August 24, 2016

Archives for May 2008


The Microsoft Case: The Second Browser War

Today I’ll wrap up my series of posts looking back at the Microsoft Case, by looking at the Second Browser War that is now heating up.

The First Browser War, of course, started in the mid-1990s with the rise of Netscape and its Navigator browser. Microsoft was slow to spot the importance the Web and raced to catch up. With version 3 of its Internet Explorer browser, released in 1996, Microsoft reached technical parity with Netscape. This was not enough to capture market share – most users stuck with the familiar Navigator – and Microsoft responded by adopting the tactics that provoked the antitrust case. With the help of these tactics, Microsoft won the first browser war, capturing the lion’s share of the browser market as Navigator was sold to AOL and then faded into obscurity.

On its way over the cliff, Netscape spun off an open source version of its browser, dubbing it Mozilla, after the original code name for Netscape’s browser. Over time, the Mozilla project released other software and renamed its browser as Mozilla Firefox. Microsoft, basking in its browser-war victory and high market share, moved its attention elsewhere as Firefox improved steadily. Now Firefox market share is around 15% and growing, and many commentators see Firefox as technically superior to current versions of Internet Explorer. Lately, Microsoft is paying renewed attention to Internet Explorer and the browser market. This may be the start of a Second Browser War.

It’s interesting to contrast the Second Browser War with the First. I see four main differences.

First, Firefox is an open-source project where Navigator was not. The impact of open source here is not in its zero price – in the First Browser War, both browsers had zero price – but in its organization. Firefox is developed and maintained by a loosely organized coalition of programmers, many of whom work for for-profit companies. There is also a central Mozilla organization, which has its own revenue stream (coming mostly from Google in exchange for Firefox driving search traffic to Google), but the central organization plays a much smaller role in browser development than Netscape did. Mozilla, not needing to pay all of its developers from browser revenue, has a much lower “burn rate” than Netscape did and is therefore much more resistant to attacks on its revenue stream. Indeed, the Firefox technology will survive, and maybe even prosper, even if the central organization is destroyed. In short, an open source competitor is much harder to kill.

The second difference is that this time Microsoft starts with most of the market share, whereas before it had very little. Market share tends to be stable – customers stick with the familiar, unless they have a good reason to switch – so the initial leader has a significant advantage. Microsoft might be able to win the Second Browser War, at least in a market-share sense, just by maintaining technical parity.

The third difference is that technology has advanced a lot in the intervening decade. One implication is that web-based applications are more widespread and practical than before. (But note that participants in the First Browser War probably overestimated the practicality of web-based apps.) This has to be a big issue for Microsoft – the rise of web-based apps reduce its Windows monopoly power – so if anything Microsoft has a stronger incentive to fight hard in the new browser war.

The final difference is that the Second Browser War will be fought in the shadow of the antitrust case. Microsoft will not use all the tactics it used last time but will probably focus more on technical innovation to produce a browser that is at least good enough that customers won’t switch to Firefox. If Firefox responds by innovating more itself, the result will be an innovation race that will benefit consumers.

The First Browser War brought a flood of innovation, along with some unsavory tactics. If the Second Browser War brings us the same kind of innovation, in a fair fight, we’ll all be better off, and the browsers of 2018 will be better than we expected.


The Microsoft Case: The Government's Theory, in Hindsight

Continuing my series of posts on the tenth anniversary of the Microsoft antitrust case, I want to look today at the government’s theory of the case, and how it looks with ten years of hindsight.

The source of Microsoft’s power in Windows was what the government dubbed the “applications barrier to entry”. Users chose their operating system in order to get the application software they wanted. Windows had by far the biggest and best selection of applications, due to its high market share (over 95% on the PC platform). To enter the PC OS market, a company would not only have to develop a competitive operating system but would also have to entice application developers to port their applications to the new system, which would be very slow and expensive if not impossible. This barrier to entry, coupled with its high market share, gave Microsoft monopoly power.

The rise of the browser, specifically Netscape Navigator and its built-in Java engine, threatened to reduce the applications barrier to entry, the government claimed. Software would be written to run in the browser rather than using the operating system’s services directly, and such software would run immediately on any new operating system as soon as the browser was ported to the new system. Cross-platform browsers would reduce the applications barrier to entry and thereby weaken Microsoft’s Windows monopoly. The government accused Microsoft of acting anticompetitively to sabotage the development of cross-platform browser technology.

The imminent flowering of browser-based applications was widely predicted at the time, and the evidence showed that top executives at Netscape, Microsoft, and Sun seemed to believe it. Yet we know in hindsight that things didn’t unfold that way: browser-based applications were not a big trend in 1998-2003. Why not? There are two possible explanations. Either the government was right and Microsoft did succeed in squashing the trend toward browser-based applications, or the government and the conventional wisdom were both wrong and there was really no trend to squash.

This highlights one of the main difficulties in antitrust analysis: hypothetical worlds. To evaluate the key issue of whether consumers and competition were harmed, one always needs to compare the actual world against a hypothetical world in which the defendant did not commit the accused acts. What would have happened if Microsoft had simply competed to produce the best Internet Explorer browser? It’s a fascinating question which we can never answer with certainty.

What actually happened, after Microsoft’s accused acts, the lawsuit, and the settlement, in the years since the case was filed? Netscape crumbled. The browser market became quiet; Microsoft tweaked Internet Explorer here and there but the pace of innovation was much slower than it had been during the browser war. Then the open source browser Mozilla Firefox arose from the ashes of Netscape. Firefox was slow to start but gained momentum as its developer community grew. When Firefox passed 10% market share and (arguably) exceeded IE technically, Microsoft stepped up the pace of its browser work, leading to what might be another browser war.

We also saw, finally, the rise of browser-based applications that had been predicted a decade ago. Today browser-based applications are all the rage. The applications barrier to entry is starting to shrink, though the barrier will still be significant until browser-based office suites reach parity with Microsoft Office. In short, the scenario the government predicted (absent Microsoft’s accused acts) is developing now, ten years later.

Why now? One reason is the state of technology. Today’s browser-based applications simply couldn’t have run on the computers of 1998, but today’s computers have the horsepower to handle browser-based apps and more is known about how to make them work. Another reason, perhaps, is that Microsoft is not acting against Firefox in the way it acted against Netscape a decade ago. A new browser war – in which Microsoft and Firefox compete to make the most attractive product – is the best outcome for consumers.

Life doesn’t always offer do-overs, but we may get a do-over on the browser war, and this time it looks like Microsoft will take the high road.


The Microsoft Case: A Window Into the Software Industry

This week I’m publishing reflections on the Microsoft antitrust case, which was filed ten years ago. Today I want to consider how the case change the public view of the software industry.

Microsoft’s internal emails were a key part of the government’s evidence. The emails painted a vivid picture of how the company made its strategy decisions. Executives discussed frankly how “it will be very hard to increase browser market share on the merits of [Internet Explorer] alone. It will be very important to leverage the OS asset to make people use IE”. Often the tone was one of controlling customers and sabotaging competitors, rather than technical innovation.

Probably the most cringe-inducing metaphor in the whole case was “knifing the baby”. Here’s a trial dispatch from Business Week:

In particularly colorful testimony on Nov. 5 [1998], [Apple VP Avie] Tevanian described an April, 1997, meeting between two Apple and two Microsoft officials. Tevanian, who was not at the meeting, said Microsoft officials suggested that Apple abandon its business of providing “playback” software that enables users to view multimedia content on the computers. Instead, they offered Apple the much smaller portion of the market for the tools that developers use to create the content. In Apple’s mind, though, the playback software was its baby.

According to Tevanian, Apple executive Peter Hoddie asked Microsoft officials, “‘Are you asking us to kill playback? Are you asking us to knife the baby?'” He said Microsoft official Christopher Phillips responded, “‘Yes, we want you to knife the baby.’ It was very clear.”

Stories like this shredded the public perception of software companies as idealistic lab-coated technical innovators. It wasn’t just Microsoft whose reputation took a beating – it was Apple who gave us the baby-knifing metaphor. One shrewd observer told me at the time that the difference between Microsoft and its competitors was not motive but opportunity – the other companies would have done what Microsoft did, if they had the chance.

None of these companies were as crude and brutal as they looked in court – litigation has a way of highlighting the extremes – but there was more than a grain of truth to the idea that software markets are driven by power and dealmaking, along with engineering. Another classic moment in the trial came when a Microsoft lawyer was cross-examining Netscape CEO Jim Barksdale about emails written by Netscape founder and Silicon Valley superhero Jim Clark. The lawyer asked Barksdale whether he regarded Clark as “a truthful man”. Barksdale paused before answering, “I regard him as a salesman.”


The Microsoft Case, Ten Years Later

Sunday was the tenth anniversary of the government filing its antitrust case against Microsoft. The date passed almost unnoticed, though echoes of the case continue to reverberate. This week I want to reflect on the case, with the benefit of ten years’ hindsight. I’ll write at least three posts: today, on the overall legacy of the case; Wednesday, on how the case affected the public view of Microsoft and software companies generally; and Friday, on how the government’s theory of the software market (which the courts accepted) looks in hindsight.

(Before starting, I should clarify that although I worked with the DoJ trial team through virtually the entire case – from before the case was filed, through the negotiation of the final settlement – I can’t say anything about what happened behind closed doors. My opinion is informed by everything I saw and heard, but unfortunately some of the most interesting details have to stay secret.)

Today I want to consider the overall legacy of the case. The purpose of antitrust law is to protect market competition, for the good of consumers. Thus Microsoft’s ultimate success in crushing Netscape and blunting the effect of Java only matters to the extent that it might have harmed consumers. The relevant questions are these: (1) Are the markets for operating systems and browsers healthier and more competitive than they would have been had the case not been brought? (2) Are consumers better off than they would have been had the case not been brought?

I see the case as a success by these standards, not so much because of the settlement, which most people saw as weak, but because the case taught Microsoft that ignoring antitrust concerns can be dangerous. Microsoft was routed in court and faced the possibility (though never the likelihood) of a court-ordered break-up; but the company managed to negotiate a favorable settlement when the government was distracted after the 9/11 attacks. Apparently worried that it might not be so lucky the next time, the company has moderated its behavior. It still dominates the operating system and browser markets – and it is still a fierce technical competitor, but its business and legal behavior is more moderate.

This kinder, gentler Microsoft is one of the two main legacies of the case. The other is the consensus that antitrust laws do in fact apply to high-tech companies. Though the law moves slowly – and sometimes can only deter via the possibility of after-the-fact sanctions – companies are not immune to its discipline just because they are in high-tech markets. Other powerful companies, such as Intel and Google, have learned this lesson too.

Tomorrow: how the case affected the public view of Microsoft and the software industry.


Live Webcast: Future of News, May 14-15

We’re going to do a live webcast of our workshop on “The Future of News“, which will be held tomorrow and Thursday (May 14-15) in Princeton. Attending the workshop (free registration) gives you access to the speakers and other attendees over lunch and between sessions, but if that isn’t practical, the webcast is available.

Here are the links you need:

  • Live video streaming
  • Live chat facility for remote participants
  • To ask the speaker a question, email

Sessions are scheduled for 10:45-noon and 1:30-5:00 on Wed., May 14; and 9:30-12:30 and 1:30-3:15 on Thur., May 15.


Counterfeits, Trojan Horses, and shady distributors

Last Friday, the New York Times published an article about counterfeit Cisco products that have been sold as if they were genuine and are widely used throughout the U.S. government.  The article also raised the concern that these counterfeits could well be engineered with malicious intent, but that this appears not to have been the case. There was an immediate Slashdot thread as well, but a number of issues are still worth commenting on.

First things first: the facts, as best we understand them.  The New York Times reports that approximately 3500 counterfeit Cisco components (worth $3.5M) have been discovered as a result of a two-year FBI investigation.  A Cisco spokesman is quoted saying that they found “no evidence of re-engineering.”  In other words, we’re talking about faithful knock-offs of legitimate products.

If you go to the FBI’s unclassified PowerPoint presentation (dated January 11, 2008), you’ll see all the actual information.  This is a fascinating read.  For starters, let’s talk about the cost.  The slides claim you can get a counterfeit router for approximately 1/6 the cost of a genuine router.  (You can do similarly well buying used gear on eBay.)  The counterfeit gear looks an awful lot like the genuine article.  Detecting differences here is as difficult as detecting counterfeit money, counterfeit Rolex watches, or counterfeit signatures from sports stars.  Given the apparent discrepancy between component cost and street value, we should be no more surprised to find knock-off Cisco gear than we are to find knock-off everything else.

Counterfeit vs. Original Cisco line card

It’s claimed that these counterfeits are built to lower manufacturing standards than the original equipment, causing higher failure rates. One even caught fire due to a faulty power supply.  Likewise, the fakers are making stupid errors, like building multiple components with the same MAC address.  (MAC addresses, by design, are meant to be unique – no two ever the same.)

The really interesting story is all about the supply chain. Consider how you might buy yourself a new Mac.  You could go to your local Apple store.  Or you could get it from any of a variety of other stores, who in turn may have gotten it from Apple directly or may have gone through a distributor.  Apparently, for Cisco gear, it’s much more complicated than that.  The U.S. government buys from “approved” vendors, who might then buy from multiple tiers of sub-contractors.  In one case, one person bought shady gear from eBay and resold it to the government, moving a total of $1M in gear before he was caught.  In a more complicated case, Lockheed Martin won a bid for a U.S. Navy project.  They contracted with an unauthorized Cisco reseller who in turn contracted with somebody else, who used a sub-contractor, who then directly shipped the counterfeit gear to the Navy. (The slides say that $250K worth of counterfeit gear was sold; duplicate serial numbers were discovered.)

Why is this happening?  The Government wants to save money, so they look for contractors who can give them the best price, and their contracts allow for subcontracts, direct third-party shipping, and so forth.  There is no serious vetting of this supply chain by either Cisco or the government. Apparently, Cisco doesn’t do direct sales except for high-end, specialized gear.  You’d think Cisco would follow the lead of the airline industry, among others, and cut out the distributors to keep the profit for themselves.

Okay, on to the speculation.  Both the New York Times and the FBI presentation concern themselves with Trojan Horses.  Even though there’s no evidence that any of this counterfeit gear was actually malicious, the weak controls in the supply chain make it awfully easy for such compromised gear to be sold into sensitive parts of the government, raising all the obvious concerns.

Consider a recent paper by U. Illinois’s Sam King et al. where they built a “malicious processor”.  The idea is pretty clever.  You send along a “secret knock” (e.g., a network packet with a particular header) which triggers a sensor that enables “shadow code” to start running alongside the real operating system.  The Illinois team built shadow code that compromised the Linux login program, adding a backdoor password.  After the backdoor was tripped, it would disable the shadow code, thus going back to “normal” operation.

The military is awfully worried about this sort of threat, as well they should be.  For that matter, so are voting machine critics. It’s awfully easy for “stealth” malicious behavior to exist in legitimate systems, regardless of how carefully you might analyze or test it. Ken Thompson’s classic paper, Reflections on Trusting Trust, shows how he designed a clever Trojan Horse for Unix.  [Edit: it’s unclear that it ever got released into the wild.]

Okay everybody, let’s put on our evil hats.  If your goal was to get a Trojan Horse router into a sensitive military environment, how would you do it and how would it behave?  Clearly, the weak supply chain is an excellent vector for getting the gear into place.  Given the resources of a nation-state intelligence agency, you could afford to buy genuine Cisco parts and modify them, rather than using low-cost, counterfeit gear.  Nobody would detect you; you wouldn’t screw up and ship multiple boxes with the same serial number.

How will you implement your Trojan Horse logic?  Pretty much any gear you’ll ever find of any modest complexity will have software running inside it.  Even line cards have embedded processors of some sort.  For all that hardware, there’s software, and that’s what you’d go to install your logic bomb.  The increasing use of FPGAs in industrial designs means you could also “rewire” those parts to behave arbitrarily, much like the Illinois hack; you’d really want to get a hold of the original VHDL “source code”, leveraging your aforementioned spying prowess, to simplify the design and implementation of your malicious behavior.  Hacking the raw netlists (the FPGA-equivalent of machine code) would be possible, but would be far more painful. [See Sidebar.]

What sort of behavior would you build in?  The New York Times raises the idea of a kill switch.  I send your router a magic packet and it dies.  That’s too easy.  How about I send your router a magic packet, it then forwards it on to all of its peers, repeatedly, and then they all die a few seconds later?  That’s a pretty good denial of service attack (nevermind a plot device that was the basis of a popular science fiction television series). Alternatively, following the Illinois idea, we could imagine that the magic packet turns on a monitoring feature, allowing our intelligence agency to gather all kinds of information, reconfigure the router, and so forth.  If they don’t want to generate extra traffic, which might be detected, they could instead weaken the encryption of a VPN tunnel, perhaps publishing the session key through a subliminal channel of some sort, acquiring the ciphertext through “other” means.

In summary, it’s probably a good thing, from the perspective of the U.S. military, to discover that their supply chain is allowing counterfeit gear into production.  This will help them clean up the supply chain, and will also provide an extra push to consider just how much they trust the sources of their equipment to ship clean software and hardware.

[Sidebar: Xilinx supports a notion of “encrypting” a netlist.  Broadly speaking, the idea behind the technology is to encrypt the description of your FPGA configuration with a crypto key, such that anybody who reads the file out of your board gets encrypted garbage.  However, the FPGA has the key material to decrypt the configuration and then initialize itself normally.  This sort of technology is meant to serve an anti-piracy / anti-reverse-engineering purpose.  It could ostensibly also serve an anti-Trojan Horse purpose, although at that point it’s really no more or less secure, semantically, than Microsoft’s Authenticode.  This technology, more broadly, is also an active research area (see, for example, Roy et al.’s EPIC: Ending Piracy of Integrated Circuits).  Again, if we’ve got a nation-state intelligence service tampering with the system, none of this is going to provide meaningful protection for the end-user against Trojan Horses.]


DRM Not Dead, Just Temporarily Indisposed, Says RIAA Tech Head

The RIAA’s head technology guy says that the move away from DRM (anti-copying) technology by record labels is just a phase, according to a Greg Sandoval story at

“(Recently) I made a list of the 22 ways to sell music, and 20 of them still require DRM,” said David Hughes, who heads up the RIAA’s technology unit, during a panel discussion at the Digital Hollywood conference. “Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead.”

Last January, when Sony BMG became the last major recording company to sell DRM-free tracks at Amazon, plenty of observers considered the technology buried. Since then, a growing number of online stores have begun offering at least some open MP3s, including, Zune’s Marketplace, Amazon, as well as iTunes.

Not so fast, said Hughes, who predicted that DRM would reemerge in a big way. “I think there is going to be a shift,” he told the audience. “I think there will be a movement towards subscription services, and (that) will eventually mean the return of DRM.”

The imminent success of subscription services with DRM is more or less what the record industry was predicting several years ago. It didn’t happen, mostly because customers found the services clunky and inflexible – DRM at its worst. Nothing has changed to make DRMed subscription services more attractive. If anything, these services look even worse in light of the trend toward selling DRM-free tracks.

I can see the argument for selling large bundles of music rather than selling one track at a time. Bundling makes economic sense, given the huge storage capacity of today’s devices. The iPod of the future won’t be filled one track at a time.

But clunky DRM-based subscription services aren’t the only way to sell bundles of songs, and there are probably good ways to sell subscriptions without DRM. If you’re worried that a customer will subscribe for one month, download a zillion songs, cancel the subscription and keep the songs,then you can limit the number of downloads per month, or require a longer subscription period. If you can sell songs without DRM – and we know now that you can – there ought to be a way to sell a friendly subscription service too.

On this issue, the RIAA’s members may be ahead of the RIAA itself. There are encouraging signs that some of the major record companies are recognizing the need to rebuild their business strategy for the Internet era.


Stupidest Infotech Policy Contest

James Fallows at the Atlantic recently ran a reader contest to nominate the worst public policy decision of the past fifty years. (<a href=""The winner? Ethanol subsidies.) I’d like to do the same for technology policy.

Readers, please submit your suggestions for the stupidest infotech policy ever. An ideal submission is an infotech policy that (1) was established by a government, (2) did serious damage, (3) had wide support across the political spectrum, (4) failed for reasons that should have been obvious at the time, (5) failed even by the standards of its own supporters. It’s not enough that you would have chosen differently, or that you would have weighed competing public goods differently – we’re looking for a policy that no reasonable person, with the benefit of hindsight, would support.

Submit your suggestions in the comments. Once the discussion has died down, I’ll choose a winner. If this contest is successful, we’ll follow it up with a best policy contest.


30th Anniversary of First Spam Email; No End in Sight

Today marks the 30th anniversary of (what is reputed to be) the first spam email. Here’s the body of the email:



TUESDAY, MAY 9, 1978 – 2 PM

THURSDAY, MAY 11, 1978 – 2 PM


This is relatively mild by the standards of today’s spam. The message announced legitimate events relating to legitimate products in which the recipients might plausibly be interested. The sender was apparently unaware that this kind of message was against the rules.

Yet this message has much in common with today’s spam. The message used ALL CAPS, which was more common in those days but not the universal practice for email. The list of recipients was long. The message was incorrectly formatted – the original had more recipients than the email software of the day could handle, so what was supposed to be the recipient list actually spilled over into the body of the email, apparently unnoticed by the sender.

At the time, the Net’s rules forbade commercial activity, so the message was against the rules. Beyond the rule violation,the message’s propriety was widely questioned, and people debated what to do about it. (Brad Templeton has posted parts of the debate.)

Thirty years later, there is more spam than ever and no end is in sight. This shouldn’t be surprising, because the spam problem is fundamentally driven by economics. If anyone can send to anyone, and the cost of sending is nearly zero, many messages will be sent. Distinguishing unwanted email from wanted email is notoriously difficult – often you have to read a message to decide whether reading it was a waste of time. In this environment, spam will be a fact of life. The surprise, if anything, is that we have done as well as we have in coping with it.