Microsoft security guru wants Vista bugs rated less serious
Microsoft's own bug hunters should cut Windows Vista some slack and rate its vulnerabilities differently because of the operating system's new, baked-in defenses, according to the developer who is often the public persona of the company's Security Development Lifecycle (SDL) process. Michael Howard, a senior security program manager in Microsoft's security engineering group, said that the Microsoft Security Response Center (MSRC) is being too conservative in its Vista vulnerability rating plans. Because Vista includes security techniques and technologies that Windows XP lacks, the MSRC should reconsider how it ranks Vista when a vulnerability affects both Microsoft's new operating system and its predecessor, Windows XP, he said. "The MSRC folks are, understandably, very conservative and would rather err on the side of people deploying updates rather than trying to downgrade bug severity," said Howard on his personal blog last week. "Don't be surprised if you see a bug that's, say, Important on Windows XP and Important on Windows Vista, even if Windows Vista has a few more defenses and mitigations in place." The operating system, released to consumers in late January, includes a number of new security features that randomize memory, check code for buffer overflows and require user permission for potentially risky operations. Not surprisingly, the MSRC rejects Howard's argument. "Windows Vista will not be treated any differently, and severity ratings for any issues will be based on vulnerability traits and merits, along with technical mitigating factors," an MSRC spokesperson said. "This process is the same for all Microsoft products." Although the MSRC's security bulletins may qualify a bug's severity in some specific environments, its rating system is clear-cut. If an Internet worm can spread without user action -- the MSRC's definition of "critical" -- on Vista, the vulnerability will be so tagged, Vista-specific security technologies notwithstanding. 
Analysts and outside Microsoft security professionals took the MSRC's side -- and blasted Howard's idea. "A remote-code execution exploit still remains a remote-code execution exploit," said Johannes Ullrich, chief research officer at the SANS Institute
Vodafone shows Skype calling on cell phones
HANOVER, Germany - Vodafone Group PLC is demonstrating a service at the CeBIT trade show that allows mobile phone customers to call and exchange presence information with users of Internet phone services such as Skype. The prototype application, called Starfish, makes use of two switching systems: the circuit-switched technology used in Global System for Mobile Communications (GSM) networks and packet-switched voice-over-IP technology, according to Jochen Hertle, director of new business development at Vodafone. Calls initiated on mobile phones are transmitted over the airwaves via traditional circuit-switching technology. A gateway at the mobile switching station converts the call into IP and forwards the packets to the PC user via their VoIP service. Vice versa, PC users can initiate a VoIP call, which is converted to a circuit-switched signal at the media gateway and transmitted over the airwaves to mobile phone customers. In addition, Starfish uses General Packet Radio Service technology to provide the presence function featured in Internet messaging services such as AIM, Skype and Yahoo, according to Hertle. Other companies have tried to achieve the same results with an all-VoIP approach, putting client software on smart phones, and using mobile data connections to carry the voice traffic. In contrast, Vodafone's hybrid approach with Starfish has a couple of benefits, said Jan Holzberg, new business product manager at the company. "First of all, the voice quality is excellent because we use GSM over the airwaves," he said. "The quality of VoIP calls over the air is nowhere as good largely because of low data speeds, and even when new higher-speed transmission rates become available, circuit-switched voice quality will remain noticeably better." Second, Starfish works on all GSM networks, which are ubiquitous, unlike all-IP mobile networks, which are available mostly in large, urban areas, according to Holzberg. Starfish generates call fees, however.
Mobile phone customers must pay to initiate a call, as do PC users connecting to a mobile phone network. But Hertle pointed out that VoIP calls on mobile devices also carry a fee; users must pay a mobile data charge. "There will always be a cost to communicating on a mobile phone, whether voice or data," he said. "The issue will be which is cheaper."
Foundry launches high-density WLAN gear
Foundry Networks Inc. this week launched new wireless LAN access points and controllers that can help users concentrate more connections per access point and stretch WLAN applications beyond simple data access. With a new location management offering as well, Foundry said the new gear and software will help companies simplify WLAN deployment and management, and consolidate wireless data access with other services -- such as VoIP and location tracking -- on a single 802.11-based infrastructure. Foundry's IronPoint Mobility AP150 access point -- based on technology from Meru Networks -- can support as many as 120 WLAN connections per device, a useful feature for deployments in large public spaces or high-traffic areas. The IronPoint Mobility Radio Switch 4000 is an even beefier WLAN access point, with built-in dual 802.11a and 802.11g radios, and support for as many as 256 connections per device. These products, combined with IronPoint Wireless Location Manager 2.02 software, let users deploy such services as rogue-access-point detection and location, and WLAN-based employee or asset tracking. The IronPoint Mobility AP150 and IronPoint Radio Switch 4000 provide multiple-radio coverage and the ability to deploy an entire WLAN with a single 802.11 channel and a single Secure Service Set Identifier network name. Foundry said this simplifies management and configuration for administrators. The new IronPoint gear also supports in-the-air quality of service (QoS) -- where the devices prioritize certain types of radio traffic between the client and the access point. Other WLAN equipment applies QoS settings to data or voice traffic only once packets hit the wired network at the access point, Foundry said. The IronPoint Wireless Location Manager 2.02 software now identifies the location of unauthorized access points -- for example, an access point set up by a user in a cubicle or at a desk -- as well as unauthorized WLAN clients in a building or campus.
This service can be overlaid on top of an existing Foundry WLAN infrastructure and does not require additional access points dedicated to location tracking, the company says. The Meru-based Foundry WLAN gear competes with products such as Cisco Systems Inc.'s Airespace-based WLAN equipment, as well as gear from Aruba Networks Inc. and Trapeze Networks. "Meru's architecture is superior to any of these other vendors when it comes to supporting applications such as voice over WLAN, and providing wireless in areas where user density is high," says Rachna Ahlawat, research director for wireless networking at Gartner Inc. She adds that Foundry's location-based security and asset-tracking capability also "provides enterprises with a more complete" location-based capability. The IronPoint Mobility Radio Switch 4000 costs $2,100 or $2,200, depending on whether it is fitted with a 180-degree or 360-degree omnidirectional antenna. The IronPoint Mobility AP150 costs $525, and the IronPoint Wireless Location Manager 2.02 software costs $8,000. The products will be available next month.
IBM Adds Google Gadgets to Portal
IBM and Google Inc. have jointly unveiled new portlet software that will allow users of IBM’s WebSphere Portal to integrate more than 4,000 Google Gadget services and utilities into the portal. The IBM Google Gadget Portlet, which will be available in April, will allow companies to add gadgets such as maps, to-do lists, product delivery tracking tools, driving directions and language translators to WebSphere Portal 6.0 and Portal Express systems used on corporate desktops, said IBM.
‘Curb Appeal’
Frank Brooks, senior manager of data resource management and chief data architect at Chattanooga-based BlueCross BlueShield of Tennessee Inc., said that the gadgets could add “curb appeal” to the insurer’s WebSphere portal. However, he added, “most of them wouldn’t be meaningful to our employees” because they include nonbusiness gadgets like webcams and games. Brooks did note that the link with Google could enable his company to pull in more substantive gadgets that Google may add in the future. “One of my concerns is who controls the quality of the gadgets,” Brooks said. “Is there quality control, or are they just gadgets you use at your own risk? How do you know if it is a meaningful gadget as opposed to a frivolous gadget?” “We’re trying to bust the barrier of things you do on the consumer side and things you do on the enterprise side,” said Larry Bowden, IBM’s vice president for portals and Web interaction services. For example, a gadget that provides driving directions could be useful in the business world, he said, noting that sales personnel could use it when driving to clients’ offices. At many companies, he added, employees are demanding tools like wikis, blogs and instant messaging, which can all be added using the gadgets.
Pulling the gadgets into the portal would provide such employees with access to new collaborative tools that incorporate professional features like security, Bowden said. In related news, IBM also announced its new Search Sitemap Utility portlet, which is designed to optimize portal content for search by external search engines
Microsoft to Add Office Link to Its Dynamics ERP Apps
Microsoft Corp. today is set to introduce a new tool that it says will let end users more easily access Dynamics ERP applications from its desktop software. Officials said the company plans to unveil the new Dynamics Client tool, which will link 12 Microsoft self-service ERP products to Microsoft Office and SharePoint Server applications, at its Convergence 2007 user event in San Diego. Microsoft said the offering reduces the need to train Office and SharePoint users to run its ERP software. James Utzschneider, general manager of Dynamics marketing at Microsoft, also noted that Dynamics Client will allow users to access back-end ERP data without having to buy a full software license.
Greater ERP Benefit
Nick Garbidakis, chief technology officer of the American Bible Society in New York, said that Dynamics Client has the potential to significantly extend the benefit of an ERP system. He noted that the tool could save money on software purchases and allow end users to access back-end corporate data without special training. Microsoft said it also plans to bring out new ERP implementation and migration tools, a new configurable interface and several updated Dynamics ERP applications during the conference. Utzschneider said Dynamics Sure Step, the set of ERP implementation and migration tools and processes, will help customers more efficiently roll out the Dynamics software. The new role-based user interface can be tailored according to an employee’s position — such as a financial or manufacturing post — within a company, Utzschneider said. Utzschneider also noted that Microsoft already offers a similar tool, called Duet, that can access ERP applications from SAP AG through the Microsoft Office software.
The biggest challenge in a customer relationship management or ERP application implementation is end-user adoption, noted Rob Bois, an analyst at Boston-based AMR Research Inc. He said the new Client software should help users more quickly access customer and other related information without making them log into the full-blown CRM application. Microsoft Dynamics Client for Microsoft Office and Windows SharePoint Services, which includes basic data access and collaboration capabilities, is priced at $195 per user. Microsoft Dynamics Client for Microsoft Office and SharePoint Server, which includes an executive dashboard and enterprise search and role-based reporting capabilities, costs $395 per user. The Dynamics Client will be available in May