Schneier on Security
A blog covering security and security technology.
April 28, 2006
Microsoft and Internet Explorer
John Dvorak makes an interesting argument that Internet Explorer was Microsoft's greatest mistake ever. Certainly its decision to tightly integrate IE with the operating system -- done as an anti-competitive maneuver against Netscape during the Browser Wars -- has resulted in some enormous security problems that Microsoft has still not recovered from. Not even with the introduction of IE7.
Posted on April 28, 2006 at 12:29 PM
• 66 Comments
It's a rather narrow viewed article, though. It claims, for example, that the "income" side of the equation is zero, which is plainly wrong.
Then again those "billions" he puts on the "losses" side are, mostly, paid for by Microsoft's income from the OS business. According to the Microsoft thinking of 1998, however, the OS business would be dead by now if it weren't for their killing of Netscape. It therefore follows that, not only was IE integration into the OS profitable for MS, it has only now begun to not be.
Now, had any of the anti-trust courts achieved anything, that may not have still been the case....
Dvorak is full of it, bigtime. By any economic measure (his arguments), IE was a grand success. It killed the web as a competing client, it helped kill netscape, it made Microsoft the #3 player in the Internet search and portal world, etc...
The security aspects are another story entirely, although I think a less integrated IE would still be as insecure: it's the focus on active content and complexity, not the OS tie-in, that is so devastating.
What money has IE brought in for Microsoft? Microsoft never charged for it, and it isn't apparent to me that it allowed Microsoft to do anything. Windows users would still have had web browsers, only not paid for by Microsoft. Microsoft may have made money on other web business, but they would have done that even if they did not provide the browser. Companies like Google, Yahoo, and eBay can make money without having to publish their own browsers.
As far as the losses go, losses are losses even if they are made up for by another product. Dvorak's point is not that Microsoft lost money overall because of IE, but that they made less money overall.
His major point, however, is that Microsoft's thinking in 1998 was wrong. Microsoft did not have to get into the browser business in order to keep Windows alive. More and more applications are web-based these days, and almost all the users run Microsoft Windows. They may run Firefox or Opera or some other browser, but that's irrelevant to Microsoft's market position. We are seeing some of the 1998 predictions becoming true, but it isn't hurting Microsoft one bit.
I have to agree with Dvorak on this. Internet Explorer by itself never made money for Microsoft, and it was and is irrelevant to the success of Windows. On the other hand, Microsoft has been spending money on it, and it has been causing Microsoft headaches for a long time now. I haven't been counting, but many of the "must-install" security updates involve IE. Remove IE from Windows, and Microsoft software looks more stable and more attractive.
I have to agree that Dvorak is wrong. It is true that Microsoft's decision to wreck the modularity of their own OS to advance the monopoly was disastrous, but while it caused huge R&D expenses for Microsoft, it didn't hurt their bottom line; quite the opposite. Most of the billions in resulting expenses were paid by others (the users).
Has insecurity been a net loss for Microsoft? How much market share and revenue has it cost them? It's certainly tied a lot of customers closer to Microsoft (have to keep those patches up to date) and helped build up the huge secondary industry of consultants and programmers who fix Microsoft stuff and maintain it as an implicit standard.
(This is a devil's advocate argument, but I'm by no means sure it's wrong.)
You’re completely right Bruce what a great argument he makes!
Microsoft tying all of its business to this huge failure called the Internet has been its downfall.
What a crock.
Netscape was NEVER the real competition.
The "Browser Wars" was the only thing the public could understand.
The real war was over the budget of every business and family in the world.
The real battle was over the percentage businesses and individuals were going to spend on Microsoft products instead of Cisco products, IBM products, Sun, Oracle, etc.
ENTIRE product lines depend on the protocols and practices introduced via the IE browser.
To even think Microsoft's most important moment of the last 15 years was in court is a joke and shows the narrow minded people have when they think of one of the most successful companies in history.
Everyone who claims that the choice was wrong, a disaster and caused huge "losses" needs to explain the billions of dollars MS is worth today.
And who knows, on that different path, Linux may have been known as the boot-loader for Netscape.
"Has insecurity been a net loss for Microsoft? How much market share and revenue has it cost them? It's certainly tied a lot of customers closer to Microsoft (have to keep those patches up to date) and helped build up the huge secondary industry of consultants and programmers who fix Microsoft stuff and maintain it as an implicit standard."
That's exactly correct. There really ought to be a tipping point where people start looking at something other than Windows.
Ed Bott reported today that identity-stealing malware pops up when people go to the American Express web site. The malware asks for a mother's maiden name, social security number and birthdate. The software had nothing to do with Amex, but people whose computers are infected and go to the Amex site are VERY likely to have their identities stolen. This is the tip of the iceberg with this kind of scam. How long before the first class action lawsuit against Microsoft for identity theft due to Windows security problems?
The problem is that Firefox is basically a platform too.
If you look at the Safari exploits, they too were due to OS integration. So I'm not sure this is something you can get away from, though IE certainly has it worst of all.
I'm going to have to disagree with those people who are saying that IE is not a net loss for Microsoft.
Nobody, (and I mean not ever, not one person) has ever said, "We need Windows because we must have Internet Explorer".
People buy Windows for precisely four reasons:
1. It comes bundled with the computer
2. They want Microsoft Office
3. They play games
4. They have a gadget that comes with a Windows app
Corporations buy Windows for precisely five reasons:
1. It comes bundled with the computer
2. They want Microsoft Office
3. They want Exchange
4. They have legacy software that runs on Windows
5. Employees use Windows at home
Microsoft's primary revenue streams are (a) Windows, (b) Office, (c) Exchange.
Some people will argue that IE encouraged MSN, and thus enabled new revenue streams for Microsoft. MSN was started in 1995 and turned its first profit in 2003(!) I don't know what the net loss statement is on MSN from inception until today, but I would hazard an educated guess that MSN has been a net loss for Microsoft.
Dvorak is spot-on when he says R&D costs for IE are just money down the hole.
> It killed the web as a competing client
Are you saying that IE killed web-based applications? That's just wrong. Web based applications succeed in some areas. They fail in others, because local resources (as Dvorak points out) are more responsive than network resources. Nobody wants to run a word processor over the web.
> It helped kill netscape
Regardless of whether this is true or not, how does the lack of a "competing" browser to IE generate revenue for MS? They don't get to charge you every time you run IE...
> It made Microsoft the #3 player in the Internet search and portal world
Apparently, a very distant, very poor, "why are we even bothering" third. Google crushes Yahoo, and Yahoo obliterates MSN.
Since when is giving away things for free anti-competitive?
Is going to the justice department to prosecute your competitors, competitive?
Market share is not a sign of monopoly, legal barriers are.
In my opinion Netscape killed itself. Its whole institution was overextended on cheap credit.
"This is the tip of the iceberg with this kind of scam. How long before the first class action lawsuit against Microsoft for identity theft due to Windows security problems?"
How long before a class action lawsuit against the post office, who historically, has a much higher rate of identity theft?
We can, of course, ignore the Dvorak article as another piece of creative writing: he makes no attempt to consider what value IE has to Microsoft, only mentioning the costs of owning the dominant browser. Anyone who controls the primary means of accessing the internet would have the same costs, but they still want to be there. The question of why is left unexplored: this is movie-plot economics :)
I've never really understood the "tied in with OS" argument. Nobody has ever told me what that means or how it affects my security. I'm worse off because other applications can host web technologies? Firefox and Opera don't have as much access to the system as IE? What?
What will happen after Vista? Will you start saying, "thanks to its integration with the OS, it can take advantage of features to enable protected mode whilst more portable alternatives do not"? Or will it simply be "This is long overdue" or "this shouldn't be necessary"?
It's about time you stopped propagating the tight-integration myth. It's the lazy person's way of avoiding identifying real architectural flaws (such as the Zones system, which has been made thoroughly useless in IE7).
I'm a Firefox user, but I'm still glad I have a lightweight way to use html and associated technologies in my applications.
@pat Nobody, (and I mean not ever, not one person) has ever said, "We need Windows because we must have Internet Explorer".
No, but Microsoft understood that there were a number of products they would like to bring to the market that would depend on "features" of IE being available.
It also ensured (in those days) that when people were looking to buy a computer that by choosing Windows, they would have a browser. People were buying computers to check out that "Internet thing" and things were complex enough.
Without IE people would look to Netscape for a browser solution. Once they had an experience with another company then there was a chance that they might purchase Netscape's mail server instead of Microsoft Mail (and later Exchange) and use Netscape's LDAP server etc.
IE was marketed as it was so Microsoft could sell their server products and development products, not because they were afraid of Netscape.
- Their server components, most notably IIS, needed an edge up on Apache to make people use it. By taking control of the browser, it was easier for Microsoft to make IIS have more functionality
- The same goes for their development components, which leverage IE to work properly.
For all of you corporate users out there - while you can espouse the use of firefox until you're blue in the face, how many of you have deployed it as your corporate standard? If you have, have you disabled IE?
I suspect very few have, there are simply too many applications that won't work with another browser.
"Since when is giving away things for free anti-competitive?"
When it is done to drive a competitor out of the market.
"When it is done to drive a competitor out of the market."
Ha ha. It's not competitive to drive out your competitors out of the market?
Wow - what definition of competition are you using?
We should prosecute all charities right now!
We should stop sending foreign aid - since it's just money for dictators, and ruins whatever economy the poor already have.
Now tell me how using compulsion on the part of the gov to prosecute 'anti-competitive' behavior is not anti-competitive.
People seem to be forgetting that Internet Explorer is not just a program, but a component - an ActiveX component - that can be reused. Its integration into the shell was likely to make richer UIs possible, like via the Desktop.ini file and an HTML page (seen lots in Win98). Yes, there have been problems but that has happened with Mozilla and every other application as well.
What revenue has it brought in? Nothing, probably. But it has provided value to both Microsoft and third-party applications wishing to host either MSHTML or the WebBrowser control to easily add HTML rendering or navigational functionality.
Not everything is about revenue, but also about enabling new ways to more easily make money. Should everyone wishing to render HTML for rich UIs have to write their own renderer / browser?
Give a regular user a choice between Windows and Linux, and I bet most of them would probably say "what's Linux?". Your average office lackey or home user who doesn't know much about computers wouldn't have a clue about Linux, so I would say many people choose Windows and Internet Explorer because of familiarity, and the fact it's "user friendly" to the point of stupidness (but this can be a good thing for beginners).
At the end of the day, if Windows didn't have a browser, then people would just bitch at the fact one wasn't provided. Plus, a company the size of Microsoft doesn't need to make money off every single thing they produce. I agree with Arl, the billions Microsoft is worth today makes this "profit" argument irrelevant.
> No, but Microsoft understood that there were a number of products they
> would like to bring to the market that would depend on "features" of IE
> being available.
Substitute "believed" for "understood" and I'll buy that.
> - Their server components, most notably IIS, needed an edge up on
> Apache to make people use it.
Again, I think this was more of a corporate belief at Microsoft ("If we integrate it, people will come!")
And, for what that's worth, as a corporate strategy, it seems to have failed miserably, which would indicate this was probably a bad idea (and a money loser):
> Once they had an experience with another company then there was a
> chance that they might purchase Netscape's mail server instead of
> Microsoft Mail (and later Exchange) and use Netscape's LDAP server etc.
Again, I agree this was probably the reasoning. But it seems (IMO) to be deeply flawed.
Sure, Microsoft had reasons to follow the course of action that they followed, but that doesn't mean the course of action wasn't a bad one, and led to an overall loss for the company.
"Nobody, (and I mean not ever, not one person) has ever said, 'We need Windows because we must have Internet Explorer'."
Incorrect. I'm the counter-example. IE is exactly why I have kept Windows XP installed on my hard drive for the past few years. I took a web-based class or two in college, and the distance-learning application supported IE exclusively. It mostly worked in firefox, but it couldn't do things like file uploads (fancy ActiveX uploader applet) that was needed to turn in my assignments. So I made a new partition and installed Windows on it, just to get IE.
Since then, there have always been a few websites that just refuse to work for me with linux/firefox, so I keep Windows around.
Fair enough, let me edit that:
"Nobody, (and I mean not ever, not one person) has ever said, 'I need to buy a copy of Windows because I must have Internet Explorer'."
Windows undoubtedly came with your computer. You may still have it on your machine because someone wrote an ActiveX control that you need to access, but this hasn't meant that you paid any more money to Microsoft to get IE.
Look at it this way:
Case 1 - Microsoft follows its history with IE
Outcome - you run IE on Windows (which you got with the computer). You don't pay anything additional for this... net revenue increase for Microsoft = 0$
Case 2 - Microsoft never got into the browser business
Outcome - Microsoft never spent a dime on developing IE, or maintaining it. Net revenue increase for Microsoft = N$ where N is the cost of maintaining the R&D department for IE (certainly not trivial).
It could be argued that without having IE, there would be no ActiveX, and without ActiveX, Microsoft would have sold less Server licenses, but the historical trend of web server deployments would seem to indicate that ActiveX, itself, has had very little outcome in the web server market.
@ Pat Cahalan
>People buy Windows for precisely four reasons:
>1. It comes bundled with the computer
>2. They want Microsoft Office
>3. They play games
>4. They have a gadget that comes with a Windows app
>Corporations buy Windows for precisely five reasons:
>1. It comes bundled with the computer
>2. They want Microsoft Office
>3. They want Exchange
>4. They have legacy software that runs on Windows
>5. Employees use Windows at home
Now take the above reasons people/corporations buy Windows and look at what MS did with it.
1) Build Web server to support technologies only IE can use (at the time).
2) Tie in back office tool so they are very easy to connect.
3) Sell the message "Anyone who matters has IE on the desktop. Use IIS/ASP/ActiveX to make dev quick and easy"
4) Profit by selling more versions of Windows Server to run IIS and SQL server and Exchange and dev tools
5) Profit by making MSN the default home page/search so MS would not have to compete with quality
6) Profit by making partnerships with media companies to already have "channel" content and URLs already in the browser
7) Punish Netscape for even suggesting that a web browser would make an OS irrelevant. Spread fear throughout the industry, support us or die.
Let's face it. Without IE on every desktop, web servers would all have gone LAMP.
But with IE on the desktop, there was a perceived value to buying Windows Server with IIS and then using all the MS Back Office tools.
That is why IE was a net gain, despite the horrible security
I'm unsure what linux has to do with this thread. I agree that people use what they're familiar with, which means for the most part they use Windows and IE. So? If you take away IE, are they not still running Windows (which is what Microsoft makes their money off of)?
> At the end of the day, if windows didnt have a browser, then people
> would just bitch at the fact one wasn't provided.
That is the craziest thing I've ever heard of. People don't complain because their computer didn't come with Quicken, or Office, or any other piece of software, do they? Well, maybe they do, but even when they do, prebundled software from a computer vendor can include a browser. There's a difference between a third party VAR selling a machine with bundled software and a software vendor integrating two products into a single product line.
> Plus, a company the size of Microsoft doesn't need to make money off every
> single thing they produce.
Sure. Microsoft could also take $100M dollars of their gigantic pile of cash out of the bank, put it in a big pile in the quad of their campus, and burn it up during a big party too. That's still really bad business sense.
> I agree with Arl, the billions microsoft is worth today makes this "profit"
> argument irrelevant.
Remind me not to invest in any company you or Arl run.
> with IE on the desktop, there was a perceived value to buying Windows Server
> with IIS and then using all the MS Back Office tools.
A perceived value that allowed Microsoft to roar up to 20% market share in the web server market, where they've more or less stayed steady since 1996?
Excellent, that worked out well.
> Remind me not to invest in any company you or Arl run.
That was a cheap shot, and I apologize.
Note, however, that this is precisely what this thread is about. "Was IE a good business move for Microsoft". Good business moves involve profit. To say, "They don't need to make money on it" sort of ignores the point of the thread.
Predatory pricing (which a firm with huge market share selling at a loss in order to drive competitors out is an instance of) is illegal in the US.
Your opinion concerning the law is as immaterial as mine. Feel free to Google up the relevant citations if you care to.
Windows security problems have altogether different origin.
Microsoft, like almost everyone else never planned for the "criminalization of/by/for technology".
I remember days when .rhost file wasn't even used and the machines were totally unprotected.
To claim economic loss .. huh!! how many sites are there that only work on IE, I am sure IIS is not free !!! it was a reasonable business/technical decision.
Windows design sucked from day one .. i mean from msdos days and not much has changed .. stop blaming bill and pay up ..
Like Andrew, you probably got Windows with your computer, ergo your preference for IE is largely irrelevant - you didn't "buy" IE, and didn't generate any revenue for Microsoft.
P.S. -> your web site is down.
I was mentioning linux because it's an alternative to windows, just making the point that many average users use windows because of a lack of alternatives (at least a lack of knowledge of alternatives)
Also, the point about profit. I was just saying that not all good business moves have to result in a profit. Google give away all sorts, Google Earth and Picasa for example (and a bunch of others), and they get along fine. A company as big as Microsoft (or Google) make money from other products and other avenues of business, so a product like IE does not necessarily have a huge impact on profit.
I'm not saying that you're not correct, I'm just saying I think there are many examples where businesses can operate successfully and not have to charge users for every line of code written.
>A perceived value that allowed Microsoft to roar up to 20% market share in the web server market, where they've more or less stayed steady since 1996?
Maybe 20% of world market when it is Internet facing for all surveyed domains. At least that is the around the 20% that Netcraft surveys.
But also this week Netcraft shows that for SSL enabled sites (which normally means customers with money), IIS holds 40-50% of the business. And has been the leader until this week.
Now also consider internal web sites. How many Fortune 500 "official" internal web sites are running IIS vs. open source? I would say at least 60%.
>Excellent, that worked out well.
Actually it did work out well for MS. Just look at the annual shareholders reports for MS in the late 1990s. Look at how it's taken until now (2006) for Apache to overtake IIS in SSL enabled sites.
> Maybe 20% of world market when it is Internet facing for all surveyed domains.
74,572,794 sites surveyed in the original netcraft report I quoted. I would call that a significant sample. You are correct, however, that is "internet facing".
> How many Fortune 500 "official" internal web sites are running IIS vs.
> open source? I would say at least 60%.
I have no idea if this is the case, but for the sake of argument let's say you're correct. In fact, let's say IIS runs *80%* of the Fortune *1000* internal web sites... Apache 20%... and that each one of those web sites requires a total of 100 servers. That's 100,000 servers, 80,000 of which run IIS and 20,000 of which run Apache.
That gives a total deployment (including the public numbers) of 52,025,811 Apache servers and 15,373,030 IIS servers -> Apache is still killing Microsoft overall in deployed instances.
> But also this week Netcraft shows that for SSL enabled sites (which
> normally means customers with money), IIS holds 40-50% of the
I think what you're saying is that IIS held an equitable presence to other web services in the market of people "who were willing to pay for web server software". Fair enough.
How much of that is actually due to Microsoft's bundling of IE with the operating system? Some percentage, I would imagine. I'm not saying that ActiveX controls aren't used for corporate web-enabled applications. They certainly are. However, is this percentage really significant? I'll freely admit I'm not sure, but I don't think so. A much higher percentage of IIS/SSL implementations are probably running Exchange, not ActiveX enabled apps.
I would imagine IIS was a more popular SSL-enabled web server more because setting up IIS w/SSL is pretty trivial, whereas setting up Apache 1.x with mod_ssl wasn't trivial. As the article you linked to indicated, Apache 2.x's built-in mod_ssl is increasing its popularity.
> Just look at the annual shareholders reports for MS in the late 1990s.
Again, Microsoft's revenue is generated by (a) Windows (b) Office (c) Exchange. Windows 95/98/2000's and Office 95/97/2000 release cycles between 1995 and 2000 are the reasons why MS had great shareholder reports in the late 1990s. All this revenue would have been coming in regardless of IE's existence or lack thereof.
Just because a company is (or was) doing well doesn't mean that parts of its corporate strategy weren't poorly thought out.
I guess you think that Apple is "mistaken" as well, since it produces its own web browser (Safari), too.
I'm not buying that premise. The browser is the single most important app on a computing platform these days. If you ship with one produced by a third party, you are promoting their brand at the expense of your own. That is not a healthy long term strategy.
Linux users beware>
Linux: A European threat to our computers!
Guess what software Osama Bin Laden uses on his laptop?
If you guessed it was Linux you would be 100% right. Osama uses Linux because he knows designed to counterfeit DVDs, circumventing the Digital Millennium Copyright Act, and defraud companies like Disney.
I doubt Osama has power for his laptop ..
>74,572,794 sites surveyed in the original netcraft report I quoted.
>I would call that a significant sample. You are correct, however, that is "Internet facing".
Actually that is 74,572,794 domains. And Netcraft admits many groups of domains are on the same machines. Mostly small non-commerce related web sites. Sites that Microsoft would see as a low priority. So it's not 74,572,794 machines, it's 74,572,794 domains which 500 domains at a time could be on a single apache server. I bet there are fewer hosting ISPs using IIS, but a significant number of single corporate web sites that use IIS. But I admit that's a general guess.
> Apache is still killing Microsoft overall in deployed instances.
Sure in deployment. Not in dollars. Not in sales of related dev tools and databases. For Apache all that other stuff is from some other open source project. Microsoft went from having no web server presence to leader in SSL enabled sites and for internal corporate sites in a quick amount of time. They have now got themselves entrenched in corporations with a constant revenue stream. A big part of which was sold on the “seamless integration” with Internet Explorer. You see this as a bad strategy?
>Apache 2.x's built-in mod_ssl is increasing its popularity.
Yes, mostly in countries outside of the U.S. Microsoft still has a good hold on the U.S. market as per the Netcraft report.
>Again, Microsoft's revenue is generated by (a) Windows
Right, because the "OS is irrelevant Web platform" promised by Netscape got killed by MS by bundling IE into Windows. Hence as people bought computers, they got bundled Windows. If Microsoft did not do so, many people may have bought a web appliance. It's hard to tell since that is history now. But in one sense it isn't, my Cellphone/PDA can do most business things my PC tower can do.
>How much of that is actually due to Microsoft's bundling of IE with the operating system?
I would say it was very significant. I remember in the late 1990's when I would point out, hey we can use Apache for free. But Management bought the line, hey since Internet Explorer is the only browser with any significant market share anymore, let's have our coders use the Microsoft only dev tools to tie into our infrastructure. Oh what we found we need a new database to support this, oh well, then I guess we also need to buy MS SQL to support this too. Now Pat, if you honestly didn't have some kind of experience like this with management, then point me to the yellow brick road because I want to join you in the land of OZ.
>Just because a company is (or was) doing well doesn't mean that parts of its corporate strategy weren't poorly thought out.
The key word is "parts". Overall Microsoft's plan was brilliant. It accomplished what they desired to do. It was to not just sell Windows, but a host of software to entrench themselves into the corporate infrastructure. What their plan lacked was a long term strategy to go from capturing the market to making a quality browser. Also they were so busy making money and capturing market share they just had no vision for people who write malware to take advantage of their rushed coding practices.
You can't do with it, and you can't do without it.
I don't know how much they would cost, but I think default bookmark (favorite in MS lingo) placement must be costly.
The corporations I deal with want nothing to do with IIS or IE where they can help it, and resent Microsoft and its partners where they are forced to use either. The rule of the day is to partner for a vendor's strengths, but avoid “tar-baby” tie-in. This is not limited to Microsoft products, but includes Computer Associates, IBM, Cisco and others as well.
With respect to IE and IIS, in large part this is because of the endless security problems, and Microsoft's tendency to shoot the messenger when such is revealed publicly, and to take their own sweet time plugging the holes if it is revealed privately. Clearly one doesn't want to deploy products that have such a bad security track record in security, in order to provide public access to sensitive information, the accountability for which is increasingly under regulatory scrutiny and legal constraint. If Microsoft (and the rest of the industry for that matter) wanted to change their approach to EULAs, to take some responsibility for the impact of their products, this might be different. As it stands, it is Caveat Emptor all the way around, and increasingly smart companies are taking that to heart.
The case of Microsoft is not so different from IBM before them -- They did great, then got fat, then got lazy, then got petulant and started throwing their market weight around rather than actually competing on technological merit. IE is just a symptom of a larger problem in their case – Honestly, what kind of idiot unnecessarily scatters the functionality of a discrete software product all over the OS, adding complexity (which has a generally inverse relationship to security), thereby increasing the difficulty in regression testing and development for BOTH the software product AND the OS? And why then also provide unfettered access for unknown parties to local functionality via something like ActiveX, without taking the time to think about the inherent dangers to the average mom and pop user that forms such a large part of their customer base? It is a recipe for disaster that the great developers at Microsoft saw coming, but their message was one that MSFT Marketing and management simply did not want to hear. Beware companies that embrace their own marketing mythos, discard their core values, and seek to control rather than engage the environment which gave rise to their success.
>The corporations I deal with want nothing to do with IIS or IE where they can help it, and resent Microsoft and its partners where they are forced to use either.
That is true today, 2006. Did you have the same resistance in 1995-1999? No. It was the opposite. There is a problem with how this is being argued. They are arguing with 20/20 hindsight. While IE and IIS have a horrible reputation for security by today's standards, they actually accomplished the original goal of capturing enormous market share and holding on to the majority of it. Sure IE is the most famous malware entry point in all of security. But I don't see corporations leaving Windows in any significant numbers. It sounds like the companies you deal with are smart, but unfortunately it seems most companies are not this smart. Marcus Ranum wrote two great opinion pieces about this.
"Stupid About Software" (Talks about management's stupid policies can prevent quality software from being installed)
The line that sums up the problem: Have you ever heard of a vendor being taken to court because their crappy software didn't work as advertised? NO!
His other one, "Inviting Cockroaches To The Feast", mainly addresses the issue of "software liability", but as part of his argument he points out the corporations need to create a market for software quality. Right now they accept crap that gets patched along the way. He argues that the corporations need to demand a product that works as advertised. So if any company is complaining about IE, but keeps using IE, then it's their fault for being too dependent on crap. Again, here is the quote that sums it up:
The answer is so simple that apparently only the village idiot can see it:
If you don't like crap, don't buy crap.
If you do buy crap, don't complain that it smells.
If you hold your money in your hand and say what you want loudly enough, someone will come along and try to earn it.
Microsoft learned a lot from IBM. Get yourself entrenched first, then worry about problems later. The reason is once you are entrenched, the company will tolerate your fixes because it's too hard or embarrassing to get rid of you. Hence IE was successful for the goals of 1995-1999. It's a failure in security, but unless MS loses the same market share it gained during that time (Right, like that's going to happen), it still was a net sum win for MS.
"Predatory pricing (which a firm with huge market share selling at a loss in order to drive competitors out is an instance of) is illegal in the US.
Your opinion concerning the law is as immaterial as mine. Feel free to Google up the relevant citations if you care to."
I'm aware of the fact that it's the law.
But making an appeal to authority is hardly what I was looking for.
I argue that it's wrong and it should be abolished. It is by its very nature anti-competitive. And you have done nothing to disprove this blatant fact.
Anyway, if one really approves of the "predatory pricing" model, then to be consistent, open source vendors should be persecuted for practicing predatory pricing.
Yes - It would be a terrible thing, but hey, the law is the law, right?
"Microsoft should pull the browser out of the OS and discontinue all IE development immediately. It should then bless the Mozilla.org folks with a cash endowment and take an investment stake in Opera, to influence the future direction of browser technology from the outside in."
This is where the article goes from insightful to absurd. He really had me up until this point.
I would say that IE has probably been more trouble than it's worth for MS. They overestimated both the threat of Netscape and their own potential to twist the web to their own ends. However, the idea that they will leave the browser market after being so firmly entrenched is absolutely absurd.
Most of the people making arguments for IE are making secondary business arguments.
If we start with the following premises:
1. Business is an exercise in making money.
2. The IE product has produced no direct revenue.
3. IE has direct expenses that continue.
4. There are no visible financial returns in the near future.
The primary position must be this product is not a good investment. The secondary supporting arguments for the investment would have to be nothing short of spectacular. I would be surprised if the venture capitalist gave you a second interview.
I think the article has some valid points; with the benefit of hindsight and all that. No one in their right mind would make an investment like the one described above - well not with their own money and governments excepted. I'm sure M$ didn't think this was the investment they were making.
>The primary position must be this product is not a good investment.
Except MS wanted to control a market to drive corporations to use their tools. I present the following evidence that it worked.
Note that while market share for IE went up so generally did the stock. Then come the tie-ins: MSN, IIS, Dev tools, etc.
While we all agree that IE sucks, the hard evidence of it being a failure is lacking. John D. has been wrong before and he is wrong now. If I am wrong, show me the hard evidence.
But high market share in a non commercial market doesn't mean anything positive commercially.
Whilst share price went up - I see no link between IE and the share price. The planet has been slowly warming over the same time period - but that doesn't prove a link either. Shareholders buy for a monetary return; which was my point I guess.
Business is about money. IE doesn't make any.
What you're forgetting is that MS is not just any company. They took on the responsibility of supporting a web browser, and like it or not, they're stuck with it. If they stopped supporting it now, people would be *pissed*. There would be a major backlash. No company in their right mind would do this. The closest thing I could see MS doing would be to re-write the browser from scratch, or else buy a company that already makes a good browser.
Of course you are right. I am sure they have painted themselves into a corner.
Depending on your ideological view of MS, it's possible to think that they integrated IE in Windows in order to make things simple for the unsophisticated home user that they were trying to target at the time (having more or less cornered the corporate market). They wanted a consistent user interface, so they tried to make everything look Web-like: Windows Explorer, Control Panel, etc. It didn't work very well, and the technical way they did it was not clever (in hindsight at least) but their motives were not necessarily entirely evil.
@quincunx "Since when is giving away things for free anti-competitive?"
Internet Explorer isn't free. The license makes it quite clear that you're not allowed to use it unless you have a valid Windows license. Of course, most people have already paid for a copy of Windows anyway, but it's still not free.
(Incidentally, Internet Explorer now runs fairly well under Linux using Wine. Of course, you can't legally do so, at least unless you already own a licensed copy of Windows - and perhaps not even then. Looks like IE7 will also have measures to prevent this, as well...)
Shemesh is right. The deal with Spyglass was for royalties on sales. Gates screwed Spyglass because he never intended to 'sell' it. But they didn't know it. He screwed them rotten - intentionally.
Anything else is idle speculation. A pastime for people with no lives.
>Business is about money. IE doesn't make any.
IE as a product did not make money.
IE as a way to keep business on Windows did.
IE as a way to convince business to buy server to get IIS did.
IE as a way to sell dev tools to make it easy to tie into IE did.
It's the old Gillette razor strategy: "Give away the razor handle, sell them the razor refills"
> So it's not 74,572,794 machines, it's 74,572,794 domains which 500 domains
> at a time could be on a single apache server.
Granted. Of course, the flip side is also true -> the domains reported as running on IIS can be multiple domains on a single server. Now you've got me curious - I wonder how many domain aggregators/resellers run IIS (vs Apache)?
> [Apache is killing IIS]... Sure in deployment. Not in dollars. Not in
> sales of related dev tools and databases.
Well, you can't compare dollars when one of your products doesn't cost anything. And getting into databases opens the whole MS-SQL vs Oracle product war, which is a completely different beast.
> Right, because the "OS is irrelevant Web platform" promised by Netscape
> got killed by MS by bundling IE into Windows. Hence as people bought
> computers, they got bundled Windows.
This is hard to refute authoritatively, but ...
> If Microsoft did not do so, many people may have bought a web appliance.
I don't believe this is the case. First of all, web appliances *always* stunk - I don't know of a single one that had even a minor impact on the technology market. Microsoft didn't need to drive them out of the market, they handled that themselves.
There is a balance in software deployment between binary clients that run on an end-user platform and web-enabled applications. IMO, the Netscape and/or Java dream of "no more software on your local machine" was a pipe dream to begin with (albeit one that Microsoft fell for as well).
Some software works great over a network, but generally speaking most of what people do on a day-to-day basis is much more efficiently run on your local machine.
> Management bought the line... [snip]... Now Pat, if you honestly didn't
> have some kind of experience like this with management, then point me to the
> yellow brick road because I want to join you in the land of OZ.
I agree that lots of businesses have made dubious decisions at a management level to go with Microsoft (or Oracle, or Sun, or any particular vendor) over some other vendor. Heck, choosing an open-source software product can be a terrible decision too, depending upon what you're trying to do and what your staff looks like.
But I think this mostly comes from "nobody ever got fired for buying IBM", which in the mid-to-late 90s was "nobody got fired for buying Microsoft".
I think that this was based upon Microsoft marketing in general rather than a particular Microsoft product. This is just opinion, though. You could argue that IE was a tipping point here, but I don't personally buy it -> I think Microsoft has always done a great job of grabbing market share, but the #1 tactic (and really, the only one they *needed* to use) was bundling their OS with almost every machine that shipped out of any OEM/VAR for the last 12 years. Everything else was preaching to the choir.
You know, I'm thinking of something reading all this. I hate to bring up Apple in this conversation, but here goes. IE makes money by not making money. Point is, look at Apple. They make absolutely no money on iTunes itself; they have said so themselves, they break completely even on it. Yet iTunes is only supported by iPod last I looked, and so what kind of revenue has that brought, ya think? Using a service that is no profit to triple or more your profit on another technology is very brilliant. In fact, as many pointed out, look at Google: they give away and maintain a lot of stuff for free, which is a zero gain, if not a loss, but consider the money they make from their name alone being there, not only the advertising revenue they make for it. I think what you are forgetting is that the old saying "you gotta spend money to make money" is true. Apple and iPod is a perfect example; Google, and its Earth, Picasa, and even free wireless internet service in some cities, definitely has to have a zero next to it if not a negative, yet it has increased revenue across the board. So just 'cause there is a big zero or a negative next to it does not mean it was a bad decision, if it enables you to make triple profit on another product. The fact most of you have not realized that is why M$, Google, and even Apple have so much money.
Another reason IE is not a failure in the grand plan for Microsoft.
Microsoft and Google Set to Wage Arms Race
There are two reasons Microsoft can wage this war.
1) Microsoft has the money to wage it
2) Microsoft still has the 80%+ market for web browsers via IE
All MS has to do is issue an update via Update Services API and within a week all Windows machines that get patches will go to www.live.com by default for search. They could add code that if google got mistyped gooogle it could go to www.live.com. There are all kinds of possibilities Microsoft can do since it has 80% of the browser market. Whatever MS decides, they can change the IE defaults in a week. No other vendor has that power.
Again, IE is a security failure, not a business failure.
"They could add code that if google got mistyped gooogle it could go to www.live.com"
In this particular case, no.
Try for yourself: www.gooogle.com / www.gogle.com
Even goooogle.com is registered, but not by google.
Up to this point I've found most of your arguments at least somewhat cogent and compelling, even the ones I disagree with.
> All MS has to do is issue an update via Update Services API and within a
> week all Windows machines that get patches will go to www.live.com by
> default for search. [snip]
The fact that this would instantly lead to about 5,000 lawsuits, court injunctions, and millions of words of bad press leads me to believe that this is not a feasible course of action. It would probably lead to Microsoft losing that 80% browser coverage in about a month, assuming that the firefox download servers could handle the load.
Having client superiority only gets you so much, technologically speaking. It certainly does not give you the social or legal power to execute this sort of maneuver.
>The fact that this would instantly lead to about 5,000 lawsuits, court injunctions, and millions of words of bad press leads me to believe that this is not a feasible course of action.
No, they would be providing a helpful service. See url at bottom.
>In this particular case, no.
>Try for yourself: www.gooogle.com / www.gogle.com
Except they already have a solution that prevents you even getting to the DNS server before you reach a typosquatter site.
Now can someone provide evidence that my previous ideas are not possible?
Er, there's a difference between an opt-in service that does "helpful mis-typed URL correction" and categorically altering the way all Windows machines resolve DNS entries, redirecting other entities' web presences to your own services.
Sure, technically they could do this. Do you seriously believe that there would be no repercussions?
IE vs Netscape...
It wasn't about the browser at all, when you get down to brass tacks, but about WHAT the browser was running on top of.
Netscape meant that Windows was NOT needed to access the internet, and, as long as that product existed that could run on OSF/1, D/UX, Solaris, AIX, Linux, etc... then those operating systems themselves were _capable_ of competing w/ Windows.
Any "killer app"-- and Netscape, as a well-built (laughs) browser at the time *was* the killer app for the InterNyet-- that could run on an alternative platform had to be targeted.
So the same browser engine working on top of multiple operating systems and behaving more-or-less the same way on ALL of them would legitimize these other systems, so IE became a loss-leader to undermine a competitor that was depending upon being able to *sell* the product to stay in existence.
In effect, Microsoft used cross-subsidies to kill off Netscape as a brand/competitor, kind of how AT&T was watched closely to keep their computer business from being subsidized by the dial-tone business.
So, in effect, we have a monopoly trying to maintain a monoculture. I once wrote on this subject here:
Nowadays, with the Mozilla and Firefox projects, we have more choice, but the "knee" point of uptake, around the time of Win 3.1, 3.11 and W95 in the mid-1990s, was a "net" win for Microsoft. They used monies from other profitable parts of the company to subsidize the production of a browser in an attempt to lock out others' choices. In effect, they grabbed the business "at the right time" and are unwilling to relax their hold.
Of course IE may end up being an albatross but so far it has not, all because using IE is the equivalent of letting a VCR's clock blink 12:00. (Don't argue over how we're getting away from that because NOWADAYS the VCRs look for a time signal on one of the TV channels to automagically set the clock. This'd be like having a daemon automagically download mozilla, opera *and* firefox built in to the OS itself once it's been booted the first time.)
>Sure, technically they could do this.
Which acknowledges my point about the power of holding 80+% of the browser market. Thank you.
>Do you seriously believe that there would be no repercussions?
No repercussions - no
Will the repercussions be serious enough to make them remove the "feature" until they have taken considerable market share with www.live.com (or whatever else), looking at history it's entirely possible.
They could also use the slow approach. Do this to just XP/Vista Home. Why not, they are just being helpful. Once everyone has accepted that this is not outrageous, then do the same to the other versions. (The old boil a frog slowly approach)
Will they do it? I can't predict the future. If I could I would already be the king of Vegas and Wall Street.
You just acknowledged it is possible. Given MS past history they could pull it off.
The overall point is, IE in terms of business strategy was a success. Which is a separate issue from IE is a security disaster.
@John R Campbell
>In effect, they grabbed the business "at the right time" and are unwilling to relax their hold.
John, you and I are on the same page.
The only part I disagree on is IE/Windows is now so tied into the WSUS API that Microsoft can set the time on the VCR and give it PVR capabilities to make sure Tivo does not kill the VCR business. Once IE had "Windows Update" the path to partial control of Microsoft consumers (via patches/features like the new MS spyware program) was a natural extension to keeping MS on top. Hence in one sense security problems increased Microsoft's power.
"Try for yourself: www.gooogle.com / www.gogle.com
Even goooogle.com is registered, but not by google."
Last time I checked, domains were registered all the way up to www.gooooooooooooooogle.com (that's 15 "o"s), although most of them are just "ad-squatting" sites.
Yeah, I was really bored one day.
Actually, if Microsoft really wanted to, it shouldn't be too hard to just use their Windows monopoly to punish Google...
If a TCP/IP connection is made to port 80 on whatever IP address is currently in the lookup table for "google.com" or relatives, no previous connections to this IP address have been made yet this session, and a random number generator returns a "true" result (primed to be true about 50% of the time, say), then:
1. Pretend the connection's been made and wait for the HTTP request.
2. Return a web page describing how Google's become insolvent, and suggesting using Microsoft's Search technologies as a replacement, with an automatic refresh to Microsoft's search page.
If Microsoft was brought up on anti-trust charges for this, who cares? The last 3 runs with the government were all big laughs (even with faking the evidence!), so what's the worst that can happen? Fines? Ha!
And what would the users do? Switch to some other system? (Admittedly, this is more of a threat than it used to be, but how often will a user decide to reboot just to try to get access to Google? They'll probably find themselves using Microsoft's search site, and learn to like it.)
First, some basics: they are committing to deliver a new version of Internet Explorer for Windows XP customers. Betas of IE7 will be available this summer. This new release will build on the work they did in Windows XP SP2 and (among other things) go further to defend users from phishing as well as deceptive or malicious software.
Why? Because they listened to customers, analysts, and business partners. But a clear message to them: “Yes, XP SP2 makes the situation better. We want more, sooner. We want security on top of the compatibility and extensibility IE gives us, and we want it on XP. Microsoft, show us your commitment.” I think of today’s announcement as a clear statement back to us: “Hey, Microsoft heard you. We’re committing.” Personally I just hope that the IE team is working hard. They will be eager to improve and better secure the web experience for the hundreds of millions of IE users around the world. And hopefully it will continue to deliver on security updates for customers (across several versions of IE (back to IE 5.01) and Windows).. sites. I have done a lot of research for my dissertation (http://www.coursework4you.co.uk/sprtcasec92.htm), but your article gives me some more ideas for my next project. Thank you
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.