> News > Full Story
'biggies' take a little plunge in US
a report by IDC, the US server market plunged 30 percent in
the third quarter of 2001, with IBM the least damaged and
HP edging to within a fraction of Sun's lead in the key Unix
server segment. The total server market dropped from $15.2
billion in the third quarter of 2000 to $10.7 billion in the
third quarter of 2001.
In the overall market, IBM sales dropped 6.1 percent to $2.8
billion, but its market share rose 6.5 percent. Much of that
gain took place at the expense of rival Sun Microsystems,
which lost 6.3 percent of market share and saw revenue plunge
53 percent to $1.3 billion.
Sun, which specializes in the Unix servers that make up the
largest part of the overall market, had been ascendant in
2000, but lumbering IBM mustered a response and now is carving
back sales from Sun. Meanwhile, HP, once the top Unix server
seller, is fighting back as well, and IDC said that, the company
is within a hair's breadth of reclaiming the lead.
In the Unix market, Sun had 28.8 percent of the market in
the third quarter, with sales of $1.33 billion. HP had 28.5
percent with sales of $1.31 billion, IDC said. IBM, in third
place, had $960 million in sales for 20.9 percent of the market.
In the overall market, Compaq Computer was in second place
with 16.3 percent of the market and a revenue drop of 34.7
percent to $1.75 billion. HP was in third place with 15.2
percent and revenue that dropped 29.7 percent to $1.64 billion.
Dell, in fifth place with 7.9 percent of the market, had a
revenue drop of 5.8 percent--the smallest of the top companies--with
revenue of $847 million.
hole ignored by many
new survey by Web server information firm Netcraft
reports that administrators of many e-commerce
websites have yet to plug a year old security
hole that allows malicious users to hijack other
According to the report, all vulnerable systems
use Java Application Servers based on Sun Microsystems'
reference implementation of the Java Server Developers
Kit 2.0. The affected applications are Java Web
Server from Version 1.1, IBM's WebSphere, and
various versions of Cambridge, Mass.-based Art
Technology Group Incorporated's Dynamo e-Business
The vulnerability may harm users because it can
provide unwanted access to session IDs. Netcraft
in a monthly survey said, more than 1000 transactional
websites, many of which are high-profile, still
use predictable session Ids. Session IDs are issued
to users when they log in and are used to identify
each page request. A user's ID is displayed in
the Web browser address bar or stored on a user's
hard disk in a cookie. The IDs are encoded using
a simple rule, making them easy to predict. A
malicious user could simply alter the address
or cookie on his machine and take over somebody
JSP (Java Server Pages) aren't widely deployed
by rank-and-file sites, but professional e-commerce
Web sites that provide services such as stock
trading, banking and ticketing often use them,
Netcraft said. Most vendors however have fixes
for the problem.
new replication technology called asynchronous
replication is the latest approach to providing
fault tolerance for server and network storage.
Unlike the replication technologies that preceded
it, asynchronous technology works by capturing
changes in files at the OS level.
Previous replication technologies like SQL transaction
replication, work either within applications or
at the hardware layer. In the former case, the
level of protection is limited to a single application
engine and typically adds overheads to the network.
In the latter case, it often causes latency to
the production disk or significant and cost-prohibitive
WAN (Wide Area Network) usage.
Instead of replicating transactions within an
application or disk blocks, asynchronous replication
technology captures changes to any files managed
by the server OS at a byte level. This is accomplished
by installing a file-system filter driver, which
filters all transactions sent to the file system.
Using a few simple rules, the filter driver captures
a copy of each transaction and passes it to a
system service or daemon, which then transmits
it via TCP/IP to the target server.
Regardless of the application that creates data
change, like SQL, Exchange, Web services, and
file sharing, the disk write looks the same by
the time the OS sees it. Specifically, the disk
write is an instruction to modify the logical
bytes of a given file.
From the OS viewpoint, there is no difference
between an update to Exchange and an update to
a text file from NotePad.exe. This approach ensures
the data replication is completely independent
of the application. This approach is hardware-independent.
It doesn't matter whether a Windows 2000 OS is
storing data on a storage-area network or on its
own storage drives.
A common misunderstanding about asynchronous replication
is that the replicated data isn't as current as
the production data. This occurs only in cases
in which there is a constant flow of writes to
the production disks and the amount of actual
bytes changed is greater than the bandwidth of
the connecting pipe.
However, in environments with large databases,
the I/O demands on production disks are significantly
higher in reads than writes. So the small percentage
of write I/O is actually replicated with negligible
latency to the target.
As for data delivery, almost all replication technologies
use standard network protocols. The differentiator
is whether they use a dedicated crossover cable
or standard Internet Protocol. Crossover connections
require servers to be in relatively close proximity,
which negates their viability for disaster recovery.
Standard IP networking with asynchronous replication
provides a very economical disaster recovery solution
because you can deploy disaster recovery target
servers across the Internet or a corporate WAN.
In regard to data integrity, it's important to
ensure the sequential transmission of asynchronous
replication. Since it's possible to lose packets
across the wide area, and given the possibility
of latency, it's critical to ensure that packets
don't arrive at the target in a different order
than the one in which they were transmitted.
The OS receives logical changes from applications
and converts them to file-write instructions.
Asynchronous replication technologies capture
these file-change commands and send them to another
server via IP networking. The second server simply
applies the same file-change command.
at Internet Security Systems Inc. (ISS) and the Computer Emergency
Response Team/Coordination Center (CERT/CC) said in separate
statements that attackers could get full access to servers
running Unix versions supplied by Sun and IBM. This is due
to a security hole in the login program of the OS.
A buffer overflow flaw in the Unix login program authenticates
access to the system by usernames and passwords. Since the
login program can also be used remotely by running telnet
and rlogin (remote login), the flaw can be exploited even
by those who do not have direct access to the system. Systems
are only vulnerable if telnet, rlogin, and other terminal
connection services that use login for authentication are
enabled, which they usually are by default.
Attackers can exploit the vulnerability to gain superuser
privileges or root access to the server, which is the highest
privilege level on Unix systems, allowing the attacker to
execute arbitrary commands. A software tool, or exploit, to
compromise systems running the affected OSs has been made
ISS and CERT/CC advise system administrators to install SSH
(Secure Shell), a secure alternative to telnet and rlogin,
and disable default terminal connection services until the
software can be patched. Sun and IBM have software fixes available,
according to CERT/CC.
Sun's Solaris 8 and earlier versions, and IBM's AIX versions
4.3 and 5.1, are affected. Other systems derived from the
same code base, Unix System V, could also be vulnerable, CERT/CC
The ISS security advisory can be found at xforce.iss.net/alerts/
The CERT/CC advisory can be found at www.cert.org/advisories/CA-2001-34.html
companies more keen to outsource security
findings by IDC point out that larger organizations are more
comfortable outsourcing the management of their security functions,
unlike their small and medium-sized counterparts. The key
reason is, ironically, that big enterprises typically have
dedicated IT staff to manage their security in-house, and
therefore have clearly defined security policies and procedures.
By the same token, small companies lack both the manpower
and resources and only one person does everything. And so
he/she may not have the time to properly document the processes.
By having proper security processes with clear documentation,
an enterprise can not only mitigate the risks involved in
going to an external party, but also enable itself to identify
critical elements of security functions that need to be managed
IDC's early findings highlight an important point. Security
outsourcing is an option that more companies are willing to
consider--even conservative ones. High profile security breaches,
increased Internet usage, the increased number of e-commerce
initiatives undertaken, and increased mobile and collaborative
computing are business factors driving the change in attitude
and old bias.
upgrade adds Java and SOAP support
latest release (Release 2) of Oracle's 9i Application
Server supports Java 2 Enterprise Edition, Web
technologies like SOAP (Simple Object Access Protocol)
and the Universal Description, Discovery and Integration
directory of business-to-business services. A
free developers' edition of the upgrade is available
for downloading from Oracle's website. Standard
and enterprise editions of the software are scheduled
to ship in the first quarter.
Oracle users feel the Java support in Release
2 can help reduce the cost of tying together different
enterprise applications. The upgrade can help
reduce costs and ease integration complexity by
providing a single platform for connecting applications.