
• Open source

There was a track on mobile computing and mobile clouds on the last day, which was quite interesting. By the way, all the keynote speeches are available at tv.cloudconnectevent.com, regardless of your attendance. Unfortunately, presentation materials are available for attendees only. Stay tuned.

Flash forward to the pop disco seventies and the Hooter’s crowd was omnipresent and overweight guys hawking wares in double-knit suits with wide lapels replaced the hippy garb while giant companies gave away swag that was gobbled up by the masses. The eighties again offered a shift in style and substance. I made my transition from advertising in the textile apparel industry to the tech business and selling networks.

It was the Age of Hardware and left little room for the hawkers, who sold disposable goods, to guys who actually could explain the difference between a Local Area Network and client/server setup. Flashy babes still scattered the landscape but many wondered why. Then came the nineties and the birth of the World Wide Web, and, sure enough, the carnival show was back in bloom. But fast forward to Cloud Connect and the vibe is totally different. Though there was sprinkling of Betty Grable pumps and tight dresses, today the smell of revolution permeated the floor without the aromas of Marxist rhetoric, patchouli or pot. Instead we had enthusiasm and brilliance at an amazing level present and the shift was more than just remote stacks in the sky. It’s more about a playing field of opportunities that place the economic burden for hanging out your shingle off your budget.

For IT guys, however, you better bring your lunch because if you don’t get on board, someone else will be eating it. If there ever was a model for our free market enterprise, the cloud and its constituent parts are it. We spoke with folks like Gordon Haff Chief Evangelist at Red Hat, Lori McVittie Technical Marketing Manager at F5 Networks, Peder Ulander, vice president of product marketing for the Cloud Platform Group at Citrix, Dave McCrory at VMWare, Scott Sanchez, Director of Business Development for Rackspace Cloud Builders, Eric Farrar Product Manager at Sybase, Isabelle Guis VP of Marketing at start-up Big Switch and an interesting Cloud broker, Steve Crawford at Jamcracker.

We also interviewed attendees and tried to get a feel for their take on the Techweb conference which I thought was one of the best product shows in a long time. It was a show of human dynamics and really smart people on the cutting edge of our future. Check in at www.nethawk.tv and join the chat and let us know what you would like to see next. Our plan is to follow up with some of the business’ security leaders at the RSA show which has evolved rapidly. It promises to be fun and exciting.

There are two bulletins that administrators should look to patch immediately.  Both of these bulletins address vulnerabilties that have the potential for drive-by attack scenarios from websites.

First up is Microsoft security bulletin MS12-010.  This bulletin affects all supported Microsoft Internet Explorer browsers and addresses four vulnerabilities in the browser.  As is the case with most, if not all Internet Browsers, it is extremely important to patch as soon as possible as browsers are one of the most attacked pieces of software.  The vulnerabilities addressed in this patch could allow an attacker to exploit the browser through malicious websites.

Similarly, MS12-013 also has a possible drive-by attack vector.  This bulletin addresses one vulnerability in the C Run-Time Library.  If an attacker can entice a user to open a malicious media file, the attacker can gain full access to a system.  In this new media and social media age, media file attack vectors are just as important as browser attack vectors when it comes to patching security vulnerabilities.

Our old friend, the DLL preload vulnerability, is making a return after a one-month hiatus.  Two bulletins this month fix the DLL preload vulnerability in Microsoft applications.

MS12-012 – Color Control Panel
MS12-014 – Indeo Codec

Since releasing the Security Advisory for this issue in November 2010, Microsoft has patched different programs affected by this vulnerability 22 times.  It is safe to say we will continue to see the DLL preload vulnerability being addressed by Microsoft in the coming months.

On the non-Microsoft front, there is already one vendor joining Patch Tuesday.  Adobe released two new security bulletins today affecting two Adobe products.  Security bulletin APSB12-02 affects Adobe Shockwave and fixes nine vulnerabilities.  Adobe Security bulletin APSB12-04 affects Adobe RoboHelp for Word and fixes one vulnerability.

This has been quite a busy month with multiple non-Microsoft vendors releasing security updates for their software.  After a very quiet December and January, it appears the non-Microsoft vendors are getting back to a normal cadence for releasing security updates for their software application.  The following vendors have released security updates since January 2012 Patch Tuesday:

Opera
Google Chrome (twice)
Yahoo Messenger
Mozilla Firefox (twice)
Mozilla Thunderbird (twice)
Mozilla SeaMonkey (twice)
Real Player
Skype

For those administrators who wait for a monthly maintenance window for their patching needs, this month is going to be quite a large month combining all of the Microsoft and non-Microsoft security bulletins released since the last Patch Tuesday.

Without going into any details, lets just say it is a popular myth just like saying that there is no money in hardware or that all software and people services are pure profit. Ok, lets leave sleeping dogs lay where rest (at least for now).

Why will some storage vendors make more margin off of HDD when everybody is supposed to be adopting or deploying solid state devices (SSD). Or Hybrid Hard Disk Drives (HHDD) in the case of workstation, desktop or laptops? Simple, SSD adoption (and deployment) is still growing and a lot of demand generator incentives available. Likewise HDD demand continues to be strong and with supplies affected, economics 101 says that some will raise their prices, manage their expenses, make more profits which can be used to help fund or stimulate increased SSD or other initiatives.

Storage, IT and general Economics 101

Economics 101 or basics introduces the concept of supply and demand along with revenue minus costs = profits or margin. If there is no demand yet a supply of a product exists then techniques such as discounting, bundling or other forms of adding value to incentivize customers to make a purchase. Bundling can include offering some other product, service or offering that could be as simple as an extended warranty to motivate sellers. Beyond discounts, coupons, two for one, future buying credits, gift cards or memberships for frequent buyers (or flyers) are other forms of stimulating sales activity.

Likewise if there is a supply or competition for a given market of a product or alternative, vendors or those selling the products including value added resellers (VARS) may sacrifice margin (profits) to meet revenue as well as unit shipped (e.g. expand their customer and installed base footprint) goals.

Currently in the IT industry and specifically around data storage even with increased and growing adoption and demand deployment around SSD, there is also a large supply in different categories. For example there are several fabrication facilities (FABs) that produce the silicon dies (e.g. chips) that form nand flash SSD memories including Intel, Micron, the joint Intel and Micron Fab (IMF) and Samsung. Even with continued strong demand growth, the various FABs seem to have enough capacity at least for now. Likewise manufactures of SSD drive form factor products with SAS or SATA interfaces for attaching to existing servers, storage or appliances including Intel, Micron, Samsung, Seagate, STEC and SANdisk among others seem to be able to meet demand. Even PCIe SSD card vendors have come under pressure of supply and demand. For example the high flying startup FusionIO recently saw its margins affected due to competition which includes Adaptec, LSI, Texas Memory Systems (TMS) and soon EMC among others. In the SSD appliance and storage system space there are even more vendors with what amounts to about one every month or so coming out of stealth. Needless to say there will be some shakeout in the not so distant future.

On the other hand, if there is a demand however limited supply, assuming that the market will support it, prices can be increased from what discounts had applied. Assuming that costs are kept inline any subsequent increase in average selling price (ASP) minus costs should result in higher margins.

Another variation is if there is strong demand and shortage of supply such as what is occurring with hard disk drives (HDD) due to recent flooding in Thailand, not only prices increase, there can also be changes to warranties or other services and incentives. Note some of HDD manufactures such as Western Digital were more affected by the flooding than Seagate. Likewise the Thailand flooding was not limited to just HDD having also affected other electronic chip and component suppliers. Even though HDDs have been declared dead by many in the SSD camps along with their supporters, record number of HDDs are produced every year. Note that economics 101 also tells us that even though more devices are produced and sold, that may not show a profit based on their cost and price. Like the CPU processor chips produced by AMD, Broadcom, IBM and Intel among others that are high volume, with varying margins, the HDD and nand flash SSD market is also high volume with different margins.

As an example, Seagate recently announced strong profits due to a number of factors even though enterprise drive supply and shipments were down while desktop drives were up. Given that many industry pundits have proclaimed a disaster for those involved with HDDs due to the shortage, they forgot about economics 101 (supply and demand). Sure marketing 101 says that HDDs are dead and if there is a shortage then more people will buy SSDs however that also assumes that people are a) ready to buy more SSDs (e.g. demand) and b) vendors or manufactures have supply and c) that those same vendors or manufactures are willing to give up margin while reducing costs to boost profits.

Note that costs typically include selling, general and administrative, cost of goods, manufacturing, transportation and shipping, insurance, research and development among others. If it has been awhile since you looked at one, take a few minutes sometime to look at public companies and their quarterly securities exchange commission (SEC) financial filings. Those public filing documents are a treasure trove of information for those who sift through them and where many reporters, analysts and researchers find information for what they are working or speculating on. These documents show total sales, costs, profits and losses among other things. Something that vendors may not show in these public filings which means you have to look or read between the lines or get the information elsewhere is how many units were actually shipped or the ASP to get an idea of the amount of discounting that is occurring. Likewise sales and marketing expenses often get lumped into or under general selling and administration (SGA). A fun or interesting metric is to look at the percentage of SGA dollars spent per revenue and profits.

What I find interesting is to get an estimate of what it is costing an organization to do or sustain a given level of revenue and margin. For example, while some larger vendors may seem to spend more on selling and marketing, on a percentage basis, they can easily be out spent by smaller startups. Granted the larger vendor may be spending more actually dollars however those are spread out over a larger sales and revenue basis.

What does this all mean?

Look at multiple metrics that have both a future trend or forecast as well as trailing or historical perspective view. Look at both percentages as well as dollar amounts as well as both revenue and margin while keeping units or number of devices (or copies) sold also into perspective. For example its interesting to know if a vendors sales were down 10% (or up) quarter over quarter, or versus the same quarter a year ago or year over year. It is also interesting to keep the margin in perspective along with SGA costs in addition to cost of product acquired for sale. Also important is to get a gauge of if sales were down, yet margins are up, how many devices or copies were sold to get a gauge on expanding footprint which could also be a sign of future annuity (follow up sales opportunities). What Im watching is over the next couple of quarters is to see how some vendors leverage the Thailand flooding and HDD as well as other electronic component supply shortages to meet demand by managing discounts, costs and other items that contribute to enhanced margins.

Rest assured there is a lot more to IT and storage economics, including advanced topics such as Return on Investment (ROI) or Return on Innovation (The new ROI) and Total Cost of Ownership (TCO) among others that maybe we will discuss in the future.

Ok, nuff fun for now, lets get back to work.

Cheers gs

During my days at U.C. Berkeley, in the early nineties, stories about how only the top anthropology and biology students were being wined and dined by CIA and FBI to study cultural propensities in the face of government hegemonic initiatives were bragged around campus like that was the entire point of the discipline. Anyone who has studied anthropology learned early on how Ruth Benedict was courted by the United States Office of War Information (OWI), the predecessor to the CIA, to, ostensibly, determine how the Japanese would respond to the U.S. occupation, there were 500,00 U.S. troops there at the time, and, in a more cryptic sense, how they would respond to our dropping of the atom bomb. Bendedict’s classic entitled, “The Chrysanthemum and The Sword,” documents how her work determined that the people would rather die than surrender.

While Benedict never visited Japan, the war prevented it, she inferred her ethnographic reasoning from tedious interviews with immigrants who expressed dread of her exhausting, repetitive, intrusions into their most personal feelings. The last sixty years have seen this work used from every conceivable point-of-view from the TV show Madmen, to Physicist Takada Jun’s latest work, “The Nuclear and the Sword.” My purpose here is not to debate cultural relativism or the ethics of Benedict’s work but to raise a question about why our government didn’t study other possibilities through the lens of ethnography and scientific journey.

I have little doubt the Federal cops are still plucking the best and the brightest from all our universities but I am still baffled as to why they continue to miss the most important goals we ought to consider for our world today – security in the face of the digital frontier so that a peacetime economy might be established. Is our only motive to control other cultures and take their resources for our own use, which is what I was told we fought the Cold War for – to prevent Russia from doing that to us?

Numbers from 2005 claim we are faced with occupying over 150 nations, with 737 military bases and 2.5 million people. Our overseas bases, according to the Pentagon, contained 32,327 barracks, hangars, hospitals, and other buildings, which it owns, and 16,527 more that it leased. The size of these holdings was recorded in the inventory as covering 687,347 acres overseas and 29,819,492 acres worldwide, making the Pentagon easily one of the world’s largest landlords.

Yet yesterday, the CIA web site was brought down by young hackers affiliated with Anonymous who explained the reasons of the attack: “We do it for the lulz,” referring to the popular online abbreviation “for laughs.” This was not the first time Anonymous brought down cia.gov. In June, as part of a 51-day-long hacking spree, the Anonymous affiliated group LulzSec took down the CIA’s site for a few hours. The reason was the same, “For the lulz.”

Over at CNET, they reported that they, “pilfered from police and government servers in Alabama, operatives for the group had managed to lift information on 46,000 Alabama residents, including their names, Social Security Numbers, dates of birth, criminal records, and license plate numbers, just for being ‘lazy,’ and in protest of Alabama’s House Bill 56, controversial immigration legislation that became law in the state last year, they took down the Mexican Senate and Interior Ministry Web sites, for alleged exploitative labor conditions and business practices at Camimex. It also said it had exposed e-mail addresses from the Mexican Mining Chamber and he group makes a habit of targeting law enforcement and related agencies on Fridays. The same day as the FBI post, Anonymous claimed to have hacked into police sites in Texas, Boston, and Salt Lake City, as well as the site of defense lawyers for a U.S. Marine accused of leading a civilian massacre in Iraq.”

Now no one is saying that all hacks are righteous and in the interest of justice or sobriety even. Yet many of the targeted hacks are, at least in the mind of the hackers, done to show up the authorities who don’t seem capable of handling them. Hackers, like most of us on the Internet, are used to beta test crappy software and used to try to break things so they work better. Hell, there wouldn’t be a Microsoft if it weren’t for that concept.

But instead of poking into the private lives of folks like Steve Jobs, John Lennon and no doubt us, wouldn’t it be smarter for all the government police to start protecting our nation from the real enemies and start showing the world the biggest, richest and smartest people really do want peace and we are prepared to start now? Has anyone in government even offered a rationale for what a peace time economy might look like or how it might work? Maybe if Jobs had lived long he would have grown tired of gadgetry and taken on that project. No doubt he’d have done better than the all police government of paranoia we have now.

My point is this, if you can’t handle the hack, hire the hackers. Instead of chipping away at social scientists to take over the world, hire the young folks who can’t find jobs and are bored with the usual fare allowed them. Make it possible for our young folks to do their magic for good instead of evil. I doubt it, but maybe those bigwigs in Washington can learn something.

It was simple in the enterprise world. There was a main business organization with a handful of supporting departments like HR, accounting, legal, and facilities management. There was no doubt that the business organization was king. It ruled the enterprise without question. Then computers came to the enterprise. At the beginning, computers were subordinate, simply supporting business. As computer technologies advanced, it became necessary to form an independent organization called IT. Even so, IT was subordinate to business. Business dictated and IT followed.

It is hard to say when, but at some point IT got so powerful that business could not tell it what to do. Or more accurately, business was still boss, but IT became less responsive to business needs, and not just to requests; IT did not and could not respond to the changes taking place around it. IT was supposed to support and accelerate business goals, but it became a barrier to business. It became so bad that people said IT was the place where big, important projects went to die, according to Tim. For some time, business was frustrated with IT but did not have the means to bypass it. Then came the era of cloud computing and commercialization of IT. Business secretly formed a shadow IT department, like a shadow cabinet in the UK, and started to bypass IT whenever possible. Who can blame non-IT folks who need IT services yesterday? If it is going to be months before IT can satisfy my needs when I need it now, I will bring in my own gear or outsource the services. The big difference now is that we can do it if we want. It was not possible to do so only a few years ago. Tim said some CIOs now realize this and are working to face this straight, but many CIOs still think the old and traditional way of running IT departments is appropriate.

There is no real department for shadow IT. In a way, any business or non-IT staff who needs IT services can virtually form a shadow IT group and outsource their needs to cloud and mobile computing. If there were really one physical shadow IT department, it would be easier for the real or traditional IT department to confront it and take back control. But this shadow IT group is like guerrilla warfare. There is no particular place the group shows up. It appears where there is a real need for IT services, gets them quickly, and then may disappear. As far as I know, Tim is the first person in IT to admit that the blame is on IT for bringing this situation on itself.

This may not be a good analogy, but at the same conference Pascal Finette of Mozilla gave a keynote speech on open innovation. His theme was that opening the barrier could accomplish even greater results. Maybe it is a stretch, but I am saying that the IT department should be more OPEN to what their internal customers want and work with them for the entire company. Tim said that CIOs in this new era should take a very hard look at their core capabilities, review their portfolio of services, and decide what should be retained and what should be outsourced. This is a hard thing to do because it may mean downsizing the IT department. The CIO and the IT group need to have heart-to-heart discussions among themselves and with their internal customers.

It is easy to propose this at a high level, but how do you actually implement it? When it comes to cloud computing, the number of popular services like Salesforce.com and AWS is low, and it may be easy to evaluate the usefulness of each. But if IT approves a “bring your own device” (BYOD) policy, the sheer number of variations could be a problem. I would like to ask Tim about this. Maybe he has already addressed this in his blog.

Tim advocates that IT take the initiative to evaluate current services and gear before its internal customers come asking for support and approval. It would be great if, when a customer asks for services or new technologies, IT is ready to embrace the request and seamlessly integrate it into the current portfolio of services. That is a new value to IT and will definitely increase their importance in the company. There is going to be new pressure on IT. IT needs to study the market trends and new services and technologies daily and constantly. This alone would produce a ton of work. So this makes it even more important to review what they currently have and remove services of low priority from their portfolios. If some services can be easily outsourced without losing important elements, such as security, they should be.

For example, if IT studied Salesforce.com well in advance of a customer request to incorporate its services for business, it could accommodate the request with strong support. Moreover, because IT is probably the only department that interacts with most, if not all, departments in the company, it can facilitate communication between departments. For example, if IT understands how marketing and sales operate, it could avoid sending conflicting messages to the same customer from marketing and sales, which is very embarrassing, according to Tim.

What if IT provides virtualization? Would it be enough to prevent internal customers from resorting to outside clouds? Virtualization and cloud are two different things. I caught Tim after the interview to get more details on this, but that is a story for later. For now, let’s say virtualization is not cloud, and cloud is more than that. Tim said that the three pillars of cloud computing are economic value, flexibility, and responsiveness. In most discussions, economy is considered the key value for cloud computing, but Tim said it might not be the most important factor. Sometimes cloud computing may cost you more, but you may want to adopt it for its flexibility and responsiveness. To sell cloud computing to your CFO and CEO, you should be able to make each point by giving a concrete example and the savings associated with it. For example, scaling from 50 to 1,500 servers over days and weeks could only be accomplished via cloud computing; no traditional methods accommodate change on such a scale. Moreover, you should be able to convert this to $ to explain it to the CFO and CEO.

Is virtualization a necessary process before adopting a cloud service? Tim said that the adoption of virtualization is probably in the 30% to 40% range, less than the 50%-plus estimated by IDC. If you have not virtualized your data center yet, you need to take a holistic view rather than simply considering virtualization. Looking solely at technology (virtualization) is not right. After all, virtualization maximizes server utilization, but other things—like maximization of the organization’s resources and processes—are also very important. So, according to Tim, it is OK to bypass virtualization and adopt cloud services by paying attention to the whole picture.

What about organizations that have already invested in hardware? It is easy to talk about startups, which have very little IT gear, but larger companies, even small to midsize companies, may have a hard time moving to a new paradigm. Tim’s answer was clear: whether it’s hardware or software, everything will be replaced at some point. The lifespan of server hardware is about four to five years, and software applications must be upgraded or replaced at some point. That is the time to take a hard look at what to do from several points of view: economy, technology, process change, and the whole organization.

Finally, security is the number one inhibitor mentioned in many research results. The perception is that only larger companies need to consider both security and regulatory conformance and that small startups can adopt cloud computing readily. Tim said both considerations are required in any business of any size. So that kind of argument does not have merit. Also, he said, in many instances cloud providers’ data centers and security measures for other elements are better than those of companies of many sizes and kinds. In any event, if you worry about data security, you need to weigh convenience and ease of use with security risks. Having data at your own data center does not make it more secure than the data hosted somewhere in clouds.

There is a lot of talk about cloud computing, but sometimes people duck the hard questions. I will catch Tim in the future to discuss some of mine:

• How do you transition from virtualization to cloud computing?
• What are public, private, hybrid, and federated clouds?
• Is there such a thing as private cloud?
• Hybrid clouds? What about interoperability of VMs between private and public clouds?
• What new requirements, such as ID management, do federated clouds bring?
• What are green clouds? Can you quantify the greenness of clouds?

So stay tuned!

Published: Thursday, February 09, 2012

Version: 1.0

This is an advance notification of security bulletins that Microsoft is intending to release on February 14, 2012.

This bulletin advance notification will be replaced with the February bulletin summary on February 14, 2012. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft will host a webcast to address customer questions on the security bulletins on February 15, 2012, at 11:00 AM Pacific Time (US & Canada). Register now for the February Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.
Bulletin Information
Executive Summaries

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier.

The following table summarizes the security bulletins for this month in order of severity.

For details on affected software, see the next section, Affected Software.
Bulletin ID Maximum Severity Rating and Vulnerability Impact Restart Requirement Affected Software
Bulletin 1 Critical
Remote Code Execution Requires restart Microsoft Windows
Bulletin 2 Critical
Remote Code Execution Requires restart Microsoft Windows,
Internet Explorer
Bulletin 3 Critical
Remote Code Execution Requires restart Microsoft Windows
Bulletin 4 Critical
Remote Code Execution May require restart Microsoft .NET Framework,
Microsoft Silverlight
Bulletin 5 Important
Elevation of Privilege Requires restart Microsoft Windows
Bulletin 6 Important
Elevation of Privilege May require restart Microsoft Office,
Microsoft Server Software
Bulletin 7 Important
Remote Code Execution May require restart Microsoft Windows
Bulletin 8 Important
Remote Code Execution May require restart Microsoft Windows
Bulletin 9 Important
Remote Code Execution May require restart Microsoft Office
Top of section
Affected Software

This advance notification provides a number as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier.

The following tables list the bulletins in order of major software category and severity.

How do I use these tables?

Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates pertain to your installation. If a software program or component is listed, then the severity rating of the security update is also listed.

Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.
Windows Operating System and Components
Microsoft Office Suites and Software
Microsoft Server Software
Microsoft Developer Tools and Software
Top of section
Detection and Deployment Tools and Guidance

Security Central

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The TechNet Security Center provides additional information about security in Microsoft products. Consumers can visit Security At Home, where this information is also available by clicking “Latest Security Updates”.

Security updates are available from Microsoft Update and Windows Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.

For customers of Microsoft Office for Mac, Microsoft AutoUpdate for Mac can help keep your Microsoft software up to date. For more information about using Microsoft AutoUpdate for Mac, see Check for software updates automatically.

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, “MS07-036″), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see Microsoft Knowledge Base Article 961747.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems.

For more information about how to deploy this security update using Windows Server Update Services, visit Windows Server Update Services.

System Center Configuration Manager 2007

Configuration Manager 2007 Software Update Management simplifies the complex task of delivering and managing updates to IT systems across the enterprise. With Configuration Manager 2007, IT administrators can deliver updates of Microsoft products to a variety of devices including desktops, laptops, servers, and mobile devices.

The automated vulnerability assessment in Configuration Manager 2007 discovers needs for updates and reports on recommended actions. The Software Update Management in Configuration Manager 2007 is built on Microsoft Windows Software Update Services (WSUS), a time-tested update infrastructure that is familiar to IT administrators worldwide. For more information about how administrators can use Configuration Manager 2007 to deploy updates, see Software Update Management. For more information about Configuration Manager, visit System Center Configuration Manager.

Systems Management Server 2003

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users.

Note System Management Server 2003 is out of mainstream support as of January 12, 2010. For more information on product lifecycles, visit Microsoft Support Lifecycle. The next release of SMS, System Center Configuration Manager 2007, is now available; see the earlier section, System Center Configuration Manager 2007.

For more information about how administrators can use SMS 2003 to deploy security updates, see Scenarios and Procedures for Microsoft Systems Management Server 2003: Software Distribution and Patch Management. For information about SMS, visit the Microsoft Systems Management Server TechCenter.

Note SMS uses the Microsoft Baseline Security Analyzer to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of SMS in these cases to target updates to specific systems. For more information about this procedure, see Deploying Software Updates Using the SMS Software Distribution Feature. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack) to install these updates.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.