Feb 25 2010

Study: Linux kernel R&D worth over 1 billion euros

According to a study by researchers at the University of Oviedo (Universidad de Oviedo) in Spain, the estimated total value of the 2.6.30 Linux kernel, released in June of 2009, is more than €1 billion. Using the kernel development history from version 2.6.11 to 2.6.30, the researchers calculated the costs by using the Constructive Cost Model 81 (COCOMO 81) and taking the average annual salary for a developer in 2006 in the European Union as a parameter. According to EUROSTAT, that was approximately €31,000. The Linux Foundation published a similar study in October of 2008.

The COCOMO model estimates the cost of software from a handful of metrics, chiefly the number of lines of code written. The study looks at the estimated annual research and development (R&D) costs of the kernel releases and shows that the annual Linux kernel R&D cost increased significantly in 2008. Between 2005 and 2006, annual R&D was estimated at between €72 million and €94 million; in 2008, that figure rose to more than €228 million.

The two researchers responsible for the study, Jesús García-García and Mª Isabel Alonso de Magdaleno, will be presenting their findings at the Concord 2010 conference on corporate R&D taking place on the 3rd and 4th of March, 2010 in Seville, Spain.

Source


Feb 24 2010

Unix server sales spiral downward, Gartner says

Server shipments increased in the fourth quarter of 2009, but revenue fell as x86 servers continued to bite into the declining market for Unix servers with RISC and Itanium chips, Gartner said in a study released on Wednesday.

Worldwide server shipments totaled 2.2 million during last year’s fourth quarter, growing 4.5 percent compared to the fourth quarter of 2008. Worldwide server sales totaled US$12.6 billion during the fourth quarter last year, a 3.2 percent drop from server sales in the same quarter of 2008. Worldwide sales of x86 servers rose 14.3 percent to $7.6 billion during the 2009 fourth quarter, while RISC and Itanium server sales declined by 20 percent to about $3 billion.

“The fourth quarter of 2008 was quite weak, so the fourth quarter of 2009 did not have to produce huge x86 server numbers to result in an increase,” said Jeffrey Hewitt, research vice president at Gartner, in a statement. “At the same time, other segments like RISC/Itanium Unix and mainframes remained constrained and that exerted downward pressure on overall vendor revenue results.”

IBM and Intel in early February released new chips for highly scalable servers that require high uptime. At the time of the Power7 chip launch, the senior vice president of IBM’s Systems and Technology group, Rod Adkins, said the Unix market is a sizeable and healthy market to the tune of $14 billion or $15 billion annually. Adkins also said IBM will try to provide more competitive pricing options on its Power7 servers to take on the “traditional” server market.

Industry analysts said the new chips will have little effect on reviving the declining sales of scalable servers running the Unix OS: x86 servers are cheaper, are getting more powerful and have a more readily available software stack.

The x86 server market was trending toward a larger use of blades, Hewitt said. Blade server shipments grew by 11.1 percent during the quarter, while revenue grew by 22.1 percent.

IBM was the top server vendor during the fourth quarter, with sales of $4.1 billion, a drop of 5.9 percent year over year and a 32.7 percent market share. In a close second was Hewlett-Packard, with server sales of $3.95 billion, recording a small growth of 0.4 percent and 31.3 percent market share. Dell’s server revenue increased by 8.3 percent to $1.5 billion, putting it in third place. Sun Microsystems, which has since been acquired by Oracle, saw a massive 23.5 percent drop in server sales.

IBM was also first in Unix servers with a 40.5 percent market share during the fourth quarter of 2009. The company registered sales of $1.2 billion, a year-over-year drop of 11.1 percent. Hewlett-Packard was second, with sales of $876 million, a year-over-year drop of 19.9 percent. Sun shipped the largest number of Unix servers during the fourth quarter, but was third in revenue with sales of $753.8 million, a year-over-year drop of 29.1 percent. Fujitsu was fourth, recording the largest drop of 55.4 percent.

Hewlett-Packard topped the x86 server market with sales of $2.8 billion, a year-over-year growth rate of 15.7 percent, and a market share of 38 percent. In a distant second was Dell, recording an 8.3 percent year-over-year sales growth to reach $1.5 billion, for 20 percent market share. IBM was in third place, with its server sales growing 37 percent to reach $1.4 billion. Sun and Fujitsu were in fourth and fifth places, respectively.

Source


Feb 22 2010

75 percent of enterprises have been hit by multi-million dollar cyber attacks

Wow. That’s quite a statistic, but there it is in front of me jumping off the pages of the latest global State of Enterprise Security study from Symantec. The two lines shining so brightly and grabbing my attention read “75 percent of organizations experienced cyber attacks in the past 12 months” and “these attacks cost enterprise businesses an average of $2 million per year”. I’ll say it again, wow!

Maybe that is not so surprising when you consider that the report states that every enterprise, yes 100 percent, experienced cyber losses in 2009. The top three losses were intellectual property theft, customer credit card data theft and the theft of other personally identifiable customer data. These losses translated into a financial cost 92 percent of the time, mainly in terms of productivity, revenue and tanking customer trust.

Of course, as I have said before, the math is always hard on the brain when you read these reports. That 75 percent figure is revealed immediately after we are informed that apparently 42 percent of organisations consider security the number one consideration for their business, beating off competition from such things as natural disasters, terrorism and traditional crime. In fact, it is a bigger concern than all three of those things combined. The disparity between the two could, of course, be partly down to another revelation in the report: enterprise security is becoming more difficult due to understaffing, new IT initiatives that intensify security issues and IT compliance issues.

When it comes to understaffing, network security is the biggest problem for 44 percent of those responding, with endpoint security sharing the honours, also on 44 percent. Then there are the initiatives that IT rated as most problematic from a security standpoint: infrastructure-as-a-service, platform-as-a-service, server virtualisation, endpoint virtualisation and software-as-a-service. And not forgetting compliance, with the typical enterprise having to explore no fewer than 19 separate IT standards or frameworks and employ around eight of them.

“Protecting information today is more challenging than ever” said Francis deSouza, senior vice president, Enterprise Security, Symantec Corp. “By putting in place a security blueprint that protects their infrastructure and information, enforces IT policies, and manages systems more efficiently, businesses can increase their competitive edge in today’s information-driven world.”

Source


Feb 3 2010

Old security flaws still a major cause of breaches, says report

An over-emphasis on tackling new and emerging security threats may be causing companies to overlook older but far more frequently exploited vulnerabilities, says a recent report.

The report, from TrustWave Inc., is based on an analysis of data gathered from over 1900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers.

The analysis showed that major global companies are employing “vulnerability chasers”, searching out the latest vulnerabilities and zero-day threats while overlooking the most common ones, the report said.

As a result, companies continue to be felled by old and supposedly well-understood vulnerabilities rather than by newfangled attack tools and methods.

For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, TrustWave found.

All three attack points have been well researched and known about for several years. SQL injection vulnerabilities, for instance, have been known about for at least 10 years but remain widely prevalent in Web-based, database-driven applications, TrustWave said.
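To make the SQL injection point concrete, here is an added example (not code from the TrustWave report or any of the firms named in it) showing the two shapes of the same login query: one that splices the user's input into the SQL text and one that binds it as a parameter. It runs against an in-memory SQLite database seeded with constructed sample users; the table name, columns and the placeholder "hashes" are assumptions for the demo.

```python
"""Added example: SQL injection via string-built SQL next to the parameterized
fix. Uses Python's built-in sqlite3 and constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data; the pw_hash values are placeholders, not real hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    # Deliberately vulnerable: input is concatenated into the SQL text, so a
    # quote character in the username changes the structure of the query.
    sql = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, pw_hash: str) -> bool:
    # Parameterized: the driver sends values separately from the SQL text, so
    # the same payload is compared literally against the username column.
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


# Classic payload: closes the string and comments out the password predicate,
# turning the query into  ... WHERE username = 'alice'--' AND pw_hash = '...'
PAYLOAD = "alice'--"


def demo() -> dict:
    """Run both login functions with a legitimate pair and with the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hash-of-alice-pw"),
        "legit_safe": login_safe(conn, "alice", "hash-of-alice-pw"),
        "attack_vulnerable": login_vulnerable(conn, PAYLOAD, "wrong"),
        "attack_safe": login_safe(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The vulnerable function accepts the payload with a wrong password; the parameterized one rejects it because `alice'--` is simply a username that does not exist. Binding parameters is the fix; escaping quotes by hand is not, since it is easy to miss a code path.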

The most common vulnerability that TrustWave discovered during its external network penetration tests had to do with the management interfaces for Web application engines such as WebSphere and ColdFusion. In many cases, the management interfaces were reachable directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server, which amounts to code execution on the host.

Similarly, unprotected network infrastructure components such as routers, switches and VPN concentrators were the second most common vulnerability unearthed by TrustWave. The tendency of many companies to host internal applications on the same server that also hosts external content was another common weakness, as were misconfigured firewall rules, default or easy-to-guess passwords and DNS cache poisoning.

Meanwhile TrustWave’s wireless penetration tests unearthed common weaknesses such as the continued use of WEP encryption, legacy 802.11 networks with minimal to no security controls and wireless clients using public “guest” networks instead of secured private networks.

In almost all of the cases, the most common vulnerabilities unearthed by TrustWave were common, well-understood issues that should have been addressed a long time ago, said Nicholas Percoco, senior vice president at TrustWave’s SpiderLabs research unit.

“There are basically two themes,” Percoco said. “Through our study in 2009 we found some very old vulnerabilities present within enterprises, some as old as 20 to 30 years.” The second theme is that attackers are targeting these old flaws to break into enterprises, then using increasingly sophisticated tools to harvest data from companies, he said.

In addition to older keystroke logging and packet sniffing tools, malicious attackers are increasingly employing tools such as memory parsers and credentialed malware to steal data, Percoco said. Memory parsers are used to monitor the random access memory associated with a certain process and to extract specific data from it. Credentialed malware programs are a new class of multi-user programs that have typically been used to steal money and payment card numbers from ATMs.
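The memory parsers Percoco describes are simple in principle: scan a process's memory for card-number-shaped data and keep what validates. The following added example (not TrustWave's tooling, and not from the article) reduces that to an offline scan over a constructed byte buffer that stands in for a process memory dump. It extracts digit runs of card-number length, keeps those that pass the Luhn check, and separately parses track-2 records. The sample buffer, the track-2 layout assumed by the regex and the test card numbers are all constructed for the demo; the same logic is what an incident responder would run over a captured dump to see what a scraper would have harvested.

```python
"""Added example: a minimal "memory parser" run over a constructed buffer that
stands in for a process memory dump. Extracts Luhn-valid PANs and track-2 data."""
import re

# Constructed stand-in for a memory dump: two Luhn-valid test PANs, one invalid
# digit run, a timestamp-like run that must not be flagged, and a track-2 record.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v3.1\x00ts=20091231235959\x00"
    b"cust=alice pan=4111111111111111 exp=1512\x00"
    b"junk=4111111111111112\x00"
    b";5500000000000004=15121011234567890123?\x00"
    b"\xff\xfe\x00"
)

# Digit runs of card-number length (13-19) that are not part of a longer run.
_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Assumed track-2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
_TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list[str]:
    """Luhn-valid candidate PANs in buf, deduplicated, in order of first appearance."""
    found: list[str] = []
    for m in _PAN_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan) and pan not in found:
            found.append(pan)
    return found


def find_track2(buf: bytes) -> list[tuple[str, str]]:
    """(PAN, 'YYMM') pairs from track-2 records whose PAN passes Luhn."""
    out: list[tuple[str, str]] = []
    for m in _TRACK2_RE.finditer(buf):
        pan, yy, mm = (g.decode("ascii") for g in m.groups())
        if luhn_ok(pan):
            out.append((pan, yy + mm))
    return out


if __name__ == "__main__":
    print("PANs:", find_pans(SAMPLE_MEMORY))
    print("track-2:", find_track2(SAMPLE_MEMORY))
```

The Luhn filter is what separates card data from the timestamps, counters and identifiers that litter any real dump; without it the false-positive rate makes the output useless. The defensive lesson is the same one the article draws: if card data sits in plaintext in process memory, a scan this small is all an attacker with a foothold needs.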

There are several measures companies can take to mitigate the risks posed by older and often overlooked vulnerabilities, TrustWave said. One step is to maintain a complete asset inventory. Many companies are often unaware of all the IT assets they own or of the risks they pose to data, so maintaining an up to date list of assets is vital to protecting them, TrustWave said.

Decommissioning older legacy systems as far as possible can also help mitigate the risk. In 80% of the cases that TrustWave looked at, third parties were responsible for introducing the vulnerabilities, so monitoring third-party relationships is key, according to the company. Other recommended measures included internal network segmentation, data encryption and stronger Wi-Fi security policies.

Source


Feb 2 2010

Obama budget halts IT growth, cuts datacentres

President Barack Obama’s 2011 budget proposal, released today, flattens federal IT spending and orders federal departments to consolidate and centralise IT operations.

This budget is unsparing in its criticisms and says federal IT departments have a history of not delivering productivity and performance gains “that are found when IT is deployed effectively in the private sector”.

This budget outlines Obama’s goal of creating an IT operation infused with private sector best practices, as well as enabling citizens to easily access government data and interact with federal agencies in new ways. The White House also wants social networking tools widely deployed to help make government, through continuous collaboration, smarter.

“The rise in social media and web 2.0 technologies has proven that no single organisation has a monopoly on good ideas,” said the budget narrative.

And the Obama administration wants to head in this direction without spending new money on IT.

The White House’s proposed 2011 federal budget increases federal IT spending to US$79.4 billion, a rise of just over 1.2 percent and slightly above the White House’s inflation forecast for this year. In 2001, the US spent $45 billion on IT. The federal fiscal year begins October 1.

To cut costs, the White House will seek a reduction in the number of datacentres, now at 1,100. It does not set a target but points out that in 1998 only 432 datacentres served federal agencies.

It also wants to centralise the delivery of some IT services across agencies through the use of cloud technologies and other platforms. The trick for federal CIOs will be to consolidate, centralise and increase their use of technologies such as virtualisation, without spending new money.

“There won’t be a lot of wiggle room for new technologies,” said Deniece Peterson, manager of industry analysis at government market research firm Input, who said that 70 percent of the money spent on IT now is just “to keep the lights on,” meaning, running operations.

Peterson said IT managers will likely start small but may also face more pressure from this White House for results than from previous administrations.

The Obama administration appointed the first federal CIO and one who is “aggressive in pushing the agenda,” Peterson said. Last year, Obama appointed Vivek Kundra, former CTO of the District of Columbia, as the federal CIO.

Even before this budget, the White House had come up with a means to shine a spotlight on the performance of federal IT departments. It created an “IT dashboard” that rates IT projects and their performance at various agencies.

The reason for this Scarlet Letter-like attention, Peterson said, is that an IT failure at a private company could put a firm out of business, but “the ramifications of failure are not as pronounced in government”, hence the approach “is kind of embarrassing agencies to perform”.

If agencies can’t increase spending easily, some IT vendors may be under pressure to cut their costs as well. Other vendors may see new opportunity to sell product.

Ken Powell, president of North American Operations at Micro Focus, said he is hopeful that the government’s direction will expand interest in his products that enable users to migrate mainframe applications to other platforms to reduce costs.

“In our economic climate, and there is one thing that you have to focus on, it’s not saving costs, it’s avoiding cost,” he said.

Source


Feb 2 2010

PGP buys tech to offer trusted ID from the cloud

PGP Corporation has acquired privately-held TC TrustCenter and its US parent company, ChosenSecurity, as part of plans to offer trusted identity management services from the cloud. Terms of the transaction, announced Tuesday, were not disclosed.

TC TrustCenter provides managed trust services for customers in the financial, car manufacturing and utilities industries. This trust infrastructure supports applications including encryption, authentication and secure collaboration, on PCs, servers and mobile devices. PGP marketing manager Jamie Cowper explained that TC TrustCenter’s technology provides “managed identities and certificates for individuals and servers/services”.

PGP reckons there is a neat fit between this “on-demand platform for managing trusted identities” and its line of disk encryption and data protection products. From a commercial perspective, the deal will allow PGP to better compete in the managed PKI market with the likes of Entrust and Verisign.

“Trusted identities are a crucial component for data protection solutions that secure sensitive data,” said Phillip Dunkelberger, president and chief exec of PGP Corporation. “With this acquisition, PGP Corporation is gaining an extensible platform that will dramatically accelerate its vision of delivering integrated data protection across vendors, technologies, and devices.”

Source


Jan 27 2010

Bank files lawsuit against victim of $800,000 cybertheft

A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.

The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.

In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary’s bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.

Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.

PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were “commercially reasonable.” In its complaint, the bank noted that it had made every effort to recover the stolen money.

The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. “PlainsCapital accepted the wire transfer orders in good faith,” and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.

The complaint itself is somewhat unusual in that it doesn’t seek anything specific from Hillary. Rather all it asks is for the court to certify that its systems are reasonably secure.

In an interview with Computerworld today, Troy Owen, Hillary’s vice president of marketing, disputed the bank’s claims. Owen insisted that it was the bank’s failure to implement strong authentication and fraud detection measures that had enabled the theft.

“The bank is doing what their attorneys are telling them to do, which is to deny everything,” Owen said. “They obviously can’t just come out and say they know their systems are insecure so they are trying to bully us with a lawsuit,” Owen said.

Owen today claimed that Hillary had no idea how or when its online banking credentials might have been accessed by the cyber thieves.

While the transfers were initiated using valid login credentials, there were several details that should have alerted bank authorities that all was not right, Owen said. The biggest red flag should have been that the money was being transferred to foreign destinations, which had never happened before with Hillary’s account, Owen said.
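The kind of check Owen is pointing at is rule-based review of each outgoing wire against the account's own history. The following is an added example, not code from PlainsCapital, Hillary Machinery or the article: it scores a batch of new wires against constructed sample history and returns the reasons each one should be held for out-of-band confirmation rather than released on the strength of valid credentials alone. The account history, the burst of foreign wires, the thresholds (twice the historical maximum, three wires in 30 minutes, a 07:00-18:59 business-hours window) and the home country are all assumptions for the demo.

```python
"""Added example: rule-based hold/release review of outgoing wire transfers
against an account's own history. All data and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed history: every prior wire from this account went to US beneficiaries.
HISTORY = [
    {"ts": datetime(2009, 9, 14, 10, 2),   "to": "Acme Parts LLC",  "country": "US", "amount": 42_000},
    {"ts": datetime(2009, 10, 1, 9, 40),   "to": "Acme Parts LLC",  "country": "US", "amount": 38_500},
    {"ts": datetime(2009, 10, 20, 14, 15), "to": "Lone Star Steel", "country": "US", "amount": 61_000},
    {"ts": datetime(2009, 11, 2, 11, 5),   "to": "Acme Parts LLC",  "country": "US", "amount": 40_000},
]

# Constructed batch: a night-time burst of foreign wires, then a routine one.
NEW_WIRES = [
    {"ts": datetime(2009, 11, 9, 3, 12),  "to": "Unknown Ltd",    "country": "RO", "amount": 195_000},
    {"ts": datetime(2009, 11, 9, 3, 15),  "to": "Other SRL",      "country": "IT", "amount": 210_000},
    {"ts": datetime(2009, 11, 9, 3, 19),  "to": "Unknown Ltd",    "country": "RO", "amount": 190_000},
    {"ts": datetime(2009, 11, 12, 10, 0), "to": "Acme Parts LLC", "country": "US", "amount": 41_000},
]

HOME_COUNTRY = "US"                   # assumed
AMOUNT_MULTIPLIER = 2                 # assumed: hold if > 2x historical max
BURST_WINDOW = timedelta(minutes=30)  # assumed
BURST_COUNT = 3                       # assumed: hold on the 3rd wire in the window
BUSINESS_HOURS = range(7, 19)         # assumed: local 07:00-18:59


def review_wire(wire: dict, history: list, attempts: list) -> list:
    """Return the reasons to hold this wire; an empty list means release.

    `history` is the trusted record of completed wires; `attempts` is every wire
    submitted in the current session, held or not, used only for burst detection.
    """
    reasons = []
    known_countries = {h["country"] for h in history}
    known_payees = {h["to"] for h in history}
    max_amount = max((h["amount"] for h in history), default=0)

    if wire["country"] != HOME_COUNTRY and wire["country"] not in known_countries:
        reasons.append(f"first-ever wire to foreign destination {wire['country']}")
    if wire["to"] not in known_payees:
        reasons.append(f"new beneficiary {wire['to']!r}")
    if wire["amount"] > AMOUNT_MULTIPLIER * max_amount:
        reasons.append(f"amount {wire['amount']} exceeds {AMOUNT_MULTIPLIER}x historical max {max_amount}")
    if wire["ts"].hour not in BUSINESS_HOURS:
        reasons.append(f"submitted outside business hours at {wire['ts']:%H:%M}")
    recent = [a for a in attempts if timedelta(0) <= wire["ts"] - a["ts"] <= BURST_WINDOW]
    if len(recent) + 1 >= BURST_COUNT:
        reasons.append(f"{len(recent) + 1} wires submitted within {BURST_WINDOW}")
    return reasons


def review_batch(new_wires: list, history: list) -> list:
    """Review wires in time order; returns (wire, reasons) pairs."""
    attempts: list = []
    results = []
    for w in sorted(new_wires, key=lambda x: x["ts"]):
        results.append((w, review_wire(w, history, attempts)))
        attempts.append(w)
    return results


if __name__ == "__main__":
    for wire, reasons in review_batch(NEW_WIRES, HISTORY):
        verdict = "HOLD" if reasons else "release"
        print(f"{wire['ts']:%Y-%m-%d %H:%M} {wire['country']} {wire['amount']:>8}: {verdict}")
        for r in reasons:
            print("    -", r)
```

Held wires are not added to the trusted history, so the second transfer to the same new country is still flagged as first-ever; only the burst counter sees every attempt. None of these rules needs more than the bank's own transaction log, which is the substance of Owen's complaint.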

Source


Jan 27 2010

Most Hospitals Increasing IT Spending

Three quarters of small to mid-sized hospitals in the U.S. plan to increase their IT budgets this year, with clinical point-of-care systems being the top IT priority, says a new survey.

The U.S. government’s health IT stimulus programs are apparently driving many of these hospitals’ IT plans.

Government regulatory matters, followed by financial incentives, were named as the top issues driving healthcare over the next two years, said the respondents to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) last October and released Wednesday.

HIMSS’ phone survey of 202 IT executives at small to mid-sized hospitals included 125 CIOs, CTOs, VPs and directors of IT in the U.S. and 77 in other countries, including Canada, the U.K., Germany, France and China.

The hospitals ranged from 100 to 400 beds and did not include U.S. hospitals run by the federal government, such as VA facilities.

About 76% of U.S. hospital IT executives surveyed said they planned to increase IT spending this year, while 17% expected no change in spending and only 8% predicted reduced budgets.

While this particular survey of small to mid-sized hospitals is new for HIMSS, an annual HIMSS leadership survey early last year found that only 55% of IT executives in a wider pool of U.S. hospitals of varying sizes expected to increase their budgets, said Jennifer Horowitz, senior director at HIMSS Analytics, the research arm of HIMSS.

Overwhelmingly, hospitals in the U.S. are focused on an explosion in clinical data, including images, over the next two years.

Much of that data is expected to come from deployments of e-medical record systems as these hospitals race to participate in the U.S. federal government’s $20 billion stimulus program that rewards healthcare providers for their meaningful use of health IT systems starting in 2011.

In the U.S., 55% of respondents named point-of-care systems as their top priority, followed by data exchange (14%), leveraging data (12%), infrastructure (10%), administrative efficiency (2%), with the rest answering “other” or “don’t know.”

Answers from hospital IT executives in other countries were broadly similar to U.S. hospitals’ priorities; the biggest differences were in how other countries ranked data exchange (lower, at 4%) and administrative efficiency (higher, at 14%). Outside the U.S., 48% of hospital IT executives named point-of-care as their biggest IT priority.

Overall, U.S. hospitals have more complex IT hardware environments than hospitals in other countries. U.S. survey respondents have an average of 75 servers in their hospitals, and one-third of U.S. hospitals have not yet begun to virtualize their data centers.

Often there is one server per application at U.S. hospitals, said Jamie Coffin, VP and general manager of Dell Computer’s healthcare and life sciences business, which sponsored the HIMSS survey. As hospitals plan for the explosion of data and storage needs, virtualization can curb the proliferation of underutilized servers and storage devices and reduce costs, he said.

Source


Jan 25 2010

Data breach costs top $200 per customer record

The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute’s annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.

Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it.

Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record.

In tallying the cost of a data breach, Ponemon Institute looks at several factors including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training.

There appear to be three main causes for a data breach, says Dr. Larry Ponemon, chair and founder of the Institute, as indicated by the 45 companies that shared their stories for the “Fifth Annual U.S. Cost of Data Breach Study,” sponsored by PGP.

“As part of our analysis, we try to get at the root cause of the data breach,” Ponemon says. “There’s negligence, where people make mistakes, such as lost laptops, accounting for 40% of the data breach cases. There are system glitches, such as a third-party sending out statements they shouldn’t, which was 36%. And there are malicious and criminal attacks, at 24%.”

Ponemon adds that 2009 brought “more sophisticated criminal attacks that didn’t show up on our radar screen” the previous year. These malicious attacks often involved botnets and were carried out for reasons of financial gain.

Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.

The management skills of the CISO, or an individual in an equivalent position, seemed to help hold down the cost of a data breach: The average per capita cost of an incident was $157 per record for companies with a CISO, versus $236 for companies without one.

The magnitude of the breach events, according to the study, ranged from about 5,000 to about 101,000 lost or stolen customer records. Among the incidents reported, the most expensive data breach cost nearly $31 million to resolve, and the least expensive cost $750,000.

Source


Jan 25 2010

IT spending to grow in 2010

A slow but steady improvement in the macroeconomic environment in 2010 should support a return to modest growth in overall IT spending, according to Gartner. Worldwide IT spending will reach $3.4 trillion in 2010, a 4.6 percent increase from 2009.

Although modest, this projected growth represents a significant improvement from 2009, when worldwide IT spending declined 4.6 percent. All major segments (computing hardware, software, IT services, telecom, and telecom services) are expected to grow in 2010.

From a regional perspective, Gartner’s IT spending forecast reflects the economic situation in each region and country with the emerging regions leading the way in terms of growth both in the short and longer term. However, because of the scale of IT spending in North America and Western Europe, these regions weigh heavily in the global IT spending growth rate overall.

IT spending growth in emerging markets (with the exception of central and eastern Europe and some of the Gulf states) is expected to lead the way, with spending forecast to grow 9.3 percent in Latin America, 7.7 percent in the Middle East and Africa and 7 percent in Asia/Pacific.

Recovery in Western Europe, the United States and Japan will start more slowly, with Western Europe increasing 5.2 percent, the U.S. growing 2.5 percent, and Japan increasing 1.8 percent.

Source