June 2009 - Posts

MAC vs PC, the “unlevel playing field”
23 June 09 12:57 PM | ronaldg

Well, as you know, I frequent the ZDNet blogs from time to time, especially the Ed Bott and Ryan Naraine ones.  Because of that, I also come across some other blogs on ZDNet that, for my money, are far too opinionated with far too little objectivity and/or factual basis or knowledge for those opinions – one of those is the Adrian Kingsley-Hughes’ blog, Hardware 2.0, which is theoretically supposed to be focused on hardware, but he seems to digress a lot and talk about Windows OS, and most of the time it’s a pretty negative spin.  But recently, I was attracted to this one post:

Snow Leopard and Windows 7: Two flavors of the same GUI?

As usual, within the first few paragraphs he showed his normal bent toward denigrating Microsoft technology, but then, much to my (pleasant) surprise, he came up with the following observation.

“But there’s another, far more important reason why Windows and Mac OS will never be on a level playing field. It’s because Apple tightly controls the hardware that Mac OS runs on, while Microsoft is at the whim of every OEM out there. While the Mac OS runs on a selection of systems, and can accept a small selection of hardware upgrades, people expect Windows to run on anything and everything, and then to be able to add any and all hardware they can find to the system. While it’s true that the Mac OS is more stable than Windows, much of this stability is down to a smaller, more controlled hardware and software ecosystem. People complain that Windows crashes, but more often than not it’s not Windows that’s responsible for the crash, but a driver or some dodgy bit of hardware. But Windows gets the blame.”

Wow, except for one slight phraseology issue (that I’ll speak to later), this is one of the best expositions of the basis for one of the key pillars of the MAC vs PC perception issue that I have ever run across – wish that I had come up with it myself, so I’ll do the next best thing and call out Adrian’s observation here.  I suspect that the vast majority of my partner audience is already very familiar with the point made above, so I’m pointing this out, not so much for the “aha” factor as for the fact that he has done such a good job of addressing this issue in such a succinct, yet clear and comprehensive manner.

So, why is this important to you, my partner friend?  Well, in the coming days (months/years?) as Apple continues to make inroads with its mobile technologies, it’s certainly possible that your customers will come to you with ideas about using the MAC platform for their business computing.  There are (currently) 2 major reasons why a business would be drawn to the MAC platform: the perception (and I mean perception, again, we’ll get to that shortly) of better stability and the perception of better security.

If you ever need to have the stability perception discussion with a customer, then I highly recommend you cut/paste the K-H blurb above into OneNote and save it for future reference.  It’s all the better because it would come, not from you or me, but from a professional technology blogger syndicated by ZDNet, which gives him (sometimes undue) credibility.  The small but crucial clarification point, regarding the perception of stability, that I’ve been threatening to get to is this: Windows actually can be as stable as MAC when it’s run within the context of the same hardware and software control as the MAC platform routinely enjoys.  So I take issue with Adrian’s “while it’s true that the MAC OS is more stable than Windows”.   Take DataCenter, or any of the 2003 or later Server products -- DataCenter with its tightly controlled hardware and software requirements is capable of, and even certified for, 5-9’s level of stability and reliability (and this is the SAME essential kernel code and architecture that runs the desktop OS).  By the same token, you’ve seldom heard about stability problems with 2003 or later Windows server products, and again, I point out, since the 2003 code base, the kernel for server and client are the same.  So, my point here is that the apparent difference in the platform stability between MAC and PC is largely based on perception supported by the fact that MAC OS can ONLY be run in a highly controlled hardware/software paradigm.  If the customer is willing to accept those same kinds of hardware and software limitations (e.g. using only signed drivers, and/or logo’d software) for their PC platform, there’s ample evidence to show that they should expect the same level of stability as the MAC platform.  And, even though I obviously can’t guarantee every case, most of you already know this is, by and large, the case from your own experience.

Before I sign off here, I know this is already long, I did want to quickly address the other major pillar, security.  If you haven’t already, I would ask you to peruse some of my recent posts around this pillar, specifically the post I did yesterday and the one on May 31st around how MAC maintains most of its security “halo” by virtue of security by obscurity.  In pure fact, the MAC OS X has had significantly more vulnerabilities reported than Vista and the PWN2OWN stuff that I related in the 5/31 post is pretty compelling in my opinion since it comes right from the “hacker’s mouth”.  Here’s an excerpt of that: “…the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.”   The real point to make with this is that the Windows platform is the best security bet going forward.  Thanks to our SDL programming Initiative, we are constantly getting better around security (again, lots of evidence for that).  On the other hand, as we see by PWN2OWN results and comments, as well as things like the 50+ Safari patches, Apple lacks the formal, predictable, and successful security approach that Microsoft brings to the table with AutoUpdates, Patch Tuesday, and the SDL and our world-class Security Response system.  All of this would point to more risk, from a security standpoint, on the MAC platform going forward as their security by obscurity protection starts to wane in the face of potential increasing market share.  So even though MAC currently has the benefit of the perception of being more secure at this juncture, if someone is making a strategic platform decision in the near future, they need to understand the whole story and the ramifications of relying on that perception moving forward into an increasingly sophisticated and worsening security environment.

Hopefully you’ve stuck with me through this lengthy post and picked up some useful messaging for having the “MAC” discussion with your customers or others.

more security stuff and a shout out to ZDNet
22 June 09 02:44 PM | ronaldg

Most of you who follow this blog know that I’ve recommended articles by Ed Bott on ZDNet from time-to-time in the past and would recommend his blog as a good source of technical and other info on Windows.  In fact, I would encourage you to read his blog on 6/18 around the launch of the “Morro” beta, aka Microsoft Security Essentials, if you aren’t already familiar with that.

Ed Bott’s Microsoft Report | ZDNet.com

But this post isn’t really about Ed or Morro, but about a couple of other posts on the ZDNet that I ran across lately.

Besides Ed, one of the other bloggers that I think puts out some good stuff is Ryan Naraine, who does a security focused blog, also on ZDNet.

Here are the three posts I wanted to highlight.  The titles should be self-explanatory.

Microsoft patches 31 Windows, IE, Office security holes,
Apple Safari jumbo patch: 50+ vulnerabilities fixed,
Adobe patches 13 critical Reader, Acrobat vulnerabilities

As you should also remember, I recently did another post on “Security by obscurity…” where I highlighted the results of this year’s PWN2OWN event, where once again the Apple products proved to be much easier to exploit than the Microsoft ones.  But mostly it was supposed to be about reminding you that Microsoft, in recent years, has made a deep commitment to security and that this should give you confidence in this aspect of our software.  What got my attention about these 3 was that even though there were 31 vulnerabilities fixed by Microsoft, they ran across a gamut of products from AD (2) to Print Spooler (3) to Works, including IE (8).   So here comes a Safari update with 50+ fixes for vulnerabilities on a single product, some rated extremely critical – WOW.   It was interesting to read a few of the “talkbacks” and see how some MAC folks are still in denial that their platform is not the bulletproof bastion they have always thought it to be.   One of the questions that crossed my mind, and why this was interesting to me in my context of security by obscurity, is not so much that Safari had so many holes, but that it would appear that Apple doesn’t feel the need to release these patches until so many have built up, including some extremely critical ones.  It all goes back to the point I was hoping to make in the security by obscurity post: I’m hoping that you understand and can articulate the platform value proposition around the Microsoft commitment and approach to security.

Another point of interest to me was the third post around the Adobe patches.  Here’s an excerpt from Ryan’s blog:  “Adobe has issued its first ever scheduled quarterly update for its Reader/Acrobat product line, a mega-patch covering 13 documented security vulnerabilities.  The patches address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions.  “These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.  The company also acknowledged it has silently fixed several security problems that are not being publicly documented.”  If you followed the PWN2OWN, you know that Adobe products have historically been used as exploit gateways, and now, finally, Adobe has deemed it worthwhile to issue “scheduled quarterly updates”.  But as with Apple, the main point here is to show you indicators of how little priority security seems to have at some of the leading software companies and to point out, in contrast, how Microsoft’s embracing of the SDL (Secure Development Lifecycle, part of the Trustworthy Computing Initiative) should be something that you should make sure your customers understand is an advantage of the Microsoft platform that you are providing and supporting for them.

Speaking of the strategic advantage of moving to newer software…
05 June 09 11:12 AM | ronaldg

I did another post recently around helping customers realize the “latent pain” (potential risk) of staying on legacy versions of the OS, here’s a follow up to that that shows there are risks with staying on legacy versions of other apps, such as Office, as well.

In the last couple of weeks, we’re finding that attackers are using doctored PowerPoint files to exploit an unpatched vulnerability in that app.   Although the attacks are described as “limited and targeted” so far, this points out the potential for exposure and risk associated with the attack.   FYI, the exploit is a Trojan dropper embedded within certain .ppt or .pps data files.

The main point I want to make here though is that Microsoft Office PowerPoint 2007 and Microsoft Office for Mac 2008 are not affected.   Which speaks to a couple of the points I’ve been trying to make: 1) that our newer software, developed under the Trustworthy Computing Initiative, is more secure than previous versions, and 2) that there is an increased risk associated with staying on legacy versions of any software.

Now that I’ve brought it up, here’s a list of the affected software:

  • Microsoft Office PowerPoint 2000 Service Pack 3
  • Microsoft Office PowerPoint 2002 Service Pack 3
  • Microsoft Office PowerPoint 2003 Service Pack 3
  • Microsoft Office 2004 for Mac

Also know that Microsoft has activated its security incident response process, and the company will issue a bulletin with patches, but this could take some time.   In the meantime, Microsoft recommends that Office users avoid opening or saving files, even from trusted sources because those could be spoofed.

On a related note, if PowerPoint usage is heavy in your business, then you should consider implementing MOICE, a tool that uses the 2007 Microsoft Office system converters to convert the Office binary format files into the Office Open XML format.  And, of course, you can download and use the Office Compatibility Tool to allow legacy Office versions to work with Office 2007 XML-based file formats.

FYI, admins could also use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations.

Windows 7 XP Mode (XPM) update
05 June 09 11:07 AM | ronaldg

In previous posts, I’ve mentioned the new XP Mode is coming with Windows 7.   There are several important things about XPM that I think are worthy of clarification, so I’m adding this post specific to XPM. 

One of the first things that has come to light is that XPM is apparently not planned as an out-of-the-box (OOB) component of Windows 7 but rather a free download for those with the qualifying versions of Windows 7 (which should be Professional, Enterprise, and Ultimate).  XP Mode will apparently be based on the next version of our host-based virtualization technology, VirtualPC, now to be called Windows Virtual PC (WVPC). 

It is also important to note that WVPC will require processor-based virtualization support (known as Intel-VT or AMD-V) to be present and enabled on the underlying PC, just like Hyper-V.  In a previous post, I alluded to this and also that one should not assume that “VT” is included with all current Intel processors.  It will be important for you and your customers to do due diligence here and ensure that your desktops have this capability, or factor in the upgrade to it as part of the decision equation.

One of the key benefits of XP Mode is that it will incorporate a fully licensed copy of Windows XP SP3 in a downloadable VM.  Additionally, this VM (running in WVPC) has out-of-the-box integration with the local PC.  This is huge, and, just to clarify, what it means is that XPM does not require you to run the virtual environment as a separate Windows desktop (although you certainly can).  If you like, you can actually have the applications you install inside the virtual XP environment published directly in the host (Windows 7) OS as well. (e.g. shortcuts placed in the Start Menu.)  With this option users can run Windows XP-based applications right alongside their Windows 7 applications under a single desktop and have them appear to be native apps. Moreover, this integration means that local desktop drives are automatically mapped and show up in the VM.  And you can drag/drop between the VM and local desktop.  And, if that’s not enough, WVPC now includes the ability to leverage USB devices beyond the normal mouse and keyboard – this has not been possible in any previous version of our virtualization offerings.

It’s also important to remember that this solution is what I call stand-alone, in that it’s not managed OOB, and is thus aimed primarily at small businesses, which is also why it will be available in the Professional version (and above) not just as an Enterprise feature like BitLocker-to-go.  With that in mind, it should not be considered an alternative to more scalable solutions, such as MED-V and/or VDI, for larger businesses who normally want more control over things like who can install programs on their machines and other management issues.

My point in this post was to hit (and refresh) some of the key things you should know about Windows 7 XP Mode.  For those who need this to overcome compatibility, or other, issues that have kept them or their customers from making the transition to a “modern” OS (from our perspective, a modern OS would be one like Vista that has been developed under the SDL for enhanced security – see my recent post about this for more info if you want); to coin a take-off on an election theme – hopefully, “now you can”.


Thrive redux
05 June 09 11:04 AM | ronaldg

Back in February I did a post called “Helping Partners Help Themselves…".  The first part of that was around something called Skills Week and the second part was around something called “Thrive”.  Well, the Skills Week has come and gone, and hopefully you were able to take advantage of it, BUT in case you’ve forgotten, THRIVE is an on-going scenario.  Without making you have to go back and read the old post, here’s a recap in a nutshell: “Visit the Thrive site and learn how to enhance your skills, advance your career and elevate IT as the business leader.  Go ahead - find out how YOU can Thrive!”.  As I pointed out before, although it appears to be oriented toward IT Pros, partners need the same skills and knowledge of technology in many cases.  With virtualization being such a hot topic these days, I thought this would be a good time to do a redux on Thrive since it features some new offers around virtualization.  Check out #2 below – even if you don’t take the exam, here’s $160 worth of virtualization training for FREE!

Here’s a rundown of the current offers and a link: Thrive offers

note: if you are interested in any of the above the best way is to use the Thrive link at the top vs the direct links in the bullets; if you should go direct and have any issues, try going thru the main Thrive link.

Microsoft announces future online desktop management service
01 June 09 04:19 PM | ronaldg

Some weeks back (in late April), at the Microsoft Management Summit in Las Vegas, Microsoft unveiled System Center Online Desktop Manager, the first online service built on our System Center line of management tools.  Even though this isn’t “news” at this point, I wanted to post this since it’s an important new capability coming to support our Software+Services solution stack with some cloud-based management. 

The initial version of Online Desktop Manager (ODM) will provide desktop management capabilities that are focused on software updates, spyware and malware protection, system monitoring, group policy, configuration management, and asset management.  ODM was demonstrated in the Day 2 MMS keynote, and below are links to some of the first screenshots of the ODM interface (from the blog of John Fontana, writing for Network World).

 System Center ODM shows Host Protection info 
 ODM shows malware cleanup info
 ODM shows update status  
 ODM shows update information

The new ODM service leverages our Windows Update technology, which has been protecting literally hundreds of millions of PCs around the world for years, and is now a very mature technology.  And the ODM console itself is based on Microsoft's Silverlight browser plug-in, as you might expect, which runs on Internet Explorer, as well as Firefox, Google Chrome, Safari and other browsers.

It was revealed that we are planning to launch a private beta of ODM in the near term, and that there will then be a public beta sometime before the end of this calendar year.  Of course the “live date” will be some months after that, so don’t expect to see this service available until sometime in 2010.   Of course, this is just another step, or milestone if you will, in our strategy to provide Software + Services solutions to our customers and partners, which involves being able to offer not only online, but on-premise solutions across a range of technology.  Most of you are already familiar with Microsoft Online Services, including BPOS, which provide infrastructure software via online services for those who want to leverage the capability.  But, as you know, it’s all about choice with our strategy, so if you’d rather rely on an on-premise infrastructure, at least with Microsoft solutions, you have that option too.

Back to ODM, once the service goes live, Microsoft plans to do updates at least every six months.  And, according to Brad Anderson, general manager of the management and services division at Microsoft, ODM will eventually include software distribution functionality (ala System Center Configuration Manager), as well as federation with Active Directory identity features, and delegation of authority capabilities.

It is expected that the service will be most popular in the small and medium business space, which is typically made up of businesses without major investments in System Center tools which would be run on premise.  I’m thinking this will also be very good news for many of our SMB partners as well, since they can now leverage these cloud services to provide robust management for their customers’ desktops.

Bada BING, fagedaboutit to old-style searches, try this new “decision” support search solution from Microsoft
01 June 09 03:31 PM | ronaldg

Microsoft announced this new search service at the D7 conference last week and although it wasn’t scheduled to go “live” until June 3rd, it’s actually up and running today.  So check it out at http://www.bing.com/

Also, check out this page for lots more info on BING: Bing info on Microsoft PressPass site (includes links to press releases and reviewers’ guides and fact sheets)

If any of you had heard about our project code-named Kumo, this is basically the release version of that.  One of the most interesting things here is that Microsoft is not looking to launch just another search engine, but rather a “decision engine” that provides more than just a list of web pages that you have to sort thru many times to find what you’re really looking for.  In fact, research shows that a significant number of people actually use web search to find answers to questions or to get specific information, not just look for web pages that might have related info.  This research also showed that it took on average 3-4 sequential searches to finally get to the information they were looking for.  This is the limitation of current search engines that we are looking to address.  For sure, BING will still return Web results, but it also has built-in helper tools for searches that go beyond just finding Web pages, particularly when it comes to travel, shopping, health, and local info. 

The big deal here is that BING will increase the chances that you’ll get the answer you need right on the results page, without the need to click to another site, which, in the old search paradigm, still may not even have what you're looking for.  One of the key new features that facilitates this goal is the "quick-page preview," which displays text from pages in the results when you hover the mouse over the right side of a result's entry. I think this is going to be a killer feature; I’ve seen others already write that it's one of those "why wasn't that always there?" features that you quickly become dependent on.  But wait, as they say, there’s more - Bing has other features to help you get the answers you want directly on its results page such as “deep links” (e.g. you can search inside large sites without having to click into it, like track a package using a text box right in the results of searches on UPS or FedEx).  And there’s Quick Previews (look for the orange diamonds to the right when you hover over the search result descriptive text).   There’s also a feature called “Best Match” designed to make the “best” result stand out from the others and highlight the most potentially useful info.  And, also Instant Answers (type NWA 1420 or Samsung and see what you get right off).   Plus, Bing groups top search results into categories known as Web Groups. For more of the features coming to you in Bing, check out the reviewers guide in the PressPass link above.

One of the things you’ll notice right away that sets it apart is the sidebar on the left that you could also call a “nav bar”.  Starting with the first search page, the consistency of this new interface begins: The left sidebar is always there to offer options, categories, and filters to fine-tune your search results.  Thus, it lets you quickly get at relevant subsets of the topic you searched for.  The results are also localized, but know that you first have to tell it your location, which is one of the initial settings you can configure.  And, btw, the home page itself is also much more interesting than the plain white Google or Ask.com (note: if you click on the arrows at the bottom right, you can cycle thru previous daily home pages).  For instance, here’s today’s home page, note the informational “hotspots”:


Here’s a couple of screen shots of searches…


Well, I just wanted to let you know about this and encourage you to go take a look at http://www.bing.com/