Thursday, 20 December 2012

Oracle to stop patching Java 6 in February 2013

Java 6 will be retired from security support in less than two months, and users and businesses should prepare now for its demise, experts said today.


Oracle will publicly patch Java 6 for the last time on Feb. 19, 2013. After that date, only enterprises with contract support plans will receive security updates, according to the Java support roadmap.


[ Think you know Java? Test your programming smarts in InfoWorld's Java IQ test. | Master the latest in Java development with our JavaWorld Enterprise Java newsletter. ]


That means consumers and most businesses should upgrade to Java 7 as soon as possible, said security professionals Wednesday.


"If you're not able to upgrade [to Java 7], you'd better have some pretty deep in-depth defenses in place," warned Jason Miller, manager of research and development at VMware.


Miller has a point: In 2012, Java vulnerabilities were widely targeted by exploit writers and hackers. Last March, for example, approximately 2 percent of all Macs were infected with Flashback, malware that exploited a Java bug that Apple was sluggish in patching, even though Oracle had issued fixes for other platforms.


Apple continues to maintain Java 6 for OS X users but ceded responsibility for Java 7 to Oracle in 2010.


Miller thought there was more to Oracle's decision to push aside the 2006 software than Java 6's longer-than-usual life. "Java 6 was Sun's Java," Miller noted. "Java 7 is Oracle's first. It's Oracle's product now."


Oracle acquired Sun Microsystems in late 2010 after it offered $7.4 billion for Java's creator the year before. Oracle released Java 7 in July 2011.


Although Oracle extended Java 6's EOL, for "end-of-life," twice this year -- first from July to November 2012, then again from November 2012 to February 2013 -- Miller was certain that this time the date would stick.


"At some point, they just have to say it's retired," said Miller, comparing Oracle's situation to that of Microsoft, which has delayed Windows XP's retirement, but now seems ready to stand by an April 2014 expiration date.


While individuals may have little trouble upgrading to Java 7, enterprises face a bumpier road.


IT administrators and Java developers are the most at risk of not making the deadline, said Miller. "They really need to test their [Java] apps," said Miller, and if necessary, rebuild or modify their in-house and public apps.


The bright spot is that users and enterprises have six months to dump Java 6 before they'll miss a bug fix. After the Feb. 19 update, the next Java patches will be released June 18, 2013. "Between now and June, enterprises should be testing [Java 7] and deploying it," Miller recommended.


Java 6's support death presents special problems for Mac users. While Java 7 runs on all current editions of Windows, including the 11-year-old Windows XP, it requires OS X 10.7, aka Lion, or its successor, Mountain Lion, on Macs.


That will leave a significant portion of Mac users without the means to run an up-to-date Java next year. According to Web metrics company Net Applications, approximately 41 percent of all Macs still run versions of OS X older than Lion.

New NEC server has built-in batteries for backup power

NEC's new high-end server contains swappable battery packs, intended to provide backup power without the need for an external uninterruptible power supply (UPS) in data centers.


The new rack-mounted server is part of NEC's main "Express5800" line. The company said the internal batteries will cut power use, outlast traditional UPS systems and allow for more compact data centers.


[ Doing server virtualization right is not so simple. InfoWorld's expert contributors show you how to get it right in this 24-page "Server Virtualization Deep Dive" PDF guide. ]


The rack-mountable server can hold up to two battery packs, although it ships with only one. When both are used, they can deliver 100 watts for 15 minutes and 30 seconds, or six minutes and 40 seconds with a single battery. The dual setup can provide power for 3 minutes and 40 seconds when the server is maxed out at 311 watts.


The internal nickel-metal hydride batteries used in the setup can last about five years before needing replacement, longer than most UPS systems, NEC said. As everything is stored internally, the new servers can also save space, and by eliminating the need for a UPS, the server reduces the number of times power has to be converted between alternating and direct current, which cuts electricity use.


The server went on sale in Japan on Wednesday, costing from ¥316,000 ($3,760), and shipments will begin Dec. 26. NEC said it is considering selling the server internationally, but has yet to decide where or when.


The use of internal batteries as backup in servers has slowly grown in recent years. Google surprised many in the industry when in 2009 it revealed its home-grown servers, complete with their own onboard batteries for power outages.


NEC's new servers come in several configurations, with Intel Xeon processors, up to 384GB of memory, and four 2.5-inch drives that can hold up to 4TB of SATA storage.


NEC is one of Japan's largest manufacturers of servers for data centers. Power outages are a major concern for any data center, but have been a focus in Japan, where earthquakes and other natural disasters have often caused outages in the past.

Microsoft courts Google Apps small-biz users with longer Office 365 free deal

For the second day in a row, Microsoft on Tuesday pitched one of its products to customers abandoned by archrival Google.


In an attempt to woo users of Google Apps, Microsoft yesterday tripled the length of its Office 365 Small Business free trial from 30 to 90 days. The deal -- pegged "P1" in Microsoft's current stable of subscription plans -- offers cloud-based email, shared calendars and Web-based Office app access to up to 10 employees. Normally, P1 costs $72 per user per year.


[ Also on InfoWorld: Google to start charging small businesses for Google Apps. | Get familiar fast with Office 2010's key applications -- Word, Excel, PowerPoint, and Outlook -- with InfoWorld's set of Office 2010 QuickStart PDF guides. | Stay abreast of key Microsoft technologies in our Technology: Microsoft newsletter. ]


Although Tony Tai, an Office 365 product marketing manager who announced the extended trial in a blog post, did not make the target audience explicit, he referenced firms what had ditched Google Apps and replaced it with Office 365.


Last week, Google ended the Google Apps free ride for businesses with 10 or fewer users. Instead, they were asked to pay $50 per user per year, as larger firms already do for the cloud-based email and software dubbed Google Apps for Business. Small businesses currently using the free Google Apps can continue to do so, Google said in the Dec. 6 announcement. Individuals accounts were also unaffected.


Microsoft's offer was the second from the Redmond, Wash. developer in two days: On Monday, Microsoft plugged the free Outlook.com online email service to Google customers dismayed by the search giant's decision to drop a synchronization service on Jan. 30, 2013.


 The 90-day Office 365 Small Business trial will be available until the end of February. By then, Microsoft will have unveiled the pricing structure of its revamped Office 365 line-up and begun selling Office 2013 to the general public. While Microsoft has not yet set pricing for Office 365, or launch dates for either that or Office 2013, late January is most likely if the company hews to past Office timetables.


The company previously spelled out pricing of two of the new Office 365 plans: Home Premium and Small Business Premium. Unlike P1, those plans include rights to install Office 2013 -- or on Macs, Office for Mac 2011 -- on up to five devices per household or user.


Office 365 Small Business Premium costs more than twice P1, however, running $150 per user per year. A preview of that plan, which will run for approximately 60 days after the retail launch of Office 2013, is also available.


Small businesses that want to try the 90-day trial of Office 365 Small Business (P1) can register at Microsoft's website.


Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed. His email address is gkeizer@ix.netcom.com.


Read more about desktop apps in Computerworld's Desktop Apps Topic Center.

IBM plans to buy e-discovery firm StoredIQ

In a move to expand its portfolio of information governance software, IBM is acquiring e-discovery software vendor StoredIQ.

Founded in 2001, StoredIQ offers e-discovery systems that help organizations index, store, de-duplicate, and delete their unstructured data. The process, which IBM calls information lifecycle governance, can help organizations comply with regulations, respond to litigation, and cut storage costs by reducing data volume.

[ Explore the current trends and solutions in BI with InfoWorld's interactive Business Intelligence iGuide. | Discover what's new in business applications with InfoWorld's Technology: Applications newsletter. ]

StoredIQ is the latest in a number of acquisitions IBM has made in the information management space. IBM purchased e-discovery vendor PSS Systems in 2010 and enterprise search vendor Vivisimo in 2012. IBM will fold StoredIQ into its software group, and will offer StoredIQ software as part of its Information Lifecycle Governance portfolio.

StoredIQ is a privately held company based in Austin, Texas, and has over 120 enterprise customers worldwide, including companies in the financial services, health care, government and manufacturing industries.

Because StoredIQ's architecture allows the software to run across multiple servers, it could manage petabytes worth of information. Because of this distributed capability, the company has recently rebranded itself as a big data vendor. The company also claims its systems can be installed and configured quickly, in hours rather than months that it says other e-discovery packages can take. StoredIQ delivers its software either on servers or in virtual containers.

Financial terms of the deal were not disclosed. IBM expects to complete the acquisition within the first three months of 2013.

Fiscal cliff or not, it's already rough for federal IT vendors

If Congress doesn't avert the fiscal impasse, automatic budget cuts could reduce federal IT spending by $66 billion in the fiscal year that began Oct. 1, according to an analysis by the industry group CompTIA.

As it stands, sequestration requires an across-the-board spending cut of 9.4 percent to defense spending, and 8.2 percent to non-defense spending. The U.S. spends about $80 billion annually on IT.

[ Stay ahead of the key tech business news with InfoWorld's Today's Headlines: First Look newsletter. | Read Bill Snyder's Tech's Bottom Line blog for what the key business trends mean to you. ]

But vendors that work with the government are already being hurt. SRA International in Fairfax, Va., for instance, told investors recently that the uncertainty around future automatic spending cuts "is causing some clients to delay contract starts." The company said it has seen an increase in bid protests and delays in contract awards.

Mike Walsh, federal regional director of sales for Gigamon, a networking provider, says the turbulence in the federal market has been longstanding.

"The impact of sequestration and ongoing government negotiations over the budget has had a dramatic impact on the IT vendor community," said Walsh. This past year "was a rough year before sequestration talks even began."

Funding for big projects uncertain and full-year funding targets are in doubt because the government is operating under interim budgets, thanks to congressional gridlock.

With sequestration, the budget problems are compounded. CompTIA said its members, small and mid-sized tech firms, "stand to be significantly impacted." If Congress doesn't reach an agreement, layoffs are expected. Analysts are keeping an eye on government websites where mass layoffs are posted under the Worker Adjustment and Retraining Notification (WARN) Act rules.

Among the largest IT related WARN notices so far was by SRA, which announced a layoff of 222 people on Jan. 1. But those layoffs, the company says, aren't related to sequestration, but the result of a lost Federal Deposit Insurance Corporation contract, which accounted for as much as 9 percent of revenue in one quarter.

There might be more WARN notices, if the White House allowed it. But it has told government contractors not to use the WARN system to warn Congress about the budget impact on their employees. The WARN act requires employers with at least 100 employers to provide written notice to employees 60 days before layoffs. The threat of sequestration fears isn't a reason to provide layoff notice because of the uncertainty.

The White House also said sequestration-related WARN notices would "create unnecessary anxiety and uncertainty for workers."

The White House wrote that memo at the end of September. It is now less than two weeks to the New Year and uncertainty about Congress remains. Ray Bjorklund, vice president and chief knowledge officer at Deltek, a market research firm, believes federal agencies will continue with routine IT purchases post sequestration. But big program spending may be cut.

IT agencies are going to be careful in any case, because if they were to award a contract now and if sequestration happens, "that contract would probably have to be broken later in the year," said Bjorklund.

Add-on that forces HTTPS for popular websites released for Internet Explorer

Cloud-based security services provider Zscaler has released an implementation for Internet Explorer of the HTTPS Everywhere browser security extension.


HTTPS Everywhere forces the browser to always connect over HTTPS (HTTP Secure) to popular websites that support the secure communication protocol but don't enable it by default. The extension also sets the "secure" flag for authentication cookies, preventing them from being transmitted over unencrypted connections.


[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]


Some HTTPS-enabled sites fail to set this flag for authentication cookies because they expect users to automatically be logged in even when they access the HTTP versions of the site. However, this allows attackers who compromised a network's gateway or who can sniff traffic on an unprotected wireless network, to steal the cookies from users and hijack their accounts.


HTTPS Everywhere was originally released as an extension for Mozilla Firefox in 2010 and is jointly developed by the Electronic Frontier Foundation (EFF), a digital rights watchdog organization, and the Tor Project, the creators of the Tor anonymity software. A version for Google Chrome has also been released since then.


Version 0.0.0.1 of HTTPS Everywhere for Internet Explorer was released Monday and was developed independently of the EFF or the Tor Project by Zscaler senior security researcher Julien Sobrier.


The IE implementation replicates the core functionality of the official Firefox and Chrome HTTPS Everywhere extensions and includes their default rule sets for popular websites. However, some additional features like the ability to create custom rules or the support for the HTTP Strict Transport Security (HSTS) security policy are still missing.


"As the version number suggests, this is a very early release," Sobrier said Monday in a blog post. "I have been using the extension for several weeks without any problems, but it should be considered an alpha release."


The missing features will be added in future versions, the researcher said. For now, the primary goal is to share the source code for the IE version with the EFF and make it available through their website, he said.


In the meantime, people who want to use or try out HTTPS Everywhere for Internet Explorer can download it from a dedicated page on Zscaler's website.


However, this reporter had trouble accessing Wikipedia.org with the add-on enabled in the latest version of Internet Explorer 9 running on a 64-bit installation of Windows 7 Ultimate, so it seems that there are still some bugs to fix.


While this extension sounds like a good tool to have, it remains to be seen how many IE users will actually be interested in using it.


"IE users tend to be more passive and accepting of the default app, rather than adding DIY [do it yourself] extensions -- especially those with a security function," David Harley, a senior research fellow at antivirus vendor ESET, said Wednesday via email.


"I'm not convinced that it will be widely adopted unless Microsoft actually promotes it or, more likely, includes something similar in a future release," Harley said. "It might appeal to security hobbyists, but that's the group that's least likely to use IE."


Harley believes that adoption in corporate environments, where IE has a very strong user base, is also unlikely, at least with the extension's current limitations and at this early stage of development.

U.S. judge rules against Motorola in dispute with Apple

An administrative law judge at the U.S. International Trade Commission has ruled that Apple did not violate a Motorola Mobility patent relating to a sensor controlled user interface for a portable communication device.


Judge Thomas B. Pender ruled in his initial determination on Tuesday that there had been no violation of Section 337 of the Tariff Act of 1930 with respect to U.S Patent no. 6,246,862.


[ Simon Phipps tells it like it is: Why software patents are evil. | Stay ahead of the key tech business news with InfoWorld's Today's Headlines: First Look newsletter. | Read Bill Snyder's Tech's Bottom Line blog for what the key business trends mean to you. ]


Section 337 investigations conducted by the ITC most often involve claims regarding intellectual property rights, including allegations of patent infringement and trademark infringement by imported goods. The commission may review and adopt, modify, or reverse an initial determination.


The '862 patent refers to the use of a sensor to disable a touch-sensitive input device from being accidentally actuated when it is close to the user. Judge Pender declared claim 1 of the patent to be invalid and "not obvious."


The ITC ruled in August that it did not find a violation of 337 in the investigation with respect to three other Motorola patents. These were U.S. Patent Nos. 6,272,333 ("the '333 patent"); 6,246,697 ("the '697 patent"); and 5,636,223 ("the '223 patent"). It however remanded the investigation to the presiding ALJ with respect to the '862 patent' after it decided to reverse a finding that claim 1 is indefinite. The Commission remanded the investigation to the ALJ to consider the issues of infringement, validity, and the domestic industry requirement for the '862 patent.


Motorola said it is disappointed with the outcome, and is evaluating its options. The ruling is the latest in disputes between Apple and Motorola, which was acquired by Google for $12.5 billion in a bid to shore up its patent portfolio.


John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's email address is john_ribeiro@idg.com.