Windows Phone 7: dropping a generation of developers
Posted: February 16, 2011 Filed under: markets, mobile, MSFT, software Leave a comment »One of the less discussed aspects of the Nokia-MSFT deal is impact on developers. After all platforms stand or fall on the strength of their applications. (Steve Ballmer wanted every MSFT employee to take this message to heart.) Windows was able to leverage this virtuous cycle to deliver a stunning upset to Apple in the 1990s, by creating a very attractive environment for developers to enrich the platform one application at a time. Windows API was stable, through two decades as everything changed about the basic PC architecture. CPUs went from 16 to x64, multiple cores and SMP became common, GPUs gained a prominent role, the Network became a critical component of writing code. Windows programming still looked the same. In fact “app compat” became one of the major costs in operating system development– through heroic engineering effort, buggy applications relying undocumented APIs in some archaic version of the operating system were coaxed into working properly on the latest and greatest kernel, lest the incompatibility deter some customer from upgrading.
The same approach applied to mobile programming. Even before smartphones, MSFT pursued handhelds with PocketPC. A subset of the venerable windows API was still present, and later expanded into Windows Mobile. Any developer familiar with programming desktop applications could, with a little effort, write code for mobile devices. To a large extent Apple took the same approach to allow its developers to transition from writing Mac OS-X applications to targetting the iPhone/iPad.
So it came as a major surprise that WP7 dropped backwards compatibility. Native code is now verboten, only .NET applications can be written. In one bold stroke, MSFT may have lost a generation of developers who grew up scrutinizing the MSDN documentation for the subtleties of the classic Windows API. An even bigger question is whether they will be able to court new developers and gain mindshare among those contemplating a career in development. From the perspective of a newly minted computer science graduate trying to decide which programming language/environment to excel in, the options are:
- Learn C/C++ and take up any systems programming task. (This includes traditional Windows applications, an admittedly endangered species.)
- Learn Java and program either server applications, or dive into mobile development with Blackberry or Android– the new hotness.
- Learn Objective C and write OS X or iPhone applications. Also known as “objectionable-C” this was an attempt (emphasis on attempt) to add object-oriented features to C before Stroustrup did it the right way with C++. Outside of Cupertino few people care about it.
- Learn C# and .NET to program… what exactly? For all the work on promoting the idea that .NET is cross-platform and beats Java at its own game of write-once-run-everywhere, the technology remains very much tied to MSFT platforms. This used to be seen only for enterprise line-of-business applications, and web applications running on Windows server variants: before Windows Phone 7 came along and mandated managed code. The problem is these are highly specialized segment of the market. Much like learning Objective-C and Cocoa development, it is not a portable skill useful in any other context. Unlike OS-X/iPhone, WP7 does not have a commanding presence in the market and proven revenue model with an app store.
It is difficult to justify taking that last option, except as a way to capitalize on lack of competition. In other words, since every one else is writing for iPhone and Android, one viable strategy for ISVs may be churning out copy-cat WP7 applications styled after the popular ones on the leading platforms. But this is hardly a sustainable model, or an appealing proposition for a new developer seeking challenging work.
CP
Standardizing on a standards body
Posted: August 3, 2008 Filed under: Internet, markets, oped, software Leave a comment »Greetings to the Open Web Foundation. OWF is a new organization for promoting community-driven specifications:
“The Open Web Foundation is an attempt to create a home for community-driven specifications. Following the open source model similar to the Apache Software Foundation, the foundation is aimed at building a lightweight framework to help communities deal with the legal requirements necessary to create successful and widely adopted specification.”
The next statement goes on to state that one of the objectives is to avoid creating a separate foundation for each new technology. Of course the natural reaction to that will be: “In that case, why are you creating yet another self-appointed standard organization? What is wrong with IETF or W3C?” To recap:
- W3C is the World Wide Web Consortium. It maintains core standards related to the web: HTML, CSS, XML, XSL, XPath, SOAP– for the most part, anything involving angle brackets falls under the jurisdiction of the W3C. Most of these are commonly recognized, widely supported data formats or data manipulation frameworks. (By contrast W3C forays into protocol design such as PICS, P3P and SOAP have met with mixed results.) The consortium charters working groups and issues official, versioned specifications.
- IETF is the Internet Engineering Task Force. IETF does not officially endorse standards. Its documents go by the more modest name RFC or “request for comments,” suggesting ideas in flux, perennially under editorial review, always open to improvement and changes. Yet many of the core protocols and specifications underlying the Internet can be attributed to an RFC. Email addresses? That would be RFC822. The HTTP protocol shuttling web pages around? RFC 2616. The official TLS protocol that gives us the peace-of-mind and security of the lock-icon on those pages? RFC 2246.
Ben Laurie seeks to preempt that question, also raised in the discussion group. Jury is out on the characterization of W3C as pay-to-play-cartel but the article does highlight a basic problem with IETF: being too inclusive. A former colleague at MSFT described it the requirements for participation in IETF as “a keyboard and Internet connection.” (We can also add: “… and an unshakeable conviction in the infallibility of your ideas.”) This model probably worked well when the workings of arcane protocols was of interest to the academic community only, and everyone that cared to participate started out on the same page, sharing common interests. Today the Internet is too large, the range of stake-holders too diverse and too much commercial success hinges on the outcome of standardization process to continue with that naive assumption of unified purpose.
That same colleague provided this insightful comment on the IETF process: It is a great forum to capture the dominant paradigm on paper and enshrine it as the Internet standard when consensus exists around one. It is not a very good forum for creating consensus in the first place, when everyone shows up at the table with different ideas and irreconcilable objectives. These words were uttered in the aftermath of the Sender ID meltdown where the working group rejected an anti-spam proposal from Microsoft.
OWF raises anew the question of who gets the privilege of a seat at the table once the IETF model (anyone is welcome or “no fool left behind”) is declared dysfunctional, because there is too much randomization. Intuitively those writing software to implement the standard emerge as obvious candidates. But are some implementors more equal than others? Surely not every crackpot with a copy of networking for dummies is entitled to derail the standard process. What about individuals who are recognized subject matter experts but not currently developing software in this space? Moving away from the core, how about companies whose products will be indireclty impacted? Do ISPs get a say in the development of a P2P filesharing protocol, considering it is their infrastructure about to get hammered? Does a firewall vendor get to express an opinion on anti-spam technology because they want to inspect traffic at the edge? Do other participants have the right to declare that they are not interested in supporting that scenario, shutting them out of a particular market segment? Even more controversially, what about companies whose business model is at risk from the existence of the technology? (Advertising networks, criticially dependent on third-party cookies for their existence, were participants in the working group tasked with developing the privacy standard P3P that Internet Exporer uses to manage cookies.)
Assuming that OWF gains any traction, at least one benefit will be forcing some soul searching inside IETF and W3C.
cemp
Customer lock-in and US mobile market
Posted: July 8, 2008 Filed under: Internet, markets, oped, policy, software Leave a comment »Dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories pointed out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first generation phones caused AT&T to miss out on significant revenue as customers bought the devices without any intention of signing up for the corresponding wireless service. This time around buyers are forced encouraged to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with minimum 2 year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays as the purchase itself got complicated by doing credit checks and all the other ceremonies that go with signing up for service plans.
It is still possible to purchase the device itself, but at steep premium. This is standard in the US market where phones are subsidized by the wireless service contract, and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they generated enough revenue to offset the cost of the subsidy. But there is still a gap in the logic as the TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.
On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and how to stop it.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” were one that captured Apple’s attitude towards open platforms: “unforeseen.”
cemp
Charter and Project Canoe: one step forward, two steps back
Posted: June 30, 2008 Filed under: Internet, markets, oped, privacy Leave a comment »Charter communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of customers. The plan had sparked backlash from privacy advocates, soon spreading to regulatory agencies, culminating in Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports the market barely shrugged, sending the stock down a mere 3.5%, leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (but not necessarily of the desirable variety) and positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.
With the ink on that story barely drying, another news item from Reuters reports on privacy concerns about US cable providers have teaming up to mine the TV viewership data from their subscribers. Objective: stop the advertising revenue from shifting over to the web. Individual, targeting is the main differentiating factor for advertisement the web, whether this is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast mass media suffers from its “broadcast” nature where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve that over the years. For example today newspaper can target particular zipcode– it is possible to get New York Times to print a full page ad but only for certain zipcodes in Manhattan. Impressive as that sounds for an old school newspaper, this is primitive compared to the level of customization on the web.
There are two pieces to the puzzle: first one is being able to understand the audience better and the second one is being able to deliver unique, personalized content for each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscribers set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple-views, including the number of times a recorded program is watched and when. But then again many DVRs today are bundled with cable packages and cobranded by the provider so it is not clear who is calling the shots on the device logic.)
With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:
“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.
The problem is few people read the disclosures and even fewer understand the extent of data collection and its implications to make an informed decision on whether this practice is consistent with the person’s personal values on privacy. Even for users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative the article concludes:
“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.
The article does not speculate on which independent entity would be stepping up to the plate for that role. In general the idea of trusted third-parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organization trying to offer a much simpler service, third-party verification of privacy practices have been dogged by skepticism about their effectiveness.
cemp
Charging by the gigabyte and end of the free bandwidth lunch
Posted: June 15, 2008 Filed under: Internet, markets, oped, policy Leave a comment »This Sunday an article in the NYT takes up the question of bandwidth pricing, joining earlier speculation on this blog about the twilight of flat fee subscription models. The article with the self-explanatory title “To curb Internet traffic, access provider are beginning to charge by the gigabyte” cites an experiment Time Warner is running in Beaumont where customers can choose between 5GB, 20GB or 40GB capped monthly plans. In case you have never heard of Beaumont: the article states that it is a city in Texas with around 100K population– exactly the type of place to run such an experiment without attracting a lot of attention or generating resentment from a cosmopolitan audience spoiled on the comforts of streaming YouTube videos all day long. It is a good, balanced piece aside from the author’s confusion between BitTorrent the protocol verses BitTorrent the company when recounting the Comcast debacle
These magic 5/20/40GB numbers also raise the question of exactly what the average bandwidth usage is. There seems to be few academic papers in this area. One TTime-Warner exedcutive quoted in the article says:
“Average customers are way below the caps… These caps give them years’ worth of growth before they’d ever pay any surcharges.”
The only figure cited in the article is that 95% of customers use under 40GB of traffic each month. (It is not clear if this is downstream, upstream or combined.) Chances are Time-Warner has sliced and diced the bandwidth usage data very carefully before choosing these numbers and associated prices that range from $30 to $50, and the $1 per GB overage fees for exceeding the caps. One problem is there is no single average Internet user, as the author of the NYT piece argues very convincingly. The novice checking email and movie times could be happy with the 5GB cap but an addict streaming videos or watching TV shows on Hulu.com is likely to run over even the more generous limits. One Netflix download is a couple of GB. Watching a handful of movies every month may not break the bank in this model but at the surcharge rates of 1$/GB, suddenly a movie ticket or rental from the local store is competitive with what used to be “free, unlimited” instant viewing. More importantly there is a network version of Parkinson’s law which states that content expands to saturate the bandwidth available. As the capacity of networks increase, more bandwidth-hungry application are introduced.
So far it is an experiment but if this model goes mainstream, it would threaten the revenue stream for media companies. Netflix and Hulu are dependent on consumers being able to stream their content. Until now subscribers did not have to dutifully count their bytes the way cell-phone users count their minutes. An iTunes download is not competing for scarce bandwidth quoates with a high-definition movie from XBox Live Marketplace. Even if the bandwidth is not capped but throttled in the interest of fairness, it will create a mindset of scarcity and zero-sum choices between different options. On the bright side, broadband users may become more discerning and not forward that inane lolcatz video around one more time.
The alternative is for the content providers to compensate the ISPs. In this model Netflix would pay Comcast directly and those downloads would not count towards the monthly quota. In effect this is a type of revenue sharing or extortion depending on which side of the deal one is focusing on. It also creates a troubling situation for network neutrality. When some content is “free” and others require payment in scarce bandwidth allocation, speakers that are not able to pay ISPs to absorb access costs are in effect disadvantaged. Critics might content the same situation applies today, in that companies with large data centers and fat egress pipes are better able to push their content to an audience. Yet those correspond to capital invesments in the endpoints, fully under control of the speaker. An ISP metering bandwidth is situated between the content provider’s data center and the target audience, able to manipulate economic incentives for accessing that content regardless of how state-of-the-art the data center originating the content may have been. This is a case where artificially created bandwidth scarcity may have the effect of picking winners and losers between business models, as well as content providers.
cemp
“Unauthorized charger” and other device restrictions
Posted: June 7, 2008 Filed under: hardware, markets, oped Leave a comment »One of the common complaints about electronic gadgets is that nearly each one requires a different power adapter. The diversity can not be explained by the difference in power consumption; a laptop that burns 90W could just easily be powered by an adapter that is rated to 100W. The price would at best go up increase very slightly with maximum rating and this difference would be likely compensated for by the economy of scales from standardizing on a small number of models. Yet manufacturers continue to insist on not standardizing their adapters in the hopes of generating additional revenue.
Mobile phones are an interesting case. As smart-phones proliferate they require both power and data connectivity. The other end of the data connection is likely going to be USB. A sufficiently arrogant company could insist on their own Firewire (or is that IEEE1394?) technology in left field as the original iPods were but most consumer electronics have settled on USB2.0 fortunately. Speaking of the iPod it was one of the first that combined data and power into a single cable. Mobile phones are following suit now.
So it is something of surprise to see the Razor V3m display “unauthorized charger” when connected to a MacBook Pro. It is not a smart-phone so there is hardly any data to synchronize but USB is still good as a power source. There is no good reason for the phone to reject it. If this is by design and not just flakiness on the part of the handset, it is yet another pointless attempt to go against the current of interoperability in order to lock in consumers into a single brand of peripherals.
cemp
Ford Motor Company and the long-anticipated rude awakening
Posted: May 26, 2008 Filed under: economics, environment, markets, transportation Leave a comment »According to CNN/Money, Ford Motor Company concedes that high gas prices are here to stay, and as a result the company will not be able to execute on its profitability plan by 2009 as forecasted earlier. Readers maybe wondering why this is news. Detroit has been a single trick-pony for a long time. All three manufacturers had established businesses in light-to-heavy trucks and SUVs. These bet paid off handsomely through the 1990s and well into the first half of this decade with the exception of the brief recession following dot-com implosion. Meanwhile the passenger car market was ceded to foreign imports and there was virtually no interest in new fuel efficient alternatives. But such over-specialization is extremely dangerous: it is generally recognized that dependence on a single product line creates a major vulnerability. The technology parallel is MSFT, a perennial two-trick pony with operating systems and productivity software. The difference is MSFT has been very aggressively trying to diversity into online services, gaming consoles and automative computing, to name a few. Ford has been forging full speed ahead.
It’s not clear whether Ford management failed to see this coming or if the internal structure prevent action. A more charitable interpretation is that Ford did not hedge correctly on price of oil. The last decade of the 20th century showed a clear upward trend in price of crude and gasoline, with long periods when the price of the refined product seemingly “unhinged” from the price of the underlying commodity. Yet the fluctuations did not appreciably change lifestyles. There was no price elasticity, commentators argued, because the amount of fuel consumed is decided a long time in advance based on the commute and vehicle. Once individuals migrate to the exurbs and commit to 45 minutes of rush-hour driving with the 8000lb SUV, it’s difficult to respond to changes in pricing.
But the laws of economics were not permanently suspended. There is a price point where even existing owners may change their consumption pattern. More importantly before that point is reached another pressure appears: prospective car buyers will gravitate towards higher milage options. Ford CEO Alan Mulally says: “We saw a real change in the industry demand in pickups and SUV in the first two weeks of May. It seems to us we reached a tipping point.” This acknowledgment is an important first step but arrives about 5 years too late. Interesting enough Mulally was vice president at Boeing earlier, another company very vulnerable to oil prices and no easy way out: there is no such thing as a hybrid 747 although Virgin airlines grabbed headlines with a brief biodiesel experiment. Fortunately airlines unlike consumers have always factored efficiency into their purchasing decisions. Bringing this insight into Ford could be one of his main contributions. Meanwhile Ford remains unlikely to garner a “buy” recommendation any time soon.
cemp
CFP 2008: Network neutrality and the end of flat pricing models
Posted: May 25, 2008 Filed under: economics, events, Internet, markets, oped Leave a comment »(Reflections on the past Computers, Freedom and Privacy conference.)
The event had no coherent theme this year unlike the relevance of copyright in 2002, electronic voting in 2004 at Berkeley, the panopticon of commercial surveillance in 2005 at Seattle and the corresponding questions around intelligence in 2006 in DC. Network neutrality and the recent overtures from Comcast, British Telecom and Charter may have been the closest to a shared preoccupation with the crisis-of-the-day.
One welcome development is that the audience on the whole had moved beyond the particulars of Comcast blocking BitTorrent, discussed earlier here. Many people including Paul Ohm and David Reed (who coined Reed’s law describing the value of collaborative networks) made the point that the purported goal of managing scarce upstream bandwidth could have been managed by much less intrusive means including metering usage regardless of the protocol involved. Network neutrality principle rules out any justification for picking on one protocol or application– even if Comcast network engineers decided empirically that one protocol was responsible for the lion’s share of bandwidth usage. And there is no excuse for injecting bogus network traffic (forged reset packets) in response to perceived usurping of bandwidth. Comcast to its credit had a recent moment of clarity and announced a more nuanced approach for managing its available capacity, emphasizing “protocol agnostic.”
As the CFP discussion made clear, BitTorrent and its alleged use for sharing copyrighted content is a red herring, a distraction from the core issue that is purely economical. It is the question of who is paying for bandwidth and exactly how much. Throughout much of the 1990s residential Internet access remain slow, primitive and uncommon. Dial-up connections were the norm and subscribers paid for amount of bandwidth used. In this environment bits were precious, applications were designed to eke out the greatest utilization from the modest bandwidth available and spam literally cost money by driving up usage charges. Eventually as the amount of capacity expanded everywhere, from the massive amounts of fiber underground bulking up the backbone to upgrades in the so-called last mile to the home, it became possible for ISPs to enter the market with a disruptive business model: flat monthly fee for unlimited usage. When AOL switched over to this structure in 1996, it was overwhelmed by the response.
During the transition from dial-up to broadband this tradition of all-you-can-eat pricing was inherited. Granted, service tiers still existed and greater bandwidth could be purchased for higher monthly fees. Within a particular tier it made no difference if the subscriber surfed the web all day along or rarely powered up her computer. This was either the realization of an old prediction made about nuclear energy (“electricity to cheap to meter”) realized in the context of bandwidth, or a sign that everyone was on board with the arrangement of infrequent users subsidizing the high-demand households. It would not have been the first time: similar subsidies occur all the time in technology, including for example different SKUs for software where enterprises pay far above cost to enable consumer versions to be sold at deep discounts.
Either way, the tacit agreement between subscribers and ISPs has continued. Until now. As predictable as the post World War II euphoria over nuclear energy making electricity essentially free disappeared in the Cold War anxiety as the long term problems were better understood, the visions of exponentially improving bandwidth quickly disappeared. Unlike CPU and memory, it proved surprisingly resilient to Moore’s law. Broadband access by DSL or cable still costs comparable to what it did several years ago, and while available network speeds increased gradually, it was a far cry from the doubling every 18 months rate that other components of the PC experienced.
The major disruption instead was the rise of new bandwidth hungry applications, particularly those clamoring for upstream bandwidth. Peterson’s law says that work expands to fill the time available. Internet applications did the same thing for bandwidth. Streaming video may have brought us to an inflection point. All-you-can-eat makes sense when the subsidies are reasonable; in other words the expected range of consumption lies in a narrow band, where the difference between heaviest users and less demanding ones is small. (That is a proxy for the amount of subsidization going on. Less frequent users are missing out on that much value and the heavy users get a corresponding free ride.) In the good old days of narrowband, the difference between the Internet addicts and infrequent users may have been insignificant. Today the difference between checking email and streaming a Netflix movie can be two orders of magnitude.
It’s clear that ISP networks are over provisioned: there is not enough capacity to deliver 10Mbps to every user at the same time even though that is the advertised service level. As long as the average demand works out to below some threshold, everyone is happy. That situation calls for a mix of connection profiles: some idling, others engaged in low bandwidth-intensive tasks and another fraction going full throttle. When more subscribers start maxing out their usage and disparities in consumption grows, the flat pricing model can not survive. Not surprising for a telco, Comcast tried to solve this problem in the most crude and heavy-handed way by trying to “take out” one protocol and suppress demand. Equally predictably, it just dug itself into a deeper hole, sparking a new round of debate on network neutrality and even stirring government into action.
Future predictions? Instituting pay-as-you-go may be a challenge, even when it is most efficient allocation of bandwidth. Customers are used to the flat fee structure. Instead we might expect two things. First is a global cap on amount of bandwidth available per month, similar to wireless plans, with overcharges or reduced service levels when the cap is reached. The second response would be an increasing number of service tiers: for example a “file-sharing plan” (obviously named something more acceptable) may offer higher upstream bandwidth and greater caps. All of these are consistent with network neutrality: the subscriber gets an allotment of bandwidth in terms of maximum available, sustained over a period of time and perhaps for the duration of a month. The user is free to exercise this bandwidth any way they choose: any protocol, any website, any time etc. without interference from the ISP. Limitations imposed on exceeding the expected demand level are transparent and fixed in advance. More importantly the customer can decide to opt for the next service tier when necessary.
cemp
Next version of MSFT office to support open document format
Posted: May 22, 2008 Filed under: markets, MSFT, software Leave a comment »The times they are changing for MSFT. A recent announcement that the next version of the Office suite will support new open source formats may be the most revealing example.
Interoperability is a complex strategic game but can be summarized this way: interop always helps the smaller competitors against a large established player. This is a standard consequence of network effects. Before Word had significant market share and was the small, scrappy upstart trying to gain a beachhead position against Word Perfect, it was imperative to read and write WP documents. This allowed customers to switch to Word but still continue to interoperate with the majority of people still using the more ubiquitous application. The developers for Word Perfect, on the other hand, have no incentive to help accelerate this switch, so their application would not recognize the new format. Here is a divergence from the golden rule of getting along in a network world: “be conservative in what you send out and generous in what you accept.” If interoperability were the only objective, every application would be able to open documents published by any other formats while itself using a very well narrowly-scoped that would be easy for these other applications to understand.
The same pressure applied to Excel when it was competing for market share against Lotus Notes. As MSFT Office became the de facto standard in the enterprise and eventually for consumers, this pressure gradually eased even though the import/export capability for the “legacy” formats remained. At some point the scales tipped and the burden shifts to the competing applications with smaller market share to work with the leading formats.
Open source software follows the same path: it was imperative for Open Office to be able to accept Word documents, as well as save new documents in Word format. This mean that every new release of Office required catch-up effort from the community to add necessary interop functionality. (It did not help that the office formats were largely undocumented and had to be reverse engineered until the XML based Open Office XML specification, which itself fueled another line of controversy during its push for standardization.) Same goes for cloud services: it is no coincidence that Word documents, Excel spreadsheets and PowerPoint presentations can be uploaded.
The announcement that MSFT Office will support the new open-source formats is not due to a tipping point in market share. Its current position remains virtually unassailable. Even the Apple commercials that try to mock PC platform as a square, clueless fellow are forced to pay a backhanded complement by emphasizing that the latest generation of Macs can run Office. Is this the sign that demand for interoperability has arrived? Is the golden rule a more compelling option than trying to create lock-in effects by using proprietary formats and breaking changes on every release that force open source alternatives to play catch-up? At least the European Union is not convinced and announced its own intentions to verify this:
“The Commission will investigate whether the announced support of Open Document Format in Office leads to better interoperability and allows consumers to process and exchange their documents with the software product of their choice.”
Between the competition from free Open Office, disruptive Google Apps for the Enterprise, Adobe trying to unify presentation layer with PDF and now additional regulatory scrutiny, it is getting interesting for the future of desktop productivity software.
cemp
Cross-platform vulnerabilities: revisiting the mono-culture risks
Posted: April 13, 2008 Filed under: markets, MSFT, Security Leave a comment »One of the CNet articles covering the 2008 RSA conference makes a new point about the competitive standing between the different operating systems: namely it may not be the OS itself that matters at this point. The author Tom Krazit argues in “Mac Security Not So Much About the Mac” that as the operating systems have been hardened, threats moved up the stack to applications running on top of the platform, which are often written by vendors with no connection to the OS vendor:
“At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller’s Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.”
The comparison is not quite accurate because Safari is written by Apple and distributed aggressively, including the recent 3.1 update forced on all Windows iTunes users who may have expressed no interest in having yet another web browser. Flash on the other hand is now associated with Adobe after its acquisition of Macromedia. No connections to MSFT there, and in fact they are arguably competitors. (Over the years, Flash emerged as a successful new platform on top of web browsers for delivering rich client experiences; something Java attempted with much fanfare before it flamed out and Sun re-focused its efforts on the enterprise market. More recently MSFT has positioned Silverlight as an alternative to Flash to regain developer mind-share.) Safari is a part of the Apple platform as much as Internet Explorer is rightly considered a part of the operating system; the latter was a central argument in the bundling question from the DoJ anti-trust trial of the late 1990s. This would not be the first time that Flash caused problems; for example its deliberate opening of backdoors in the same-origin policy and flawed implementation of controls for the backdoor (namely the well documented over-zealous desire to see a cross-domain policy in any conceivable piece of random data) lead to significant problems for web sites in the past.
Still there is an interesting connection between this observation and the mono-culture argument from 2003. Flash-back: a group of security professionals including Bruce Schneier, Dan Geer and Peter Gutmman co-authored a position paper titled Cyberinsecurity: cost of monopoly. Subtitled “How the dominance of Microsoft’s products poses a risk to security” the paper argued that having one operating system running on large number of machines created a single point of failure that provided attackers with an easy way to take out a large fraction of infrastructure by exploiting just one vulnerablity. No good deed goes unpunished: Geer was summarily dismissed (“promoted to customer”) from @Stake, which at the time had a business relationship providing auditing and penetration services to Microsoft.
Machines getting 0wned thanks to cross-platform extensions such as Flash pose a challenge for the mono-culture argument. After all one of the benefits of Flash, like its predecessor Java before, is to write portable code that works in any web browser on any platform. But this also opens up the possibility of cross-platform vulnerabilities. Not all of the code for Flash will be shared between say a Mac/Firefox version and the Window/IE7 version. But at least some critical components are: for example recently bugs were discovered in the regular expression engine affecting all platforms. The irony is that even when the installed base of operating systems diversified, a middle-layer designed to bridge the differences between these platforms will create similar risks as a mono-culture. The existence of such a middle-layer is a guaranteed by market conditions, whether it is Java, Flash or Silverlight. It is not economical for developers to target code to every possible hardware, OS and browser combination. An intermediate layer gives up some power and expressiveness that could have been achieved with code “native” to a specific platform, but in return promises greater reach across all plaforms. The mono-culture agreement taken to its logical conclusion would suggest not all users must have Flash: some should have Silverlight only and perhaps others rely on Java for rich-client experiences. (It’s not enough to also install the others; since the presence of the extension is enough to make it exploitable.) At this point it is running against market dynamics.
cemp
