Over at EmergentChaos, Adam asked what happens when "the Snail" gets 10x worse? I need several cups of coffee to work that one out! My first impressions were that ... well, it gets worse, dunnit! which is just an excuse for not thinking about the question.
OK, so gallons of coffee and a week later, what is the natural break on the shift in the security marketplace? This is a systems theory (or "systemics" as it is known) question. Hereafter follows a rant on where it might go.
(Unfortunately, it's a bit shambolic. Sorry about that.)
A lot of ordinary users (right now) are investigating ways to limit their involvement with Windows due to repeated disasters with their PCs. This is the the first limiting factor on the damage: as people stop using PCs on a casual basis, they switch to using them on a "must use" basis.
(Downloading Firefox is the easy fix and I'll say no more about it.) Some of those - retail users - will switch to Macs, and we can guess that Mac might well double its market share over the next couple of years. A lot of others - development users and poorer/developing countries - will switch to the open source Unix alternates like Linux/BSD. So those guys will have a few good years of steady growth too.
Microsoft will withdraw from the weaker marketplaces. So we have already seen them pull out of supporting older versions, and we will see them back off from trying to fight Firefox too hard (they can always win that back later on). But it will maintain its core. It will fight tooth and nail to protect two things: the Office products, and the basic windows platform.
To do that, the bottom line is that they probably need to rewrite large chunks of their stuff. Hence the need to withdraw from marginal areas in order to concentrate on protecting that which is core, so as to concentrate efforts. So we'll see a period characterised by no growth or negative growth by Microsoft, during which the alternates will reach a stable significant percentage. But, Microsoft will come back, and this time with a more secure platform. My guess is that it will take them 2 years, but that's because everything of that size takes that long.
(Note that this negative market growth will be accompanied by an increase in revenues for Microsoft as companies are forced to upgrade to the latest releases in order to maintain some semblance of security. This is the perversity known as the cash cow: as the life cycle ends, the cash goes up.)
I'd go out on a limb here and predict that in 2 years, Microsoft will still control about half of the desk top market, down from about 90% today.
There are alternates outside the "PC" mold. More people will move to PDAs/cellular/mobile phones for smaller apps like contact and communications. Pushing this move also is the effect we've all wondered about for a decade now: spam. As spam grows and grows, email becomes worse and worse. Already there is a generation of Internet users that simply do not use email: the teenagers. They are chat users and phone users.
It's no longer the grannies who don't use email, it is now the middle aged tech groupies (us) who are feeling more and more isolated. Email is dying. Or, at least, it is going the way of the telegram, that slow clunky way in which we send rare messages like birthday, wedding and funderal notices. People who sell email-based product rarely agree with this, but I see it on every wall that has writing on it [1] [2].
But, I hear you say, chat and phones are also subject to all of the same attacks that are going to do Microsoft and the Internet so much damage! Yes, it's true, they are subject to those attacks, but they are not going to be damaged in the same way. There are two reasons for this.
Chat users are much much more comfortable with many many identities. In the world of instant messaging, Nyms are king and queen and all the other members of the royal family at the same time. The same goes for the mobile phone world; there has been a seismic shift in that world over to prepaid billing, which also means that an identity that is duff or a phone that is duff can simply be disposed of, and a new one set up. Some people I know go through phones and SIMs on a monthly basis.
Further, unlike email, there are multiple competing systems for both the phone platform and the IM platform, so we have a competition of technologies. We never had that in email, because we had one standard and nobody really cared to compete; but this time, as hackers hit, different technologies can experiment with different solutions to the cracks in different ways. The one that wins will attract a few percentage points of market share until the solution is copied. So the result of this is that the much lauded standardisation of email and the lack of competition in its basic technical operability is one of the things that will eventually kill it off.
In summary so far; email is dying, chat is king, queen, and anyone you want to be, and your mobile/cellular is your pre-paid primary communications and management device.
What else? Well, those who want email will have to pay *more* for it, because they will be the shrinking few who consume all the bandwidth with their spam. Also, the p2p space will save us from the identity crisis by inventing the next wave of commerce based on the nym. Which means that we can write off the Hollywood block buster for now.
Shambolic, isn't it!
[1] "Scammers Exploit DomainKeys Anti-phishing Weapon"
http://story.news.yahoo.com/news?tmpl=story2&u=/zd/20041129/tc_zd/139951
[2] "Will 2005 be the year of the unanswered e-mail message?"
http://www.iht.com/bin/print_ipub.php?file=/articles/2004/12/06/business/netfraud.html
just FWIW ... http://finance.yahoo.com/q/bc?s=AAPL&t=1y&l=off&z=m&q=l&c=
Posted by: JPM at December 8, 2004 10:26 AMHoly Dooley! So the stock market agrees... To be fair, there are other factors: the iTunes success, the iPod success, and the IBM rumours. But, right now, I suspect that Apple could no wrong.
(I stuck the link into the body above, thanks!)
Posted by: Iang at December 8, 2004 10:29 AMI have to say that I think this is a pretty outrageous prediction, although I'll give you credit for not holding back. Microsoft will have only 50% of the desktop market in two years? I don't think even the most wild-eyed Linux and Mac enthusiasts would dare to make such a prediction.
As for email dying, maybe it's a generational thing, but I don't find that chat or phones are suitable replacements. Chat and phone calls are ephemeral, here today and gone tomorrow. It's fine for asking for a date but for anything more substantive you want something where you can keep records, and where you can compose a message. Blogs and their comments are much more like email in nature than chat. They produce an archive and a record that you can refer to, can link to. (These stupid tiny little blog comment boxes are barely adequate - why do you think 10 lines is enough of a window? Do you set your own text windows to one inch by three inches?)
As far as Microsoft's rewriting efforts, from what I understand they began that about three years ago. And we're beginning to see the fruits of that labor, as in XP SP2. I expect that we'll see continued security updates going forward, gradually improving the situation.
But much of what you're talking about, spyware, is actually installed voluntarily by users in exchange for software that they want to use. Spyware is not technically a security problem, since it was accepted voluntarily. It's an education problem, and pretty soon people will wise up. They'll use P2P software that doesn't install spyware, and that by itself will go a considerable way towards fixing the situation. They'll use SP2 browsers that aren't vulnerable to drive by spyware installs, and that will help too.
Like so many people, you're extrapolating linearly instead of recognizing that the nature of progress is oscillatory. Every action triggers an opposite (if not precisely equal) reaction. Spam and spyware are the latest triggers, and the reaction is only beginning.
I'll go out on my own limb (easy with a pseudonym) and predict that in two years, spam will be yesterday's news, and something else will be the new problem. And it won't be because people have stopped using email. It may have changed its nature, there may be a parallel protocol that's not precisely RFC2822, but there will still be a communication medium with the key properties of email that I've outlined above.
Posted by: Cypherpunk at December 9, 2004 06:14 PMCypherpunk: "But much of what you're talking about, spyware, is actually installed voluntarily by users in exchange for software that they want to use. Spyware is not technically a security problem, since it was accepted voluntarily. It's an education problem, and pretty soon people will wise up."
I guess that means phishing isn't a security problem, because the users volunteer their information up to whosoever asks for it !?!
What can I say, other than ... "gone phishing!" In a sense I agree with you in that it isn't a simple technical crypto problem. But, it is a security problem. It's like a car that rolls over if driven too fast around a corner; saying "drive more slowly around corners" might be the right response, or it might not be.
In the case of phishing, it isn't the right response. Banks secured their sites with SSL, browser manufacturers hid all the SSL and cert stuff, and everyone told the users it was safe to use the net. Now that's changed and everyone is pointing fingers like mad.
How fast should the browsers drive around this corner? The answer is in the security model for browsing: spoofing is covered, check the advertising literature. So the browser manufacturers need to get back and figure out why spoofing slips through. The lucky answer is that it is actually really easy to address. It just requires thinking about it instead of trying to blame someone else.
(It's really very easy. About 1% of the work in SP2 would knock phishing on the head. 2 programmers for a month. Basic apple pie stuff.)
Posted by: Iang at December 9, 2004 08:52 PMBut, getting back to the big picture: oscillatory, straight line, whatever ...
My big point was that it is actually too late to address phishing alone. The money derived from phishing has now been re-invested and there is an industry addressing *all* the weaknesses in the Microsoft OS. Which means that they are now fighting a two front war against a well funded attacker: IE is being breached but so is the OS, and any weaknesses will be exploited more quickly than they can fix them.
Then, we have SP2. Yes, they started 3 years back. How far have they got? Not so far it seems to me: URL goes from scammer to user to browser and back to scammer. They haven't even acknowledged the link between phishing and the browser, can you offer any evidence that Microsoft are really thinking about security?
Secondly, think of it from a systems point of view. Assume for a wild moment that SP2 is safe at the OS level. What about all those users out there that are not upgraded? It might be easy to dismiss them ... but they are also more and more likely to dismiss Microsoft.
To that, I fear, there is no answer that bodes well for Microsoft.
Posted by: Iang at December 9, 2004 09:05 PM