Windows 10 Forced Upgrade: Fighting Decades-Long Institutional Insanity

Rob Enderle

One of the funniest events I’ve ever been to was a talk given by a Microsoft executive at the company’s Mountain View facility, years ago. About halfway through the talk, his PC, which was showing the PowerPoint presentation, flashed a notice that in one minute it was going to initiate a patch process. There was nothing anyone could do, apparently, to stop this. Right on schedule, sixty seconds later, the huge screen went black and the speaker had to wing most of the rest of his talk while the audience laughed at his expense.

I’m sure Microsoft’s IT department got an earful when he got back to Redmond. But the reasoning behind such a practice is generally to make sure that a critical patch that addresses some vulnerability is in place quickly. Back then, we had hours, if not days, to respond to an attack. Currently, we have something less than 15 minutes, which means we generally need the strongest defense we can muster in place before the attack takes place, and old operating systems are particularly vulnerable. It is highly likely that a successful national-level attack will be most successful on a down-level version of iOS, Android or especially Windows, because of the combination of high numbers and relatively high vulnerability.

Vendors clearly have a financial reason to get everyone on current versions of operating systems, because it reduces support costs. And there is a very real reason for the users to upgrade aggressively because of the security risk. Eventually, I expect this will be required by law.

Microsoft just moved Windows into this decade by putting in place a more aggressive upgrade process this week for Windows 10. Rather than complaining, like many are, I think it is well past time for this move. I think the griping is likely because Microsoft focused on the “what” and kind of left out the critical parts of the “why.” Let’s talk about why this is actually a good thing.

It’s Not IT’s Fault: More Institutional Insanity

One of the big mistakes that Microsoft made with Windows in the 1990s was to pivot away from users, who drove Microsoft’s success through Windows 95, and toward enterprise IT, which drove much of the firm’s strategy after Windows 95’s launch. What is still fascinating to me is that Microsoft beat IBM’s OS/2 by focusing more on users and then, after winning, not only adopted IBM’s strategy but basically rebuilt OS/2. Can you imagine any race where the winner decides after winning that the loser’s strategy is the one they must adopt? It even put guys out of Digital, a company that failed against IBM, in charge of much of the process. And here is the real kicker: We praised Microsoft for it. It was like we all collectively got stupid.

It should have been no surprise, then, that both Apple and Google, by focusing on the user, were able to carve into Microsoft’s dominance and pretty much take over the market. Though I think it is kind of amazing that Google came up with the enterprise-focused Chrome OS, and Apple’s big new product is an iPad designed for IT.


The idea of putting old operating systems on new products was actually not user driven but IT driven, because IT wanted the simplicity of one platform across all products. Look at user-based products like smartphones, smart TVs and tablets. They never get an old OS on a new product; the OS and the product are wedded and updates are pushed through, whether you want them or not.

OS Upgrades: Like Helmets and Seatbelts

Now, if you put aside safety, it is easy to argue that a user-focused company should let users run whatever version of the OS they want to run. But we have to consider security now.  Much like we force drivers of cars to wear seatbelts and drivers of motorcycles to wear helmets, we have to force operating system upgrades because current code is now a critical part of being able to both better protect against malware attacks and more rapidly deploy patches to better respond to them. Much like IT wanted the same OS on all products in order to make systems easier to manage, a vendor needs everyone at the same code level if it is going to push out a response to a zero-day exploit quickly. The more fragmented the code, the harder it will be to assure that a patch can be pushed out in a timely manner.

I am kind of surprised that Microsoft isn’t making this argument more forcefully, but I can imagine a time, likely after a cyber attack, when it may be illegal to run a down-level OS, much like it is illegal to drive without a seatbelt or helmet, or to drive while using a personal technology device.

Wrapping Up: A Future of Forced Upgrades

The world has changed a lot since we first saw PCs. Now we are surrounded by smart devices that automatically get updates whether we want them or not, largely because of a combination of bug fixes and constantly changing security exposures. Recently, the GSA began to put in place policies that force all U.S. government suppliers to aggressively assure all parts of their business from the citizenship and background of workers to the source and content of their software. This will quickly trickle down to every company that is in the supply chain of these firms. But it is very likely that in the next decade, we will face a security problem of national if not global proportions and that will force laws, and vendor liability, that will make keeping platforms current not only more acceptable but potentially illegal to avoid.

So two takeaways this week. First, aggressive operating system upgrades will likely eventually be driven by law, and second, adopting a strategy from the firm you just beat is not a policy that results in success.

Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm.  With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+



Feb 3, 2016 3:17 PM slozomby says:
"I am kind of surprised that Microsoft isn’t making this argument more forcefully, but I can imagine a time, likely after a cyber attack, when it may be illegal to run a down-level OS, much like it is illegal to drive without a seatbelt or helmet, or to drive while using a personal technology device." depending on the age of the vehicle you may be exempt from seatbelt laws, catalytic converter requirements, smog requirements, mirror requirements, 3rd taillight requirements......... so bad analogy
Feb 4, 2016 8:09 AM jjoensuu says:
"Back then, we had hours, if not days, to respond to an attack. Currently, we have something less than 15 minutes" Really? Prove it, or simply stop writing B.S. The fact is that we have roughly the same amount of time to patch our systems today as we did 10 years ago. Neither our world nor our data centers will collapse if the instances are not updated with the latest patches in "15 minutes" or some other ridiculously short time period.
Feb 4, 2016 2:42 PM Tab says:
This automatic upgrade stuff is a nightmare. As a software developer, I want to control exactly what's on my machine and why, but even discarding this, having my computer go "upgrade" in the middle of my workday (or perhaps even an important assignment I have to wrap up in 45 minutes) with no notice is counter-productive in many ways. I always turn them off with a new machine, but every once in a while one slips through and screws me up more than it helps me.
Feb 5, 2016 7:46 AM John says:
Suppose the helmet had prongs on the inside that pierced your skull and extracted your personal preferences from your brain, then sold them or used them for its own corporate purposes. It's still safer, right? So we're all idiots if we don't wear it, right? Pffft. No thanks. Windows 7 was it for me. Time to figure out an open-source OS.
Feb 5, 2016 8:32 AM GregP says: in response to slozomby
"I can imagine a time, likely after a cyber attack, when it may be illegal to run a down-level OS, much like it is illegal to drive without a seatbelt or helmet, or to drive while using a personal technology device." Silly analogy. A better one would be forced upgrade to a newer car -- one that you don't necessarily like or want -- because of safety additions (sometimes at the expense of driveability). This should never happen, and neither should forced OS upgrades.
Feb 7, 2016 7:10 PM davidhoffman5 says: in response to slozomby
Windows 10 Upgrade keeps telling me to upgrade and that my laptop is compatible. The one thing it failed to note is that I do not have enough free disk space to do so, according to Microsoft's own recommendations.
Feb 8, 2016 10:08 AM Rich Steiner says:
Microsoft didn't focus on users to beat OS/2. They focused on a few key application developers (e.g., WordPerfect), on device manufacturers (mainly video/sound card makers), and on PC vendors. Preloads and device drivers won the day, assisted by the Win32s-version-of-the-month club and other borderline practices ... and most end users had little say in the matter, and very little awareness that a battle for the desktop was actually occurring.
Feb 8, 2016 10:35 AM rush2112 says:
When Mr. Enderle says "Eventually, I expect this will be required by law." is he serious? Talk about "Big Brother". I mean, cue the Rush music and Ayn Rand. Also, I disagree with several dogmatic assumptions made in this article. The entire premise that we need new OS every year is insane in itself. We just need the ones we have to be secure and work. Of course then no one can take our money from us by writing articles like this that scare us.
Apr 22, 2016 9:03 AM Old Faithful says:
I cannot believe what I read... We're back to the 30's and the totalitarian state concept where diversity is a crime and everyone is supposed to pledge allegiance to some Master Control Program. I wish there was a little bit more Intelligence in the I of IT to realize the foolishness of such arguments. Diversity of code and choice is what builds resilience in any system, be it natural, technological or social, NOT uniformity of code and behaviour! I do commend you on your perspicacity about what went wrong with Microsoft after Windows 95 and the loss of freedom users have had to endure since, but frankly, you need to brush up on some history and the humanities to realize the present path you are so adamantly advocating is dead wrong and is only going to bring on disaster.
Jun 1, 2016 12:19 PM Zandra says:
"Look at user-based products like smartphones, smart TVs and tablets. They never get an old OS on a new product; the OS and the product are wedded and updates are pushed through, whether you want them or not." My Android phone always asks me before upgrading. Unlike Windows, which simply redefines your GUI to trick you into upgrading (clicking the red dialog X now means "accept upgrade" according to their own blog). And my desktop is not comparable to a phone or smart t.v.: I don't do my taxes or graphic design on my phone. "It even put guys out of Digital, a company that failed against IBM, in charge of much of the process" Digital failed because nobody knew who they were: marketing failure, not tech failure by any means. Perhaps you should study some history...including authoritarian structures similar to the one you are suggesting we all embrace. Meanwhile, I've already switched to Linux Mint over this debacle!
