In this month's column, rather than devoting it to a single topic, I'll bring readers up to date on some of the issues that I've covered recently.
Windows Security, an ongoing struggle. It's been a rough month on the security front. In my September column I talked about computer security for Windows NT/2000. I hope that my readers were paying attention. While the column was sparked by the “Code Red” worm that was wreaking havoc at that time, the Nimda worm that appeared in the wild beginning on September 17th was even more aggressive in its power to propagate, consume network bandwidth, and corrupt servers. Each new generation of viruses and worms benefits from its predecessors. Nimda exemplifies this process in that it included quite an amalgamation of dirty tricks, each of which had been used in earlier viruses and worms. Nimda proved to be one of the most insidious worms of all time. The worm was programmed with at least six different ways to spread itself—all of which relied on known vulnerabilities for which patches had been available for quite some time. Nimda managed to penetrate some servers that had been fully patched after being infected by the Code Red worm the previous month. In many cases there were “back doors” created by Code Red that were not removed as part of installing the service patch. Nimda was able to take advantage of this back door as one of its avenues of attack.
Remember, as I emphasized in my September column: keep your system up-to-date with all operating system service releases and hot fixes, keep your anti-virus software current, keep all unessential network ports disabled, and use personal firewalls to supplement your network's security infrastructure. Organizations that followed this advice would have likely been spared from the wrath of Nimda.
It is also important to follow proper procedures when recovering from a security incident. Once a computer has had a system-level security compromise, it is nearly impossible to discover all the problems introduced by the attack. In the case of Nimda, the only guaranteed approach to safely recover the system involves disconnecting the server from the network, reformatting the hard drive, reinstalling the operating system, applying all security patches and then reinstalling the software applications and data. While Nimda removal tools have been developed that involve a less drastic approach, there remains some possibility that they may not detect and remove all possible problems. Such was the case with Code Red where back doors were left in place causing the server to be vulnerable to future attack.
I cannot emphasize this strongly enough: if your organization makes use of Windows NT/2000 servers, it is essential to be very attentive to security issues. The hacking community continues to target Microsoft's operating systems and applications. Microsoft's operating systems continue to reveal security flaws.
The persistent attacks and the increased effort and attention required to keep them patched and secure may drive many organizations away from Windows and toward Unix/Linux as a preferred server platform. Gartner, one of the best-respected computer industry research firms, recently went as far as to suggest that organizations consider moving their Web applications away from Microsoft's Internet Information Server (IIS) in favor of other alternatives (see “Nimda Worm Shows You Can't Always Patch Fast Enough” by John Pescatore, www3.gartner.com/DisplayDocument?doc_cd=101034). I personally don't believe that libraries necessarily need to take immediate or drastic steps in this direction. Yet these latest worm outbreaks will likely have a longer-term effect on the level of confidence that can be placed in Windows-based systems for critical services.
IntelliMagic. A correction. Last month I wrote about Inmagic's new IntelliMagic competitive intelligence product. I mentioned, based on information given to me by Inmagic, that IntelliMagic uses XML as its means of moving information through the application. The Inmagic folks told me after the column went to press that while Inmagic.NET relies on XML, the initial version of IntelliMagic does not.
Sirsi's acquisition of Data Research Associates. For the July/August issue I wrote about the acquisition of Data Research Associates by SIRSI Corporation. This deal has now come to completion. Though it took just a little longer than originally announced to finalize the purchase, DRA is now a wholly-owned subsidiary of SIRSI Corporation.
Since DRA was a publicly owned company, more information is available than would be the case when a merger or acquisition involves only private companies. The documents filed with the SEC, available on Edgar/Online and elsewhere, indicate the complexity of the transaction. The process involved not only the corporate entities that I mentioned in the earlier article (SIRSI Corporation, SIRSI Holdings Company, CEA Capital Partners, and DRA) but also another temporary entity called McGuire Acquisitions, Inc., a company created by SIRSI Holdings Company to purchase DRA stock and transfer the board of directors of DRA to SIRSI appointees. With the conclusion of the purchase, McGuire drops away and SIRSI remains as the surviving company.
With the acquisition complete, the interesting part of the process commences. Key questions seem to involve how SIRSI will position Taos relative to Unicorn, especially for libraries that use the DRA Classic system. Commitments have been strongly expressed that the combined company will continue development and support of Taos. Prior to the sale, adoption of Taos was sluggish. It will be interesting to observe how this product fares in the market under the ownership of SIRSI.
OCLC SiteSearch. Last June, OCLC announced that it had plans to phase out its SiteSearch product. The initial announcement indicated that OCLC would cease development with release 4.2.0, due to be released in Fall 2001, and that support for the product would extend through the end of 2002.
Following that announcement, OCLC held a series of meetings with its US and European SiteSearch customers. Based on these conversations, OCLC has made several decisions regarding the future of the product.
Consistent with the initial announcement, Version 4.2.0 will be the last developed directly by OCLC, and it is still expected to be delivered this fall. OCLC has extended the time that it will provide support through the end of 2003—including annual maintenance releases. Training on the product will continue to be available from OCLC during the support period. Libraries have been able to purchase custom services for SiteSearch, where OCLC will build customized interfaces for a fee. This service will also be available through the end of 2003.
One of the key issues regards the source code. A major trend involves the distribution of software in an open source model where the original programming code is included along with an application. This model allows anyone to make modifications and changes in the application. With the alternative closed-source approach, only the original software developer can make changes.
A large number of SiteSearch customers expressed a strong interest in making SiteSearch completely open source. OCLC has announced that the Java source code for SiteSearch will be provided to current licensees of the software with the 4.2.0 release. OCLC indicates that it will make the Java source code available for all non-commercial purposes by the first quarter of 2002, which comes very close to the full open source approach. The main exception is that any commercial reselling of the software would be subject to royalties.
The cost of SiteSearch has always been pegged to the number of simultaneous users allowed or to the size of the organization's user population. OCLC will continue to enforce the restrictions associated with each library's license through the end of the support period. Past that date, libraries can use the software as they wish without cost implications.
A new president for epixtech. A change in leadership will occur soon at epixtech. Lana Porter will be stepping down as CEO and President of epixtech, effective January 2002. Porter has led the company since 1996, when it was known as Ameritech Library Services and operated as a subsidiary of Ameritech, a major telecommunications company. In 1999 Ameritech Library Services was purchased by a group of investors, emerging as epixtech, inc. Porter played a key role in this transition and has continued to head the company since that time. After she steps down as President and CEO, Porter will continue her association with epixtech, inc. as Vice Chairman of the Board of Directors.