TechHairBall.com Tech All…

Google has solved a problem that affected the layout and functionality of the "Start" pages of its Apps hosted collaboration and communications suite.

Apps administrators who reported problems in the official Apps discussion forum described what they perceived as being an erratic Start page update designed to make it look and act more like iGoogle, the company's personalized home page service for consumers.

However, Chandra said that wasn't the case, although he understands why the administrators would interpret the incident that way, since the iGoogle logo replaced company logos in affected pages. The problem was caused by a system bug that altered Start pages layouts, broke some links and interfered with some "gadget" applications, like the one for Gmail, he said.

With a permanent fix now in place, all affected Start pages should have reverted back to their normal layout and operation without any loss of data or functionality, Chandra said. Google had prematurely declared the problem solved at around 8 p.m. on Thursday, but problem reports kept flowing in.

Google Apps is a hosted collaboration and communication suite aimed at workplace use, and its Start pages are designed as a portal main point of entry for end-users to their applications, such as Calendar and Gmail. Apps' Standard and Education versions are free, while its more sophisticated Premier edition costs $50 per user per year.

The problem was disruptive at New Hope Fellowship in Springdale, Arkansas, which uses the Apps Education edition. The church's Start page was hit intermittently by the bug between Thursday at around 2 p.m. and noon Friday.

"Our users were trained to access their mail through the Start page. Once that didn't work, they could not access e-mail, which is critical to our work. We had to send paper memos around on how to access the mail without going through the Start page. Very frustrating," said Josh Jenkins, New Hope Fellowship's media director and Apps administrator.

This wasn't the only problem New Hope Fellowship's 40 Google Apps users encountered this week. They also lost access to their e-mail due to an unrelated and prolonged Gmail outage that hit some Apps customers this week.

"Google must improve communication with business customers if they wish to be competitive in the corporate IT space. The 2-sentence 'we're working on it' blurbs posted in the [online discussion] groups are an unacceptable way to treat business clients," Jenkins said.

Susan Novotny, Apps Standard edition administrator at a national nonprofit with 30 users in Ontario, Canada, said that the occasional bugs that hit Google Apps "do shake my confidence a little."

"I guess I expect a spectacularly wealthy company to be as reliable as the average e-mail provider," she added. "But they're providing tools no other provider can."

Nelson & Co. Engineering in Birmingham, Alabama, also experienced the Start page bug, but it wasn't too disruptive for its four Apps Premier users, said Apps administrator Ryan Nelson. The company feels that, despite the hiccups, Apps provides it with a great value at $50 per user per year.

"As a Premier user I would think that these issues would not happen. In the long run, Google Apps has been the best technology move we've ever made. Little issues crop up a couple times a year for less than 24 hours: not ideal, but better than anything else we've ever used," Nelson said.

Others were more frazzled, like an Apps administrator identified as Jay in the official discussion forum, who wrote Friday morning: "I now have over 1,200 users that have no idea how to get into their e-mail. The phones are ringing off the hook. What is going on with customer service these days. This really stinks."

The problem wasn't related to a major iGoogle upgrade the company rolled out on Thursday, Chandra said.

The unrelated Gmail problem this week kept users from accessing their e-mail in some cases for more than 24 hours between Wednesday and Thursday. Google declared that problem solved late on Thursday.

During Google's third-quarter earnings conference call on Thursday, cofounder and Technology President Sergey Brin said that there are now more than 1 million businesses using Google Apps.

Google Apps is one of the best-known examples of a new wave of Web-hosted communication and collaboration suites that are emerging as options to Microsoft's Office and Outlook/Exchange suite.

Apps is hosted by Google in its data centers and accessed by end-users via a Web browser. The appeal of Web-hosted software like Apps is that it doesn't have to be installed by customers on their own hardware, reducing maintenance costs and complexity. Apps and others like it are also designed from the ground up for workgroup collaboration.

However, when something breaks on the vendors' datacenters, IT administrators have little or no control over how or when to remedy the problem, and are left to appease their angry end-users as best they can.

In August, Gmail had three significant outages that affected not only individual consumers of the free Webmail service but also paying Apps Premier customers. As a result, Google decided to extend a credit to all Apps Premier customers and said it would do better at notifying users of problems.

Google annoyed administrators when it made changes to Google Apps "Start" portal pages without letting them know it was updating layout and functionality of those pages. Some administrators reported at a discussion forum that they were swamped with angry calls from end-users who couldn't access Gmail accounts. On a slightly brighter note, there are some IT jobs that persevere even in the face of financial difficulty, and Apple unveiled new notebooks to much fanfare. Meanwhile, Mozilla continues work on its mobile browser, code-named Fennec, which was released in alpha this week for use on Nokia Internet tablets.

1. Recession-proof IT jobs: Believe it or not, some IT jobs are still in high demand even in this slumping economy. Unlike some other industries that have been hit hard, IT is seen as a core area that nearly every company needs. As such, there are still plenty of IT skills that can lead to new jobs — or just keep you secure in the job you have now.

[ Video: Catch up on the week in tech news with the World Tech Update ]

2. Apple's new notebooks answer the call for innovation: As expected, Apple showed off updates to its laptop lines this week, with a new MacBook and MacBook Pro. InfoWorld's Tom Yager got a good look at them and came away with a positive impression of the updates in both technology and pricing.

3. Google Apps portal pages malfunctioning: Google Apps "Start" portal pages have become malfunction junctions for some administrators, who complained over two days this week at discussion forums that changes Google made to those pages are making their working lives miserable. The company apparently updated layout and functionality of those pages without telling admins what they were about to do, leading end-users to flood administrators with complaints and issues, including not being able to access Gmail.

4. E-voting report: Several states still vulnerable: E-voting systems will fail on Election Day, Nov. 4, somewhere in the United States, with multiple states that use such systems ill-prepared for the upcoming election, according to a report from three voting-rights advocacy groups. While the report noted that there have been improvements in e-voting systems and election preparations since the last presidential race in 2004, it also found that some states still have not taken even the most basic precautions against technical problems and fraud.

5. Mozilla offers alpha version of mobile browser for N810: An alpha version of Mozilla's mobile browser, code-named Fennec, was released for Nokia's Internet tablets, marking the first public release of the software. Mozilla hopes the release will bring in feedback leading to the next step in its browser road map, which is "optimizing for performance," according to Jay Sullivan, Mozilla's vice president for mobile.

6. Microsoft: "No interest" in pursuing Yahoo deal: Microsoft CEO Steve Ballmer stirred things up — as he is prone to do — when he reportedly said at a Gartner conference that it still makes economic sense for shareholders of both companies for Microsoft to buy Yahoo. His company responded by issuing a statement saying it has "no interest in acquiring Yahoo." Investors responded by giving Yahoo's share price a boost.

7. FBI says Dark Market sting netted 56 arrests: The U.S. Federal Bureau of Investigation, working with other law enforcement agencies in the U.K., Turkey, and Germany, infiltrated online "carder" forums hosted at the now shut-down DarkMarket.ws site and seized compromised accounts and prevented about $70 million in fraud. The two-year undercover investigation also led to the arrests of 56 alleged online fraudsters.

8. Microsoft mulling "instant on" feature for Windows: Microsoft confirmed it is thinking about adding into its Windows client OS a function that would let users have limited access to the OS so that they could turn on their PCs quickly. The company surveyed users about that function and screenshots of the survey wound up on the Engadget blog. Microsoft won't yet offer specific comments about "instant on," but a good guess is that it is contemplating that addition for Windows 7, which is expected out late next year or early in 2010.

9. With eyes on Atom, AMD to detail netbook strategy next month: Advanced Micro Devices will provide its product road map for netbooks at an analyst meeting scheduled for Nov. 13. Netbooks are small, inexpensive laptops that have taken the market by storm, fueled by Intel's low-cost Atom processor. AMD hasn't been competitive with Intel in that area yet, but promises it soon will be.

10. Cybersecurity threats grow in sophistication, subtlety, and power: Malware, botnets, cyberwarfare, threats to VoIP and mobile devices, along with an "evolving cybercrime economy" mean that online threats are becoming increasingly sophisticated, the Georgia Tech Information Security Center said in an annual threat report. Criminals have figured out ways to make such online threats more subtle, and they continue to gain in ability to exploit changes on the Web, including increased use of social-network sites, the GTISC found.

Several U.S. states still are not doing all they can to ensure the accuracy of votes over electronic voting machines, and 10 states received inadequate grades in three of four categories of safeguards, a report from three voting security advocacy groups said.

Somewhere in the United States, voting systems will fail on Election Day Nov. 4, predicted the report, released Thursday by Common Cause, Verified Voting and the Brennan Center for Justice at the New York University School of Law.

[ For more on how technology is reshaping the race for the U.S. presidency, see InfoWorld's special report. ]

On Election Day, "voting systems will fail somewhere in the United States in one or more jurisdictions in the country," the report said. "Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failures."

State protections against voting fraud and e-voting machine failure have improved greatly since the last U.S. presidential election, in 2004, said Pamela Smith, president of Verified Voting. But several states still refuse to take basic precautions to protect the integrity of voting systems, she said.

"There are some folks who still don't get it," Smith said.

The report details which states have not taken precautions against fraud or technical errors associated with e-voting machines and other voting systems:

– Ten states — Colorado, Delaware, Kentucky, Louisiana, New Jersey, South Carolina, Tennessee, Texas, Utah, Virginia — received failing grades in three of four voting security areas.

– Of the 24 states using direct recording electronic (DRE) machines, only three — California, Indiana, and Ohio — get satisfactory grades in all four categories, the report said. Colorado, Delaware, Louisiana, Nevada, Texas, Utah, Virginia, and West Virginia have no state-mandated requirement for emergency paper ballots to be available in precincts that use voting machines, in the case of voting machine failure.

– Nine states — Alabama, Illinois, Kentucky, Maine, New Jersey, South Carolina, Texas, Utah, and Virginia — have requirements for ballot accounting that "fall far short" of the groups' recommended best practices.

– Eighteen states, including Florida, New York, Texas, and Virginia, do not have adequate requirements in place for paper-record backups to e-voting or other nonpaper voting methods. Voter-verified paper records allow states to conduct recounts of voting machine totals, supporters say.

– Another 27 states, including New York, Michigan, Virginia, and Georgia, do not have adequate provisions in place for conducting post-election audits of voting results, the report said.

Others took issue with the report, saying states will be ready for Election Day.

"We are prepared and we continue to make preparations for the general election," said Chris Whitmire, a spokesman for the State Election Commission in South Carolina, a state that flunked three of the four voting security categories in Thursday's report. "We will be adequately prepared."

The report comes too late for changes to be made this year, added David Beirne, executive director of the Election Technology Council, a trade group representing e-voting machine vendors.

"With less than three weeks to go, the election has already begun and now is not the time for new procedures to be adopted," Beirne said. "It is also unlikely that the Department of Justice would grant approval for such changes this close to the election. While well intentioned, the report and recommendations may only drive fear for the voting public, which is not productive at this stage in the process."

The report also fails to recognize steps taken by county election officials to ensure against fraud or errors, Beirne said. "The call for procedural safeguards has been recognized by the elections community in recent years and there is little question that the state and local election officials will be prepared for Nov. 4," he added.

The report points out several shortcomings, but most states are headed in the right direction, Smith said. "Over the next couple of years, I see significant improvement," she said.

In 2004, only eight states had requirements in place for election systems to have paper backups, and a few more used paper backups during the election, Smith said.

This year, 32 states have either voter-verifiable paper ballots, or voter-verifiable paper record printers connected to voting machines statewide, the report said. Four states — Maryland, New Jersey, New York, and Tennessee — have laws that take effect in 2009 or 2010 requiring voter-verified paper records.

Arkansas, Colorado, and Mississippi have paper in most counties. The District of Columbia and Florida have paper ballot systems in all counties, along with paperless DREs, and Florida will eliminate paperless systems altogether by 2012, the report said.

Mozilla plans to release on Thursday an alpha version of its mobile browser for Nokia's Internet tablets.

[ Track the latest trends in open source with InfoWorld's Open Sources blog. ]

In addition to the alpha release for the Internet tablets, Mozilla is offering a PC emulator that developers can download to their desktops to see some of the features included in the browser and to get a feel for the user interface, said Jay Sullivan, vice president of mobile for Mozilla.

"This is really for our community to be able to test and localize and build add-ons," he said, referring to both the emulator and the Internet tablet release.

Despite being made by Nokia, the Linux-based N800 devices aren't quite mobile phones. They are larger than a phone but smaller than a laptop and can connect to the Internet via Wi-Fi. They don't include cellular capabilities, although users can connect a phone to the device to reach the mobile Internet. The devices are popular with developers because they use open source software, but Nokia has not revealed sales figures to indicate how many are in the market.

Mozilla hopes that this release will result in some good user feedback, Sullivan said. "The next step in the road map is to start optimizing for performance," he said.

His group has simultaneously been developing a version of Fennec for Windows Mobile phones. While Sullivan said they've been working hard on it, he wouldn't reveal a release time frame for that browser. His group has also been looking at developing the browser for LiMo phones that are based on the mobile Linux operating system and for Symbian phones, he said.

Mozilla released a video in June that offered a first look at Fennec. One unique feature to the browser is that it displays control buttons, such as back and forward, off screen. Users flick the screen to the left or right to display and click the buttons. "One of our big goals is to take advantage of the whole screen, because they are pretty small," Sullivan said. The design lets a Web page fill the whole screen.

He also thinks that Fennec will be unique because Firefox developers will be able to build add-ons for it. "We don't claim to have all the answers. We want to build a great product but make it extensible so anyone can hack on it," he said.

Mobile browsing has historically been a painful experience, and countless handset and software makers have created mobile browsers hoping to make them easier to use. While mobile browser development from the likes of Apple, Google, and Microsoft is unlikely to cease because of Fennec, other mobile browser efforts may, Sullivan said. "When our browser is ready, a lot of folks will stop building custom browsers," he said. "Carriers and OEMs are telling me they'd rather ship Firefox rather than hack together their own browser."

While he wouldn't reveal names, Sullivan said that Mozilla is talking to handset makers and operators about preloading Fennec onto phones. Traditionally, only a very small percentage of phone users load applications onto their phones, so preloading the browser could significantly help distribution.

This isn't the first time that Mozilla has begun work on a mobile browser, and most of its previous attempts have fizzled. For several years, it worked on a mobile browser it called Minimo that included a release for Windows Mobile devices. But last year Mozilla said it wouldn't continue work on that browser, instead focusing on Fennec, which is based on the latest Mozilla platform that also supports Firefox.

Mozilla also developed and later retired a project called Joey that let people save portions of Web sites while on their PC and call up those images from their mobile phones.

While Mozilla has been working on those projects, Apple released its iPhone and included a mobile version of its Safari browser. That browser has been widely praised as a significant improvement over historical mobile browsers because it displays Web pages just as they look on a computer but allows users to easily scroll around and examine the page. Next week the first phone running Google's Android software will hit the market, and it includes a browser developed by Google and based on Webkit, the same technology that fuels Safari. That browser offers a similar improved experience but one-ups Apple's Safari because it can display Flash Web sites.

Mozilla expects to make the alpha download for the Nokia tablets available on Thursday from its Mozilla.org Web site.

Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe's multimedia software including bugs that could allow hackers to pull off what's known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

For those who can't update to this new version of Flash, a Flash 9 security patch is still about a month off, he added. Adobe rates the clickjacking bug as 'critical.'

Although not widely used by criminals, clickjacking has received a lot of attention since it was first discussed a month ago. Flash isn't the only software that is vulnerable to a clickjacking attack, but Flash attacks have been considered among the most dangerous.

The security researchers who discovered the problem, Robert Hansen and Jeremiah Grossman, had intended to fully discuss clickjacking at a Sept. 24 security conference presentation. But they backed off and gave a slimmed-down version of their talk when Adobe asked for more time to patch its software.

Last week, however, security researcher Guy Aharonovsky showed how an Adobe Flash clickjacking attack would work, and with the information now out in the open, Hansen and Grossman went public with their findings.

In a clickjacking attack, the hacker users a variety of techniques to take control of what links the victim is actually clicking. In one attack, for example, the attacker would first have to trick the victim into visiting a malicious Web page and then clicking on what appeared to be a regular Web link. In reality the victim would be clicking on something altogether different such as a Flash object that turned on his microphone. "It's almost impossible for a user to determine what's going to happen when they click on a link," said Hansen, who is CEO of SecTheory.org, in an interview last week.

A clickjacker could wiretap victims' PCs, force them to execute online stock trades, delete blog pages, change a router or firewall configuration, create new Web mail accounts, or even force them to download software, Hansen said.

Because clickjacking affects other browser plugins, the best way to fix the clickjacking problem may be to change the way browsers work, Hansen said. "Browser makers understand the problem and they're trying to find ways to mitigate it," he said.

TopCoder, a company known for its competition-based software development services, is turning its sights on the SMB market with a new portal called TopCoder Direct that will come out of beta at the end of October.

Whereas TopCoder has previously used its community of programmers to develop custom applications for enterprises, the new offering will enable a wide range of customers to set up coding contests on their own.

[ Keep up on the latest tech news headlines at InfoWorld News, or subscribe to the Today's Headlines newsletter. ]

Users furnish a description of what they want developed, name a prize purse, and start a contest. Community members then submit entries, and the user chooses a winner and downloads it.

"The enterprise business is still strong. But this was always the vision from the start," said Robert Hughes, chief operating officer.

Initially, TopCoder Direct will focus on front-end tasks like logos and Web site look-and-feel. Later the service will move to full-blown application development. The second release will introduce "co-pilots" — community members that for a negotiated fee will help customers set up competitions.

There is no charge to access the site; customers pay to start a contest. TopCoder will make money by taking a cut — now set at 20 percent — of the prize purse.

"It took us quite a while to build the supply side — the community — and to build out the processes, to get a predictable outcome from the community," Hughes said. "There'll be somewhat of a learning process for us [with TopCoder Direct]. Not everything is going to work right out of the gate."

Financial services provider Tree.com has been involved in the TopCoder Direct beta-testing period.

The service doesn't yet appear to be a money-saver, but that is not why Tree.com is involved, according to Keith Moore, senior vice president and head of the company's emerging business unit.

"We have a lot of great of ideas, but don't have a lot of flexibility to ramp up projects and ramp them back down," Moore said. "It's not an outsourcing model for us, it's really a bandwidth and innovation model … I can see over time how it could be a potential money-saver for us, but we're not looking at it that way."

In general, outsourcing application development can make sense, assuming the project is concretely defined and it is easy to measure success, according to RedMonk analyst Michael Coté.

"It's a very binary sort of thing. Either the code works or it doesn't," he said.

"The more you know what you want, the cheaper it is," Coté added. "You can imagine if you made a house without a blueprint. You'd probably start over a few times."

TopCoder claims to have more than 170,000 community members in more than 200 countries. In addition to the custom development work these individuals perform, TopCoder has a catalog of prebuilt application components. The company claims that a program can be half-completed from the start, thanks to the catalog, which is available via subscription.

In an atmosphere where government fines for breaches in privacy regulations are increasing, SAP and Cisco unveiled this week Data Privacy Composite Application by SAP and Cisco at the SAP TechEd conference in Berlin.

The application supports compliance with a company?s data privacy policies as well as any external requirements from government agencies. If, for example, an admitting nurse in a hospital attempts to send an e-mail to friends that a celebrity is checking in to the hospital, the SAP-Cisco application would quarantine that e-mail and thus prevent it from being sent.

According to Sharada Achanta, senior director of SAP GRC Data Privacy Solutions, the average cost in the United States for fixing a breach in privacy and related fines is now about $4.8 million per incident.

The composite application is unique in that it takes its components from the SAP application layer and Cisco network layer, making it a network-wide solution rather than a point solution.

Using components from SAP’s GRC (Governance Risk Compliance) application portfolio for attaching controls to business processes and documents as they relate to privacy, the controls are enforced at the network layer using Cisco’s AON (Application Oriented Networking) middleware. AON adds message-level inspection to the network.

“The business process rules and controls that reside in the application layer and that are usually run by GRC managers have never before been integrated with IT network policies. That makes this unique,” said Achanta .

“We are exposing network services at a network layer to the application layer, which means that the network can talk to the GRC process control application and vice versa,” added Vaughn Miller, director for business development at Cisco.?

The combined solution would also prevent an employee from transferring data from the network on to transportable media like a USB stick.

Other privacy prevention capabilities include creating privacy policies based on location so that a U.S. employee would be restricted from accessing data residing in another country, and stopping e-mails sent to unauthorized employees or names outside of the company firewall. The solution requires NetWeaver, the BI module, and SAP GRC Process Control 2.5 for the SAP stack. From Cisco, users must have AON.

The solution is shipping now.

In an atmosphere where government fines for breaches in privacy regulations are increasing, SAP and Cisco unveiled this week Data Privacy Composite Application by SAP and Cisco at the SAP TechEd conference in Berlin.

The application supports compliance with a company?s data privacy policies as well as any external requirements from government agencies. If, for example, an admitting nurse in a hospital attempts to send an e-mail to friends that a celebrity is checking in to the hospital, the SAP-Cisco application would quarantine that e-mail and thus prevent it from being sent.

According to Sharada Achanta, senior director of SAP GRC Data Privacy Solutions, the average cost in the United States for fixing a breach in privacy and related fines is now about $4.8 million per incident.

The composite application is unique in that it takes its components from the SAP application layer and Cisco network layer, making it a network-wide solution rather than a point solution.

Using components from SAP’s GRC (Governance Risk Compliance) application portfolio for attaching controls to business processes and documents as they relate to privacy, the controls are enforced at the network layer using Cisco’s AON (Application Oriented Networking) middleware. AON adds message-level inspection to the network.

“The business process rules and controls that reside in the application layer and that are usually run by GRC managers have never before been integrated with IT network policies. That makes this unique,” said Achanta .

“We are exposing network services at a network layer to the application layer, which means that the network can talk to the GRC process control application and vice versa,” added Vaughn Miller, director for business development at Cisco.?

The combined solution would also prevent an employee from transferring data from the network on to transportable media like a USB stick.

Other privacy prevention capabilities include creating privacy policies based on location so that a U.S. employee would be restricted from accessing data residing in another country, and stopping e-mails sent to unauthorized employees or names outside of the company firewall. The solution requires NetWeaver, the BI module, and SAP GRC Process Control 2.5 for the SAP stack. From Cisco, users must have AON.

The solution is shipping now.

It's the mother of all patch days for enterprise IT shops, with both Microsoft and Oracle releasing critical software updates Tuesday.

Microsoft kicked things off Tuesday morning with 11 security updates, including fixes for critical security bugs in Windows Active Directory, Internet Explorer, Excel, and the Microsoft Host Integration Server, which integrates Windows computers with IBM mainframes.

[ Discover the top-rated IT products as rated by the InfoWorld Test Center. ]

Security experts say that the Internet Explorer update, which fixes six bugs in the browser, is the one to watch. That's because it is rated critical for Internet Explorer 6 users running Windows XP — a very common configuration in the enterprise.

But customers who are running Windows Active Directory on older Windows 2000 machines should move the MS08-060 Active Directory update to the top of their patch queue, said Don Leatham, a director of solutions and strategy at Lumension Security. Because an Active Directory server can be used to set permissions on other machines and manage users on the network, taking over this machine "would be the Holy Grail for someone trying to get into a company and totally disrupt it," he said.

Normally, Active Directory servers are blocked at the firewall, which means that an attacker would probably have to be on an internal network to mount an attack, said Eric Schultze, chief technology officer with Shavlik Technologies. But the bug "means any internal, disgruntled user can take complete control over Windows 2000 domains and domain controllers," he said via instant message.

Mitigating this concern, however, is the fact that Microsoft has not had any reports that this vulnerability has been exploited in an attack. While it's likely that an attacker could crash the Windows 2000 machine by exploiting this bug, "creating functioning exploit code to leverage remote code execution is difficult," Microsoft said in a note on its Web site.

In total, 20 security bugs were fixed in Microsoft's 11 updates. There were also six less-critical updates, rated "important," by Microsoft, for various Windows components, and a "moderate" patch to fix a bug that could let an attacker snoop information from an Office user.

Oracle's security updates, expected at 1 p.m. PT, will include fixes for 36 bugs in a range of Oracle products, including the company's flagship Database, its Application Server, E-Business Suite, and WebLogic server and development tools. Bug-fixes are also planned for the company's JD Edwards and PeopleSoft products.

It's unusual for both Microsoft and Oracle to be pushing out patches on the same day. Microsoft's security updates come out on the second Tuesday of every month, known as Patch Tuesday in the industry. But Oracle's patches are a quarterly affair, delivered on the Tuesday nearest the middle of the month. Typically, that puts the Oracle patches on the third Tuesday of the month, but this month, the Microsoft and Oracle release dates converged.

Tuesday's Microsoft updates came with a little more information for the company's customers too. They included a new section called the "Exploitability Index," designed to make it easier for Windows users to figure out which bugs are most likely to be exploited by hackers.

Microsoft has now rated all of its security updates with the following descriptions: "Consistent Exploit Code Likely," "Inconsistent Exploit Code Likely," or "Functioning Exploit Code Unlikely."

The company said that exploit code was likely for bugs in the critical Internet Explorer, Microsoft Host Integration Server, and Excel updates. One of the Internet Explorer bugs, which could let an attacker gain elevated privileges on a Windows machine, has already been publicly disclosed, but is not thought to have been used in real-world attacks, Microsoft said.

Another first: Microsoft gave certain security partners early access to its updates this month so that they could roll attack detection into their software as the patches were released Tuesday.

Interest in modular datacenters is growing, fueled by high-profile endorsements from Microsoft and Google. But the model raises new management concerns, and efficiency claims may be exaggerated.

Modular, containerized datacenters being sold by vendors such as IBM, Sun, and Rackable Systems fit storage and hundreds, sometimes thousands of servers into one large shipping container with its own cooling system. Microsoft, using Rackable containers, is building a datacenter outside Chicago with more than 150 containerized datacenters, each holding 1,000 to 2,000 servers. Google, not to be outdone, secured a patent last year for a modular data center that includes "an intermodal shipping container and computing systems mounted within the container."

[ Get sage advice on IT careers and management from Bob Lewis in InfoWorld's Advice Line blog and newsletter. ]

( See related slideshow: IT takes a close look at shipping container-based datacenters.)

To hear some people tell it, containerized datacenters are far easier to set up than a traditional datacenter, easy to manage and more power-efficient. It should also be easier to secure permits, depending on local building regulations. Who wouldn't want one?

If a business has a choice between buying a shipping container full of servers, and building a datacenter from the ground up, it's a no-brainer, says Geoffrey Noer, a vice president at Rackable, which sells the ICE Cube Modular Data Center. 

"We don't believe there's a good reason to go the traditional route the vast majority of the time," he says.

But that is not the consensus view by any stretch of the imagination. Claims about efficiency are over-rated, according to some observers.

Even IBM, which offers a Portable Modular Data Center and calls the container part of its green strategy, says the same efficiency can be achieved within the four walls of a normal building.

IBM touts a "modular" approach to datacenter construction, taking advantage of standardized designs and predefined components, but that doesn't have to be in a container. "We're a huge supporter of modular. We're a limited supporter of container-based datacenters," says Steve Sams, vice president of IBM Global Technology Services.

Containers are efficient because they pack lots of servers into a small space, and use standardized designs with modular components, he says. But you can deploy storage and servers with the same level of density inside a building, he notes.

Container vendors often tout 40 to 80 percent savings on cooling costs. But according to Sams, "in almost all cases they're comparing a highly dense [container] to a low-density [traditional data center]."

Containers also eliminate one scalability advantage related to cooling found in traditional data centers, according to Sams. Just as it's more efficient to cool an apartment complex with 100 living units than it is to cool 100 separate houses, it's more cost-effective to cool a huge datacenter than many small ones, he says. Air conditioning systems for containerized data centers are locked inside, just like the servers and storage, making true scalability impossible to achieve, he notes.

Gartner analyst Rakesh Kumar says it will take a bit of creative marketing for vendors to convince customers that containers are inherently more efficient than regular datacenters. Gartner is still analyzing the data, but as of now Kumar says, "I don't think energy consumption will necessarily be an advantage."

Finding buyers
That doesn't mean there aren't any advantages, however. A container can be up and running within two or three months, eliminating lengthy building and permitting times. But if you need an instant boost in capacity, why not just go to a hosting provider, Kumar asks.

"We don't think it's going to become a mainstream solution," he says. "We're struggling to find real benefits."

Kumar sees the containers being more suited to Internet-based, "hyper-scale" companies such as Google, Amazon, and Microsoft. Containerized data centers offer scalability in big chunks, if you're willing to buy more containers. But they don't offer scalability inside each container, once it has been filled, he says.

Container vendors tout various benefits, of course. Each container is almost fully self-contained, Rackable's Noer says. Chilled water, power and networking are the only things from the outside world that must be connected to each one, he says. Rackable containers, which can be fitted with as many as 22,400 processing cores in 2,800 servers, are water-tight and are fitted with locks, alarms, and LoJack-like tracking units. Sun's Modular Data Center can survive an earthquake — the company made sure of that by testing it on one of the world's largest shake tables at the University of California in San Diego.

A fully-equipped Rackable ICE Cube costs several million dollars, mostly for the servers themselves, Noer says. The container pays for itself with lower electricity costs due to an innovative Rackable design that maximizes server density, Noer says.

But it's still too early to tell whether containerized datacenters are the way of the future. "We're just at the cusp of broad adoption," Noer says.

Potential use cases for containers include disaster recovery, remote locations like military bases, or big IT hosting companies that would prefer not to build brick-and-mortar datacenters, Kumar says.

A TV crew that follows sporting events may want a mobile datacenter, says Robert Bunger, director of business development for