Free Windows (TANSTAAFL)

Some are touting yesterday’s announcement that Microsoft was making Windows (including Windows Phone) free for devices with screens smaller than 9″ as the most impactful news coming out of Build 2014.  While I do think it is important news, I think other changes such as Universal Apps are far more important.  And there is one executive discussion I’d really have liked to sit in on that I’ll talk about near the end.

Current Microsoft profit from Windows Phone and Windows on small screen devices is at best a rounding error and at worst represents a loss.  The story on revenue isn’t much better: it is immaterial.  That’s important since it is what matters to investors, and in the long run it is what determines how sustainable a move this is.  Microsoft basically gave up nothing in a “Hail Mary” pass to establish relevance in the software for mobile device market(s).

Some of the software pricing move is related to Microsoft’s evolution to a Devices company, so let’s explore Windows Phone first.  With closure of the Nokia Devices acquisition Microsoft will itself be shipping 90%+ of Windows Phone devices.  Today Nokia sells a phone for say $150 and sends Microsoft a check for (say) $15.  Tomorrow Nokia sells that same phone for $150 and doesn’t send Microsoft a check.  But since Nokia is now part of Microsoft that $15 still accrues to Microsoft’s finances.  It is, in every sense except a financial reporting one, a neutral financial move by Microsoft.

Microsoft is trying desperately to foster an OEM model for Windows Phone, particularly as it relates to BRIC and developing countries.  In those extremely cost-sensitive markets the price of Windows Phone is an issue, while the revenue and profit potential from software for phones alone is immaterial.  Another way to look at this, and it is even possible this is technically how Microsoft’s OEM contracts are structured, is that Microsoft is returning 100% of the price of a Windows Phone license to the OEM as Market Development Funds (MDF).  But even if the contract actually shows a price of zero, in which case Microsoft probably isn’t providing MDF, Microsoft has in effect committed the revenue it might have gained from charging for Windows Phone licenses to marketing.  That’s the correct way of thinking about this.

And the same story applies to smaller screen tablets.  Right now the market for those, aside from the apparent modest success of the Dell Venue 8 Pro, is immaterial to Microsoft’s bottom line.  Microsoft needs to protect its larger form factor Windows revenue stream by taking a very significant share of the smaller form factor tablet market and is willing to “spend” 100% of what it could have taken in on revenue for those Windows licenses to gain that market share.

Why is that market share gain so critical?  Because every iOS or Android device in someone’s hands represents an opportunity for Apple or Google to replace a notebook or desktop as well.  Chromebooks make no sense for me because I am not bought into the Google ecosystem.  The MacBook Air makes no sense to me because I am not bought into the Apple ecosystem.  But if I were a dedicated Android or iOS user I would be, and thus more likely to also become an OS X or Chrome OS user.  So every Windows Phone or Tablet win represents a chance to keep someone in the Microsoft ecosystem and sell them the products for which Microsoft really makes money.

As for the conversation I wish I could have been a fly on the wall for, it’s the one they must have had about setting a precedent.  What happens if Microsoft’s wildest dreams come true and it becomes the top supplier of phone and/or tablet OS software?  Can it raise prices and monetize that success?  This is why I always envisioned the technical pricing details as a 100% kickback in MDF rather than a zero list price.  You can always phase down MDF but raising prices will be like tiptoeing through a dense minefield.  I’m sure Microsoft longs for a day when it must face this problem!

Posted in Computer and Internet, Microsoft, Mobile, Windows, Windows Phone | 7 Comments

Let the Build 2014 games begin!

We are just a few hours away from Build 2014, and the most important set of reveals for Microsoft’s Operating System business in a decade.  Yes, more important than Windows 8.  Or Windows Phone 7.  Or whatever other seemingly, at the time, critical reveals Microsoft has had.  The reason for that is simple: the Operating System business at Microsoft continues to struggle.  Sure it had a temporary reprieve with Windows 7, in what now looks like a “dead cat bounce”.  But otherwise Microsoft’s relevance for software that powers hardware has been, at best, in a holding pattern for a decade.

What gets announced and talked about this week won’t be the launch of totally revamped products that change the world, but rather products that tell us if Microsoft is getting its OS mojo back.  Hopefully we will learn where Microsoft sees its core Desktop OS efforts going the next few years, the very thing it all but mortally wounded with the release of Windows 8.  This is about more than just some continuing tweaks to make Windows 8.x more appealing to desktop users; it is about sending them a message that they are important and will have optimized support going forward.  And it is about reassuring Win32 and .NET developers that they have a bright future as well.

Next up is eliminating the arbitrary discrepancy between Windows for Tablets and Windows for Phones.  Of the three major ecosystems only Microsoft has this disparity.  iOS and Android are the same, and most importantly have the same development model, on all slate form-factor devices.  On Windows the discrepancy has caused the app stores for both Windows and Windows Phone to stall.  Many apps are available on one platform but not the other as developers are forced to choose between supporting one #3 platform or having two separate efforts for two #3 platforms.  This has been devastating.  Based on leaks it appears certain that after this week developers will be able to focus on one app for both the phone and the tablet (and of course, all Windows form factors).

At the same time it’s critical that Microsoft bring its app model to parity with iOS and Android, eliminating barriers that have caused leading edge apps to skip the platform.  It can no longer be the case that underlying platform capabilities are blocked by the lack of support in the new APIs.  We can’t have the most interesting new app categories skipping Windows devices because, after all the evangelism is done, they simply can’t get their app to work on Windows.  Nor can we have the situation where some of Microsoft’s own properties find it easier to implement new features on Android or iOS than on Windows.

It is also time that Microsoft dropped the excuse that it is playing catch-up in the mobile OS space.  If Windows Phone can’t be competitive at the user feature level in 2014 then it just never will be.  Oh I’m not saying it needs to leapfrog Android and iOS and leave them behind, as if it ever could really do that.  I’m saying that as users we have to be able to see Windows Phone as every bit as leading edge as Android and iOS.  It needs to be at parity on everything that is important to users, and continue to innovate in ways that set it apart.  Windows Phone 8.1 must be the end of the line on “catch-up” if Microsoft wants end-users and developers to commit to the platform.

Following on from last week’s clear focus on the cloud we need to see how Windows is going to be the best OS to power cloud-connected devices over the next decade.  We simply need to walk away from Build 2014 believing this.  As a user of the entire Microsoft ecosystem I see and enjoy the promise on a regular basis.  But if I were a 100% Apple user or 100% Google user then my experience wouldn’t be much different.  I think this is a tall order for Microsoft as the world, and especially developers, have to believe two things.  The first is that in a 100% Microsoft ecosystem Windows-powered devices have to offer a better cloud-connected experience than in 100% Apple or Google worlds.  The second is that Microsoft has to show why Windows-powered devices will be the best end-points in a heterogeneous environment.  And they have to do that despite Apple and Google not playing nice.  Apple is not a surprise since with the exception of iTunes they ignore the Windows platform.  Google is a bigger problem as they have explicitly avoided legitimizing Microsoft’s Phone and Tablet offerings with Windows Store apps.

Lastly, the “Internet of Things” is the next frontier for the OS business and Microsoft has been fairly absent in letting us know how they plan to address that market.  Keep in mind that this is another area where Microsoft was early, way too early.  Now it is faced with the problem of being leapfrogged by the competition, and Google in particular.  Microsoft cannot let this happen.  It must give its remaining development community a reason to stick with it as this new gold rush begins.

Fortunately, through leaks and through what little information it has released, like the schedule of Build sessions, we know that Microsoft will be addressing most if not all of these areas.  Will it be enough?  Will the messages resonate with the believers and bring some non-believers back?  The technical details are one thing; what Microsoft executives say during the keynotes is far more important.  If they paint a picture of a Windows world that users and developers really want to play in then a revival of the Windows business is possible.  If they fail to excite then they probably relegate it to a legacy business.  Either way Microsoft will survive and prosper.  But its future is a lot brighter if at the end of this week the key stakeholders are a lot more positive about the future of Windows than they were at the end of last week.

Posted in Computer and Internet, Microsoft, Mobile, Windows, Windows Phone | 20 Comments

Microsoft has a near miss with the Xbox One Media Remote

Regular readers will of course be familiar with my Xbox: Fail from January, and I thought a little update was in order.

To get something out-of-the-way, the February and March updates did nothing noticeable to improve voice recognition.  I did recalibrate after the February update, but not after the one in March.  Maybe I’ll try again after the April update.  And it appears to me that one of the updates degraded facial recognition as much of the time my Xbox One isn’t recognizing me and automatically logging in.  To put a short summary on it, the experience is no better than when I wrote the piece in January.

And to say something positive, I love that Microsoft added music videos to the Xbox Music app on the Xbox One.  We had company for the weekend and Saturday night we all stayed up past midnight finding favorite music videos.  On the few we couldn’t find on Xbox Music I found them on the web and put them up on our 55″ using Miracast from my Lumia 2520.  That worked flawlessly too.  Especially watching the launch of MTV.  Coverage of the first launch of the Space Shuttle is way cooler than any music video :-)  And Video killed the radio star is a terrible song, even if it was perfectly appropriate as MTV’s first music video.

One thing I called for in the January piece was a Media Remote, and Microsoft has obliged with that.  I really like it, and if it weren’t for one major design flaw I would have titled this post “Xbox One Media Remote saved my marriage”.  That major design flaw?  The Xbox One Media Remote uses IR rather than RF to control the Xbox One.  That’s a problem for me because the Xbox One is in a cabinet, with a door blocking IR signals.

Given that the Xbox One comes out of the box working with RF-based game controllers I never would have guessed that they’d use IR for the Media Remote.  Why not just have it use the same RF communications channel?  I hate IR.  It is the 80-column card of the A/V industry.  Except 80-column cards were a good idea in their time, while I’m not convinced IR was ever a good idea.  In either case, their times have passed!

Dear Xbox team, wait until you see the blog post when one of my dogs crashes into the open door and breaks it off the built-in cabinet.  Wait until I send Satya the bill and demand payment in Hyderabadi Biryani, which I will do.  Seriously.

Anyway now I do open the cabinet door to consume media on the Xbox One.  This makes my wife happy because she interprets the voice commands about as accurately as the Xbox.  For example, I say “Xbox Select” and the Xbox displays a message about something else not being valid in the current context, if it hears me at all.  My wife interprets “Xbox Select” as “Dial Divorce Lawyer”.  Fortunately she tunes me out even better than the Xbox though I try not to press my luck.  So I no longer talk to the Xbox.

Meanwhile with the cabinet door perfectly positioned to absorb the shock of a Bernese Mountain Dog that is blissfully unaware that the U.S. Government has classified her as a weapon of mass destruction, I happily select apps, perform searches, play and pause media, etc. on the Media Remote.  It’s an accessory that I recommend to anyone who is going to regularly use their Xbox One for video.

What about installing (another, actually) IR repeater so I don’t have to leave the cabinet door open?  I suppose I will eventually.  But I hate IR, and I love Hyderabadi Biryani.

Posted in Computer and Internet, Home Entertainment, Microsoft | 9 Comments

10″ LTE for me

One of the things that has bugged me about Windows 8.x from the beginning was the lack of devices with built-in WWAN, and particularly LTE, support.  I had 3G support in my original iPad, and it was a pleasure to just be able to open the case and start using the device without worrying about finding and connecting to a working WiFi network.  Not to mention the security advantages of avoiding public WiFi or avoiding draining the battery of my smartphone being used as a hotspot.  For the last couple of years I’ve been envious of my wife, who has her iPad on the Internet before I even have time to get my smartphone out of my pocket.

With the introduction of the LTE version of the Microsoft Surface 2 it turned out there were three devices I could choose from if I was serious about moving to an LTE device.  The final straw came the other day when I pulled my Lumia 1020 smartphone out of my pocket and discovered the battery was moments from being dead.  I just had to stop using it as a hotspot on a regular basis.  I’d thought about waiting to see what other devices hit the market in the next few months, and in fact I wouldn’t be surprised if I’m soon kicking myself for moving prematurely.  But what’s done is done.

A word about my computing environment before diving into my choice and a bit of review of it.  Prior to last week I had 3 tablet-like devices (not including those that are primarily my wife’s).  My primary tablet has been a Microsoft Surface RT.  Although it has a keyboard cover (and I go back and forth between the Touch and Type covers) my primary usage model is as a tablet.  It’s just nice to have a keyboard when you need it.  For the last 6 months I’ve also had a Dell Venue 8 Pro, which is obviously a pure tablet.  The DV8P has pushed my usage of the Surface more heavily towards notebook-like tasks, since I tend to carry the DV8P when I want something with me for consumption and the Surface when I think I might need to use a keyboard.  So last week I would have said the Surface RT is 40% Notebook and 60% Tablet.  The DV8P is 5/95.  Lastly I have a Surface Pro 2 which I purchased for my consulting practice.  As that implies, it sits in a dock as the desktop for my home office except when I am on a consulting engagement.  Then it is used 80% in notebook mode and 20% as a tablet.

The Surface Pro 2 is unlikely to need replacement for a couple of years.  The DV8P is on the chopping block later this year as the 8″ Windows tablet market matures and we get higher resolution devices with LTE.  But it was the Surface RT that was most ready for replacement.

As best I could tell there were three choices readily available on the U.S. market as of last week.  The oldest of the three was the Nokia Lumia 2520, which was introduced last fall.  Next up was the Microsoft Surface 2 LTE, identical to the Surface 2 introduced last fall except for the addition of LTE support.  Lastly was the Dell Venue 11 Pro line, which just added an LTE model.

The Lumia 2520 was an attractive device from the moment Nokia announced it.  The 10.1″ form factor made it the most tablet-like of the choices.  It was built as a WWAN-based device from the beginning, and you can’t even buy a WiFi-only version.  It is light (1.3lb).  It has an awesome screen.  And Nokia announced a keyboard case for it, one with an extra battery and a couple of USB ports to boot.  About its only negative is that it is an ARM-based device like the Surface RT and Surface 2.  I seriously looked at buying one at introduction but there was a problem.  The keyboard case was unavailable and I was loath to buy the tablet and hope that the case, which more than doubles the weight of the combination, would be acceptable.  So month after month I would go to the AT&T store and the Microsoft Store and ask if they had the case in stock so I could see for myself.  Month after month they reported it wasn’t available.

When Microsoft introduced the Surface 2 they mentioned that an LTE version would be available in early 2014.  I waited, hoping that early would mean January.  January came and went with no LTE version.  February came and went with no LTE version.  Finally March brought announcement and availability of the Surface 2 LTE at the ridiculous price of $679.  Add on a Type 2 Cover and you are sitting at over $800.  Make it the new power cover and you are approaching $900.  That’s a lot of money to part with for any tablet, particularly one that is already half-way through its primary life-cycle.

The Surface 2 is also an ARM-based device.  It is heavier than the 2520.  With its 10.6″ screen it is a more awkward shape and size for tablet use, but the screen dimensions feel more natural for notebook-like use.  It also offers a wider array of keyboard covers (Touch, Type, Power).

The last entry, which I only learned about last week, is the LTE version of the Dell Venue 11 Pro.  Dell has introduced the Venue 11 Pro line as a family of x86-based devices with a choice of Intel Atom and Core processors.  The Atom-based models are thinner and more of a tablet-first offering while the Core-based models are thicker, heavier, and more of a notebook-first offering.  Basically the DV11P Atom models are Surface 2 competitors and the Core models are Surface Pro 2 competitors.  The screen size also positions them in this way, with the 10.8″ screen being comparable to the Surface family’s choice of 10.6″.  Moreover, the 10.8″ screen clearly positions them as members of the 11″ class of devices such as the MacBook Air notebook.  For me that is the problem.

The DV11P LTE model is Atom-based, which I do prefer to the ARM-based processors used in the 2520 and Surface 2.  However the 10.8″ screen size forces the DV11P into larger overall dimensions and a higher weight than the Surface 2.  I was looking for something much closer to the iPad Air in weight and size, so the DV11P was going in the wrong direction.  Pricing for the DV11P LTE is far better than for the Surface 2 LTE, and it has as good a set of accessories, if not better.  In particular, if you wanted to use any of the DV11P models heavily as notebook replacements then Dell offers one keyboard/cover option that is more of a notebook dock than anything available for the Surface line.  Indeed, if I didn’t already own a Surface Pro 2 I’d be giving the DV11P line a very serious look.  But it just didn’t add up for the needs around a Surface RT replacement.

With the DV11P LTE outside what I considered a desirable envelope of physical characteristics, and the Surface 2 LTE at a budget-busting price even for someone as price insensitive as I often am, I took another look at the 2520.

Months had gone by without me so much as being able to glance at the Lumia 2520’s power keyboard case.  Earlier this month I noticed that the local AT&T store had one on display, but it was bolted down so that I couldn’t actually hold one.  Actually you couldn’t even use it because of the design of the bracket.  The store was not stocking the keyboards, and corporate was refusing to accept orders for them because of the order backlog.  When I first saw this I checked at the Microsoft Store and they still hadn’t received any.

A few days ago I went into the Microsoft Store to pick up a Media Remote for my Xbox One.  They didn’t have the keyboard case for the 2520 on display, but I asked if they had any and they said yes!  So off they went to get one from the stockroom for me to see.  Taken alone the weight and feel were quite nice.  With a 2520 installed the combination was heavy (almost 3 pounds) but good feeling.  With a caveat I’ll mention in a moment, I decided the Lumia 2520 with its keyboard case would replace my Surface RT.

With the battery in the keyboard case the 2520 should come in at 16+ hours of actual use.  I’m not going to do a battery test, but I will say that I used it fairly heavily yesterday and when I looked this morning the cover’s battery was drained but the battery in the tablet itself was at 97%.  So you really can get 2 days of solid usage out of the combination.  There are things I like better about this keyboard than Microsoft’s Surface Type Cover 2, and things I like less.  Mostly less.  There is only one viewing angle as a negative.  The loose flap the touchpad is on is another.  But the most important negative is that you can’t fold the case out-of-the-way to use the 2520 as a tablet!  That isn’t just a problem in terms of holding the tablet in your hand, it is a problem in situations like tight airplane seats where the 2520 in its power keyboard case takes up a lot more room than a Surface 2 would.  Basically the 2520 power cover transforms the tablet into a notebook.

I’m disappointed that Nokia didn’t come out with a second keyboard cover that dispensed with the battery, because as nice as it is in theory to have a 16 hour device it isn’t really worth the 1/2 to 1 pound of extra weight for most people looking for this class of device.  Dropping the battery would also allow for a case that folded out-of-the-way for tablet use.  The 2520 doesn’t have a built-in kickstand, so you need some kind of case for almost any usage scenario.  What I decided to do was look for a third-party, keyboard-less, case that I could use when I wanted to carry the 2520 as a pure tablet.  As it turns out a few case manufacturers have created 2520-specific offerings and I have one on order through Amazon for $20.  It will be a few months until I know which case I use more often.

Although I’ve made my choice I’m rather disappointed by the Windows Tablet 10″ LTE landscape.  No manufacturer has come out with the right device, at the right price, in a timely fashion.  Nokia did the right device and the right price, but missed the boat on accessory availability and variety.  Microsoft has the right device and accessories, but totally missed the boat on both price and availability.  Dell is doing things right with the Dell Venue 11 Pro line, but the line is aimed solidly at the 2-in-1 space and is sub-optimal for the tablet space.

So there you have it, I’m a Lumia 2520 owner.  I may even be a fan, but it will be a few more weeks before I’ll be able to say.

One other thing to mention.  The Surface 2 LTE and DV11P LTE both come with 64GB of storage while the 2520 only comes with 32GB.  Of course they all take micro-SD cards.  I’ve lived with a 32GB DV8P long enough to know that it isn’t a problem, and an extra 32GB certainly isn’t worth the $168 difference between the Surface 2 LTE and the 2520.

Posted in Computer and Internet, Microsoft, Mobile, Windows | 4 Comments

Supporting other platforms before Windows

A few Microsoft properties have received grief the last couple of years about shipping features, or even entire apps, on non-Microsoft platforms before those same features or apps come to Windows and Windows Phone.  I talked to a friend about this a few months ago, and as rumors swirl that Office for iPad may arrive before a Metro/Modern version of Office for Windows 8.x I thought I’d relay his explanation.

What groups inside Microsoft are finding, just as third-party developers have found, is that the API set in WinRT and on Windows Phone is deficient compared to Android and iOS.  So the development team envisions a feature they want to add.  It takes them a couple of days to implement that feature for Android or iOS.  But for Windows/Windows Phone they get into a cycle of negotiating a feature request with the OS team and then waiting for an OS update that includes the feature.  That can take man-weeks of effort and many months of elapsed time.

Now the app or services team faces a dilemma.  They can wait the many months for the Windows support to appear while they lose competitive ground, or they can ship their feature on Android and iOS as soon as their own update schedule allows and play catch-up on Windows.  Years ago they most likely would have taken the hit to their own business in order to protect the Windows franchise.  However, in an age where Microsoft is an underdog in many areas that is no longer considered a viable way to do business.  Thus we will sometimes see features or entire apps on non-Microsoft platforms before we see them on Windows/Windows Phone.

Now of course this really should be putting pressure on the OS team to expose a greater and more competitive set of features through their modern API sets.  This is something third-party app developers are getting rather vocal about as well.  So on one hand a lot of Microsoft fans are going to get upset as functionality comes to Android and iOS before appearing on the various flavors of Windows.  On the other, they should be happy that Microsoft teams are putting a lot of internal pressure on the OS team that in the medium to long-term will greatly improve Windows as a modern app platform.

Posted in Computer and Internet, Microsoft, Mobile, Windows, Windows Phone | 16 Comments

A call for EMET Lite

Often I make suggestions to Microsoft privately; occasionally I do so publicly.  I’m doing this one publicly to generate broader discussion and hopefully a consensus.  I already mentioned this on Twitter a few weeks ago, but the full discussion requires a blog entry.

Microsoft’s EMET (the Enhanced Mitigation Experience Toolkit) is a security tool aimed primarily at Enterprise Information Technology departments.  It can be used by, and is available to, sophisticated end users.  However it really isn’t designed for typical end-user use.  This is a call for Microsoft to create an “EMET Lite” that is available with or packaged into all Windows systems, with management provided by Microsoft via Windows Update.

To get an idea of why EMET Lite might be desirable take a look at the results from this week’s Pwn2Own hacking contest.  No one was able to claim the $150,000 Grand Prize for hacking IE11 with EMET running.  All major browsers, including IE11 without EMET, were hacked.

Ok, so what is EMET?  Let’s go back to the effort that Microsoft started in the early days of Windows XP when it became apparent that the OS had severe security problems in the Internet environment.  It started to add features (DEP, SEHOP, ASLR, etc.) to the operating system that applications could use to harden themselves against attacks.  Why did applications have to explicitly turn those features on instead of the OS just imposing them?  Easy, in many cases applications required minor changes to be compatible with the new security features.  So the model from Windows XP SP2 on has been that executables have to indicate when built that the features should be turned on.

Now Microsoft itself made turning on those features part of the Security Development Lifecycle (SDL) for its products, so those are fairly well protected.  And over the years many other software developers have adopted SDL or similar processes and turned on these features.  But what about applications that haven’t turned on those features?  What about bespoke applications that an IT shop writes that are no longer being actively developed?  What about apps that the source code is unavailable for?  Tweaking these apps and rebuilding them to use the features runs from impractical to impossible.  The answer to that problem was EMET.

EMET allows an IT shop to force one or more security features on for a particular executable.  So let’s take an example of how it was intended to be used.  You have a bespoke order processing application, and you have some kind of internal testing methodology for verifying changes to that application.  So you take EMET and you use it to turn on one or more of the features.  Then you test to see if you’ve broken the app.  If you haven’t broken the app then you deploy an EMET rule to all your clients turning on the feature(s) for the order processing app.

The key here is that the IT department is responsible for testing and making sure the app is compatible with the selected security features.  And if the app is updated, the IT department is responsible for re-testing that the features don’t break it.  These are things beyond Microsoft’s control, and beyond what 99.99% of end-users are willing to deal with.  That’s why EMET is a toolkit and not simply an OS feature.
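The opt-in model described above (an executable "indicates when built" that DEP and ASLR should be on) is recorded in the PE optional header's DllCharacteristics field, and the gap EMET fills is exactly the set of images whose builds never set those bits. The script below is an added example, not part of this post or of EMET itself: it parses that field from a PE image, reports which of the header-visible mitigations (DEP via NX_COMPAT, ASLR via DYNAMIC_BASE, and high-entropy ASLR on 64-bit images) the build opted into, and turns the missing ones into a hypothetical EMET-style "force these" rule for the app. The sample images are constructed minimal headers, not loadable binaries, and the rule dictionary shape is my own assumption, not EMET's actual configuration format. SEHOP is deliberately absent because it is a per-process/system setting rather than a PE header flag.

```python
import struct
from typing import Dict, List

# DllCharacteristics bits a linker sets when a build opts in to an OS
# mitigation; these are documented IMAGE_DLLCHARACTERISTICS_* values.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time: ASLR
NX_COMPAT = 0x0100         # image declares itself DEP-compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: high-entropy ASLR

# Mitigation name -> (flag bit, applies only to PE32+ images)
MITIGATION_BITS = {
    "DEP": (NX_COMPAT, False),
    "ASLR": (DYNAMIC_BASE, False),
    "HighEntropyASLR": (HIGH_ENTROPY_VA, True),
}


def parse_pe_header(data: bytes) -> Dict[str, int]:
    """Return the optional-header magic and DllCharacteristics of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20            # skip signature and 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):    # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {"magic": magic, "dll_characteristics": dll_chars}


def mitigation_status(data: bytes) -> Dict[str, bool]:
    """Which header-visible mitigations the build opted into."""
    hdr = parse_pe_header(data)
    is_64 = hdr["magic"] == 0x20B
    status = {}
    for name, (bit, only_64) in MITIGATION_BITS.items():
        if only_64 and not is_64:
            continue                   # high-entropy ASLR is meaningless for PE32
        status[name] = bool(hdr["dll_characteristics"] & bit)
    return status


def emet_style_rule(app_name: str, data: bytes) -> Dict[str, object]:
    """Hypothetical rule shape: the mitigations an EMET-like tool must force."""
    missing: List[str] = [n for n, on in mitigation_status(data).items() if not on]
    return {"app": app_name, "force": missing}


def build_sample_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal DOS + PE header (not loadable), enough for parsing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0, opt_size, 0x22)     # sections, stamps, flags
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed samples: an SDL-style build versus a legacy 32-bit binary.
    modern = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA)
    legacy = build_sample_pe(0, pe32plus=False)
    print(emet_style_rule("modern64.exe", modern))   # force: []
    print(emet_style_rule("legacy32.exe", legacy))   # force: ['DEP', 'ASLR']
```

To run this against a real file, read it with `open(path, "rb").read()` and pass the bytes to `emet_style_rule`; an empty `force` list means the build already asked for these protections and an EMET rule would add nothing for them, while a non-empty list is the population the post is talking about, where only a per-executable rule (with the IT department's compatibility testing behind it) can switch the mitigation on.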

But if Microsoft is already mitigating its own software, and so are many ISVs, then isn’t EMET essentially only for bespoke apps?  Well, no.

Microsoft keeps expanding the set of mitigations available through EMET, with mitigations appearing in it before they are available through the OS and development tools.  Moreover, even if a new mitigation were available and used to protect “IE12” that wouldn’t help IE11.  So EMET can be used to add newer mitigation techniques to current, or older, software releases.

This is great for IT shops who can, and should, be using EMET to protect all software running on systems they are responsible for.  But what about the rest of us?

I propose that Microsoft create an EMET Lite that is distributed to users much as Microsoft Security Essentials and Windows Defender are today.  That is, either a free and recommended download or built into newer versions of the operating system.  The key differentiator between EMET and EMET Lite is that for the latter all of the rules would be generated by Microsoft and managed via Windows Update.  This places a burden on Microsoft, which is likely why they haven’t done it to date.  But for a company worried enough about security that they created EMET, and with evidence of the value of an EMET Lite such as the Pwn2Own results, Microsoft should take on this burden.

How much of a burden would Microsoft managing the EMET Lite rules actually be?  I don’t think it would be substantial.  Take as an example a default set of rules that come with the EMET 5 Technical Preview.  They turn on mitigations for “Microsoft Internet Explorer, WordPad, applications that are part of the Microsoft Office suite, Adobe Acrobat 8-11, Adobe Reader 8-11, and Oracle Java 6 and 7.”  So if you install EMET and accept the defaults you already have protected critical software using Microsoft supplied rules.  Now all they need to do is offer to update those rules as needed with Windows Update and you are rather close to my EMET Lite offering.

EMET Lite could be offered in a way that was almost totally transparent to end-users.  It could be distributed via Windows Update as a recommended download (and built in to Windows 8.1 Update 1 and later).  Once downloaded, Windows Update would maintain the rule-set.  Telemetry from application crashes, as well as Microsoft’s other feedback loops, would be used to fix broken rules.  The testing processes used for anti-malware signatures and Patch Tuesday updates could be applied to proposed rule changes.

Third parties could be encouraged to validate and supply rules for their own software that Microsoft would then ship, though this carries some complexity and risks.  It seems that Microsoft already has many cooperation frameworks which could be extended to cover this case.  If not, Microsoft might simply let third-parties install and maintain their own rules.

EMET Lite also offers Microsoft an additional way to deal with some zero-day issues while it, or an ISV, develop a patch.  It could ship a new rule, or create a “Fix It” solution that installs a new rule, turning on a mitigation even if that creates a compatibility problem pending a real fix.  The Fix It path is particularly attractive because it allows Microsoft Customer Support to help customers while engineering is still investigating a permanent solution.

The benefits of EMET Lite seem enormous, the downside minimal.  Microsoft would take on some extra costs and risk.  But those costs and risk seem pretty minimal compared to the benefit that EMET is demonstrating.  Now is the time for EMET to move from IT toolkit to mass market security tool via an EMET Lite.

Posted in Computer and Internet, Microsoft, Security, Windows

NEW post on Windows XP situation

I made two incorrect statements in my last post on Windows XP.  One is that I said it was my last warning on its demise, and obviously here is another one.  The other is that I said I’d write about how to live with Windows XP after support ends on April 8th, and I haven’t.  That’s the result of this blog being purely a hobby and having lost interest in the topic for a couple of months.  So this is an update on the Windows XP situation with one month to go before Microsoft ends support.

First a little story.  A couple of weeks ago I walked into the office of a new consulting client and staring me in the face was a Windows XP system.  I mentioned the coming end of support to the COO and a look of concern crossed her face.  She asked that I mention it to the VP of Administration, who owns IT, which I did.  She had the situation well in hand, with only 3 or 4 of their machines not yet moved off XP.  And they likely will be by next month.  So yes, a lot of people may have their head in the sand and be surprised when Windows XP support ends.  But it may be far fewer than most of us have been worried about.

Getting away from the anecdotal evidence, let’s look at some numbers.  The panic-level numbers that have been in the press lately are global numbers from Net Applications.  As I’ve pointed out before, I can’t drill into those without paying, so I’m going to use StatCounter numbers instead.  StatCounter paints a slightly rosier picture than Net Applications, with Windows XP continuing to be used by 18.6% of desktop computers on a worldwide basis as of February 2014.  Sounds a lot better than the 29% that has been in the press, right?  It is still too high though.  The methodologies of both organizations have their flaws, but both provide data that is useful.  So let us drill in.

The truth about Windows XP usage is that looking at the situation globally gives a very distorted picture.  Why?  Well, in China, where piracy was (and is) rampant, Windows XP remains the leading operating system with 48.26% of the desktop OS market!  This has a number of implications which I’ll get to in a moment, but the first is that Chinese usage of Windows XP is really distorting the global number.

Here in the United States Windows XP usage is reported as 10.93% by Statcounter.  To put that in perspective, they report Mac OS X (all versions) usage as 18.07%.  Since malware authors target large populations, and historically OS X has been targeted less because of relatively low usage compared to Windows, this suggests malware authors may actually start losing interest in Windows XP!

It may not happen immediately, but if Windows XP share continues to drift down over the year after support ends, then not many economically driven attackers are going to waste their time searching for new XP-specific vulnerabilities.  (The caveat is that they may not need to search: a fix shipped for Windows 7 or 8 can be diffed against the unpatched code to locate a bug that XP shares, and XP will never receive that fix, so the remaining XP population stays exposed to bugs found elsewhere.)  Android, for example, has become a much juicier target.  The exception will be those in the “Advanced Persistent Threat” world, where you might be looking to launch a targeted attack against an entity you know is still running XP.  Think a Stuxnet-type attack.  This is something the corporate and government worlds need to take very seriously, and continue to push to eliminate XP from their operations.

In any case, the U.S. figure is a lot better than the 29% headline number.  In Australia XP usage is already down to 7.62%, and I imagine the U.S. will be there within a year.  This starts to get us down into the noise range, at which point you basically declare mission accomplished.  Europe is at 16.48%, which is surprisingly high.  But individual countries are all over the map.  The United Kingdom is at 8.53% while Poland is at 25%.  As a general rule North and South America, Europe, and Oceania are below average while Asia and Africa are above average.

Now there are probably some people who are happy with half of computers in China still running Windows XP.  The NSA is one of them.  But on an overall basis this is a very disturbing situation.  Western companies do a lot of business with China, and will now be sharing confidential information with entities running vulnerable systems.  It also blunts my argument about economically focused hackers losing interest in XP.  So with China, as well as other lingering high-usage countries, Microsoft and its ecosystem must retain their focus on migrating users off Windows XP.

Why is the situation in China so bad?  I can think of two reasons.  One of those is the high degree of software piracy in that country and the difficulties in engaging with owners of pirated software.  Second may be the economic reality of a much higher percentage of systems not being capable of running Windows 7 and later combined with an inability to afford a replacement system.  Similar factors may be impacting India (28.97%) and a number of other countries.

So what does all this mean?  I’m not sure.  In countries where Windows XP usage has dropped below 10% the situation moves from apocalyptic to problematic.  But on a worldwide basis, with a global connected economy, the problem is as bad as ever.  And it seems like no amount of effort by Microsoft, or other organizations, may drive down XP usage in places like China.  Not even the end of support.

Posted in Computer and Internet, Microsoft, Windows