Will Microsoft get the new Surface(s) right? Part 1

It appears that on May 20th Microsoft will announce at least one new member of the Surface family, most likely a Surface Mini (aka 7-8″ class device).  The rumors have heated up suggesting that there will actually be two or more new Surface devices introduced.  Now that would be exciting!

From my perspective this is pretty much the make or break announcement for the Surface line.  The Surface/Surface 2/Surface Pro/Surface Pro 2 generation of devices grew out of Microsoft’s pre-Windows 8 launch thinking.  Yes the 2s are the same generation as the originals, nicely upgraded but still based on the original design center.  Whatever we see on the 20th are the first devices that could have been seriously impacted by what Microsoft learned from the Windows 8 and Surface launch experience.  The first that could have a different design center.  And the first where new CEO Satya Nadella can influence the pricing and positioning (though not the designs themselves).

Part of Microsoft’s problem with the original Surface was its schizophrenic positioning.  Was this a content consumption device positioned against the iPad or a content creation device positioned against the MacBook Air and Ultrabooks?  I discussed positioning in my original “review” of the Surface, which didn’t get to the marketing side of things.  What Microsoft tried to do initially was position the Surface as a content consumption device and the Surface Pro as more of a content creation device.  They missed the mark on both.

The Surface didn’t find acceptance as a content consumption device for two major (and a few modest/minor) reasons.  First, it was considerably overpriced.   Microsoft thought they had a lot of value in the device that consumers didn’t see.  Second, the device had no apps.  By basing the Surface on an ARM processor, thus limiting it to only new Windows Store apps, Microsoft had created a version of the “Which came first, the Chicken or the Egg?” problem for itself.  They could have broken through by pricing the Surface aggressively to drive sales volume that created a pull on app developers.  But they didn’t.  Consumers stayed away.

Where the Surface showed some promise, and did gain traction after last fall’s price drop, was amongst people who needed a Microsoft Office-centric productivity tablet.  Basically something even more into the Content Creation space than Microsoft’s original positioning.  Unfortunately Microsoft was slow to follow up on that limited success and has kept the Surface 2 priced much too high to build on last fall’s traction with the original Surface.  It has been overpriced by at least $100.  A Surface 2 with the Touch Cover for $399 would be a compelling offering.  But at $530 it is a non-starter.  And the pricing of the LTE model is outrageously non-competitive.

The ARM-based Surface continues to face the problem of a weak app library.  My most recent example is the lack of a Windows Store app for Amazon Instant Video, meaning I can’t take my Amazon content offline.  So on my expensive Surface I couldn’t download my Amazon videos to watch on the airplane, but on my inexpensive x86-based Dell Venue 8 Pro I could (because I could install the desktop Amazon Unbox video app).  I left the Surface at home.

High price, lack of consumption apps, and a myriad of more modest consumer disconnects (e.g., the bet on a 16:9 aspect ratio hasn’t paid off, very late delivery of LTE support) doomed the Surface/Surface 2.

The Surface Pro/Surface Pro 2 is more of a success story.  It offers an amazing set of capabilities in a small package.  Unfortunately it is too thick and heavy for use as a primary tablet, and has too small a screen for most people to accept as a primary Content Creation device.  So it is a niche product for those desiring a secondary Content Creation device with good Content Consumption capabilities.  If Microsoft had gotten the thickness and weight down with the Surface Pro 2, and priced it just a little more aggressively, they could have had a smash hit.

Unfortunately Microsoft botched the rollout of both the Surface Pro and Surface Pro 2.   In the case of the original Surface Pro they prioritized shipping the Surface first, even though the Surface Pro would have been an instant success and driven Windows Store app development.  By the time the Surface Pro shipped it was tarnished by the poor acceptance of the Surface and poor battery life associated with a dated processor that had already been superseded in Intel’s family.  In the case of the Surface Pro 2 they had availability problems, and then failed to deliver critical accessories, such as its docking station and the power keyboard cover, in a timely fashion.  Thus despite having a solid product, Microsoft simply botched the opportunity.

In Part 2 I’ll discuss a new design center for Surface and suggest what I’m looking for in the next set of products they introduce.


Free Windows (TANSTAAFL)

Some are touting yesterday’s announcement that Microsoft was making Windows (including Windows Phone) free for devices with screens smaller than 9″ as the most impactful news coming out of Build 2014.  While I do think it is important news, I think other changes such as Universal Apps are far more important.  And there is one executive discussion I’d really have liked to sit in on that I’ll talk about near the end.

Current Microsoft profit from Windows Phone and Windows on small screen devices is at best rounding error and at worst represents a loss.  The story on revenue isn’t much better: it is immaterial.  That’s important since it is what matters to investors, and in the long run it is what determines how sustainable a move this is.  Microsoft basically gave up nothing in a “Hail Mary” pass to establish relevance in the software for mobile device market(s).

Some of the software pricing move is related to Microsoft’s evolution to a Devices company, so let’s explore Windows Phone first.  With closure of the Nokia Devices acquisition Microsoft will itself be shipping 90%+ of Windows Phone devices.  Today Nokia sells a phone for say $150 and sends Microsoft a check for (say) $15.  Tomorrow Nokia sells that same phone for $150 and doesn’t send Microsoft a check.  But since Nokia is now part of Microsoft that $15 still accrues to Microsoft’s finances.  It is, in every sense except a financial reporting one, a neutral financial move by Microsoft.

Microsoft is trying desperately to foster an OEM model for Windows Phone, particularly as it relates to BRIC and developing countries.  In those extremely cost-sensitive markets the price of Windows Phone is an issue, while the revenue and profit potential from software for phones alone is immaterial.  Another way to look at this, and it is even possible this is technically how Microsoft’s OEM contracts are structured, is that Microsoft is returning 100% of the price of a Windows Phone license to the OEM as Market Development Funds (MDF).  But even if the contract actually shows a price of zero, in which case Microsoft probably isn’t providing MDF, Microsoft has in effect committed the revenue it might have gained from charging for Windows Phone licenses to marketing.  That’s the correct way of thinking about this.

And the same story applies to smaller screen tablets.  Right now the market for those, aside from the apparent modest success of the Dell Venue 8 Pro, is immaterial to Microsoft’s bottom line.  Microsoft needs to protect its larger form factor Windows revenue stream by taking a very significant share of the smaller form factor tablet market and is willing to “spend” 100% of what it could have taken in on revenue for those Windows licenses to gain that market share.

Why is that market share gain so critical?  Because every iOS or Android device in someone’s hands represents an opportunity for Apple or Google to replace a notebook or desktop as well.  Chromebooks make no sense for me because I am not bought into the Google ecosystem.  The MacBook Air makes no sense to me because I am not bought into the Apple ecosystem.  But if I were a dedicated Android or iOS user I would be, and thus more likely to also become an OS X or Chrome OS user.  So every Windows Phone or Tablet win represents a chance to keep someone in the Microsoft ecosystem and sell them the products for which Microsoft really makes money.

As for the conversation I wish I could have been a fly on the wall for, it’s the one they must have had about setting a precedent.  What happens if Microsoft’s wildest dreams come true and it becomes the top supplier of phone and/or tablet OS software?  Can it raise prices and monetize that success?  This is why I always envisioned the technical pricing details as a 100% kickback in MDF rather than a zero list price.  You can always phase down MDF but raising prices will be like tiptoeing through a dense minefield.  I’m sure Microsoft longs for a day when it must face this problem!



Let the Build 2014 games begin!

We are just a few hours away from Build 2014, and the most important set of reveals for Microsoft’s Operating System business in a decade.  Yes, more important than Windows 8.  Or Windows Phone 7.  Or whatever other seemingly, at the time, critical reveals Microsoft has had.  The reason for that is simple: the Operating System business at Microsoft continues to struggle.  Sure it had a temporary reprieve with Windows 7, in what now looks like a “dead cat bounce”.  But otherwise Microsoft’s relevance for software that powers hardware has been, at best, in a holding pattern for a decade.

What gets announced and talked about this week won’t be the launch of totally revamped products that change the world but rather products that tell us if Microsoft is getting its OS mojo back.  Hopefully we will learn where Microsoft sees its core Desktop OS efforts going the next few years, the very thing it all but mortally wounded with the release of Windows 8.  This is about more than just some continuing tweaks to make Windows 8.x more appealing to desktop users; it is about sending them a message that they are important and will have optimized support going forward.  And it is about reassuring Win32 and .NET developers that they have a bright future as well.

Next up is eliminating the arbitrary discrepancy between Windows for Tablets and Windows for Phones.  Of the three major ecosystems only Microsoft has this disparity.  iOS and Android are the same, and most importantly have the same development model, on all slate form-factor devices.  On Windows the discrepancy has caused the app stores for both Windows and Windows Phone to stall.  Many apps are available on one platform but not the other as developers are forced to choose between supporting one #3 platform or having two separate efforts for two #3 platforms.  This has been devastating.  Based on leaks it appears certain that after this week developers will be able to focus on one app for both the phone and the tablet (and of course, all Windows form factors).

At the same time it’s critical that Microsoft bring its app model to parity with iOS and Android, eliminating barriers that have caused leading edge apps to skip the platform.  It can no longer be the case that underlying platform capabilities are blocked by the lack of support in the new APIs.  We can’t have the most interesting new app categories skipping Windows devices because, after all the evangelism is done, they simply can’t get their app to work on Windows.  Nor can we have the situation where some of Microsoft’s own properties find it easier to implement new features on Android or iOS than on Windows.

It is also time that Microsoft dropped the excuse that it is playing catch-up in the mobile OS space.  If Windows Phone can’t be competitive at the user feature level in 2014 then it just never will be.  Oh, I’m not saying it needs to leapfrog Android and iOS and leave them behind, as if it ever could really do that.  I’m saying that as users we have to be able to see Windows Phone as every bit as leading edge as Android and iOS.  It needs to be at parity on everything that is important to users, and continue to innovate in ways that set it apart.  Windows Phone 8.1 must be the end of the line on “catch-up” if Microsoft wants end-users and developers to commit to the platform.

Following on from last week’s clear focus on the cloud, we need to see how Windows is going to be the best OS to power cloud-connected devices over the next decade.  We simply need to walk away from Build 2014 believing this.  As a user of the entire Microsoft ecosystem I see and enjoy the promise on a regular basis.  But if I were a 100% Apple user or 100% Google user then my experience wouldn’t be much different.  I think this is a tall order for Microsoft as the world, and especially developers, have to believe two things.  The first is that in a 100% Microsoft ecosystem Windows-powered devices have to offer a better cloud-connected experience than in 100% Apple or Google worlds.  The second is that Microsoft has to show why Windows-powered devices will be the best end-points in a heterogeneous environment.  And they have to do that despite Apple and Google not playing nice.  Apple is not a surprise since, with the exception of iTunes, they ignore the Windows platform.  Google is a bigger problem as they have explicitly avoided legitimizing Microsoft’s Phone and Tablet offerings with Windows Store apps.

Lastly, the “Internet of Things” is the next frontier for the OS business and Microsoft has been fairly absent in letting us know how they plan to address that market.  Keep in mind that this is another area where Microsoft was early, way too early.  Now it is faced with the problem of being leapfrogged by the competition, and Google in particular.  Microsoft cannot let this happen.  It must give its remaining development community a reason to stick with it as this new gold rush begins.

Fortunately through leaks and through what little information it has released, like the schedule of Build sessions, we know that Microsoft will be addressing most if not all of these areas.  Will it be enough?  Will the messages resonate with the believers and bring some non-believers back?  The technical details are one thing; what Microsoft executives say during the keynotes is far more important.  If they paint a picture of a Windows world that users and developers really want to play in then a revival of the Windows business is possible.  If they fail to excite then they probably relegate it to a legacy business.  Either way Microsoft will survive and prosper.  But its future is a lot brighter if at the end of this week the key stakeholders are a lot more positive about the future of Windows than they were at the end of last week.


Microsoft has a near miss with the Xbox One Media Remote

Regular readers will of course be familiar with my Xbox: Fail from January, and I thought a little update was in order.

To get something out of the way, the February and March updates did nothing noticeable to improve voice recognition.  I did recalibrate after the February update, but not after the one in March.  Maybe I’ll try again after the April update.  And it appears to me that one of the updates degraded facial recognition, as much of the time my Xbox One isn’t recognizing me and automatically logging in.  To put a short summary on it, the experience is no better than when I wrote the piece in January.

And to say something positive, I love that Microsoft added music videos to the Xbox Music app on the Xbox One.  We had company for the weekend and Saturday night we all stayed up past midnight finding favorite music videos.  The few we couldn’t find on Xbox Music I found on the web and put up on our 55″ using Miracast from my Lumia 2520.  That worked flawlessly too.  Especially watching the launch of MTV.  Coverage of the first launch of the Space Shuttle is way cooler than any music video 🙂  And “Video Killed the Radio Star” is a terrible song, even if it was perfectly appropriate as MTV’s first music video.

One thing I called for in the January piece was a Media Remote, and Microsoft has obliged with that.  I really like it, and if it weren’t for one major design flaw I would have titled this post “Xbox One Media Remote saved my marriage”.  That major design flaw?  The Xbox One Media Remote uses IR rather than RF to control the Xbox One.  That’s a problem for me because the Xbox One is in a cabinet, with a door blocking IR signals.

Given that the Xbox One comes out of the box working with RF-based game controllers I never would have guessed that they’d use IR for the Media Remote.  Why not just have it use the same RF communications channel?  I hate IR.  It is the 80-column card of the A/V industry.  Except 80-column cards were a good idea in their time while I’m not convinced IR was ever a good idea.  In either case, their times have passed!

Dear Xbox team, wait until you see the blog post when one of my dogs crashes into the open door and breaks it off the built-in cabinet.  Wait until I send Satya the bill and demand payment in Hyderabadi Biryani, which I will do.  Seriously.

Anyway now I do open the cabinet door to consume media on the Xbox One.  This makes my wife happy because she interprets the voice commands about as accurately as the Xbox.  For example, I say “Xbox Select” and the Xbox displays a message about something else not being valid in the current context, if it hears me at all.  My wife interprets “Xbox Select” as “Dial Divorce Lawyer”.  Fortunately she tunes me out even better than the Xbox though I try not to press my luck.  So I no longer talk to the Xbox.

Meanwhile with the cabinet door perfectly positioned to absorb the shock of a Bernese Mountain Dog that is blissfully unaware that the U.S. Government has classified her as a weapon of mass destruction, I happily select apps, perform searches, play and pause media, etc. on the Media Remote.  It’s an accessory that I recommend to anyone who is going to regularly use their Xbox One for video.

What about installing (another, actually) IR repeater so I don’t have to leave the cabinet door open?  I suppose I will eventually.  But I hate IR, and I love Hyderabadi Biryani.


10″ LTE for me

One of the things that has bugged me about Windows 8.x from the beginning was the lack of devices with built-in WWAN, and particularly LTE, support.  I had 3G support in my original iPad, and it was a pleasure to just be able to open the case and start using the device without worrying about finding and connecting to a working WiFi network.  Not to mention the security advantage of avoiding public WiFi, and not draining the battery of my smartphone by using it as a hotspot.  For the last couple of years I’ve been envious of my wife, who has her iPad on the Internet before I even have time to get my smartphone out of my pocket.

With the introduction of the LTE version of the Microsoft Surface 2 it turned out there were three devices I could choose from if I was serious about moving to an LTE device.  The final straw came the other day when I pulled my Lumia 1020 smartphone out of my pocket and discovered the battery was moments from being dead.  I just had to stop using it as a hotspot on a regular basis.  I’d thought about waiting to see what other devices hit the market in the next few months, and in fact I wouldn’t be surprised if I’m soon kicking myself for moving prematurely.  But what’s done is done.

A word about my computing environment before diving into my choice and a bit of review of it.  Prior to last week I had 3 tablet-like devices (not including those that are primarily my wife’s).  My primary tablet has been a Microsoft Surface RT.  Although it has a keyboard cover (and I go back and forth between the Touch and Type covers) my primary usage model is as a tablet.  It’s just nice to have a keyboard when you need it.  For the last 6 months I’ve also had a Dell Venue 8 Pro, which is obviously a pure tablet.  The DV8P has pushed my usage of the Surface more heavily towards notebook-like tasks since I tend to carry the DV8P when I want something with me for consumption and the Surface when I think I might need to use a keyboard.  So last week I would have said the Surface RT is 40% Notebook and 60% Tablet.  The DV8P is 5/95.  Lastly I have a Surface Pro 2 which I purchased for my consulting practice.  As that implies, it sits in a dock as the desktop for my home office except when I am on a consulting engagement.  Then it is used 80% in notebook mode and 20% as a tablet.

The Surface Pro 2 is unlikely to need replacement for a couple of years.  The DV8P is on the chopping block later this year as the 8″ Windows tablet market matures and we get higher resolution devices with LTE.  But it was the Surface RT that was most ready for replacement.

As best I could tell there were three choices readily available on the U.S. market as of last week.  The oldest of the three was the Nokia Lumia 2520, which was introduced last fall.  Next up was the Microsoft Surface 2 LTE, identical to the Surface 2 introduced last fall except for the addition of LTE support.  Lastly was the Dell Venue 11 Pro line which just added an LTE model.

The Lumia 2520 was an attractive device from the moment Nokia announced it.  The 10.1″ form factor made it the most tablet-like of the choices.  It was built as a WWAN-based device from the beginning, and you can’t even buy a WiFi-only version.  It is light (1.3lb).  It has an awesome screen.  And Nokia announced a keyboard case for it, one with an extra battery and a couple of USB ports to boot.  About its only negative is that it is an ARM-based device like the Surface RT and Surface 2.  I seriously looked at buying one at introduction but there was a problem.  The keyboard case was unavailable and I was loath to buy the tablet and hope that the case, which more than doubles the weight of the combination, would be acceptable.  So month after month I would go to the AT&T store and the Microsoft Store and ask if they had the case in stock so I could see for myself.  Month after month they reported it wasn’t available.

When Microsoft introduced the Surface 2 they mentioned that an LTE version would be available in early 2014.  I waited, hoping that early would mean January.  January came and went with no LTE version.  February came and went with no LTE version.  Finally March brought announcement and availability of the Surface 2 LTE at the ridiculous price of $679.  Add on a Type 2 Cover and you are sitting at over $800.  Make it the new power cover and you are approaching $900.  That’s a lot of money to part with for any tablet, particularly one that is already half-way through its primary life-cycle.

The Surface 2 is also an ARM-based device.  It is heavier than the 2520.  With its 10.6″ screen it is a more awkward shape and size for tablet use, but the screen dimensions feel more natural for notebook-like use.  It also offers a wider array of keyboard covers (Touch, Type, Power).

The last entry, which I only learned about last week, is the LTE version of the Dell Venue 11 Pro.  Dell has introduced the Venue 11 Pro line as a family of x86-based devices with a choice of Intel Atom and Core processors.  The Atom-based models are thinner and more of a tablet-first offering while the Core-based models are thicker, heavier, and more of a notebook-first offering.  Basically the DV11P Atom models are Surface 2 competitors and the Core models are Surface Pro 2 competitors.  The screen size also positions them in this way, with the 10.8″ screen being comparable to the Surface family’s choice of 10.6″.  Moreover, the 10.8″ screen clearly positions them as members of the 11″ class of devices such as the MacBook Air notebook.  For me that is the problem.

The DV11P LTE model is Atom-based, which I do prefer to the ARM-based processors used in the 2520 and Surface 2.  However the 10.8″ screen size forces the DV11P into larger overall dimensions and a higher weight than the Surface 2.  I was looking for something much closer to the iPad Air in weight and size, so the DV11P was going in the wrong direction.  Pricing for the DV11P LTE is far better than for the Surface 2 LTE, and it has as good a set of accessories, if not better.  In particular, if you wanted to use any of the DV11P models heavily as notebook replacements then Dell offers one keyboard/cover option that is more of a notebook dock than anything available for the Surface line.  Indeed, if I didn’t already own a Surface Pro 2 I’d be giving the DV11P line a very serious look.  But it just didn’t add up for the needs around a Surface RT replacement.

With the DV11P LTE outside what I considered a desirable envelope of physical characteristics, and the Surface 2 LTE at a budget-busting price even for someone as price insensitive as I often am, I took another look at the 2520.

Months had gone by without me so much as being able to glance at the Lumia 2520’s power keyboard case.  Earlier this month I noticed that the local AT&T store had one on display, but it was bolted down so that I couldn’t actually hold one.  Actually you couldn’t even use it because of the design of the bracket.  The store was not stocking the keyboards, and corporate was refusing to accept orders for them because of the order backlog.  When I first saw this I checked at the Microsoft Store and they still hadn’t received any.

A few days ago I went into the Microsoft Store to pick up a Media Remote for my Xbox One.  They didn’t have the keyboard case for the 2520 on display, but I asked if they had any and they said yes!  So off they went to get one from the stockroom for me to see.  Taken alone the weight and feel were quite nice.  With a 2520 installed the combination was heavy (almost 3 pounds) but good feeling.  With a caveat I’ll mention in a moment, I decided the Lumia 2520 with its keyboard case would replace my Surface RT.

With the battery in the keyboard case the 2520 should come in at 16+ hours of actual use.  I’m not going to do a battery test, but I will say that I used it fairly heavily yesterday and when I looked this morning the cover’s battery was drained but the battery in the tablet itself was at 97%.  So you really can get 2 days of solid usage out of the combination.  There are things I like better about this keyboard than Microsoft’s Surface Type Cover 2, and things I like less.  Mostly less.  Having only one viewing angle is a negative.  The loose flap the touchpad is on is another.  But the most important negative is that you can’t fold the case out of the way to use the 2520 as a tablet!  That isn’t just a problem in terms of holding the tablet in your hand, it is a problem in situations like tight airplane seats where the 2520 in its power keyboard case takes up a lot more room than a Surface 2 would.  Basically the 2520 power cover transforms the tablet into a notebook.

I’m disappointed that Nokia didn’t come out with a second keyboard cover that dispensed with the battery, because as nice as it is in theory to have a 16 hour device it isn’t really worth the 1/2 to 1 pound of extra weight for most people looking for this class of device.  Dropping the battery would also allow for a case that folded out of the way for tablet use.  The 2520 doesn’t have a built-in kickstand, so you need some kind of case for almost any usage scenario.  What I decided to do was look for a third-party, keyboard-less, case that I could use when I wanted to carry the 2520 as a pure tablet.  As it turns out a few case manufacturers have created 2520-specific offerings and I have one on order through Amazon for $20.  It will be a few months until I know which case I use more often.

Although I’ve made my choice I’m rather disappointed by the Windows Tablet 10″ LTE landscape.  No manufacturer has come out with the right device, at the right price, in a timely fashion.  Nokia did the right device and the right price, but missed the boat on accessory availability and variety.  Microsoft has the right device and accessories, but totally missed the boat on both price and availability.  Dell is doing things right with the Dell Venue 11 Pro line, but the line is aimed solidly at the 2-in-1 space and is sub-optimal for the tablet space.

So there you have it, I’m a Lumia 2520 owner.  I may even be a fan, but it will be a few more weeks before I’ll be able to say.

One other thing to mention.  The Surface 2 LTE and DV11P LTE both come with 64GB of storage while the 2520 only comes with 32GB.  Of course they all take micro-SD cards.  I’ve lived with a 32GB DV8P long enough to know that it isn’t a problem, and an extra 32GB certainly isn’t worth the $168 difference between the Surface 2 LTE and the 2520.


Supporting other platforms before Windows

A few Microsoft properties have received grief the last couple of years about shipping features, or even entire apps, on non-Microsoft platforms before those same features or apps come to Windows and Windows Phone.  I talked to a friend about this a few months ago,  and as rumors swirl that Office for iPad may arrive before a Metro/Modern version of Office for Windows 8.x I thought I’d relay his explanation.

What groups inside Microsoft are finding, just as third-party developers have found, is that the API set in WinRT and on Windows Phone is deficient compared to Android and iOS.  So the development team envisions a feature they want to add.  It takes them a couple of days to implement that feature for Android or iOS.  But for Windows/Windows Phone they get into a cycle of negotiating a feature request with the OS team and then waiting for an OS update that includes the feature.  That can take man-weeks of effort and many months of elapsed time.

Now the app or services team faces a dilemma.  They can wait the many months for the Windows support to appear while they lose competitive ground, or they can ship their feature on Android and iOS as soon as their own update schedule allows and play catch-up on Windows.  Years ago they most likely would have taken the hit to their own business in order to protect the Windows franchise.  However in an age where Microsoft is an underdog in many areas that is no longer considered a viable way to do business.  Thus we will sometimes see features or entire apps on non-Microsoft platforms before we see them on Windows/Windows Phone.

Now of course this really should be putting pressure on the OS team to expose a greater and more competitive set of features through their modern API sets.  This is something third-party app developers are getting rather vocal about as well.  So on one hand a lot of Microsoft fans are going to get upset as functionality comes to Android and iOS before appearing on the various flavors of Windows.  On the other, they should be happy that Microsoft teams are putting a lot of internal pressure on the OS team that in the medium to long-term will greatly improve Windows as a modern app platform.


A call for EMET Lite

Often I make suggestions to Microsoft privately, occasionally I do so publicly.  I’m doing this one publicly to generate broader discussion and hopefully a consensus.  I already mentioned this on Twitter a few weeks ago, but the full discussion requires a blog entry.

Microsoft’s EMET (the Enhanced Mitigation Experience Toolkit) is a security tool aimed primarily at Enterprise Information Technology departments.  It can be used by, and is available to, sophisticated end users.  However it really isn’t designed for typical end-user use.  This is a call for Microsoft to create an “EMET Lite” that is available with or packaged into all Windows systems, with management provided by Microsoft via Windows Update.

To get an idea of why EMET Lite might be desirable take a look at the results from this week’s Pwn2Own hacking contest.  No one was able to claim the $150,000 Grand Prize for hacking IE11 with EMET running.  All major browsers, including IE11 without EMET, were hacked.

Ok, so what is EMET?  Let’s go back to the effort that Microsoft started in the early days of Windows XP when it became apparent that the OS had severe security problems in the Internet environment.  It started to add features (DEP, SEHOP, ASLR, etc.) to the operating system that applications could use to harden themselves against attacks.  Why did applications have to explicitly turn those features on instead of the OS just imposing them?  Easy: in many cases applications required minor changes to be compatible with the new security features.  So the model from Windows XP SP2 on has been that executables have to indicate, when built, that the features should be turned on.

Now Microsoft itself made turning on those features part of the Security Development Lifecycle (SDL) for its products, so those are fairly well protected.  And over the years many other software developers have adopted SDL or similar processes and turned on these features.  But what about applications that haven’t turned on those features?  What about bespoke applications that an IT shop writes that are no longer being actively developed?  What about apps that the source code is unavailable for?  Tweaking these apps and rebuilding them to use the features runs from impractical to impossible.  The answer to that problem was EMET.
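The build-time opt-in described above is recorded in the executable itself: the linker sets bits in the PE optional header’s DllCharacteristics field (DEP is NX_COMPAT, ASLR is DYNAMIC_BASE), and an app whose bits are clear is exactly the kind EMET exists to force mitigations on.  The following is an added example, not code from the post or from EMET, that reads those bits from a PE file and lists which mitigations a rule would have to force; the PE bytes it checks by default are constructed headers, not real programs.

```python
import struct
import sys

# DllCharacteristics bits of the PE optional header (PE/COFF format). These are
# the build-time opt-ins the post describes: the linker sets them, the loader
# honours them. SEHOP is an OS setting, not a header bit, so it is not listed.
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0100: "NX_COMPAT (DEP)",
    0x0020: "HIGH_ENTROPY_VA (64-bit ASLR)",
    0x4000: "GUARD_CF (Control Flow Guard)",
}

def declared_mitigations(image: bytes) -> dict:
    """Map each mitigation to whether the image opts into it at build time."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the PE signature and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    return {name: bool(dllchars & bit) for bit, name in DLL_CHARACTERISTICS.items()}

def needs_emet(image: bytes) -> list:
    """Mitigations an EMET rule would have to force on because the build did not."""
    return [name for name, on in declared_mitigations(image).items() if not on]

def build_header(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    machine, opt_size = (0x8664, 240) if pe32plus else (0x14C, 224)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\0" * 68 + struct.pack("<H", dllchars)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    if len(sys.argv) > 1:  # inspect a real executable given on the command line
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "lacks:", needs_emet(f.read()))
    else:  # constructed samples: a legacy build and an SDL-style build
        print("legacy app lacks:", needs_emet(build_header(0x0000)))
        print("SDL-built app lacks:", needs_emet(build_header(0x0140)))
```

Run it against a bespoke or legacy executable to see which of DEP and ASLR it never opted into; that list is what a corresponding EMET rule would switch on from the outside.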

EMET allows an IT shop to force one or more security features on for a particular executable.  So let’s take an example of how it was intended to be used.  You have a bespoke order processing application, and you have some kind of internal testing methodology for verifying changes to that application.  So you take EMET and you use it to turn on one or more of the features.  Then you test to see if you’ve broken the app.  If you haven’t broken the app then you deploy an EMET rule to all your clients turning on the feature(s) for the order processing app.

The key here is that the IT department is responsible for testing and making sure the app is compatible with the selected security features.  And if the app is updated, the IT department is responsible for re-testing that the features don’t break it.  These are things beyond Microsoft’s control, and beyond what 99.99% of end-users are willing to deal with.  That’s why EMET is a toolkit and not simply an OS feature.

But if Microsoft is already mitigating its own software, and so are many ISVs, then isn’t EMET essentially only for bespoke apps?  Well, no.

Microsoft keeps expanding the set of mitigations available through EMET, with mitigations appearing in it before they are available through the OS and development tools.  Moreover, even if a new mitigation were available and used to protect “IE12” that wouldn’t help IE11.  So EMET can be used to add newer mitigation techniques to current, or older, software releases.

This is great for IT shops who can, and should, be using EMET to protect all software running on systems they are responsible for.  But what about the rest of us?

I propose that Microsoft create an EMET Lite that is distributed to users much as Microsoft Security Essentials and Windows Defender are today.  That is, either a free and recommended download or built into newer versions of the operating system.  The key differentiator between EMET and EMET Lite is that for the latter all of the rules would be generated by Microsoft and managed via Windows Update.  This places a burden on Microsoft, which is likely why they haven’t done it to date.  But for a company worried enough about security that they created EMET, and with evidence of the value of an EMET Lite such as the Pwn2Own results, Microsoft should take on this burden.

How much of a burden would Microsoft managing the EMET Lite rules actually be?  I don’t think it would be substantial.  Take as an example a default set of rules that come with the EMET 5 Technical Preview.  They turn on mitigations for “Microsoft Internet Explorer, WordPad, applications that are part of the Microsoft Office suite, Adobe Acrobat 8-11, Adobe Reader 8-11, and Oracle Java 6 and 7.”  So if you install EMET and accept the defaults you already have protected critical software using Microsoft supplied rules.  Now all they need to do is offer to update those rules as needed with Windows Update and you are rather close to my EMET Lite offering.

EMET Lite could be offered in a way that was almost totally transparent to end-users.  It could be distributed via Windows Update as a recommended download (and built into post-Update 1 versions of Windows 8.1 and later).  Once downloaded, Windows Update would maintain the rule-set.  Telemetry from application crashes, as well as Microsoft’s other feedback loops, would be used to fix broken rules.  The testing processes used for Anti-Malware signatures and Patch Tuesday updates could be applied to proposed rule changes.

Third parties could be encouraged to validate and supply rules for their own software that Microsoft would then ship, though this carries some complexity and risks.  It seems that Microsoft already has many cooperation frameworks which could be extended to cover this case.  If not, Microsoft might simply let third-parties install and maintain their own rules.

EMET Lite also offers Microsoft an additional way to deal with some zero-day issues while it, or an ISV, develops a patch.  It could ship a new rule, or create a “Fix It” solution that installs a new rule, turning on a mitigation even if that creates a compatibility problem pending a real fix.  The Fix It path is particularly attractive because it allows Microsoft Customer Support to help customers while engineering is still investigating a permanent solution.

The benefits of EMET Lite seem enormous, the downside minimal.  Microsoft would take on some extra costs and risk.  But those costs and risk seem pretty minimal compared to the benefit that EMET is demonstrating.  Now is the time for EMET to move from IT toolkit to mass market security tool via an EMET Lite.
