NASA ready for Mars rocket test flight Tuesday

NASA is set to launch a test flight of its new Ares I-X rocket that is designed to replace the aging space shuttle fleet and eventually spirit humans to Mars. NASA announced today that the test vehicle is slated to take off some time between 8 a.m. and noon tomorrow from Kennedy Space Center's Launch Pad 39B. The space agency noted that the Ares I-X rocket is the first non-space shuttle craft to be launched from Pad 39B since the Apollo program's Saturn rockets were retired more than 25 years ago. "For those of us who've lived with the shuttle and grew up looking at Saturn Vs, it's obviously a little different than what we're used to seeing," said Jon Cowart, one of NASA's two Ares I-X deputy mission managers, in a statement. If the 1.8-million-pound, 327-foot-tall rocket doesn't launch on Tuesday, the take-off will be rescheduled for Wednesday, according to NASA. The space agency noted on its Web site that it's looking for tomorrow's flight to gauge the dependability and characteristics of the rocket's hardware, facilities and ground operations. Bad weather could stand in the way of the big test launch, though, as meteorologists say that there's only a 40% chance of good weather in the four-hour window. With more than 700 sensors on board, Ares I-X is wired to relay ascent data back to engineers on the ground.

NASA reported that the rocket's four first-stage, solid-fuel booster segments come from the space shuttle program. The Ares I-X combines technology from several different operations. A booster segment contains Atlas-V-based avionics, and the rocket's roll control system comes from the Peacekeeper missile. NASA's Ares rockets are expected to return humans to the moon and later take them to Mars. However, the launch abort system, simulated crew and service modules, upper stage, and various connecting structures are original. NASA has been planning on a move to the moon and then on to Mars for several years now.

With budgetary concerns in the forefront, the review is looking at possible alternatives to programs already in the pipeline. The space agency has been working toward setting up a lunar outpost by 2020. However, the schedule, if not the mission itself, has come into some question as President Barack Obama's administration oversees an independent review of NASA's human space flight activities.

Momentum builds for open content management standard

A proposed standard meant to help content management systems communicate with each other has steady momentum, and an initial version could be finalized early next year. Organizations face difficulties when integrating information from various content repositories, because specialized connectors typically have been required for each system. Content Management Interoperability Services (CMIS) was first announced in September 2008. It outlines a standardized Web services interface for sharing content across multiple CMS (content management system) platforms.

Both customers and vendors stand to gain from CMIS. It should cut the amount of one-off integrations and custom development work end-users currently must do, and in addition, software vendors won't have to build and support a wide range of connectors, said 451 Group analyst Kathleen Reidy via e-mail. The company said Monday it has included support in the 3.2 version of its platform for CMIS 1.0, which is now in a public review period scheduled to end Dec. 22. CMIS' inclusion in Alfresco 3.2 will enable users to get a hands-on look during the review period, the company said. The specification, which is being developed under the auspices of standards body OASIS (Organization for the Advancement of Structured Information Standards), is supported by the content management industry's biggest players, including EMC, Adobe, Microsoft, Open Text, IBM and SAP. Open-source CMS vendor Alfresco is also a backer. CMIS 1.0 is on track to be finalized within the first few months of 2010, according to a recent blog post by Ethan Gur-esh, a Microsoft program manager. But even that percentage is "remarkably high" given that CMIS isn't even a standard yet, CMS Watch analyst Alan Pelz-Sharpe said in a blog post at the time. "CMIS has good momentum and has the right set of vendors backing it," the 451 Group's Reidy said. "It will take a while for the standard, once ratified, to show up in actual, commercially supported, shipping versions of most ECM products though, just due to the release cycles of these products." Despite the high-profile vendors involved, it's not clear how many end-users are aware of CMIS. A study released recently by research firm AIIM said it had "gained traction" among 15 percent of the organizations surveyed.

"But it does look like it will happen, as most have stated support and have support for the current spec in developer-only downloads and so forth."

E-voting system lets voters verify their ballots are counted

A new electronic voting system being used today for the first time in a government election in the U.S. will allow voters and elections auditors in Takoma Park, Md. to go online and verify whether votes have been correctly recorded. It uses cryptographic techniques to let both voters and election auditors check whether votes have been cast and counted accurately. The voting system is called Scantegrity and was developed by independent cryptographer David Chaum, along with researchers from the University of Maryland-Baltimore, the George Washington University, MIT, the University of Ottawa and the University of Waterloo.

The Scantegrity technology is being used to augment regular optical-scan voting systems in Takoma Park's city council election. When the bubble is filled, it reveals a three-digit confirmation number already printed on the ballot using an invisible marker. To cast a vote, an individual takes a paper ballot and fills in the optical-scan oval next to the name of the selected candidate using a pen with a special type of ink. That three-digit code is a sort of randomly generated cryptographic marker that's used to associate the voter's choice with the appropriate candidate. If the code is present on the Web site, it means the ballot was counted correctly, he said.

The codes are separately randomized for each oval and for each ballot, ensuring that the codes don't reveal who an individual voted for, Chaum said in an interview with Computerworld. Voters can use that confirmation code to later log into the city's election Web site to confirm that their votes were recorded accurately. Scantegrity also lets election auditors - and even third-party observers - check whether the results were accurately tabulated without revealing how each individual vote was cast, Chaum said. Scantegrity uses cryptographic techniques to first map each code to the associated candidate and then completely conceals the link. Though it is not possible to link an individual ballot to a specific candidate, auditors can verify that the codes do lead to the recorded votes. It then uses a concept known as "zero-knowledge proof" to show auditors that the codes do in fact correspond to the right candidates, said Aleks Essex, a Ph.D. student in computer science at the University of Ottawa who was involved in the Scantegrity effort.

For example, an individual could use a piece of paper with a hole cut in it to prove to a child that he knows the location of Waldo in a "Where's Waldo" puzzle, Essex said. Zero-knowledge proof is a way to demonstrate the authenticity of a statement without revealing any other details about the statement, said Essex. By placing the hole over Waldo, he shows he knows Waldo's location in the puzzle, but doesn't reveal the exact location to the child. The results of today's elections in Takoma Park are being audited by two officials, one of whom is from Harvard University. "It is a really powerful thing to have public transparency of the tabulation process and yet preserve ballot secrecy," Chaum said. Scantegrity enables auditors to get the same sort of proof to show that confirmation codes in an election map to the right candidates, without revealing an individual voter's choice, he said.

Because Scantegrity is built on open-source software, it can be used elsewhere to run similar audits against election results using custom tools, he said. But to a large extent, optical-scan voting machines already offer a relatively high degree of verification support. Pamela Smith, President of the Verified Voting Foundation, said that technologies such as Scantegrity do add an additional layer of integrity to the election process. Because such machines save a record of the voter's intent, auditors can go back and verify results if necessary, she said. Maryland is one of the few states that rely on touch-screen voting systems, which are costlier to operate and maintain than optical scan systems, she said. The bigger issue in Maryland is that the state needs to adopt optical-scan systems on a larger scale, she said.

UC Berkeley tightens personal data security with data-masking tool

To better safeguard the personal data of its students, the University of California at Berkeley (UC Berkeley) has adopted a specialized data-masking technique in its application development work that effectively can hide data in plain sight by mixing it up. Data such as students' first and last names can be switched around to camouflage the real names, and sensitive information such as student identification numbers also undergoes a gentle jumbling so what appears to the eye is not the true number. Steve McCabe, associate director of information in UC Berkeley's residential and student services program, says the advantage in using the dataguise tool is it significantly reduces security risks around personal, sensitive data. "Student IDs paired with names becomes restricted data here," says McCabe, describing some of the data-privacy rules that the university must follow. It's done with a tool called datamasker from dataguise.

But the challenge has been how to enforce restrictions in a software-development environment where constant work by several developers is ongoing to support UC Berkeley's home-grown Web-based applications for SQL Server, such as the housing and assignment system. Though the actual production database has to be protected through other means, the risks associated with data exposed to developers and testers in the course of their work have been vastly reduced since UC Berkeley started using the tool about half a year ago. McCabe says the data-masking approach, in which the dataguise tool mixes up names, sensitive numbers and other data prior to developers seeing it (dataguise calls it "de-identification"), has worked out well because the data columns maintain the necessary structure but the content is effectively concealed to the naked eye. "We do a lot of application development and handling large volumes of student information, and we wanted a way to restrict that data," McCabe says. "So we randomize the IDs, and first name, last name, date of birth, and so forth." While one main copy of a production database is preserved, with the genuine student information, developers can freely work on copies that have undergone the dataguise data-masking treatment in what McCabe calls a "sanitized version" without concern of a potential data breach. "It maintains the relationship and updates with scrambled data," McCabe says. UC Berkeley, like many universities, has suffered consequential data breaches. In May of this year, UC Berkeley acknowledged a data breach in which it said hackers broke into its health-services databases, compromising health-related information on about 160,000 individuals.

Cloud security service looks for malware

Webroot Tuesday announced it has extended its cloud-based Web security service, adding a way to filter outbound as well as inbound Web traffic, monitoring for threats in order to detect and block malware such as botnets that have infected computers. If the cloud-based Webroot service detects malware such as botnet code calling out to get instructions or otherwise perform an activity, it will block that request, though not all traffic on the user's machine. "We already have inbound filtering and now we're adding outbound," says Brian Czarny, vice president of solutions marketing at Webroot about the Web Security Service that can now monitor for signs of malware-infected corporate computers trying to "call home" for more instructions, a common practice among criminally run botnets.

The Webroot service would then notify the systems administrator of the security event via e-mail and the Web-based administrative console where reports can be obtained. The service works by having the corporation proxy its Web traffic through Webroot's data centers where a variety of security methods can clean malware and ward off phishing attacks. Czarny says there is no additional charge for the outbound monitoring now available through the Webroot Web Security Service, which also includes some basic URL filtering for productivity purposes. Webroot is also announcing on Tuesday an in-the-cloud e-mail archiving service that lets customers store e-mail to be searched and retrieved whether from on-site corporate mail servers or Google Apps. The pricing for the e-mail archiving is $6 per month per user for unlimited storage and retention; the Web Security Service costs $5 per user per month, with discounts based on volume.

Unpatched SMB bug crashes Windows 7, researcher says

A day after Microsoft plugged more than a dozen holes in its software, a security researcher unveiled a new unpatched bug in Windows 7 and Server 2008 R2 that, when exploited, locks up the system, requiring a total shutdown to regain control. Laurent Gaffie posted details of the vulnerabilities, along with proof-of-concept exploit code, to the Full Disclosure security mailing list today, as well as to his personal blog. Microsoft acknowledged that it's investigating the flaw.

The attack code, said Gaffie, crashes the kernel in Windows 7 and its server sibling, Windows Server 2008 R2, triggering an infinite loop. "No BSOD [Blue Screen of Death], you gotta pull the plug," Gaffie said in notes inserted into the exploit code. Gaffie claimed that the exploit, powered by a vulnerability in the new operating systems' implementation of SMB (Server Message Block), could be successfully launched from within a network from an already compromised computer, or used to attack Windows 7 machines via Internet Explorer (IE) by transmitting a rogue SMB packet to the PC. Unlike more serious flaws, the Windows 7 SMB bug cannot be used by attackers to hijack a PC, Gaffie confirmed. "No code execution, but a remote kernel crash," he said in an e-mail today. None of the 15 affected the final version of Windows 7, which was released to retail Oct. 22, or affected Windows Server 2008 R2. Gaffie also said that Microsoft's security team has acknowledged the vulnerability, which he first reported to them last weekend, but was told by the company that it wasn't planning to fix the flaw with a security update, instead perhaps correcting it in the first service packs for Windows 7 and Server 2008 R2. A Microsoft spokesman confirmed that the company is looking into Gaffie's claims. "Microsoft is investigating new public claims of a possible denial-of-service vulnerability in Windows Server Message Block," said the spokesman in an e-mail reply to questions. "Once we're done investigating, we will take appropriate action ... [which] may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves." Gaffie's disclosure came just a day after Microsoft issued November's security updates, which patched 15 vulnerabilities in Windows, Windows Server and Office.

Microsoft pushes switchover deal for CRM Online

Microsoft is trying to steal away Salesforce.com and Oracle CRM on Demand customers with a new offer that will provide them with six months' access to its own CRM Online application at no charge if they sign a 12-month contract. That compares to $65 per month per user for Salesforce.com Professional. Microsoft charges US$44 per month per user for CRM Online Professional edition. Oracle CRM on Demand pricing starts at $70 per month per user.

Microsoft will consider expanding access to customers of other CRM products once it sees how well the program is received, Wilson said. Meanwhile, Microsoft's application is comparable from a feature standpoint and "already about 35 percent cheaper" than the competition, said Brad Wilson, general manager of Dynamics CRM. The six-month offer is valid through the end of this year. Six months is about how long it takes a customer to know for sure whether an application is right for their business, said Ray Wang, partner with the analyst firm Altimeter Group. For one thing, a customer and Oracle or Salesforce.com may have a year-to-year deal, which might still be in effect when the six-month trial period expires, Wang said. But potential hurdles lie in the way of a smooth transition over to CRM Online, he added. While contract terms may allow the customer to cancel, they may not get a refund on the year's remaining fees, according to Wang. "Hopefully you'd be [signed up] month-to-month."

Microsoft on Monday also announced price cuts for its Business Productivity Online Suite. "It's good to check and see where you are in that process." Overall, however, "users win" in price wars like this, Wang said. Other SaaS (software as a service) vendors, such as NetSuite, have made a steady stream of financial enticements in recent months too, as sales slowed during the global recession. It is also planning to roll out the software worldwide in the second half of 2010, he said. Salesforce.com has also quietly lowered monthly per-user fees for its two lowest-end editions, Contact Manager and Group Edition, to $5 and $25 respectively, down from $9 and $35. Meanwhile, Microsoft is announcing the CRM switch-over deal in conjunction with an update to CRM Online, Wilson said. The service is now available in North America.

No credit card information is required to sign up, although users need to provide an e-mail address. In the new release, Microsoft made signing up for CRM Online "super-simple," he said. They can then start a free trial with either Microsoft's Outlook client or a browser-based interface, Wilson said. A series of help tools provide information on setup and maintenance. Thirty-day trials include sample data so users can begin experimenting with the system. Microsoft has also developed an improved data import wizard.

In addition, mobile access is available at no additional charge for any phone with an HTML 4.0-compliant Web browser. "We specifically tried to engineer [the application] to make it really easy for people who don't have CRM systems," Wilson said.