Wednesday, June 28, 2006

LINK: The forthcoming Windows "kill switch"

On Sunday, I wrote the speculation that Microsoft is moving in the direction of being able to use WGA to turn off Windows. Today, this was posted by Ed Bott on ZDNet.

» Is Microsoft about to release a Windows "kill switch"?

Read it. Then make plans to migrate to Linux. You may not need them once the user reaction catches up to the press, but you'd better have them just in case.

Sunday, June 25, 2006

Five Steps to Empowerment

A friend was recently going on a trip, and commented to me that he'd like to take along a particular book, but it was too bulky. However, he's got a Palm device, so I offered to scan the book, convert it to a Palm eBook, and then he could take it in his pocket. He looked at me and said, "You can do that?"

Well, yes, you can. You can do it for the same reason that you're allowed to tape a television show here in the US... because the Supreme Court has decided that format-shifting is fair use of the content that you've purchased. After all, you bought the right to read the book... and what is "a book"? It's nothing more than the content. A codex of paper leaves is just one way of distributing it. If I've purchased a book, I should be able to apply the same terms: that is, I should be able to shift its format to my computer so it can be read to me with text-to-speech, or to my Palm device for portability. If I buy a DVD I should be allowed to shift its format from the disk to a file server so, for instance, my movies are instantly accessible from an ISO library on my hard drive without the need for expensive disk-changing hardware. (And yes... you can do that.)

But there's another point that struck me about the question, "you can do that?"... it's the surprise that most users express that you can, in practice, create your own content for your computer. The question actually shook me a little bit, because I'm so used to creating my own content that it surprises me when I see the shackles that tie others down.

In every case the answer to "You can do that?" should be, "Yes," or at the very least, "I don't see why not." Why should I be limited to what it is I can buy off of a Wal-Mart shelf? Why should I be limited to what Microsoft is willing to provide me? Why should you?

I can't think of a single valid reason why you should. Look, it's your data. You should be able to use it as you see fit for whatever purpose you feel appropriate. And if you feel the same way, you need to take steps to keep your data accessible. And that means choosing vendor-neutral formats so your choice of tools is greatly expanded.

Let's look at a couple of trends to help clarify why this is an important topic... first, the right hand. Microsoft has recently announced a programme under which they'll sell time on pay-as-you-go computers. I've blogged about it here, but basically, it allows you to get a computer at little to no up-front cost, and purchase time on it as you would for a cell phone. One of the features of this programme is that it allows Microsoft to deny you access to your computer, and therefore your data, unless the payment is made.

Now look at what the left hand is doing with regards to the Windows Genuine Advantage (WGA) program and the associated notification nag screen. Though Microsoft says the notification program isn't spyware because you agreed to install it as part of Windows Update, it passes every definition of spyware there is. Microsoft fails to concede that most people who did install it did so because Microsoft lied by saying it was a critical update (which it most assuredly isn't). The notification pops up when the WGA program decides your copy of Windows is pirated, and it nags you to contact Microsoft, where of course your purse will be lightened. The program doesn't work very well, though. For instance, if a vendor's repair center restores your PC from a standard disk image (and this is industry-standard practice), then WGA will quite likely flag you as a pirate. Argggh. This is even if it was Microsoft's buggy software that landed your PC in the shop in the first place. So you spend top-dollar for a system that crashes, and you may even have to pay for the repair, only to be shaken down yet again when Microsoft denounces you as a software pirate. And they provide further punishment by denying you access to software updates until the situation they created is resolved.

But that's not all. Like the spyware it is, the WGA notification program 'phones home' to Microsoft every day (or it did... they're changing that to every two weeks). We all know that once you've been verified as being legitimate even once, there's no further need for it at all. So what's going on here? Microsoft says it's so they can disable the WGA notification remotely if it proves to be buggy, but that doesn't add up. They could do that by putting a fix in the next update, or by providing a link to a secure fix, or by using the already existing Remote Desktop Assistance tools... but they didn't.

Now put the left and right hands together and you have a company that has a publicly acknowledged pilot programme to create pay-per-use computers that can in fact deny access to the system as a whole; and which has now combined a WGA program that does in fact deny access to Windows Update with a surreptitiously tested WGA notification program that not only tells YOU you're a pirate, but actively phones home to Microsoft whenever you use your PC, pirate or not.

No wonder people are collecting ways to disable WGA notification. The concerns here are not paranoid. They are the reasoned outcome of coldly and logically analyzing industry trends. The end result of that analysis is that there is a reasonable expectation that -- unchecked -- this trend will continue, and you will soon be at risk of losing access to some or all of your data. If you want to guarantee continued unrestricted access to your own data in the future, you should take proactive steps to do so now.

(Note that I'm not saying that Microsoft is conspiring to shut down your access. I'm saying that there are demonstrated trends in that direction, indicating a sizable risk to your data. A risk is not a certainty, and a trend is not proof of malicious intent. But, whatever the intent, the trend and the risk are real. Furthermore, as 'gloom and doom' as the above paragraph sounds, the overall prognostication is really rosy. As you're about to read, it's easy to eliminate your risks entirely.)

So what steps can you take?

1. Know what you have and what it can do. I worked for one client that chose an on-line document management system. This was a huge mistake, as they already had 100% of the capability in-house, and what they had even satisfied their requirement for a web-based system. Why would they contractually bind themselves to a huge unnecessary recurring expense? Because the people making the decision weren't aware of the duplication of effort and didn't take the time to find out what they had. And it wasn't just a waste of money... read on.

2. Avoid dependence on on-line storage. This is what I call "putting your eggs in somebody else's basket." The danger here is that if they decide to walk away, they've got your eggs. The client I mentioned chose to share documentation using Documentum eRoom. The thing is, they had all -- and I mean ALL -- of the functionality already as part of their existing Lotus Domino and Notes software. In addition, Domino has the superior data retrieval capabilities. The biggest difference was in the location of the data. Using Domino the company's sensitive project data would be kept in-house in the company's existing servers. With eRoom, the data are kept on somebody else's server... and the vendor has the ability, if not the contractual right, to deny you access. This risk must be factored in to the minimal on-going costs of running a Domino document server (the real costs of which are minuscule. I know... I run my own). Off-site on-line storage is useful for many things -- publication, backups -- but do not ever become dependent on it as your primary repository. All documents should be locally as well as remotely archived; those archives should include all metadata as well as raw files; and those archives should be accessible without any proprietary impediments.

3. Avoid subscription software licenses in favor of traditional perpetual licenses. Yes, subscription licensing (and 'utility computing') are all the rage. It's also an extremely bad idea, even when compared to proprietary formats. For example, I use IBM Lotus Domino/Notes as an example of a better choice in #2. This is because Domino is sold under a perpetual license. IBM will not be knocking on your Accounts Payable department door every month. As a prime example, look at what happened with Microsoft Select licensing. This volume licensing scheme was pushed onto corporate users with the promise of lowered licensing costs and included upgrades... except that the actual costs were higher, and the upgrade never came. Companies that bought into Microsoft Select when XP was released fully expected a 'free' upgrade to Longhorn. Well, Longhorn is now Vista, and the commercial shipping date for Vista has now been pushed out past the expiration of those Select licenses. Even if Microsoft delivers a stripped-down 'corporate' version of the software by the drop-dead date in November of this year, corporate users are practically guaranteed a substandard offering. Face it... if it's not suitable for public release, why should you implement it in your organization? Microsoft Select was a bad business choice for the subscribers. Once bitten, twice shy.

4. Prefer open document formats. Microsoft Office is very popular, yes. But we're not discussing popular choices here... we're discussing correct choices. And this means that, even if you use MS Office, your better choice for storing your data is the OpenDocument format (ODF) that was recently ratified as the ISO/IEC 26300 standard. The OpenOffice.org team is making available a free plug-in that will allow you to read and save the ODF standard with Microsoft Office. That way, not only is your document portable to other agencies and users, it's also portable to other platforms. Similarly, use open document formats for other types of documents. These include PNG and MNG format for graphics.

5. Prefer Open Source licenses over proprietary licenses. When I develop software for clients, I do so whenever possible under an Open Source license. Why? Because it makes no sense for me to hang a noose around my customers' necks. With an Open Source license they are free to go elsewhere if our relationship sours. And if there's any customization to be done -- whatsoever -- you want ownership of the result. I've seen far too many cases where a program is customized beyond its ability to be updated by the vendor, yet the vendor demands some fee for maintenance of a system that isn't reasonably the same as what they're currently peddling or supporting. So Open Source licensing is great for the customer. But it benefits me as a custom vendor because I'm frankly tired of writing the same software over and over again due to contractual restraints. If a piece of code is appropriate to another use, with an Open Source license I'm able to reuse it, thus saving my customers a lot of development dollars.

As you've seen, we are strong supporters of Free and Open Source software (FOSS) here at Cratchit.org. We're pragmatic about it, and as a result we use both Linux and Windows, and we use and produce FOSS for our customers and ourselves. The five steps listed above are appropriate to whatever operating system you use. Microsoft is getting the bulk of the abuse simply because they own the bulk of the market. But while we're at it, I'm going to add a bonus sixth step:

6. Consider the move to Linux. Almost all of the popular preconceptions about Linux are wrong. In fact, Linux is a thoroughly modern system with a thoroughly modern user interface. It's easy to use, and for most corporate users it's easier to use than Windows. I don't say that lightly: not only do I use Linux professionally, but I have twin 10-year-olds that use it daily for home and school, and who prefer it over Windows on their dual-boot machine. A primary business benefit of Linux is cost, and Linux is less costly to acquire and own than Windows. Microsoft has a fixation with TCO. They claim that Windows is cheaper to own in the long run due to the cost of maintenance, etc. They're wrong, and argue from flawed premises, but you can hardly expect them to do otherwise. It's one of only two saleable arguments that they have.

The second argument is that there are more programs available for Windows. The flaw here is that, for a company, you should not choose a platform for the number of programs it can run. Rather, you choose a platform based on whether it performs the tasks you need it to do. After all, you don't choose your highway based on the brands of cars it allows, do you? No, you choose it because it runs from point A to point B. If you've followed the previous five steps and freed your data, then you're not concerned about whether you can run Microsoft Office when OpenOffice.org or StarOffice or KOffice or IBM Workplace might fit the bill for you.

Remember:
  • Freeing yourself and your company is the goal.
  • Freeing your data is the means.
  • And opening your choices to newer and less expensive software alternatives is a fortuitous side-effect.
Start today by downloading our list of recommended software alternatives. Download the software from the source, or you can get a disk image from Cratchit.org.
And for some fun, check out my personal blog.

Tuesday, June 13, 2006

SiteAdvisor

SiteAdvisor is one of my picks for Best security service on the Web. Obviously, McAfee feels the same... they've recently bought and branded the service. However, it could be even better. The logical extension of the service is to provide a security gateway for home use and enterprises that blocks access to sites SiteAdvisor has flagged as Red (or Red and Yellow).

I've passed the idea on to the folks at SiteAdvisor. Let's see what happens.

Friday, June 02, 2006

The "OpenOffice Virus" Isn't a Virus... It's Hype

ZDNet reports the following today: Stardust virus lands on OpenOffice | Tech News on ZDNet. Except that, the "virus" isn't a virus at all... more like, it's a slow news day at Ziff-Davis.

First the claim:
The virus, dubbed Stardust, is capable of infecting OpenOffice and StarOffice, which is sold by Sun Microsystems, a Kaspersky Lab researcher wrote on the Russian company's Viruslist Web site on Tuesday.

"Stardust is a macro virus written for StarOffice, the first one I've seen," the researcher wrote. "Macro viruses usually infect MS Office applications."

Now, the facts. First, Stardust isn't a virus. Viruses are defined by the fact that they can replicate themselves. This is simply a Star Basic macro that downloads an image and opens it in a new document.

Second, OpenOffice's default security behavior is to alert the user to the presence of any macros, and ask permission to run them. Stardust is no different. You open the document, are alerted that there's a macro there, and OpenOffice.org asks for permission to run it. This is worlds away from the covert behavior of viruses on less secure competing office suites.

Again, this isn't a virus, it's some Kaspersky blogger making a name for himself by applying "scare words" to normal behavior. If you think you've got an actual security problem with OpenOffice.org, you can report it at www.openoffice.org/security/.
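The macro check that OpenOffice.org performs on open can also be done offline, before a document is ever opened: an OpenDocument file is a ZIP package, and OpenOffice.org keeps Star Basic modules under `Basic/` and other script languages under `Scripts/`. The following is an added example, not code from the original post or from OpenOffice.org; the function names and the in-memory sample documents are constructed for illustration.

```python
import io
import zipfile

# Package folders where OpenOffice.org stores script code inside a document:
# "Basic/" holds Star Basic libraries, "Scripts/" holds other script languages.
MACRO_PREFIXES = ("Basic/", "Scripts/")
# Library index files can exist without any module, so they are not reported.
INDEX_FILES = {"script-lc.xml", "script-lb.xml"}


def find_macros(doc):
    """Return the sorted package entries that hold macro code.

    `doc` is a path or a binary file object for an ODF document (.odt, .ods, ...).
    Raises zipfile.BadZipFile if the input is not a ZIP package at all.
    """
    with zipfile.ZipFile(doc) as pkg:
        return sorted(
            name for name in pkg.namelist()
            if name.startswith(MACRO_PREFIXES)
            and not name.endswith("/")
            and name.rsplit("/", 1)[-1] not in INDEX_FILES
        )


def build_sample(with_macro):
    """Constructed sample: a minimal ODF-like package built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        pkg.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            # Constructed, harmless module body (a comment only).
            pkg.writestr("Basic/script-lc.xml", "<!-- library container index -->")
            pkg.writestr("Basic/Standard/script-lb.xml", "<!-- library index -->")
            pkg.writestr("Basic/Standard/Module1.xml", "<!-- REM placeholder -->")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, flag in (("plain document", False), ("document with macro", True)):
        hits = find_macros(build_sample(flag))
        print(f"{label}: {hits if hits else 'no macro modules found'}")
```

A non-empty result means the document carries script code and should get the same scrutiny as the permission prompt: read the listed module before allowing it to run.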