(InfoWorld) - Mario Apicella is on vacation, so in his absence we present two classic Storage Insider columns. This week, we're revisiting storage management: learn more about strategies to keep seldom-used archives away from your first-tier storage and data deduplication.

Should you trim your file servers?
March 30, 2007: If you like to cook, you may have played the same game that I sometimes play while waiting in line at the grocery store: Checking out what other shoppers have in their baskets and trying to guess what meals they have in mind.

Silly? Perhaps, but it's better than reading the tabloids.

Watching storage vendors often triggers in me the same type of curiosity to figure out what’s cooking -- that is, in terms of their acquisitions.

The latest vendor to get me guessing is Cisco with its recent one-two punch of NeoPath and WebEx. Those two acquisitions both suggest an expansion of Cisco's menu beyond the traditional data transport focus.

I won't speculate on what Cisco plans to do with WebEx because Ephraim Schwartz has already posted some good thoughts on that, but looking at NeoPath, I see a more elaborate dish in the making than just file virtualization…

Read the rest here: "Should you trim your file servers?"

Prepare for the upcoming data deluge
April 6, 2007: Have you read "The Expanding Digital Universe"? It's a study, commissioned by EMC and put together by IDC, on the amount of digital data that we can expect to see in the next few years. (As due diligence disclosure, IDC is part of IDG, the same editorial group to which InfoWorld belongs.)

I don't know if those global predictions will prove to be correct year after year, give or take an exabyte, and frankly it doesn't matter. What matters is how much data your company is going to create and how you are going to store and manage it.

We know from past experience that blindly purchasing more capacity just pushes the problem back without attempting to solve it. Sure, you can keep buying more storage arrays if the budget allows, but at some point, you will meet an insurmountable wall, such as running out of floor space in your datacenter or hitting the limits of the electrical and cooling systems.

If -- or rather, when -- you reach one of those walls, you face spending millions of dollars to expand or move the computer room, before you can even begin to add more capacity.

What's the alternative? Unfortunately, technology is not keeping up with our capacity demands. For our long-term, nontransactional data, we desperately need a storage medium that can perform faster than tapes or optical disks and is less energy- and space-hungry than disk drives…

Read the rest here: "Prepare for the upcoming data deluge"

(InfoWorld) - As a Microsoft employee, I try to avoid writing on areas that blatantly promote Microsoft. However, I think this question is generic enough to involve Microsoft in the discussion: Can IP addresses ever be used for statistical analysis of malicious Web sites?

I’ve been a malware fighter for more than 20 years. I consider myself fairly up-to-date on the subject of malicious mobile code, malware, hackers, and exploitation vectors in general.

So it was with surprise then that I read another of Google’s recent studies purporting that IIS Web servers were twice as likely to contain malware as Apache Web servers (although Apache and IIS Web servers contained malicious Web sites in equal numbers).

This astounded me for several reasons. First, my personal experience tells me it isn’t so. I run multiple IIS and Apache Web servers on my honeynet, and my Apache Web servers get 89 percent more hacking traffic than my IIS servers.  Most of the traffic is PHP/CGI/MySQL based. This is not unexpected, as the Internet contains at least twice as many Apache Web servers, and popularity draws malicious hacking.

Second, in general and contrary to traditional wisdom, the average Apache Web administrator has less security knowledge than the average IIS administrator. I find Apache Web administrators much more likely to download and use dubious code from the Internet (which a previous Google study revealed often contained malware).

While both types of Web administrators, in general, really don’t care about security, IIS is helped by the fact that it has had only three published vulnerabilities over the last four years, as compared to Apache’s 33.

Even if we include application coding errors, ASP and ASP.Net compare favorably against PHP and CGI. PHP proponents are desperately trying to put more security into PHP, but there's a ton of insecure PHP applications out there — just read one of the many vulnerability lists.

Maybe hackers are breaking in using SQL injection or back-end database vulnerabilities? MS-SQL hasn’t had a severe vulnerability since 2003, while Oracle, MySQL, and other databases have had dozens to more than 100.

IIS 6 comes secure by default. Unless the administrator goes out of their way to make it vulnerable or unless the application adds a vulnerability, it’s very secure. When Apache is installed, its defaults are more permissive and less secure.

But the mental kicker for me is my knowledge of Web site infectors. Most Web sites are not maliciously modified by individual hackers. Like client-side attacks, most Web site infections are automated. The most popular Web site attack tool, Web Attacker Toolkit, is responsible for 30 to 80 percent of all infected Web sites, depending on whose statistics you believe. It is a PHP/CGI infector. The MPack Web site infection tool, which is in the press these days for its large-scale infections, again, infects PHP-based Web sites. I’ve yet to come across a Web site attacking tool on the same scale for IIS.

I like Google and the many fine folks who work there. I’ve written positively about their related research recently. But aside from my own personal experiences and knowledge, another recent post from the Washington Post's security blog made me question Google’s summary conclusions.

The article discusses how one Web hosting company, IPOWER, is potentially responsible for more than 250,000 malicious Web sites. I doubt the figure is anywhere accurate, but it's based on the fact that nine of IPOWER’s Web servers contained 2,650 malicious Web sites (33 percent of the 8,192 virtual Web servers).

What are those servers running? No surprise: Apache and PHP.

Whether or not you believe the larger number or just the 33 percent figure, it reveals that IPOWER appears to average about 910 virtual Web sites per server.

The study in which Google purports that IIS is twice as likely to contain malware includes the following disclaimer: “Note that these figures may have some margin of error as it is not unusual to find hundreds of domains served by a single IP address.” Essentially, any Web server containing multiple virtual Web sites will cause the Google study to have sampling error.

In the IPOWER case alone, the sampling error appears to be 30,000 percent (9 servers serving up 2,650 malicious Web servers). I think any reader would generally agree that Apache Internet Web servers are significantly more likely to host multiple Internet Web sites on a single server than IIS.

How many Web servers used in the Google study contained multiple malicious Web sites? According to my research, it is not an insignificant amount. And when I find them, the servers often contain dozens to hundreds, if not thousands, of malicious Web sites. This is because the Web hosting firm has not patched the Apache software or uses a management add-on that's long known to be vulnerable. One compromise leads to hundreds.

If this is the case, is it ever possible to accurately relay IIS vs. Apache malicious statistics based upon IP addresses alone? I contend that the potential sampling error is just too large for this to be successful. How large is it? I contacted Google and members of the research team directly to ask for more clarification on their findings. I was just pointed back to the same published report. I then told them that if I could have the IP addresses used in the study, I would do my own analysis, even if it required a nondisclosure agreement. I want to find the truth, because the truth is important than whether the outcome supports IIS or Apache.

So far, they’ve not responded to my requests for the data.

(InfoWorld) - I'll never get it. Of any industry, save perhaps the stock market, you'd think the tech market would have become inured to hype. Yet every souped-up calculator that comes along seems to create ripples far in excess of its true weight in the universe. This week, it's the iPhone. Hey, I bought a MacBook Pro, so I'm certainly not immune to Apple's marketing (though I do blame the lucidity lapse on Parallels and Paul "Sasquatch" Venezia's overbearing Orchard fetish), but from an IT manager's perspective, you can sum up the iPhone in two words: Who cares?

The little white pill may be the biggest thing for summer beach-going entertainment since Danielle Steele, but for those of us managing a network, June 30 isn't going to be a heckuva lot different from the day before. 'Cause it's just a phone, see? An Internet surfing phone, see? With a badly executed access plan, batteries that can't live up to its feature set, and an apparent lack of APIs. Not like we haven't managed those before. And if you don't have a compelling business reason to manage one now, that's not going to change, no matter how many colorful TV commercials come out of Cupertino. Get a grip -- we have far weightier issues to worry about:

1. Keyword content blocking at the firewall. That includes anything with the words Paris Hilton, Angelina Jolie, or Lindsay Lohan. If we don't curb this content infestation into corporate workdays soon, broad swaths of IQ points will disappear from the American public, and there will be a spike in office AK-47 rampages.

2. Real-world use for Vista's speech-recognition technology. This needs to be harnessed for the upcoming presidential campaign coverage. That way, when the leader of the free world mispronounces nuclear, jewelry, or the names of foreign heads of state, your users' PCs can instantly translate those terms into recognizable English. This alone could save the election and dramatically reduce Prozac consumption among journalists.

3. A killer app for Second Life. The virtual meeting room idea sounded good, likewise the virtual tour of long-erased historical sites and landscapes, such as ancient Rome or Babylon. But we need more, and we need it soon. Because the driving force behind our finally realizing the Snow Crash vision simply can't be porn and rabid consumers paying 5 cents for a cup of coffee that doesn't really exist. Too cynical, even for me.

4. Patent reform and a few executions. What did Redmond say back in 2005? The company wanted to up its annual patent applications to more than 3,000? And that's just one company, just one FUD factor. This keeps up across the industry and someone's going to try and patent the process for putting on pants; then I'll have to start wearing a kilt. No one wants to see that. Reform the patent process and lop the heads off a few patent trolls. If we don't do something, the world is going to grind to a halt, a cemetery-like silence will settle over the whole country, and the only sound will be intellectual property lawyers whispering to each other at $500 an hour.

5. Invading Nigeria. Forget Iran or North Korea. The real root of world evil is Nigeria's Axis of Spam. Let's send the Marines in there. Either they'll stop 50 percent of world spam in a single go, or they'll find that pesky prince's lost fortune. Then maybe we'll each get a $3 federal income tax break in 2008. Either way, we come out ahead.

When you started reading, users banging on your office door, clutching iPhones in their sweaty hands were your primary concern. Now you can honestly say you have five more important things to worry about. It's all about perspective.

(InfoWorld) - I was talking with some CIOs last week about the impact of Web 2.0 on the enterprise. One of them made the intriguing comment that Web 2.0 -- with all its mashups, syndications, consumable services, and instant gratification -- enables customers to more easily "show disrespect for long-established corporate business processes."

Her thesis was this: Web 2.0 technologies put more power and control in the hands of customers than ever. And once customers get a taste of sitting in the driver's seat, they may not look kindly on companies that keep trying to sell the same old thing. They'll want to dictate the terms on which they buy, regardless of how companies prefer to sell.

For example, customers may start to refuse your corporate "wrapper." "Just give me the feed," they may say, or "just sell me some individual cable channels. I don't want to buy your whole stinking bundle."

Further, customers may not permit you to dictate functionality anymore. It's no coincidence Apple was able to use the iPhone to force AT&T to abdicate its usual control over content, UI, apps, and branding. Apple was acting as a proxy for consumers, who don't want AT&T playing gatekeeper. "Just sell me access to your network," the almighty consumer is saying to AT&T in this deal -- through their designated spokesman, Steve Jobs.

Another example: Customers may force you come to them, rather than the other way around. "Just put it on YouTube," the customer is saying to video producers. "I don't want to go to your Web site … just let me do it on Second Life because I've been spending a lot of time there," and so on.

That's b-to-c. But how will this play out for b-to-b customers? Mostly they'll insist on a lower price or better service, as Web 2.0 and its cousin SaaS (software as a service) increase access to real-time price discovery and flexible sourcing.

Across the board, Web 2.0 will accelerate disrespectful customer attitudes and their consequences. How should corporate America and IT organizations respond to this new reality? My recommendation: If you can't fight 'em, join 'em. Throw open the floodgates and deliver your value to the marketplace in as many ways as possible. Let customers "mash up" with you and by doing so, give you the brutal, honest feedback about which aspects of your products and services they really value and which they don't. Embrace their disrespect so that you can morph into something they do respect.

There are costs and risks here, of course -- to your brand, security, operational efficiency, and focus. Perhaps the biggest risk is that by unbundling products and services, corporations may lose control over the "customer experience." But get over it. The customer wants to be in control. If you don't let them, one of your competitors will.

To get this column delivered to your e-mail inbox every week, sign up here.

(InfoWorld) - Gartner is known for its comprehensive market research, but Wednesday, the firm produced two separate reports that could leave IT managers scratching their heads over whether to support Apple's iPhone.

On the one hand, two Gartner analysts issued a research note to their clients that clearly says the iPhone is "not yet an enterprise device" and urges businesses to "resist general requests from users to admit Apple's iPhone into their corporate environment."

On the other hand, Gartner issued a separate press release that advises in a headline, "Companies Must Embrace Consumer Technologies as Additional Opportunities to Innovate." The release quotes a third Gartner analyst, Jackie Fenn, about the value of "embracing and leveraging employee experimentation and experience with consumer technologies."

The two points of view may seem contradictory, but they have been a discussion point at Gartner and other analyst firms for several years and have been voiced over iPhone specifically by IT managers recently. For example, at media giant ABC last week, one IT manager said he was sure a few top ABC executives would demand iPhone connectivity to corporate e-mail to be able to experiment with the device and learn its value in communications, even though the official policy was not to support the iPhone.

The research note, co-authored by analyst Ken Dulaney, seems to recognize the plight faced by ABC and other companies with the title of its research note, "How to Plan for User Interest in the Apple iPhone." But it nonetheless urges that "general requests to support iPhone should not be fulfilled on the basis that the device cannot be fully secured and managed" to levels Gartner has described for smart phones.

"IT organizations should refuse to support the iPhone at this time," the research note continues. "If for political reasons this is not an option, then the iPhone should be placed under the concierge support level ... meaning that support will be granted as an exception, with the associated costs for support covered by a monthly billing to pay for the dedicated support staff uniquely trained for this device."

The note adds that the resulting total cost of ownership will be double the cost of a normally supported device, such as a Research In Motion BlackBerry or a Palm Treo.

But the note also urges IT staffers to familiarize themselves with the iPhone because "broad employee adoption" is expected to occur outside the workplace.

The research note lists several obstacles to adoption inside businesses: Lack of support of the iPhone from major mobile management and mobile security software programs; lack of support from major business e-mail systems; an operating system not licensed to alternative hardware suppliers, resulting in no backup hardware suppliers; feature deficiencies that increase support costs, such as no removeable battery; current availability from only one U.S. operator, AT&T; and a high price of $500 when compared with other smartphones on the market.

In addition, the note adds that the iPhone is "unproven ... from a vendor that has never built an enterprise-class mobile device" and is seen by Apple as focused on the consumer audience, not the enterprise business.

The note further urges IT organizations to request mobile operators supporting the iPhone to remove the requirement that individuals obtain an iTunes account because the agreement should be with the business and not the individual. Some IT managers have expressed concerns that multiple iTunes accounts could flood storage resources and pose questions about whether songs have been properly procured.

Dulaney acknowledged that the research note had undergone many drafts in recent days as Apple released more information on the device.

"Most of what Apple has for the enterprise is rudimentary," Dulaney said. "It is clear they have not focused on this and are only hoping to have enough [in the technology] so that some enterprises will permit their users to employ the device without being disturbed by IT. I am sure that third parties will fix some of these things, but most of what they hope to do is via rudimentary VPN technology and through Web browsing. There is a huge difference between what RIM does and what Apple will provide."

Despite Dulaney's cautionary words, the prevailing view by Gartner and many analysts seemed to be summarized by one of Fenn's comments in the Gartner press release: "The flood of consumer-led technologies into the enterprise is not going to subside," Fenn said. "To fully realize the benefits, IT must embrace these technologies as an ongoing strategy rather than on a case-by-case basis."

In a later e-mail, Dulaney took note of Fenn's comments and emphasized that he had urged IT to begin testing the technology.

"We have concluded that no IT organization can stop the invasion of consumer technologies," he said. "But IT gets hurt when they get caught off guard. So they should investigate it. Something as powerful as the iPhone will probably make its way into the enterprise. But for now, we recommend that only specialized support be given."