TRENDS From the April 2006 issue of Communications News
Is VoIP the next target?
The scale of the DoS problem, where networks are brought down by flooding them with e-mail, is difficult to assess. Many attacks are simply not reported because organizations fear they may undermine client confidence in their security. The number of “zombie” computers being used to action these distributed DoS attacks is another unknown, but estimates always range in the millions. Armies of zombie computers can be hired for relatively small amounts of money on the black market, and the attack command is usually given via instant messaging. Internet service providers (ISPs) are currently able to survey the instant message servers, and ascertain from the traffic where the control is coming from, where it is going and even anticipate an attack. If the control traffic were to be obfuscated, however, then catching those responsible for DoS attacks would become more difficult. According to CRN, VoIP tools could offer good cover traffic for DoS attacks because VoIP runs continuous media over IP packets. The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making tracing the source of an attack almost impossible. In addition, proprietary protocols–intended to protect a company’s technology edge and prevent those ISPs who are also telephone companies from blocking the VoIP application–inhibit the ability of ISPs to track DoS activity. Encryption for user privacy, P2P and a super-peer system to assist with call routing and NAT/firewall traversal further obscure the command traffic.
“While these security measures are in many ways positive,” says CRN’s Jon Crowcroft, Marconi professor of communications systems at Cambridge University, “they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks. Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation.”
Crowcroft suggests that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. These measures would allow legitimate agencies to track criminal misuse of VoIP, and Crowcroft contends there is also a clear business case for their implementation. If VoIP providers were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share. If the routing specifications were to be more transparent, those ISPs who are not telephone companies could traffic engineer for VoIP traffic, delivering a better quality of service to VoIP users. One of the CRN’s key recommendations is for the establishment of a central database where companies and individuals can log attacks anonymously, thereby allowing the communications industry to assess the scale of the problem and identify patterns of attack.
The truth(?) on Linux management
In various studies, Microsoft and some analysts have claimed Linux has a higher total cost of ownership (TCO) than Windows. They attributed the difference mainly to higher system-management costs, and concluded that the higher TCO outweighed the lower license and acquisition costs for Linux. In a new study of more than 200 Linux enterprises conducted for Levanta, however, Enterprise Management Associates (EMA) found that this perception is no longer accurate. Sophisticated management tools now allow Linux management to be fast, effective and inexpensive. With lower acquisition costs, Linux is now a cost-effective alternative to Windows, EMA says. Study respondents represented a range of industries, with most organizations being small to midsize enterprises, earning less than $5 million in revenues, although 27% had revenues of more than $100 million. Most respondents had fewer than 500 employees, but almost 20% had more than 2,500 employees. EMA analyzed the cost factors cited in previous studies and found the following: Seventy-five percent of administrators using sophisticated tools can provision a Linux system in less than one hour; one-third can provision a system in less than 30 minutes. Most Linux administrators spend less than five minutes per server per week on patch management. Sophisticated management tools reduce this effort even further.
Most respondents reported 99.99% or higher availability for their Linux systems. A significant number (17%) reported no downtime at all. In more than 60% of cases when problems occur in Linux environments, they are diagnosed and repaired in less than 30 minutes, more than eight times faster than the industry average. Eighty-eight percent of enterprises with Linux and Windows spend less effort managing Linux; 97% say it is, at worst, the same for both systems. Respondents with sophisticated management tools all reported Linux management is the same or easier than Windows management. Enterprises with sophisticated management tools did not find any significant difference in storage-management effort or utilization for either Windows or Linux. Salaries for combined Linux/Windows administrators are only marginally higher than for Linux-only administrators. Linux skills are readily available. Seventy-nine percent of enterprises spent nothing on Linux consulting, and 63% spent nothing on training. For similar environments, Linux acquisition costs can be almost $60,000 less per server than Windows in software costs alone. Windows also incurs higher hardware costs. Linux tends to be more productive, as Linux administrators tend to manage more servers than Windows administrators, and Linux systems tend to handle greater workloads than Windows systems. Seventy-five percent of Linux administrators spend less than 10 minutes per server per week managing security. With sophisticated management tools, this goes up to more than 85%. Ninety-five percent of Linux administrators with sophisticated tools spend less than 10 minutes per server per week managing viruses and spyware. Respondents strongly endorsed Linux as inherently less vulnerable. One administrator who handles both Linux and Windows for a large entertainment software group said, “I see way less (virus) traffic for Linux than for Windows.” Another administrator for a major U.S. bank said he spends twice as much time on virus and spyware protection for Windows than for Linux. A large peripheral manufacturer spends 10% of its virus and spyware management effort on Linux, and 90% on Windows. The MIS manager at a large city university with equal numbers of both platforms said, “It is a constant battle to get the Windows servers to work.” The MIS manager at a large state university stated simply, “Anything you need to do on Windows just takes more time than the same thing on Linux.”
This study found, at worst, a marginal difference in base resource costs between Linux and Windows. Linux becomes less expensive when taking into account the ability of Linux to support larger numbers of users, and the additional productivity of Linux administrators. Overall, resource costs for Linux environments are therefore likely to be lower than for Windows. In many cases, Linux is likely to be a significantly less expensive platform to acquire and maintain than Windows.
Five states in the lead
The state and local government information technology (IT) market does not have uniform habits when purchasing IT security technology. In fact, five states (Ohio, Michigan, Wisconsin, Washington and Massachusetts) invest between 30% and 70% more in security technologies at all levels of government than the average of the top 24 states. State and local governments that understand the value of technology and its impact on the business of government display similar traits. These “ahead-of-the-curve” governments are cognizant of the risk-reward tradeoff, but tolerant of the risk and capable of managing it; have legislative and/or political support for IT agenda; have association or institutional support for IT education; and prioritize IT security expenditures across multiple product categories. The initial installment of the TIC indexes core information-security purchases in network and security hardware, security software, and antivirus, antispyware and antispam software. Of the 24 most-active states in IT spending, five states have information-security investment profiles between 31% and 76% higher than the average. These “lead investor” states–Ohio, Michigan, Wisconsin, Washington and Massachusetts–demonstrate significant, committed investment in core information-security technologies at all levels of government, and over the entire time span of the assessment. The TIC for security is a quantitative, relative index of information-security investment. Information security investment is a single component of the people, processes and technologies required to maintain a robust security profile.
Hazardous network gear
Environmentally friendly computers, servers and other networking products are on the way to American enterprises, which can thank (or blame) Japan and Europe for the change to products manufactured with fewer toxic materials.
Now, American manufacturers must address legislation enacted by the European Union (EU), called “restriction on hazardous substance” (RoHS), not because U.S. law requires compliance but because they will not be able to sell into Europe unless their products meet RoHS requirements. The result is likely to be that products sold in the United States will be in compliance with the EU directive, as U.S. manufacturers opt not to produce different products for the two markets. The EU directive on RoHS is just part of an ever-increasing push for more environmentally sound manufacturing policies. Launching around the same time in the European Union is the Waste from Electrical and Electronic Equipment Directive (WEEE), which covers the recyclability of equipment. Although there is little or no federal legislation similar to RoHS or WEEE in the United States currently, California has announced legislation effectively mirroring the EU directives. Among the products affected are IT and telecommunications equipment, and electrical and electronic tools. The six substances banned by RoHS include cadmium, mercury, hexavalent chromium, polybrominated biphenyls and polybrominated diphenyl ethers, as well as lead.