Random Oracle

August 12, 2008

New York Times badly confused on identity management

Filed under: Internet, MSFT, Security, identity, oped, review — cemp @ 3:10 am

Goodbye Passwords is that rare misstep from the otherwise consistently solid Digital Domain section in the Sunday NYT: confused, misinformed and way off base. Among the several muddled arguments, four stand out:

1. Equating OpenID to passwords.

“OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”

Minor factual error: actually the password is not being typed into a random website. It is supposed to be provided only to the website where the identity was originally created, not the website where it is being used. But the general difficulty of determining whether one is indeed starting at the authentic site instead of a fraudulent replica– especially when the user has been sent there by the “someone else’s Web site” in question– leads to the standard critique of OpenID as increasing phishing risks.

Major factual error: OpenID is a federation standard, not a new user authentication approach. It does not mandate passwords or any other scheme for verifying identity. The OpenID 2.0 specification is loud and clear on this point:

“Methods of identifying authorized end users and obtaining approval to return an OpenID Authentication assertion are beyond the scope of this specification.”

That means the identity provider can choose to use good old-fashioned passwords, smart-cards, biometrics or experimental approaches such as reading tea-leaves to authenticate the user; OpenID is silent on this. In fact one of the more hyped extensions to the protocol, added at the urging of MSFT which has been desperately trying to promote CardSpace, is a way for signaling to websites that the user authenticated with credentials resistant to phishing– Infocards in the original vision that carved out this niche case, but also more generally strong authentication mechanisms such as PKI capable smart-cards.

2. Narrow definition of single sign-on:

OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

In the most general sense, single sign-on refers to one identity being valid for accessing multiple systems. This is in contrast to the current state of affairs on the web: most websites have their own notions of user identities, requiring users to create a new account. Each account is valid at exactly one website and not recognized anywhere else. Single sign-on (“federation” using the fashionable term) is about merging these disconnected islands of identity such that the scope of an identity can extend beyond that one site.

A quick peek at the Wikipedia entry would have hinted that SSO is not tied to passwords. So it comes as a surprise that a Microsoft architect is quoted as criticizing SSO. Cardspace is an instance of single sign-on: the vision calls for one identity held by the user’s machine to be usable for logging into any number of websites. Inside the enterprise, Active Directory is single sign-on because it allows the same credentials to be used for accessing everything from logging into a workstation with the three-finger salute to accessing email or HR systems.

3. Misconception that “information card” is a generic term-of-art as it relates to identity management. Information card, or infocard to use the original name for the technology before it was rebranded into CardSpace, is a particular proposal that defines specific formats and protocols for identity management. Writing about “the information cards” makes about as much sense as writing about “the Facebooks” and “the Googles.” Each is a specific incarnation of a general concept: a social networking site, a search engine and an identity management protocol.

4. No hint of the history of strong authentication or alternatives. A reader may walk away from this article with the impression that no realistic alternatives to passwords existed until Cardspace magically burst on the scene. Basic fact checking would have unearthed some not entirely obscure facts: there is a concept of digital certificates dating back to the 1970s, leveraging the same brew of “hard to break cryptography” whose virtues are extolled in the article. Since the late 1990s, digital certificates have been standardized by X.509, a stable and widely implemented format. It would be a small jump from there to realize that the SSL protocol universally used for securing communications online has provisions for users to verify their identity with digital certificates and that many large organizations, including the United States Department of Defense, have been depending on this capability for years.

This is not to say that there are not good points in the article. OpenID is a major distraction and duplication of effort precisely because it is a mediocre reinvention of the wheel, ignoring all the investments made towards deploying PKI on the web compliments of SSL and muddying the waters one more time just when there was a fighting chance that the industry might converge on a standard (SAML, far from perfect as it may be) as the underlying format for identity assertions. But it is a non-sequitur to argue that OpenID is doomed because of its dependence on passwords and inherent problems with single sign-on.

cemp

July 17, 2008

Vintage code, common hardware and value of backwards compatibility

Filed under: MSFT, mobile, review, software — cemp @ 5:55 pm

A data point on the value of backwards compatibility. This is an area where MSFT is frequently slammed, for its insistence on favoring compatibility with past mistakes instead of throwing everything overboard to start over again– the way Apple has done with OS-X and later switching to Intel x86 chips.

Imagine having to demonstrate an application running on Windows Mobile to a crowded room full of security professionals. This code will not run on the emulator– and even if it did, emulation hardly makes for a compelling demo. “Code always wins” as the old MSFT adage goes and working code on an actual device is the gold standard. This is the predicament confronting the blogger next week. Slide decks are not a problem; they can run off a locally installed PowerPoint or OpenOffice instance (the import process still loses some details if the latest eye-candy from Office 2007 is used) or better yet run from the cloud-hosted Google Presently. Showing UI from the device is a different challenge.

Most phones can not project the view of their own display to an external monitor using a standard VGA, DVI or HDMI output. (Oddly enough a few can project other video over Bluetooth to specialized devices and there are nascent efforts to give phones projectors of their own.) Having a dedicated, fixed camera pointing at the phone was not an option in this setting. And since it is not possible for dozens of people to cluster around a single handset trying to get a peek at the tiny screen, one option is to capture static screenshots at relevant points and project these as part of the slide-deck.

Even that is non-trivial: there is no “print screen” functionality on Windows Mobile out of the box. One quick Google search finds several third-party substitutes, including a freeware version from Ilium software. Luckily the search results also unearthed a better solution. An entry on the Windows Embedded Blog dated November 2004 references a Remote Display application included as part of the Windows Mobile Power Toys. This is good news; power toys are officially unsupported applications typically written by MSFT developers on the side. According to the description Remote Display shows a real-time view of the phone display mirrored on the desktop. Much better than static screen-shots and the audience can now follow along with the exact flow.

One problem: the Power Toys are dated December 2003. Supported operating systems on the download page include W2K SP3– long defunct– as well as “Windows Mobile 2002 based smart-phones.” In other words, this code is archaic. The MSI installed without a problem on Vista, even bearing a proper Authenticode signature to keep the inane UAC prompt happy about reporting the author. But the first attempt to run it with an HTC Diamond failed with an error message about unknown CPU type on the device. Not surprisingly 5 years after the code was written, the architecture of mobile devices, as well as the operating system MSFT is shipping to run on these devices had become unrecognizable under the assumptions the original author had made. Vista does not even have a separate Active Sync component, instead Mobile Device Center handles synchronization with phones.

But the README file provided plan B: the instructions described what to do for that particular error. The recommended fix was to manually find the correct binary for the mobile device and copy it over. There were not exactly many choices either: Windows CE 3.0, CE 4.0 and smartphones based on CE 4.0. Each OS SKU had a corresponding array of architecture choices, including x86, MIPS and ARM4. As for the device? It is running Windows Mobile 6 on ARMv5i.

So it was a surprise that copying the ARM4 binary built for CE4 worked: Vista could mirror the device screen in real time. Even more impressively, Remote Display works both ways: clicking on the phone UI from the desktop PC actually sends the mouse clicks to the phone, allowing the phone to be driven by the full-size mouse and keyboard combination.

This is one of the rare cases where the insistence on backwards compatibility paid dividends. Not only did the ARM processor have to remain backwards compatible and run binaries compiled for an earlier version, but Windows Mobile itself had to evolve such that code written for earlier CE variants could run without any changes.

cemp

June 30, 2008

Cherry-picking identity providers in the open eco-system

Filed under: Internet, MSFT, Security, identity, risks — cemp @ 10:31 pm

Recap from a story developing last week:

  • MSFT announced that it was accepting OpenIDs for the new HealthVault service, a cloud-based solution for managing health records. But not just any OpenID: only accounts issued by Trustbearer and Verisign are accepted. Both companies have two-factor authentication with portable hardware tokens.
  • The blog ConnectID objected to the restriction, claiming that it violates the spirit of “open” in OpenID. Why is the user not free to choose any identity he/she prefers to use?
  • MSFT’s identity architect fired back, joined by another blogger, both arguing that cherry-picking identity providers is fair game.

Underlying this exchange is a misunderstanding: agreement on protocols is necessary but not sufficient for identity federation. Accepting an identity issued by another company is a risk management decision– or under a broader perspective, it is a business decision. The mere fact that the aspiring ID provider has successfully implemented some protocol, is compliant with this other standard or runs the most popular software package for authentication is not enough.

Authentication is a security-critical function. Getting it wrong leaves any resource protected by that system vulnerable. And if something does break, it will always be the service provider’s problem downstream, even if they are provably not at fault. Suppose that HealthVault accepted identities from Keys-Are-Us, a hypothetical incompetent OpenID provider operating out of a basement. This is an external dependency; when Keys-Are-Us makes an assertion about the identity of the user, HealthVault will accept that assertion at face value and provide access to controlled resources such as health records. This is essentially betting on the ability of this shady outfit to properly run an identity management system. If Keys-Are-Us experiences a security breach, and the health records are accessed by unauthorized persons as a result, MSFT is still on the hook. Yes, in principle it was not their fault: Keys-Are-Us made the error. But try getting that message across to the media and blogosphere pouncing on the incident as another indication of everything that is wrong with the Internet. More importantly, by agreeing to accept identities from Keys-Are-Us, HealthVault is implicated in the risk management decision.

Case in point, HealthVault accepts Windows Live ID, the identity management service operated by MSFT. (Full disclosure: this blogger worked on WLID security in a former life.) Because both of these organizations roll up to the same corporate entity, HealthVault designers have visibility into and, more importantly, influence over the risks of accepting these identities. Similarly the Verisign and Trustbearer systems are known quantities, and their reliance on hardware tokens makes it possible to gauge the security assurance level in a way that is not possible for a random OpenID provider.
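The risk decision described above, and the phishing-resistance signaling extension mentioned in the August 12 post, can be expressed as a relying-party policy check. This is an added example, not code from this blog or from HealthVault: the allowlisted endpoint, the function names and the sample assertions are constructed, and it assumes the OpenID library has already verified the signature and nonce of the response.

```python
from urllib.parse import urlsplit

OPENID2_NS = "http://specs.openid.net/auth/2.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
MULTI_FACTOR_PHYSICAL = "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# Constructed allowlist: OP endpoint -> PAPE policies the relying party insists on.
TRUSTED_PROVIDERS = {
    "https://token-idp.example/openid/server": {MULTI_FACTOR_PHYSICAL, PHISHING_RESISTANT},
}


def normalize_endpoint(url):
    """Return a canonical https endpoint string, or None if it is unacceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    netloc = parts.hostname if port in (None, 443) else f"{parts.hostname}:{port}"
    return f"https://{netloc}{parts.path or '/'}"


def evaluate_assertion(params, trusted=TRUSTED_PROVIDERS):
    """Policy layer on top of an already signature-verified OpenID 2.0 response.

    Returns (accepted, reason). Protocol compliance alone never suffices:
    the provider must be allowlisted and must assert the required policies.
    """
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return (False, "not a positive OpenID 2.0 assertion")

    endpoint = normalize_endpoint(params.get("openid.op_endpoint", ""))
    required = trusted.get(endpoint)
    if required is None:
        return (False, "provider not on allowlist")

    # Fields outside openid.signed are not protected and must not drive decisions.
    signed = set(params.get("openid.signed", "").split(","))
    if not {"op_endpoint", "claimed_id"} <= signed:
        return (False, "endpoint or identifier not covered by signature")

    # The PAPE alias is chosen by the provider; locate it by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return (False, "no PAPE response")
    if not {f"ns.{alias}", f"{alias}.auth_policies"} <= signed:
        return (False, "PAPE fields not covered by signature")

    asserted = set(params.get(f"openid.{alias}.auth_policies", "").split())
    if required - asserted:
        return (False, "missing required policy")
    return (True, "accepted")


# Constructed sample responses (not captured traffic).
GOOD = {
    "openid.ns": OPENID2_NS,
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://Token-IdP.example/openid/server",
    "openid.claimed_id": "https://token-idp.example/u/alice",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": f"{PHISHING_RESISTANT} {MULTI_FACTOR_PHYSICAL}",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.pape,pape.auth_policies",
}
# The post's hypothetical basement provider: protocol-compliant, not allowlisted.
BASEMENT = dict(GOOD, **{"openid.op_endpoint": "https://keys-are-us.example/openid"})
# Allowlisted provider, but the user did not authenticate with a hardware token.
NO_TOKEN = dict(GOOD, **{"openid.pape.auth_policies": PHISHING_RESISTANT})
# PAPE claim present but left out of the signed field list.
UNSIGNED_PAPE = dict(GOOD, **{
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"})

if __name__ == "__main__":
    for name, resp in [("good", GOOD), ("basement", BASEMENT),
                       ("no_token", NO_TOKEN), ("unsigned_pape", UNSIGNED_PAPE)]:
        print(name, evaluate_assertion(resp))
```
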

cemp

May 22, 2008

Next version of MSFT office to support open document format

Filed under: MSFT, markets, software — cemp @ 8:59 am

The times they are changing for MSFT. A recent announcement that the next version of the Office suite will support new open source formats may be the most revealing example.

Interoperability is a complex strategic game but can be summarized this way: interop always helps the smaller competitors against a large established player. This is a standard consequence of network effects. Before Word had significant market share and was the small, scrappy upstart trying to gain a beachhead position against Word Perfect, it was imperative to read and write WP documents. This allowed customers to switch to Word but still continue to interoperate with the majority of people still using the more ubiquitous application. The developers for Word Perfect, on the other hand, had no incentive to help accelerate this switch, so their application would not recognize the new format. Here is a divergence from the golden rule of getting along in a network world: “be conservative in what you send out and generous in what you accept.” If interoperability were the only objective, every application would be able to open documents published in any other format while itself using a very narrowly-scoped format that would be easy for these other applications to understand.

The same pressure applied to Excel when it was competing for market share against Lotus Notes. As MSFT Office became the de facto standard in the enterprise and eventually for consumers, this pressure gradually eased even though the import/export capability for the “legacy” formats remained. At some point the scales tipped and the burden shifted to the competing applications with smaller market share to work with the leading formats.

Open source software follows the same path: it was imperative for Open Office to be able to accept Word documents, as well as save new documents in Word format. This meant that every new release of Office required catch-up effort from the community to add necessary interop functionality. (It did not help that the office formats were largely undocumented and had to be reverse engineered until the XML based Open Office XML specification, which itself fueled another line of controversy during its push for standardization.) Same goes for cloud services: it is no coincidence that Word documents, Excel spreadsheets and PowerPoint presentations can be uploaded.

The announcement that MSFT Office will support the new open-source formats is not due to a tipping point in market share. Its current position remains virtually unassailable. Even the Apple commercials that try to mock the PC platform as a square, clueless fellow are forced to pay a backhanded compliment by emphasizing that the latest generation of Macs can run Office. Is this the sign that demand for interoperability has arrived? Is the golden rule a more compelling option than trying to create lock-in effects by using proprietary formats and breaking changes on every release that force open source alternatives to play catch-up? At least the European Union is not convinced and announced its own intentions to verify this:

“The Commission will investigate whether the announced support of Open Document Format in Office leads to better interoperability and allows consumers to process and exchange their documents with the software product of their choice.”

Between the competition from free Open Office, disruptive Google Apps for the Enterprise, Adobe trying to unify presentation layer with PDF and now additional regulatory scrutiny, it is getting interesting for the future of desktop productivity software.

cemp

April 13, 2008

Cross-platform vulnerabilities: revisiting the mono-culture risks

Filed under: MSFT, Security, markets — cemp @ 8:34 pm

One of the CNet articles covering the 2008 RSA conference makes a new point about the competitive standing between the different operating systems: namely it may not be the OS itself that matters at this point. The author Tom Krazit argues in “Mac Security Not So Much About the Mac” that as the operating systems have been hardened, threats moved up the stack to applications running on top of the platform, which are often written by vendors with no connection to the OS vendor:

“At the CanSecWest conference, no one was able to take control of three laptops in play (the MacBook Air, a Fujitsu running Windows Vista Ultimate, and a Sony Vaio running Ubuntu) when attacks were confined just to the operating system. But Miller’s Safari exploit, and the Flash flaw later exploited by Shane Macaulay, Derek Callaway, and Alexander Sotirov on the Vista laptop, show how security threats are now much more focused on the browser, rather than the operating system.”

The comparison is not quite accurate because Safari is written by Apple and distributed aggressively, including the recent 3.1 update forced on all Windows iTunes users who may have expressed no interest in having yet another web browser. Flash on the other hand is now associated with Adobe after its acquisition of Macromedia. No connections to MSFT there, and in fact they are arguably competitors. (Over the years, Flash emerged as a successful new platform on top of web browsers for delivering rich client experiences; something Java attempted with much fanfare before it flamed out and Sun re-focused its efforts on the enterprise market. More recently MSFT has positioned Silverlight as an alternative to Flash to regain developer mind-share.) Safari is a part of the Apple platform as much as Internet Explorer is rightly considered a part of the operating system; the latter was a central argument in the bundling question from the DoJ anti-trust trial of the late 1990s. This would not be the first time that Flash caused problems; for example its deliberate opening of backdoors in the same-origin policy and flawed implementation of controls for the backdoor (namely the well documented over-zealous desire to see a cross-domain policy in any conceivable piece of random data) led to significant problems for web sites in the past.

Still there is an interesting connection between this observation and the mono-culture argument from 2003. Flash-back: a group of security professionals including Bruce Schneier, Dan Geer and Peter Gutmann co-authored a position paper titled Cyberinsecurity: cost of monopoly. Subtitled “How the dominance of Microsoft’s products poses a risk to security” the paper argued that having one operating system running on a large number of machines created a single point of failure that provided attackers with an easy way to take out a large fraction of infrastructure by exploiting just one vulnerability. No good deed goes unpunished: Geer was summarily dismissed (“promoted to customer”) from @Stake, which at the time had a business relationship providing auditing and penetration services to Microsoft.

Machines getting 0wned thanks to cross-platform extensions such as Flash pose a challenge for the mono-culture argument. After all one of the benefits of Flash, like its predecessor Java before, is to write portable code that works in any web browser on any platform. But this also opens up the possibility of cross-platform vulnerabilities. Not all of the code for Flash will be shared between say a Mac/Firefox version and the Windows/IE7 version. But at least some critical components are: for example recently bugs were discovered in the regular expression engine affecting all platforms. The irony is that even when the installed base of operating systems diversified, a middle-layer designed to bridge the differences between these platforms will create similar risks as a mono-culture. The existence of such a middle-layer is guaranteed by market conditions, whether it is Java, Flash or Silverlight. It is not economical for developers to target code to every possible hardware, OS and browser combination. An intermediate layer gives up some power and expressiveness that could have been achieved with code “native” to a specific platform, but in return promises greater reach across all platforms. The mono-culture argument taken to its logical conclusion would suggest not all users must have Flash: some should have Silverlight only and perhaps others rely on Java for rich-client experiences. (It’s not enough to also install the others, since the presence of the extension is enough to make it exploitable.) At this point it is running against market dynamics.

cemp

March 16, 2008

Default settings and ecological impact

Filed under: Internet, MSFT, environment, software — cemp @ 2:03 pm

Do application settings reflect choices made by the user or the priorities of the developer? This question comes up again and again, as the settings are linked to yet another unexpected negative outcome. The latest example is from ChangeTheMargins.com, courtesy of Good magazine.

Almost any interesting bit of software comes with a set of switches and knobs. The more complex the software, the more switches to fiddle with typically. Sometimes the developers in a good-intentioned attempt to conquer the complexity reduce it to a series of multiple choice questions. How secure would you like that router? Low/medium/high. More likely there is an escape hatch left open for the tinkerers, a custom or advanced option hiding in the UI that unlocks the full array of all possible configurations, to create the software equivalent of an extra-hot, 2% double-shot half-decaf mocha.

Unlike the whimsical Starbucks creations, application settings can have wider-reaching effects than the next caffeine buzz. Power settings are the obvious example: machines equipped with power management features that can either slow down the CPU speed or hibernate altogether in response to low utilization can cut down on energy consumption. ChangeTheMargins picks a different battle: the choice of margins in Microsoft Word. Set to 1.25″ by default for left-right, the website argues for cutting that generous allotment of white-space down to three-quarters of an inch instead. There are detailed figures for exactly how much in paper, trees and dollars that will save.

All good advice. As for the interesting piece: the author is calling on Microsoft to set the defaults to 0.75″ in Office out-of-the-box. This raises an interesting question: to what extent can the current wasteful use of paper be blamed on the developer and to what extent on the customers using that software? (Not to diminish the influence of middle-men along the way: the OEMs who install and configure that software on brand-new machines where it is bundled, the enterprise IT departments responsible for rolling out Office to 10K desktops etc. In fact the website does have a stated goal of converting 5 corporations to sanction the narrower margins.) The issue of defaults can become a major headache to the vendor for three reasons:

  • There are too many conflicting interests– including occasionally that of the vendor itself– and out-of-the-box settings must strike a balance that can not please everyone
  • Anecdotal evidence suggests some fraction of users will not change settings. Especially anything marked “advanced” or “custom.” This makes it very hard to take the position that settings reflect user choice as opposed to user complacency. (This fact was impressed on the blogger when he worked on the P3P privacy settings for Internet Explorer 6.)
  • Most applications must ship with some defaults at least. For many years UI designers hated the idea of forcing a decision on the user at first-run or installation time, because it was disruptive to their Platonic ideal of user-friendly software. They pointed out, quite correctly, that such a question materializing out-of-context, when the user is already occupied with a different primary task, would simply be perceived as a distraction, leaving everyone looking for the “OK” button to make it go away. Without any basis for weighing the options the user might as well flip a coin. Fortunately UI designers have become more pragmatic about this over time, especially in the context of security. The IE6 XP SP2 “Information Bar” and more recently the IE7 phishing filter do in fact prompt the user to make a decision the first time when the choice would have a material impact.

Yes, the default width of margins matters. But to put this in perspective: it matters much less than other options. Printing double-sided can cut down paper waste by 50%. What about configuring printers to default to double-sided? Not that easy it turns out because most of them can not do auto-duplexing. This blogger cared enough about the functionality to find one that could, but there were few viable alternatives for home-office use: Brother DL-5250DN handily won out. Manually printing double-sided is very slow and often impractical for large documents because the secondary feed tray can not accommodate very many sheets at once. But the high-end multipurpose scanner/fax/color-laser printer/photocopier machines the size of washing machines found in large enterprises can and ought to be configured to default to double-sided and not waste paper printing out cover pages to distinguish the jobs.

Finally there is the question of trade-offs: using smaller fonts, using single-spacing instead of double-spacing or printing two pages on one side (50% magnification) can all cut down on paper wasted, but at the expense of readability. One reason conservation efforts have not resonated with the American public in the past is that they evoke images of huddling together in the cold –reduce heating to curb carbon emissions– in a dimly-lit space white with the pale glow of fluorescent lights– more efficient than incandescent– after taking a cold shower. At some point the quality of the printed document may not meet the strict standards used for academic or legal correspondence for example. That brings us to the most promising solution: minimizing the need to convert electronic documents into hard-copy.

cemp

February 29, 2008

Choosing the wrong side in a format war

Filed under: MSFT, hardware, markets — cemp @ 12:12 pm

MSFT finds itself in this situation after the HD-DVD format it backed was finally consigned to the dustbin of history when Toshiba announced that it will stop producing the players. This was a domino effect, starting with the studios announcing Blu-Ray exclusive production, Netflix switching and finally WalMart saying the last word.

That leaves the question of what to do with all those XBox 360s with HD-DVD drives which are going to be about as useful as a brick in a few years. In fact the decisive and abrupt BluRay victory has just created a large collection of expensive and useless gadgetry overnight. Consider the dual-mode Samsung players that could play both HD-DVD and BluRay, in an uneasy truce to allow customers to hedge their bets on the war. With a clear winner emerging from the format war, all of the effort goes out the door. On the bright side Samsung will fare better than the HD-DVD camp because the company itself hedged its bets.

There is going to be frustration among the early adopters who guessed wrong– but that’s the cost of doing business on the leading edge. Just ask the initial round of iPhone buyers after the price drop. Long term consumers are probably better off because standardization will increase sales of players by removing the cloud of uncertainty. More players will drive down costs, and increase availability of content. It may also cement Sony as the new hegemon unseating the reigning oligarchy of the DVD Forum, depending on how the licensing around patents and royalties for use of BluRay technology are structured.

cemp

February 22, 2008

Rumors of Windows server platform “failure” slightly exaggerated

Filed under: Internet, MSFT, economics, software — cemp @ 1:33 pm

This article which made it to Slashdot recently and the linked postback from CNN/Money could use an application or two of Occam’s Razor. It stipulates that the MSFT bid for Yahoo is prompted by an internal recognition that the Windows server platform has failed. The company having seen the light, according to this commentator, is going after systems built on the Linux/Apache platform instead.

“Microsoft runs on the Windows platform and it has proved inadequate to run big Internet companies. There is not one big Internet company – and I mean “BIG” like Google Inc. (GOOG), Yahoo, Amazon.com Inc. (AMZN), eBay Inc. (EBAY) and such – that runs on Windows besides Microsoft. Its software platform has been a disaster supporting its search engine, email and other free services.”

It only takes a second to recognize this as uninformed drivel: Hotmail/Windows Live Mail is the world’s largest email service period. Passport/Windows Live ID is the largest online authentication system. When it comes to instant messaging, MSN/Live Messenger is not too far behind Yahoo and AIM– never mind the branding confusion between MSN versus Live. All of them run on W2K3, IIS, SQL Server and the accompanying much criticized baggage. It’s not a recent phenomenon either: in the late 90s MSR built TerraServer– long before viewing satellite imagery was an everyday activity– to showcase the scalability of a massive data warehouse running on Windows.

Yet the quote above does raise an interesting question about why more large scale web services are not built on top of Windows. The obvious reason is easy to shoot down: the difference between shelling out $$$ for W2K3/W2K8 or getting Linux for free. It’s true that a single server license can run into the hundreds of dollars depending on the particular SKU and thousands of dollars for the more esoteric 64-bit variants. This is why hobbyist sites, non-profits and small businesses (as well as the virtual hosting companies catering to them) are more likely to prefer open-source software, because of the extreme price sensitivity in the market segment. Assuming that the distribution of internet facing websites has a very large tail fitting that category, this would explain why Netcraft surveys continue to show Apache leading IIS 50% to 35%, in spite of huge jumps in April ‘06 and September ‘07 that narrowed the gap from the previous 3x difference.

But in the enterprise context, the gating factor becomes recurring costs for running a data-center: all of that IT staff, leasing the space and power used adds up. The upfront purchase price of hardware and software is dwarfed by operational costs– and that’s one reason why Windows server platform continues to make inroads into this segment, joining Linux in slowly chipping away at the market share of the more expensive UN*X variants that once dominated the server business. Nowadays it is not rare to see entire IT infrastructures of companies run on Windows and developed using .NET programming models.

What about large scale Internet services? This is the mystery: the existence of very large-scale (in at least two cases cited above, the largest, period) services running on Win32 and Win64 proves it can be very competitive. In that case the nagging question remains: why are there so few examples outside Microsoft?

cemp

February 4, 2008

Security, excuses and hidden agendas

Filed under: MSFT, Security, economics, risks, software — cemp @ 11:59 pm

Bruce Schneier has often commented on the tendency for hidden agendas to masquerade behind excuses for security. “For security reasons, we must do …” or “due to security concerns, we do not allow…” The classic example in Beyond Fear was the prohibition against bringing beverages into a baseball park: is it really about safety inside the park in the heightened awareness after 9/11, or a boost to soft-drink sales inside, which end up lining the club’s pocket at the end of the day?

The latest MSFT one-eighty around virtualization is starting to look like another one. To recap, in June last year MSFT announced that it was expanding virtualization options for Vista to allow Home Basic and Home Premium SKUs to run in a VM. This was shortly reversed by a change of course, now requiring users to fork out for the more expensive business editions due to unstated security reasons. More recently MSFT announced that it is again allowing virtualization of the less expensive varieties. What to make of this? If this were a politician running for a coveted nomination on super primary Tuesday, this type of change in policy would be understandable. Ruling that out, two other options remain:

  1. It was decided that customers can live with lower security assurances for the scenario. That is to say, after spending 5 years to ship the most secure version of Windows to date in Vista, breaking backwards compatibility and even sinking untold amounts of R&D into inane, useless features such as UAC to prove this commitment, Microsoft is now letting go of a strategic advantage by allowing the operating system to be run in a vulnerable configuration.
  2. The security excuse was a ruse all along, intended to push customers towards more expensive Vista SKUs until the company itself could develop a proper response to the disruptive nature of virtualization.

#2 is looking like the smarter bet at the moment. It is not clear that virtualization is necessarily a short term revenue threat. Virtualized or not, those copies of Windows must still be licensed. In other words, the Mac user running Vista under Parallels or VMware Fusion is still paying for a full license as if they had installed it natively. (Granted, there might be a small uptick in piracy since pre-activated/genuine-advantage-validated VM images make for a convenient way to distribute pirated copies.) This scenario might be of greater concern to Dell or HP since it means that consumers have the option to purchase a Mac instead of a PC. Meanwhile server consolidation, the other major business case for virtualization, is not affected by the Vista licensing arrangements because Vista is a client OS. Windows Server 2003 and 2008 are the relevant products for virtualized data-center environments, and it’s primarily the virtualization policies around these products that have to be carefully crafted to protect server business revenue.

Long term, however, there is a strategic threat. Parallels and VMware might be great for getting the best of both worlds from Linux/Mac + Windows, but if Vista is increasingly seen as a “secondary” OS to run alongside a primary, purely for compatibility with applications written for the venerable Win32/64 API, it raises the question of how long before those applications can finally be ported to the other platforms so they do not need virtualization as a crutch. More than any short term risks around piracy or missed revenue from consumers opting for the inexpensive Vista SKUs, this is the great danger of undercutting the platform that MSFT has to contend with.

cemp

January 13, 2008

MSFT and One-Laptop-Per-Child

Filed under: Education, MSFT, hardware, markets, software — cemp @ 11:54 pm

The OLPC project is showing a pattern of tumultuous relationships with leading IT companies. In the wake of a widely publicized falling-out with Intel comes a disagreement with Microsoft over the meaning of “dual-boot laptops.” To recap: news reports suggested that OLPC and MSFT were working on models of the XO that could run both the custom Linux operating system and garden-variety Windows. Later Microsoft firmly denied these rumors and suggested the company had a different vision than Negroponte for integrating the Windows platform into the XO system.

Hardly any surprises here, because the XO laptop and Windows are ultimately irreconcilable concepts. There is no question that earning the loyalty of future PC users in emerging markets is critical for long-term success in the platform battle. It is important enough to justify giving away copies of an operating system at a loss or trying to co-exist in an open-source ecosystem. But this is going to be a difficult balancing act.

The One-Laptop-Per-Child project started out with the goal of producing $100 devices at scale. Some SKUs of Vista cost more than that already. This is a glimpse into the impending reality check for Windows: as the price of hardware drops and the licensing costs for the operating system begin to constitute ever increasing shares of that price, vendors and customers are increasingly motivated to search for alternatives. Cost is a huge factor for OLPC, but so are energy consumption and CPU/memory resources– two things that Vista has a voracious appetite for. That’s good news for Intel, AMD and for that matter any company supplying PC components: as long as the software continues to peg capabilities of the hardware, improvements in hardware can make a meaningful impact on the overall user experience and justify the investment. But the target audience for OLPC is not subject to the standard hardware upgrade cycles, nor expected to meet the minimum recommended specs for Vista.

Even if copies of a highly stripped down version of Windows could be made to run efficiently in the highly minimalist specs of the XO and given away for free (similar to the Starter Edition sold at a significant discount in emerging markets where even the basic SKUs are very expensive compared to standard earnings), it will not create a sustainable advantage. Converting those free copies into full-paying licenses down the road will be a challenge to the extent that the premium for a Windows PC over an open-source one is appreciable– exactly the situation guaranteed by Moore’s law and dropping hardware prices.

cemp
