Hiring budgets begin to thaw

Employers could be filling IT positions in the coming months, research suggests, as the number of positions expected to be created could begin to outpace anticipated job cuts in some industries. Hiring budgets could be coming out of the deep freeze that began at the start of the economic recession, according to industry watchers. Outplacement firm Challenger, Gray & Christmas reports that in September employers began to detail plans to hire more workers than they did in 2008. Through September 2009, employers have announced plans to hire 169,385 workers this year, an 88% increase over the nearly 90,000 planned hires announced in the first three quarters of 2008. The sectors planning the most hires include retail, government and nonprofit, and enterprise and leisure.

Employers in the telecommunications industry announced 6,339 planned hires for 2009, compared with 2,689 last year. Electronics companies expect to add 1,765 new jobs, a decline from 2008's 3,013 planned positions. Aerospace and defense employers intend to add 2,618 new positions, fewer than the 4,709 in the previous year. E-commerce vendors reported they would augment staff with 1,572 new openings, an increase over the 500 added in 2008. And while the computer industry reportedly announced 7,717 new hires in 2008, the data Challenger, Gray & Christmas has tracked so far this year shows the industry isn't planning any new hires in 2009. "These figures represent just a tiny fraction of the hiring and available jobs out there. There simply are more job seekers than there are jobs. We track hiring announcements," said John Challenger, CEO at the outplacement firm, in a statement. Challenger, Gray & Christmas also cited recent Bureau of Labor Statistics data that showed 2.4 million job openings as of August, down from 3.9 million in 2008. The same government agency reported that 4 million workers were hired in August, despite the unemployment rate nearing 10%. "There is no doubt that this is a tight job market. However, it would be a mistake to assume that no one is hiring," Challenger said.

Separately, IT research firm Foote Partners also found cause for optimism in recent government statistics. David Foote, CEO and chief research officer, said in a statement that while high-tech industry segments have been posting job losses, they are losing fewer jobs and in some cases adding positions. For instance, "five IT bellwether job segments" have posted collective job losses of between 4,000 and 11,000 jobs each month (including 4,300 lost in August), but have also shown gains, such as 7,400 positions in July. "Consider that according to the Department of Labor's labor market segmentation there has been a net loss of 32,600 IT related jobs since January 2009, but a net gain of 1,400 since July, it's clear that we're heading in the right direction," Foote said. "We continue to maintain optimism for the rest of the year, for IT services sector in particular."

NEC upgrades to HYDRAstor grid storage system

NEC Corp. today unveiled several upgrades to its flagship HYDRAstor grid-storage system, adding write-once, read-many (WORM) capabilities and the ability to encrypt data in transit. NEC officials said that the upgraded software will increase performance by 67%, while boosting security and improving HYDRAstor's ability to archive mission-critical data. The upgraded system also provides deduplication capabilities for more third-party backup applications. "Over 70% of even high I/O data from source applications such as databases have not been touched after 6 months. A lot can be offloaded onto more efficient platforms," said Gideon Senderov, director of product management for NEC's IT Products Group.

The new RepliGrid in-flight data encryption capability protects data as it is transmitted between HYDRAstor grids and data centers, he added. The new HYDRAlock WORM capability allows administrators to lock out any changes to documents or other records, maintaining a chain of custody for regulatory purposes, Senderov said. NEC also announced that it will allow users to license additional physical capacity that can be activated without adding components. For example, customers can now license as little as 12TB of capacity in a 24TB configuration and then pay a fee to activate additional capacity as needed. A new quota management system allows administrators to set limits on the maximum effective capacity allocated to each file system and its associated application.

The quota management system also offers threshold notifications as well as the ability to set aside a capacity reserve for other applications, such as critical archive data. The upgraded system can deliver up to 1.8TB per hour per accelerator node and up to 90TB per hour for the largest supported configuration of 55 accelerator nodes and 110 storage nodes, according to the company. Accelerator nodes are the controller blades with the CPU processing power, and storage nodes are the system blades with disk storage capacity. Previously, the HYDRAstor grid architecture had a default capacity of 256 petabytes for all applications. NEC said that the performance boost comes from software enhancements and more efficient inter-node data transfer and communication protocols. "We are really looking forward to taking advantage of the new in-flight encryption and quota management functions," said Scott Ashton, a LAN/WAN specialist at TLC Engineering for Architecture Inc., an Orlando, Fla.-based engineering firm. "We've really seen the return on our initial investment as we've been able to take advantage of each new upgrade with HYDRAstor since our early adopter installation in 2007." NEC today also introduced lower-capacity, or "entry-level," models of HYDRAstor offering raw storage capacities of 12TB (over 150TB effective capacity), 24TB (over 300TB effective capacity) and 36TB (over 450TB effective capacity). "A highly resilient storage solution primed for archiving, that self-evolves with the ability to intermix several generations of technology, offers global deduplication, great scalability, and automates provisioning, migration, workload balancing and system management will be the key features of a storage solution that the market will demand," said Dave Russell, a vice president at researcher Gartner Inc.

The new application-aware deduplication feature allows newly supported third-party backup applications such as IBM's Tivoli Storage Manager and EMC's NetWorker, as well as the previously supported Simpana from CommVault and NetBackup from Symantec, to take advantage of the data-reduction feature. With the exception of the WORM capability, customers can install the latest HYDRAstor upgrades for free. The WORM upgrade costs $14,000 per accelerator node.

Defunct airport fast-pass program may be revived

Tens of thousands of subscribers to a registered air traveler program, who were left feeling scammed when the company offering the service abruptly went out of business, may soon get a break. A new investment group based in California has signed a letter of intent with Morgan Stanley, the defunct company's largest debt holder, according to the New York Times. Under a proposed plan, the investment firm will be allowed to buy the assets of Verified Identity Pass Inc. (VIP) and restart the Clear fast-lane security service, the Times reported, quoting the owner of the Emeryville, Calif.-based investment banking firm, Henry Inc. Subscribers to the Clear service, some of whom had signed up for two years or more of service just before VIP went out of business, will be offered a chance to continue their subscriptions after the deal goes through.

If an individual chooses not to, any personal data on that individual that had been collected by VIP for Clear will be permanently destroyed, the Times said, quoting the investment banker. VIP was one of seven companies approved by the Transportation Security Administration (TSA) to operate a registered traveler program, which lets air travelers get through airport security checks faster. It offered the service at 21 major airports, including New York's John F. Kennedy International Airport, La Guardia, Boston's Logan International and Atlanta's Hartsfield-Jackson airports. The news is likely to provide some comfort to thousands of customers of VIP who were left in the lurch when the company in June abruptly announced it could no longer offer the Clear service because it had run out of cash. More than 200,000 customers had signed up for the service when the company went out of business. To sign up for VIP's Clear service, customers had to submit to background checks and provide identifying information, including Social Security and credit card numbers, home address, date and place of birth, phone numbers and driver's license number. They also had to provide fingerprints, iris scans and digital images of their faces.

Many participants were left feeling scammed when VIP announced that it couldn't refund their subscriptions because it had run out of money. VIP's decision to shut the service raised concerns about the fate of the data that had been collected by the company. The company made matters worse by hinting that it would sell the data it had collected to fulfill its debt obligations.

Days after the company's closure, the chairman of the House Committee on Homeland Security asked the TSA to ensure that all information collected by VIP was properly protected and destroyed. In August, a federal judge in New York issued an injunction prohibiting VIP from selling, transferring or disclosing to any third party the data it collected while operating the Clear service. The motion was in response to a lawsuit brought by concerned customers. The injunction, however, was later lifted on a technicality. Todd Schneider, an attorney with Schneider, Wallace, Cottrell, Brayton, Konecky LLP, a San Francisco law firm representing one of the parties in the lawsuit, today said he was unclear on the ramifications of the reported purchase of VIP's assets by the investment banking firm. For the moment, the purchase does little to alleviate the major complaint in the lawsuit, which is that VIP's customers didn't get a refund of their subscriptions. "That is something that they are entitled to regardless of whether or not other companies" purchase VIP, he said. A hearing in the case has been scheduled for Oct. 16, where Schneider plans to again ask the judge to bar VIP from selling its data assets to any third party.

News of the proposed purchase comes as the House Committee on Homeland Security is scheduled to hold a hearing today on the future of the registered air traveler program.

Avaya promises near-term support for Nortel gear

Nortel enterprise customers will be able to buy the company's current line of products for 12 to 18 months after Avaya officially takes ownership of Nortel's enterprise division, which it won at auction for $900 million. Support for Nortel gear will continue throughout that transition, an Avaya spokesperson says. After that period, Avaya says it will have a migration path laid out that customers can follow to bring themselves into Avaya's official product line. Because the two companies' products overlap, some analysts think the deal was more about customers than it was about technology.

Regardless of the migration path, Avaya says it will honor three- to five-year product support for all customers. Task forces from both companies will be tapped to figure out which products make the most sense to keep and which ones need to be merged. The company says the product road map for the expanded Avaya will be ready 30 days after the deal is officially closed. Avaya says it will honor all of Nortel's service contracts, including those that Verizon claimed in a legal filing would be canceled. The contracts in question extended to Verizon customers through its services business.

Verizon sought last week to get Avaya removed from the auction for Nortel's enterprise division. The last-minute appeal claimed Avaya intended to toss out the contracts and that this would result in national security issues because some of the gear was supplied to critical government agencies. "We intend to fulfill the contract that is the subject of their filing. The customers will receive service," an Avaya spokesperson says. Long term, Avaya says it will rely on its Aura Session Manager platform to unify customers' Session Initiation Protocol-based communications gear into a single system. Because Avaya Aura is compatible with Nortel's open architecture, customers will be able to build multi-vendor environments without requiring a swap-out to all-Avaya equipment.

Aura already supports Nortel gear as well as products from major VoIP vendors Alcatel-Lucent, Cisco, Mitel, NEC, ShoreTel and Siemens. As for R&D, Avaya says the Nortel and Avaya resources are complementary enough to help the combined company bring new products to market more quickly.

Microsoft Internet Explorer SSL security hole lingers

Microsoft still does not acknowledge a weakness in its Internet Explorer browser that was pointed out seven weeks ago and enables attackers to hijack what are supposed to be secure Web sessions. The company says it is still evaluating whether the weakness exists, but Apple, which bases its Safari for Windows browser on Microsoft code, says Safari for Windows has the weakness and the Microsoft code is the reason. Apple has fixed the problem for Safari for Macs. If Microsoft doesn't fix the problem, Apple can't fix it on its own, Apple says.

"Microsoft is currently investigating a possible vulnerability in Microsoft Windows. Once our investigation is complete, we will take appropriate action to help protect customers," a Microsoft spokesperson said via e-mail. "We will not have any more to share at this time." The weakness can be exploited by man-in-the-middle attackers who trick the browser into making SSL sessions with malicious servers rather than the legitimate servers users intend to connect to. In July two separate talks presented by researchers Dan Kaminsky and Moxie Marlinspike at the Black Hat conference warned about how the vulnerability could be exploited using what they call null-prefix attacks. Current versions of Safari for Mac, Firefox and Opera address the problem, which is linked to how browsers read the X.509 certificates used to authenticate machines when setting up SSL/TLS sessions. The attacks involve getting certificate authorities to sign certificates for domain names assigned to their legitimate holders and then making vulnerable browsers interpret those certificates as being authorized for different domain-name holders.

In many X.509 implementations the certificate authority will sign certificates for any request from the hacker.com root domain, regardless of any sub-domain prefixes that might be appended. For instance, someone might register www.hacker.com. In that case, the authority would sign a certificate for bestbank.hacker.com, ignoring the sub-domain bestbank and signing based on the root domain hacker.com, Marlinspike says. At the same time, browsers with the flaw he describes read the name in an X.509 certificate only until they reach a null character (\0). If such a browser reads bestbank.com\0hacker.com, it stops at the null and interprets the certificate as authenticating the root domain bestbank.com, the researcher says. Browsers without the flaw read the full name, correctly identify the root domain and accept or reject the certificate on that basis. An attacker could exploit the weakness by setting up a man-in-the-middle attack and intercepting requests from vulnerable browsers to set up SSL connections.

If the attacking server picks off a request to bestbank.com, it could respond with an authenticated X.509 certificate for bestbank.com\0hacker.com. The vulnerable browser would interpret the certificate as being authorized for bestbank.com and set up a secure session with the attacking server. The user who had requested a session with bestbank would naturally assume the connection established was to bestbank. Once the link is made, the malicious server can ask for passwords and user identifications that the attackers can exploit to break into users' bestbank accounts and manipulate funds, for example, Marlinspike says. In some cases attackers can create what Marlinspike calls wildcard certificates that will authenticate any domain name. These certificates use an asterisk as the sub-domain, followed by a null character, followed by a registered root domain.

A vulnerable browser that initiated an SSL session with bestbank.com would interpret a certificate marked *\0hacker.com as coming from bestbank.com, because it would automatically accept the * as legitimate for any root domain. Such a wildcard will match any domain, he says, because of "an idiosyncrasy in the way Network Security Services (NSS) matches wildcards," Marlinspike writes in a paper detailing the attack. The differences between what users see on their screens when they reach the site they are aiming for and when they reach an attacker's mock site can be subtle. A Microsoft spokesperson says Internet Explorer 8 highlights domains to make them more visually obvious, printing the domain in black while the rest of the URL is gray. "Internet Explorer 8's improved address bar helps users more easily ensure that they provide personal information only to sites they trust," the spokesperson said in an e-mail.
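To make the parsing difference behind the null-prefix and wildcard cases concrete, here is an added example that is not code from the article, from Marlinspike's paper or from any browser: a minimal certificate-name matcher in C, with the NUL-terminated comparison the article describes beside a length-aware version that rejects embedded null bytes and bare wildcards. The sample names bestbank.com\0hacker.com and *\0hacker.com are constructed from the article, and the function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample subject names, as the bytes would arrive from a DER
 * CommonName (which carries an explicit length and may contain a NUL).
 * CN_LEN drops the string literal's own terminating NUL. */
#define CN_LEN(s) (sizeof (s) - 1)
static const unsigned char NULL_PREFIX_CN[]   = "bestbank.com\0hacker.com";
static const unsigned char WILDCARD_NULL_CN[] = "*\0hacker.com";
static const unsigned char HONEST_CN[]        = "bestbank.com";

/* Vulnerable matcher (the behaviour the article describes): the name is
 * copied into a C string, so every comparison stops at the first NUL byte.
 * "bestbank.com\0hacker.com" therefore compares equal to "bestbank.com". */
bool match_vulnerable(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof buf) return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';                        /* bytes after an embedded NUL are lost */
    if (strcmp(buf, "*") == 0) return true;    /* bare "*" accepted for any host */
    return strcmp(buf, host) == 0;
}

/* Hardened matcher: honour the DER length, reject any embedded NUL, allow a
 * wildcard only as the leftmost label, and require at least two labels after
 * it (so "*.com" never matches). Comparison is case-sensitive for brevity. */
bool match_hardened(const unsigned char *cn, size_t cn_len, const char *host)
{
    size_t hlen = strlen(host);
    if (cn_len == 0 || memchr(cn, '\0', cn_len) != NULL) return false;
    if (cn_len >= 2 && cn[0] == '*' && cn[1] == '.') {
        const unsigned char *suffix = cn + 1;  /* e.g. ".bestbank.com" */
        size_t slen = cn_len - 1;
        const char *dot = strchr(host, '.');
        if (hlen <= slen || dot == NULL) return false;
        if ((size_t)(dot - host) != hlen - slen) return false;      /* exactly one label */
        if (memchr(suffix + 1, '.', slen - 1) == NULL) return false; /* reject "*.com" */
        return memcmp(host + (hlen - slen), suffix, slen) == 0;
    }
    return cn_len == hlen && memcmp(cn, host, hlen) == 0;
}

int main(void)
{
    printf("bestbank.com\\0hacker.com vs bestbank.com: vulnerable=%d hardened=%d\n",
           match_vulnerable(NULL_PREFIX_CN, CN_LEN(NULL_PREFIX_CN), "bestbank.com"),
           match_hardened(NULL_PREFIX_CN, CN_LEN(NULL_PREFIX_CN), "bestbank.com"));
    return 0;
}
```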

The URLs in the browser would reveal that the wrong site has been reached, but many users don't check for that, Marlinspike says. He adds that the null character vulnerability is not limited to browsers. "[P]lenty of non-Web browsers are also vulnerable. Outlook, for example, uses SSL to protect your login/password when communicating over SMTP and POP3/IMAP. There are probably countless other Windows-based SSL VPNs, chat clients, etc. that are all vulnerable as well," he said in an e-mail.