How To Really Scare Microsoft - PowerPoint PPT Presentation

Slides: 37
Provided by: marcus2
Learn more at: http://www.bblisa.org

Transcript and Presenter's Notes


1
How To Really Scare Microsoft
  • Marcus J. Ranum
  • CSO, Tenable Network Security, Inc.

2
AKA Make Bill Your Bitch
3
Who?
  • Early innovator in firewall market
  • Early innovator in VPN market
  • Early innovator in IDS market
  • Chief Security Officer, Tenable Network Security

4
What?
  • What is this talk about and why?
  • Computer technophiles appear to despise Microsoft
  • Many talk about replacing Microsoft
  • Many feel Microsoft is not a good custodian of
    the industry
  • Many feel Microsoft is a monopoly
  • We'll explore some of Microsoft's weaknesses and
    why they matter

5
The Big Picture
  • The industry in which we work has only been
    around a short while
  • We've already seen giants arise and vanish (Cray,
    Digital, Data General, Wang)
  • Don't expect Microsoft to last another 20 years
    in its current form and position, unless their
    customers really are stupid
  • My ideas are all stolen from Project Athena,
    Plan 9, VAX/VMS, etc.

6
Let's Get this Out Of the Way.
(cuz it's gonna hurt)
  • But what about LINUX!?!?!
  • An acceptable alternative to Windows primarily
    because it's free
  • Businesses have not made the wholesale shift to
    Linux that many were predicting in the mid 1990s
  • Why didn't it happen?

7
Why LINUX Does Not Rule
  • Short form: It's as bad as Windows
  • Long form: In an attempt to out-do or match Windows
    features, LINUX has become just as krufty,
    unmanageable, and pimped-out a piece of bloated
    shovelware as Windows (maybe worse!)

8
Linux V. Windows
  • Avoid Strength, Attack Weakness (Sun Tzu)
  • The current Linux strategy consists of attacking
    Microsoft where they are strongest (integration,
    features, 3rd party apps, single distro) while
    emphasizing areas where Linux is weakest (system
    administration, complexity, software distribution
    model)
  • That's exactly backwards

9
So.
  • Where is Windows weak?

10
Points of Technological Attack
  • System Administration
  • Cost / Feature
  • Data Lock-in

11
Points of Non-Technological Attack
  • Software sales concept

12
Windows Sys Administration
  • 2026AD: The Infocalypse

Every man, woman, and child on earth (over the
age of 6) will be a Windows system administrator

[Chart: "Systems under admin." and "Earth Population" plotted against "Time", with 2026AD marked]
13
Windows Systems Administration
  • System administration is the Achilles heel of
    all general-purpose operating systems
  • Since Windows has the largest market share, it
    takes the lion's share of the blame; however, the
    industry's trend towards appliance computing is
    a warning sign Microsoft cannot ignore

14
Windows Systems Administration
  • Unfortunately...
  • Microsoft is probably least well-positioned to
    address system administration because their
    platform has become so pervasively re-purposed
  • Premise 1: Any successful attack on Microsoft
    will flow from making inroads into systems
    administration

15
Cost/Feature
  • Microsoft has gotten away with monopolistic
    tricks by changing what is embedded in/included
    with the O/S and what is not
  • FAXing is in, then it's out, then it's a product
  • This allows Microsoft to pick and choose battles
    and confuse customers as to true costs of desktop
    computing

16
Cost/Feature
  • The simplest way to neutralize the cost/feature
    confusion is to make it extremely clear what
    costs what, and make the cost ridiculously low
  • I.e. $29.95 for all the word processor most
    people need
  • This is sort of what Open Source does by making
    everything free, but they forgot the system
    administration issue

17
Data Lock-in
  • This is the ace in Microsoft's sleeve
  • Make your file formats painful to convert from,
    and have enough users, and it becomes a
    significant deterrent to end-user platform
    mobility

18
Data Lock-in
  • How to address data lock-in
  • Wrong way: Try to be compatible with Microsoft
    file formats
  • Right way: Offer easy to use tools that automate
    conversion to non-proprietary formats and back

19
Software Sales Concept
  • The software sales model is Microsoft's soft
    underbelly
  • Continuing revenues are 100% vulnerable in a
    market in which software is sold, not rented
  • Downside of rental: increased customer mobility
  • Downside of sales: customers can decide to tread
    water for a couple years

20
How to Scare Microsoft 1 (and look like a
business visionary while you're doing it)
  • Tread Water and Microsoft dies
  • "Thank you, Bill. We have all the software we
    need right now. We'll buy some more in a few
    years when we need more."
  • Premise: most businesses probably own enough
    software to freeze additional purchase and
    maintenance for a year or 2
  • Use old versions
  • Recycle and save huge

21
Software Sales Concept
  • Corollary
  • The application service provider boom went bust
    because of how software was licensed to prevent
    its being multiplexed
  • Software industry is already reacting, albeit in
    sneaky ways
  • Can you say "automatic patching"? Hackers
    are unwitting patsies playing into the hands of
    Redmond and others

22
OK
  • Enough of the high-level stuff
  • ...Imagine you agree with me about some of these
    things and let's talk about how to really scare
    Microsoft
  • (caveat: I didn't say it'd be easy)

23
Assumptions
  • Make a broad push across the board
  • Make simplicity a virtue and take advantage of it
  • Turn the software sales model on its head
  • Take advantage of things we've learned in the
    last 20 years of networked computing
  • Steal ideas from old research and synthesize and
    update them
  • Co-opt Open Source ideology

24
Main Lines of Attack
  • System administration
  • Cost / seat
  • Performance
  • Reliability
  • Mobility / Ubiquity
  • Security wouldn't hurt either (but let's be
    realistic: customers don't care)

25
Step 1: Data Environment
  • Use HTML/XML for everything
  • Core tools:
  • Spreadsheet
  • Browser
  • Image editor
  • File Manager
  • HTML document editor
  • IMAP client
  • Presentation Viewer
  • Messaging

26
Step 2: Operating System
  • Operating systems today are probably 50%
    virtualization kruft intended to make them able
    to use any of 102,392 different network cards or
    82,882 different display adapters
  • This is stupid
  • Consider appliance computing/palm computing, etc,
    as repudiations of hardware portability as a
    concept!

27
Operating System / cont
  • The UNIX guys had it right: make everything a
    file
  • Extend it a bit:
  • Assume everything is a file
  • Make everything PGP signed/encrypted
  • Assume that everything can exist in one or more
    places
  • Flag a file as "cache consistency needed" or not

28
Operating System / cont
  • File service is now software distribution
  • Executables are read-only (duh! What's wrong with
    people at Microsoft - writeable executables is
    retarded!)
  • Before you begin to execute, contact server and
    offer up SHA-1, filename, system time
  • Server might offer up a newer file (implicit
    software update) or allow you to operate on the
    cached version
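
The pre-execution check on this slide, sketched as an added example (not code from the presentation): the client offers digest, filename and system time, and the server either lets the cached copy run or hands back the current file. `Server`, `prepare_exec` and `install_read_only` are hypothetical names, SHA-256 stands in for the slide's SHA-1 because SHA-1 collisions are now practical, and the PGP signature check the slides call for is left out.

```python
import hashlib
import os
import tempfile
import time

def digest(data):
    return hashlib.sha256(data).hexdigest()

class Server:
    """Hypothetical file server holding the current release of each executable."""
    def __init__(self, releases):
        self.releases = releases  # filename -> current bytes (constructed data)

    def check(self, offer):
        current = self.releases.get(offer["filename"])
        if current is None:
            return {"action": "deny"}
        if offer["sha256"] == digest(current):
            return {"action": "run_cached"}
        # Stale, missing or modified cache: offer the current file (implicit update).
        return {"action": "replace", "sha256": digest(current), "data": current}

def install_read_only(path, data):
    # Write beside the target, drop write permission, then swap in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, 0o555)
    os.replace(tmp, path)

def prepare_exec(path, server, now=None):
    """Run the pre-execution check; return (action, bytes that may be executed)."""
    cached = None
    if os.path.exists(path):
        with open(path, "rb") as f:
            cached = f.read()
    # The three fields the slide lists: hash, filename, system time.
    offer = {"filename": os.path.basename(path),
             "sha256": digest(cached) if cached is not None else None,
             "time": int(time.time() if now is None else now)}
    reply = server.check(offer)
    if reply["action"] == "run_cached":
        return "run_cached", cached
    if reply["action"] == "replace":
        if digest(reply["data"]) != reply["sha256"]:
            raise ValueError("update does not match the digest the server announced")
        install_read_only(path, reply["data"])
        return "replaced", reply["data"]
    raise PermissionError("server has no release named " + offer["filename"])
```

A locally modified executable takes the same path as an outdated one: its digest no longer matches, so the server's copy replaces it before anything runs.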

29
Operating System / cont
  • Allow users to set migration/replication policy
    on file (pick some sensible defaults)
  • Store multiple copies in multiple locations:
    implicit backup
  • Store versions on server: implicit versioning
  • Users can pay for different options (retention,
    space, versions, etc) on servers

30
Operating System / cont
  • Sharing is now a matter of key ring management
  • Marcus wants to give Adam access to a file, adds
    him to the read-recipients list and re-signs the
    file's control block
  • Details: generate new key, local hash, send to
    server, let server re-encrypt - or for the
    paranoid, encrypt it locally and let it migrate up
  • Now Adam can pull the file from anyplace it's
    stored and decrypt it
  • Marcus doesn't actually have to move much data
    (but he can if he wants to be a paranoid)

31
Operating System / cont
  • Mobile access is now a matter of taking your
    keyring to someone else's machine
  • Local cache stored in (original) encrypted format
  • No-cache pragma attached to file would be another
    option
  • When you put your keyring in someone's machine
    you unlock your files
  • Local desktops are basically disk cache,
    execution, U/I, and compute engines - Plan 9
    style rather than X-windows style

32
Step 3: Platform
  • Playstation2
  • DVD boot
  • USB keyboard interface
  • Audio / Video
  • Firewire
  • Ethernet
  • IDE interface
  • What else do you need? By coding to the metal you
    can leave out all the device independent kruft

33
Step 4: Business Model
  • Go to IBM and offer to partner with them on a
    business desktop that costs $100/seat with $0
    systems admin cost
  • Server side is where the money will be
  • Software
  • Storage
  • Services (Email, etc)

Email, of course, is just another directory of
files...
34
Step 5: Software Model
  • Software now becomes an executable that you
    subscribe to for a time
  • Run it as long as you're paying for it
  • You're always running the latest release so you
    get features/whatever and the industry breaks out
    of the 6-month buggy bloat-bug-release cycle
  • Since file formats are standard, data is portable:
    increased competition for apps

35
anyhow...
  • By now I ought to be running out of time
  • I didn't want to get into an exhaustive design
    discussion
  • Yes, there are lots of details
  • The point is:
  • We can re-invent large systems usability
  • We are using 1970s software architectures in the
    21st century - and so is Microsoft

36
Summary
  • I believe Microsoft is shockingly vulnerable to
    changes in how software is sold
  • They appear to know this: if you watch what
    they're doing, they are trying to minimize the
    potential damage
  • Feel free to give them a good hard shove off the
    cliff if you want to...