Recently in Software Choices Category

Software licence audits: Confidence in Your Choices


Over the last few weeks Computer Weekly has written about software licensing and how suppliers are demanding IT departments run costly software audits. At the same time, we have started looking at the complexities of licensing, such as in a virtualised environment.

In this guest blog post, Martin Thompson, a SAM consultant and founder of The ITAM Review and The ITSM Review, provides some top tips on what to do when you receive an audit letter:


Payment Protection Insurance (PPI) spam is in vogue.

You may have received one or two of these recently:

"You are entitled to £2,648 in compensation from mis-sold PPI on credit cards or loans."

PPI claims and other spam solicitations are the bane of our inboxes. The vast majority of us know to simply ignore them. Unfortunately the handful of those who do respond justifies the exercise to the spammers. 

This mass-marketing technique is used in exactly the same fashion by trade bodies such as BSA and FAST to force their agenda and start software audit activity.

Supplier audits are a fact of life. Some software audit requests are serious and expensive; some are merely spoof marketing campaigns. How can IT professionals distinguish between the two?

Whilst I'm not a legal expert, fifteen years in this industry has taught me that there are instances when you should respond to an audit request and instances when you should simply walk away.

When to Take Software Audit Requests Seriously

In my opinion there are two instances when you should take software audits seriously:

  1. When you are approached by a software publisher directly with reference to a signed contract
  2. When you are approached by an organisation with real proof of a breach of intellectual property law.

Contracts with software publishers have 'Audit Clauses', the right to come and audit you periodically at your own cost. Your company either signed this and agreed to it or will need to fight against it. Smart companies negotiate it out of the contract by demonstrating maturity in their internal processes.

Breaches of intellectual property supported by evidence are a legal dispute and should be treated as such - by passing the issue over to your legal team in the first instance.

When to Ignore Software Audit Requests

Requests for 'Self-Audit' or other direct mail fishing exercises can be ignored.

Trade bodies such as BSA and FAST commonly write letters to companies requesting them to 'Self-Audit' or declare a 'Software Amnesty'.

These organizations are masters at crafting well-written, legal-sounding letters but have no legal authority whatsoever. Nor do they have the resources to follow up on every letter sent.

Just like any other complaint made to your business it should only be taken seriously if there is firm evidence or the organisation issuing the dispute is supported by the appropriate government agency. For example the Federation Against Software Theft (FAST) has no teeth whatsoever unless accompanied by HM Customs and Excise.

Confidence in Your Choices

IT departments with the appropriate Software Asset Management (SAM) processes in place have both the confidence and the supporting data to discriminate between bogus claims and genuine supplier audit requests.

Whilst much noise is made in the industry of senior management being sent to prison or the company name being dragged through the gutter - the real and compelling downside to a lack of software management is UNBUDGETED cost and DISRUPTION. Surprise license costs and massive disruption whilst IT staff are diverted from key projects to attend to an audit or hunt down the appropriate data.

Unexpected software audits can be good for your health in the longer term if they allow the organisation to realize it is out of control.

SAM is so much more than compliance and counting licenses. Organisations with a solid SAM practice are more nimble, competitive and dynamic. No more stalling on that virtualisation project because we're unsure of the licensing costs, no more uncertainty about moving to the cloud because we don't know how that leaves us contractually. SAM provides the business intelligence to innovate and take action.

Martin is an independent software industry analyst, SAM consultant and founder of The ITAM Review and The ITSM Review. Learn more about him here and connect with him on Twitter or LinkedIn.

SaaS flexibility comes at a price, but the numbers don't add up


It's been a few weeks since my last post. I've been busy attending conferences - Cloud Expo at Olympia and the Intellect Regent Annual Summit. Cloud computing is all the rage with the suppliers, but a survey from TechTarget, the parent company of Computer Weekly, shows that IT directors and senior IT decision makers are not buying the hype. It really is time for the industry to take a step back and try a little harder to appreciate the challenges IT departments are facing during these tough economic conditions.

The tough economic climate was the backdrop to the Intellect event in London last week. Antony Miller from analyst TechMarketView presented a compelling argument as to why the economics of cloud do not work. In most instances flexibility comes at a price, but the cloud providers want everyone to believe they can offer the ultimate flexibility, cheaper than on-premise software. He pointed out that most of the SaaS companies are losing money, and some have already been acquired by traditional suppliers. So maybe SaaS providers will need to increase their prices to remain in business.

What to Watch Out for When Migrating to Office 365

In this guest blog post, Jeremy Thake, enterprise architect and Microsoft SharePoint MVP at AvePoint, looks at how to move onto Office 365.

Office 365 is Microsoft's latest iteration of its online business productivity suite, potentially shifting many traditionally on-premises products and services from the server room to the cloud. With many businesses assessing the pros and cons of cloud computing, the issue of moving content is being highlighted as a key concern for potential users unsure of the complications associated with the migration process. So, what exactly are these challenges and what can businesses do to ease their way into the cloud without threatening business continuity?

Limited Functionality
When considering tools like Office 365 for enterprise-wide collaboration, it is important to have very clear business goals upfront for the technology. Then, great care must be taken to assess whether the tools have all of the necessary functionality to meet those established goals and limit the threat of business disruption. For example, as it stands today, Office 365 doesn't offer all of the functionality that business users can expect from an on-premises SharePoint 2010 environment. Customisations can only be installed at site collection level and there are restrictions on what customisation can be done due to the multi-tenancy of the service. Consequently, most businesses considering a migration of their business data to Office 365 are likely to do so utilising a hybrid approach, still keeping some data on-premises. While this allows businesses to benefit from both the functionality of SharePoint 2010 and the economic and scalability benefits offered by Office 365, challenges are presented around data flow between the two platforms. While it is possible for businesses to develop custom solutions internally that allow locally held data to integrate seamlessly with data stored in the cloud, this development process is highly complex and would require significant skill and on-going maintenance. Third-party solutions for hybrid management - which leverage fully supported Microsoft methodologies and APIs - can take this taxing, costly process out of the hands of in-house IT managers and allow them to concentrate on more business-critical tasks.

There are several methods - and subsequent challenges - by which organisations can attempt to migrate existing enterprise content onto Office 365. Two of the more commonly considered methods are staged migrations and blanket migration with policy management. Businesses should be aware, however, that migrating data to the cloud is like any other more traditional in-house migration - doing a 'spring clean' and deleting unused or old files and archiving records at the outset will avoid wasted time spent migrating unnecessary data. This also has cost implications, as without proper planning, you could find yourself storing unnecessary data in the cloud. This can become costly if it goes beyond Office 365's storage parameters which they charge at a 1 GB per user, per month extra. 
Once any data cleansing process has been completed, businesses need to consider how much time the migration is likely to take. Moving on-premises content into the cloud will invariably result in a certain amount of delay for users to be able to access the content. With that in mind, organisations must decide whether a staged or blanket approach would best meet their business needs. For example, large organisations often have significant data footprints, meaning the migration of content onto cloud platforms like Office 365 is likely to take more than just a weekend. A blanket migration of data is therefore likely to creep into office hours, potentially causing disruption to business-critical operations. 

To get around this, businesses may consider a staged approach to migration, but cross-dependencies within content mean that employing tools which facilitate integration is essential. As an example, if site A is migrated on day 1 of the project as a priority, but site B is identified as data that can be migrated on day 3 or 4, third-party solutions from vendors including AvePoint can ensure any changes to content in site B that impact site A will be identified. Certain files can also be set as 'read only' during the migration phase, depending on business preferences. With such tools in place, business and IT staff can be confident that all content is kept up-to-date throughout the migration process, even if that process is staggered over the course of a week, for example. Security policies such as access rights and authentication management can also be automatically updated into the new cloud-hosted platform, further removing the need for manual intervention by IT staff once the migration is complete.

It's clear that Office 365 is appealing for businesses, and its feature set will evolve quickly as upgrades and patching processes are dramatically simplified when compared with on-premises software. With improvements in constant development, and third-party tools helping businesses to make the most of their on-premises and cloud SharePoint environments, businesses can continue striving toward their day-to-day business goals while confidently providing IT assurance without overburdening IT administrators.

September 13th Microsoft Patch Tuesday Application Compatibility Report by ChangeBASE


Application Compatibility Update

By: Greg Lambert


Executive Summary

With this September Microsoft Patch Tuesday update, we see again a relatively small set of updates in comparison to the lists of updates released by Microsoft in the previous months. In total there are five Microsoft Security Updates with the rating of Important. This is a minor update from Microsoft and the potential impact for the updates is likely to be moderate.


As part of the Patch Tuesday Security Update analysis performed by the ChangeBASE AOK team, we have seen very little cause for potential compatibility issues.


Given the nature of the changes and updates included in each of these patches, most systems will require a reboot to successfully implement any and all of the patches and updates released in this September Patch Tuesday release cycle.


Sample Results 1: MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege



Sample Results 2: MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution




Testing Summary



Vulnerability in WINS Could Allow Elevation of Privilege (2571621)


Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)


Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)


Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)


Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)


Sample Results 3: AOK Summary Report Sample from a small database


AOK Patch Summary Results


Security Update Detailed Summary



Vulnerability in WINS Could Allow Elevation of Privilege (2571621)


This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS). The vulnerability could allow elevation of privilege if a user received a specially crafted WINS replication packet on an affected system running the WINS service. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.


W03a3409.dll, Wins.exe, Winsevnt.dll, Ww03a3409.dll, Wwins.exe, Wwinsevnt.dll


Important - Elevation of Privilege



Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)


This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate rich text format file (.rtf), text file (.txt), or Word document (.doc) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.




Important - Remote Code Execution



Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)


This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Installing and configuring Office File Validation (OFV) to prevent the opening of suspicious files blocks the attack vectors for exploiting the vulnerabilities described in CVE-2011-1986 and CVE-2011-1987.




Important - Remote Code Execution



Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)


This security update resolves two privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file or if a user opens a legitimate Office file that is located in the same network directory as a specially crafted library file. An attacker who successfully exploited either of the vulnerabilities could gain the same user rights as the logged on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


Ietag.dll, Mso.dll


Important - Remote Code Execution
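
Two of the bulletins above (the Windows Components update and the Microsoft Office update) describe the same exposure: a legitimate document opened from a network directory that also holds a library file. As an added example, not part of the ChangeBASE report, the following Python script audits a folder tree for directories where documents and DLLs sit side by side; the function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Document types named in the Windows Components bulletin text.
DOC_EXTS = frozenset({".rtf", ".txt", ".doc"})
# Library type named in the bulletin text.
LIB_EXTS = frozenset({".dll"})


def find_colocated_libraries(root, doc_exts=DOC_EXTS, lib_exts=LIB_EXTS,
                             unreadable=None):
    """Walk root and return {directory: {"documents": [...], "libraries": [...]}}
    for every directory holding at least one document AND one library.
    Directories that cannot be listed are appended to `unreadable` if given."""
    def on_error(err):
        if unreadable is not None:
            unreadable.append(err.filename)

    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error):
        # Compare extensions case-insensitively: REPORT.DOC and HELPER.DLL count.
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in doc_exts)
        libs = sorted(f for f in filenames if Path(f).suffix.lower() in lib_exts)
        if docs and libs:
            findings[dirpath] = {"documents": docs, "libraries": libs}
    return findings


def format_report(findings):
    """Render the findings as a plain-text review list."""
    lines = []
    for directory in sorted(findings):
        entry = findings[directory]
        lines.append(f"REVIEW {directory}")
        lines.append(f"  libraries: {', '.join(entry['libraries'])}")
        lines.append(f"  documents: {', '.join(entry['documents'])}")
    if not lines:
        return "No directory mixes documents and libraries."
    return "\n".join(lines)


def build_sample_share(base):
    """Create a constructed folder tree standing in for a file share."""
    layout = {
        "finance": ["notes.txt", "report.DOC", "helper.dll"],  # mixed: flagged
        "tools": ["util.dll"],                                 # libraries only
        "hr": ["policy.rtf"],                                  # documents only
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            Path(base, folder, name).write_bytes(b"")  # empty placeholder files
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        print(format_report(find_colocated_libraries(share)))
```

A hit is a prompt to check where the library came from rather than proof of tampering, since some application folders legitimately hold both kinds of file.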



Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)


This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft SharePoint and Windows SharePoint Services. The most severe vulnerabilities could allow elevation of privilege if a user clicked on a specially crafted URL or visited a specially crafted Web site. For the most severe vulnerabilities, Internet Explorer 8 and Internet Explorer 9 users browsing to a SharePoint site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 helps to block the attacks in the Internet Zone. The XSS Filter in Internet Explorer 8 and Internet Explorer 9, however, is not enabled by default in the Intranet Zone.


Groove.exe, Groovedocumentsharetool.dll, Grooveutil.dll, Groovewebplatformservices.dll, Groovewebservices.dll


Important - Elevation of Privilege


*All results are based on an AOK Application Compatibility Lab's test portfolio of over 1,000 applications.



Linux Squeezebox sound server and player: a project for the weekend


If you have ever wanted to learn about Linux, then why not try making something useful and fun? Here's how to put together a Linux sound server. The basic configuration is a good start for any novice trying to get under the covers of Linux and networking.


This weekend I decided I would build a headless Linux server (i.e. no keyboard or display). Why? Because I wanted to run an old PC as a sound server and Linux is by far the cheapest way to do this. The PC is a seven-year-old Hush, a 1.2 GHz Via system with a 40 GB hard disk and 1 GB of memory, barely enough to run Windows.

The Hush is, in my opinion, the best-looking PC ever - it uses a fanless design, based on a mini-itx motherboard, and is housed in an aluminum case, which doubles as a heatsink. As the name suggests, it is extremely quiet and looks perfectly in place in a hi-fi rack.


"In my experience, installing a sound server on Linux is one of the best ways - and also a pretty rewarding way - to improve your understanding of how computer systems work."

Setting up Ubuntu is pretty straightforward. I chose the 10.04 LTS distribution as it's recommended for legacy hardware. It can be downloaded as an ISO image from a Windows PC. You then burn the .iso file using a DVD writer.

On the Hush PC, all I did was pop in the newly burnt Ubuntu CD and switch on. Obviously you need a working keyboard and display to install Ubuntu and you may need to change your Bios settings to boot from CD-ROM first.

The keyboard and display can be unplugged once the operating system software is running and you have enabled remote access (see below).

The installer has several options and the Function keys should be used to set things like keyboard, language etc. At this point, make sure you select the console-only version as a graphical user interface is a bit redundant - and a big overhead - for a server that will not require a keyboard, mouse or display.

Once Ubuntu has installed and rebooted, make sure you have network access.

Try ifconfig which will give you the IP address of the PC (such as , then ping

If this works try ping

And finally ping another computer on your network. If anything fails at this point you'll need to do some googling from another PC and check out Ubuntu network problem posts >>

In my case, the Ubuntu PC was unable to ping other machines on the network when it was connected directly to my wireless router, but it works perfectly when connected to a wireless bridge.

Linux is notoriously bad at wireless support - particularly on legacy gear. To overcome this,  I use a D-Link DAP-1522 802.11n wireless bridge to connect the Hush PC Ubuntu machine to my LAN via an ethernet cable.

Finally, it is important to log into your router's admin console and add the IP address of your new Ubuntu machine to the DHCP reserved list.

Remote Terminal
On my setup I wanted to manage the Ubuntu machine remotely. OpenSSH can be used for this. See >>

On Ubuntu you issue the following command:
sudo apt-get install openssh-client openssh-server

I use a Windows PC running Putty ( to access the Ubuntu machine remotely. So for everything I needed to do, I simply logged in remotely to my Ubuntu console from Windows using Putty.

Squeezebox Server
Squeezebox is a great basis for a Linux sound server project because there is a load of open source stuff out there, which you can use instead of, or to add to, Logitech's own excellent Squeezebox hardware like the Touch below.


Basically it's possible to get a Squeezebox system running for free, or you can enhance an existing one with more players and controllers using an Android device as a Wi-Fi remote control and any spare PCs or laptops, to distribute music to another room. Just plug in a pair of speakers or headphones!

Everything you need to get started can be found on the Squeezebox Wiki (

To install the latest stable release it is necessary to update your Ubuntu /etc/apt/sources.list to include:

deb stable main

One of the great things about Squeezebox is that the Squeezebox server can be managed from any LAN computer with a web browser. Simply type:

http:[enter the IP address of the ubuntu server here eg]: 9000

So in my configuration I use the following address in Firefox:


In my setup I wanted the music files to be stored on a NAS drive. This requires Samba. Here is a great explanation of how to mount a NAS server at boot time using Samba >> (

If all you want is a Squeezebox server then that's it.

But I also wanted to use the Ubuntu box to play music as well...

Getting Sound working
This is why people hate Linux. Sound can be very tricky. From my own experience, plenty of Googling "Alsa" finally gave me what I needed - basically the alsa-base, alsa-lib and alsa-utils Ubuntu packages need to be installed and configured. There are many variations of things that can go wrong. See the Ubuntu Sound Trouble Shooting Guide here >>

I eventually got sound out of the Ubuntu box - but be warned, this was quite traumatic.

Install Squeezeslave
There are plenty of Squeezebox clients, like SoftSqueeze, a Java client, and SqueezePlay, a native Squeezebox player. But these rely on the Gnome desktop GUI. For a text-only player, there's SqueezeSlave.

Now this is what open source is all about. To get SqueezeSlave working it is necessary to compile it for your system. This is not as bad as it sounds.

First you need to install the various utilities required for compiling:
sudo aptitude install build-essential

A guide to getting it installed can be found on the SqueezeSlave Wiki here >>

sudo apt-get install subversion
sudo apt-get install libasound2-dev
sudo apt-get install libncurses5-dev
sudo apt-get install liblircclient-dev
svn checkout
cd squeezeslave
make -f makefile.linux26-alsa-display realclean
make -f makefile.linux26-alsa-display

You will need also to install LAME. Here's how to do it >>

There is a good set of tips on making sure Squeezeslave is working and it also shows how to start Squeezeslave at boot time at

If you have installed the console-only version of Ubuntu, you may have difficulty hearing any audio from the root user (which runs when the machine starts up).

I added root to the audio group. See:

You will also need to make sure the volume works (my setup uses the SPDIF output, which, strangely I had to mute to hear sound using sudo alsamixer!). Here's a pic of the Android Squeezebox controller on a Sony X10 Pro. This software can be downloaded for free from the Android Marketplace.


Once it is going
You can try a wealth of the Squeezebox plug-ins such as the great BBC iPlayer plug-in. One of the most useful ones I have discovered is svrpowercontrol, which lets you power down the server.

Save 90% with second user SAP and MS licenses...but are they legitimate?

During my research for the Top five IT finance and asset management issues article, about how to finance IT purchases, I came across two companies specialising in second-user systems.

It's surprising how many people actually buy second-user hardware - and why shouldn't you, when the cost is significantly cheaper than the full price of a new product, and you are offered a guarantee. It certainly makes sense for enterprise hardware like servers, network equipment and storage.

But what is really interesting is that there is also a burgeoning market for second user software licences. Discount-Licensing is a specialist in this space. I spoke to the managing director, Noel Unwin, about concerns over software piracy and whether you can actually sell pre-owned software licences. Apparently there is a clause in MS licences that allows for transfers.

To comply with licence audits, he says:

"We provide documentation including a sale of purchase agreement, unique licence number, volume licence key, a copy of the licence agreement, and a Microsoft Notice of Potential Transfer form, which the customer signs and sends to Microsoft."

This document can be downloaded here >>

This means you can save 25% on MS Exchange - and if you have too many licences, they can be resold to Discount-Licensing. Now what is really interesting about this is that Discount-Licensing also buys and sells SAP licences. According to Unwin, businesses can buy pre-owned SAP up to 90% cheaper than the cost of a new licence. Equally, organisations that are downsizing and divesting, can resell unused SAP licences.

Unfortunately Unwin says it is too hard to do the same thing with Oracle. Shame.

Video: Why won't applications run on a hypervisor?


I spoke to Greg Lambert, chief technical architect at ChangeBase, about application compatibility. Compatibility is not only about getting things to work on Windows. Hypervisors can also pose app compatibility issues. And, as I mentioned in recent posts, browsers like IE9 can also present problems.


IE 8 and IE 9 incompatibility: Thousands of sites are failing


Last month Microsoft warned developers they "may" experience problems with IE8 and IE9 incompatibility:


"Some Web sites may not be displayed correctly or work correctly in Windows Internet Explorer 8 or in Windows Internet Explorer 9 Beta. This problem does not occur in earlier versions of Internet Explorer, and the affected Web sites continue to be displayed correctly and to work correctly in Windows Internet Explorer 7."

According to Microsoft: 

  1. Menus, images, or text are in the wrong positions on some Web sites.
  2. Some Web site features do not work.
  3. You receive script error messages on some Web sites.
  4. Internet Explorer stops working or crashes on some Web sites.

Even Microsoft's own site has a fudge to work around the IE8/9 incompatibility issues. It uses the following tag to force IE7 compatibility:

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

According to some experts, there are literally thousands of web-based applications and web sites that will fail to render correctly in IE8 and IE9. Microsoft's own list for IE9 lists over 1111 sites including:

For more info please look at: and


LibreOffice ready for mainstream


LibreOffice will be available for download from 25 January. Finally people will be able to use an Office suite that's not backed by Microsoft, Google, Oracle or IBM. LibreOffice uses Java and is derived from OpenOffice, both of which are part of Oracle's empire. Given its track record on Java and the whole open community development process, Oracle is probably not the best company to support major open source initiatives, such as OpenOffice.

In a blog post today, Forrester analyst John Rymer wrote: Oracle's strategy for Java will change the Java ecosystem that has existed for 11 years:

  1. Oracle will direct Java innovation.
  2. Competition will shift to frameworks.
  3. Fewer young developers will learn Java first.

Open source is supported by commercial developers, and software companies should be praised for their help in maintaining and adding code to open source projects. But Oracle has yet to prove itself as an open source innovator. A rival to OpenOffice will benefit all open source projects, by reminding commercial software companies that they don't "own" open source.




Microsoft Patch Tuesday Update - 14th December 2010


With this week's Microsoft Patch Tuesday update, we see the largest collection of updates ever delivered by Microsoft in a single Patch Tuesday release, with 17 updates having the following ratings: 2 Critical, 14 Important and 1 Moderate. Aside from the significant number of Security and Application updates with this Patch Tuesday release cycle, we see a moderate number of issues affecting a small number of applications. The ChangeBASE team recommends a particular focus on the Microsoft Security Update MS10-106 as it raised a significant number of issues on the AOK sample server platform portfolio.

Here is a sample of the results for one application and a summary of the Patch Tuesday results for one of our AOK Sample databases:

MS10-105 Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution

And here is a sample AOK Summary report for a sample database where the AOK Patch Impact team has run the latest Microsoft Updates against a small application portfolio:


You can read a full analysis of the AOK Patch Impact Testing Summary here.

About this Archive

This page is an archive of recent entries in the Software Choices category.
