By John Gruber
A few follow-up points to Monday’s “Good Times” fireball.
The most common counter-argument from those who disagreed with me is that my comparison between indoor plumbing and computing wasn’t fair, on the grounds that something like a toilet is a single-purpose device, whereas a PC must perform all sorts of various tasks. I.e., that a PC is vastly more complicated than a toilet.
My retort: OK, sure, a toilet is less complicated than a PC. But a PC is a platform, not a solution to a single specific problem. Broken apart into the component tasks, PCs start to look much less complicated. So I think comparing, say, toilets to email clients is a fair comparison.
Incompetent IT professionals are genuinely convinced that PCs are inherently so complicated that they cannot be expected to perform with high reliability and low maintenance. All over the world, this very week, they are being asked by frustrated friends and family, “Why is my email riddled with messages from this virus?” And they are responding, with authority and confidence, “Trust me, I’m a professional, this is just how it is. You string together a few million computers on a network and this sort of thing is inevitable.”
They (the incompetent IT drones) aren’t lying. They believe it. They believe it because they don’t really understand computers — they just know Windows. In the same way that peasants in Ethiopia can’t conceive of a country where even the poor have plenty of food, someone who only knows Microsoft software can’t conceive of a platform where computers just work.
Another argument is that if Outbreak — er, Outlook — didn’t exist, there’d be some other market-leading email application, and the same vandals who now target Outlook would target that application instead.
This fallacy implies that the natural state of affairs is a software monoculture, where everyone runs identical software. In the larger sense, the same argument holds that if it weren’t for Windows, there’d be some other dominant OS with 90+ percent market share; and that if there were no Microsoft, there would be some other monopolist ruling the industry.
I disagree. I think Microsoft and its success is an anomaly. Standard platforms are indeed natural, but with multiple and diverse implementations. Nature tends to favor heterogeneity, not homogeneity. Email, again, serves as a fine example. In the internet-standard world of POP, IMAP, and SMTP, there are numerous servers, and a downright plethora of client applications. Internet-standard email clients are not impervious to Trojan-horse style attachment viruses, but their variety does make them exempt from widespread attack.
Further, this fallacy implies that all software is written to Microsoft’s lax security standards. It is not. Like I wrote Monday, it used to be true that you could not possibly get or spread a computer virus simply by opening a particular email message. And that’s still true for the vast majority of email client software.
The rest of the industry does not share Microsoft’s “our customers demand powerful new features, not security” development model.
A number of readers also took issue with my dismissal of the importance of Outlook and Exchange’s calendaring features. Fine, for the sake of argument I’ll concede that networked calendaring is an essential service in today’s world.
That alone does not excuse the corporate world’s widespread adoption and reliance on Microsoft Exchange.
The fact that Exchange’s calendaring is tied inextricably to its proprietary email makes it an unacceptable platform. The Exchange/Outlook platform is quite simply a menace — not only to the organizations that use it, but to the world at large. People who do not use Outlook, who have never used it, are forced to deal with tens of thousands of Sobig-infested messages flowing into their mail spools.
That’s scandalous. Microsoft bears responsibility, but so too does every single organization whose computers were afflicted. To respond to this by sticking with Exchange/Outlook is outrageous. I mean, what are the odds that this will happen again? I’d say they approach 100 percent. Truly, a matter of when, not if.
Forget the plumbing analogy if you want. Let’s talk telephones. Would anyone tolerate a corporate phone system that exhibited similar vulnerabilities? Say, by placing tens of thousands of automated calls, non-stop, at all hours of the day, to your company’s customers and suppliers? No, of course not. Such a phone system would be thrown out tomorrow — even if it were conveniently tied to your company’s shared calendaring system.
At the end of “Good Times”, I linked to a Robert X. Cringely column that touched on several of the same issues. But I very much disagree with Cringely on one point. Cringely writes:
Now another question: Why are Linux computers gaining in popularity with large organizations while Macs, which are based after all on BSD Unix, aren’t? While there is certainly a lot to be said for Linux in competition with various flavors of Windows (Linux is faster, more memory-efficient, more secure, has more sources of supply, supports many more simultaneous users per box in a server environment, and is clearly cheaper to buy), the advantage over Macintosh computers is less clear.
Again, it comes down to the IT Department Full Employment Act. Adopting Linux allows organizations to increase their IT efficiency without requiring the IT department to increase ITS efficiency. It takes just as many nerds to support 100 Linux boxes as 100 Windows boxes, yet Linux boxes are cheaper and can support more users. The organization is better off while the IT department is unscathed and unchallenged.
I am not claiming that every organization should throw out its PCs and replace them with Macs, but the numbers are pretty clear, and the fact that more Macs don’t make it into server racks has to be based on something, and I think that something is CIO self-interest.
Macs reduce IT head count while Linux probably increases IT head count, simple as that.
Cringely goes wrong by assuming that Linux’s undeniably growing momentum is supported by a majority of the existing IT culture. It’s not, not at all.
Any revolution away from corporate IT’s 20-year-old march along the path towards all-Microsoft all-the-time will come from above/outside the current IT culture, not from within. The problem isn’t just the overly-complicated, fragile, insecure software, it is also the people who espouse it.
In my experience, the staunchest Linux advocates tend to be the Good Guys — people with strong clues as to how computers really work, and who like Linux because they can see how things work and take personal responsibility for the network services they provide.
And conversely — although admittedly I don’t spend a lot of time these days in large corporate IT environments — it’s my experience that your typical IT drone knows next to nothing about Linux.
The people I see pushing for Linux aren’t saying “Let’s do the same thing we’re doing now, only without paying license fees to Microsoft.” They’re instead saying, “This is madness, we can and should do better.” That the software is cheaper than Microsoft’s matters, but that it is better is what matters most.
Complexity is not an excuse for low expectations. We’ve strapped men into giant rockets loaded with jet fuel, propelled them into space, and landed them on the moon. That was complicated. And our expectation was that we’d get them back.
Why we don’t expect our email to work is beyond me.