Infoworld
JackBe adds developer version of its Presto mashup software
JackBe, looking to take advantage of the growing use of mashup technology in corporate IT operations, Monday announced the general availability of a developer edition of its Presto enterprise mashup software. The company said the updated offering aims to ensure that the software meets the security and governance requirements of large companies.
JackBe described the new Presto Developer Edition as a single-user version of its Presto software. The company said free support services are available to users through JackBe's new Mashup Developer Community.
Mashup applications lash together data from various sources into applications that fit a company's specific needs or work processes.
"The developer or IT-centric side of the house needs more help with mashups -- this was an interesting realization for us," noted Chris Warner, JackBe's vice president of marketing. "We had a pitch for over a year that mashups can help the business become more self-serve. Inevitably, a mashup has to connect to a bunch of systems that have a great deal of security and governance overhead."
The new online developer community offers mashup training videos, code samples and demonstrations for both novice users and those with more experience, JackBe said. It also includes interactive forums monitored and moderated by JackBe engineers.
Security flaw spotted in G1 Google phone
Researchers at Independent Security Evaluators say they've discovered a security flaw in the Android browser that could make users of phones with the browser vulnerable to attack.
Android, Google's open-source software that is currently only running on one phone, HTC's G1, is based on outdated open-source components, the researchers say. As a result, the vulnerability they have discovered was previously known and fixed, but Google didn't incorporate the fix into Android, they say.
The G1 went on sale last Wednesday from T-Mobile USA, and Google published the source code behind Android on Tuesday. Other manufacturers, including Motorola, are expected to also release phones running Android in the future.
On a Web page for ISE, Charlie Miller, Mark Daniel and Jake Honoroff wrote that they won't reveal much about the vulnerability until Google fixes it. However, they say that Android users who visit malicious Web sites may find their sensitive information stolen. That's because an attacker could access any information the site uses, including saved passwords, information entered into a Web application form and cookies.
The researchers also say, however, that the impact of the attack is limited because of Android's security architecture. An attacker can't, for example, control functions of the phone such as the dialer.
Google said it is developing a solution to the problem. "We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. The security and privacy of our users is of primary importance to the Android Open Source Project -- we do not believe this matter will negatively impact them," the company said in a statement. It did not say when it expects to push out the update.
The researchers say that they notified Google of the issue on Oct. 20.
The incident raises questions about potential difficulties that the Android community might face in the future. Because Google has adopted an open model with Android, many vendors and operators in the future may offer a variety of phones, each potentially with slightly different versions of the operating system. If vulnerabilities are found in the future, phone makers and operators will have to determine if their version of the software is affected and then coordinate the distribution of a fix to users.
Update: Microsoft launches Windows Azure for the cloud
At Microsoft's PDC (Professional Developers Conference) in Los Angeles, Chief Software Architect Ray Ozzie unveiled the company's much-anticipated cloud computing platform, dubbed Windows Azure.
Primarily a platform for developers, Windows Azure plays host to the .Net framework, SQL Server, SharePoint, Dynamics CRM, and an offering called Live Services which, according to Ozzie, will extend Azure services "outward" to connect with locally running Microsoft software. Using this rich environment, developers will be able to build and deploy Web applications and services running on Microsoft's worldwide infrastructure of datacenters.
Previously known as Project Red Dog, Windows Azure "is a scalable hosting environment for you to deploy your apps in our cloud," said Microsoft Corporate Vice President Amitabh Srivastava, one of the key players behind the platform.
"Windows Azure is a new Windows offering at the Web tier of computing," said Ozzie. "This represents a significant extension" of the Windows computing platform, he said.
Windows Azure serves as the underlying foundation of the Azure Services Platform, which helps developers build applications spanning from the cloud to the datacenter and PCs, the Web, and phones, Microsoft said.
Cloud-based developer capabilities are combined with storage, computational, and network infrastructure services. A limited Community Technology Preview of the Azure Services Platform is being made available at PDC.
Key components of Azure Services Platform include the following:
-- Windows Azure, for service hosting and management and low-level scalable storage, computation, and networking.
-- Microsoft SQL Services, for database services and reporting.
-- Microsoft .Net Services, which are service-based implementations of .Net Framework concepts such as workflow.
-- Live Services, for sharing, storing, and synchronizing documents, photos, and files across PCs, phones, PC applications, and Web sites.
-- Microsoft SharePoint Services and Microsoft Dynamics CRM Services for business content, collaboration, and solution development in the cloud.
Ozzie couched the announcement as long in coming. At last, he said, Microsoft could tell the "complete story" of Microsoft's transition to services. "We are deeply and genuinely combining the best of software with the best of services," said Ozzie.
Meeting virtualization management challenges
The sprawl of management consoles, the proliferation of data they provide, and the rising use of virtualization are adding challenges to corporations looking to more effectively manage mixed Linux, Windows, and cloud environments.
Traditional standards are being tapped in order to bridge the platform divide and new ones are being created to handle technologies such as virtualization that create physical platforms running one technology but hosting virtual machines running something completely different.
The goal is better visibility into what is going right or wrong -- and why -- as complexity rises on the computing landscape.
Some help is on the way. The Distributed Management Task Force (DMTF) last month began hammering out virtualization management standards it hopes will show up in products next year. Those standards will address interoperability, portability, and virtual machine life-cycle management, as well as incorporate time-honored management standards such as the Common Information Model (CIM).
Vendors such as Microsoft, VMware, and Citrix are on board with the DMTF and are creating and marketing their own cross-platform virtualization management tools for x86 machines. Linux vendors, including Novell and Red Hat, and traditional management vendors such as HP also are joining in.
To underscore the importance of heterogeneous management, Microsoft is supporting Linux within its virtualization management tools slated to ship by year-end rather than relying on third-party partners.
And the vendor said in April it will integrate the OpenPegasus Project, an open source implementation of the DMTF's CIM and Web-based Enterprise Management (WBEM) standards, so it can extend its monitoring tools to other platforms.
The trend toward services is forcing IT to think about management across systems that may have little in common, including the same LAN. Services are increasingly made up of numerous application components that can be running both internally and externally, complicating efforts to oversee all the piece parts, their platforms and their dependencies.
The big four management vendors, BMC, CA, HP, and IBM, are handling the mixed-environment evolution by upgrading their monolithic platforms to better manage Linux as its use grows. And a crop of next-tier vendors, start-ups and open source players are angling for a piece of the pie by providing tools that work alone, as well as plug into the dominant management frameworks.
"We are starting to see IT put more mission-critical applications on Linux and from there you only start to see the stronger growth [of Linux]," says Ute Albert, marketing manager of HP's Insight management platform. In January, she says, HP will boost its Linux support with features HP already supports for Windows platforms, such as capacity planning.
Analyst firm the Enterprise Management Group reports that use of Linux on mainframes has grown 72 percent in the past two years while x86 Linux growth hit 57 percent.
In the trenches, users are moving to suck the complexity out of their environments and make sense not only of individual network and systems components but of composite services and how to aggregate data from multiple systems and feed results back to administrators and notification systems.
Console reduction
At Johns Hopkins University, managers are trying to reduce "console sprawl" in a management environment that stretches across 200 projects -- many with their own IT support in some nine research and teaching divisions, as well as healthcare centers, institutes and affiliated entities.
Project leaders pick their own applications and platforms with about 90 percent to 95 percent running Windows and 5 percent to 10 percent on Linux. There are also storage-area networks, network devices, Oracle software, Red Hat, VMware, EMC, IronPort e-mail relays, and hardware from Dell, HP, and IBM.
John Taylor, manager of the management and monitoring team, and Jamie Bakert, systems architect in the management and monitoring group, are responsible for 15,000 desktops and 1,500 servers, nearly 50 percent of the university's total environment.
"Our challenge is we do not want to create another support structure," says Taylor, who has standardized on Microsoft's System Center management tools anchored by Operations Manager 2007 and Configuration Manager 2007.
Because Taylor doesn't control what systems get rolled out, he is using Quest Software's Management Xtensions for System Center to support non-Windows infrastructure.
"Quest allows us to bring in anything with a heart beat," Bakert says.
And that allows for managing distributed applications, which incorporate multiple components on multiple platforms.
"Microsoft has a limited scope of what they are bringing into System Center at this point," he says.
For instance, Bakert uses Quest Xtensions to monitor IronPort relays that work with Microsoft Exchange to ensure everything in the e-mail service is monitored in one tool.
The Quest tools also let Bakert store security events on non-Windows machines so he can report on both Windows and non-Windows platforms, which helps with collecting compliance data.
Taylor and Bakert also are beta testing Microsoft's System Center Service Manager, slated to ship in early 2010, with hopes they can reduce System Center consoles from five to one.
Eventually, Service Manager's configuration management database will host data from Configuration Manager and Operations Manager, as well as incorporate ITIL, a set of best practices for IT services management, and the Microsoft Operations Framework.
Taylor and Bakert also are testing System Center's Virtual Machine Manager, slated to ship by year-end, which will manage Windows, the VMware hypervisor and Suse Linux guest environments.
Virtualization getting mixed management workout
Microsoft ironically had the title as first to support mixed hypervisor environments because it was last to release a hypervisor -- Hyper-V.
Without the benefit of the in-development Microsoft code, VMware, Novell, Red Hat, HP, and others are momentarily playing catch-up on cross-platform management support.
Novell is using its February 2008 acquisition of PlateSpin to support management across both physical and virtual environments. The company's existing partnership and interoperability agreement with Microsoft has yielded virtualization bundles, and the company's acquisition of Managed Objects last week will give IT admins and business managers a unified view of how business services work across both physical and virtual environments.
"In the datacenter we see that people are not saying consolidate [on a platform], they are saying give me a universal remote," says Richard Whitehead, director of product marketing for data center solutions.
Red Hat also is developing its portfolio. Its February 2008 launch of the open source oVirt Project has a stated goal of producing management products for mixed environments.
"The oVirt framework will be used to control guests in a cloud environment, create pools of resources, create images, deploy images, provision images and manage the life cycle of those," says Mike Ferris, director of product strategy for the management business unit at Red Hat.
HP has aligned its HP Insight Dynamics -- Virtual Server Environment (VSE) with VMware and plans to add support for Microsoft's Hyper-V in the next release, according to HP's Albert. In addition, HP is increasing the feature set of its Linux management and monitoring support.
And while the vendors work on their tools, the DMTF is working on standards it hopes will be as common as existing DMTF standards CIM and WBEM.
The Virtualization Management Initiative (VMAN) released by the DMTF Sept. 16 is designed to provide interoperability and portability standards for virtual computing. The initiative includes the Open Virtualization Format (OVF) for packaging up and deploying one or more virtual machines to either Linux or Windows platforms. Tools that are based on VMAN will provide consistent deployment, management, and monitoring regardless of the hypervisor deployed.
"The truth is we have been working on this whole platform independence since 1998," says Winston Bumpus, president of the DMTF, in regard to the organization's goals.
Virtualization is only one of the DMTF's initiatives. In the next month, the group will start its interoperability certification program around its SMASH and DASH initiatives. The Systems Management Architecture for Server Hardware (SMASH), used to unify data center management, includes the SMASH Server Management (SM) Command Line Protocol (CLP) specification, which simplifies management of heterogeneous servers in the data center. The Desktop and Mobile Architecture for System Hardware (DASH) provides standards-based Web services management for desktop and mobile client systems.
Open source
Standards efforts are being complemented by open source vendors who are aligning their source-code flexibility with the interoperability trend.
Upstarts such as GroundWork, Centeris, Hyperic, OpenQRM, Zenoss and Quest's Big Brother platform are working the open source route to build a united management front.
"We picked [tools] most people pick when they use open source, and we packaged them together," says Dave Lilly, CEO of GroundWork. The company's package includes 100 top open source projects, including Nagios, Apache and NMap.
GroundWork also includes a plug-in it wrote to integrate Windows systems using Microsoft's native Windows Management Instrumentation.
"We don't provide the entire tool set you may want, but we at least take the time and energy out of providing the monitoring infrastructure," Lilly says. Via standards, GroundWork can plug into other management tools such as service desk applications.
Other open source management resources include Open WS-Man, an XML SOAP-based specification for management using Web services standards. The project, which focuses on management of Linux and Unix systems, is an open source implementation of WS-Management, an industry standard protocol managed by the DMTF. There are other WS-Man variations such as the Java implementation called Wiseman.
"Interoperability is the end game," DMTF's Bumpus says. "You can have all the specs, but if you don't have interoperability who cares."
In today's evolving datacenters and services revolution it turns out a lot of IT managers are beginning to care very much.
Network World is an InfoWorld affiliate
You don't know tech: The InfoWorld news quiz
iPhones rule, everyone else drools this week in our news quiz. Whether it's employees or naughty words, everyone seems to be cutting back something. Also making headlines this week: Bill Gates' new company, Comcast's new speeds, and the strange things people do with their cell phones. Correct answers are worth 10 points. Are you ready to strain your brain? Then let us commence.
1. The world's economy may be sucking wind, but Apple still blows everyone else away -- thanks largely to the iPhone. What percentage of Apple's Q4 revenue came from this pocket-size device?
a. 19 percent
b. 29 percent
c. 39 percent
d. 49 percent
Yahoo's developer platform to launch next week
Yahoo will launch its platform for Web developers next week, part of an effort to attract more visitors by adding Facebook-like social networking features to Yahoo's Web sites.
Yahoo hopes to drive more traffic to its sites by allowing people to share information about their interests and activities with friends. Like on Facebook, they'll be able to create a network of connections and send alerts to those people when they upload photos to Flickr or comment on a story at Yahoo News, for example.
The platform will extend to non-Yahoo sites such as Amazon and Digg, so that users will be able to see from within Yahoo's Web sites what their friends have been doing elsewhere on the Web. And third-party sites will be able to publish user activity back into the Yahoo network, which could help those sites draw more visitors.
The search company is making the data it stores about users -- such as their contacts, interests and location -- available for developers to build their applications. End users will be able to regulate which of their information friends and developers can see, said Yahoo officials, who previewed the platform in San Francisco on Friday.
It's an ambitious project that required Yahoo to "rewire" its properties to create a single underlying platform that connects them all. Those services existed in the past as "silos" that allowed for little interaction between them, said Ash Patel, executive vice president with Yahoo's Audience Product Division.
"The platform is how we start rewiring and reforming the user experience," he said.
Yahoo launched the first piece of the puzzle last week, a site called Yahoo Profiles where end users can manage their activities, interests and social connections in one place. Next week will mark the launch of the developer component. It's built on top of Yahoo's existing network infrastructure and consists broadly of three layers.
The first is the Yahoo Social Platform, a repository where Yahoo stores the personal data about its users, along with their "social graph," or information about who their friends are. Above that is the Application Platform, which provides the development framework. And above that is the Yahoo Query Language, which developers will use to pull personal user data from Yahoo's servers and write their programs. YQL is very similar to the widely used SQL database language, according to Yahoo.
The platform also makes use of public APIs such as Open Social, for aggregating user data from other social networking sites, and OAuth, a protocol for consuming and publishing personal data. The tools and documentation will be available for free download next week from the Yahoo Developer Network, said Jay Rossiter, head of Yahoo's Open Strategy project. He wouldn't say exactly which day.
Yahoo officials gave examples of the types of applications it wants developers to build. If a person receives an e-mail telling them it's a friend's birthday, an application could allow them to view their friend's Amazon.com Wish List from within Yahoo Mail. Another program might automatically upload photos received via Yahoo Mail to an online photo account, be that Flickr or a non-Yahoo service such as Shutterfly.
Part of the challenge will be getting Yahoo's users to buy into the idea. At some time in the future, when they log into a Yahoo service they'll see the Yahoo Activator, which will present a list of all their contacts pulled from Yahoo Mail, Yahoo Messenger and other services. They'll use this to build their connections list and decide who can see what information.
Activations can already be done at the new Yahoo Profiles site and with a beta of Yahoo Messenger 9 that was just released. Activations will be rolled out more widely in a few months when the option is presented to people when they log into their Yahoo Mail accounts, and at other Yahoo services after that.
Each new application will have to warn users about the data it plans to access, such as their address book, inbox or profile, and about who the information will be shared with. Patel admitted that this is a delicate area. Yahoo will make certain selections by default that users can then alter.
"Choosing the right defaults so people don't inadvertently give away their privacy is part of the challenge," Patel said.
The OAuth protocol allows users to give a site access to their data for a limited time, such as two weeks, said Neal Sample, a Yahoo chief architect.
Yahoo doesn't expect the Profiles page to become a major destination. Instead, users will eventually be able to install applications and display updates at their My Yahoo page, in Yahoo Mail, and possibly at Yahoo's main home page.
Yahoo, which has been struggling to sustain its growth rate, hopes the social networking features will encourage people to use more of its services. If the average user visits two or three of its sites today, it hopes that seeing what friends are doing elsewhere in its network will prompt them to visit four or five sites in the future, Patel said.
Yahoo spent the past year developing the platform. Much depends now on the creativity of developers to make it a success, Patel said.
IBM to discuss 'Information Agenda'
Attendees of IBM's Information on Demand conference this week in Las Vegas will be bombarded by a rash of product and services announcements and a lot of discussion about how to create an "Information Agenda."
IBM launched the IOD strategy, which pulls together a wide range of data management, storage, and analysis technologies, a few years ago. Since then, IBM has made a string of acquisitions to support IOD, including the large BI (business intelligence) vendor Cognos.
Announcements at this year's conference are expected to include:
-- "Foundation Services," which consist of a one-day workshop followed by 12 weeks of follow-up consulting, that are meant to help customers create an "Information Agenda." IBM hatched the phrase in September when it announced a set of tools, services and industry-specific data models for helping companies use information "as a strategic asset across their businesses."
-- The C3000 and C4000 editions of the InfoSphere Balanced Warehouse, which are data-warehousing appliances aimed at small and medium-size businesses, now include Cognos 8 BI.
-- Seven new performance management and financial offerings based on Cognos technology. Among them are Clinical Resource Planning, for pharmaceuticals to perform modeling and forecasting, and Earned Value Management, which federal agencies can use to monitor capital spending.
IBM is also expected to discuss news around MDM (master data management), ECM (enterprise content management) and a range of releases due before the end of the year from its Optim product line, which it acquired through the purchase of Princeton Softech in 2007. Optim products focus on data archiving, classification, data privacy and test data management.
About 7,000 attendees are expected at this year's conference, compared to roughly 6,000 last year, according to IBM.
IBM's IOD strategy is broadly relevant simply because so many companies "have bet the business on a large swath of IBM solutions," said Forrester Research analyst James Kobielus. In a weak economy, customers may consider consolidating their data management technology "down to fewer, but more strategic and comprehensive, vendors, such as IBM," he added.
As far as the BI portion of its arsenal, IBM could be in a better position to innovate in coming years than its rivals Oracle and SAP, according to Forrester analyst Boris Evelson.
Oracle still has a good deal of work to integrate products from its Siebel and Hyperion acquisitions, while SAP, which recently bought BI vendor Business Objects, has "some tough decisions to make on how to help their customers migrate from Netweaver BI to the new product line," Evelson said.
Meanwhile, the IBM-Cognos merger saw few product overlaps and Cognos "already took the time a few years ago to streamline and upgrade the platform," he said.
Is tech in more trouble than we think?
When the financial crisis first struck, it appeared that IT shops were prepared to weather the storm and that IT spending might hold up despite the downward economy. But a lot has happened since then.
Several more banks have faltered or been acquired. The stock market has continued to ricochet around, enough to destroy the confidence of all but its wealthiest masters. And layoffs keep coming across many industries, including the technology realm -- with no end in sight.
IT, both corporate departments and the industry itself, has survived tough economic conditions before, notably the dot-com crash of 2001. Perhaps that's why IT shops are already battening down the hatches.
Preparing for the storm
Steve Minton, vice president of worldwide IT markets at IDC, says, "Companies are in the mindset of not spending in the next 3 months and increasing only 1 or 2 percent in the next 12 months. That's quite a change from last year when it was between 7 and 8 percent."
Gartner, in a report issued earlier this month, stated that even though the bailout of banks spares IT from a worst-case scenario, they're still turning budgets downward while heading toward 2009.
The bank fallout itself is not to be overlooked. Gauging only from the hardships of Bear Stearns, Lehman Brothers, and Merrill Lynch, Robert Iati, a partner and global head of consulting of the Tabb Group, a research and advisory firm that focuses on financial markets, sees "investment banks spending about $4.5 billion, or 20 percent, less on IT in 2009 than in 2008." That's more than just a big number. "Investment banks represent the engine of cutting-edge enterprise technologies," Iati adds.
Critical to enterprise technology advancements they may be, but Wall Street firms, banks, and other financial services organizations are not the only ones yanking dollars out of the IT spending pool -- or abandoning and mothballing projects.
"We do see people throw away even great ideas in tight times," says Mark Raskino, a Gartner fellow and vice president for emerging technologies and trends.
As gloomy as it looks, the tech sector is not returning to the days of the dot-com bust. "We're not seeing a replay of the big tech bust of 2001-2002," says Andrew Bartels, a principal analyst at Forrester Research. "But we do see a slowdown."
Innovation may take a hit
There are implications to companies spending less on IT. That reality might not hit the largest tech vendors -- the ones still reporting profits and sitting on large cash reserves -- hard enough to break any bones, but smaller companies will certainly feel the sting of less spending.
"There will be a lot of disruption to the progress of the industry because the pipeline of startups that fuels innovation will be challenged by the credit crisis," Gartner's Raskino explains.
That, in turn, inhibits the fresh new ideas that IT shops can choose to achieve their goals. "Less competition alone will harm overall IT innovation and the future of IT," says Andre Preoteasa, director of IT at Castle Brands, the alcoholic beverage producer and importer.
André Gold, former head of IT security at financial services firm ING, explains that "the startup market has changed over the last five years, so it's not as sexy or profitable as it once was for new companies to come to market, IPO, and make wealthy or wealthier the VCs and entrepreneurs who seeded and founded the company."
That said, though, Gold contends that the model is not broken and remains valuable to IT shops. "I have gone to small-cap companies and startups for superior [intellectual property] at a reduced rate," Gold explains. "If the company has good [intellectual property], I have no shame in putting my checkbook behind that because they're likely to be acquired, and by a vendor I already have a relationship with."
Just don't expect IT budgets to spring back quickly. Gartner's Raskino expects this turbulence to continue through next year. "There's no chance that it will all be sorted out by Christmas and all will be well on January 1," he says.
Tabb Group's Iati looks out even further: "We're in for a period where it will probably take five years to reach the tech spend we had in 2007."
Open source: How e-voting should be done
"It is enough that the people know there was an election. The people who cast the votes decide nothing. The people who count the votes decide everything." -- Joseph Stalin
In the past eight years, elections in the United States have taken on the guise of a TV game show, with the elections themselves not quite as compelling as watching voting mechanisms fail across the country, especially in key battleground states such as Florida and Ohio. Pols and pundits from both sides of the aisle are quick to place most of the blame on faulty electronic voting systems. But until we set a technical policy that favors open voting systems, as Australia did in 2001 with its open source eVACS (Electronic Voting and Counting System), we have only ourselves to blame.
The closed source approach to disenfranchisement
Current U.S. policy ensures that e-voting remains in the hands of very few proprietary vendors, including the much-maligned Diebold, which has received so much bad press that it has renamed its voting machine division Premier Election Solutions.
Don't let the new name fool you. Little has changed about e-voting systems, which take on several forms, including the two most common: touchscreen devices and optical-scan readers. What they have in common, however, is that they all use closed source code. In many cases, even the manufacturers don't have the source code to software running on their own systems. Premier Election Solutions recently advised that its machines lost votes in Ohio primaries due to an incompatibility with McAfee's anti-virus software. In the words of XKCD, someone is clearly doing their job horribly wrong. Later, Premier claimed that its own software was at fault.
More often than not, however, blame for e-voting failure is placed on the storage media of these devices, either due to their relative fragility or their apparent ease of tampering.
When results from elections conducted on e-voting systems are called into question, manufacturers point the finger at defective "memory cartridges." Those of us in IT know that if all flash storage were this error-prone, digital cameras and iPods wouldn't exist. Worse, we know it's far simpler to pocket or swap out a small flash card containing a few thousand votes than it would be if those votes were recorded on paper ballots.
Another problem of current e-voting systems is that many still in operation provide no paper trail. Americans can't fill up their cars or access their bank accounts from an ATM without being prompted to print a receipt, but in many voting precincts, we can vote with nothing tangible to show for it.
Most voters already know these systems are flawed. It's the relative lack of outrage that is troubling. Perhaps trust in the electoral process is still sufficient to assuage fears of stolen elections, or the issue of flawed voting technology itself has become a running joke, like cracks about an honest politician. Even The Simpsons parodied the situation recently.
Those of us who live in IT every day know better. We know exactly how poorly designed some software frameworks are. We see the security challenges presented by Web servers, mail servers, remote access, and so on, but when it comes to the foundation of our democracy, we just shake our heads and move on.
Maybe it's time for us geeks to come to the rescue, with a little help from Congress. We've built the Internet, designed staggeringly complex technologies for conducting lightning-speed financial transactions, securing sensitive patient data, even our own entertainment. After all, you'd be hard-pressed to say that there's more complexity in an e-voting machine than in, say, your TiVo or even your cell phone.
But the key to securing e-voting resides in making its systems open source.
Opening the polls to open source
If you look around the open source community, you will find a wide variety of projects that are not only widely used but extremely well designed and very secure. Apache, Perl, PHP, OpenBSD, FreeBSD, and the Linux kernel are just a few examples. Coders who contribute to these projects generally do so without remuneration, producing some of the best code available.
It's time for us to make good on the promise of open elections and open our e-voting systems as well -- no black boxes, no intellectual property protections, no obfuscation, and certainly no backdoors. Doing so would require a federal mandate, one that would eliminate the use of closed source devices.
This being a free-market economy, vendors should certainly be able to participate in the construction of truly secure e-voting systems. But to ensure the integrity of our elections, the code they run on their products must be open. Moreover, it should be the same across all e-voting platforms. Just as the PC industry produces multiple PC brands that all run Windows, e-voting vendors should produce systems that run the same open source voting software.
The open source community has already gotten involved in reshaping our approach to e-voting systems. The Open Voting Consortium, for example, is pushing for simple, standard touchscreen voting systems that do not directly interface with any system, or record votes. These systems would simply print paper voting receipts with bar codes that would then be scanned and dropped into a ballot box, officially casting the vote.
This method removes the need for any polling station to be held responsible for counting votes, thus eliminating any effect tampering with machines might have on results. It also ensures a paper trail for potential recounts. Moreover, by relying on paper in printers rather than official ballots, no voter can be turned away for lack of ballots at a polling place.
This solution is cheap and straightforward, yet isn't widely used. Instead, we have spent billions of dollars on commercial solutions that offer no paper trail -- just a poor security history.
One recent example involved a Republican at-large election in Washington, D.C., in which thousands of votes appeared and then disappeared during the day. Sequoia Voting Systems equipment was used for that election. Not surprisingly, Sequoia has laid the blame for those phantom votes on human error, perhaps a corrupt memory cartridge. Retailers wouldn't accept cash registers that were this error-prone. In many cases, brand-new e-voting systems have been shelved due to such issues, at a fantastic cost to taxpayers.
Network integrity: Ensuring all votes count
Leveraging existing network infrastructures to completely remove the polling place from the vote-counting equation is another essential step to ensuring secure elections.
In many cases, public polling is conducted in government buildings, schools, community centers, and other facilities equipped with some form of broadband Internet access. Devices running open source software could be made to create an instant, encrypted link to transmit all votes to a centralized server, while still providing a paper trail at the polling place in the form of a printout.
In this way, votes from a significant number of precincts could be counted as they are entered, rather than after the fact. Communication with the central server would be secured using existing encryption methods such as AES (Advanced Encryption Standard) and certificate-based authentication. Even when voting in someone's garage, your vote would be more secure than it would be using a pile of flash cards in a box.
In addition, these devices wouldn't require manual configuration. Once connected and authenticated to the central server, all ballot choices would be pulled from the central server for display to the voter. Thus, setting up the polling place would simply require volunteers to plug everything in and turn the systems on.
Of course, connectivity to the central server is sure to be this solution's weakest link. Though all transactions would be encrypted, the system would also need to incorporate a queuing method to retain votes until the server is available. This functionality could also maintain vote integrity even where Internet connectivity is not available. Simply connect the device to the network at a later time, and the votes are delivered to the central server. As above, paper receipts of each vote would be made available as they were cast, as a fallback should problems occur.
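The queuing method described above, as an added example (not code from the article or from any voting system): each queued vote is authenticated and chained to the one before it, so a record altered or dropped while the device was offline is rejected on delivery. The HMAC device key stands in for the certificate-based authentication the article mentions, encryption of the link itself is out of scope, and every name and sample value here is constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record from a device


def _canon(body):
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _digest(body):
    return hashlib.sha256(_canon(body)).hexdigest()


def _tag(key, body):
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


class VotingDevice:
    """Polling-place unit: queues every vote locally, delivers when it can."""

    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key
        self.seq, self._prev = 0, GENESIS
        self.queue = []  # records the server has not yet acknowledged

    def cast(self, choice):
        self.seq += 1  # also the number of paper receipts printed so far
        body = {"device": self.device_id, "seq": self.seq,
                "prev": self._prev, "choice": choice}
        self._prev = _digest(body)
        record = dict(body, tag=_tag(self._key, body))
        self.queue.append(record)
        return record

    def flush(self, server, link_up):
        """Deliver in order; anything not acknowledged stays queued."""
        sent = 0
        while link_up and self.queue:
            if server.accept(self.queue[0]) not in ("accepted", "duplicate"):
                break  # keep this record and everything behind it
            self.queue.pop(0)
            sent += 1
        return sent


class CentralServer:
    def __init__(self, device_keys):
        self._keys = device_keys
        self._last = {}     # device id -> (last seq, digest of last body)
        self.tally = {}
        self.rejected = []  # (device, seq, reason) for the audit log

    def received(self, device_id):  # compare with the paper receipt count
        return self._last.get(device_id, (0, GENESIS))[0]

    def accept(self, record):
        body = {k: v for k, v in record.items() if k != "tag"}
        key = self._keys.get(body.get("device"))
        if key is None:
            return self._reject(body, "unknown-device")
        tag = str(record.get("tag", "")).encode()
        if not hmac.compare_digest(_tag(key, body).encode(), tag):
            return self._reject(body, "bad-tag")
        last_seq, last_digest = self._last.get(body["device"], (0, GENESIS))
        if body["seq"] <= last_seq:
            return "duplicate"  # redelivery after a lost ack: count once
        if body["seq"] != last_seq + 1 or body["prev"] != last_digest:
            return self._reject(body, "gap-or-reorder")
        self._last[body["device"]] = (body["seq"], _digest(body))
        self.tally[body["choice"]] = self.tally.get(body["choice"], 0) + 1
        return "accepted"

    def _reject(self, body, reason):
        self.rejected.append((body.get("device"), body.get("seq"), reason))
        return reason


def demo():
    key, unit = b"constructed-demo-key", "precinct-7-unit-1"  # constructed
    server = CentralServer({unit: key})
    device = VotingDevice(unit, key)
    first, second, _ = [device.cast(c) for c in ("A", "B", "A")]
    result = {"sent_offline": device.flush(server, link_up=False),
              "queued": len(device.queue)}
    # A stored record edited while the device was offline fails its tag.
    result["tampered"] = server.accept(dict(first, choice="B"))
    # Delivering record 2 with record 1 removed breaks the sequence.
    result["gap"] = server.accept(second)
    result["delivered"] = device.flush(server, link_up=True)
    result["replay"] = server.accept(first)
    result["tally"] = dict(server.tally)
    result["counts_match"] = server.received(unit) == device.seq
    return result


if __name__ == "__main__":
    print(demo())
```

The per-device count the server reports can be reconciled against the number of paper receipts printed at the polling place, which is the fallback the article relies on.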
Open source in the voting booth
Anyone familiar with current e-voting technologies will note that the logistics of this solution are no more or less complex than those of existing systems. The key, however, is that they would be driven by open source code that anyone could download and use.
With all the covers off, it becomes extremely difficult to embed backdoors or commit cloak-and-dagger fraud. The ability to view the code that records our votes should be a basic right -- if only to ensure that the conditions leading to a successfully recorded vote do not set success as a default.
The best bet for an open voting system would be code based on NetBSD or OpenBSD, embedded in nonremovable flash on the mainboard of the device. The device would also require a serial or USB-driven touchscreen, as well as a USB-connected, embedded printer. Code updates to the device would not be allowed via the touchscreen, but rather through a certificate or key-secured USB or serial connection.
Such a device would be less complex than a McDonald's cash register, running extremely basic, open code that's been hardened for years, and can be easily reduced to only the required functions. There's no reason it couldn't be cheap, simple, and extremely easy to produce. Further, it should easily handle being mothballed for a year or two between elections.
Detractors will claim that if the code is open, anyone planning to commit fraud will have the blueprints to circumvent the security of the system. The ever-growing adoption of open source software in businesses large and small, as well as the Internet's reliance on open source solutions, provides evidence to the contrary. For example, open cryptography solutions are no less secure than their closed counterparts. In fact, one could argue that they're more secure, given that complete code visibility greatly reduces the potential for backdoors.
Open elections require open systems
Ultimately, the call for open source e-voting systems isn't as much about open source software as it is about securing our inalienable right to legitimate elections. It just so happens that open source is the best way to accomplish that goal.
If the past few elections are any indication, secure voting machines are essential to political legitimacy. With machines sold by companies that produce far more secure ATMs than voting systems, something must change, especially as the inaccuracies and irregularities incurred by these systems continue to mount. No effective steps have been taken by the government thus far to address the integrity of our vote, other than small measures by state and county governments that have already blown budgets on insecure systems.
In 2002, Congress passed the Help America Vote Act in response to the hanging-chad debacle of Florida's 2000 presidential elections. The act's main thrust was to provide money to states to replace outdated punch-card- and lever-based voting systems with optical-scan or touchscreen models. The act largely accomplished that goal, filling the coffers of closed source voting system manufacturers. In doing so, the act may have inadvertently placed the country in a worse situation, given how difficult it is to rig large numbers of votes with punch card or lever systems. By contrast, a single poorly designed e-voting machine can be used to covertly modify large numbers of votes.
Of course, even with a paper ballot cast in a locked box, there have never been fail-safe assurances that any given vote has been counted and recorded. Human error and malfeasance are sure to be constants.
Yet in every industry, computers have reduced or eliminated human error and guarded against fraud. From banking to taxes to tollbooths, computers ostensibly provide a dispassionate third party to tally numbers, not as we might wish them to be but as they are. Voting systems are no exception, and they should be afforded far more protections, oversight, and regulation than those in most other industries as they protect the very foundation for our democracy.
The law has always trailed behind technical innovation. In the case of e-voting, Congress must act to close this gap, by passing legislation to provide grants for developing a single, open framework for all voting systems and to provide funds to states to retrofit existing hardware where possible.
This "Open Vote Act" should also enact laws that prohibit the use of any voting system that does not provide a paper audit trail, and it should mandate that companies use government-approved voting code without modification when building proprietary systems. If we can nationalize big banks and spend a trillion dollars to recover from the irresponsible actions of a relative few, we can certainly nationalize portions of our voting infrastructure. There's too much at risk to think otherwise.
Hanlon's razor: IT's call to action
As we head into the 2008 elections, we all hope that there are no surprises come Election Day. The media will hang on every instance of voting-system inaccuracy, and we're sure to hear from voters across the country who have been inadvertently disenfranchised by malfunctioning e-voting systems.
Here, Hanlon's razor ("Never attribute to malice that which can be adequately explained by stupidity.") comes into play. If there are widespread problems with e-voting systems this time around, we have no one but ourselves to blame. We have seen the flaws of these systems, and we have not acted to correct the system that has given rise to them.
If voting irregularities occur during this election, let's hope the novelty of current e-voting systems will wear off for the population at large, giving way to meaningful voting reform in Washington. If everything seems to go smoothly, however, let's not just assume the issue of e-voting security has magically gone away.
Either way, those of us who know how computers work, who know how easy it is to slip backdoors into closed code, and who know how these problems should be addressed will always provide an undercurrent of distrust -- not just for our individual votes but for the entire elections system in general.
Isn't it time we put our knowledge into action?
Canonical moves on desktop, server Linux
Canonical, which wants Linux to challenge Apple's Macintosh in usability on the desktop, is unveiling on Monday upgrades to its Ubuntu Linux distributions, offering 3G and virtualization improvements. Version 8.10 of Canonical's Desktop and Server Linux distributions is being announced Monday and will be available Thursday.
At the O'Reilly Open Source Convention in Portland, Ore. in July, Ubuntu founder Mark Shuttleworth set forth a goal to have Linux on the desktop match the usability of the Macintosh. While version 8.10 does not yet attain that goal, it is a step in that direction, said Steve George, director of corporate services at Canonical. "That continues to be what we're working towards," George said.
"I think Linux on the desktop is definitely picking up speed. The new netbook category [of smaller, mobile laptop systems] is a great opportunity for Linux," said George.
The Desktop release features 3G network support for moving from wired and Wi-Fi networks onto 3G cell phone networks while traveling, Canonical said.
An analyst lauded the 3G capabilities. "This allows users of Ubuntu to connect to a variety of 3G networks worldwide with no complex configuration," said Stephen O'Grady, principal analyst at RedMonk.
Users of the Desktop edition can start a "guest session" and let someone use their computer to surf the Web or check e-mail while maintaining security and integrity of their own data, Canonical said. Ubuntu's Desktop can be put on any USB key and installed on any machine.
The Gnome 2.24 desktop environment in the release offers a new instant messaging client, a time-tracker and the Ekiga 3.0 video and audio conferencing tool. Also, file management has been improved, as has support for multiple monitor use.
Another feature in the Desktop release is programming from the BBC, including streamed content available through default media players in Ubuntu 8.10. A mixture of video, radio, and podcasts will be available.
Another analyst, however, was skeptical of Canonical's desktop ambitions.
"Ubuntu is a nice Linux distro for both the server and the desktop," said analyst Gordon Haff, of Illuminata. "That said, the suggestion that Ubuntu will bring Linux onto the desktop in a big way, I just don't buy it. With Internet-based computing going where it's going, I just don't see a lot of enthusiasm for another desktop OS in the Windows or OS X mold. That's not to say that you won't see Linux, maybe Ubuntu, on some laptops (especially specialized ones like netbooks) but you have to distinguish some penetration from going mainstream."
Ubuntu 8.10 Server Edition, which will be maintained for 18 months, offers capabilities for virtualization, Java development, and system management.
In the virtualization space, improvements have been made in setting up virtual machines, with the release building on the Just Enough Operating System, which was launched last year and is configured for virtual appliances. The Server product offers a Virtual Machine builder to allow virtual machines to be built from the command line in fewer than five minutes. Custom virtual images can be built. Virtual Machine builder offers a component to a provisioning process for virtualization, Canonical said.
Xen technology is featured as a "paravirtualized guest," providing for efficiency in running a virtualized environment, George said.
Canonical's Vm-builder helps ISVs put together a software appliance, said analyst Brett Waldman at IDC. "In that respect, they're a leader in that Linux space," he said. In other respects, though, Canonical is middle-of-the-pack, said Waldman.
Java servlet capability based on Apache Tomcat is featured for running lightweight Java Web applications under Ubuntu Linux. "The importance of that is [if] you want to use Ubuntu to deploy a Java-developed app, then you can do that now. And in particular, in a case where you need full Java EE (Enterprise Edition) capabilities," George said.
A client for the Landscape system management tool is bundled with the server release, offering reporting at each login. Mail server capabilities in the product provide for spam detection and virus filtering.
The tool chain for compiling Ubuntu has been updated with security features such as glibc function call fortification. With this version of the Server platform, it is harder for bugs to be turned into exploited vulnerabilities.
Encrypted private directories are mounted when users log in. Sensitive data is kept secure even if a system is stolen, Canonical said.
An "Uncomplicated Firewall" feature makes it easier to manage a host firewall through the addition of application profiles, Canonical said. Services like apache and bind9 declare which ports they use so the administrator only has to enable a network service rather than a set of ports.
Also, RAID capabilities have been improved with support for SATA RAID controllers via DMRaid, and system administrators now can configure booting from a degraded RAID array.
Ubuntu's Linux distributions are free of charge, but Canonical does sell support services.
Top 10: Microsoft's bug, Greenspan speaks, Android launches
Soon after Microsoft released a patch for a critical bug in its Windows Server software, attack code surfaced, and by Friday afternoon an early sample of the code was out, which led to the week ending on a warning note. Between the beginning and the end of the week, former Fed chairman Alan Greenspan blamed the U.S. economic crisis at least in part on the use of bad data. Perhaps next week will bring better news.
1. Attack code for critical Microsoft bug surfaces and New worm feeds on latest Microsoft bug: It didn't take long after Microsoft provided information about a critical Windows flaw, along with a patch, before attack code showed up. Developers of the Immunity security testing tool had an exploit written within a couple of hours of Microsoft's announcement on Thursday. Although the developer's software is only for paying customers, security researchers said they expected a version of the code to go public soon. That happened Friday afternoon when sample code appeared on the Web. The flaw, in Windows Server service, which is used to connect network resources, was also being exploited by a worm.
2. Greenspan, Cox tell Congress that bad data hurt Wall Street's computer models: Insufficient and faulty data used in risk management models contributed to the financial mess embroiling the U.S. and rippling across the globe, said former U.S. Federal Reserve chairman Alan Greenspan. Financial firms made business decisions using "the best insights of mathematicians and finance experts, supported by major advances in computer and communications technology," Greenspan told the House Committee on Oversight and Government Reform. "The whole intellectual edifice, however, collapsed in the summer of last year because the data inputted into the risk management models generally covered only the past two decades -- a period of euphoria."
3. Microsoft expanding Surface access: In order to get the SDK for Microsoft's touch-based apps platform, developers had to buy Surface hardware, which could be a pricey proposition. Well, no more: Microsoft will give the SDK to developers who attend a Surface workshop at its Professional Developers Conference next week.
4. Android phone launch day relatively quiet: Google's Android phone went on sale Tuesday, with people here and there standing in short lines outside of stores to be first to get their handsets. While there wasn't anything approaching the buzz surrounding the first iPhone sales, T-Mobile stores reported a steady stream of customers for its G1 phone, which is the first on the market to run the Android operating system.
5. Intel repudiates executives' criticism of the iPhone: Comments from Intel executives who criticized the iPhone weren't appropriate, Intel said, after reports on the statements emerged from the company's developer forum in Taipei. Shane Wall and Pankaj Kedia said the iPhone is slow and incapable of running the "full Internet" because the smartphone has an Arm processor instead of, you guessed it, an Intel processor. "Apple's iPhone offering is an extremely innovative product that enables new and exciting market opportunities. The statements made in Taiwan were inappropriate, and Intel representatives should not have been commenting on specific customer designs," the company said later in a statement posted on its Chip Shots Web site.
6. Gmail activation problem in Apps finally solved: A problem was finally solved this week with Google Apps that kept those who recently subscribed to its Web-hosted office suite from being able to get to their new Gmail accounts. The problem kept Gmail accounts from being activated for new Apps users, starting late last week. The company said Monday the problem would be fixed by Tuesday, but it didn't work out that way, to the consternation of many Apps users, or would-be users.
7. Sun tussles with startup over noted systems designer: In an oddball of a story, startup Arista Networks set off a mini firestorm with Sun Microsystems when it announced that Andreas Bechtolsheim is the company's new chief development officer. Bechtolsheim, you see, is Sun's chief scientist and a top-notch systems designer, so Arista's news led to reports that he had resigned from Sun, which Sun denied, sending e-mail to journalists saying those reports were inaccurate and that he would continue at the company, though part time. That led Arista's director of marketing, Mark Foss, to say that as far as the startup is concerned Bechtolsheim is working full time at Arista, and that there was "a miscommunication" between his company and Sun that they were working to clarify. Bechtolsheim then did the clarifying -- he works full time now at Arista, which he cofounded and where he also serves as chairman, but he's going to advise Sun on a part-time basis of "no more than one day a week."
8. Intel shows off new laptop platform: Users got a glimpse of Intel's upcoming laptop platform, code-named Calpella, at the Intel Developer's Forum in Taiwan. The primary focuses of Calpella are efficiency and battery life.
9. Microsoft looks to secure Web content: At its Professional Developers Conference next week, Microsoft will show off its Web Sandbox initiative, which seeks to secure Web content by isolating it. The technology includes a cross-browser JavaScript virtualization layer that provides a secure standards-based programming model without requiring any add-ons.
10. Where the presidential candidates stand on tech issues: Both Democrat Barack Obama and Republican John McCain bring technology experience to the table as presidential candidates, though the experiences are quite different. Obama is an avid user of technology -- he's among the capital's BlackBerry enthusiasts -- while McCain admits he's not much for using electronic devices, but he has been on the Senate Commerce, Science and Transportation Committee for a long time, and a lot of technology-related legislation passes through that group before going to the full Senate. IDG News Service took a look at where they each stand on five key technology areas: telecommunications, national security, privacy, IT jobs, and innovation.
Researchers find state of matter that may extend Moore's Law
Researchers at McGill University in Montreal have discovered a new state of matter that they say could greatly extend Moore's Law.
Engineers at companies like Intel and AMD have long been cramming more and more transistors -- the building blocks of the processor -- onto a chip. Last fall, for instance, Intel announced that each of its new Penryn chips holds 820 million transistors. The Penryn chip keeps alive the 40-year-old prediction by Gordon Moore that the number of transistors on a chip will double every two years.
Some observers have long predicted that leakage and energy consumption will be significant roadblocks to the law at some point.
The McGill scientists, though, think they may have a way around those roadblocks.
The researchers say they've found a quasi-three-dimensional electron crystal that could enable them to harness quantum physics to make increasingly small computer chips. The crystal was discovered using a device cooled to a temperature that is 100 times colder than intergalactic space.
Dr. Guillaume Gervais, director of McGill's Ultra-Low Temperature Condensed Matter Experiment Lab, said that the material is not quite three-dimensional but it's something in between two- and three-dimensional.
"In a standard transistor, you have a gate, and the electron flow is controlled by it like a faucet would control a gas flow," Gervais said in a statement. "You can understand the particles as independent units, which lets us treat them as ones and zeroes or on and off switches in digital computing. However, once you get down to the nano-scale, quantum forces kick in and the electrons may condense into a collective state and lose their individual nature. Then all sorts of bizarre phenomena pop up. In some cases, the electrons may even split. Concepts of 'on' and 'off' lose all meaning under these conditions."
Dan Olds, principal analyst with the Gabriel Consulting Group, said the McGill scientists are working on far-reaching science, and even if their theories hold true it would be quite some time before they could be used in the chip manufacturing process.
"There also isn't any evidence to say that this is the answer to continuing Moore's Law. It's a possible answer, it's a potential answer, but only after we understand how these new materials work, which we don't yet," said Olds.
"From a higher perspective, this is the kind of experimental activity that is taking place all over the world. It's great, because we see these breakthroughs that others will build on. Many will fall by the wayside -- blind alleys that don't go anywhere interesting -- but a few will be found to be extremely useful over time. It's the law of the jungle in technology," Olds added. "There are many experiments. Some are interesting but useless. A very few are interesting and very useful. It's too soon to tell which camp this one will fall into."
In its work to shrink transistors and extend Moore's Law, IBM announced last February that they had hit a major milestone in nanotechnology, figuring out how to measure the amount of force needed to move an atom. Their new measurement capabilities could enable researchers to shrink the size of transistors used in computer chips.
Shrinking transistors cuts power requirements and boosts speed.
Computerworld is an InfoWorld affiliate.
New worm feeds on latest Microsoft bug
One day after Microsoft issued a rare emergency Windows security patch, the bad guys have a few new ways to take advantage of the bug.
By Friday, security researchers had identified a new worm, called Gimmiv, which exploited the vulnerability, and a hacker had posted an early sample of code that could be used to exploit the flaw on the Web.
[ For earlier developments in this bug's progress, see "Microsoft to rush out emergency Windows patch" and "Attack code for critical Microsoft bug surfaces" ]
Microsoft issued the patch more than two weeks ahead of its next security updates because the bug could be used to create an Internet worm attack and Microsoft had already seen a small number of attacks that exploited the flaw.
This vulnerability lies in the Windows Server service used to connect with other devices on networks. Although the firewall software that ships with Windows will block the worm from spreading, security experts are worried that the flaw could be used to spread infections between machines on a local area network, which are not typically protected by firewalls.
And that's exactly what the Gimmiv worm is designed to do, according to Ben Greenbaum, a senior research manager with Symantec. "It is downloaded onto a target machine via social engineering and then proceeds to scan and exploit machines on the same network, using this newly disclosed vulnerability in the Server service," he said.
The worm then loads software that steals passwords, security experts say.
Both Symantec and McAfee said Friday that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting Thursday evening, they found a 25 percent jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.
That scenario becomes more likely, too, as more tools that exploit the flaw are released to the public. On Friday, sample exploit code was posted to the Milw0rm.com hacker site, and over the next few days hackers are expected to move that code into attack tools that are easy to use.
Greenbaum predicted that the attack code will soon be used to build botnet networks of infected computers. "What we are going to see is this attack being added to the arsenal of botcode," he said.
"Once it evolves to the point where people really don't have to know much about the exploit ... those are the situations where people write the worms that do a lot of [damage]," said McAfee researcher Craig Schmugar.
Does he expect a damaging worm to emerge from this latest bug? "If history is a lesson, then yes," he said.
Accusations flying in SAP-Waste Management suit
The lawsuit filed by Waste Management against SAP in March over what the trash-disposal company claims was a botched ERP implementation is growing increasingly rancorous, with accusations of withheld information and deliberate foot-dragging.
In addition, the systems integrator Deloitte Consulting has become caught up in the suit, though not as an official party.
[ See earlier developments in this story: "Waste Management sues SAP over ERP implementation" and "Update: SAP files counterclaim against Waste Management" ]
In a filing in Harris County, Texas District Court earlier this month, SAP asked the court to delay the trial until February 2010 due to the complexity of the case. The vendor also alleges Waste Management has not behaved in good faith during the discovery process.
"Rather than focusing on producing the most relevant documents first, Waste Management appears to have taken the opposite approach," SAP said.
While Waste Management's production "has been voluminous, most of those documents -- such as customer invoices, office building sign-in sheets, and customer addresses -- relate generally to its business operations and not specifically to the purchase or implementation of the software at issue in this suit."
SAP also wants the court to delay the depositions of a number of SAP employees.
"The only possible explanation for Waste Management's refusal to produce the documents on which it intends to rely at the depositions -- or, for that matter, for seeking to depose key witnesses before producing its own documents -- is that it hopes to 'surprise' SAP's witnesses with documents they have never seen, or have not seen in years and have long forgotten," the filing alleges.
Meanwhile, SAP has produced "hundreds of thousands of pages of documents, including e-mails and what Defendants believe are most of the critical documents," SAP said.
But a response filed by Waste Management states "SAP has sought to delay the case at every turn," and that trial should begin in April 2009.
"These types of lawsuits, arising from defective software and failed implementation, are routine for SAP," Waste Management said. "There are standard motions it files and it uses the same types of expert witnesses. ... There is no reason the case cannot be discovered and tried in 2009."
SAP's assertions regarding Waste Management's conduct during discovery are "baseless," the filing adds. "Waste Management has made 10 separate productions of 'substantive' information to SAP totaling 947,304 pages (compared to SAP's production of approximately 308,000 pages)."
The documents include issue and resolution logs "addressing specific issues with the programming, conversion and implementation of SAP Waste & Recycling software," the filing states.
SAP has also "refused to present witnesses for deposition, has failed to substantively answer interrogatories, and has lodged boilerplate objections to discovery that it refuses to withdraw," Waste Management said.
Therefore, "it is important for Waste Management to start depositions to determine what SAP refuses [to] disclose and determine what discovery SAP is not providing," the filing adds.
SAP previously filed a counterclaim to Waste Management's suit arguing in part that the trash-disposal company violated its deal with SAP including by "failing to timely and accurately define its business requirements" and not providing "sufficient, knowledgeable, decision-empowered users and managers" to work on the project.
Apparently in support of this line of argument, another recent filing shows that SAP has subpoenaed Deloitte, asking the company to provide all documentation tied to work Deloitte performed for Waste Management regarding the licensing and implementation of a range of SAP software, as well as "any analyses or other work performed by Deloitte concerning Waste Management's business processes."
Waste Management's internal name for the SAP implementation project was "C1" or "Customer First," and the company hired Deloitte to perform an independent review after a site in New Mexico went live, according to the filing.
Deloitte allegedly told Waste Management that "the original Blueprint workshops were ineffective at capturing the business requirements for the WM solution" and that "as a result, after the workshops the Blueprint design was allowed to constantly change as the teams' understanding of the functionality evolved."
"To the extent Waste Management believes [SAP's] software was a failure, the blame lies with Waste Management," the filing adds.
Waste Management argues that SAP's subpoena is worded too broadly. "To the extent that Deloitte's work at Waste Management is not part of the SAP implementation project, plaintiffs object that the request is an improper fishing expedition."
Waste Management and Deloitte declined additional comment on Friday.
SAP spokesman Andy Kendzie said the company does not discuss ongoing litigation. "I would say that beyond that, we will vigorously defend our brand and reputation during the litigation process," he added.
Microsoft to release Vista SP2 private beta next week
Microsoft will distribute the second service pack for Windows Vista to a small group of beta testers next Wednesday, the company said Friday.
A small group of Technology Adoption Program members will get a test version of Windows Vista Service Pack 2 (SP2) in the middle of Microsoft's Professional Developers Conference (PDC), which is scheduled for next week in Los Angeles, the company revealed on the Windows Vista team blog.
Vista SP2 will include previously released fixes that focus on specific reliability, performance, and compatibility issues with Vista, according to the blog entry, attributed to Mike Nash, vice president of Windows product management at Microsoft.
The company expects Vista SP2 will be compatible with applications that are written using public APIs (application programming interfaces) that run on both Vista and Vista SP1, he said. It also will be released for both Vista and Windows Server 2008 simultaneously.
Microsoft has not set a date for the final release of SP2 and will base that release on feedback from the beta program, according to Nash's post.
Some of the improvements Microsoft plans to deliver in SP2 include the addition of Windows Search 4.0 to enable faster and better relevancy in searches, Bluetooth 2.1 Feature Pack to support the latest Bluetooth technology and the ability to record data onto Blu-ray video format natively in Vista, Nash said.
Vista SP2 also will add Windows Connect Now technology to simplify the configuration of Wi-Fi networks, and include support for UTC (Coordinated Universal Time) timestamps to ensure that files are synchronized across time zones, according to the blog post.
In his post, Nash advised users that if they are waiting for SP2 to upgrade to Vista, they should consider using the Vista SP1 OS now rather than wait.
"While we will recommend SP2 when it ships, your best bet today is Windows Vista SP1," he wrote.
Even as Microsoft readies Vista SP2, the company is expected to distribute an early release of Vista's follow-up, Windows 7, at the PDC next week.
