Posts filed under Windows

Linux: Rumors of Its Demise are Greatly Exaggerated

Filed in: Linux | Tags: Windows

Scott Spoonauer of LaptopMag seems to be spending quite a bit of time trying to insinuate that Linux has missed its opportunity for widespread adoption. For example:

  • Spoonauer claims that the window of opportunity for Linux (as a desktop client) has closed, maybe for good. He gives some examples of the closing window of opportunity, such as BestBuy opting for the WinXP version of the EeePC instead of the Linux version, Wal-Mart "pulling" Linux PCs from store shelves and opting for internet-only sales, and Dell thus far being the only "major" PC vendor to offer pre-installed Linux.
  • After getting slammed in the comments to his previous blog post, Spoonauer then goes about trying to defend his premise regarding the window of opportunity closing, while conceding that he may have been premature in proclaiming a "death knell" for desktop Linux.
  • Spoonauer then attempts to portray some objectivity by interviewing some analysts who essentially say, "not so fast." Their conclusions are that the BestBuy decision has no real bearing on the future opportunity of Linux, and that Microsoft is making concessions with respect to licensing in order to fend off a legitimate threat from Linux.
  • But then Spoonauer goes right back to his premise, interviewing yet another expert in an attempt to discount EeePC Linux sales. Here, the premise is basically that while the Linux EeePC has sold over one million units worldwide, it has only sold about 100,000 in the US, which the expert claims have all gone to existing Linux geeks.

Others are picking up on the meme, and refuting it. See Linux Watch and Linux Solutions. Let's do the same, shall we?

As I have already pointed out, Microsoft's dual actions in extending the end-of-life for Windows XP and in offering pennies-on-the-dollar licensing for ULCPCs are a de facto concession of the threat of Linux. These actions are a stop-gap gambit to avoid loss of market share, and are neither sustainable nor viable, long-term.

OEM licensing (presumably, Windows and Office) accounts for 95% of Microsoft's revenues. Thus, Microsoft finds itself in a no-win situation in the ULCPC market: either concede the market to Linux, and thus generate no revenue due to no OEM licensing, or else give away OEM licenses (essentially for free) and thus generate no revenue from the OEM licenses they do procure.

The Linux business model is entirely different. With a few rare exceptions (SLED, Xandros, etc.), Linux distributions do not make money by selling OEM or end-user licenses for use of their OS; rather, the Linux business model is to give away the software and then make money by selling support contracts.

So, extrapolating the current environment several years: Microsoft continues to generate no revenues by giving away OEM licenses and offering support for an otherwise end-of-life operating system, while the Linux revenue stream is entirely unaffected. Linux is positioned to win any protracted desktop market share battle of attrition.

The second fatal flaw in Spoonauer's argument is the inherent assumption that US market share will continue to dictate the adoption rate for desktop Linux. While this assumption may hold true today, it is quickly being invalidated.

While Microsoft has entrenched itself in the various sales channels in the US (retail outlets, vendor online sales, etc.), it is quickly losing its grip outside of the US, due to increasing open source (and, in some cases, anti-Microsoft) trends, especially in Europe and Asia - not to mention the growing computer-user market in third-world countries.

Government agencies, educational institutions, and others are moving desktop installations wholesale from Windows to Linux, by the thousands and tens of thousands. Each one of these desktop Linux installations directly impacts Microsoft's bottom line.

In short, the jury may still be out regarding the ability of Linux eventually to realize its full potential - and market share - but if Windows remains the only viable threat to Linux desktop market share, then the Linux window of opportunity will remain open in perpetuity. Microsoft's business model will ensure it.

Microsoft Concedes Linux Threat

Filed in: Linux | Tags: Computers, Geekery, Windows

Consider two recent bits of news from Microsoft:

  1. Microsoft extends life of Windows XP for Ultra-Low-Cost PCs
  2. Microsoft Vista successor Windows 7 rumored to be released in 2009

What do these mean? Two things: Microsoft recognizes that Vista has not been well-received in the market, and Microsoft recognizes an emerging threat from Linux.

Consider the various markets for computers: enterprise (corporate) systems, high-end (gaming, graphic design, etc.) systems, standard consumer systems, and ultra-low-cost PC (ULCPC) systems. Other niche markets exist as well.

Even more than a year after its release, Vista has not been well-received in any of these markets. By all accounts, the corporate adoption rate has been dismal. Due to hardware/software compatibility issues, users of high-end systems likewise have stuck with Windows XP. ULCPCs do not meet the system requirements for Vista. The other niche markets include MacOS and Linux users who don't use any version of a Microsoft operating system.

This scenario leaves the standard consumer system market as the only viable growth option for Vista. This market includes the pre-configured computers purchased through retail outlets or manufacturers' direct-sale web sites. The vast majority of the more than one hundred million Vista license sales that Microsoft claims come from this market. However, consumer backlash against pre-installed Vista has led to a resurgence of sorts in sales of Windows XP installation media. Windows Vista has trailed Windows XP in these so-called boxed-copy sales from the week Vista was released - and many of those XP copies are being installed over pre-installed Vista.

Microsoft's business model for Windows depends upon the operating system becoming a commodity - that is, for the average computer user, Windows equals computer use, and computer use means Windows.

In this model, corporations standardize on Windows, and follow the upgrade path defined by Microsoft: when Microsoft releases a new OS, corporations dutifully upgrade their systems all at once. In the consumer market, the business model assumes first that users will view the operating system as an unchangeable part of the computer, and second, that those users will replace their systems every 2-3 years, by purchasing another pre-configured computer at retail.

Similar to Microsoft's Office business model, in which Microsoft ensured product lock-in by creating an environment in which their proprietary document format was used by 99% of productivity suite users, Microsoft's Windows business model ensured product lock-in by creating dependency on Windows-only third-party applications and by creating an environment in which consumers could only purchase PCs with Windows pre-installed.

Previous threats to this business model have been relegated to servers, high-end systems, and certain niche markets: Linux is incredibly popular in the server market, MacOS owns the market of those for whom their computer is a fashion statement or status symbol, the computer-geek market often favors GNU/Linux, etc.

However, the emergence of the nascent ULCPC market poses a serious threat to Microsoft's Windows business model. ULCPCs appeal to lower-income PC owners in the US and Europe (the largest PC markets), but are also being targeted at impoverished and third-world communities - especially as an educational tool for children in those communities (see: OLPC and similar projects). These ULCPCs open up a market segment that could, theoretically, dwarf either the corporate or consumer market segments; not to mention, the ULCPC would have an impact on at least the consumer market segment, given its attractive price.

This emerging market would not threaten Microsoft's business model, were it not that almost all such PCs currently come pre-installed not with a Microsoft operating system, but rather with GNU/Linux. These PCs favor Linux for two reasons:

  1. Hardware capability: ULCPCs, due to their hardware specs, are better-suited to running Linux. In almost all cases, they cannot run Vista at all. In most cases, though many are capable of running XP, they perform better under Linux.
  2. Cost: Linux distributions are almost all free; Windows requires licensing - a cost which directly impacts the bottom-line cost for the consumer, and which runs counter to a product positioned as "very low cost."

Thus, the ULCPC market segment poses a serious threat to Microsoft's market share. This short-term threat, if realized, would have long-term impact on Microsoft's Windows business model.

Should Linux-based ULCPCs become the norm, then what is potentially the largest market segment would be brought up in an environment in which Microsoft Windows is not equivalent to computer use. If the ULCPC brings the computer to those segments of the world population that could not otherwise afford a computer, then this entire population would be brought up in this non-Microsoft Windows environment.

Currently, one of the most popular ULCPCs is the EeePC, sold by Asus. This computer has proven to be popular: sales are expected to be around four million units for 2008 - and while Asus now makes a Windows XP model, the EeePC originally only came pre-installed with Linux. Granted, Asus expects the XP model to take up about 60% of expected 2008 sales, but that still leaves 40% - or nearly two million units - of those sales for Linux-based units.

Microsoft has conceded that increasing Linux pre-installation poses a threat to its Windows market share, due primarily to the ULCPC market. (Linux pre-installation in the consumer market segment, while not insignificant, still remains a niche. It may yet pose a threat to Microsoft's dominant market share, but that outcome will take significant time.) Note that, in order to break into the ULCPC market, Microsoft had to make two important concessions: Microsoft first had to offer discount XP licenses to ULCPC manufacturers, and then had to extend the end-of-life date for XP at least another year.

Microsoft has found itself caught in an untenable situation: take reduced profits (due to licensing discounts) on OEM sales of a product the company wants to end-of-life (Windows XP), in order to prevent a potential hemorrhage of market share, meanwhile trying to cut losses on the product into which the company has most heavily invested in the past seven years, but which has been mostly rejected by the market (Windows Vista) - all while being forced to put all long-term hope in a product the company must now rush to get out the door early in order to stem the tide (Windows 7).

Microsoft is facing a complete upheaval of its operating-system business model. Could this scenario be the reason that Microsoft is all of a sudden so interested in buying Yahoo?

Linux Survives PWN 2 OWN Contest; Mac, Vista Fall – and What It Means For You

Filed in: Linux | Tags: Computers, Geekery, Windows

Head-to-head-to-head, Vista vs. MacOS vs. GNU/Linux in the PWN 2 OWN contest at CanSecWest 2008:

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it...

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):

  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

...Once you extract your claim ticket file from a laptop (note that doing so will involve executing code on the box, simple directory traversal style bugs are inadequate), you get to keep it.

The contest took place over three days, the challenge - and the cash prize - diminishing each day:

Day 1: March 26th: Remote pre-auth

All laptops will be open only for Remotely exploitable Pre-Auth vulnerabilities which require no user interaction. First one to pwn it, receives the laptop and a $20,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 2: March 27th: Default client-side apps

The attack surface increases to also include any default installed client-side applications which can be exploited by following a link through email, vendor supplied IM client or visiting a malicious website. First one to pwn it receives the laptop and a $10,000 cash prize.

The pwned machine(s) will be taken out of the contest at that time.

Day 3: March 28th: Third Party apps

Assuming the laptops are still standing, we will finally add some popular 3rd party client applications to the scope. That list will be made available at CanSecWest, and will be also posted here on the blog. First to pwn it receives the laptop and a $5,000 cash prize.

All three laptops survived the first day, as none of the contestants attempted any hacks.

However, day two brought the first successful attack: the MacBook Air was compromised in a matter of minutes. The attack vector was the Safari web browser. The contestant instructed the MacBook Air user to navigate to a specially designed web page using Safari. The attack reportedly took less than two minutes:

Charlie Miller, who was the first security researcher to remotely exploit the iPhone, felled the Mac by tapping a security bug in Safari. The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.

And finally, day three saw the second successful attack, as the Vista laptop was compromised. This time, the attack exploited a reportedly cross-platform vulnerability in Java:

"The flaw is in something else, but the inherent nature of Java allowed us to get around the protections that Microsoft had in place," he said in an interview shortly after he claimed his prize Friday. "This could affect Linux or Mac OS X."

That means that in the end, only the GNU/Linux laptop (running Ubuntu) was left standing.

What is the moral of the story here? Well, in my opinion, there are two:

  1. Don't believe the Apple/Mac hype from Steve Jobs or his army of Apple fanboys. According to the two winning contestants, the Mac was the easiest of the three targets. Those who claim that Apple is inherently more secure have been proven to be making a baseless claim.
  2. More importantly, remember that the single, weakest link in security is the user (this means you). The successful attacks were accomplished by exploiting vulnerabilities not in the OSes themselves, but in standard-install and popular third-party apps (web browser, Java). A security-ignorant user can have his Mac box compromised, just as a security-aware user can safely use his Windows box.

So, as a user, what can you do to protect yourself? Many things - and these apply regardless of which Operating System you choose:

  1. Always operate behind a hardware firewall. Even if you only have one computer using your broadband internet connection, set it up behind a router. These devices are cheap (less than $100 for a wi-fi router, and $50 or less for an ethernet-only router), and provide the lion's share of protection you need for your computer.
  2. Never run as root (administrator). All operating systems have the ability to set up and use accounts with non-admin privileges. Linux and MacOS do so by default. Windows notoriously hasn't in the past, but one of the best changes in Vista - annoying though it may be - is the User Account Control, allowing a user to operate without admin rights, until explicitly elevated. If you are still using WinXP (or older), set up an account with admin privileges, but also an account without admin privileges. Use the non-admin account on a regular basis.
  3. Stay away from the internet's red-light district. While it is true that any web site can be hacked, most internet-based exploits are found on adult web sites, warez (software-pirating) web sites, and other "black-hat" (malicious computer hacking) web sites. Avoid them, and you will limit your exposure.
  4. Never, ever, open unsolicited email attachments. Surprisingly, email remains a viable attack vector, even though this basic rule has been preached for over a decade. If you receive an email attachment you didn't request or weren't otherwise expecting, do not open it. Period.
  5. Use web scripts judiciously. Use ActiveX even more suspiciously. Most browser-based attacks take advantage of JavaScript (cross-platform), the Java Runtime Environment (JRE, also cross-platform), or ActiveX (IE-, and thus, Windows-only). If you use Firefox, use the NoScript plugin. If you use Internet Explorer, set ActiveX controls to require explicit authorization.
  6. Keep your third-party apps to a minimum. If you must use them, keep them updated. Another common attack vector is vulnerabilities discovered in third-party apps (e.g. QuickTime, Adobe Flash, Skype, etc.). If you don't need them, don't use them. Don't have them running by default. If you must have them, ensure that their browser plugins are configured not to launch/run automatically.

There is, as always, more (avoiding phishing, etc.); but the above list should provide the bulk of protection. Learn to modify your computer-use behavior, bearing in mind that you cannot place ultimate trust in your operating system to protect you.

Windows Vista DRM

Filed in: Social Issues | Tags: Computers, DRM, Geekery, Technology, Windows

Leo Laporte and Steve Gibson have been having an interesting discussion about Windows Vista Digital Rights Management (DRM) in Episodes 73, 74, and 75 of their weekly SecurityNow podcast, including a conversation with Peter Gutmann, who wrote a white paper called "A Cost Analysis of Windows Vista Content Protection".

Today I noticed a GRC newsgroup post referencing a Slashdot post discussing a Windows Vista Blog post discussing Gutmann's paper.

If you are considering an upgrade to Windows Vista, and are not familiar with what Microsoft is doing with respect to DRM in the new O/S, you probably want to take a look.