[DotGNU]Bending the twig of .NET (large -- sorry)

[Ron Burk]

Hi,

I apologize in advance for the length of this and the
probable irrelevance (the discussion isn't really at
the high-level strategy stage any more, so I'm late).

I develop on multiple operating systems (most often Linux,
during the last several years) and was the editor of
Windows Developer's Journal for about a decade,
presumably giving me some exposure to Microsoft software
strategies (I'm even in the no-longer-exclusive club of people
who've testified against Microsoft in court :-).

I've been browsing the publicly available postings
on efforts to counter Microsoft's .NET initiative. I wanted to
post my two bits here. Though likely of marginal use
to most members of the group, it will at least be a different
perspective, and posting my thoughts in public always makes
it easier for me to see what's wrong with them :-).

Common Language Runtime
------------------------------------

I was surprised to see that this is considered something
worthy of duplication, especially if the goal is to counter
Microsoft (as opposed to just have fun, which is often
my goal in creating software). It made perfect sense to
me that Microsoft would create a CLR: a) they were
quite anxious to counter Java, and VJ++ had been
effectively neutralized by the courts and b) they have
always wanted the tools developers use to be controlled
by them; introducing a new ReallyNotJava language and
a layer that effectively made them the gatekeeper for all
other languages running on Windows would greatly
increase their control (and keep developers so busy
trying to keep up, that they never have time to figure out
exactly what business problem all this new crud is the
solution to -- a classic Microsoft strategy with developers).

However, this did not seem to me to be any response
to actual Microsoft customer needs. Languages have been co-existing
on Windows for a very long time. Mixing VB and C/C++ is
particularly common. The whole CLR framework solves a
strategic problem for Microsoft, not customers. It also plays to the
recurring Microsoft need to offer huge and complex frameworks that
will allegedly finally solve the problems that last year's huge
and complex framework failed to solve
(http://www.lohnet.org/~hornlo/mutterings/wdjef/). It's not at all
clear to me that Microsoft will be able to convince a high
percentage of Windows developers to use the CLR -- apart
from VB programmers, who will be moved into it by fiat, I expect.

I'm sure there's some very good reason why it's important
to mimic this Microsoft strategy to counter .Net -- but I just
couldn't figure out what it was. Creating an independent clone
of a language that Microsoft released solely because they
could no longer co-opt Java? I can see how that helps
Microsoft and gives them credibility, but can't see how it
helps any anti-Microsoft forces at all.
Seems like a lot of work, and significant additional
complexification for developers, so hopefully the payback
is worth it. I personally have no interest in developing on
Microsoft's CLR, or any competing equivalent. There's
already a popular and feature-rich byte-code platform
around, when I really want one.

Passport
------------

This part, at least, I understood. As the Microsoft's revenue
from taxing PC sales faces a decline, implementing a tax
on Internet usage becomes increasingly critical. They
attack this from a number of fronts. Being an ISP (MSN)
is nice, but AOL has proven difficult to crush, and Microsoft
generally prefers to find markets where it can eventually have
no competition. Taxing vendors for access to customers via
various XP software deals is great, but somewhat limited. Imposing
a tax via the browser looks extremely promising (pay
Microsoft $1,000,000, and they'll make every occurrence of
"sports car" in IE turn into a hot link to www.porsche.com),
but they had to temporarily back off of their Smart Tags
(pronounced "smart tax") technique due to an outpouring
of protest (I expect they will revisit it next year -- the money
is just too attractive to pass up).

That leaves Passport. Centralized login control is a lever that
could give Microsoft a degree of leverage over the Internet that
at least approach their control of Windows. So, the desire of
the "let's counter .Net" groups to offer an alternative to Passport
made a lot of sense.

Will the .NET Responses Succeed
-------------------------------------------

The efforts to counter .NET appear ambitious. However,
it's hard to say exactly what .NET will turn out to be in detail,
so it's likewise difficult to criticize nascent responses. Factors
I believe likely to limit the success of these responses to
.NET are a) too ambitious (slow), b) responding to Microsoft's
initiative, rather than forcing them to respond to yours (often
a losing strategy in the past for anti-Microsoft groups) and
c) focusing on the technology rather than on what people
actually need and want.

A Dumb Idea
----------------

I sat down with a piece of paper and wrote four things at the top:
"80/20 Rule" and ".NET" and "Real Users" and "SOON".
My goal was to think about the 20% of .NET that actually
matters to 80% of real users today, and what might be the simplest
method of throwing a monkeywrench into that 20% of
Microsoft's plan -- and soon.

I filled the paper with different ideas, but only one seemed like something
that could actually be working within a matter of weeks, and having
an impact on Microsoft's plans within months. That idea was: a
very simple, standards-based, single logon system that requires
no authentication servers at all (in concrete terms: a browser
plug-in, an Apache module, and a proposed standard that describes
how they interact).

Passport is key for Microsoft's goal of taxing the Internet. As
pointed out elsewhere on this mailing list, Microsoft has the
huge advantage of being able to force Passport to ship with
every new PC that runs Windows (not to mention the various
other screws they've begin to turn with increasing vigor to force
existing Windows users to acquire and use Passport).
Therefore, key to any response to .NET must be an effort
to begin displacing Passport ASAP. That means displacing
Passport on web servers.

Passport offers a staggering number of promises
to users. You'll be able to use a web browser at the
airport to tell your toaster at home to remind the maid to
put out extra food for your cat (IP addresses having not yet been
proposed for cats). Or something like that. But I like to apply the
"what can you actually do today?" filter to the Microsoft PR firehose,
mainly because that leaves a much more manageable amount of
information to inspect.

What matters right now, today, for real users, is not having to type
in passwords, names, addresses, and credit card information all
over again for each and every web site they go to. That's it. And
that's not only a fairly simple problem, it's a problem area where
Passport is still quite vulnerable today.

If you try only to solve that exact problem, then you do not need
centralized servers -- you don't need any servers at all.
Yes, it's a nifty feature if I can get to my authentication information
from any computer in the world, but most real users use exactly
one or two computers over and over again every day. For them,
it would be entirely sufficient to store their encrypted information
on the local hard disk, and be able to copy it to a floppy disk to
take with them.

I don't want to talk about features or implementation in detail,
but about strategy and end-user perspective. The simple system
I'm talking about has simple features: the user gets to create their
own database of personal information on their own hard disk,
it's portable to floppy, it works with their favorite web browser
(e.g., via a plug-in) and participating web sites to eliminate the
need to re-type identical personal information.

Here's why I think this can be an effective wedge against
Passport:

* It does about everything useful that Passport does as of today.
* Even end-users can understand the strategic advantages it has
   over giving their data to a centralized server controlled by Microsoft
   (something that will become especially clear the first time some
    teenager launches a DDoS attack against the Passport servers).
* It's simple and useful enough that web site managers will be willing to 
use it.

The last point is key. Any effort to counter Passport is useless if it's
technically beautiful, but fails to penetrate the market. The one
strength the open market has to counter Microsoft's Windows
monopoly advantage is Apache. If a Passport alternative were
to get installed on a majority of Apache sites by the end of this
year, that would be a credible threat to the important parts of
.NET (I don't think it's terribly important to threaten the CLR).
If you can get to a position where Microsoft is responding to you,
rather than vice versa, the war is half won.

I'll restate this in marketing terms for anyone who understands
positioning. Passport simply does not yet have a well-defined
position in most consumer's minds yet -- but Microsoft is working hard
to make that happen during the next 12 months. If you look very
closely at the Passport PR, you can see that Microsoft is quite
brassily claiming that with Passport, the customer owns their own
data. They can only hold that position while there is no credible
competitor. The most obvious position (and easiest to take!) for
any competing product is: "your data is secure because it's not
stored on a server at Microsoft with everybody else's data". Given
the relatively high degree of consumer anxiety about privacy,
this is a great position to hold vis a vis Passport. I like the following
tag line as well: "Passport: putting your personal information at
Microsoft's fingertips!"

There are a number of social techniques one could use to
encourage the spread of the necessary client software. The
obvious one to me is to get web site owners to display a logo
saying they support this single logon system, and clicking on
the logo takes you to a place you can download the (hopefully
quite small) plug-in for your browser. Again, getting as many
Apache sites on board as soon as possible is the main point
of leverage -- and I think that requires a simple solution that
makes their lives easier in the short term.

My guess is that a year is too long for any successful alternative
to Passport to emerge. I have no doubt that this group can
evolve a competing solution that is every bit as complex
and feature-rich as Microsoft's. I fear it won't be effective
in the marketplace. I find the idea of being "compatible" with
Microsoft especially depressing -- at that point, you are
playing their game (avoiding that game is one of the reasons
I started using Linux). I think it's much more effective (and more fun)
if you can force Microsoft to be compatible with you. Make
a simple standard protocol for single login that is supported
by most Apache sites, and they would have to do just that.
That standard could, of course, be a starting point from which
more complex offerings evolve. But you gotta get to something
useful *fast* if you want to counter Microsoft. Otherwise, you've
just got another Mozilla story.

FWIW.

Ron Burk
Windows Developer's Journal, www.wdj.com