Microsoft changes 'ballot screen' to close antitrust case

Microsoft has changed its proposed browser "ballot screen" to wrap up a nine-month antitrust case in the European Union, but rivals remained noncommittal today about whether the modifications are enough. Today, the commission said Microsoft had altered some provisions of the ballot screen, and that it would take comments on those changes from consumers, software makers and computer manufacturers until Nov. 9. The comment period is required by EU law. "We agreed to make a significant number of changes to improve our proposals, and we believe that we've been able to do that," said Brad Smith, Microsoft's chief counsel, in a telephone press conference today. Three months ago, Microsoft told Brussels-based antitrust officials that it would give users a chance to download rivals' browsers with a "ballot screen," just one of the moves Microsoft has made since January in an effort to ward off fines or even more drastic measures by the European Commission. Opera Software and Google said they were studying the changes. "Opera Software supports the concept of a ballot screen to give users easy access to better browsers," said Hakon Wium Lie, Opera's chief technology officer in an e-mail today. "The important question is how this ballot screen is implemented.

Opera, Google and Mozilla, the maker of Firefox, have been allowed to see the charges against Microsoft, study the July ballot screen proposal, and suggest changes. We are still studying the announcement ... and will have further comments at a later stage." Opera's December 2007 complaint sparked the antitrust action, which the EC filed last January, accusing Microsoft of illegally bundling Internet Explorer (IE) with Windows and therefore shielding it from real competition . "The proposal to increase consumer choice in browsers has just been made public and we, like many others, will be reviewing it with interest," a Google spokesman added from Brussels today. "The test will be whether people can easily choose the browser they want to use." Google's interest comes from its Chrome browser, one of the 12 that will be offered users. Mozilla criticized Microsoft's July idea, with top executives claiming that it favored IE and failed to install other browsers. Microsoft's revised ballot screen proposal addresses several concerns of those rivals. Opera, meanwhile, called on Microsoft to offer the ballot screen to all customers, even though Microsoft is legally obligated to offer it only to EU Windows users.

According to the documentation ( download PDF ) released by the commission today, the "Install" link offered for the choices will not only download the selected browser - which is what Microsoft had proposed before - but will also install the application on the user's machine. "An 'install' link will connect to a vendor-managed distribution server, which, upon the user's confirmation, can directly download the installation package of the selected web browser for local execution & the resulting situation will therefore equal a scenario in which the user himself had downloaded and executed the installation package without being aided by the Ballot Screen," said Microsoft's new proposal. Other changes include a new screen that will provide some basic information about browsers, and remind users that they should be connected to the Internet before they proceed. The ballot screen will also display the choices - Apple's Safari, Chrome, IE, Firefox and Opera on the first screen, an additional seven on a second - in alphabetical order by the name of the browser maker - a change from before, when Microsoft had placed IE in the first spot on the far left based on its market share. Microsoft also modified the timing of the ballot screen, which will be delivered to Windows XP, Vista and Windows 7 users via Windows Update. Instead, Microsoft has agreed to start offering the ballot screen to all Windows users eight weeks after EU antitrust officials sign off on the proposal. Previously, Microsoft said it would push the ballot screen to Windows 7 owners on Oct. 22, or within two weeks of approval of the deal, then follow that three to six months later for Windows XP and Vista users.

For its part, the EU seems satisfied with the revised ballot screen. "We believe this is an answer," said commission chief Neelie Kroes in a press conference today in Brussels. Even so, Kroes acknowledged that the revamped proposal may not make everyone happy. "A number of people are never 100 percent satisfied," she said. She also indicated that it was likely the commission would accept Microsoft's ballot screen revisions. "At the end of the day that's what we are looking for," she added. Microsoft was "very pleased" with the EU's decision to move into the last month of the case, Smith said in his press conference. "We welcome the announcement by the European Commission to move forward with formal market testing of Microsoft's proposal relating to Web browser choice," he said.

Microsoft Launches Big Gadget Push for Holidays

Microsoft made its holiday pitch Tuesday in New York giving a sneak peak at what its gadget lineup will look like. The OS adds improvements to Internet Explorer Mobile, new navigation tools, Flash Lite support, and the introduction of Windows Marketplace for Mobile - a new app store. (See Related: Review of Windows Mobile OS 6.5 HTC Pure) To me Windows Mobile 6.5 seems like a transitional step to a future OS - might it be called Windows Mobile 7? - that could pose a more realistic challenge to Android, iPhone, and other mobile operating environments on the consumer side. Here Microsoft stressed its portable music player Zune, Xbox, Windows Mobile 6.5 OS phones, and Windows 7. Microsoft's Robbie Bach, head of Microsoft's entertainment and devices division, said this season it will stress the integration of "lifestyles" with "work-styles." All eyes were on Microsoft's Mobile 6.5 operating system which was announced today.

As for Zune and Xbox, Microsoft says it will be rolling out a new feature that enables content downloaded to one of these devices to be played back on the other. Microsoft Zune representatives say the move will represent the first in a series of steps by Microsoft toward greater integration between various Windows-enabled hardware devices. The video quality will support an impressive 1080p high-definition (HD) video. In attendance Tuesday was phone makers Samsung, HTC, LG, Hewlett-Packard and Toshiba were all on hand delivering first looks at Windows Mobile 6.5 devices. Microsoft, though, faces increasingly visible competition from both the Google Android and Apple iPhone camps in a struggle to expand beyond its relatively good position in the corporate smartphone space. Also on hand were mobile carriers Verizon Wireless, AT&T, Sprint, Telus and Bell Mobility.

Today Verizon and Google announced a partnership to bring Android-based smartphones, PDAs, and netbooks to market later this year. At the CTIA show in Dallas, TX this week, Samsung and T-Mobile introduced the Behold II, a touchscreen phone that brings together the Linux-based Android operating system with Samsung's new TouchWiz user interface for one-touch access to the user's favorite features and applications.

Domain-name abuse proliferates; rogue registrars turn a blind eye

For legitimate businesses, a domain name is a way to hang a shingle in cyberspace. America's 10 most-wanted botnets Criminals are amassing domain names by registering them under phony information, paying with stolen credit cards or hard-to-trace digital currencies like eGold, and breaking into legitimate domain-name accounts. In the criminal world, domain names are a key part of botnet and phishing operations, and cyber-criminals are plundering domain-name registrars around the world to get them. To add to the problem of domain-name abuse, some rogue registrars often look the other way as the money rolls in. "There's absolutely a big problem," says Ben Butler, director of network abuse at Go Daddy, an Arizona-based domain-name registrar that's authorized by the Internet Corporation for Assigned Names and Numbers and the appropriate ICANN-accredited registries to sell domain names based on the generic top-level domains (gTLD) that include .com, .aero, .info, .name and .net.

It fights a round-the-clock battle to identify domain-name abuse, and if a domain name is determined to be used for harmful purposes Go Daddy will essentially "kill the domain name," Butler says. (See related story, "How registrars tackle domain name abuse") During the suspension process, a malicious domain is redirected to a non-resolving server that delivers an error message. Go Daddy has 36 million domain names under management for more than 6 million customers, making it one of the largest registrars around the globe. That's the preferred process instead of outright cancellation, since it's not always clear who the owner of a malicious domain is. "We investigate literally thousands of complaints on domain names each week," Butler says. "And we suspend hundreds of domain names per week." In spite of all these efforts, criminals still slip through the net, in part because registration services are highly automated, validation processes are insufficient, and the criminals are cagey, determined and technically savvy. But the larger issue is not about Go Daddy, which has a good reputation for fighting domain-name abuse, Landesman says. ScanSafe researcher Mary Landesman last month uncovered evidence that a handful of Go Daddy domains were being farmed out for use in three distinct botnet-controlled SQL injection attacks against Web sites in India, U.S. and China.

Rather, the problem encompasses the entire domain-name registration system, along with the faulty Whois database of registrant information (overseen by ICANN) that contains fake data, even total gibberish. "It's not intentionally designed for this kind of abuse, but it works in favor of the criminals," Landesman notes. Domain-name appeal Criminals who mastermind botnets for spam, phishing, and denial-of-service attacks have come to rely on domain names because it gives them "stability" in their controls, says Joe Stewart, a researcher at Atlanta-based SecureWorks. "All the bots can map to the new IP address when it comes up." "It would be a lot less convenient to use an IP address," says Amichai Shulman, CTO at Imperva, since this would tend to limit criminals to a more specific set of servers. Effective reform of the domain-name registration process would strike at the heart of Internet crime, she says. Many note that criminals today can be seen making clever use of what's known as "fast flux" to rotate a botnet through "thousands of IP addresses using a single domain or group of domains," says Dean Turner, director of Symantec's global intelligence network. "It's designed to defeat IP blacklists." "Domain names are easily portable," says Sam Masiello, director of threat management at McAfee. "They use fast flux for content delivery." A report published in May highlights the role of domain names in phishing cybercrime. Within that number, "we identified 5,591 that we believe were registered by phishers," the report says. "These 'malicious' domains represents about 18.5% of the domain names involved in phishing. The Anti-Phishing Working Group's report, "Global Phishing Survey: Trends and Domain Name Use in the 2nd Half of 2008," shows that there were 56,959 phishing attacks for that period occurring on 30,454 unique domain names.

Virtually all the rest were hacked domains belonging to innocent site owners." The report notes that the number of phishing methods based on unique IP addresses rather than domain names is steadily dropping, from the 6,336 seen in the first half of 2007 to just 2,809 unique IP addresses in the second half of last year. This practice can only be mitigated by the subdomain providers themselves, "and some of these services are unresponsive to complaints," the report says. Another trend, according to the report, is for phishers to use so-called "subdomain registration services" via providers that give customers subdomain "hosting accounts" beneath a domain name the provider owns. This takes the problem to another level, particularly for ICANN, which has no obvious authority outside of its direct contractual relationships with registrars and registries in the ICANN-driven domain-name world. However, the report notes the .com domain still scores as the largest single TLD favored by phishers, accounting for 46% of the phishing domains monitored for the period. Subdomains now count for about 12% of all domains involved in phishing, with Russian freemail provider Pochta.ru and French hosting provider Wistee.fr said to be the worst offenders among 360 subdomain registration providers.

ICANN responds VeriSign, the authoritative ICANN-accredited registry for .com and .net, declined to discuss the topic of domain-name abuse. ICANN gets thousands of complaints about registrars every year, many related to perceived inadequacies or wrong information in the Whois database. ICANN recognizes the problem of domain-name abuse by the criminal underworld, but its policies are still evolving, and there are a lot of uncertainties about ICANN's authority in this area. "Criminal activity that concerns the abuse of domain names is a huge concern to ICANN," says Stacy Burnette, director of contractual compliance for the Marina Del Ray, Calif.-based organization. "It disrupts the system." The tip of the iceberg can be seen in irregularities in the Whois database. ICANN must review them all, and then contact registrars to report and remedy any identified failings. But ICANN has held meetings, including the "Generic Names Supporting Organization Registration Abuse Policy Workshop" that took place in Mexico in March, to discuss policies and guidelines it might want to embrace for domain abuse and registration abuse.

But when it comes to the broader problem of cyber-criminals' abuse of domain names, ICANN today is not in a position to play cop. "ICANN is a non-profit organization, we are not a regulatory authority or a police authority," Burnette points out. Dave Piscitello, ICANN's senior security technologist who works on such issues, says ICANN plans to introduce a proposal in October for possible new guidelines for tighter security in advance of ICANN's planned expansion of new gTLDs http://www.networkworld.com/news/2009/062409-icann-new-domains.html next year. Other ideas, such as requiring auditing of registrars, are definitely on the table at ICANN, Piscitello says. Though not at liberty to discuss the specifics, he points out this proposal will have to undergo a review by the entire ICANN community, and hold up to criticism, before it has any chance to be adopted by the ICANN Board. "We are focusing more on registration issues and malicious conduct," Piscitello says. "I don't think anyone wants to see the DNS abused." VeriSign, he notes, recently proposed adding a strong-authentication service for registrars and registrants for two-factor authentication. But he notes that the ICANN community is broad, consisting of countries that have more influence over how their country-code top-level domains (ccTLD) are used than ICANN. "We can set an example with the gTLDs, but only a cooperative effort with all governments can solve this problem." Meanwhile, an ICANN committee last month issued a 154-page report on the topic of fast flux and criminal abuse of domain names. Detection methods to uncover criminal fast flux are quite reliable, but there have been worries expressed about liability in the case of false positives.

Like any paper, it doesn't by itself necessarily mean change, but ICANN does note it could lead the organization to "consider whether registration abuse policy provisions could address fast flux by empowering registries/registrars to take down a domain name involved in malicious or illegal fast flux." Piscitello says so far no consensus has been reached about what to do on this issue. The domain name may be a handy tool in cybercrime today, "but one goal of the DNS community is to take that tool out of the toolbox," he said. His opinion is that ICANN, which has overall responsibility for the Whois database of registration information, has to find a way to validate the entries. "Some rules in ICANN are just broken," Mohan says. Making changes There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard, says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors. The overall domain-name registration system "was created at a time of a benign Internet.

Some doubt ICANN really has authority or the will to adequately police the system it oversees. Today we have no burden of validation and that can be fixed." He also says it might be a wise move to require some sort of security audit of the registrars and registries. Stewart at SecureWorks, for instance, thinks the national CERTS chartered in each country for emergency response and security warning should have their roles expanded to coordinate response to cybercrime, such as domain-name abuse. If the domain-name registration system can't be improved, the problem of abuse can only be expected to get worse. Mohan says he hopes some reform can be carried out before ICANN proceeds with its plans next year to set up a whole new set of top-level domains. "ICANN is opening up the floodgates for top-level domains," says Mohan. Attempts by industry to cut off criminal access to domain names is proving difficult.

But after six months of trying, there's not much to show for it.  "Hats off to Microsoft for organizing this," says Neustar's Neuman. The first globally organized effort to attempt that - the Conficker Working Group - sought to disable domains targeted by the Conficker worm for use in its command-and-control system. Neustar joined the Conficker Working Group with others that have a measure of power to influence the domain name system, including VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, and the Chinese CNNIC, among others, including security vendor Symantec. The Conficker Working Group, in spite of efforts to tie up of millions of domain names that Conficker was pre-programmed to use, was outflanked when the botnet's designers switched to ccTLDs in the .C version of Conficker earlier this year. But the complex Conficker botnet - now fairly quiet outside of attempts to sell fake anti-virus software - remains undiminished as a command-and-control structure of about 4.5 million compromised computers it quietly holds as zombies. The Conficker Working Group hasn't been able to get enough ccTLD participants on board to effectively tie up Conficker domains. "We have 90% of the ccTLDs partipating but 10% are not involved," says Symantec's Turner. "It didn't work," says Dan Holden, X-Force product manager at IBM's Internet Security Systems division.  Microsoft, which has offered a $250,000 award for information leading to the arrest and conviction of those responsible for Conficker, said in a statement that the Conficker Working Group has established "a new level of industry collaboration and cooperation" for a quick response effort and method of defense, and that the Conficker investigation is still ongoing.

Its success is having established a collaborative response." ICANN's Piscitello says the importance of the Conficker Working Group is that it "demonstrated that if we do get significant collaboration, we can inflict a little pain on the criminal, make it more difficult.

Seagate announces its first solid-state drive

Seagate Technology LLC today announced its first solid-state disk drive and said the product is aimed at the booming general server and blade server marketplace. The Pulsar will offer up to 240MB/sec. sequential read speeds and 200MB/sec. sequential write speeds or peak performance of up to 30,000 read IOPS and 25,000 write IOPS, according to Seagate. Seagate's new Pulsar SSD is a 2.5-in., enterprise-class drive that uses single-level cell (SLC) NAND flash chips.

The company is backing the drive with a five-year limited warranty. Seagate originally tested the NAND flash technology waters with the introduction of a hybrid laptop disk drive that combined disk storage with flash memory two years ago, but it found little success. Seagate is among the last of the big disk drive manufacturers - a list that includes Fujitsu, Hitachi and Western Digital - to enter the SSD market. The 2.5-in. Western Digital entered the SSD market with its acquisition of SiliconSystems in March. Momentus 5,400-rpm drive featured 256MB flash cache memory and was supposed to only spin up the hard disk about 10% of the time.

Seagate said it was waiting until the market and customers indicated the time was right. "Seagate comes out with solutions when it makes business sense to do so, when our customers tell us that they're ready," said Teresa Worth, a senior product marketing manager at Seagate. "We've seen lower adoption than what's being hyped in the market. We're the first enterprise hard drive vendor to enter the enterprise solid-state drive market," she added. Now with SSD approaching a $1 billion market in the next calendar year, it makes sense for us to enter the volume market." "We've been the undisputed worldwide market leader for enterprise storage for 15 years. Seagate said that, whereas other hard drive manufacturers purchased the SSD technology they are offering, the Pulsar will be a Seagate-manufactured product. The Pulsar SSD, which has been shipping to systems vendors since September, will not be offered via direct sales and is being used in the manufacturing of generalized servers and blade servers. Rich Vignes, senior product line manager at Seagate, said the Pulsar is also the name of the company's entire new line of SSD products, which will eventually target other market segments with offerings such as external storage arrays. "We have a large number of engineers who are working on firmware, controller technology and memory technology," he said.

Worth said Seagate would not disclose a suggested retail price for the drive, since equipment manufacturers will have to determine the retail price. Like SSD products from Intel Corp. and other manufacturers, Seagate's Pulsar SSD uses a multichannel internal architecture to increase throughput. The drive uses a SATA 2.0 specification 3Gbit/sec. interface. Vignes said the drive has 16 channels to the flash storage. Seagate said its SSD uses 50% less power than its traditional hard drives. In comparison, Intel's X25-E enterprise-class SSD has 10 channels.

Like other SLC-based flash memory products, the Pulsar is rated for about 100,000 read-write cycles. As an additional safeguard, Pulsar is equipped with Seagate's power loss data protection technology to ensure against data loss in the event of a power failure. Seagate said its drive has a 0.44% annualized failure rating. Worth said Seagate doesn't expect SSDs to have a significant impact on its hard drive sales. "We understand enterprise storage, and have been leading the standards bodies for decades... and we have a global presence in manufacturing," Worth said. "Seagate's perspective is that solid-state disk and hard disk drives will co-exist for the long term and our portfolio will include both types."

Google Docs Gets Shared Folders

Google Docs received an overhaul this week that makes it easier for users to share items, upload documents, and stay organized. Shared Folders One of Google Docs best features is its ability to let you share and collaborate on documents with other users. The new tweaks also brought a slight change to the Google Docs homepage with a more uniform and simpler look. In the past, if you had multiple documents you needed to share with one workgroup, Google Docs required you to send out multiple sharing notices for each document.

Just drag and drop the files you need to share into a folder, and then click "share this folder" and invite members of your workgroup. The new shared folders feature solves this problem, by allowing you to set up sharing permissions for one folder. The people in your workgroup will get an e-mail notifying them you've shared this folder. The new feature is handy, but there is one few quirk you should keep in mind. Once they've logged on to Google Docs, members of your workgroup can see the files you've added to the folder, and also drop files into your folder to share with the same group. Even though a document is in a shared folder, the access permissions for that document are attached to the folder-not the file.

Managing Your Workflow Back by popular demand is the "Items Not In Folders" filter that allows you to see any documents you have that are not organized into folders. So if you pull a document that you own (i.e. you created it) out of the shared folder, your workgroup will no longer be able to access the document. Google brought back the feature because some people were using this as a workflow tool. Then you can move a document into a folder once it's ready for prime time. One way to take advantage of this filter is to use it as a tool for tracking documents in draft stage. There is one detail you should be aware of when using this feature: Let's say John shares a report directly with Mary, but John doesn't have that report in a folder.

The "Items Not In Folders" filter can be accessed under the "More Searches" menu in the left hand navigation pane. If Mary puts it into one of her folders, John will see the report has a folder tag, but it will still show up when John filters his documents by "Items Not In Folders." That way, Mary's actions don't interrupt John's workflow. Google Docs will also let you upload multiple files at once. You'll also notice Google Docs has a slightly different look. Just select all the files you want using the "shift" or "ctrl" ("command" on a Mac) keys, and then start your upload.

The new layout is a little boxier, and the visual icons (like starred, share, upload and delete) have been removed in favor of a text-only look. Live Mesh, launched last year, allows you to create a network of devices and sync folders between them. Sharing Alternative If Google Docs isn't for you, Microsoft also has two document sharing options. Live Mesh also gives you your own online desktop, called Live Desktop, where you can share folders with people outside of your network or Mesh. Live Mesh works on both PC and Mac systems. To use Live Mesh you have to download a small program, but people you share items with only need to sign up for the Live Desktop.

Microsoft's other alternative is its online storage space called Skydrive. However, Skydrive's sharing permissions are a little too complicated, so I recommend going with Live Desktop and Live Mesh if you are a Windows Live user.

Ballmer takes on SharePoint, software licensing issues

Microsoft CEO Steve Ballmer says that the potential of SharePoint shows no signs of having any limitations for the foreseeable future and that Microsoft will have consistent licensing across online and on-premises software, and will protect data in the cloud so episodes such as the Sidekick data loss never happens again. 10 things you need to know about Windows 7Microsoft's two new operating systems: A win-win Ballmer made those and other remarks during an exclusive interview with Network World after he delivered the opening keynote address at the annual SharePoint conference. Ballmer told the crowd he was pumped up and that SharePoint is at the center of innovation at Microsoft as it develops its three-screen strategy - PC, Web and television. Ballmer noted that it was his first-ever keynote address at a SharePoint Conference, a duty that was typically reserved for Bill Gates.

He carried both those themes into his interview with Network World. Among many new features in SharePoint Server 2010, which goes into its first public beta next month and ships in the first half of 2010, he pointed out storage improvements that help cut costs "With SharePoint, I think we have a lot of runway left in terms of capability and the right kind of ease of cost profile management and deployment," he said. Ballmer said he thinks SharePoint, which can be used for such things as file storage, portals, intranet and Internet sites, and social computing, will not bump into any limitations for the near future. "The list of things we see customers wanting to add, and our ability to add those seamlessly on top of the platform, is pretty good," he said. In terms of licensing, Ballmer said Microsoft won't penalize users on client access licensing as they move between the cloud and on-premises deployments of software such as Exchange and SharePoint. "We have a big enough installed base of people that bought licenses that say, 'Hey, when we buy your service we don't want to be re-buying what we have already paid you for in terms of software." He also gave reaction for the first time on the recent Sidekick episode that led to the loss, and subsequent promise of recovery, of users's personal data. "It is not good," he said of the Sidekick incident. "People will want to know, is our approach different for SharePoint Online, is our approach different for the enterprise infrastructure. Ballmer said that Microsoft is working to open up SharePoint with cloud-based APIs, the 2010 version adds support for REST and ATOM, and that Microsoft eventually hopes to have fully trusted applications running in SharePoint.

I think we have good answers, but I know we are going to continue to upgrade our processes and have to upgrade how we talk about this stuff, because we are going to get more questions. Today, only partially trusted applications are supported "With 2010, we built a sandbox environment so we can host SharePoint online, SharePoint for Internet and intranet sites in the cloud. And as always, Ballmer showed his affinity for developers, Microsoft's quintessential leading punch in any emerging market opportunity. "We are excited to have some developers, developers, developers jump right in there," he said rubbing his hands together with glee and anticipation. The sandbox is extensible and is where people can write applications in the cloud and that will only continue to get richer and deeper as we move forward," he said. Ballmer will have served 10 year as CEO of Microsoft in January, and when asked about his successes, challenges and regrets over that time period, he chuckled and said, "I have had all three of those in spades." He said he is proud of many things, among them building Microsoft into a serious player in the enterprise in the face of many doubters. Most are 'hey, I wish we had done something earlier, or made a decision a bit differently." But mostly, he said he is proud. "I think we are well positioned for the future." Watch for more of the Ballmer interview in separate stories coming on Network World.

When ask about his challenges, he cited search and mobile, and in terms of regrets he said with a sly smile, "There are plenty of regrets. Follow John on Twitter: twitter.com/johnfontana

Feds: We need tools to meet transparency law

Federal IT officials doubt that agencies can enforce the Obama administration's accountability and transparency rules as they spend funds allocated by the American Recovery and Reinvestment Act of 2009, according to a survey that will be released on Monday. The majority of respondents - 62% - said either that they don't know if agencies can enforce the ARRA transparency requirements (33%) or they don't believe agencies can meet these rules (29%). States scramble to track federal stimulus bucks The survey was commissioned by Serena Software, a provider of business process modeling software that sells tools designed to meet specific federal regulations. Only 38% of respondents said they believe federal agencies can enforce the transparency requirements of ARRA, according to an e-mail survey of 200 defense and civilian agency IT officials. It was conducted in September.

Three-quarters of respondents said their agency had put a medium-to-high level of importance on reaching transparency goals. Survey respondents agree that meeting ARRA's transparency goals is important. Meeting these requirements will take time, survey respondents said. Another 31% believe they could meet the requirements within a year, and 27% believe they can meet the requirements within two years. Less than half of survey respondents - 43% - said they believe their agencies could meet the transparency requirements today.

Agencies say they need new automated tools to meet the transparency rules. Half of the 64% said they have funds available in their budget to purchase these tools. More than half of respondents - 64% - said they could benefit from automated tools. A lack of automated tools to meet transparency rules may be one reason that federal agencies are taking their time to award ARRA funds. Only 11% of survey respondents said their agency had obligated or spent more than 80% of their ARRA money. "We've been working with federal agencies on process automation, transparency and accountability issues since before the new administration came into office," says Dave Dantus, federal director for Serena Software. "We had a strong suspicion that there was a gap between what [the Office of Management and Budget] and the administration were expecting and what agencies were able to deliver in terms of reporting and transparency." Dantus said that a significant number of agencies are using e-mail and spreadsheets to meet ARRA transparency rules, rather than automated tools such as those provided by Serena. "It's not easy to track or report on ARRA funds with e-mail and spreadsheets," Dantus says. "Certainly, this is an opportunity for our company." Serena Software is a privately held software company with $300 million in revenues.

More than half of the survey respondents - 51% - said their agency had obligated or spent less than 20% of their ARRA funds. The company's Business Mashups software allows users to quickly automate processes without having to write software code. Dantus says Serena Software has more than 200 federal customers that use its software to comply with regulations regarding information assurance, financial controls and requests for information.