Random Oracle

July 5, 2009

Electrons are electrons: price discrimination and phone accessories

Filed under: economics, mobile — cemp @ 8:38 am

Observation from a recent involuntary 8-hour layover at San Francisco airport, compliments of an incompetent United Airlines stranding half the passengers on a flight from Sydney after the plane was delayed.

This blogger had an HTC G1 out of juice and no charger. A quick stop at the local gadgets shop was necessary to find a way to power the device again. The iGo units are ubiquitous at airports and, with a flexible arrangement of power unit and swappable tips, promise to power just about any device. Tips are sold separately, and this is where a bizarre pricing scheme enters the picture: the tips for the Motorola Razr were priced $2 less than the tips for the T-Mobile/Google G1. They have exactly the same form factor: mini-USB. Even if the G1 draws more current, that would be handled by the iGo power adapter, which already has enough smarts to handle varying demand from an array of different models. A USB cable is a USB cable.

Presumably this was a case of price discrimination: since the G1 is a more expensive smartphone, owners are assumed willing to pay more for accessories as well, even when they are virtually identical to accessories for more basic phones. That may work in economic terms but, much to the manufacturer’s dismay, electrons do not care whether they are being delivered through a “premium” cable or a basic one. Mobile phone manufacturers are notorious for trying to create various lock-in effects, for example by restricting which chargers can power a particular phone in an attempt to create artificial differentiation between otherwise identical units. But paying more for the same copper connections does not make the current magically more capable of delivering electricity. (This is the same problem that vendors of expensive, pointless HDMI cables face: with an error-corrected digital signal, cable quality is hard to compete on.)

CP

August 19, 2008

Identity as externality: Trustbearer, CAC, eID

Filed under: Internet, economics, identity, privacy — cemp @ 9:11 pm

TrustBearer has become the first public demonstration of an idea this blogger first described in a ThinkWeek paper in 2006: identity management systems create positive externalities. Once built for a purpose, they are often easily extended, adopted or co-opted for completely different objectives. This pattern predates the Web, PKI and even the development of modern computing systems. The classic example is the social security number. Originally introduced by FDR’s New Deal-era Social Security Administration for the purpose of administering benefits, it has become the de facto identifier for everything from credit rating agencies to some badly designed online banking websites; Fidelity originally used the SSN as “username” but later changed the system to allow for choosing nicknames. Driver’s licenses were introduced to control who can drive vehicles on public roads. When laws introduced a minimum drinking age and imposed penalties for serving minors, bars found it the natural choice for deciding who gets to order drinks. (A bartender in Seattle once declined to serve this blogger due to an expired driver’s license.)

Not all of these extensions are necessarily good ideas. In particular, the re-purposing of the social security number from a simple identifier into a credential– something that proves identity, never intended in the original design– created the current identity theft mess. In another example, RFID tags are a primitive identity management system designed for tracking inventory; the tag identifies the object it is attached to. But when the tags are not deactivated after the goods are sold to consumers, they can be repurposed for tracking people. Each tag emits a constant identifier that can be scanned by anyone with the appropriate transmitter and receiver set up, allowing tracking of individuals in physical space.

Occasionally unofficial extensions to an identity system provide unexpected benefits. Typically there is a very large upfront investment in deploying a system, driven by a well-defined objective. But once the system is built, adding one more person who can use it, or one more website which uses that system for authentication, has a small marginal cost. Take for example the Common Access Card or CAC, soon to be replaced by the PIV. These are both PKI systems managed by the Department of Defense for the purpose of controlling access to systems with national security implications. But once the PKI deployment is operational and individuals have been issued their cards and smart-card readers, they can be used for purposes completely unrelated to the defense sector. Case in point: TrustBearer’s OpenID service accepts CAC/PIV cards for authentication to any OpenID-enabled relying site. DoD certainly did not design the system for employees to check their personal email accounts or write blog comments in their spare time. But given that the smart-cards were already out there in the hands of users, it was a no-brainer for TrustBearer to accept these credentials for strong authentication. Any other website could have done the same: called “SSL client authentication,” the underlying functionality has been supported by web browsers and web servers in some fashion since the late 1990s. The user interface may be clunky because it is rarely seen outside the enterprise context, but all it takes is tweaking some settings in IIS or Apache. The Department of Defense created a positive externality for all websites.

Design matters of course: some technologies are far more amenable to being re-purposed this way. For example, Kerberos is inherently a closed system: adding another relying party requires coordinating with the people in charge. Public-key infrastructure is open by design: once a digital certificate is issued, people can use it to authenticate anywhere. There are still gotchas: revocation checking imposes costs on the identity provider (adding another relying party is not a free lunch when it is hammering the system with revocation checks) or it may not work at all for an entity “outside” the official scope. Some new protocols such as OCSP stapling address that by making freshness proofs portable. More important is the question of acceptable use policy. Just because the cryptography works out does not mean that the official owner of the identity system will approve the creative re-purposing.
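As an added illustration, not taken from the original post or from TrustBearer, here is the kind of Apache httpd (mod_ssl) configuration the two paragraphs above allude to: a relying site that accepts client certificates issued by a CA it does not operate, with revocation checking switched on so that the cost imposed on the identity provider becomes visible. The hostname, file paths and issuer organization name are placeholders, not values from the page.

```apache
# Added example: a relying party accepting externally issued client
# certificates in Apache httpd (mod_ssl). Hostname and paths are placeholders.
<VirtualHost *:443>
    # placeholder hostname
    ServerName relying-party.example
    SSLEngine on
    # placeholder server certificate and key
    SSLCertificateFile    /etc/ssl/relying-party.example.crt
    SSLCertificateKeyFile /etc/ssl/relying-party.example.key

    # Trust anchors are the ISSUER's CA chain (obtained from the card issuer),
    # not anything this site generated. This is the externality: the site
    # spends nothing on enrolment, only on trusting a bundle. Placeholder path.
    SSLCACertificateFile  /etc/ssl/issuer-ca-chain.pem
    SSLVerifyClient       require
    SSLVerifyDepth        3

    # Revocation checking: each login now sends an OCSP query to the issuer's
    # responder, the "not a free lunch" cost the post describes. A CRL file
    # (commented placeholder) is the offline alternative.
    SSLOCSPEnable         on
    # SSLCARevocationFile  /etc/ssl/issuer.crl
    # SSLCARevocationCheck chain

    # Export certificate fields to the application so it can map the
    # certificate subject to a local account rather than trusting any
    # certificate the CA ever issued.
    SSLOptions +StdEnvVars +ExportCertData

    # Scope acceptance to one issuer from the bundle (placeholder DN);
    # certificates from other CAs in the chain file are rejected here.
    <Location /login>
        Require expr "%{SSL_CLIENT_I_DN_O} == 'Example Issuer Org'"
    </Location>
</VirtualHost>
```

Two practical notes. The `Require expr` line is what turns "the cryptography works out" into an explicit acceptable-use decision: without it, anything the CA bundle chains to is accepted, which is rarely what the site owner intends. And the OCSP stapling mentioned above (`SSLUseStapling on` in Apache) staples a freshness proof for the server's own certificate; for client certificates the relying party itself still queries the issuer's responder, which is exactly the load the post warns about.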

That brings us to the European eID deployments. These are national ID systems, with the cards containing PKI credentials. Here is one case where a PKI-based system funded by taxpayer money is built with the express intent that anyone can use it for authentication to their service. (This is what governments do after all– they generate externalities, much to the chagrin of libertarians.) Not surprisingly, eID cards are also accepted by TrustBearer– specifically the Belgian eID. This is an even greater externality because there are bound to be many more of them in existence even today, and this will only improve over time as other EU governments make progress on their deployment. On the other hand, the precedent for using eID online is scarce and chances are most users lack the required card-readers and drivers, while the CAC/PIV users already use their cards regularly in a professional context.

cemp

June 12, 2008

LifeLock: the plot thickens

Filed under: Security, economics, identity, risks — cemp @ 11:27 pm

(Follow-up from earlier post)

The past few weeks had more developments in the story of LifeLock, the company that promises identity theft protection and challenges would-be criminals with the social security number of its CEO. The New York Times published an article on May 24th covering this story. The overall tone of the article is fairly negative on the value proposition of this service:

“…a fraud alert is more like a burglar alarm. And if the alert repeatedly fires off false alarms, forcing creditors to constantly double-check the identities of LifeLock customers who have never been victims of fraud, it is possible that those credit issuers will pay less attention to them. Experian is so worried about this, along with other issues, that it has filed suit against LifeLock.”

Strangely, the company has found a new ally in Bruce Schneier, who came out swinging in defense of LifeLock. BS portrays the issue purely as a conflict of business models between the triumvirate of credit reporting bureaus (Equifax, Experian and TransUnion) and LifeLock. Credit reporting agencies prefer that the process of completing a credit check and clearing an applicant be easy. LifeLock’s mission in life is to make that process as difficult as possible for the lender, in order to reduce the risk that the application is fraudulent.

“The reason lenders don’t routinely verify your identity before issuing you credit is that it takes time, costs money and is one more hurdle between you and another credit card. (Buy, buy, buy — it’s the American way.) So in the eyes of credit bureaus, LifeLock’s customers are inferior goods; selling their data isn’t as valuable. LifeLock also opts its customers out of pre-approved credit card offers, further making them less valuable in the eyes of credit bureaus.”

And later in the same approving vein: (links in the original)

“It’s pretty ironic of the credit bureaus to attack LifeLock on its marketing practices, since they know all about profiting from the fear of identity theft. Facta also forced the credit bureaus to give Americans a free credit report once a year upon request. Through deceptive marketing techniques, they’ve turned this requirement into a multimillion-dollar business.”

One point where everyone is in agreement is that the services are not worth it from a purely financial point of view. Most of the actions taken on behalf of subscribers by the commercial services can also be taken by individuals directly for free. Convenience is the main selling point. For example, anyone can request to have a fraud alert put on their credit file, but these expire after 90 days.

The original Wired article covering allegations that the service does not work appears to have been removed. Not to worry: Kim Zetter (full disclosure– she is a friend) writing on the ThreatLevel blog has missile lock on the company. In a series of posts, she highlighted an original piece from the Phoenix New Times that surfaced questionable past connections of the co-founder. LifeLock announced in response that he was resigning from the company.

cemp

May 26, 2008

Ford Motor Company and the long-anticipated rude awakening

Filed under: economics, environment, markets, transportation — cemp @ 1:35 pm

According to CNN/Money, Ford Motor Company concedes that high gas prices are here to stay, and as a result the company will not be able to execute on its profitability plan by 2009 as forecast earlier. Readers may be wondering why this is news. Detroit has been a one-trick pony for a long time. All three manufacturers had established businesses in light-to-heavy trucks and SUVs. These bets paid off handsomely through the 1990s and well into the first half of this decade, with the exception of the brief recession following the dot-com implosion. Meanwhile the passenger car market was ceded to foreign imports and there was virtually no interest in new fuel-efficient alternatives. But such over-specialization is extremely dangerous: it is generally recognized that dependence on a single product line creates a major vulnerability. The technology parallel is MSFT, a perennial two-trick pony with operating systems and productivity software. The difference is that MSFT has been very aggressively trying to diversify into online services, gaming consoles and automotive computing, to name a few. Ford has been forging full speed ahead on the same track.

It’s not clear whether Ford management failed to see this coming or whether the internal structure prevented action. A more charitable interpretation is that Ford did not hedge correctly on the price of oil. The last decade of the 20th century showed a clear upward trend in the price of crude and gasoline, with long periods when the price of the refined product seemingly “unhinged” from the price of the underlying commodity. Yet the fluctuations did not appreciably change lifestyles. There was no price elasticity, commentators argued, because the amount of fuel consumed is decided a long time in advance based on the commute and the vehicle. Once individuals migrate to the exurbs and commit to 45 minutes of rush-hour driving in an 8000lb SUV, it’s difficult to respond to changes in pricing.

But the laws of economics were not permanently suspended. There is a price point where even existing owners may change their consumption pattern. More importantly, before that point is reached another pressure appears: prospective car buyers gravitate towards higher-mileage options. Ford CEO Alan Mulally says: “We saw a real change in the industry demand in pickups and SUV in the first two weeks of May. It seems to us we reached a tipping point.” This acknowledgment is an important first step but arrives about 5 years too late. Interestingly enough, Mulally was earlier a vice president at Boeing, another company very vulnerable to oil prices and with no easy way out: there is no such thing as a hybrid 747, although Virgin airlines grabbed headlines with a brief biodiesel experiment. Fortunately airlines, unlike consumers, have always factored efficiency into their purchasing decisions. Bringing this insight into Ford could be one of his main contributions. Meanwhile Ford remains unlikely to garner a “buy” recommendation any time soon.

cemp

May 25, 2008

CFP 2008: Network neutrality and the end of flat pricing models

Filed under: Internet, economics, events, markets, oped — cemp @ 1:03 pm

(Reflections on the past Computers, Freedom and Privacy conference.)

The event had no coherent theme this year unlike the relevance of copyright in 2002, electronic voting in 2004 at Berkeley, the panopticon of commercial surveillance in 2005 at Seattle and the corresponding questions around intelligence in 2006 in DC. Network neutrality and the recent overtures from Comcast, British Telecom and Charter may have been the closest to a shared preoccupation with the crisis-of-the-day.

One welcome development is that the audience on the whole had moved beyond the particulars of Comcast blocking BitTorrent, discussed earlier here. Many people, including Paul Ohm and David Reed (who coined Reed’s law describing the value of collaborative networks), made the point that the purported goal of managing scarce upstream bandwidth could have been achieved by much less intrusive means, including metering usage regardless of the protocol involved. The network neutrality principle rules out any justification for picking on one protocol or application– even if Comcast network engineers decided empirically that one protocol was responsible for the lion’s share of bandwidth usage. And there is no excuse for injecting bogus network traffic (forged reset packets) in response to perceived usurping of bandwidth. Comcast, to its credit, had a recent moment of clarity and announced a more nuanced approach for managing its available capacity, emphasizing “protocol agnostic.”

As the CFP discussion made clear, BitTorrent and its alleged use for sharing copyrighted content is a red herring, a distraction from the core issue, which is purely economic. It is the question of who is paying for bandwidth and exactly how much. Throughout much of the 1990s residential Internet access remained slow, primitive and uncommon. Dial-up connections were the norm and subscribers paid for the amount of bandwidth used. In this environment bits were precious, applications were designed to eke out the greatest utilization from the modest bandwidth available, and spam literally cost money by driving up usage charges. Eventually, as capacity expanded everywhere, from the massive amounts of fiber underground bulking up the backbone to upgrades in the so-called last mile to the home, it became possible for ISPs to enter the market with a disruptive business model: a flat monthly fee for unlimited usage. When AOL switched over to this structure in 1996, it was overwhelmed by the response.

During the transition from dial-up to broadband this tradition of all-you-can-eat pricing was inherited. Granted, service tiers still existed and greater bandwidth could be purchased for higher monthly fees. Within a particular tier it made no difference if the subscriber surfed the web all day long or rarely powered up her computer. This was either the realization of an old prediction made about nuclear energy (“electricity too cheap to meter”) in the context of bandwidth, or a sign that everyone was on board with the arrangement of infrequent users subsidizing the high-demand households. It would not have been the first time: similar subsidies occur all the time in technology, including for example different SKUs for software, where enterprises pay far above cost to enable consumer versions to be sold at deep discounts.

Either way, the tacit agreement between subscribers and ISPs has continued. Until now. Just as the post-World War II euphoria over nuclear energy making electricity essentially free gave way to Cold War anxiety as the long-term problems were better understood, the visions of exponentially improving bandwidth quickly disappeared. Unlike CPU and memory, bandwidth proved surprisingly resistant to Moore’s law. Broadband access by DSL or cable still costs about what it did several years ago, and while available network speeds increased gradually, it was a far cry from the doubling-every-18-months rate that other components of the PC experienced.

The major disruption instead was the rise of new bandwidth-hungry applications, particularly those clamoring for upstream bandwidth. Parkinson’s law says that work expands to fill the time available. Internet applications did the same thing for bandwidth. Streaming video may have brought us to an inflection point. All-you-can-eat makes sense when the subsidies are reasonable; in other words, the expected range of consumption lies in a narrow band, where the difference between the heaviest users and less demanding ones is small. (That difference is a proxy for the amount of subsidization going on. Less frequent users are missing out on that much value and the heavy users get a corresponding free ride.) In the good old days of narrowband, the difference between the Internet addicts and infrequent users may have been insignificant. Today the difference between checking email and streaming a Netflix movie can be two orders of magnitude.

It’s clear that ISP networks are oversubscribed: there is not enough capacity to deliver 10Mbps to every user at the same time, even though that is the advertised service level. As long as the average demand works out to below some threshold, everyone is happy. That situation calls for a mix of connection profiles: some idling, others engaged in tasks that are not bandwidth-intensive, and another fraction going full throttle. When more subscribers start maxing out their usage and disparities in consumption grow, the flat pricing model cannot survive. Not surprisingly for a telco, Comcast tried to solve this problem in the most crude and heavy-handed way, by trying to “take out” one protocol and suppress demand. Equally predictably, it just dug itself into a deeper hole, sparking a new round of debate on network neutrality and even stirring government into action.

Future predictions? Instituting pay-as-you-go may be a challenge, even when it is the most efficient allocation of bandwidth. Customers are used to the flat fee structure. Instead we might expect two things. First is a global cap on the amount of bandwidth available per month, similar to wireless plans, with overage charges or reduced service levels when the cap is reached. The second response would be an increasing number of service tiers: for example a “file-sharing plan” (obviously named something more acceptable) may offer higher upstream bandwidth and greater caps. All of these are consistent with network neutrality: the subscriber gets an allotment of bandwidth in terms of the maximum available, sustained over a period of time and perhaps for the duration of a month. The user is free to exercise this bandwidth any way they choose: any protocol, any website, any time etc. without interference from the ISP. Limitations imposed on exceeding the expected demand level are transparent and fixed in advance. More importantly, the customer can decide to opt for the next service tier when necessary.

cemp

April 9, 2008

The future of diesel: still cloudy

Filed under: economics, environment — cemp @ 5:22 pm

Treehugger looks at the possibility of diesel becoming more popular in the US for mainstream automobiles. After a bad experiment in the 1970s-80s, diesel cars were relegated to niche status, with only a handful of manufacturers, most notably Volkswagen, continuing to produce them as passenger cars. Many diesel models manufactured for sale in Europe were never imported stateside, and large trucks for commercial use remained the primary application owing to better fuel economy, reliability and cost factors. As diesels progressed far beyond their bad reputation for noise and soot, environmentalists continued to gripe about this state of affairs. Some continued to pin their hopes on a diesel revival for reducing carbon emissions and because these engines can be converted to run on biodiesel mixtures, including 100% blends of used vegetable oil. Occasional success stories, no matter how far removed from the mundane world of passenger cars, such as Audi winning the 24 Hours of Le Mans in 2006 with a diesel race car, kept these hopes alive.

But the current prospects are not good. California tightened emissions standards related to sulfur in diesel, which restricts the type of fuel that can be used legally. More importantly the price difference between gasoline and diesel inverted: it is now more expensive to buy diesel. This was an abrupt change.

“Over the past year, the average price of diesel in America has risen by 117%—twice as fast as petrol. While both carry the same taxes in America, diesel now costs 60 to 70 cents a gallon more than regular gas. [...]”

At least some economists are expecting this to increase to the point of canceling out the improved mileage from a pure cost point of view. (Reduced carbon emissions remain as a benefit.) Meanwhile the cutting edge for high-efficiency vehicles appears to be concentrated on gasoline-electric hybrids or fully electric vehicles, even though a few diesel-hybrids are in the works. Diesel may just become another Betamax: a better technology whose time never comes because of market quirks.

cemp

March 6, 2008

Credit rating system and meaningful choice

Filed under: economics, markets, privacy — cemp @ 12:27 am

A story from NYT Real Estate section about a British expat’s search for an apartment in Manhattan reads on different levels. Describing the interaction with a real estate agent:

“Almost by way of small talk, she said ‘Where are you from’ and I said ‘I’ve just come over from London yesterday,’ … She asked whether he had a credit history in the United States or a bank account or a Social security number, all of which he would need to rent an apartment. No, no, no. … But his employer would provide initial financing and act as guarantor.”

What would be the expected response from the realtor? In this case walking out on the client:

“She completely lost interest and just left,” leaving him standing on the pavement.

Welcome to the Big Apple. It would be easy to dismiss this as yet another rude awakening in the ways of Manhattan for a new arrival– an experience this blogger can relate to. But there is a more subtle point about the pernicious growth of credit rating systems here. It’s not an oversimplification to say that without a social security number, a US consumer is just a nebulous and largely invisible presence in the eyes of lenders. Most of the data compiled by data-brokers such as Acxiom, Choicepoint and the more familiar credit-reporting bureaus such as Experian and TransUnion are indexed by the SSN. To oversimplify in database terms, one could say the SSN is the primary key to the database. In this case the expression “key” is quite appropriate because it unlocks all the reputation information required for a significant transaction: buying a car, leasing an apartment, even getting a cell-phone contract. With the credit history available, consumers stop being blank faces; they acquire useful numbers: Alice has a 700 FICO score, Bob has an 8-year mortgage in good standing, etc. Everyone is now a three-dimensional character jumping out of the page, shrouded in precise numbers.

One of the arguments in defense of massive data collection is that it enables credit: individuals can go anywhere around the country and still enjoy the same access to credit as if they lived in a small town where everyone knew first-hand about their impeccable track record in paying back debts. (The flip-side, never mentioned in the same sentence, is that nobody can start over: the scarlet letter of bankruptcy or foreclosure also follows people around. It is true that in this case there are no second acts in American life.) The more widespread and inflexible our reliance on credit history, the more difficult it is to get started and the greater the discrimination between those who have an extensive dossier versus those with a blank slate. NYC may be an extreme example. In keeping with its completely ludicrous and preposterous state of affairs, some landlords demand to see bank statements, employment verification on official company letterhead and even past tax returns before approving a lease. But stories like the one above are far from unique: if the agent had any shred of common sense, she would have realized that a decent-sized company– implied by having offices in London and New York– as a guarantor is much better than one would expect to get from most consumers: while individuals can go bankrupt or disappear, a company with deep pockets can be litigated to the last penny. The story did have a happy ending because at least one rental agency was sane enough to accept his application with a six-month deposit– but only after running a credit check on this person’s manager. There is no escaping the system.

cemp

February 28, 2008

The conscience of a mutual-fund manager

Filed under: Internet, economics, markets — cemp @ 6:27 pm

“Upon reflection it doesn’t take long to realize that we were living for more than two decades in the Age of Decadence. This decadence was so prevalent that everyone from the government down to the regular citizen was an accomplice. During this period we saw America continually make the wrong decisions, lose its industrial might, damage its national balance sheet, and erode the reserve status of its currency.”

This could have passed for a stump speech by an aspiring politician sharpening his/her rhetorical skills for November. Instead it comes from the opening paragraph of the annual report for a mutual fund. The private Swiss bank Julius Baer is more likely to make the headlines these days because of its role in shutting down the controversial Wikileaks website than for any flourish with prose. Yet a quick peek at the report covering the period ending 10/31/07 reveals a different side of the culture.

Mutual fund reports and statements are invariably written in a dry, legalistic language designed with only one purpose in mind: minimizing liability to the company from a litigation-happy client who is looking for a scapegoat to blame after losing their shirt trading straddle options on the Zimbabwe stock exchange. Disclaimers about past performance not being an indication of future results are everywhere, as are doom-and-gloom, danger-Will-Robinson caveats about the risks of non-diversification, short-term fluctuations, exposure to emerging markets and the health hazards of consuming trans-fats. At least one section of the Julius Baer report is a far cry from this content-free boilerplate:

“We also created structural imbalances and excesses in our economy that led to one bubble then another—the least painful way to contain one bubble is to create another; hence postponing the day of reckoning. In this period, we made useless financiers fly-by-night billionaires, destroyed most American’s living standards by depressing their wages and sinking the dollar against most currencies known to man—with few exceptions such as the Zimbabwe dollar.”

Such moral outrage and indignation against incompetent fiscal policy and income inequity can’t be a very common sentiment in the financial sector. Penned by Rudolph-Riad Younes, long-time manager for the successful International Equity Fund, ticker symbol BJBIX, now closed to new investors, these words carry a strange sense of gravity more appropriate to an oped column than an announcement of financial results. (Full disclosure: this blogger owns shares in the fund.) It only gets better as Younes takes aim at other sacred cows:

“The Fed has shirked many of its responsibilities: by allowing asset bubbles to form unfettered; by maintaining ultra-lax monetary policies; by neglecting its regulatory oversight authority; and, by succumbing easily to the faintest political pressure. [...]
The rampant decadence at the top trickled, as expected, all the way to the bottom resulting in two major bubbles while laying the foundation for future ones.” 

What follows are brief retrospectives on the tech bubble and the more recent housing bubble. One of the most interesting arguments is in the section labelled “The Cardinal Sin: Believing in Santa Claus.” Here he argues that a good deal of the problem originated with the Federal government revising its inflation measure to a completely different benchmark which made the figures come out significantly lower, very conveniently thank you– the equivalent of tampering with the speedometer as a way to speed up the car. A dangerous implication is that the “true” inflation rates driving economic forces stand at 4-6% above the stated numbers.

Finally throwing in a simple metaphor to emphasize the folly in case it was lost on the reader:

“In short, the government (the parents) invented Santa Claus in order to cheer up pensioners and laborers (the children) who were worried about their parents’ ability to pay for their entitlements (gifts). The whole family was happy with Santa Claus. The children were happy with the yearly gifts and parents were satisfied that their children were buying the fairy tale and able to rein in spending. But as in real life, it is a blessing only when children believe in Santa Claus and a tragedy when parents do!”

No happy endings here though. The report concludes with predictions of more decadence and bubbles. Great reading overall.

cemp

February 22, 2008

Rumors of Windows server platform “failure” slightly exaggerated

Filed under: Internet, MSFT, economics, software — cemp @ 1:33 pm

This article, which made it to Slashdot recently, and the linked post from CNN/Money could use an application or two of Occam’s Razor. It stipulates that the MSFT bid for Yahoo is prompted by an internal recognition that the Windows server platform has failed. The company, having seen the light according to this commentator, is going after systems built on the Linux/Apache platform instead.

“Microsoft runs on the Windows platform and it has proved inadequate to run big Internet companies. There is not one big Internet company – and I mean “BIG” like Google Inc. (GOOG), Yahoo, Amazon.com Inc. (AMZN), eBay Inc. (EBAY) and such – that runs on Windows besides Microsoft. Its software platform has been a disaster supporting its search engine, email and other free services.”

It only takes a second to recognize this as uninformed drivel: Hotmail/Windows Live Mail is the world’s largest email service, period. Passport/Windows Live ID is the largest online authentication system. When it comes to instant messaging, MSN/Live Messenger is not too far behind Yahoo and AIM– never mind the branding confusion between MSN versus Live. All of them run on W2K3, IIS, SQL Server and the accompanying much-criticized baggage. It’s not a recent phenomenon either: in the late 90s MSR built TerraServer– long before viewing satellite imagery was an everyday activity– to showcase the scalability of a massive data warehouse running on Windows.

Yet the quote above does raise an interesting question about why more large scale web services are not built on top of Windows. The obvious reason is easy to shoot down: the difference between shelling out $$$ for W2K3/W2K8 or getting Linux for free. It’s true that a single server license can run into the hundreds of dollars depending on the particular SKU, and thousands of dollars for the more esoteric 64-bit variants. This is why hobbyist sites, non-profits and small businesses (as well as the virtual hosting companies catering to them) are more likely to prefer open-source software, because of the extreme price sensitivity in that market segment. Assuming that the distribution of internet-facing websites has a very large tail fitting that category, this would explain why Netcraft surveys continue to show Apache leading IIS 50% to 35%, in spite of huge jumps in April ‘06 and September ‘07 that narrowed the gap from the previous 3x difference.

But in the enterprise context, the gating factor becomes the recurring cost of running a data-center: all of that IT staff, leasing the space and the power used adds up. The upfront purchase price of hardware and software is dwarfed by operational costs– and that’s one reason why the Windows server platform continues to make inroads into this segment, joining Linux in slowly chipping away at the market share of the more expensive UN*X variants that once dominated the server business. Nowadays it is not rare to see the entire IT infrastructure of a company run on Windows and developed using .NET programming models.

What about large scale Internet services? This is the mystery: the existence of very large-scale (in at least two cases cited above, the largest, period) services running on Win32 and Win64 proves it can be very competitive. In that case the nagging question remains: why are there so few examples outside Microsoft?

cemp

February 4, 2008

Security, excuses and hidden agendas

Filed under: MSFT, Security, economics, risks, software — cemp @ 11:59 pm

Bruce Schneier has often commented on the tendency for hidden agendas to masquerade behind excuses for security. “For security reasons, we must do …” or “due to security concerns, we do not allow…” The classic example in Beyond Fear was the prohibition against bringing beverages into a baseball park: is it really about safety inside the park in the heightened awareness after 9/11, or a boost to the soft-drink sales inside which goes to lining the club’s pocket at the end of the day?

The latest MSFT one-eighty around virtualization is starting to look like another one. To recap, in June last year MSFT announced that it was expanding virtualization options for Vista to allow the Home Basic and Home Premium SKUs to run in a VM. This was shortly reversed by a change of course, now requiring users to fork out for the more expensive business editions due to unstated security reasons. More recently MSFT announced that it is again allowing virtualization of the less expensive varieties. What to make of this? If this were a politician running for a coveted nomination on Super Tuesday this type of change in policy would be understandable. Ruling that out, two other options remain:

  1. It was decided that customers can live with lower security assurances for the scenario. That is to say, after spending 5 years to ship the most secure version of Windows to date in Vista, breaking backwards compatibility and even sinking untold amounts of R&D into inane, useless features such as UAC to prove this commitment, Microsoft is now letting go of a strategic advantage by allowing the operating system to be run in a vulnerable configuration.
  2. The security excuse was a ruse all along, intended to push customers towards more expensive Vista SKUs until the company itself could develop a proper response to the disruptive nature of virtualization.

#2 is looking like the smarter bet at the moment. It is not clear that virtualization is necessarily a short term revenue threat. Virtualized or not, those copies of Windows must still be licensed. In other words the Mac user running Vista under Parallels or VMware Fusion is still paying for a full license as if they had installed it natively. (Granted there might be a small uptick in piracy since pre-activated/genuine-advantage-validated VM images make for a convenient way to distribute pirated copies.) This scenario might be of greater concern to Dell or HP since it means that consumers have the option to purchase a Mac instead of a PC. Meanwhile server consolidation, the other major business case for virtualization, is not affected by the Vista licensing arrangements because Vista is a client OS. Windows Server 2003 and 2008 are the relevant products for virtualized data-center environments, and it’s primarily the virtualization policies around these products that have to be carefully crafted to protect server business revenue.

Long term, however, there is a strategic threat. Parallels and VMware might be great for getting the best of both worlds from Linux/Mac + Windows, but if Vista is increasingly seen as a “secondary” OS to run alongside a primary one, purely for compatibility with applications written for the venerable Win32/64 API, it raises the question of how long before those applications can finally be ported to the other platforms so they do not need virtualization as a crutch. More than any short term risks around piracy or missed revenue from consumers opting for the inexpensive Vista SKUs, this is the great danger of undercutting the platform that MSFT has to contend with.

cemp
