
Wednesday, March 15, 2006

Quantifying the Potential of Wintel Windows


The investment banking firm Needham & Co have done a study that attempts to determine how much Apple would earn if the Mactel machines ran Windows natively.

Bottom line: 1 million more machines, a 22% increase in sales for Apple, and an 80% increase in market share (9.2%, up from 5.1%).

The article points out that the survey is biased because it surveyed college students, who are already more highly disposed to Macs than the general population. Fair enough, but what it doesn't consider is the corporate purchases that would come if Apple were just another hardware provider, like HP or Dell. Without any supporting data, I would guess that this number would dwarf the ones above.

posted by Brian at 12:23 AM


18 Comments:

  • Of course, if Apple were "just another hardware provider", what happens when "Macs" running Windows inflict their users with the same problems that are currently experienced by other hardware providers?

    I think it's a given that sooner or later there's going to be a dual-boot system for mere mortals. This, to me, isn't really going to be a big deal. The big deal would be the ability to launch Windows applications within Mac OS, so that you can run anything you like while still getting the overall advantages of the rest of the operating system. I can do this already with OS 9 and earlier Mac apps and X11 applications, so a copy of cohabitating Windows would make my computer pretty much a universal translator.

    That's why I'm keeping my eye on Darwin WINE development, since WINE is exactly the model I'm discussing. However, it's already announced that you'll be able to pull up a Windows layer within OS X as soon as Microsoft releases the next version of Virtual PC. Presumably there will be a method of booting directly into Windows -- but why would you want to?

    By Anonymous Jeff Porten, at 8:11 PM, March 15, 2006  


  • Because they need a Windows machine, that's why.

    I know we've had this discussion a hundred times, but you still maintain this implicit theory that anyone using Windows is doing so because they're either ignorant or stupid.

    I agree with you that OS X is a better OS on its own merits - it's newer, better architected and more secure.

    That being said, I could not do my job with a Mac. My office environment wouldn't support it, either because the technologies don't talk to each other, or because no network administrator would dedicate time or resources toward supporting the non-standard device. The applications I use in the office have not been tested on it, so any client-side problem I encountered would have to pass through the "is it OS X?" step before real debugging could begin. Finally, the documents I'd share with my colleagues, business partners, vendors, etc. would regularly appear slightly differently to me and to them. This is the smallest of the concerns, but still a real issue (heck, you and I spent significant time discussing the differences on this website between the two browsers, and this isn't exactly rocket science...)

    If Apple were just another hardware provider, folks who like the look of their hardware, but still needed a Windows box could buy one (about a million of them as per the Needham study). Corporate environments, I posited, would also get on board, if it could be proven that the hardware is truly compatible with the environment. That could mean a lot more than a million new machines.

    By Blogger Brian, at 11:21 AM, March 16, 2006  


  • Ommmmm... do not engage Brian with a hangover. Do not engage Brian with a hangover. Do not.... Oh, to heck with it.

    Yes, we will have this conversation hundreds of times more because we never seem to listen to each other.

    I do not think that anyone using Windows is ignorant or stupid. There are too many of you. I do think that many people using Windows have an incomplete grasp of ROI, or an inflated grasp of the concomitant costs of using a Mac.

    Anecdotal evidence only, but I'll note that I stopped being a Mac consultant in the mid-90s in favor of being a Mac/Internet consultant. Why? Because my Mac clients, who were very happy with my work, only needed me once every few months. Rule of thumb, supporting SOHO clients and small businesses, a successful Mac consultant needs a client roster of eight times as many clients as his Windows counterpart, because a Windows consultant is likely to get much more regular bread-and-butter work supporting his clients. In twelve years, I've landed one such Mac client, and that's because they run servers and their level of complexity is much higher.

    It has also been my experience, when acting as the Mac IT guy in a mixed shop, that I could make the Mac/Internet functions run more smoothly than the Windows functions, even when the other side had an entire team devoted to it.

    You do not need a Windows machine. You may need to run Windows software -- and my premise with WINE is that you would do so natively within the OS X interface. If the Mac won't talk to your office network, that's not a technological function, that's a business practice function -- as a Mac will talk out-of-the-box with damn near any network you care to throw at it. And can do so with an arbitrary level of security from basic to mathematically bulletproof. The obstacles in the way are based on your company's business decisions -- and perhaps they may have been previously justified, but when you ask me to route around boneheadedness, I'll tell you why I bill by the hour.

    That being said, if you take 25 users, take their entire IT support load out of your internal department, and support them with one Jeff on a purely contractual and as-needed basis, how much does that save in ongoing costs? I assure you I can integrate such groups into any larger organization as needed. Scale upwards as necessary with more Jeffs or my full-time equivalents. When you hear, "I can't" from the existing IT groups, I smell turf warfare more than a true understanding of the technical problems.

    Re debugging, "is it the OS?" is *always* the question you ask after debugging the application layer. If the OS isn't OS X, then you're debugging the Windows internals. The imposition of OS X just means that instead of working through a forest of possible problems, you would have one ancillary checklist. Which, if it's more difficult to your existing IT staff, again shows a problem in HR rather than IT.

    Re document appearance, yes, it is annoying that Microsoft can't figure out how to make its own software interoperable. It is true that your widows and orphans won't look the same as my widows and orphans. It is also true that this straw man won't stand up to a good sneeze, since the only time you care about this is when you're doing publishing. If you want a document to ship identically, there are plenty of non-Microsoft technologies that fit this bill nicely. Or, of course, you can just run Office for Windows on your Mac.

    Meanwhile, re the downside of Apple being "just another hardware provider", note the massive coverage of the Mac "vulnerabilities" of the last three weeks -- in quotes because you really have to bend over backwards to get yourself hurt by them. Note the massive level of FUD out there from people thinking that Mac-on-Intel makes them vulnerable to Windows viruses. The first Apple that ships supported with Windows and then proceeds to suck will kill the brand, and never mind the fact that it will be the non-Macness of it that does so. OTOH, users that *hack* Windows onto their machines, and then have them suck, have no brand impact whatsoever.

    Apple already ships a multi-OS computer. Out of the box with OS X and a version of BSD Unix. Installable with Linux and various other Unix flavors. Fully supports numerous X11 window managers, interoperable with Mac OS. Backwards compatible with Mac OS 9 (on PowerPC systems). Emulation layers for Windows (on PowerPC, and shortly for Intel). Emulation isn't nearly as good as intermixed windows, though, which is why I'm looking forward to drinking some WINE.

    By Anonymous Jeff Porten, at 1:36 PM, March 19, 2006  


  • Jeez...that was some hangover.

    You do not need a Windows machine. . . If the Mac won't talk to your office network, that's not a technological function, that's a business practice function

    You're right, but that doesn't make the problem go away. If I had a Mac at home, I could not connect with my office network. Period. Why doesn't really matter.

    That being said, there are a few technical issues: my employer has custom coded an application that configures a remote connection, launches our standard VPN client, establishes the connection, and monitors traffic. I have no idea if that will work through emulation, but I'd bet it would take tens of thousands of dollars to test (given the variability of the configurations in various states & countries).

    Re debugging, "is it the OS?" is *always* the question you ask after debugging the application layer.

    No. If you've got a standard platform and the app doesn't work, you tell the developer to go fix it. Once you support more than one configuration, you lose the ability to do that.

    It is true that your widows and orphans won't look the same as my widows and orphans. It is also true that this straw man won't stand up to a good sneeze, since the only time you care about this is when you're doing publishing

    Also not true. At my previous employer, there were standard Word and Powerpoint templates folks needed to use (in addition to a standard hardware platform). The purpose of these was to avoid legal issues with non-standard language & formats in legal documents. I'll refer you here for an example of what incompatible software can mean, even in today's day and age. Footnote formatting, proper display of tables, and proper captioning of charts/graphs can be the difference between an enforceable contract and a legal mess.

    By Blogger Brian, at 12:18 AM, March 20, 2006  


  • I will reply with the following one-act:

    Brian: "I've decided to beat myself in the head with a hammer."

    Jeff: "You might be more comfortable using this Nerf bat."

    Brian: "I can't. It's incompatible with the existing dent in my head."

    my employer has custom coded an application that configures a remote connection, launches our standard VPN client, establishes the connection, and monitors traffic. I have no idea if that will work through emulation, but I'd bet it would take tens of thousands of dollars to test

    If your employer used Internet standards, I could have that up and running on any Mac shipped since 2003 in under ten minutes. Everything you list here is built into the OS. If your employer locked it down with Windows-only technologies, by design you'd need the ten thousand dollars of testing. That's not a problem with the Mac, it's a problem with your hammer.

    No. If you've got a standard platform and the app doesn't work, you tell the developer to go fix it. Once you support more than one configuration, you lose the ability to do that.

    Man, if you've got such low standards for your developers, I really want to work for you. Where do I send my resume?

    Also not true. At my previous employer, there were standard Word and Powerpoint templates

    Again, you say that you insist on cross-platform compatibility, but only with the tools that are notably NOT cross-platform for your requirements. I *can* solve the problems you list, and rather easily. What I can't do is solve the problems you list, following the procedures you dictate that guarantee that your problems are insoluble.

    But I'm starting to understand why working for companies like yours is so lucrative. For my clients, these are things that we take care of before lunchtime so we can get down to the real work.

    By Anonymous Jeff Porten, at 3:59 PM, March 20, 2006  


  • If your employer used Internet standards, I could have that up and running on any Mac shipped since 2003 in under ten minutes. Everything you list here is built into the OS. If your employer locked it down with Windows-only technologies, by design you'd need the ten thousand dollars of testing. That's not a problem with the Mac, it's a problem with your hammer.

    Sigh...

    I'm sure the code would run on a Mac with little or no changes (with the possible exception of the VPN software, which may or may not be available for a Mac). The costs I'm discussing are not development costs, they're testing costs. Trillions of dollars and megs of non-public customer data travel through these systems each day. No one supporting that kind of environment is going to test for 10 minutes and then claim it's bulletproof because it uses well known standards. They're going to try and break it.

    I'm (still) not suggesting the Mac environment is more expensive or inferior in any way. I'm just saying it's a second environment, and two is always more expensive than one. Especially when there's no real reason to have two.

    I *can* solve the problems you list, and rather easily. What I can't do is solve the problems you list, following the procedures you dictate that guarantee that your problems are insoluble.

    See, there's the thing right there: I didn't say I HAD a problem - you did. It's true that we can't add a second, totally unnecessary configuration to our internal systems without significant cost. But to suggest that this reflects poor architectural choices is like suggesting that the Berlitz Spanish course is poorly designed because it leaves you totally unprepared to speak German.

    What I did say is that, given the indisputable fact that thousands of companies have configurations similar to ours, Apple would see a financial benefit by making itself eligible to participate in our market.

    I don't think anything we've debated above changes that fact...

    By Blogger Brian, at 9:36 AM, March 22, 2006  


  • I'm sure all of this is true, it's just that it makes you sound very very silly.

    Question: you set up a mail server at work. You say that you can't rely on standards, so do you test the SMTP layer? The TCP layer? The IP layer? Do you run $10K of tests making sure that port 465 isn't accidentally opening on port 464.5 by accident?

    Or do you trust that all of the standards will work, and skip straight to the part where you hammer the higher-level functions for flaws? I suppose when you install a new phone, you have a team of engineers to ensure that the dialtone upper frequency is exactly 440 hertz?

    You're absolutely right -- when I set up a network connection over SSH for a client, we do absolutely no testing of the security of that connection. That's because the protocol has been around for decades, and millions of people have already hacked at it and refined it. I get a weekly mailing from the federal government that tells me exactly how much I need to worry about any of the standards we're using.

    That's why we can get this finished before lunchtime. Still sounds to me that if I worked for you, I'd be getting some very nice lunches indeed.

    with the possible exception of the VPN software, which may or may not be available for a Mac

    An L2TP and a PPTP compliant client are built in. You're right that there are some VPN flavors out there that need more software, or don't work at all without jumping through serious hoopage, but seeing as how L2TP is mathematically bulletproof for the next two billion years or so, I'm not quite sure why your requirements docs would ask for anything else. Unless, of course, your vendor or IT staff want to generate some lock-in.

    No one supporting that kind of environment is going to test for 10 minutes and then claim it's bulletproof because it uses well known standards.

    You read Bruce Schneier, right? In which case, you know that being "well-known" is one of the requirements for being bulletproof. That is, complete knowledge of the algorithm is necessary for complete confidence.

    Of course, you're right that I hack at any system I build, sometimes for far longer than 10 minutes. But what we're testing for is weaknesses at the junctions between layers. What unique aspects of my environment introduce flaws that won't be found in a stock model? But the security of each piece in and of itself? Sure, I trust that. Because it's well-known, and tested, and its flaws have been well-documented (and hopefully, fixed).

    I'm just saying it's a second environment, and two is always more expensive than one. Especially when there's no real reason to have two.

    I understand that you believe this. I'm also saying that in my (rather extensive, IMHO) experience, the costs of a Mac environment have always been far lower than my Windows counterparts, and in those cases where I have moved functions from Windows to Macs I've given my clients serious cost savings. So from my vantage point there are very good reasons to have two environments, because then you can choose the best tool for any given task.

    Stipulated that I don't work in enterprise and my results may not necessarily scale. However, I can say that the systems I built would have scaled quite nicely, when there was call to build for that.

    I didn't say I HAD a problem - you did.

    We're back to angels dancing on pins here. It's my perception that your problem is similar to the guy with the Model T who thinks that getting out and cranking the engine in the snow is just part of the cost of driving. The only way this point will ever be resolved is if one or both of us begin to use the other's OS in a serious way. I don't expect that to happen anytime soon; personally, I don't have enough time to keep that system secure.

    But to suggest that this reflects poor architectural choices is like suggesting that the Berlitz Spanish course is poorly designed because it leaves you totally unprepared to speak German.

    Yes, but I'm thinking that you're taking your Spanish class to prepare for a trip to Vienna.

    Yes, I am the Guantanamo for innocent metaphors.

    Apple would see a financial benefit by making itself eligible to participate in our market.

    Of course it would -- and do you doubt for a second how thrilled I would be to seriously be able to pitch myself to you for work? But the way to do this is not by becoming just another commodity hardware vendor running Windows. I've seen what it did to Apple's reputation when they allowed clones, and again, I can't emphasize enough how much work it's been to dispel the gleeful and inaccurate rumors about how Macs are now vulnerable to attack.

    Make you a deal -- when I can show you a Mac OS computer that can run Windows apps transparently, let's resume then and you can tell me all the reasons why you still can't buy one.

    By Anonymous jeff Porten, at 10:22 PM, March 22, 2006  


  • Wow, this is getting longer & harder to follow with each post. I'll break away from point-to-point and try to summarize:

    1) The testing you're talking about is component testing. I agree that you don't component test products that have already been component tested thousands of times. The testing I'm talking about is integration testing, where you've put together multiple components into a new system and want to see if they perform the business functions for which they were intended. No one's testing dial tone frequencies or SMTP layers in a mail server. They are, however, testing the several hundred ways a person can enter the network and making sure that the system as a whole keeps intruders out in every case. Let's be honest - if your account number fell into the hands of a hacker, you'd be first in line to blame a bank for not properly securing the data. The cost of testing is proportionate to the risk involved in having it fail, not to the complexity of the software.

    2) Macs are vulnerable to attack, in the sense that every system ever built is vulnerable to attack. I don't think it's any accident that the first attacks began as soon as the company released some products that approached enterprise strength, and if they continue to grow their market share, the number of attempted attacks (and, by definition, the number of successful ones) will also increase. I'm confident that these systems will outperform Windows in this area, but the folks who are still sticking to the negative proof model (whereby every exception is disproven in order to suggest that the thesis is still true) are approaching freefall speeds on a very public slippery slope.

    3) Re: me using a Mac, we seem to have jumped over into a second argument. If I had a Mac at home, I could certainly accomplish a great deal of what I do with my home machine. No argument there. But, there are notable exceptions. These include connecting to my employer's network, creating documents that would be considered acceptable to send to colleagues, business partners, or vendors, and ditto for my wife's work. And those are deal breakers.

    By Blogger Brian, at 12:19 AM, March 24, 2006  


  • The testing I'm talking about is integration testing, where you've put together multiple components into a new system and want to see if they perform the business functions for which they were intended.

    Of course. Those of us in SOHO have to integrate, as well. My generic point is that systems which do not accommodate themselves readily to good tools can themselves be questioned. You seem to be saying that since your enterprise has already decided on an architecture that excludes Macs, Macs should adjust themselves accordingly. I see huge potential harm for the Mac market if that were to happen.

    Naturally, this doesn't mean I think you should run right out and re-engineer your entire system to be cross-platform. I expect it's the same question I have with a new client -- what are the costs of a given transition versus the benefits of that transition? It works the same way whether you're talking about a purchase of $1,000 or $10M.

    A far better strategy for Apple, IMO, which they seem to be following, is just to put out good hardware with solid Unix server cores. Maybe you're not going to buy them tomorrow. But the idea is to crack you open, one business unit at a time.

    And as I've noted before -- large new markets bring along high numbers of unqualified consultants. I actually prefer the incremental strategy, because if we started seeing exponential market growth, it wouldn't be long before every new client I spoke to was burned by previous incompetents. That happens pretty often already when I'm doing web work.

    Let's be honest - if your account number fell into the hands of a hacker, you'd be first in line to blame a bank for not properly securing the data.

    Absolutely. And what's the most common reason for this to occur? A company going with a single vendor and not staffing their IT accordingly. Sorry, but my first question when I hear about a crack is to find out what OS was running the server in question -- you want to lay odds on how often it's Microsoft?

    The cost of testing is proportionate to the risk involved in having it fail, not to the complexity of the software.

    As I think I've mentioned before, the work I do is on core business functions for my clients. Granted, we're not talking billions in losses if it fails. But we are talking critical. I think you forget that sometimes.

    Macs are vulnerable to attack, in the sense that every system ever built is vulnerable to attack.

    I really need to write a macro to answer the next few points.

    Yes, Macs are vulnerable to attack. They are, however, much less vulnerable, and that is at least in part due to design. You can die in a car crash driving a Miata or a Volvo. Does that mean we shouldn't compile statistics?

    I don't think it's any accident that the first attacks began as soon as the company released some products that approached enterprise strength

    Sorry, that's wholly inaccurate. I've been cleaning viruses off Macs since 1985. The difference between those viruses and the new ones is that you're hearing about them. And that gets more into news coverage of IT than anything else.

    I really don't want to digress onto the topic of hacker motivations, but if you read anything about why people write malware, you'll see pretty how specious this argument is.

    if they continue to grow their market share, the number of attempted attacks (and, by definition, the number of successful ones) will also increase

    Hogwash. You can throw as many rocks as you like at a tank, the tank isn't going to stop running. More attacks do *not* mean more successful attacks.

    To rephrase your argument to something I'd agree with -- yes, the more people using Macs, the larger the pool of incompetent people who are administering them. Therefore, it's more likely that some Macs can be compromised. But this risk is greatly lessened by the fact that Macs (and most 3rd-party software) ship so you have to be a dedicated idiot to make yourself vulnerable.

    Dedicated idiots are not hard to find. But they're still not likely to create a thriving ecosystem for viruses. Your Mac will continue to be safe for the same reason that you don't need a flu shot if most of your neighbors get one.

    the folks who are still sticking to the negative proof model (whereby every exception is disproven in order to suggest that the thesis is still true) are approaching freefall speeds on a very public slippery slope.

    That might be true. Such analysts are idiots. The analysts I read who write about the Mac environment (and who also tell me about life in your world) don't make such statements.

    there are notable exceptions. These include connecting to my employer's network, creating documents that would be considered acceptable to send to colleagues, business partners, or vendors, and ditto for my wife's work.

    Next time I'm at Chez Greenberg, I challenge you to come up with an instance of the above that I can't solve in under an hour. This is part of what I do. Stipulated that your work network might be designed such that I can't route around it, but documents? Sherry's work? Should be cake.

    Of course, all of the folks who aren't my friends, and who therefore can't buy me off with conversation and bagels, would have to decide whether this kind of work was worth the time and money. But I strongly suspect that this kind of thing is far easier than what you're thinking.

    By Anonymous Jeff Porten, at 8:03 PM, March 24, 2006  


  • You seem to be saying that since your enterprise has already decided on an architecture that excludes Macs, Macs should adjust themselves accordingly. I see huge potential harm for the Mac market if that were to happen.

    No, Apple should not adjust their go-to-market strategy just to work in my enterprise (although my enterprise does have >130,000 users in it now). But if they were to adjust to my enterprise, they could sell upwards of a million more machines in the coming year (as per Needham & Co), and that's just in sales to individuals. Conservatively, I bet it's at least double that.

    You refer to this scenario as "huge potential harm for the Mac market." I think you're right - the Mac market, as it exists today, is a small and vocal group of folks who go apoplectic anytime someone suggests a flaw in the Mac environment, no matter how small. If they ever got into the hardware business in a serious way, this group would certainly erode, and the user base would be much more like the Dell user base: Some fans, some critics, and most customers saying, "Oh, is this machine a Dell? Whatever..."

    More attacks do *not* mean more successful attacks.

    You know WAY too much about probability & statistics to type a sentence like that. I agree the odds are better with Mac than with Windows. But I can also be fairly confident, without any knowledge of the environment at all, in saying that it hasn't really been tested yet, because it hasn't had a significant target on its back.

    You were right when you said that the difference in Mac malware now is that folks like me are hearing about it. If Apple does decide to double their marketshare overnight, I'll hear about it a lot more. Doesn't mean it's not the right thing to do...

    Next time I'm at Chez Greenberg, I challenge you to come up with an instance of the above that I can't solve in under an hour. This is part of what I do. Stipulated that your work network might be designed such that I can't route around it, but documents? Sherry's work? Should be cake.

    You're not getting this: If I were to find a way to connect to my work network with a Mac (or even with a non-firm-owned Windows machine), I could be fired on the spot. Period. End of discussion. You can't change that in an hour.

    On the softer side, if I were to send a Word document to my colleagues that came up on their screen with misaligned tables, poorly formatted charts & graphs, etc., they would likely consider me either a) an idiot who couldn't figure out how to use Word, or b) a guy who was too lazy to proofread his documents before sending them out. Same goes for Sherry. In fact, more so for her, since her documents tend to be chapters in text books, which rely heavily on footnotes, complex charts, etc.

    Now, before I go too far on this point: I have no idea just how incompatible Mac's MSWord is from Windows' MSWord. Maybe they're close enough in 95% of the cases. But since I can use the Windows version, and it's cheaper and safer for me to do so, it simply makes no sense for me to do anything else.

    By Blogger Brian, at 1:44 AM, March 25, 2006  


  • You refer to this scenario as "huge potential harm for the Mac market." I think you're right - the Mac market, as it exists today, is a small and vocal group of folks who go apoplectic anytime someone suggests a flaw in the Mac environment, no matter how small.

    Once again you show your knack for saying innocuous things in infuriating ways. Yes, there are Mac users like this. Not the majority of us, and not me.

    You're saying that Apple would sell more hardware if they booted Windows. I don't disagree. But Porsche would probably sell more cars if they stripped down the engine and created a boxier chassis. The question is, would people still think of those cars as Porsches?

    It seems to me that Apple's major brand value is precisely that most people don't think, "Oh, is this an Apple? Whatever...." And if they lost that, they'd be in danger of having their lunch eaten by Dell.

    For the record, I do think we're going to see some sort of dual environment. I don't think it'll be dual-boot, because that's much more inelegant than Apple likes to be. It will be very interesting to see what happens if Virtual PC runs at native speeds. And I still think the killer app will be Windows-within-Mac interoperability.

    But it sounds to me like, you could have any of the above, and you still wouldn't use them. In which case, yes, I would say I'd rather not see Apple cripple their hardware to make themselves more attractive to you.

    But I can also be fairly confident, without any knowledge of the environment at all, in saying that it hasn't really been tested yet, because it hasn't had a significant target on its back.

    Apologies for saying so, but you clearly have no knowledge of the environment at all, either technical or biz. There's certainly enough crucial market data being stored on Macs to make some businesses a Mac target. The servers I administer are regularly attacked, as is literally every other public IP on the Internet.

    But the point you're truly missing is how much of these hacks are being done for bragging rights within the black hat community. Any machine that claims to be secure is a target, just for the challenge. Doesn't matter if it's got market share or not.

    I read instructions last week on how to hack the card readers at Kinkos. Every computer is a target. If you don't think Macs are, you're not paying close enough attention. And passing from fact to opinion: a) given that Macs have a large enough population now; b) given that Mac's OS has been tested in vivo for over 30 years; therefore c) no, I don't think a rapid increase in market share will increase Mac vulnerabilities, with the crucial exception that more idiots who think they know what they're doing will be in charge of one.

    You were right when you said that the difference in Mac malware now is that folks like me are hearing about it. If Apple does decide to double their marketshare overnight, I'll hear about it a lot more.

    If I understand you right, you mean that you'll be hearing about more Windows malware that Macs would be susceptible to, since you want an identical boot environment in different hardware. Right?

    You're not getting this: If I were to find a way to connect to my work network with a Mac (or even with a non-firm-owned Windows machine), I could be fired on the spot.

    *sputters*

    What?

    Can I list the different kinds of dumb this is?

    First -- you're a semi-poohbah. So this ensures that if you don't have the right piece of work-issued hardware, you're not allowed to get your job done with anything else. Nice trust issues.

    Second -- you're working for your company at least in part because you have geek cred. So this isn't a support issue, or shouldn't be. If you can get it to work to make your life easier, then you should be able to. Does the company also require you to use ballpoint pens rather than gels?

    Third -- and most important -- this seems to me to be a misguided attempt at security. I.e., "we only know our network is secure because we have it locked down end to end." WHICH IS INSECURE. A secure network should remain secure if you connect it to anything from a PowerBook to a toaster to Rom the Space Knight.

    You hook up a different computer to the network, you shouldn't get fired. The guy who was supposed to prevent you from doing this gets fired. But first I'd fire the guy who came up with the policy in the first place, because I guarantee you that with these kinds of procedures, you've got a hole in your security somewhere. The only people who are allowed to test it are the people who aren't supposed to be there.

    if I were to send a Word document to my colleagues that came up on their screen with misaligned tables, poorly formatted charts & graphs, etc.

    Well, yes, you would be an idiot. Because you didn't learn how not to do this.

    I'm going to skip the Office discussion, only because it's more religious than what's gone before. Suffice to say, your presumption that it's cheaper and safer makes statements about your OS, and the value of your time, that I don't think are valid.

    By Anonymous Jeff Porten, at 6:29 PM, March 25, 2006  


  • It seems to me that Apple's major brand value is precisely that most people don't think, "Oh, is this an Apple? Whatever...." And if they lost that, they'd be in danger of having their lunch eaten by Dell.

    And I'm suggesting that if they lost that, they might see a degradation in the "zealot" market, but trade it for a significant slice of the overall PC market (in effect, eating a little of Dell's lunch, rather than the other way around).

    By the way, if brand image was the only problem, it's one that is easily solved: Disney created Touchstone so it could distribute non-animated movies, United launched Ted so it could offer cheap flights without degrading their brand, companies like Coca Cola and Anheuser-Busch have dozens of brands each, and I know I don't have to tell you about Phillip Morris / Altria.

    Can I list the different kinds of dumb this is?

    Oh, boy...

    First -- you're a semi-poohbah. So this ensures that if you don't have the right piece of work-issued hardware, you're not allowed to get your job done with anything else. Nice trust issues.

    But I do have the right piece of work-issued hardware. As does everyone else who needs it.

    As to your other point, I seriously need to see about getting "semi-poohbah" on my business card...

    Second -- you're working for your company at least in part because you have geek cred. So this isn't a support issue, or shouldn't be. If you can get it to work to make your life easier, then you should be able to. Does the company also require you to use ballpoint pens rather than gels?

    OK, even though it makes me wince when you say it, it's my turn to tell you that you really don't understand this. In the last fifteen years, I've had login IDs on the corporate networks of more than thirty firms, each of which has more than 5,000 employees and more than $1 billion in revenue.

    EVERY SINGLE ONE OF THEM has a standard hardware platform for employees. Anyone who tried to log on with another platform was either denied access or provided limited access (this was principally for consultants or other outsiders who had legitimate reasons to be logged on).

    Almost all of them have standard software builds as well. In fact, I spent six months at one firm (which I won't name here) that had roughly 80 software builds and had hired a consulting firm to discuss the feasibility of moving to 1. Last I heard, they were considering reducing it to 10 or 15.

    Third -- and most important -- this seems to me to be a misguided attempt at security. . . .You hook up a different computer to the network, you shouldn't get fired. The guy who was supposed to prevent you from doing this gets fired.

    No. He gets fired if I hook up a different computer and it works. I get fired because I don't know how to follow simple corporate procedures.

    Remember - this isn't only a network security thing. If I'm a developer and have (legitimate) access to non-public information, all I have to do is open one of my application's files in a browser, and now that data is sitting in the cache on some internet cafe's machine. Do you want your account number in that file?

    But first I'd fire the guy who came up with the policy in the first place, because I guarantee you that with these kinds of procedures, you've got a hole in your security somewhere. The only people who are allowed to test it are the people who aren't supposed to be there.

    OK, just in case anyone I work with is reading this, I feel the need to state outright: neither I nor Jeff know of any holes in our network security (all "guarantees" aside). We don't count on evil-doers to test our security. We have a team of people that do this internally. In fact, I believe this entire discussion began when I suggested that those people would need to spend more than ten minutes (your estimate) regression testing the environment in order to allow access with another hardware configuration.

    By Blogger Brian, at 2:30 PM, March 28, 2006  


  • And I'm suggesting that if they lost that, they might see a degradation in the "zealot" market, but trade it for a significant slice of the overall PC market

    I'm completely failing to follow your line of reasoning regarding Apple hardware making inroads into your market if only they would boot Windows. Yes, our boxen are shinier and have more doodads, on the whole. Dell, however, is much more kickass at selling Windows servers since Apple's team is trained to sell OS X servers.

    As I understand you, you're suggesting that Apple should ship Windows-boot machines. Presumably, this would be in addition to Mac-boot machines. So I don't see much of a loss to the zealot market—people who love Mac OS and who get pissed off at Apple don't have anyplace else to go.

    So, no, I don't see much damage to the existing market. And maybe your colleagues do want Windows laptops with glow-in-the-dark keyboards. But I still maintain that Macs booting Windows as an alternative to Mac OS makes as much sense as Godiva selling chocolate bars at 7-11 for fifty cents.

    Dual-boot or a crossover OS, though, sounds very interesting to me. So part of my sputtering indignation is hearing that that's not going to fly. Never said that I was being wholly rational, mind you.

    if brand image was the only problem, it's one that is easily solved

    I would love to hear you explain how you think Apple could do this with a spinoff. Without sarcasm, it's quite possible you have an idea here that is so brilliant that you could convince me.

    I do have the right piece of work-issued hardware.

    It just seems silly to me to make your value to the company only as reliable as an internal 7200 RPM hard drive. I presume that there is a measurable amount of HR wastage due to downtime of sanctioned computers.

    I seriously need to see about getting "semi-poohbah" on my business card...

    I once ran a nonprofit and had business cards saying I was the "Benevolent Dictator." The co-founder was the "Grand High Poohbah". We never quite figured out who ranked whom.

    I've had login IDs on the corporate networks of more than thirty firms

    Man, you Wharton guys are promiscuous. No wonder you need anti-virus software.

    EVERY SINGLE ONE OF THEM has a standard hardware platform for employees.

    Hey, here's a question you won't believe:

    Why?

    I ask this, because at my client sites[1], we put a high value on making sure our systems are as agnostic as possible. Easier to support the client's user base; easier to support the client. And allows us to make upgrade decisions and allocate limited budget funds more wisely.

    But more importantly—and I freely admit that this is probably a philosophical difference—I frequently see it as my job to improve my clients' productivity and work satisfaction by giving them as much room for self-customization as possible. Independent of which OS you standardize upon, the kind of lockdown I'm hearing you discuss ensures that your entire employee base has to adjust to suit the computer and IT staff, and not the other way around. You can see why this strikes me as a Dilbert PHB decision.

    [1] Of course, the sum total of all of my clients' revenue over their lifetimes might not crack $1 billion (leaving out those stints at Traveller's and Merrill Lynch) and I'm well aware that these things don't scale.

    I get fired because I don't know how to follow simple corporate procedures.

    So the corporate procedures are all Known Good because the corporate procedures say so?

    Let me rephrase the question: why is it that semi-poohbahs don't have the latitude to decide how they can best work for the company? In my experience, you can usually extend that kind of selection throughout a company, with judicious selection of where to apply latitude. I don't show technophobes how to use a Unix prompt, but I certainly will listen when an intern tells me that the mail server is just a pain in the neck to use for reason X.

    this isn't only a network security thing. If I'm a developer and have (legitimate) access to non-public information, that's all I have to do is open one of my application's files in a browser, and now that data is sitting in the cache on some internet cafe's machine.

    That's a network security thing. If your developer doesn't know how to encrypt the traffic and store the files on his own USB key, he needs to be taken out and beaten senseless with 128-bit certs. More to the point, your developers, I presume, are paid well enough to use their own damn laptops, so the only thing they need to do is get that SSH tunnel running over the public wifi.

    My point here—and let's just take it for granted that you will never hire me for anything—is that when I do my work, I'm 2-3x as productive on my laptop as on another Mac system, let alone a Linux or Windows box. 90% of the time I'm a keystroke away from anything I need to use, I've got 10 desktops, five user spaces, and let's not even get into the looney Dvorak keyboard thing. Heck, I don't even use a mouse.

    I've had clients ask me to use their hardware. I've told them, "No problem. I get paid by the hour. Do you really want me to work at half productivity?" Typically, I'm double-teaming my hardware with theirs within a week (and of course, following all the rules about what data goes where!).

    Granted, I'm not a typical computer user. But neither are you, and neither are some subset of your employees.

    Do you want your account number in that file?

    Right, because corporate-issued laptops are never stolen.

    I want my account number managed by non-idiots. If you have idiots working for you, then it doesn't matter what your policies are. My account number will be posted on USENET because they broke the policy, or because the policy itself made for a security issue. Remember, yellow sticky notes proliferate at companies with overly restrictive password policies.

    OK, just in case anyone I work with is reading this, I feel the need to state outright: neither I nor Jeff know of any holes in our network security (all "guarantees" aside).

    In case any of Brian's co-workers are reading this, let me state that aside from knowing Brian's Real Title and the name of your company, he hasn't told me diddly about you and I haven't asked.

    But here's why I used the word "guarantee". It's a classic theoretical security issue. Even presuming the competence of your internal security team (and their constant level of sufficient staffing), to some extent you're relying on security from obscurity, specifically in this case the obscurity that only a company-issued laptop has the magic bits to connect to the network.

    So let's say, for the sake of argument, that a PowerBook G3 running the OpenGL version of Quake can simulate the string of bits necessary to read your CEO's email. No employee of your company can ever discover this safely and report it to the responsible parties. The people who find it will be the hackers who tried it. And they're not likely to tell you about it.

    Personally, I'd tell my poohbahs, "Hey, try to break in. Use only the data that you think others can guess. Pretend your keychain is stolen. Tell us exactly what you needed to get in, and which bits of data really did keep you out."

    this entire discussion began when I suggested that those people would need to spend more than ten minutes (your estimate) regression testing the environment in order to allow access with another hardware configuration.

    Well, yeah, because at that point I didn't know how fakachted I'd think your system was. I'm still unclear on this question: I can design a mathematically secure, interoperable, cross-platform network for my clients using only standards. Such a system does allow modifications for future needs with 10 minutes of testing. I'm not sure what your system does for you that my simpler, cheaper, more flexible designs wouldn't.

    By Anonymous Jeff Porten, at 10:42 PM, March 28, 2006  


  • I would love to hear you explain how you think Apple could do this with a spinoff. Without sarcasm, it's quite possible you have an idea here that is so brilliant that you could convince me.

    Not a lot of rocket science here: Apple releases a line of machines called "Oranges," with the same chip, audio/video capabilities, ergonomics, etc. as the Apple line, only they run the Windows OS native (or, possibly, they dual-boot, as long as the corporate world doesn't declare the dual-boot option to be too much of an unknown quantity). For a while, everyone knows they're really just Macs running Windows, but after a while, people tend to think of them as different companies (like Disney and Touchstone). If Orange crashes & burns, the damage to Apple's brand would be minimal...

    It just seems silly to me to make your value to the company only as reliable as an internal 7200 RPM hard drive. I presume that there is a measurable amount of HR wastage due to downtime of sanctioned computers.

    Actually, the entire hard drive on my laptop is encrypted, and the standard data folders are replicated to the corporate network every time I connect. If I lost my laptop, I think I could be up & running again as soon as I got back into the office to pick up a new one.

    BTW, it's this kind of functionality that you'd lose if you could develop at an airport's internet terminal.

    At my client sites, we put a high value on making sure our systems are as agnostic as possible. Easier to support the client's user base; easier to support the client. And allows us to make upgrade decisions and allocate limited budget funds more wisely.

    Whoa - one second here. We're not talking about client-facing systems here, right? We're talking about internal networks. Client-facing systems are going to be as agnostic as possible[1]. Internal systems have the advantage of assuming a client environment, so you can save a bunch of money & time by not coding & testing all the differences.

    [1] "as agnostic as possible" being a cost/benefit calculation. We could test our apps to be compatible with Netscape Navigator 2.0, but whatever time & money we spent on it would hardly be worth the extra revenue, since no one uses that browser anymore. The same, sadly, may also be true for browsers like Safari and Firefox. As the user base shifts, I'm sure these decisions will change accordingly.

    when I do my work, I'm 2-3x as productive on my laptop as on another Mac system

    Heh... (trying to say this in the nicest possible way...) If you had the same work machine for several years in a row, you'd have those same 10 desktops, Dvorak keyboard, etc. on that machine too. I spent a good portion of my first couple of days at the new job configuring my "environment" to my liking. In week 5 now, and I'm still making minor tweaks as they come up. This practice is as old as deciding where to put the pencil sharpener on the desk - far before computers were an issue...

    I'm still unclear on this question: I can design a mathematically secure, interoperable, cross-platform network for my clients using only standards. Such a system does allow modifications for future needs with 10 minutes of testing. I'm not sure what your system does for you that my simpler, cheaper, more flexible designs wouldn't.

    Simple: Mine is a whole lot cheaper to build and maintain. The features you're talking about adding in take time & money to create, and I DON'T NEED THEM.

    It's not a beauty contest, it's a business. You don't get extra points for elegant designs, unless they do something that adds value.

    By Blogger Brian, at 12:26 AM, March 29, 2006  


  • By the way, for anyone who's curious: total comment wordcount to this point: 8,686.

    Total words in the original post (including the title): 123.

    Sigh...

    By Blogger Brian, at 12:29 AM, March 29, 2006  


  • Apple releases a line of machines called "Oranges,"

    Huh. You're aware that one of the first Windows-on-an-Apple cards was made by Orange Micro?

    the same chip, audio/video capabilities, ergonomics, etc. as the Apple line, only they run the Windows OS native

    Sigh. My point can be summed up by saying that the a/v capabilities and ergonomics of Macs, along with a bunch of other things, are intrinsic to the OS. A Windows-based PowerBook would by definition have only a subset of those abilities. And people using them would wonder why Apple isn't as good as they're supposed to be.

    If Orange crashes & burns, the damage to Apple's brand would be minimal...

    I just don't think that Business Week and CNBC would be fooled by this. Orange would always be "Apple's spinoff brand Orange".

    the entire hard drive on my laptop is encrypted

    Curious to know if you're using an open-source algorithm, or one where the cryptography is itself secret. No, don't tell me.

    BTW, it's this kind of functionality that you'd lose if you could develop at an airport's internet terminal.

    Aside from the difficulties of fitting an arbitrary amount of data changes over an arbitrarily small pipe, I'm not sure why. All you're describing here is a good backup strategy. I do the same thing securely with rsync and SSH tunnels, precisely because I want to have my backup made even when I'm not home to plug in the Firewire cable.

    Internal systems have the advantage of assuming a client environment, so you can save a bunch of money & time by not coding & testing all the differences.... I spent a good portion of my first couple of days at the new job configuring my "environment" to my liking.

    These strike me as being contradictory. Just to be clear, my 10 desktops are not Apple-issue, they're a third-party hack. Loosely speaking, I have about 50 such hacks running concurrently on my laptop, about 10 of which are Apple-sanctioned, and some of the rest are homebrewed.

    This is precisely the sort of thing I hear you saying as being unallowable on your network. Where am I misunderstanding you?

    Simple: Mine is a whole lot cheaper to build and maintain. The features you're talking about adding in take time & money to create, and I DON'T NEED THEM.

    By what metric? I'm talking about systems I can build for a client and then send a bill for a few hundred bucks. I can't imagine you have anything in your company where you spent that little on just the bagels and coffee for the spec meetings.

    total comment wordcount to this point: 8,686. Total words in the original post (including the title): 123.

    It's not the Constitution, it's the amendments.

    By Anonymous Jeff Porten, at 10:45 PM, March 30, 2006  


  • I just don't think that Business Week and CNBC would be fooled by this. Orange would always be "Apple's spinoff brand Orange".

    Yes, but BusinessWeek and CNBC will lose you investors, not customers. Has AOL's demise reduced viewership for Warner Brothers TV shows? Did the latest Touchstone flop reduce traffic in Disney World? Have the anti-smoking campaigns reduced sales of Kraft Foods? Brand separation is tried & true, and it works. I'm not suggesting Apple need go this way - I don't think there's too much in terms of overlap (i.e., I don't think people using Macs now are the target market for Apple-made Windows machines), but if they were concerned about that, it's an option.

    Just to be clear, my 10 desktops are not Apple-issue, they're a third-party hack. Loosely speaking, I have about 50 such hacks running concurrently on my laptop, about 10 of which are Apple-sanctioned, and some of the rest are homebrewed.

    This is precisely the sort of thing I hear you saying as being unallowable on your network. Where am I misunderstanding you?

    No, it was me misunderstanding you. I assumed the environment changes you're discussing were all legit (i.e., supported by the vendor). I assume I don't need to explain to you why we wouldn't use unsupported software in our environment, or "homebrewed hacks" (not that the software you've written isn't super-cool, mind you, just that the testing involved to make sure it didn't break anything would be (another) unnecessary cost.)

    By what metric? I'm talking about systems I can build for a client and then send a bill for a few hundred bucks.

    OK, I think we're approaching the end of this. I can't seem to convince you that changing an enterprise-wide environment takes significant testing (which costs money) and you can't seem to convince me that all the world's problems can be solved for a few hundred bucks.

    <stalemate>

    By Blogger Brian, at 10:36 AM, April 02, 2006  


  • If it makes you feel better, it's not the few hundred bucks, it's paying those bucks to me.

    I'll be glad to jack up my invoices for you if it makes you feel better.

    By Anonymous Jeff Porten, at 12:36 AM, April 05, 2006  

